From 482f1f2e90ee08d59b7c78f172b7003eef910e2c Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 6 Jul 2021 17:22:38 -0500 Subject: [PATCH 1/8] add addenda for RFC 0008 and 0021 --- schemas/as.yml | 5 +- schemas/event.yml | 11 +-- schemas/file.yml | 5 +- schemas/geo.yml | 5 +- schemas/hash.yml | 5 +- schemas/pe.yml | 6 ++ schemas/registry.yml | 9 +++ schemas/threat.yml | 181 +++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 215 insertions(+), 12 deletions(-) diff --git a/schemas/as.yml b/schemas/as.yml index d75d4edaee..be0ac01547 100644 --- a/schemas/as.yml +++ b/schemas/as.yml @@ -15,7 +15,10 @@ - destination - server - source - - at: threat.enrichments + - at: threat.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: as beta: Reusing the `as` fields in this location is currently considered beta. type: group diff --git a/schemas/event.yml b/schemas/event.yml index 7d4033398c..e20722df7e 100644 --- a/schemas/event.yml +++ b/schemas/event.yml @@ -17,12 +17,7 @@ See the `event.kind` definition in this section for additional details about metric and state events. type: group - reusable: - top_level: true - expected: - - at: threat.enrichments - as: event - beta: Reusing the `event` fields in this location is currently considered beta. + fields: - name: id @@ -593,8 +588,8 @@ dst=2.1.2.2spt=1232" short: Raw text message of entire event. description: > - Raw text message of entire event. Used to demonstrate log integrity - or where the full log message (before splitting it up in multiple + Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be diff --git a/schemas/file.yml b/schemas/file.yml index c42559d156..598febbaf3 100644 --- a/schemas/file.yml +++ b/schemas/file.yml 
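Review bot: The event.yml hunk deletes the whole `reusable:` block, which silently drops the `threat.enrichments.event.*` nesting that the removed lines show was previously declared (as beta), and neither the patch subject nor the diff records that removal. If RFC 0008/0021 call for retiring that reuse location, a sentence in the commit message and a changelog entry would tell anyone already emitting `threat.enrichments.event.*` why the fields vanished; if it was not intended, the stanza should be re-added with `at: threat.enrichments.indicator` and `as: event`. The as.yml hunk on the same line is fine as written, since `as: as` is the correct mount name for that schema.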
@@ -13,9 +13,12 @@ reusable: top_level: true expected: - - at: threat.enrichments + - at: threat.indicator as: file beta: Reusing the `file` fields in this location is currently considered beta. + - at: threat.enrichments.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. fields: - name: name level: extended diff --git a/schemas/geo.yml b/schemas/geo.yml index ddc6b0bccb..ca5012ef13 100644 --- a/schemas/geo.yml +++ b/schemas/geo.yml @@ -17,9 +17,12 @@ - host - server - source - - at: threat.enrichments + - at: threat.indicator as: geo beta: Reusing the `geo` fields in this location is currently considered beta. + - at: threat.enrichments.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. type: group fields: diff --git a/schemas/hash.yml b/schemas/hash.yml index 17b0d008c2..6b7306787f 100644 --- a/schemas/hash.yml +++ b/schemas/hash.yml @@ -21,9 +21,12 @@ - file - process - dll - - at: threat.enrichments + - at: threat.indicator as: hash beta: Reusing the `hash` fields in this location is currently considered beta. + - at: threat.enrichments.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. fields: diff --git a/schemas/pe.yml b/schemas/pe.yml index 126fb16136..35efc1b7a8 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -10,6 +10,12 @@ - file - dll - process + - at: threat.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. + - at: threat.enrichments.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. fields: - name: original_file_name level: extended diff --git a/schemas/registry.yml b/schemas/registry.yml index bf8670d84e..38912d9b08 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml 
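Review bot: The `threat.enrichments.indicator` entry added to file.yml copies as.yml verbatim — `as: as` plus a beta string that talks about the `as` fields — so the file fields are mounted as `threat.enrichments.indicator.as.*` instead of `threat.enrichments.indicator.file.*`. The same copy-paste is in the geo.yml, hash.yml and pe.yml hunks, and in pe.yml and registry.yml it also affects the `threat.indicator` entry (registry lands at `threat.indicator.as.*`); the generated artifacts in PATCH 2/8 confirm it, listing five different field sets under `threat.enrichments.indicator.as.*` and a registry field as `enrichments.indicator.as.data.bytes`. Each entry should carry the schema's own name — for file.yml `as: file` and a beta line that names the `file` fields — with `geo`, `hash`, `pe` and `registry` respectively in the other four, and the artifacts regenerated afterwards.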
@@ -4,6 +4,15 @@ group: 2 description: Fields related to Windows Registry operations. type: group + reusable: + top_level: true + expected: + - at: threat.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. + - at: threat.enrichments.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. fields: - name: hive diff --git a/schemas/threat.yml b/schemas/threat.yml index 0e20fe332a..ce98a37bb4 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
@@ -22,6 +22,169 @@ description: > A list of associated indicators enriching the event, and the context of that association/enrichment. + - name: enrichments.indicator + level: extended + type: object + short: Indicators + beta: This field is beta and subject to change. + description: > + Indicators + + - name: enrichments.indicator.first_seen + level: extended + type: date + short: Date/time indicator was first reported. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source first reported sighting this indicator. + example: "2020-11-05T17:25:47.000Z" + + - name: enrichments.indicator.last_seen + level: extended + type: date + short: Date/time indicator was last reported. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source last reported sighting this indicator. + example: "2020-11-05T17:25:47.000Z" + + - name: enrichments.indicator.modified_at + level: extended + type: date + short: Date/time indicator was last updated. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source last modified information for this indicator. + example: "2020-11-05T17:25:47.000Z" + + - name: enrichments.indicator.sightings + level: extended + type: long + short: Number of times indicator observed + beta: This field is beta and subject to change. + description: > + Number of times this indicator was observed conducting threat activity. + example: 20 + + - name: enrichments.indicator.type + level: extended + type: keyword + short: Type of indicator + beta: This field is beta and subject to change. + description: > + Type of indicator as represented by Cyber Observable in STIX 2.0. 
+ Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + example: ipv4-addr + + - name: enrichments.indicator.description + level: extended + type: keyword + short: Indicator description + beta: This field is beta and subject to change. + description: > + Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + + - name: enrichments.indicator.scanner_stats + level: extended + type: long + short: Scanner statistics + beta: This field is beta and subject to change. + description: > + Count of AV/EDR vendors that successfully detected malicious file or URL. + example: 4 + + - name: enrichments.indicator.confidence + level: extended + type: keyword + short: Indicator confidence rating + beta: This field is beta and subject to change. + description: > + Identifies the confidence rating assigned by the provider using STIX confidence scales. + Expected values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) + example: High + + - name: enrichments.indicator.ip + level: extended + type: ip + short: Indicator IP address + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + + - name: enrichments.indicator.port + level: extended + type: long + short: Indicator port + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + + - name: enrichments.indicator.email.address + level: extended + type: keyword + short: Indicator email address + beta: This field is beta and subject to change. 
+ description: > + Identifies a threat indicator as an email address (irrespective of direction). + example: phish@example.com + + - name: enrichments.indicator.marking.tlp + level: extended + type: keyword + short: Indicator TLP marking + beta: This field is beta and subject to change. + description: > + Traffic Light Protocol sharing markings. + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + example: White + + - name: enrichments.indicator.reference + level: extended + type: keyword + short: Indicator reference URL + beta: This field is beta and subject to change. + description: > + Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + + - name: enrichments.indicator.provider + level: extended + type: keyword + short: Indicator provider + beta: This field is beta and subject to change. + description: > + The name of the indicator's provider. + example: lrz_urlhaus + - name: enrichments.matched.atomic level: extended type: keyword @@ -271,6 +434,24 @@ example: WHITE + - name: indicator.reference + level: extended + type: keyword + short: Indicator reference URL + beta: This field is beta and subject to change. + description: > + Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + + - name: indicator.provider + level: extended + type: keyword + short: Indicator provider + beta: This field is beta and subject to change. + description: > + The name of the indicator's provider. + example: lrz_urlhaus + - name: software.id level: extended type: keyword From 8796f537e9a1153501866442f03ff11acdd52bf3 Mon Sep 17 00:00:00 2001 
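Review bot: The new `enrichments.indicator.marking.tlp` entry lists its recommended values in upper case (`WHITE`, `GREEN`, `AMBER`, `RED`) but its example is `White`, which contradicts that list and the existing `indicator.marking.tlp` example `WHITE` visible as context in the second hunk; as a `keyword` field the case is significant for queries, so it should read `example: WHITE`. Separately, the container entry `enrichments.indicator` has `short: Indicators` and `description: Indicators`, which adds nothing to the name; since it carries the same fields as `threat.indicator.*`, a description such as "Object holding the threat indicator fields this enrichment matched against, mirroring `threat.indicator.*`" would document its intent. The `Admirality Scale` spelling in `enrichments.indicator.confidence` also looks like a typo for "Admiralty", but if it was copied from the existing `indicator.confidence` field both should be fixed together.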
From: Eric Beahan Date: Tue, 6 Jul 2021 17:23:47 -0500 Subject: [PATCH 2/8] artifacts --- code/go/ecs/event.go | 4 +- code/go/ecs/threat.go | 86 + docs/field-details.asciidoc | 492 +- experimental/generated/beats/fields.ecs.yml | 2025 ++++--- experimental/generated/csv/fields.csv | 210 +- experimental/generated/ecs/ecs_flat.yml | 4579 ++++++++-------- experimental/generated/ecs/ecs_nested.yml | 4671 ++++++++--------- .../generated/elasticsearch/7/template.json | 1114 ++-- .../elasticsearch/component/threat.json | 1118 ++-- generated/beats/fields.ecs.yml | 1570 +++--- generated/csv/fields.csv | 210 +- generated/ecs/ecs_flat.yml | 3574 ++++++------- generated/ecs/ecs_nested.yml | 3725 ++++++------- generated/elasticsearch/6/template.json | 777 +-- generated/elasticsearch/7/template.json | 777 +-- generated/elasticsearch/component/threat.json | 787 +-- 16 files changed, 12226 insertions(+), 13493 deletions(-) diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go index 6bfe88880b..c55bc0d364 100644 --- a/code/go/ecs/event.go +++ b/code/go/ecs/event.go @@ -130,8 +130,8 @@ type Event struct { // to `event.severity`. Severity int64 `ecs:"severity"` - // Raw text message of entire event. Used to demonstrate log integrity or - // where the full log message (before splitting it up in multiple parts) + // Raw text message of entire event. Used to demonstrate log integrity or + // where the full log message (before splitting it up in multiple parts) // may be required, e.g. for reindex. // This field is not indexed and doc_values are disabled. It cannot be // searched, but it can be retrieved from `_source`. If users wish to diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go index becd75adad..7d72f7f7ef 100644 --- a/code/go/ecs/threat.go +++ b/code/go/ecs/threat.go 
@@ -135,6 +135,12 @@ type Threat struct { // * RED IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"` + // Reference URL linking to additional information about this indicator. + IndicatorReference string `ecs:"indicator.reference"` + + // The name of the indicator's provider. + IndicatorProvider string `ecs:"indicator.provider"` + // The id of the software used by this threat to conduct behavior commonly // modeled using MITRE ATT&CK®. While not required, you can use a MITRE // ATT&CK® software id. 
@@ -218,6 +224,86 @@ type Threat struct { } type Enrichments struct { + // Indicators + Indicator map[string]interface{} `ecs:"indicator"` + + // The date and time when intelligence source first reported sighting this + // indicator. + IndicatorFirstSeen time.Time `ecs:"indicator.first_seen"` + + // The date and time when intelligence source last reported sighting this + // indicator. + IndicatorLastSeen time.Time `ecs:"indicator.last_seen"` + + // The date and time when intelligence source last modified information for + // this indicator. + IndicatorModifiedAt time.Time `ecs:"indicator.modified_at"` + + // Number of times this indicator was observed conducting threat activity. + IndicatorSightings int64 `ecs:"indicator.sightings"` + + // Type of indicator as represented by Cyber Observable in STIX 2.0. + // Recommended values: + // * autonomous-system + // * artifact + // * directory + // * domain-name + // * email-addr + // * file + // * ipv4-addr + // * ipv6-addr + // * mac-addr + // * mutex + // * port + // * process + // * software + // * url + // * user-account + // * windows-registry-key + // * x509-certificate + IndicatorType string `ecs:"indicator.type"` + + // Describes the type of action conducted by the threat. + IndicatorDescription string `ecs:"indicator.description"` + + // Count of AV/EDR vendors that successfully detected malicious file or + // URL. + IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"` + + // Identifies the confidence rating assigned by the provider using + // STIX confidence scales. Expected values: + // * Not Specified, None, Low, Medium, High + // * 0-10 + // * Admirality Scale (1-6) + // * DNI Scale (5-95) + // * WEP Scale (Impossible - Certain) + IndicatorConfidence string `ecs:"indicator.confidence"` + + // Identifies a threat indicator as an IP address (irrespective of + // direction). + IndicatorIP string `ecs:"indicator.ip"` + + // Identifies a threat indicator as a port number (irrespective of + // direction). 
+ IndicatorPort int64 `ecs:"indicator.port"` + + // Identifies a threat indicator as an email address (irrespective of + // direction). + IndicatorEmailAddress string `ecs:"indicator.email.address"` + + // Traffic Light Protocol sharing markings. Recommended values are: + // * WHITE + // * GREEN + // * AMBER + // * RED + IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"` + + // Reference URL linking to additional information about this indicator. + IndicatorReference string `ecs:"indicator.reference"` + + // The name of the indicator's provider. + IndicatorProvider string `ecs:"indicator.provider"` + // Identifies the atomic indicator value that matched a local environment // endpoint or network event. MatchedAtomic string `ecs:"matched.atomic"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 0b4eaf9bbc..0223835bfc 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -289,7 +289,9 @@ The `as` fields are expected to be nested at: * `source.as` -* `threat.enrichments.as` +* `threat.enrichments.indicator.as` + +* `threat.indicator.as` Note also that the `as` fields are not expected to be used directly at the root of the events. @@ -2779,7 +2781,7 @@ example: `apache` [[field-event-original]] <> -| Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. +| Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
@@ -3034,20 +3036,6 @@ example: `https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38f |===== -[discrete] -==== Field Reuse - -The `event` fields are expected to be nested at: - - -* `threat.enrichments.event` - - -Note also that the `event` fields may be used directly at the root of the events. - - - - [[ecs-file]] === File Fields @@ -3437,7 +3425,9 @@ example: `1001` The `file` fields are expected to be nested at: -* `threat.enrichments.file` +* `threat.enrichments.indicator.as` + +* `threat.indicator.file` Note also that the `file` fields may be used directly at the root of the events. @@ -3712,7 +3702,9 @@ The `geo` fields are expected to be nested at: * `source.geo` -* `threat.enrichments.geo` +* `threat.enrichments.indicator.as` + +* `threat.indicator.geo` Note also that the `geo` fields are not expected to be used directly at the root of the events. @@ -3912,7 +3904,9 @@ The `hash` fields are expected to be nested at: * `process.hash` -* `threat.enrichments.hash` +* `threat.enrichments.indicator.as` + +* `threat.indicator.hash` Note also that the `hash` fields are not expected to be used directly at the root of the events. @@ -6157,6 +6151,10 @@ The `pe` fields are expected to be nested at: * `process.pe` +* `threat.enrichments.indicator.as` + +* `threat.indicator.as` + Note also that the `pe` fields are not expected to be used directly at the root of the events. @@ -6684,6 +6682,22 @@ example: `Debugger` |===== +[discrete] +==== Field Reuse + +The `registry` fields are expected to be nested at: + + +* `threat.enrichments.indicator.as` + +* `threat.indicator.as` + + +Note also that the `registry` fields may be used directly at the root of the events. + + + + [[ecs-related]] === Related Fields 
@@ -7677,6 +7691,328 @@ type: nested +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator]] +<> + +| beta:[ This field is beta and subject to change. ] + +Indicators + +type: object + + + + + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-confidence]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values: + + * Not Specified, None, Low, Medium, High + + * 0-10 + + * Admirality Scale (1-6) + + * DNI Scale (5-95) + + * WEP Scale (Impossible - Certain) + +type: keyword + + + +example: `High` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-description]] +<> + +| beta:[ This field is beta and subject to change. ] + +Describes the type of action conducted by the threat. + +type: keyword + + + +example: `IP x.x.x.x was observed delivering the Angler EK.` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-email-address]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as an email address (irrespective of direction). + +type: keyword + + + +example: `phish@example.com` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-first-seen]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source first reported sighting this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-ip]] +<> + +| beta:[ This field is beta and subject to change. 
] + +Identifies a threat indicator as an IP address (irrespective of direction). + +type: ip + + + +example: `1.2.3.4` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-last-seen]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source last reported sighting this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-marking-tlp]] +<> + +| beta:[ This field is beta and subject to change. ] + +Traffic Light Protocol sharing markings. Recommended values are: + + * WHITE + + * GREEN + + * AMBER + + * RED + +type: keyword + + + +example: `White` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-modified-at]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source last modified information for this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-port]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as a port number (irrespective of direction). + +type: long + + + +example: `443` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-provider]] +<> + +| beta:[ This field is beta and subject to change. ] + +The name of the indicator's provider. + +type: keyword + + + +example: `lrz_urlhaus` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-reference]] +<> + +| beta:[ This field is beta and subject to change. 
] + +Reference URL linking to additional information about this indicator. + +type: keyword + + + +example: `https://system.example.com/indicator/0001234` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-scanner-stats]] +<> + +| beta:[ This field is beta and subject to change. ] + +Count of AV/EDR vendors that successfully detected malicious file or URL. + +type: long + + + +example: `4` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-sightings]] +<> + +| beta:[ This field is beta and subject to change. ] + +Number of times this indicator was observed conducting threat activity. + +type: long + + + +example: `20` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-type]] +<> + +| beta:[ This field is beta and subject to change. ] + +Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: + + * autonomous-system + + * artifact + + * directory + + * domain-name + + * email-addr + + * file + + * ipv4-addr + + * ipv6-addr + + * mac-addr + + * mutex + + * port + + * process + + * software + + * url + + * user-account + + * windows-registry-key + + * x509-certificate + +type: keyword + + + +example: `ipv4-addr` + | extended // =============================================================== 
@@ -8046,6 +8382,42 @@ example: `443` // =============================================================== +| +[[field-threat-indicator-provider]] +<> + +| beta:[ This field is beta and subject to change. ] + +The name of the indicator's provider. + +type: keyword + + + +example: `lrz_urlhaus` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-reference]] +<> + +| beta:[ This field is beta and subject to change. ] + +Reference URL linking to additional information about this indicator. + +type: keyword + + + +example: `https://system.example.com/indicator/0001234` + +| extended + +// =============================================================== + | [[field-threat-indicator-scanner-stats]] <> @@ -8459,7 +8831,7 @@ example: `https://attack.mitre.org/techniques/T1059/001/` // =============================================================== -| `threat.enrichments.as.*` +| `threat.enrichments.indicator.as.*` | <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] Fields describing an Autonomous System (Internet routing prefix). 
@@ -8467,34 +8839,42 @@ Fields describing an Autonomous System (Internet routing prefix). // =============================================================== -| `threat.enrichments.event.*` -| <>| beta:[ Reusing the `event` fields in this location is currently considered beta.] +| `threat.enrichments.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] -Fields breaking down the event details. +Fields describing files. // =============================================================== -| `threat.enrichments.file.*` -| <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] +| `threat.enrichments.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] -Fields describing files. +Fields describing a location. // =============================================================== -| `threat.enrichments.geo.*` -| <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] +| `threat.enrichments.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] -Fields describing a location. +Hashes, usually file hashes. // =============================================================== -| `threat.enrichments.hash.*` -| <>| beta:[ Reusing the `hash` fields in this location is currently considered beta.] +| `threat.enrichments.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] -Hashes, usually file hashes. +These fields contain Windows Portable Executable (PE) metadata. + +// =============================================================== + + +| `threat.enrichments.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] + +Fields related to Windows Registry operations. // =============================================================== 
@@ -8515,6 +8895,54 @@ These fields contain x509 certificate metadata. // =============================================================== +| `threat.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] + +Fields describing an Autonomous System (Internet routing prefix). + +// =============================================================== + + +| `threat.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] + +These fields contain Windows Portable Executable (PE) metadata. + +// =============================================================== + + +| `threat.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] + +Fields related to Windows Registry operations. + +// =============================================================== + + +| `threat.indicator.file.*` +| <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] + +Fields describing files. + +// =============================================================== + + +| `threat.indicator.geo.*` +| <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] + +Fields describing a location. + +// =============================================================== + + +| `threat.indicator.hash.*` +| <>| beta:[ Reusing the `hash` fields in this location is currently considered beta.] + +Hashes, usually file hashes. + +// =============================================================== + + |===== [[ecs-tls]] diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 9a9c890735..47fc148e9a 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -1925,8 +1925,8 @@ - name: original level: core type: keyword - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, 
@@ -8183,1625 +8183,1502 @@ description: A list of associated indicators enriching the event, and the context of that association/enrichment. default_field: false - - name: enrichments.as.number + - name: enrichments.indicator level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 + type: object + description: Indicators default_field: false - - name: enrichments.as.organization.name + - name: enrichments.indicator.as.data.bytes level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: enrichments.indicator.as.data.strings + level: core type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.event.action + - name: enrichments.indicator.as.data.type level: core type: keyword ignore_above: 1024 - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. 
- Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: enrichments.event.agent_id_status - level: extended + - name: enrichments.indicator.as.hive + level: core type: keyword ignore_above: 1024 - description: 'Agents are normally responsible for populating the `agent.id` - field value. If the system receiving events is capable of validating the value - based on authentication information for the client then this field can be - used to reflect the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the - client cert contains the ID of the agent to which the cert was issued then - the `agent.id` value in events can be checked against the certificate. If - the values match then `event.agent_id_status: verified` is added to the event, - otherwise one of the other allowed values should be used. - - If no validation is performed then the field should be omitted. - - The allowed values are: - - `verified` - The `agent.id` field value matches expected value obtained from - auth metadata. - - `mismatch` - The `agent.id` field value does not match the expected value - obtained from auth metadata. - - `missing` - There was no `agent.id` field in the event to validate. - - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: enrichments.event.category + - name: enrichments.indicator.as.key + level: core + type: wildcard + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: enrichments.indicator.as.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: enrichments.indicator.as.value level: core type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process - activity. This field is closely related to `event.type`, which is used as - a subcategory. - - This field is an array. This will allow proper categorization of some events - that fall in multiple categories.' - example: authentication + description: Name of the value written. + example: Debugger default_field: false - - name: enrichments.event.code + - name: enrichments.indicator.confidence level: extended type: keyword ignore_above: 1024 - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. 
Expected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: enrichments.event.created - level: core + - name: enrichments.indicator.description + level: extended + type: keyword + ignore_above: 1024 + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + default_field: false + - name: enrichments.indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: enrichments.indicator.first_seen + level: extended type: date - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.event.dataset - level: core + - name: enrichments.indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). 
+ example: 1.2.3.4 + default_field: false + - name: enrichments.indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.marking.tlp + level: extended type: keyword ignore_above: 1024 - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes - from. - - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' - example: apache.access + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White default_field: false - - name: enrichments.event.duration - level: core + - name: enrichments.indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.port + level: extended type: long - format: duration - input_format: nanoseconds - output_format: asMilliseconds - output_precision: 1 - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference - between the end and start time.' + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 default_field: false - - name: enrichments.event.end + - name: enrichments.indicator.provider level: extended - type: date - description: event.end contains the date when the event ended or when the activity - was last observed. + type: keyword + ignore_above: 1024 + description: The name of the indicator's provider. 
+ example: lrz_urlhaus default_field: false - - name: enrichments.event.hash + - name: enrichments.indicator.reference level: extended type: keyword ignore_above: 1024 - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. - example: 123456789012345678901234567890ABCD + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 default_field: false - - name: enrichments.event.id - level: core + - name: enrichments.indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: enrichments.indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 + default_field: false + - name: enrichments.indicator.type + level: extended type: keyword ignore_above: 1024 - description: Unique ID to describe the event. - example: 8a4f500d + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr default_field: false - - name: enrichments.event.ingested - level: core - type: date - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' 
- example: '2016-05-23T08:05:35.101Z' + - name: enrichments.matched.atomic + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com default_field: false - - name: enrichments.event.kind - level: core + - name: enrichments.matched.field + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - highest level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the - event contains, without being specific to the contents of the event. For example, - values of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval - or not.' - example: alert + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 default_field: false - - name: enrichments.event.module - level: core + - name: enrichments.matched.id + level: extended type: keyword ignore_above: 1024 - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain - the name of this module.' - example: apache + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + default_field: false + - name: enrichments.matched.index + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _index of the indicator document enriching the event. 
+ example: filebeat-8.0.0-2021.05.23-000011 + default_field: false + - name: enrichments.matched.type + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule default_field: false - - name: enrichments.event.original - level: core + - name: enrichments.pe.architecture + level: extended type: keyword - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may - be required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and - index this field, please see `Field data types` in the `Elasticsearch Reference`.' - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - index: false - doc_values: false + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 default_field: false - - name: enrichments.event.outcome - level: core + - name: enrichments.pe.authentihash + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - lowest level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a - failure from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each - event may populate different values of `event.outcome`, according to their - perspective. - - Also note that in the case of a compound event (a single event that contains - multiple logical events), this field should be populated with the value that - best captures the overall success or failure from the perspective of the event - producer. 
- - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 default_field: false - - name: enrichments.event.provider + - name: enrichments.pe.company level: extended type: keyword ignore_above: 1024 - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: enrichments.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.event.reason + - name: enrichments.pe.compiler.name level: extended type: keyword ignore_above: 1024 - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` - which denied the request may also populate `event.reason` with the reason - why (e.g. `blocked site`).' 
- example: Terminated an unexpected process + description: Name of the compiler + example: Clang default_field: false - - name: enrichments.event.reference + - name: enrichments.pe.compiler.version level: extended type: keyword ignore_above: 1024 - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 + description: Version of the compiler. + example: 11.0.0 default_field: false - - name: enrichments.event.risk_score - level: core - type: float - description: Risk score or priority of the event (e.g. security solutions). - Use your system's original value here. + - name: enrichments.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.event.risk_score_norm + - name: enrichments.pe.debug level: extended - type: float - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. + type: nested + description: 'An array containing an object for each debug entry, if present. - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' + The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - - name: enrichments.event.sequence + - name: enrichments.pe.debug.offset level: extended - type: long - format: string - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regardless of the timestamp precision.' 
+ type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 default_field: false - - name: enrichments.event.severity - level: core + - name: enrichments.pe.debug.size + level: extended type: long - format: string - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and - use cases. It''s up to the implementer to make sure severities are consistent - across events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` - is meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 + format: bytes + description: Size of the debug information. + example: 816 default_field: false - - name: enrichments.event.start + - name: enrichments.pe.debug.timestamp level: extended type: date - description: event.start contains the date when the event started or when the - activity was first observed. + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.event.timezone + - name: enrichments.pe.debug.type level: extended type: keyword ignore_above: 1024 - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + description: Information type generated by the debug options. 
+ example: IMAGE_DEBUG_TYPE_POGO default_field: false - - name: enrichments.event.type - level: core + - name: enrichments.pe.description + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - third level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along - with the `event.category` field values, enables filtering events down to a - level appropriate for single visualization. - - This field is an array. This will allow proper categorization of some events - that fall in multiple event types.' + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: enrichments.event.url + - name: enrichments.pe.entry_point level: extended type: keyword ignore_above: 1024 - description: 'URL linking to an external system to continue investigation of - this event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + description: Relative byte offset to the base of the PE file. + example: 25856 default_field: false - - name: enrichments.file.accessed + - name: enrichments.pe.exports level: extended - type: date - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' default_field: false - - name: enrichments.file.attributes + - name: enrichments.pe.file_version level: extended type: keyword ignore_above: 1024 - description: 'Array of file attributes. - - Attributes names will vary by platform. 
Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - default_field: false - - name: enrichments.file.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: enrichments.file.code_signature.signing_id + - name: enrichments.pe.icon.hash.dhash level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 default_field: false - - name: enrichments.file.code_signature.status + - name: enrichments.pe.imphash level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: enrichments.file.code_signature.subject_name - level: core + - name: enrichments.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: enrichments.pe.machine_type + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false + - name: enrichments.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: enrichments.file.code_signature.team_id + - name: enrichments.pe.packers level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' default_field: false - - name: enrichments.file.code_signature.trusted + - name: enrichments.pe.product level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: enrichments.file.code_signature.valid + - name: enrichments.pe.resources level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. + type: nested + description: 'An array containing an object for each PE resource, if present. - Leave unpopulated if a certificate was unchecked.' - example: 'true' + The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - - name: enrichments.file.created + - name: enrichments.pe.resources.chi2 level: extended - type: date - description: 'File creation time. - - Note that not all filesystems store the creation time.' + type: long + description: Chi-square probability distribution. + example: -1 default_field: false - - name: enrichments.file.ctime + - name: enrichments.pe.resources.entropy level: extended - type: date - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 default_field: false - - name: enrichments.file.device + - name: enrichments.pe.resources.filetype level: extended type: keyword ignore_above: 1024 - description: Device that is the source of the file. - example: sda - default_field: false - - name: enrichments.file.directory - level: extended - type: wildcard - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice + description: File type of the resources section. 
+ example: Data default_field: false - - name: enrichments.file.drive_letter + - name: enrichments.pe.resources.language level: extended type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED default_field: false - - name: enrichments.file.elf.architecture + - name: enrichments.pe.resources.sha256 level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 default_field: false - - name: enrichments.file.elf.byte_order + - name: enrichments.pe.resources.type level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' default_field: false - - name: enrichments.file.elf.cpu_type + - name: enrichments.pe.rich_header.hash.md5 level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd default_field: false - - name: enrichments.file.elf.creation_date + - name: enrichments.pe.sections level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. + type: nested + description: Data about sections of compiled binary PE default_field: false - - name: enrichments.file.elf.exports + - name: enrichments.pe.sections.chi2 level: extended - type: flattened - description: List of exported element names and types. 
+ type: long + description: Chi-square probability distribution. + example: 3027194 default_field: false - - name: enrichments.file.elf.header.abi_version + - name: enrichments.pe.sections.entropy level: extended - type: keyword - ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 default_field: false - - name: enrichments.file.elf.header.class + - name: enrichments.pe.sections.flags level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: Section flags of the file. + example: rx default_field: false - - name: enrichments.file.elf.header.data + - name: enrichments.pe.sections.name level: extended type: keyword ignore_above: 1024 - description: Data table of the ELF header. + description: Section names of the file. + example: .text, .data default_field: false - - name: enrichments.file.elf.header.entrypoint + - name: enrichments.pe.sections.raw_size level: extended type: long - format: string - description: Header entrypoint of the ELF file. + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 default_field: false - - name: enrichments.file.elf.header.object_version + - name: enrichments.pe.sections.virtual_address level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 default_field: false - - name: enrichments.file.elf.header.os_abi + - name: enrichments.registry.data.bytes level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. 
This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.file.elf.header.type - level: extended + - name: enrichments.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: enrichments.registry.data.type + level: core type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: enrichments.file.elf.header.version - level: extended + - name: enrichments.registry.hive + level: core type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: enrichments.file.elf.imports - level: extended - type: flattened - description: List of imported element names and types. + - name: enrichments.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.file.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' 
+ - name: enrichments.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: enrichments.file.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. + - name: enrichments.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger default_field: false - - name: enrichments.file.elf.sections.entropy + - name: enrichments.url.domain level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: wildcard + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co default_field: false - - name: enrichments.file.elf.sections.flags + - name: enrichments.url.extension level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' 
+ example: png default_field: false - - name: enrichments.file.elf.sections.name + - name: enrichments.url.fragment level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' default_field: false - - name: enrichments.file.elf.sections.physical_offset + - name: enrichments.url.full level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - - name: enrichments.file.elf.sections.physical_size + - name: enrichments.url.original level: extended - type: long - format: bytes - description: ELF Section List physical size. + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: enrichments.file.elf.sections.type + - name: enrichments.url.password level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: Password of the request. default_field: false - - name: enrichments.file.elf.sections.virtual_address + - name: enrichments.url.path level: extended - type: long - format: string - description: ELF Section List virtual address. + type: wildcard + description: Path of the request, such as "/search". 
default_field: false - - name: enrichments.file.elf.sections.virtual_size + - name: enrichments.url.port level: extended type: long format: string - description: ELF Section List virtual size. - default_field: false - - name: enrichments.file.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - default_field: false - - name: enrichments.file.elf.segments.sections - level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment sections. + description: Port of the request, such as 443. + example: 443 default_field: false - - name: enrichments.file.elf.segments.type + - name: enrichments.url.query level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' default_field: false - - name: enrichments.file.elf.shared_libraries + - name: enrichments.url.registered_domain level: extended - type: keyword - ignore_above: 1024 - description: List of shared libraries used by this ELF object. + type: wildcard + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com default_field: false - - name: enrichments.file.elf.telfhash + - name: enrichments.url.scheme level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https default_field: false - - name: enrichments.file.extension + - name: enrichments.url.subdomain level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: enrichments.file.gid + - name: enrichments.url.top_level_domain level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk default_field: false - - name: enrichments.file.group + - name: enrichments.url.username level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice + description: Username of the request. default_field: false - - name: enrichments.file.inode + - name: enrichments.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: enrichments.file.mime_type + - name: enrichments.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.file.mode + - name: enrichments.x509.issuer.country level: extended type: keyword ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' + description: List of country (C) codes + example: US default_field: false - - name: enrichments.file.mtime + - name: enrichments.x509.issuer.distinguished_name level: extended - type: date - description: Last time the file content was modified. + type: wildcard + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA default_field: false - - name: enrichments.file.name + - name: enrichments.x509.issuer.locality level: extended type: keyword ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png + description: List of locality names (L) + example: Mountain View default_field: false - - name: enrichments.file.owner + - name: enrichments.x509.issuer.organization level: extended type: keyword ignore_above: 1024 - description: File owner's username. - example: alice - default_field: false - - name: enrichments.file.path - level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png - default_field: false - - name: enrichments.file.size - level: extended - type: long - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - default_field: false - - name: enrichments.file.target_path - level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Target path for symlinks. + description: List of organizations (O) of issuing certificate authority. + example: Example Inc default_field: false - - name: enrichments.file.type + - name: enrichments.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com default_field: false - - name: enrichments.file.uid + - name: enrichments.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. 
- example: '1001' - default_field: false - - name: enrichments.geo.city_name - level: core - type: keyword - ignore_above: 1024 - description: City name. - example: Montreal + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: enrichments.geo.continent_code - level: core - type: keyword - ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + - name: enrichments.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 default_field: false - - name: enrichments.geo.continent_name - level: core - type: keyword - ignore_above: 1024 - description: Name of the continent. - example: North America + - name: enrichments.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 default_field: false - - name: enrichments.geo.country_iso_code - level: core + - name: enrichments.x509.public_key_algorithm + level: extended type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Algorithm used to generate the public key. + example: RSA default_field: false - - name: enrichments.geo.country_name - level: core + - name: enrichments.x509.public_key_curve + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: enrichments.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. 
+ example: nistp521 default_field: false - - name: enrichments.geo.name + - name: enrichments.x509.public_key_exponent level: extended - type: wildcard - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false default_field: false - - name: enrichments.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + - name: enrichments.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: enrichments.geo.region_iso_code - level: core + - name: enrichments.x509.serial_number + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: enrichments.geo.region_name - level: core + - name: enrichments.x509.signature_algorithm + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. 
+ example: SHA256-RSA default_field: false - - name: enrichments.geo.timezone - level: core + - name: enrichments.x509.subject.common_name + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: enrichments.hash.md5 + - name: enrichments.x509.subject.country level: extended type: keyword ignore_above: 1024 - description: MD5 hash. + description: List of country (C) code + example: US default_field: false - - name: enrichments.hash.sha1 + - name: enrichments.x509.subject.distinguished_name level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. + type: wildcard + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: enrichments.hash.sha256 + - name: enrichments.x509.subject.locality level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. + description: List of locality names (L) + example: San Francisco default_field: false - - name: enrichments.hash.sha512 + - name: enrichments.x509.subject.organization level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: enrichments.hash.ssdeep + - name: enrichments.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: List of organizational units (OU) of subject. 
default_field: false - - name: enrichments.matched.atomic + - name: enrichments.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: enrichments.matched.field + - name: enrichments.x509.version_number level: extended type: keyword ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 + description: Version of x509 format. + example: 3 default_field: false - - name: enrichments.matched.id + - name: framework level: extended type: keyword ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - default_field: false - - name: enrichments.matched.index + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: group.alias level: extended type: keyword ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." 
+ example: '[ "Magecart Group 6" ]' default_field: false - - name: enrichments.matched.type + - name: group.id level: extended type: keyword ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 default_field: false - - name: enrichments.pe.architecture + - name: group.name level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 default_field: false - - name: enrichments.pe.authentihash + - name: group.reference level: extended type: keyword ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ default_field: false - - name: enrichments.pe.company + - name: indicator.as.data.bytes level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. 
This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.pe.compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' + - name: indicator.as.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.pe.compiler.name - level: extended + - name: indicator.as.data.type + level: core type: keyword ignore_above: 1024 - description: Name of the compiler - example: Clang + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: enrichments.pe.compiler.version - level: extended + - name: indicator.as.hive + level: core type: keyword ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: enrichments.pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' + - name: indicator.as.key + level: core + type: wildcard + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.pe.debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' + - name: indicator.as.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: enrichments.pe.debug.offset - level: extended + - name: indicator.as.value + level: core type: keyword ignore_above: 1024 - description: Debug offset information. - example: 1296336 - default_field: false - - name: enrichments.pe.debug.size - level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 - default_field: false - - name: enrichments.pe.debug.timestamp - level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' + description: Name of the value written. + example: Debugger default_field: false - - name: enrichments.pe.debug.type + - name: indicator.confidence level: extended type: keyword ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: enrichments.pe.description + - name: indicator.description level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. 
- example: Paint + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: enrichments.pe.entry_point + - name: indicator.email.address level: extended type: keyword ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com default_field: false - - name: enrichments.pe.exports + - name: indicator.file.accessed level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' default_field: false - - name: enrichments.pe.file_version + - name: indicator.file.attributes level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' default_field: false - - name: enrichments.pe.icon.hash.dhash + - name: indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 + description: 'The identifier used to sign the process. 
+ + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: enrichments.pe.imphash + - name: indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + description: 'Additional information about the certificate status. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - default_field: false - - name: enrichments.pe.imports - level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.pe.machine_type - level: extended + - name: indicator.file.code_signature.subject_name + level: core type: keyword ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - default_field: false - - name: enrichments.pe.original_file_name - level: extended - type: wildcard - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: Subject name of the code signer + example: Microsoft Corporation default_field: false - - name: enrichments.pe.packers + - name: indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: List of packers and tools used. 
- example: '["ASPack v2.12", ".NET executable"]' + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: enrichments.pe.product + - name: indicator.file.code_signature.trusted level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: enrichments.pe.resources + - name: indicator.file.code_signature.valid level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. - The expected fields for this nested object fall under the `resources.` prefix.' + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: enrichments.pe.resources.chi2 + - name: indicator.file.created level: extended - type: long - description: Chi-square probability distribution. - example: -1 + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' default_field: false - - name: enrichments.pe.resources.entropy + - name: indicator.file.ctime level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. 
This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: enrichments.pe.resources.filetype + - name: indicator.file.device level: extended type: keyword ignore_above: 1024 - description: File type of the resources section. - example: Data + description: Device that is the source of the file. + example: sda default_field: false - - name: enrichments.pe.resources.language + - name: indicator.file.directory + level: extended + type: wildcard + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: indicator.file.drive_letter level: extended type: keyword - ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: enrichments.pe.resources.sha256 + - name: indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: enrichments.pe.resources.type + - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: enrichments.pe.rich_header.hash.md5 + - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: MD5 hash of the header for the PE file. 
- example: 5aa1aa0f2b4be70397a1e9e2b87627cd - default_field: false - - name: enrichments.pe.sections - level: extended - type: nested - description: Data about sections of compiled binary PE + description: CPU type of the ELF file. + example: Intel default_field: false - - name: enrichments.pe.sections.chi2 + - name: indicator.file.elf.creation_date level: extended - type: long - description: Chi-square probability distribution. - example: 3027194 + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. default_field: false - - name: enrichments.pe.sections.entropy + - name: indicator.file.elf.exports level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 + type: flattened + description: List of exported element names and types. default_field: false - - name: enrichments.pe.sections.flags + - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: Section flags of the file. - example: rx + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: enrichments.pe.sections.name + - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 - description: Section names of the file. - example: .text, .data + description: Header class of the ELF file. default_field: false - - name: enrichments.pe.sections.raw_size + - name: indicator.file.elf.header.data level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. default_field: false - - name: enrichments.pe.sections.virtual_address + - name: indicator.file.elf.header.entrypoint level: extended type: long - format: bytes - description: Virtual address available to the file. 
- example: 8192 + format: string + description: Header entrypoint of the ELF file. default_field: false - - name: enrichments.registry.data.bytes + - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: enrichments.registry.data.strings - level: core - type: wildcard - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + description: '"0x1" for original ELF files.' default_field: false - - name: enrichments.registry.data.type - level: core + - name: indicator.file.elf.header.os_abi + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: enrichments.registry.hive - level: core + - name: indicator.file.elf.header.type + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM - default_field: false - - name: enrichments.registry.key - level: core - type: wildcard - description: Hive-relative path of keys. 
- example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - default_field: false - - name: enrichments.registry.path - level: core - type: wildcard - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: Header type of the ELF file. default_field: false - - name: enrichments.registry.value - level: core + - name: indicator.file.elf.header.version + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger + description: Version of the ELF header. default_field: false - - name: enrichments.url.domain + - name: indicator.file.elf.imports level: extended - type: wildcard - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co + type: flattened + description: List of imported element names and types. default_field: false - - name: enrichments.url.extension + - name: indicator.file.elf.sections level: extended - type: keyword - ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". + type: nested + description: 'An array containing an object for each section of the ELF file. - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' 
- example: png + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - - name: enrichments.url.fragment + - name: indicator.file.elf.sections.chi2 level: extended - type: keyword - ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' + type: long + format: number + description: Chi-square probability distribution of the section. default_field: false - - name: enrichments.url.full + - name: indicator.file.elf.sections.entropy level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: enrichments.url.original + - name: indicator.file.elf.sections.flags level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + type: keyword + ignore_above: 1024 + description: ELF Section List flags. default_field: false - - name: enrichments.url.password + - name: indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: Password of the request. + description: ELF Section List name. 
default_field: false - - name: enrichments.url.path + - name: indicator.file.elf.sections.physical_offset level: extended - type: wildcard - description: Path of the request, such as "/search". + type: keyword + ignore_above: 1024 + description: ELF Section List offset. default_field: false - - name: enrichments.url.port + - name: indicator.file.elf.sections.physical_size level: extended type: long - format: string - description: Port of the request, such as 443. - example: 443 + format: bytes + description: ELF Section List physical size. default_field: false - - name: enrichments.url.query + - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' - default_field: false - - name: enrichments.url.registered_domain - level: extended - type: wildcard - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + description: ELF Section List type. default_field: false - - name: enrichments.url.scheme + - name: indicator.file.elf.sections.virtual_address level: extended - type: keyword - ignore_above: 1024 - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https + type: long + format: string + description: ELF Section List virtual address. 
default_field: false - - name: enrichments.url.subdomain + - name: indicator.file.elf.sections.virtual_size level: extended - type: keyword - ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + type: long + format: string + description: ELF Section List virtual size. default_field: false - - name: enrichments.url.top_level_domain + - name: indicator.file.elf.segments level: extended - type: keyword - ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". + type: nested + description: 'An array containing an object for each segment of the ELF file. - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: enrichments.url.username + - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: Username of the request. + description: ELF object segment sections. 
default_field: false - - name: enrichments.x509.alternative_names + - name: indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' + description: ELF object segment type. default_field: false - - name: enrichments.x509.issuer.common_name + - name: indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA + description: List of shared libraries used by this ELF object. default_field: false - - name: enrichments.x509.issuer.country + - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: List of country (C) codes - example: US + description: telfhash symbol hash for ELF file. default_field: false - - name: enrichments.x509.issuer.distinguished_name + - name: indicator.file.extension level: extended - type: wildcard - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: enrichments.x509.issuer.locality + - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 - description: List of locality names (L) - example: Mountain View + description: Primary group ID (GID) of the file. 
+ example: '1001' default_field: false - - name: enrichments.x509.issuer.organization + - name: indicator.file.group level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc + description: Primary group name of the file. + example: alice default_field: false - - name: enrichments.x509.issuer.organizational_unit + - name: indicator.file.inode level: extended type: keyword ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: enrichments.x509.issuer.state_or_province + - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. default_field: false - - name: enrichments.x509.not_after + - name: indicator.file.mode level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' default_field: false - - name: enrichments.x509.not_before + - name: indicator.file.mtime level: extended type: date - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 + description: Last time the file content was modified. 
default_field: false - - name: enrichments.x509.public_key_algorithm + - name: indicator.file.name level: extended type: keyword ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA + description: Name of the file including the extension, without the directory. + example: example.png default_field: false - - name: enrichments.x509.public_key_curve + - name: indicator.file.owner level: extended type: keyword ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 + description: File owner's username. + example: alice default_field: false - - name: enrichments.x509.public_key_exponent + - name: indicator.file.path level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - index: false - doc_values: false + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png default_field: false - - name: enrichments.x509.public_key_size + - name: indicator.file.size level: extended type: long - description: The size of the public key space in bits. - example: 2048 + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: enrichments.x509.serial_number + - name: indicator.file.target_path level: extended - type: keyword - ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. 
default_field: false - - name: enrichments.x509.signature_algorithm + - name: indicator.file.type level: extended type: keyword ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA + description: File type (file, dir, or symlink). + example: file default_field: false - - name: enrichments.x509.subject.common_name + - name: indicator.file.uid level: extended type: keyword ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' default_field: false - - name: enrichments.x509.subject.country + - name: indicator.first_seen level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core type: keyword ignore_above: 1024 - description: List of country (C) code - example: US - default_field: false - - name: enrichments.x509.subject.distinguished_name - level: extended - type: wildcard - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + description: City name. + example: Montreal default_field: false - - name: enrichments.x509.subject.locality - level: extended + - name: indicator.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: List of locality names (L) - example: San Francisco + description: Two-letter code representing continent's name. 
+ example: NA default_field: false - - name: enrichments.x509.subject.organization - level: extended + - name: indicator.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. + description: Name of the continent. + example: North America default_field: false - - name: enrichments.x509.subject.organizational_unit - level: extended + - name: indicator.geo.country_iso_code + level: core type: keyword ignore_above: 1024 - description: List of organizational units (OU) of subject. + description: Country ISO code. + example: CA default_field: false - - name: enrichments.x509.subject.state_or_province - level: extended + - name: indicator.geo.country_name + level: core type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: Country name. + example: Canada default_field: false - - name: enrichments.x509.version_number + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: indicator.geo.postal_code + level: core type: keyword ignore_above: 1024 - description: Version of x509 format. - example: 3 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' 
+ example: 94040 default_field: false - - name: framework - level: extended + - name: indicator.geo.region_iso_code + level: core type: keyword ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias - level: extended + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core type: keyword ignore_above: 1024 - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' + description: Region name. + example: Quebec default_field: false - - name: group.id - level: extended + - name: indicator.geo.timezone + level: core type: keyword ignore_above: 1024 - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: group.name + - name: indicator.hash.md5 level: extended type: keyword ignore_above: 1024 - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 + description: MD5 hash. 
default_field: false - - name: group.reference + - name: indicator.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ + description: SHA1 hash. default_field: false - - name: indicator.confidence + - name: indicator.hash.sha256 level: extended type: keyword ignore_above: 1024 - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High + description: SHA256 hash. default_field: false - - name: indicator.description + - name: indicator.hash.sha512 level: extended type: keyword ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. + description: SHA512 hash. default_field: false - - name: indicator.email.address + - name: indicator.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - default_field: false - - name: indicator.first_seen - level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + description: SSDEEP hash. default_field: false - name: indicator.ip level: extended 
@@ -9839,6 +9716,20 @@ direction). example: 443 default_field: false + - name: indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus + default_field: false + - name: indicator.reference + level: extended + type: keyword + ignore_above: 1024 + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + default_field: false - name: indicator.scanner_stats level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 32657a341c..e0b8aaffdb 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -991,110 +991,28 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 2.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. -2.0.0-dev+exp,true,threat,threat.enrichments.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev+exp,true,threat,threat.enrichments.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev+exp,true,threat,threat.enrichments.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev+exp,true,threat,threat.enrichments.event.action,keyword,core,,user-password-change,The action captured by the event. -2.0.0-dev+exp,true,threat,threat.enrichments.event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -2.0.0-dev+exp,true,threat,threat.enrichments.event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -2.0.0-dev+exp,true,threat,threat.enrichments.event.code,keyword,extended,,4648,Identification code for this event. -2.0.0-dev+exp,true,threat,threat.enrichments.event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -2.0.0-dev+exp,true,threat,threat.enrichments.event.dataset,keyword,core,,apache.access,Name of the dataset. -2.0.0-dev+exp,true,threat,threat.enrichments.event.duration,long,core,,,Duration of the event in nanoseconds. -2.0.0-dev+exp,true,threat,threat.enrichments.event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
-2.0.0-dev+exp,true,threat,threat.enrichments.event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -2.0.0-dev+exp,true,threat,threat.enrichments.event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -2.0.0-dev+exp,true,threat,threat.enrichments.event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -2.0.0-dev+exp,true,threat,threat.enrichments.event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -2.0.0-dev+exp,true,threat,threat.enrichments.event.module,keyword,core,,apache,Name of the module this data is coming from. -2.0.0-dev+exp,false,threat,threat.enrichments.event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -2.0.0-dev+exp,true,threat,threat.enrichments.event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -2.0.0-dev+exp,true,threat,threat.enrichments.event.provider,keyword,extended,,kernel,Source of the event. -2.0.0-dev+exp,true,threat,threat.enrichments.event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -2.0.0-dev+exp,true,threat,threat.enrichments.event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -2.0.0-dev+exp,true,threat,threat.enrichments.event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -2.0.0-dev+exp,true,threat,threat.enrichments.event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -2.0.0-dev+exp,true,threat,threat.enrichments.event.sequence,long,extended,,,Sequence number of the event. 
-2.0.0-dev+exp,true,threat,threat.enrichments.event.severity,long,core,,7,Numeric severity of the event. -2.0.0-dev+exp,true,threat,threat.enrichments.event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -2.0.0-dev+exp,true,threat,threat.enrichments.event.timezone,keyword,extended,,,Event time zone. -2.0.0-dev+exp,true,threat,threat.enrichments.event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -2.0.0-dev+exp,true,threat,threat.enrichments.event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -2.0.0-dev+exp,true,threat,threat.enrichments.file.accessed,date,extended,,,Last time the file was accessed. -2.0.0-dev+exp,true,threat,threat.enrichments.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. 
-2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev+exp,true,threat,threat.enrichments.file.created,date,extended,,,File creation time. -2.0.0-dev+exp,true,threat,threat.enrichments.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -2.0.0-dev+exp,true,threat,threat.enrichments.file.device,keyword,extended,,sda,Device that is the source of the file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -2.0.0-dev+exp,true,threat,threat.enrichments.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.creation_date,date,extended,,,Build or compile date. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.exports,flattened,extended,array,,List of exported element names and types. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
-2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.version,keyword,extended,,,Version of the ELF header. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.imports,flattened,extended,array,,List of imported element names and types. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections,nested,extended,array,,Section information of the ELF file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.name,keyword,extended,,,ELF Section List name. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.type,keyword,extended,,,ELF Section List type. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.segments,nested,extended,array,,ELF object segment list. 
-2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.segments.type,keyword,extended,,,ELF object segment type. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -2.0.0-dev+exp,true,threat,threat.enrichments.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.group,keyword,extended,,alice,Primary group name of the file. -2.0.0-dev+exp,true,threat,threat.enrichments.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -2.0.0-dev+exp,true,threat,threat.enrichments.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -2.0.0-dev+exp,true,threat,threat.enrichments.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -2.0.0-dev+exp,true,threat,threat.enrichments.file.mtime,date,extended,,,Last time the file content was modified. -2.0.0-dev+exp,true,threat,threat.enrichments.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -2.0.0-dev+exp,true,threat,threat.enrichments.file.owner,keyword,extended,,alice,File owner's username. -2.0.0-dev+exp,true,threat,threat.enrichments.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev+exp,true,threat,threat.enrichments.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev+exp,true,threat,threat.enrichments.file.size,long,extended,,16384,File size in bytes. 
-2.0.0-dev+exp,true,threat,threat.enrichments.file.target_path,wildcard,extended,,,Target path for symlinks. -2.0.0-dev+exp,true,threat,threat.enrichments.file.target_path.text,text,extended,,,Target path for symlinks. -2.0.0-dev+exp,true,threat,threat.enrichments.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -2.0.0-dev+exp,true,threat,threat.enrichments.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.continent_code,keyword,core,,NA,Continent code. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.postal_code,keyword,core,,94040,Postal code. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev+exp,true,threat,threat.enrichments.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -2.0.0-dev+exp,true,threat,threat.enrichments.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev+exp,true,threat,threat.enrichments.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev+exp,true,threat,threat.enrichments.hash.sha256,keyword,extended,,,SHA256 hash. 
-2.0.0-dev+exp,true,threat,threat.enrichments.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev+exp,true,threat,threat.enrichments.hash.ssdeep,keyword,extended,,,SSDEEP hash. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Indicators +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,High,Indicator confidence rating +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator 2.0.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value 2.0.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field 2.0.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier 
@@ -1190,15 +1108,99 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. 2.0.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 2.0.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +2.0.0-dev+exp,true,threat,threat.indicator.as.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,threat,threat.indicator.as.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev+exp,true,threat,threat.indicator.as.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,threat,threat.indicator.as.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,threat,threat.indicator.as.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,threat,threat.indicator.as.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,threat,threat.indicator.as.value,keyword,core,,Debugger,Name of the value written. 2.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating 2.0.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 2.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +2.0.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. 
+2.0.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +2.0.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +2.0.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +2.0.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +2.0.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
+2.0.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. 
+2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +2.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +2.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +2.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +2.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +2.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. 
+2.0.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +2.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +2.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +2.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +2.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +2.0.0-dev+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +2.0.0-dev+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +2.0.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 2.0.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +2.0.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +2.0.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. 
+2.0.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +2.0.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +2.0.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. 2.0.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 2.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 2.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking 2.0.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
2.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +2.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +2.0.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL 2.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 2a9f674dd7..2dc1c246b2 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -2644,8 +2644,8 @@ event.module: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may be + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, 
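Review bot: The new `threat.indicator.as.*` rows in this hunk carry registry field names (`as.data.bytes`, `as.hive`, `as.key`, `as.path`, `as.value`) and registry examples (`HKLM`, `REG_SZ`, `Debugger`), while no `threat.indicator.as.number` or `threat.indicator.as.organization.name` row appears between `as.key` and `as.path` where sorted output would place them; the same pattern shows in the preceding hunk for `threat.enrichments.indicator.as.*`. This looks like the registry fieldset's reuse entry was given `as: as` instead of `as: registry`, so the generator nested registry under `as` and the autonomous-system fields were dropped — the correction belongs in the schema reuse entries (`as: registry` with matching beta text), not in this generated CSV; the other reused fieldsets that appear with the wrong `as:` value should be checked the same way. Regenerating after that fix should yield `threat.indicator.registry.*` rows plus the two `threat.indicator.as.*` ASN rows, and the CSV here should not be hand-edited.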
@@ -12298,2267 +12298,1499 @@ threat.enrichments: normalize: [] short: List of indicators enriching the event. type: nested -threat.enrichments.as.number: - dashed_name: threat-enrichments-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: threat.enrichments.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -threat.enrichments.as.organization.name: - dashed_name: threat-enrichments-as-organization-name - description: Organization name. - example: Google LLC - flat_name: threat.enrichments.as.organization.name - level: extended - multi_fields: - - flat_name: threat.enrichments.as.organization.name.text - name: text - norms: false - type: text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: wildcard -threat.enrichments.event.action: - dashed_name: threat-enrichments-event-action - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is normally - defined by the implementer.' - example: user-password-change - flat_name: threat.enrichments.event.action - ignore_above: 1024 - level: core - name: action - normalize: [] - original_fieldset: event - short: The action captured by the event. - type: keyword -threat.enrichments.event.agent_id_status: - dashed_name: threat-enrichments-event-agent-id-status - description: 'Agents are normally responsible for populating the `agent.id` field - value. If the system receiving events is capable of validating the value based - on authentication information for the client then this field can be used to reflect - the outcome of that validation. 
- - For example if the agent''s connection is authenticated with mTLS and the client - cert contains the ID of the agent to which the cert was issued then the `agent.id` - value in events can be checked against the certificate. If the values match then - `event.agent_id_status: verified` is added to the event, otherwise one of the - other allowed values should be used. - - If no validation is performed then the field should be omitted. - - The allowed values are: - - `verified` - The `agent.id` field value matches expected value obtained from auth - metadata. - - `mismatch` - The `agent.id` field value does not match the expected value obtained - from auth metadata. - - `missing` - There was no `agent.id` field in the event to validate. - - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - flat_name: threat.enrichments.event.agent_id_status - ignore_above: 1024 - level: extended - name: agent_id_status - normalize: [] - original_fieldset: event - short: Validation status of the event's agent.id field. - type: keyword -threat.enrichments.event.category: - allowed_values: - - description: Events in this category are related to the challenge and response - process in which credentials are supplied and verified to allow the creation - of a session. Common sources for these logs are Windows event logs and ssh logs. - Visualize and analyze events in this category to look for failed logins, and - other authentication-related activity. - expected_event_types: - - start - - end - - info - name: authentication - - description: 'Events in the configuration category have to deal with creating, - modifying, or deleting the settings or parameters of an application, process, - or system. - - Example sources include security policy change logs, configuration auditing - logging, and system integrity monitoring.' 
- expected_event_types: - - access - - change - - creation - - deletion - - info - name: configuration - - description: The database category denotes events and metrics relating to a data - storage and retrieval system. Note that use of this category is not limited - to relational database systems. Examples include event logs from MS SQL, MySQL, - Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database - activity such as accesses and changes. - expected_event_types: - - access - - change - - info - - error - name: database - - description: 'Events in the driver category have to do with operating system device - drivers and similar software entities such as Windows drivers, kernel extensions, - kernel modules, etc. - - Use events and metrics in this category to visualize and analyze driver-related - activity and status on hosts.' - expected_event_types: - - change - - end - - info - - start - name: driver - - description: Relating to a set of information that has been created on, or has - existed on a filesystem. Use this category of events to visualize and analyze - the creation, access, and deletions of files. Events in this category can come - from both host-based and network-based sources. An example source of a network-based - detection of a file transfer would be the Zeek file.log. - expected_event_types: - - change - - creation - - deletion - - info - name: file - - description: 'Use this category to visualize and analyze information such as host - inventory or host lifecycle events. - - Most of the events in this category can usually be observed from the outside, - such as from a hypervisor or a control plane''s point of view. Some can also - be seen from within, such as "start" or "end". - - Note that this category is for information about hosts themselves; it is not - meant to capture activity "happening on a host".' 
- expected_event_types: - - access - - change - - end - - info - - start - name: host - - description: Identity and access management (IAM) events relating to users, groups, - and administration. Use this category to visualize and analyze IAM-related logs - and data from active directory, LDAP, Okta, Duo, and other IAM systems. - expected_event_types: - - admin - - change - - creation - - deletion - - group - - info - - user - name: iam - - description: Relating to intrusion detections from IDS/IPS systems and functions, - both network and host-based. Use this category to visualize and analyze intrusion - detection alerts from systems such as Snort, Suricata, and Palo Alto threat - detections. - expected_event_types: - - allowed - - denied - - info - name: intrusion_detection - - description: Malware detection events and alerts. Use this category to visualize - and analyze malware detections from EDR/EPP systems such as Elastic Endpoint - Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems - such as Suricata, or other sources of malware-related events such as Palo Alto - Networks threat logs and Wildfire logs. - expected_event_types: - - info - name: malware - - description: Relating to all network activity, including network connection lifecycle, - network traffic, and essentially any event that includes an IP address. Many - events containing decoded network protocol transactions fit into this category. - Use events in this category to visualize or analyze counts of network ports, - protocols, addresses, geolocation information, etc. - expected_event_types: - - access - - allowed - - connection - - denied - - end - - info - - protocol - - start - name: network - - description: Relating to software packages installed on hosts. Use this category - to visualize and analyze inventory of software installed on various hosts, or - to determine host vulnerability in the absence of vulnerability scan data. 
- expected_event_types: - - access - - change - - deletion - - info - - installation - - start - name: package - - description: Use this category of events to visualize and analyze process-specific - information such as lifecycle events or process ancestry. - expected_event_types: - - access - - change - - end - - info - - start - name: process - - description: Having to do with settings and assets stored in the Windows registry. - Use this category to visualize and analyze activity such as registry access - and modifications. - expected_event_types: - - access - - change - - creation - - deletion - name: registry - - description: The session category is applied to events and metrics regarding logical - persistent connections to hosts and services. Use this category to visualize - and analyze interactive or automated persistent connections between assets. - Data for this category may come from Windows Event logs, SSH logs, or stateless - sessions such as HTTP cookie-based sessions, etc. - expected_event_types: - - start - - end - - info - name: session - - description: 'Relating to web server access. Use this category to create a dashboard - of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: - events from network observers such as Zeek http log may also be included in - this category.' - expected_event_types: - - access - - error - - info - name: web - dashed_name: threat-enrichments-event-category - description: 'This is one of four ECS Categorization Fields, and indicates the second - level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process activity. - This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that - fall in multiple categories.' 
- example: authentication - flat_name: threat.enrichments.event.category - ignore_above: 1024 - level: core - name: category - normalize: - - array - original_fieldset: event - short: Event category. The second categorization field in the hierarchy. - type: keyword -threat.enrichments.event.code: - dashed_name: threat-enrichments-event-code - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is the - Windows Event ID.' - example: 4648 - flat_name: threat.enrichments.event.code - ignore_above: 1024 - level: extended - name: code - normalize: [] - original_fieldset: event - short: Identification code for this event. - type: keyword -threat.enrichments.event.created: - dashed_name: threat-enrichments-event-created - description: 'event.created contains the date/time when the event was first read - by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain the - time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, and - the time when your agent first processed it. This can be used to monitor your - agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' - flat_name: threat.enrichments.event.created - level: core - name: created - normalize: [] - original_fieldset: event - short: Time when the event was first read by an agent or by your pipeline. - type: date -threat.enrichments.event.dataset: - dashed_name: threat-enrichments-event-dataset - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. 
access - log, error log), the dataset is used to specify which one the event comes from. - - It''s recommended but not required to start the dataset name with the module name, - followed by a dot, then the dataset name.' - example: apache.access - flat_name: threat.enrichments.event.dataset - ignore_above: 1024 - level: core - name: dataset - normalize: [] - original_fieldset: event - short: Name of the dataset. - type: keyword -threat.enrichments.event.duration: - dashed_name: threat-enrichments-event-duration - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference between - the end and start time.' - flat_name: threat.enrichments.event.duration - format: duration - input_format: nanoseconds - level: core - name: duration - normalize: [] - original_fieldset: event - output_format: asMilliseconds - output_precision: 1 - short: Duration of the event in nanoseconds. - type: long -threat.enrichments.event.end: - dashed_name: threat-enrichments-event-end - description: event.end contains the date when the event ended or when the activity - was last observed. - flat_name: threat.enrichments.event.end - level: extended - name: end - normalize: [] - original_fieldset: event - short: event.end contains the date when the event ended or when the activity was - last observed. - type: date -threat.enrichments.event.hash: - dashed_name: threat-enrichments-event-hash - description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. - example: 123456789012345678901234567890ABCD - flat_name: threat.enrichments.event.hash - ignore_above: 1024 - level: extended - name: hash - normalize: [] - original_fieldset: event - short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. - type: keyword -threat.enrichments.event.id: - dashed_name: threat-enrichments-event-id - description: Unique ID to describe the event. 
- example: 8a4f500d - flat_name: threat.enrichments.event.id - ignore_above: 1024 - level: core - name: id - normalize: [] - original_fieldset: event - short: Unique ID to describe the event. - type: keyword -threat.enrichments.event.ingested: - dashed_name: threat-enrichments-event-ingested - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' - flat_name: threat.enrichments.event.ingested - level: core - name: ingested - normalize: [] - original_fieldset: event - short: Timestamp when an event arrived in the central data store. - type: date -threat.enrichments.event.kind: - allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. - - `event.kind:alert` is often populated for events coming from firewalls, intrusion - detection systems, endpoint detection and response systems, and so on.' - name: alert - - description: This value is the most general and most common value for this field. - It is used to represent events that indicate that something happened. - name: event - - description: 'This value is used to indicate that this event describes a numeric - measurement taken at given point in time. - - Examples include CPU utilization, memory usage, or device temperature. - - Metric events are often collected on a predictable frequency, such as once every - few seconds, or once a minute, but can also be used to describe ad-hoc numeric - metric queries.' 
- name: metric - - description: 'The state value is similar to metric, indicating that this event - describes a measurement taken at given point in time, except that the measurement - does not result in a numeric value, but rather one of a fixed set of categorical - values that represent conditions or states. - - Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), - the state of a TCP connection (open, closed, fin_wait, etc.), the state of a - host with respect to a software vulnerability (vulnerable, not vulnerable), - and the state of a system regarding compliance with a regulatory standard (compliant, - not compliant). - - Note that an event that describes a change of state would not use `event.kind:state`, - but instead would use ''event.kind:event'' since a state change fits the more - general event definition of something that happened. - - State events are often collected on a predictable frequency, such as once every - few seconds, once a minute, once an hour, or once a day, but can also be used - to describe ad-hoc state queries.' - name: state - - description: This value indicates that an error occurred during the ingestion - of this event, and that event data may be missing, inconsistent, or incorrect. - `event.kind:pipeline_error` is often associated with parsing errors. - name: pipeline_error - - description: 'This value is used by the Elastic Security app to denote an Elasticsearch - document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful happened - and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' - name: signal - dashed_name: threat-enrichments-event-kind - description: 'This is one of four ECS Categorization Fields, and indicates the highest - level in the ECS category hierarchy. 
- - `event.kind` gives high-level information about what type of information the event - contains, without being specific to the contents of the event. For example, values - of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, it - may also help understand whether the data coming in at a regular interval or not.' - example: alert - flat_name: threat.enrichments.event.kind - ignore_above: 1024 - level: core - name: kind - normalize: [] - original_fieldset: event - short: The kind of the event. The highest categorization field in the hierarchy. - type: keyword -threat.enrichments.event.module: - dashed_name: threat-enrichments-event-module - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain the - name of this module.' - example: apache - flat_name: threat.enrichments.event.module - ignore_above: 1024 - level: core - name: module - normalize: [] - original_fieldset: event - short: Name of the module this data is coming from. - type: keyword -threat.enrichments.event.original: - dashed_name: threat-enrichments-event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may be - required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and index - this field, please see `Field data types` in the `Elasticsearch Reference`.' 
- doc_values: false - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - flat_name: threat.enrichments.event.original - index: false - level: core - name: original - normalize: [] - original_fieldset: event - short: Raw text message of entire event. - type: keyword -threat.enrichments.event.outcome: - allowed_values: - - description: Indicates that this event describes a failed result. A common example - is `event.category:file AND event.type:access AND event.outcome:failure` to - indicate that a file access was attempted, but was not successful. - name: failure - - description: Indicates that this event describes a successful result. A common - example is `event.category:file AND event.type:create AND event.outcome:success` - to indicate that a file was successfully created. - name: success - - description: Indicates that this event describes only an attempt for which the - result is unknown from the perspective of the event producer. For example, if - the event contains information only about the request side of a transaction - that results in a response, populating `event.outcome:unknown` in the request - event is appropriate. The unknown value should not be used when an outcome doesn't - make logical sense for the event. In such cases `event.outcome` should not be - populated. - name: unknown - dashed_name: threat-enrichments-event-outcome - description: 'This is one of four ECS Categorization Fields, and indicates the lowest - level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a failure - from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each event - may populate different values of `event.outcome`, according to their perspective. 
- - Also note that in the case of a compound event (a single event that contains multiple - logical events), this field should be populated with the value that best captures - the overall success or failure from the perspective of the event producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success - flat_name: threat.enrichments.event.outcome - ignore_above: 1024 - level: core - name: outcome - normalize: [] - original_fieldset: event - short: The outcome of the event. The lowest level categorization field in the hierarchy. - type: keyword -threat.enrichments.event.provider: - dashed_name: threat-enrichments-event-provider - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention the - source of an event. It can be the name of the software that generated the event - (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - flat_name: threat.enrichments.event.provider - ignore_above: 1024 - level: extended - name: provider - normalize: [] - original_fieldset: event - short: Source of the event. - type: keyword -threat.enrichments.event.reason: - dashed_name: threat-enrichments-event-reason - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` which - denied the request may also populate `event.reason` with the reason why (e.g. - `blocked site`).' 
- example: Terminated an unexpected process - flat_name: threat.enrichments.event.reason - ignore_above: 1024 - level: extended - name: reason - normalize: [] - original_fieldset: event - short: Reason why this event happened, according to the source - type: keyword -threat.enrichments.event.reference: - dashed_name: threat-enrichments-event-reference - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated by - `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - flat_name: threat.enrichments.event.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: event - short: Event reference URL - type: keyword -threat.enrichments.event.risk_score: - dashed_name: threat-enrichments-event-risk-score - description: Risk score or priority of the event (e.g. security solutions). Use - your system's original value here. - flat_name: threat.enrichments.event.risk_score - level: core - name: risk_score - normalize: [] - original_fieldset: event - short: Risk score or priority of the event (e.g. security solutions). Use your system's - original value here. - type: float -threat.enrichments.event.risk_score_norm: - dashed_name: threat-enrichments-event-risk-score-norm - description: 'Normalized risk score or priority of the event, on a scale of 0 to - 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - flat_name: threat.enrichments.event.risk_score_norm - level: extended - name: risk_score_norm - normalize: [] - original_fieldset: event - short: Normalized risk score or priority of the event (0-100). - type: float -threat.enrichments.event.sequence: - dashed_name: threat-enrichments-event-sequence - description: 'Sequence number of the event. 
- - The sequence number is a value published by some event sources, to make the exact - ordering of events unambiguous, regardless of the timestamp precision.' - flat_name: threat.enrichments.event.sequence - format: string - level: extended - name: sequence - normalize: [] - original_fieldset: event - short: Sequence number of the event. - type: long -threat.enrichments.event.severity: - dashed_name: threat-enrichments-event-severity - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and use - cases. It''s up to the implementer to make sure severities are consistent across - events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is - meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 - flat_name: threat.enrichments.event.severity - format: string - level: core - name: severity - normalize: [] - original_fieldset: event - short: Numeric severity of the event. - type: long -threat.enrichments.event.start: - dashed_name: threat-enrichments-event-start - description: event.start contains the date when the event started or when the activity - was first observed. - flat_name: threat.enrichments.event.start - level: extended - name: start - normalize: [] - original_fieldset: event - short: event.start contains the date when the event started or when the activity - was first observed. - type: date -threat.enrichments.event.timezone: - dashed_name: threat-enrichments-event-timezone - description: 'This field should be populated when the event''s timestamp does not - include timezone information already (e.g. default Syslog timestamps). It''s optional - otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. 
"Europe/Amsterdam"), abbreviated - (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - flat_name: threat.enrichments.event.timezone - ignore_above: 1024 - level: extended - name: timezone - normalize: [] - original_fieldset: event - short: Event time zone. - type: keyword -threat.enrichments.event.type: - allowed_values: - - description: The access event type is used for the subset of events within a category - that indicate that something was accessed. Common examples include `event.category:database - AND event.type:access`, or `event.category:file AND event.type:access`. Note - for file access, both directory listings and file opens should be included in - this subcategory. You can further distinguish access operations using the ECS - `event.action` field. - name: access - - description: 'The admin event type is used for the subset of events within a category - that are related to admin objects. For example, administrative changes within - an IAM framework that do not specifically affect a user or group (e.g., adding - new applications to a federation solution or connecting discrete forests in - Active Directory) would fall into this subcategory. Common example: `event.category:iam - AND event.type:change AND event.type:admin`. You can further distinguish admin - operations using the ECS `event.action` field.' - name: admin - - description: The allowed event type is used for the subset of events within a - category that indicate that something was allowed. Common examples include `event.category:network - AND event.type:connection AND event.type:allowed` (to indicate a network firewall - event for which the firewall disposition was to allow the connection to complete) - and `event.category:intrusion_detection AND event.type:allowed` (to indicate - a network intrusion prevention system event for which the IPS disposition was - to allow the connection to complete). 
You can further distinguish allowed operations - using the ECS `event.action` field, populating with values of your choosing, - such as "allow", "detect", or "pass". - name: allowed - - description: The change event type is used for the subset of events within a category - that indicate that something has changed. If semantics best describe an event - as modified, then include them in this subcategory. Common examples include - `event.category:process AND event.type:change`, and `event.category:file AND - event.type:change`. You can further distinguish change operations using the - ECS `event.action` field. - name: change - - description: Used primarily with `event.category:network` this value is used for - the subset of network traffic that includes sufficient information for the event - to be included in flow or connection analysis. Events in this subcategory will - contain at least source and destination IP addresses, source and destination - TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. - Events in this subcategory may contain unidirectional or bidirectional information, - including summary information. Use this subcategory to visualize and analyze - network connections. Flow analysis, including Netflow, IPFIX, and other flow-related - events fit in this subcategory. Note that firewall events from many Next-Generation - Firewall (NGFW) devices will also fit into this subcategory. A common filter - for flow/connection information would be `event.category:network AND event.type:connection - AND event.type:end` (to view or analyze all completed network connections, ignoring - mid-flow reports). You can further distinguish connection events using the ECS - `event.action` field, populating with values of your choosing, such as "timeout", - or "reset". - name: connection - - description: The "creation" event type is used for the subset of events within - a category that indicate that something was created. 
A common example is `event.category:file - AND event.type:creation`. - name: creation - - description: The deletion event type is used for the subset of events within a - category that indicate that something was deleted. A common example is `event.category:file - AND event.type:deletion` to indicate that a file has been deleted. - name: deletion - - description: The denied event type is used for the subset of events within a category - that indicate that something was denied. Common examples include `event.category:network - AND event.type:denied` (to indicate a network firewall event for which the firewall - disposition was to deny the connection) and `event.category:intrusion_detection - AND event.type:denied` (to indicate a network intrusion prevention system event - for which the IPS disposition was to deny the connection to complete). You can - further distinguish denied operations using the ECS `event.action` field, populating - with values of your choosing, such as "blocked", "dropped", or "quarantined". - name: denied - - description: The end event type is used for the subset of events within a category - that indicate something has ended. A common example is `event.category:process - AND event.type:end`. - name: end - - description: The error event type is used for the subset of events within a category - that indicate or describe an error. A common example is `event.category:database - AND event.type:error`. Note that pipeline errors that occur during the event - ingestion process should not use this `event.type` value. Instead, they should - use `event.kind:pipeline_error`. - name: error - - description: 'The group event type is used for the subset of events within a category - that are related to group objects. Common example: `event.category:iam AND event.type:creation - AND event.type:group`. You can further distinguish group operations using the - ECS `event.action` field.' 
- name: group - - description: The info event type is used for the subset of events within a category - that indicate that they are purely informational, and don't report a state change, - or any type of action. For example, an initial run of a file integrity monitoring - system (FIM), where an agent reports all files under management, would fall - into the "info" subcategory. Similarly, an event containing a dump of all currently - running processes (as opposed to reporting that a process started/ended) would - fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection - AND event.type:info`. - name: info - - description: The installation event type is used for the subset of events within - a category that indicate that something was installed. A common example is `event.category:package` - AND `event.type:installation`. - name: installation - - description: The protocol event type is used for the subset of events within a - category that indicate that they contain protocol details or analysis, beyond - simply identifying the protocol. Generally, network events that contain specific - protocol details will fall into this subcategory. A common example is `event.category:network - AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate - that the event is a network connection event sent at the end of a connection - that also includes a protocol detail breakdown). Note that events that only - indicate the name or id of the protocol should not use the protocol value. Further - note that when the protocol subcategory is used, the identified protocol is - populated in the ECS `network.protocol` field. - name: protocol - - description: The start event type is used for the subset of events within a category - that indicate something has started. A common example is `event.category:process - AND event.type:start`. 
- name: start - - description: 'The user event type is used for the subset of events within a category - that are related to user objects. Common example: `event.category:iam AND event.type:deletion - AND event.type:user`. You can further distinguish user operations using the - ECS `event.action` field.' - name: user - dashed_name: threat-enrichments-event-type - description: 'This is one of four ECS Categorization Fields, and indicates the third - level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along with - the `event.category` field values, enables filtering events down to a level appropriate - for single visualization. - - This field is an array. This will allow proper categorization of some events that - fall in multiple event types.' - flat_name: threat.enrichments.event.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: event - short: Event type. The third categorization field in the hierarchy. - type: keyword -threat.enrichments.event.url: - dashed_name: threat-enrichments-event-url - description: 'URL linking to an external system to continue investigation of this - event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - flat_name: threat.enrichments.event.url - ignore_above: 1024 - level: extended - name: url - normalize: [] - original_fieldset: event - short: Event investigation URL - type: keyword -threat.enrichments.file.accessed: - dashed_name: threat-enrichments-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' 
- flat_name: threat.enrichments.file.accessed - level: extended - name: accessed - normalize: [] - original_fieldset: file - short: Last time the file was accessed. - type: date -threat.enrichments.file.attributes: - dashed_name: threat-enrichments-file-attributes - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, execute, - hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.enrichments.file.attributes - ignore_above: 1024 - level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. - type: keyword -threat.enrichments.file.code_signature.exists: - dashed_name: threat-enrichments-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.enrichments.file.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -threat.enrichments.file.code_signature.signing_id: - dashed_name: threat-enrichments-file-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.enrichments.file.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -threat.enrichments.file.code_signature.status: - dashed_name: threat-enrichments-file-code-signature-status - description: 'Additional information about the certificate status. 
- - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.enrichments.file.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -threat.enrichments.file.code_signature.subject_name: - dashed_name: threat-enrichments-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.enrichments.file.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -threat.enrichments.file.code_signature.team_id: - dashed_name: threat-enrichments-file-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.enrichments.file.code_signature.team_id - ignore_above: 1024 - level: extended - name: team_id - normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. - type: keyword -threat.enrichments.file.code_signature.trusted: - dashed_name: threat-enrichments-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.enrichments.file.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. 
- type: boolean -threat.enrichments.file.code_signature.valid: - dashed_name: threat-enrichments-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.enrichments.file.code_signature.valid +threat.enrichments.indicator: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator + description: Indicators + flat_name: threat.enrichments.indicator level: extended - name: valid + name: enrichments.indicator normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -threat.enrichments.file.created: - dashed_name: threat-enrichments-file-created - description: 'File creation time. + short: Indicators + type: object +threat.enrichments.indicator.as.data.bytes: + dashed_name: threat-enrichments-indicator-as-data-bytes + description: 'Original bytes written with base64 encoding. - Note that not all filesystems store the creation time.' - flat_name: threat.enrichments.file.created + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.as.data.bytes + ignore_above: 1024 level: extended - name: created + name: data.bytes normalize: [] - original_fieldset: file - short: File creation time. - type: date -threat.enrichments.file.ctime: - dashed_name: threat-enrichments-file-ctime - description: 'Last time the file attributes or metadata changed. + original_fieldset: registry + short: Original bytes written with base64 encoding. 
+ type: keyword +threat.enrichments.indicator.as.data.strings: + dashed_name: threat-enrichments-indicator-as-data-strings + description: 'Content when writing string types. - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.enrichments.file.ctime - level: extended - name: ctime + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.as.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard +threat.enrichments.indicator.as.data.type: + dashed_name: threat-enrichments-indicator-as-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.as.data.type + ignore_above: 1024 + level: core + name: data.type normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date -threat.enrichments.file.device: - dashed_name: threat-enrichments-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.enrichments.file.device + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.enrichments.indicator.as.hive: + dashed_name: threat-enrichments-indicator-as-hive + description: Abbreviated name for the hive. 
+ example: HKLM + flat_name: threat.enrichments.indicator.as.hive ignore_above: 1024 - level: extended - name: device + level: core + name: hive normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword -threat.enrichments.file.directory: - dashed_name: threat-enrichments-file-directory - description: Directory where the file is located. It should include the drive letter, - when appropriate. - example: /home/alice - flat_name: threat.enrichments.file.directory - level: extended - name: directory +threat.enrichments.indicator.as.key: + dashed_name: threat-enrichments-indicator-as-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.as.key + level: core + name: key normalize: [] - original_fieldset: file - short: Directory where the file is located. + original_fieldset: registry + short: Hive-relative path of keys. type: wildcard -threat.enrichments.file.drive_letter: - dashed_name: threat-enrichments-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C - flat_name: threat.enrichments.file.drive_letter - ignore_above: 1 - level: extended - name: drive_letter +threat.enrichments.indicator.as.path: + dashed_name: threat-enrichments-indicator-as-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.as.path + level: core + name: path normalize: [] - original_fieldset: file - short: Drive letter where the file is located. 
+ original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.enrichments.indicator.as.value: + dashed_name: threat-enrichments-indicator-as-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.indicator.as.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. type: keyword -threat.enrichments.file.elf.architecture: - dashed_name: threat-enrichments-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.enrichments.file.elf.architecture +threat.enrichments.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n \ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.enrichments.indicator.confidence ignore_above: 1024 level: extended - name: architecture + name: enrichments.indicator.confidence normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + short: Indicator confidence rating type: keyword -threat.enrichments.file.elf.byte_order: - dashed_name: threat-enrichments-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.enrichments.file.elf.byte_order +threat.enrichments.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. 
+ flat_name: threat.enrichments.indicator.description ignore_above: 1024 level: extended - name: byte_order + name: enrichments.indicator.description normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + short: Indicator description type: keyword -threat.enrichments.file.elf.cpu_type: - dashed_name: threat-enrichments-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.enrichments.file.elf.cpu_type +threat.enrichments.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.enrichments.indicator.email.address ignore_above: 1024 level: extended - name: cpu_type + name: enrichments.indicator.email.address normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + short: Indicator email address type: keyword -threat.enrichments.file.elf.creation_date: - dashed_name: threat-enrichments-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: threat.enrichments.file.elf.creation_date +threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen level: extended - name: creation_date + name: enrichments.indicator.first_seen normalize: [] - original_fieldset: elf - short: Build or compile date. + short: Date/time indicator was first reported. 
type: date -threat.enrichments.file.elf.exports: - dashed_name: threat-enrichments-file-elf-exports - description: List of exported element names and types. - flat_name: threat.enrichments.file.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -threat.enrichments.file.elf.header.abi_version: - dashed_name: threat-enrichments-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.enrichments.file.elf.header.abi_version - ignore_above: 1024 +threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip level: extended - name: header.abi_version + name: enrichments.indicator.ip normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). - type: keyword -threat.enrichments.file.elf.header.class: - dashed_name: threat-enrichments-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.enrichments.file.elf.header.class - ignore_above: 1024 + short: Indicator IP address + type: ip +threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen level: extended - name: header.class + name: enrichments.indicator.last_seen normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
- type: keyword -threat.enrichments.file.elf.header.data: - dashed_name: threat-enrichments-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.enrichments.file.elf.header.data + short: Date/time indicator was last reported. + type: date +threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 level: extended - name: header.data + name: enrichments.indicator.marking.tlp normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + short: Indicator TLP marking type: keyword -threat.enrichments.file.elf.header.entrypoint: - dashed_name: threat-enrichments-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.enrichments.file.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -threat.enrichments.file.elf.header.object_version: - dashed_name: threat-enrichments-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.enrichments.file.elf.header.object_version - ignore_above: 1024 +threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at level: extended - name: header.object_version + name: enrichments.indicator.modified_at normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' 
- type: keyword -threat.enrichments.file.elf.header.os_abi: - dashed_name: threat-enrichments-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.enrichments.file.elf.header.os_abi - ignore_above: 1024 + short: Date/time indicator was last updated. + type: date +threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.enrichments.indicator.port level: extended - name: header.os_abi + name: enrichments.indicator.port normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -threat.enrichments.file.elf.header.type: - dashed_name: threat-enrichments-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.enrichments.file.elf.header.type + short: Indicator port + type: long +threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider ignore_above: 1024 level: extended - name: header.type + name: enrichments.indicator.provider normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + short: Indicator provider type: keyword -threat.enrichments.file.elf.header.version: - dashed_name: threat-enrichments-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.enrichments.file.elf.header.version +threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. 
+ example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference ignore_above: 1024 level: extended - name: header.version + name: enrichments.indicator.reference normalize: [] - original_fieldset: elf - short: Version of the ELF header. + short: Indicator reference URL type: keyword -threat.enrichments.file.elf.imports: - dashed_name: threat-enrichments-file-elf-imports - description: List of imported element names and types. - flat_name: threat.enrichments.file.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -threat.enrichments.file.elf.sections: - dashed_name: threat-enrichments-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: threat.enrichments.file.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -threat.enrichments.file.elf.sections.chi2: - dashed_name: threat-enrichments-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.enrichments.file.elf.sections.chi2 - format: number +threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats level: extended - name: sections.chi2 + name: enrichments.indicator.scanner_stats normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. 
- type: long -threat.enrichments.file.elf.sections.entropy: - dashed_name: threat-enrichments-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.enrichments.file.elf.sections.entropy - format: number + short: Scanner statistics + type: long +threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.enrichments.indicator.sightings level: extended - name: sections.entropy + name: enrichments.indicator.sightings normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. + short: Number of times indicator observed type: long -threat.enrichments.file.elf.sections.flags: - dashed_name: threat-enrichments-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.enrichments.file.elf.sections.flags +threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ + \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ + \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ + \ * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended - name: sections.flags + name: enrichments.indicator.type normalize: [] - original_fieldset: elf - short: ELF Section List flags. + short: Type of indicator type: keyword -threat.enrichments.file.elf.sections.name: - dashed_name: threat-enrichments-file-elf-sections-name - description: ELF Section List name. 
- flat_name: threat.enrichments.file.elf.sections.name +threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended - name: sections.name + name: enrichments.matched.atomic normalize: [] - original_fieldset: elf - short: ELF Section List name. + short: Matched indicator value type: keyword -threat.enrichments.file.elf.sections.physical_offset: - dashed_name: threat-enrichments-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.enrichments.file.elf.sections.physical_offset +threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field ignore_above: 1024 level: extended - name: sections.physical_offset + name: enrichments.matched.field normalize: [] - original_fieldset: elf - short: ELF Section List offset. + short: Matched indicator field type: keyword -threat.enrichments.file.elf.sections.physical_size: - dashed_name: threat-enrichments-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.enrichments.file.elf.sections.physical_size - format: bytes +threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. 
+ example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 level: extended - name: sections.physical_size + name: enrichments.matched.id normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -threat.enrichments.file.elf.sections.type: - dashed_name: threat-enrichments-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.enrichments.file.elf.sections.type + short: Matched indicator identifier + type: keyword +threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: sections.type + name: enrichments.matched.index normalize: [] - original_fieldset: elf - short: ELF Section List type. + short: Matched indicator index type: keyword -threat.enrichments.file.elf.sections.virtual_address: - dashed_name: threat-enrichments-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.enrichments.file.elf.sections.virtual_address - format: string +threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 level: extended - name: sections.virtual_address + name: enrichments.matched.type normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -threat.enrichments.file.elf.sections.virtual_size: - dashed_name: threat-enrichments-file-elf-sections-virtual-size - description: ELF Section List virtual size. 
- flat_name: threat.enrichments.file.elf.sections.virtual_size - format: string + short: Type of indicator match + type: keyword +threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.pe.architecture + ignore_above: 1024 level: extended - name: sections.virtual_size + name: architecture normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -threat.enrichments.file.elf.segments: - dashed_name: threat-enrichments-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: threat.enrichments.file.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -threat.enrichments.file.elf.segments.sections: - dashed_name: threat-enrichments-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.enrichments.file.elf.segments.sections + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash ignore_above: 1024 level: extended - name: segments.sections + name: authentihash normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: pe + short: Authentihash of the PE file. type: keyword -threat.enrichments.file.elf.segments.type: - dashed_name: threat-enrichments-file-elf-segments-type - description: ELF object segment type. 
- flat_name: threat.enrichments.file.elf.segments.type +threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.pe.company ignore_above: 1024 level: extended - name: segments.type + name: company normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword -threat.enrichments.file.elf.shared_libraries: - dashed_name: threat-enrichments-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.enrichments.file.elf.shared_libraries +threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name ignore_above: 1024 level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler type: keyword -threat.enrichments.file.elf.telfhash: - dashed_name: threat-enrichments-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.enrichments.file.elf.telfhash +threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. 
+ example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version ignore_above: 1024 level: extended - name: telfhash + name: compiler.version normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: pe + short: Version of the compiler. type: keyword -threat.enrichments.file.extension: - dashed_name: threat-enrichments-file-extension - description: 'File extension, excluding the leading dot. +threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.file.extension + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset ignore_above: 1024 level: extended - name: extension + name: debug.offset normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. + original_fieldset: pe + short: Debug offset information. 
type: keyword -threat.enrichments.file.gid: - dashed_name: threat-enrichments-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.enrichments.file.gid +threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type ignore_above: 1024 level: extended - name: gid + name: debug.type normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + original_fieldset: pe + short: Information type generated by the debug options. type: keyword -threat.enrichments.file.group: - dashed_name: threat-enrichments-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.enrichments.file.group +threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description ignore_above: 1024 level: extended - name: group + name: description normalize: [] - original_fieldset: file - short: Primary group name of the file. 
+ original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword -threat.enrichments.file.inode: - dashed_name: threat-enrichments-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.enrichments.file.inode +threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point ignore_above: 1024 level: extended - name: inode + name: entry_point normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. + original_fieldset: pe + short: Relative byte offset to the base of the PE file. type: keyword -threat.enrichments.file.mime_type: - dashed_name: threat-enrichments-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official - types], where possible. When more than one type is applicable, the most specific - type should be used. - flat_name: threat.enrichments.file.mime_type +threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports ignore_above: 1024 level: extended - name: mime_type - normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE type: keyword -threat.enrichments.file.mode: - dashed_name: threat-enrichments-file-mode - description: Mode of the file in octal representation. 
- example: '0640' - flat_name: threat.enrichments.file.mode +threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version ignore_above: 1024 level: extended - name: mode + name: file_version normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: pe + short: Process name. type: keyword -threat.enrichments.file.mtime: - dashed_name: threat-enrichments-file-mtime - description: Last time the file content was modified. - flat_name: threat.enrichments.file.mtime - level: extended - name: mtime - normalize: [] - original_fieldset: file - short: Last time the file content was modified. - type: date -threat.enrichments.file.name: - dashed_name: threat-enrichments-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.enrichments.file.name +threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: name + name: icon.hash.dhash normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword -threat.enrichments.file.owner: - dashed_name: threat-enrichments-file-owner - description: File owner's username. - example: alice - flat_name: threat.enrichments.file.owner +threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash ignore_above: 1024 level: extended - name: owner + name: imphash normalize: [] - original_fieldset: file - short: File owner's username. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -threat.enrichments.file.path: - dashed_name: threat-enrichments-file-path - description: Full path to the file, including the file name. It should include the - drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.enrichments.file.path +threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports level: extended - multi_fields: - - flat_name: threat.enrichments.file.path.text - name: text - norms: false - type: text - name: path + name: imports normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. - type: wildcard -threat.enrichments.file.size: - dashed_name: threat-enrichments-file-size - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.enrichments.file.size + original_fieldset: pe + short: List of all imported functions + type: flattened +threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. 
+ example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type + ignore_above: 1024 level: extended - name: size + name: machine_type normalize: [] - original_fieldset: file - short: File size in bytes. - type: long -threat.enrichments.file.target_path: - dashed_name: threat-enrichments-file-target-path - description: Target path for symlinks. - flat_name: threat.enrichments.file.target_path + original_fieldset: pe + short: Machine type of the PE file. + type: keyword +threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name level: extended - multi_fields: - - flat_name: threat.enrichments.file.target_path.text - name: text - norms: false - type: text - name: target_path + name: original_file_name normalize: [] - original_fieldset: file - short: Target path for symlinks. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: wildcard -threat.enrichments.file.type: - dashed_name: threat-enrichments-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.enrichments.file.type +threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers ignore_above: 1024 level: extended - name: type - normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. type: keyword -threat.enrichments.file.uid: - dashed_name: threat-enrichments-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. 
- example: '1001' - flat_name: threat.enrichments.file.uid +threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product ignore_above: 1024 level: extended - name: uid - normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. - type: keyword -threat.enrichments.geo.city_name: - dashed_name: threat-enrichments-geo-city-name - description: City name. - example: Montreal - flat_name: threat.enrichments.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword -threat.enrichments.geo.continent_code: - dashed_name: threat-enrichments-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.enrichments.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword -threat.enrichments.geo.continent_name: - dashed_name: threat-enrichments-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.enrichments.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword -threat.enrichments.geo.country_iso_code: - dashed_name: threat-enrichments-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.enrichments.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -threat.enrichments.geo.country_name: - dashed_name: threat-enrichments-geo-country-name - description: Country name. 
- example: Canada - flat_name: threat.enrichments.geo.country_name - ignore_above: 1024 - level: core - name: country_name + name: product normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword -threat.enrichments.geo.location: - dashed_name: threat-enrichments-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.enrichments.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -threat.enrichments.geo.name: - dashed_name: threat-enrichments-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. +threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.enrichments.geo.name + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. 
+ example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy level: extended - name: name + name: resources.entropy normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: wildcard -threat.enrichments.geo.postal_code: - dashed_name: threat-enrichments-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.enrichments.geo.postal_code + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 - level: core - name: postal_code + level: extended + name: resources.filetype normalize: [] - original_fieldset: geo - short: Postal code. + original_fieldset: pe + short: File type of the resources section. type: keyword -threat.enrichments.geo.region_iso_code: - dashed_name: threat-enrichments-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.enrichments.geo.region_iso_code +threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: resources.language normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: pe + short: Language identification. type: keyword -threat.enrichments.geo.region_name: - dashed_name: threat-enrichments-geo-region-name - description: Region name. 
- example: Quebec - flat_name: threat.enrichments.geo.region_name +threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 ignore_above: 1024 - level: core - name: region_name + level: extended + name: resources.sha256 normalize: [] - original_fieldset: geo - short: Region name. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword -threat.enrichments.geo.timezone: - dashed_name: threat-enrichments-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.enrichments.geo.timezone +threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. type: keyword -threat.enrichments.hash.md5: - dashed_name: threat-enrichments-hash-md5 - description: MD5 hash. - flat_name: threat.enrichments.hash.md5 +threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 ignore_above: 1024 level: extended - name: md5 + name: rich_header.hash.md5 normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: pe + short: MD5 hash of the header for the PE file. 
type: keyword -threat.enrichments.hash.sha1: - dashed_name: threat-enrichments-hash-sha1 - description: SHA1 hash. - flat_name: threat.enrichments.hash.sha1 - ignore_above: 1024 +threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections level: extended - name: sha1 + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 + level: extended + name: sections.chi2 normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -threat.enrichments.hash.sha256: - dashed_name: threat-enrichments-hash-sha256 - description: SHA256 hash. - flat_name: threat.enrichments.hash.sha256 - ignore_above: 1024 + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy level: extended - name: sha256 + name: sections.entropy normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -threat.enrichments.hash.sha512: - dashed_name: threat-enrichments-hash-sha512 - description: SHA512 hash. - flat_name: threat.enrichments.hash.sha512 + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. 
+ example: rx + flat_name: threat.enrichments.pe.sections.flags ignore_above: 1024 level: extended - name: sha512 + name: sections.flags normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: pe + short: Section flags of the file. type: keyword -threat.enrichments.hash.ssdeep: - dashed_name: threat-enrichments-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.hash.ssdeep +threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name ignore_above: 1024 level: extended - name: ssdeep + name: sections.name normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: pe + short: Section names of the file. type: keyword -threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic - ignore_above: 1024 +threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size + format: bytes level: extended - name: enrichments.matched.atomic + name: sections.raw_size normalize: [] - short: Matched indicator value - type: keyword -threat.enrichments.matched.field: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. 
- example: file.hash.sha256 - flat_name: threat.enrichments.matched.field + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long +threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes ignore_above: 1024 level: extended - name: enrichments.matched.field + name: data.bytes normalize: [] - short: Matched indicator field + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword -threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id +threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. 
+ For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard +threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type ignore_above: 1024 - level: extended - name: enrichments.matched.id + level: core + name: data.type normalize: [] - short: Matched indicator identifier + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword -threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index +threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.registry.hive ignore_above: 1024 - level: extended - name: enrichments.matched.index + level: core + name: hive normalize: [] - short: Matched indicator index + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword -threat.enrichments.matched.type: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched with - the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type +threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard +threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.registry.value ignore_above: 1024 - level: extended - name: enrichments.matched.type + level: core + name: value normalize: [] - short: Type of indicator match + original_fieldset: registry + short: Name of the value written. type: keyword -threat.enrichments.pe.architecture: - dashed_name: threat-enrichments-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.enrichments.pe.architecture - ignore_above: 1024 +threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. 
+ + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain level: extended - name: architecture + name: domain normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. - type: keyword -threat.enrichments.pe.authentihash: - dashed_name: threat-enrichments-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.pe.authentihash + original_fieldset: url + short: Domain of the url. + type: wildcard +threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension ignore_above: 1024 level: extended - name: authentihash + name: extension normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword -threat.enrichments.pe.company: - dashed_name: threat-enrichments-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.enrichments.pe.company +threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' 
+ flat_name: threat.enrichments.url.fragment ignore_above: 1024 level: extended - name: company + name: fragment normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword -threat.enrichments.pe.compile_timestamp: - dashed_name: threat-enrichments-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.compile_timestamp +threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full level: extended - name: compile_timestamp + multi_fields: + - flat_name: threat.enrichments.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date -threat.enrichments.pe.compiler.name: - dashed_name: threat-enrichments-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.enrichments.pe.compiler.name - ignore_above: 1024 + original_fieldset: url + short: Full unparsed URL. + type: wildcard +threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original level: extended - name: compiler.name + multi_fields: + - flat_name: threat.enrichments.url.original.text + name: text + norms: false + type: text + name: original normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword -threat.enrichments.pe.compiler.version: - dashed_name: threat-enrichments-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.enrichments.pe.compiler.version + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: wildcard +threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password ignore_above: 1024 level: extended - name: compiler.version + name: password normalize: [] - original_fieldset: pe - short: Version of the compiler. + original_fieldset: url + short: Password of the request. type: keyword -threat.enrichments.pe.creation_date: - dashed_name: threat-enrichments-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.creation_date +threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path level: extended - name: creation_date + name: path normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -threat.enrichments.pe.debug: - dashed_name: threat-enrichments-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: threat.enrichments.pe.debug + original_fieldset: url + short: Path of the request, such as "/search". + type: wildcard +threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -threat.enrichments.pe.debug.offset: - dashed_name: threat-enrichments-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.enrichments.pe.debug.offset + name: port + normalize: [] + original_fieldset: url + short: Port of the request, such as 443. + type: long +threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. The `exists` query can be used to differentiate between the two + cases.' + flat_name: threat.enrichments.url.query ignore_above: 1024 level: extended - name: debug.offset + name: query normalize: [] - original_fieldset: pe - short: Debug offset information. + original_fieldset: url + short: Query string of the request. type: keyword -threat.enrichments.pe.debug.size: - dashed_name: threat-enrichments-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.enrichments.pe.debug.size - format: bytes +threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". 
+ + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain level: extended - name: debug.size + name: registered_domain normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -threat.enrichments.pe.debug.timestamp: - dashed_name: threat-enrichments-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.debug.timestamp + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: wildcard +threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme + ignore_above: 1024 level: extended - name: debug.timestamp + name: scheme normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -threat.enrichments.pe.debug.type: - dashed_name: threat-enrichments-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.pe.debug.type + original_fieldset: url + short: Scheme of the url. + type: keyword +threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain ignore_above: 1024 level: extended - name: debug.type + name: subdomain normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. + original_fieldset: url + short: The subdomain of the domain. type: keyword -threat.enrichments.pe.description: - dashed_name: threat-enrichments-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.enrichments.pe.description +threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain ignore_above: 1024 level: extended - name: description + name: top_level_domain normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.enrichments.pe.entry_point: - dashed_name: threat-enrichments-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.enrichments.pe.entry_point +threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. 
+ flat_name: threat.enrichments.url.username ignore_above: 1024 level: extended - name: entry_point + name: username normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. + original_fieldset: url + short: Username of the request. type: keyword -threat.enrichments.pe.exports: - dashed_name: threat-enrichments-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.pe.exports +threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names ignore_above: 1024 level: extended - name: exports + name: alternative_names normalize: - array - original_fieldset: pe - short: List of symbols exported by PE + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword -threat.enrichments.pe.file_version: - dashed_name: threat-enrichments-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.enrichments.pe.file_version +threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name ignore_above: 1024 level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. 
type: keyword -threat.enrichments.pe.icon.hash.dhash: - dashed_name: threat-enrichments-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.enrichments.pe.icon.hash.dhash +threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country ignore_above: 1024 level: extended - name: icon.hash.dhash + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard +threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.enrichments.pe.imphash: - dashed_name: threat-enrichments-pe-imphash - description: 'A hash of the imports in a PE file. 
An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.pe.imphash +threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization ignore_above: 1024 level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword -threat.enrichments.pe.imports: - dashed_name: threat-enrichments-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.enrichments.pe.imports +threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit + ignore_above: 1024 level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -threat.enrichments.pe.machine_type: - dashed_name: threat-enrichments-pe-machine-type - description: Machine type of the PE file. 
- example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.pe.machine_type + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province ignore_above: 1024 level: extended - name: machine_type - normalize: [] - original_fieldset: pe - short: Machine type of the PE file. + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.pe.original_file_name: - dashed_name: threat-enrichments-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.enrichments.pe.original_file_name +threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before level: extended - name: original_file_name + name: not_before normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. 
- type: wildcard -threat.enrichments.pe.packers: - dashed_name: threat-enrichments-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.pe.packers + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm ignore_above: 1024 level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword -threat.enrichments.pe.product: - dashed_name: threat-enrichments-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.pe.product +threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve ignore_above: 1024 level: extended - name: product + name: public_key_curve normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword -threat.enrichments.pe.resources: - dashed_name: threat-enrichments-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' 
- flat_name: threat.enrichments.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested -threat.enrichments.pe.resources.chi2: - dashed_name: threat-enrichments-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.enrichments.pe.resources.chi2 +threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false level: extended - name: resources.chi2 + name: public_key_exponent normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long -threat.enrichments.pe.resources.entropy: - dashed_name: threat-enrichments-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.enrichments.pe.resources.entropy +threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size level: extended - name: resources.entropy + name: public_key_size normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. + original_fieldset: x509 + short: The size of the public key space in bits. type: long -threat.enrichments.pe.resources.filetype: - dashed_name: threat-enrichments-pe-resources-filetype - description: File type of the resources section. 
- example: Data - flat_name: threat.enrichments.pe.resources.filetype +threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number ignore_above: 1024 level: extended - name: resources.filetype + name: serial_number normalize: [] - original_fieldset: pe - short: File type of the resources section. + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword -threat.enrichments.pe.resources.language: - dashed_name: threat-enrichments-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.pe.resources.language +threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm ignore_above: 1024 level: extended - name: resources.language + name: signature_algorithm normalize: [] - original_fieldset: pe - short: Language identification. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword -threat.enrichments.pe.resources.sha256: - dashed_name: threat-enrichments-pe-resources-sha256 - description: SHA256 hash of resources section. 
- example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.pe.resources.sha256 +threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name ignore_above: 1024 level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. type: keyword -threat.enrichments.pe.resources.type: - dashed_name: threat-enrichments-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.pe.resources.type +threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country ignore_above: 1024 level: extended - name: resources.type + name: subject.country normalize: - array - original_fieldset: pe - short: List of resource types. + original_fieldset: x509 + short: List of country (C) code type: keyword -threat.enrichments.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.pe.rich_header.hash.md5 - ignore_above: 1024 +threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. 
+ example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name level: extended - name: rich_header.hash.md5 + name: subject.distinguished_name normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: wildcard +threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.enrichments.pe.sections: - dashed_name: threat-enrichments-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.enrichments.pe.sections +threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization + ignore_above: 1024 level: extended - name: sections + name: subject.organization normalize: - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -threat.enrichments.pe.sections.chi2: - dashed_name: threat-enrichments-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.enrichments.pe.sections.chi2 + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: threat.enrichments.x509.subject.organizational_unit + ignore_above: 1024 level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -threat.enrichments.pe.sections.entropy: - dashed_name: threat-enrichments-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.enrichments.pe.sections.entropy + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number + ignore_above: 1024 level: extended - name: sections.entropy + name: version_number normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float -threat.enrichments.pe.sections.flags: - dashed_name: threat-enrichments-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.enrichments.pe.sections.flags + original_fieldset: x509 + short: Version of x509 format. + type: keyword +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. 
Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework ignore_above: 1024 level: extended - name: sections.flags + name: framework normalize: [] - original_fieldset: pe - short: Section flags of the file. + short: Threat classification framework. type: keyword -threat.enrichments.pe.sections.name: - dashed_name: threat-enrichments-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.enrichments.pe.sections.name +threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: sections.name + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id normalize: [] - original_fieldset: pe - short: Section names of the file. + short: ID of the group. type: keyword -threat.enrichments.pe.sections.raw_size: - dashed_name: threat-enrichments-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.enrichments.pe.sections.raw_size - format: bytes +threat.group.name: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 level: extended - name: sections.raw_size + name: group.name normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -threat.enrichments.pe.sections.virtual_address: - dashed_name: threat-enrichments-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.enrichments.pe.sections.virtual_address - format: bytes + short: Name of the group. + type: keyword +threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 level: extended - name: sections.virtual_address + name: group.reference normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long -threat.enrichments.registry.data.bytes: - dashed_name: threat-enrichments-registry-data-bytes + short: Reference URL of the group. + type: keyword +threat.indicator.as.data.bytes: + dashed_name: threat-indicator-as-data-bytes description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' 
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.registry.data.bytes + flat_name: threat.indicator.as.data.bytes ignore_above: 1024 level: extended name: data.bytes @@ -14566,8 +13798,8 @@ threat.enrichments.registry.data.bytes: original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword -threat.enrichments.registry.data.strings: - dashed_name: threat-enrichments-registry-data-strings +threat.indicator.as.data.strings: + dashed_name: threat-indicator-as-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string @@ -14576,7 +13808,7 @@ threat.enrichments.registry.data.strings: For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.registry.data.strings + flat_name: threat.indicator.as.data.strings level: core name: data.strings normalize: 
@@ -14584,710 +13816,1011 @@ threat.enrichments.registry.data.strings: original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard -threat.enrichments.registry.data.type: - dashed_name: threat-enrichments-registry-data-type +threat.indicator.as.data.type: + dashed_name: threat-indicator-as-data-type description: Standard registry type for encoding contents example: REG_SZ - flat_name: threat.enrichments.registry.data.type + flat_name: threat.indicator.as.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.indicator.as.hive: + dashed_name: threat-indicator-as-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.as.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.indicator.as.key: + dashed_name: threat-indicator-as-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.as.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard +threat.indicator.as.path: + dashed_name: threat-indicator-as-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.as.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.indicator.as.value: + dashed_name: threat-indicator-as-value + description: Name of the value written. 
+ example: Debugger + flat_name: threat.indicator.as.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword +threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword +threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' 
+ flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 level: core - name: data.type + name: subject_name normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: code_signature + short: Subject name of the code signer type: keyword -threat.enrichments.registry.hive: - dashed_name: threat-enrichments-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.registry.hive +threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 - level: core - name: hive + level: extended + name: team_id normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -threat.enrichments.registry.key: - dashed_name: threat-enrichments-registry-key - description: Hive-relative path of keys. 
- example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.registry.key - level: core - name: key +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. - type: wildcard -threat.enrichments.registry.path: - dashed_name: threat-enrichments-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.registry.path - level: core - name: path + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: wildcard -threat.enrichments.registry.value: - dashed_name: threat-enrichments-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.registry.value + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean +threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device ignore_above: 1024 - level: core - name: value + level: extended + name: device normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: file + short: Device that is the source of the file. type: keyword -threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), - the `[` and `]` characters should also be captured in the `domain` field.' - example: www.elastic.co - flat_name: threat.enrichments.url.domain +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. 
+ example: /home/alice + flat_name: threat.indicator.file.directory level: extended - name: domain + name: directory normalize: [] - original_fieldset: url - short: Domain of the url. + original_fieldset: file + short: Directory where the file is located. type: wildcard -threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request url, - excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.url.extension + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture ignore_above: 1024 level: extended - name: extension + name: architecture normalize: [] - original_fieldset: url - short: File extension from the request url, excluding the leading dot. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' 
- flat_name: threat.enrichments.url.fragment +threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order ignore_above: 1024 level: extended - name: fragment + name: byte_order normalize: [] - original_fieldset: url - short: Portion of the url after the `#`. + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword -threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full +threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.full.text - name: text - norms: false - type: text - name: full + name: cpu_type normalize: [] - original_fieldset: url - short: Full unparsed URL. - type: wildcard -threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas in - access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + original_fieldset: elf + short: CPU type of the ELF file. 
+ type: keyword +threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date level: extended - multi_fields: - - flat_name: threat.enrichments.url.original.text - name: text - norms: false - type: text - name: original + name: creation_date normalize: [] - original_fieldset: url - short: Unmodified original url as seen in the event source. - type: wildcard -threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password - description: Password of the request. - flat_name: threat.enrichments.url.password + original_fieldset: elf + short: Build or compile date. + type: date +threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended - name: password + name: header.abi_version normalize: [] - original_fieldset: url - short: Password of the request. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword -threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path - description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path +threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. 
+ flat_name: threat.indicator.file.elf.header.class + ignore_above: 1024 level: extended - name: path + name: header.class normalize: [] - original_fieldset: url - short: Path of the request, such as "/search". - type: wildcard -threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port - description: Port of the request, such as 443. - example: 443 - flat_name: threat.enrichments.url.port + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint format: string level: extended - name: port + name: header.entrypoint normalize: [] - original_fieldset: url - short: Port of the request, such as 443. + original_fieldset: elf + short: Header entrypoint of the ELF file. type: long -threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there is - no query field. If there is a `?` but no query, the query field exists with an - empty string. The `exists` query can be used to differentiate between the two - cases.' - flat_name: threat.enrichments.url.query +threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' 
+ flat_name: threat.indicator.file.elf.header.object_version ignore_above: 1024 level: extended - name: query + name: header.object_version normalize: [] - original_fieldset: url - short: Query string of the request. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword -threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (http://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: threat.enrichments.url.registered_domain +threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi + ignore_above: 1024 level: extended - name: registered_domain + name: header.os_abi normalize: [] - original_fieldset: url - short: The highest registered url domain, stripped of the subdomain. - type: wildcard -threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: threat.enrichments.url.scheme + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type ignore_above: 1024 level: extended - name: scheme + name: header.type normalize: [] - original_fieldset: url - short: Scheme of the url. 
+ original_fieldset: elf + short: Header type of the ELF file. type: keyword -threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: threat.enrichments.url.subdomain +threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.indicator.file.elf.header.version ignore_above: 1024 level: extended - name: subdomain + name: header.version normalize: [] - original_fieldset: url - short: The subdomain of the domain. + original_fieldset: elf + short: Version of the ELF header. type: keyword -threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". +threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. 
- This value can be determined precisely with a list like the public suffix list - (http://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: threat.enrichments.url.top_level_domain - ignore_above: 1024 + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections level: extended - name: top_level_domain + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 normalize: [] - original_fieldset: url - short: The effective top level domain (com, org, net, co.uk). - type: keyword -threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username - description: Username of the request. - flat_name: threat.enrichments.url.username + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: username + name: sections.flags normalize: [] - original_fieldset: url - short: Username of the request. + original_fieldset: elf + short: ELF Section List flags. type: keyword -threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names (and - wildcards), and email addresses. - example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names +threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name ignore_above: 1024 level: extended - name: alternative_names - normalize: - - array - original_fieldset: x509 - short: List of subject alternative names (SAN). + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. type: keyword -threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name +threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - name: issuer.common_name - normalize: - - array - original_fieldset: x509 - short: List of common name (CN) of issuing certificate authority. + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. 
type: keyword -threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country - description: List of country (C) codes - example: US - flat_name: threat.enrichments.x509.issuer.country +threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended - name: issuer.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) codes + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. type: keyword -threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name +threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.indicator.file.elf.sections.virtual_address + format: string level: extended - name: issuer.distinguished_name + name: sections.virtual_address normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of issuing certificate authority. 
- type: wildcard -threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality - description: List of locality names (L) - example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality - ignore_above: 1024 + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string level: extended - name: issuer.locality + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments normalize: - array - original_fieldset: x509 - short: List of locality names (L) + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. type: keyword -threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization - description: List of organizations (O) of issuing certificate authority. 
- example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization +threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended - name: issuer.organization + name: shared_libraries normalize: - array - original_fieldset: x509 - short: List of organizations (O) of issuing certificate authority. + original_fieldset: elf + short: List of shared libraries used by this ELF object. type: keyword -threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit +threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash ignore_above: 1024 level: extended - name: issuer.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of issuing certificate authority. + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. 
type: keyword -threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.issuer.state_or_province +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended - name: issuer.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. type: keyword -threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 level: extended - name: not_after + name: gid normalize: [] - original_fieldset: x509 - short: Time at which the certificate is no longer considered valid. - type: date -threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword +threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. 
+ example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 level: extended - name: not_before + name: group normalize: [] - original_fieldset: x509 - short: Time at which the certificate is first considered valid. - type: date -threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm - description: Algorithm used to generate the public key. - example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + original_fieldset: file + short: Primary group name of the file. + type: keyword +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended - name: public_key_algorithm + name: inode normalize: [] - original_fieldset: x509 - short: Algorithm used to generate the public key. + original_fieldset: file + short: Inode representing the file in the filesystem. type: keyword -threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve - description: The curve used by the elliptic curve public key algorithm. This is - algorithm specific. - example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended - name: public_key_curve + name: mime_type normalize: [] - original_fieldset: x509 - short: The curve used by the elliptic curve public key algorithm. This is algorithm - specific. 
+ original_fieldset: file + short: Media type of file, document, or arrangement of bytes. type: keyword -threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent - description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent - index: false +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 level: extended - name: public_key_exponent + name: mode normalize: [] - original_fieldset: x509 - short: Exponent used to derive the public key. This is algorithm specific. - type: long -threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size - description: The size of the public key space in bits. - example: 2048 - flat_name: threat.enrichments.x509.public_key_size + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime level: extended - name: public_key_size + name: mtime normalize: [] - original_fieldset: x509 - short: The size of the public key space in bits. - type: long -threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + original_fieldset: file + short: Last time the file content was modified. 
+ type: date +threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended - name: serial_number + name: name normalize: [] - original_fieldset: x509 - short: Unique serial number issued by the certificate authority. + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword -threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended - name: signature_algorithm + name: owner normalize: [] - original_fieldset: x509 - short: Identifier for certificate signature algorithm. + original_fieldset: file + short: File owner's username. type: keyword -threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name - description: List of common names (CN) of subject. - example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name +threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. 
+ example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard +threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard +threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type ignore_above: 1024 level: extended - name: subject.common_name - normalize: - - array - original_fieldset: x509 - short: List of common names (CN) of subject. + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). type: keyword -threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country - description: List of country (C) code - example: US - flat_name: threat.enrichments.x509.subject.country +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. 
+ example: '1001' + flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended - name: subject.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) code + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword -threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen level: extended - name: subject.distinguished_name + name: indicator.first_seen normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of the certificate subject entity. - type: wildcard -threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality - description: List of locality names (L) - example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + short: Date/time indicator was first reported. + type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name ignore_above: 1024 - level: extended - name: subject.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
type: keyword -threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization - description: List of organizations (O) of subject. - example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: subject.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of subject. + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. type: keyword -threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit - description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name ignore_above: 1024 - level: extended - name: subject.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of subject. + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. type: keyword -threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.subject.state_or_province +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. 
+ example: CA + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 - level: extended - name: subject.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. type: keyword -threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number - description: Version of x509 format. - example: 3 - flat_name: threat.enrichments.x509.version_number +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name ignore_above: 1024 - level: extended - name: version_number + level: core + name: country_name normalize: [] - original_fieldset: x509 - short: Version of x509 format. + original_fieldset: geo + short: Country name. type: keyword -threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification can - be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework - ignore_above: 1024 +threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. 
+ + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name level: extended - name: framework + name: name normalize: [] - short: Threat classification framework. + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. type: keyword -threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias +threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. type: keyword -threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that are\ - \ tracked by a common name in the security community. While not required, you\ - \ can use a MITRE ATT&CK\xAE group id." 
- example: G0037 - flat_name: threat.group.id +threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name ignore_above: 1024 - level: extended - name: group.id + level: core + name: region_name normalize: [] - short: ID of the group. + original_fieldset: geo + short: Region name. type: keyword -threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name +threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone ignore_above: 1024 - level: extended - name: group.name + level: core + name: timezone normalize: [] - short: Name of the group. + original_fieldset: geo + short: Time zone. type: keyword -threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference +threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended - name: group.reference + name: md5 normalize: [] - short: Reference URL of the group. + original_fieldset: hash + short: MD5 hash. 
type: keyword -threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence +threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended - name: indicator.confidence + name: sha1 normalize: [] - short: Indicator confidence rating + original_fieldset: hash + short: SHA1 hash. type: keyword -threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description +threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended - name: indicator.description + name: sha256 normalize: [] - short: Indicator description + original_fieldset: hash + short: SHA256 hash. type: keyword -threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective of - direction). - example: phish@example.com - flat_name: threat.indicator.email.address +threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. 
+ flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended - name: indicator.email.address + name: sha512 normalize: [] - short: Indicator email address + original_fieldset: hash + short: SHA512 hash. type: keyword -threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen +threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 level: extended - name: indicator.first_seen + name: ssdeep normalize: [] - short: Date/time indicator was first reported. - type: date + original_fieldset: hash + short: SSDEEP hash. + type: keyword threat.indicator.ip: beta: This field is beta and subject to change. dashed_name: threat-indicator-ip 
@@ -15347,6 +14880,30 @@ threat.indicator.port: normalize: [] short: Indicator port type: long +threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Indicator provider + type: keyword +threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 + level: extended + name: indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword threat.indicator.scanner_stats: beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index cfc7bb5b9a..d0e78b4011 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -150,9 +150,13 @@ as: at: source full: source.as - as: as - at: threat.enrichments + at: threat.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + - as: as + at: threat.enrichments.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.as + full: threat.enrichments.indicator.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). title: Autonomous System 
@@ -3422,8 +3426,8 @@ event: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, @@ -3773,13 +3777,6 @@ event: group: 2 name: event prefix: event. - reusable: - expected: - - as: event - at: threat.enrichments - beta: Reusing the `event` fields in this location is currently considered beta. - full: threat.enrichments.event - top_level: true short: Fields breaking down the event details. title: Event type: group @@ -5301,9 +5298,13 @@ file: reusable: expected: - as: file - at: threat.enrichments + at: threat.indicator beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.file + full: threat.indicator.file + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as top_level: true reused_here: - full: file.code_signature @@ -5484,9 +5485,13 @@ geo: at: source full: source.geo - as: geo - at: threat.enrichments + at: threat.indicator beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.geo + full: threat.indicator.geo + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as top_level: false short: Fields describing a location. title: Geo 
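Review bot: In the `file:` hunk of ecs_nested.yml the second added reuse entry reads `- as: as` / `full: threat.enrichments.indicator.as` with the beta note worded for the `as` fields, which looks like a copy of the `as` fieldset's entry rather than `- as: file` / `full: threat.enrichments.indicator.file`; the `geo:` hunk on this line and the `hash:`, `pe:` and `registry:` hunks on the next line show the same pattern. As rendered, five different fieldsets claim the single path `threat.enrichments.indicator.as`, and the expanded field definitions later in this diff (`threat.enrichments.indicator.as.data.bytes`, `.hive`, `.key`, `.path`, `.value`) carry `original_fieldset: registry` under an `.as.` prefix, so the enrichment side would get registry fields at the `as` path and no `file`/`geo`/`hash`/`pe`/`registry` fields at all. Since these files appear to be generator output, the fix presumably belongs in the schema definitions that declare the `threat.enrichments.indicator` reuse for each of these fieldsets (each should name its own fieldset in `as:`, e.g. `as: file`), followed by regeneration.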
@@ -5616,9 +5621,13 @@ hash: at: dll full: dll.hash - as: hash - at: threat.enrichments + at: threat.indicator beta: Reusing the `hash` fields in this location is currently considered beta. - full: threat.enrichments.hash + full: threat.indicator.hash + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as top_level: false short: Hashes, usually file hashes. title: Hash @@ -8182,6 +8191,14 @@ pe: - as: pe at: process full: process.pe + - as: as + at: threat.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as - as: pe at: threat.enrichments full: threat.enrichments.pe @@ -13016,6 +13033,14 @@ registry: prefix: registry. reusable: expected: + - as: as + at: threat.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as - as: registry at: threat.enrichments full: threat.enrichments.registry 
@@ -14342,3015 +14367,2534 @@ threat: normalize: [] short: List of indicators enriching the event. type: nested - threat.enrichments.as.number: - dashed_name: threat-enrichments-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: threat.enrichments.as.number + threat.enrichments.indicator: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator + description: Indicators + flat_name: threat.enrichments.indicator level: extended - name: number + name: enrichments.indicator normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - threat.enrichments.as.organization.name: - dashed_name: threat-enrichments-as-organization-name - description: Organization name. - example: Google LLC - flat_name: threat.enrichments.as.organization.name + short: Indicators + type: object + threat.enrichments.indicator.as.data.bytes: + dashed_name: threat-enrichments-indicator-as-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.as.data.bytes + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.as.organization.name.text - name: text - norms: false - type: text - name: organization.name + name: data.bytes normalize: [] - original_fieldset: as - short: Organization name. - type: wildcard - threat.enrichments.event.action: - dashed_name: threat-enrichments-event-action - description: 'The action captured by the event. 
+ original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.enrichments.indicator.as.data.strings: + dashed_name: threat-enrichments-indicator-as-data-strings + description: 'Content when writing string types. - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change - flat_name: threat.enrichments.event.action + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.as.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.enrichments.indicator.as.data.type: + dashed_name: threat-enrichments-indicator-as-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.as.data.type ignore_above: 1024 level: core - name: action + name: data.type normalize: [] - original_fieldset: event - short: The action captured by the event. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.enrichments.event.agent_id_status: - dashed_name: threat-enrichments-event-agent-id-status - description: 'Agents are normally responsible for populating the `agent.id` - field value. 
If the system receiving events is capable of validating the value - based on authentication information for the client then this field can be - used to reflect the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the - client cert contains the ID of the agent to which the cert was issued then - the `agent.id` value in events can be checked against the certificate. If - the values match then `event.agent_id_status: verified` is added to the event, - otherwise one of the other allowed values should be used. - - If no validation is performed then the field should be omitted. - - The allowed values are: - - `verified` - The `agent.id` field value matches expected value obtained from - auth metadata. - - `mismatch` - The `agent.id` field value does not match the expected value - obtained from auth metadata. - - `missing` - There was no `agent.id` field in the event to validate. - - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - flat_name: threat.enrichments.event.agent_id_status + threat.enrichments.indicator.as.hive: + dashed_name: threat-enrichments-indicator-as-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.as.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.enrichments.indicator.as.key: + dashed_name: threat-enrichments-indicator-as-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.as.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. 
+ type: wildcard + threat.enrichments.indicator.as.path: + dashed_name: threat-enrichments-indicator-as-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.as.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.enrichments.indicator.as.value: + dashed_name: threat-enrichments-indicator-as-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.indicator.as.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.enrichments.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.enrichments.indicator.confidence ignore_above: 1024 level: extended - name: agent_id_status + name: enrichments.indicator.confidence normalize: [] - original_fieldset: event - short: Validation status of the event's agent.id field. + short: Indicator confidence rating type: keyword - threat.enrichments.event.category: - allowed_values: - - description: Events in this category are related to the challenge and response - process in which credentials are supplied and verified to allow the creation - of a session. Common sources for these logs are Windows event logs and ssh - logs. Visualize and analyze events in this category to look for failed logins, - and other authentication-related activity. 
- expected_event_types: - - start - - end - - info - name: authentication - - description: 'Events in the configuration category have to deal with creating, - modifying, or deleting the settings or parameters of an application, process, - or system. - - Example sources include security policy change logs, configuration auditing - logging, and system integrity monitoring.' - expected_event_types: - - access - - change - - creation - - deletion - - info - name: configuration - - description: The database category denotes events and metrics relating to - a data storage and retrieval system. Note that use of this category is not - limited to relational database systems. Examples include event logs from - MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize - and analyze database activity such as accesses and changes. - expected_event_types: - - access - - change - - info - - error - name: database - - description: 'Events in the driver category have to do with operating system - device drivers and similar software entities such as Windows drivers, kernel - extensions, kernel modules, etc. - - Use events and metrics in this category to visualize and analyze driver-related - activity and status on hosts.' - expected_event_types: - - change - - end - - info - - start - name: driver - - description: Relating to a set of information that has been created on, or - has existed on a filesystem. Use this category of events to visualize and - analyze the creation, access, and deletions of files. Events in this category - can come from both host-based and network-based sources. An example source - of a network-based detection of a file transfer would be the Zeek file.log. - expected_event_types: - - change - - creation - - deletion - - info - name: file - - description: 'Use this category to visualize and analyze information such - as host inventory or host lifecycle events. 
- - Most of the events in this category can usually be observed from the outside, - such as from a hypervisor or a control plane''s point of view. Some can - also be seen from within, such as "start" or "end". - - Note that this category is for information about hosts themselves; it is - not meant to capture activity "happening on a host".' - expected_event_types: - - access - - change - - end - - info - - start - name: host - - description: Identity and access management (IAM) events relating to users, - groups, and administration. Use this category to visualize and analyze IAM-related - logs and data from active directory, LDAP, Okta, Duo, and other IAM systems. - expected_event_types: - - admin - - change - - creation - - deletion - - group - - info - - user - name: iam - - description: Relating to intrusion detections from IDS/IPS systems and functions, - both network and host-based. Use this category to visualize and analyze - intrusion detection alerts from systems such as Snort, Suricata, and Palo - Alto threat detections. - expected_event_types: - - allowed - - denied - - info - name: intrusion_detection - - description: Malware detection events and alerts. Use this category to visualize - and analyze malware detections from EDR/EPP systems such as Elastic Endpoint - Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS - systems such as Suricata, or other sources of malware-related events such - as Palo Alto Networks threat logs and Wildfire logs. - expected_event_types: - - info - name: malware - - description: Relating to all network activity, including network connection - lifecycle, network traffic, and essentially any event that includes an IP - address. Many events containing decoded network protocol transactions fit - into this category. Use events in this category to visualize or analyze - counts of network ports, protocols, addresses, geolocation information, - etc. 
- expected_event_types: - - access - - allowed - - connection - - denied - - end - - info - - protocol - - start - name: network - - description: Relating to software packages installed on hosts. Use this category - to visualize and analyze inventory of software installed on various hosts, - or to determine host vulnerability in the absence of vulnerability scan - data. - expected_event_types: - - access - - change - - deletion - - info - - installation - - start - name: package - - description: Use this category of events to visualize and analyze process-specific - information such as lifecycle events or process ancestry. - expected_event_types: - - access - - change - - end - - info - - start - name: process - - description: Having to do with settings and assets stored in the Windows registry. - Use this category to visualize and analyze activity such as registry access - and modifications. - expected_event_types: - - access - - change - - creation - - deletion - name: registry - - description: The session category is applied to events and metrics regarding - logical persistent connections to hosts and services. Use this category - to visualize and analyze interactive or automated persistent connections - between assets. Data for this category may come from Windows Event logs, - SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. - expected_event_types: - - start - - end - - info - name: session - - description: 'Relating to web server access. Use this category to create a - dashboard of web server/proxy activity from apache, IIS, nginx web servers, - etc. Note: events from network observers such as Zeek http log may also - be included in this category.' - expected_event_types: - - access - - error - - info - name: web - dashed_name: threat-enrichments-event-category - description: 'This is one of four ECS Categorization Fields, and indicates the - second level in the ECS category hierarchy. 
- - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process - activity. This field is closely related to `event.type`, which is used as - a subcategory. - - This field is an array. This will allow proper categorization of some events - that fall in multiple categories.' - example: authentication - flat_name: threat.enrichments.event.category + threat.enrichments.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.enrichments.indicator.description ignore_above: 1024 - level: core - name: category - normalize: - - array - original_fieldset: event - short: Event category. The second categorization field in the hierarchy. + level: extended + name: enrichments.indicator.description + normalize: [] + short: Indicator description type: keyword - threat.enrichments.event.code: - dashed_name: threat-enrichments-event-code - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 - flat_name: threat.enrichments.event.code + threat.enrichments.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.enrichments.indicator.email.address ignore_above: 1024 level: extended - name: code + name: enrichments.indicator.email.address normalize: [] - original_fieldset: event - short: Identification code for this event. 
+ short: Indicator email address type: keyword - threat.enrichments.event.created: - dashed_name: threat-enrichments-event-created - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' - flat_name: threat.enrichments.event.created - level: core - name: created + threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen + level: extended + name: enrichments.indicator.first_seen normalize: [] - original_fieldset: event - short: Time when the event was first read by an agent or by your pipeline. + short: Date/time indicator was first reported. type: date - threat.enrichments.event.dataset: - dashed_name: threat-enrichments-event-dataset - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes - from. - - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' 
- example: apache.access - flat_name: threat.enrichments.event.dataset + threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen + level: extended + name: enrichments.indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 - level: core - name: dataset + level: extended + name: enrichments.indicator.marking.tlp normalize: [] - original_fieldset: event - short: Name of the dataset. + short: Indicator TLP marking type: keyword - threat.enrichments.event.duration: - dashed_name: threat-enrichments-event-duration - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference - between the end and start time.' 
- flat_name: threat.enrichments.event.duration - format: duration - input_format: nanoseconds - level: core - name: duration - normalize: [] - original_fieldset: event - output_format: asMilliseconds - output_precision: 1 - short: Duration of the event in nanoseconds. - type: long - threat.enrichments.event.end: - dashed_name: threat-enrichments-event-end - description: event.end contains the date when the event ended or when the activity - was last observed. - flat_name: threat.enrichments.event.end + threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at level: extended - name: end + name: enrichments.indicator.modified_at normalize: [] - original_fieldset: event - short: event.end contains the date when the event ended or when the activity - was last observed. + short: Date/time indicator was last updated. type: date - threat.enrichments.event.hash: - dashed_name: threat-enrichments-event-hash - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. - example: 123456789012345678901234567890ABCD - flat_name: threat.enrichments.event.hash + threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long + threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. 
+ example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider ignore_above: 1024 level: extended - name: hash + name: enrichments.indicator.provider normalize: [] - original_fieldset: event - short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. + short: Indicator provider type: keyword - threat.enrichments.event.id: - dashed_name: threat-enrichments-event-id - description: Unique ID to describe the event. - example: 8a4f500d - flat_name: threat.enrichments.event.id + threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference ignore_above: 1024 - level: core - name: id + level: extended + name: enrichments.indicator.reference normalize: [] - original_fieldset: event - short: Unique ID to describe the event. + short: Indicator reference URL type: keyword - threat.enrichments.event.ingested: - dashed_name: threat-enrichments-event-ingested - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' - flat_name: threat.enrichments.event.ingested - level: core - name: ingested + threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. 
+ example: 4 + flat_name: threat.enrichments.indicator.scanner_stats + level: extended + name: enrichments.indicator.scanner_stats normalize: [] - original_fieldset: event - short: Timestamp when an event arrived in the central data store. - type: date - threat.enrichments.event.kind: - allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. - - `event.kind:alert` is often populated for events coming from firewalls, - intrusion detection systems, endpoint detection and response systems, and - so on.' - name: alert - - description: This value is the most general and most common value for this - field. It is used to represent events that indicate that something happened. - name: event - - description: 'This value is used to indicate that this event describes a numeric - measurement taken at given point in time. - - Examples include CPU utilization, memory usage, or device temperature. - - Metric events are often collected on a predictable frequency, such as once - every few seconds, or once a minute, but can also be used to describe ad-hoc - numeric metric queries.' - name: metric - - description: 'The state value is similar to metric, indicating that this event - describes a measurement taken at given point in time, except that the measurement - does not result in a numeric value, but rather one of a fixed set of categorical - values that represent conditions or states. - - Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), - the state of a TCP connection (open, closed, fin_wait, etc.), the state - of a host with respect to a software vulnerability (vulnerable, not vulnerable), - and the state of a system regarding compliance with a regulatory standard - (compliant, not compliant). 
- - Note that an event that describes a change of state would not use `event.kind:state`, - but instead would use ''event.kind:event'' since a state change fits the - more general event definition of something that happened. - - State events are often collected on a predictable frequency, such as once - every few seconds, once a minute, once an hour, or once a day, but can also - be used to describe ad-hoc state queries.' - name: state - - description: This value indicates that an error occurred during the ingestion - of this event, and that event data may be missing, inconsistent, or incorrect. - `event.kind:pipeline_error` is often associated with parsing errors. - name: pipeline_error - - description: 'This value is used by the Elastic Security app to denote an - Elasticsearch document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful - happened and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' - name: signal - dashed_name: threat-enrichments-event-kind - description: 'This is one of four ECS Categorization Fields, and indicates the - highest level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the - event contains, without being specific to the contents of the event. For example, - values of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval - or not.' - example: alert - flat_name: threat.enrichments.event.kind - ignore_above: 1024 - level: core - name: kind - normalize: [] - original_fieldset: event - short: The kind of the event. The highest categorization field in the hierarchy. 
- type: keyword - threat.enrichments.event.module: - dashed_name: threat-enrichments-event-module - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain - the name of this module.' - example: apache - flat_name: threat.enrichments.event.module - ignore_above: 1024 - level: core - name: module - normalize: [] - original_fieldset: event - short: Name of the module this data is coming from. - type: keyword - threat.enrichments.event.original: - dashed_name: threat-enrichments-event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may - be required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and - index this field, please see `Field data types` in the `Elasticsearch Reference`.' - doc_values: false - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - flat_name: threat.enrichments.event.original - index: false - level: core - name: original - normalize: [] - original_fieldset: event - short: Raw text message of entire event. - type: keyword - threat.enrichments.event.outcome: - allowed_values: - - description: Indicates that this event describes a failed result. A common - example is `event.category:file AND event.type:access AND event.outcome:failure` - to indicate that a file access was attempted, but was not successful. - name: failure - - description: Indicates that this event describes a successful result. A common - example is `event.category:file AND event.type:create AND event.outcome:success` - to indicate that a file was successfully created. 
- name: success - - description: Indicates that this event describes only an attempt for which - the result is unknown from the perspective of the event producer. For example, - if the event contains information only about the request side of a transaction - that results in a response, populating `event.outcome:unknown` in the request - event is appropriate. The unknown value should not be used when an outcome - doesn't make logical sense for the event. In such cases `event.outcome` - should not be populated. - name: unknown - dashed_name: threat-enrichments-event-outcome - description: 'This is one of four ECS Categorization Fields, and indicates the - lowest level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a - failure from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each - event may populate different values of `event.outcome`, according to their - perspective. - - Also note that in the case of a compound event (a single event that contains - multiple logical events), this field should be populated with the value that - best captures the overall success or failure from the perspective of the event - producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success - flat_name: threat.enrichments.event.outcome - ignore_above: 1024 - level: core - name: outcome - normalize: [] - original_fieldset: event - short: The outcome of the event. The lowest level categorization field in the - hierarchy. - type: keyword - threat.enrichments.event.provider: - dashed_name: threat-enrichments-event-provider - description: 'Source of the event. 
- - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - flat_name: threat.enrichments.event.provider - ignore_above: 1024 - level: extended - name: provider - normalize: [] - original_fieldset: event - short: Source of the event. - type: keyword - threat.enrichments.event.reason: - dashed_name: threat-enrichments-event-reason - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` - which denied the request may also populate `event.reason` with the reason - why (e.g. `blocked site`).' - example: Terminated an unexpected process - flat_name: threat.enrichments.event.reason - ignore_above: 1024 - level: extended - name: reason - normalize: [] - original_fieldset: event - short: Reason why this event happened, according to the source - type: keyword - threat.enrichments.event.reference: - dashed_name: threat-enrichments-event-reference - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - flat_name: threat.enrichments.event.reference - ignore_above: 1024 - level: extended - name: reference - normalize: [] - original_fieldset: event - short: Event reference URL - type: keyword - threat.enrichments.event.risk_score: - dashed_name: threat-enrichments-event-risk-score - description: Risk score or priority of the event (e.g. security solutions). 
- Use your system's original value here. - flat_name: threat.enrichments.event.risk_score - level: core - name: risk_score - normalize: [] - original_fieldset: event - short: Risk score or priority of the event (e.g. security solutions). Use your - system's original value here. - type: float - threat.enrichments.event.risk_score_norm: - dashed_name: threat-enrichments-event-risk-score-norm - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - flat_name: threat.enrichments.event.risk_score_norm - level: extended - name: risk_score_norm - normalize: [] - original_fieldset: event - short: Normalized risk score or priority of the event (0-100). - type: float - threat.enrichments.event.sequence: - dashed_name: threat-enrichments-event-sequence - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regardless of the timestamp precision.' - flat_name: threat.enrichments.event.sequence - format: string - level: extended - name: sequence - normalize: [] - original_fieldset: event - short: Sequence number of the event. - type: long - threat.enrichments.event.severity: - dashed_name: threat-enrichments-event-severity - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and - use cases. It''s up to the implementer to make sure severities are consistent - across events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` - is meant to represent the severity according to the event source (e.g. firewall, - IDS). 
If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 - flat_name: threat.enrichments.event.severity - format: string - level: core - name: severity - normalize: [] - original_fieldset: event - short: Numeric severity of the event. + short: Scanner statistics type: long - threat.enrichments.event.start: - dashed_name: threat-enrichments-event-start - description: event.start contains the date when the event started or when the - activity was first observed. - flat_name: threat.enrichments.event.start - level: extended - name: start - normalize: [] - original_fieldset: event - short: event.start contains the date when the event started or when the activity - was first observed. - type: date - threat.enrichments.event.timezone: - dashed_name: threat-enrichments-event-timezone - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - flat_name: threat.enrichments.event.timezone - ignore_above: 1024 - level: extended - name: timezone - normalize: [] - original_fieldset: event - short: Event time zone. - type: keyword - threat.enrichments.event.type: - allowed_values: - - description: The access event type is used for the subset of events within - a category that indicate that something was accessed. Common examples include - `event.category:database AND event.type:access`, or `event.category:file - AND event.type:access`. Note for file access, both directory listings and - file opens should be included in this subcategory. You can further distinguish - access operations using the ECS `event.action` field. 
- name: access - - description: 'The admin event type is used for the subset of events within - a category that are related to admin objects. For example, administrative - changes within an IAM framework that do not specifically affect a user or - group (e.g., adding new applications to a federation solution or connecting - discrete forests in Active Directory) would fall into this subcategory. - Common example: `event.category:iam AND event.type:change AND event.type:admin`. - You can further distinguish admin operations using the ECS `event.action` - field.' - name: admin - - description: The allowed event type is used for the subset of events within - a category that indicate that something was allowed. Common examples include - `event.category:network AND event.type:connection AND event.type:allowed` - (to indicate a network firewall event for which the firewall disposition - was to allow the connection to complete) and `event.category:intrusion_detection - AND event.type:allowed` (to indicate a network intrusion prevention system - event for which the IPS disposition was to allow the connection to complete). - You can further distinguish allowed operations using the ECS `event.action` - field, populating with values of your choosing, such as "allow", "detect", - or "pass". - name: allowed - - description: The change event type is used for the subset of events within - a category that indicate that something has changed. If semantics best describe - an event as modified, then include them in this subcategory. Common examples - include `event.category:process AND event.type:change`, and `event.category:file - AND event.type:change`. You can further distinguish change operations using - the ECS `event.action` field. - name: change - - description: Used primarily with `event.category:network` this value is used - for the subset of network traffic that includes sufficient information for - the event to be included in flow or connection analysis. 
Events in this - subcategory will contain at least source and destination IP addresses, source - and destination TCP/UDP ports, and will usually contain counts of bytes - and/or packets transferred. Events in this subcategory may contain unidirectional - or bidirectional information, including summary information. Use this subcategory - to visualize and analyze network connections. Flow analysis, including Netflow, - IPFIX, and other flow-related events fit in this subcategory. Note that - firewall events from many Next-Generation Firewall (NGFW) devices will also - fit into this subcategory. A common filter for flow/connection information - would be `event.category:network AND event.type:connection AND event.type:end` - (to view or analyze all completed network connections, ignoring mid-flow - reports). You can further distinguish connection events using the ECS `event.action` - field, populating with values of your choosing, such as "timeout", or "reset". - name: connection - - description: The "creation" event type is used for the subset of events within - a category that indicate that something was created. A common example is - `event.category:file AND event.type:creation`. - name: creation - - description: The deletion event type is used for the subset of events within - a category that indicate that something was deleted. A common example is - `event.category:file AND event.type:deletion` to indicate that a file has - been deleted. - name: deletion - - description: The denied event type is used for the subset of events within - a category that indicate that something was denied. Common examples include - `event.category:network AND event.type:denied` (to indicate a network firewall - event for which the firewall disposition was to deny the connection) and - `event.category:intrusion_detection AND event.type:denied` (to indicate - a network intrusion prevention system event for which the IPS disposition - was to deny the connection to complete). 
You can further distinguish denied - operations using the ECS `event.action` field, populating with values of - your choosing, such as "blocked", "dropped", or "quarantined". - name: denied - - description: The end event type is used for the subset of events within a - category that indicate something has ended. A common example is `event.category:process - AND event.type:end`. - name: end - - description: The error event type is used for the subset of events within - a category that indicate or describe an error. A common example is `event.category:database - AND event.type:error`. Note that pipeline errors that occur during the event - ingestion process should not use this `event.type` value. Instead, they - should use `event.kind:pipeline_error`. - name: error - - description: 'The group event type is used for the subset of events within - a category that are related to group objects. Common example: `event.category:iam - AND event.type:creation AND event.type:group`. You can further distinguish - group operations using the ECS `event.action` field.' - name: group - - description: The info event type is used for the subset of events within a - category that indicate that they are purely informational, and don't report - a state change, or any type of action. For example, an initial run of a - file integrity monitoring system (FIM), where an agent reports all files - under management, would fall into the "info" subcategory. Similarly, an - event containing a dump of all currently running processes (as opposed to - reporting that a process started/ended) would fall into the "info" subcategory. - An additional common examples is `event.category:intrusion_detection AND - event.type:info`. - name: info - - description: The installation event type is used for the subset of events - within a category that indicate that something was installed. A common example - is `event.category:package` AND `event.type:installation`. 
- name: installation - - description: The protocol event type is used for the subset of events within - a category that indicate that they contain protocol details or analysis, - beyond simply identifying the protocol. Generally, network events that contain - specific protocol details will fall into this subcategory. A common example - is `event.category:network AND event.type:protocol AND event.type:connection - AND event.type:end` (to indicate that the event is a network connection - event sent at the end of a connection that also includes a protocol detail - breakdown). Note that events that only indicate the name or id of the protocol - should not use the protocol value. Further note that when the protocol subcategory - is used, the identified protocol is populated in the ECS `network.protocol` - field. - name: protocol - - description: The start event type is used for the subset of events within - a category that indicate something has started. A common example is `event.category:process - AND event.type:start`. - name: start - - description: 'The user event type is used for the subset of events within - a category that are related to user objects. Common example: `event.category:iam - AND event.type:deletion AND event.type:user`. You can further distinguish - user operations using the ECS `event.action` field.' - name: user - dashed_name: threat-enrichments-event-type - description: 'This is one of four ECS Categorization Fields, and indicates the - third level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along - with the `event.category` field values, enables filtering events down to a - level appropriate for single visualization. - - This field is an array. This will allow proper categorization of some events - that fall in multiple event types.' - flat_name: threat.enrichments.event.type + threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: event - short: Event type. The third categorization field in the hierarchy. + level: extended + name: enrichments.indicator.type + normalize: [] + short: Type of indicator type: keyword - threat.enrichments.event.url: - dashed_name: threat-enrichments-event-url - description: 'URL linking to an external system to continue investigation of - this event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - flat_name: threat.enrichments.event.url + threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. 
+ example: bad-domain.com + flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended - name: url + name: enrichments.matched.atomic normalize: [] - original_fieldset: event - short: Event investigation URL + short: Matched indicator value type: keyword - threat.enrichments.file.accessed: - dashed_name: threat-enrichments-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - flat_name: threat.enrichments.file.accessed + threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 level: extended - name: accessed + name: enrichments.matched.field normalize: [] - original_fieldset: file - short: Last time the file was accessed. - type: date - threat.enrichments.file.attributes: - dashed_name: threat-enrichments-file-attributes - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.enrichments.file.attributes + short: Matched indicator field + type: keyword + threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id ignore_above: 1024 level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. 
+ name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier type: keyword - threat.enrichments.file.code_signature.exists: - dashed_name: threat-enrichments-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.enrichments.file.code_signature.exists - level: core - name: exists + threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 + level: extended + name: enrichments.matched.index normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - threat.enrichments.file.code_signature.signing_id: - dashed_name: threat-enrichments-file-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.enrichments.file.code_signature.signing_id + short: Matched indicator index + type: keyword + threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type ignore_above: 1024 level: extended - name: signing_id + name: enrichments.matched.type normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. 
+ short: Type of indicator match type: keyword - threat.enrichments.file.code_signature.status: - dashed_name: threat-enrichments-file-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.enrichments.file.code_signature.status + threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.pe.architecture ignore_above: 1024 level: extended - name: status + name: architecture normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword - threat.enrichments.file.code_signature.subject_name: - dashed_name: threat-enrichments-file-code-signature-subject-name - description: Subject name of the code signer + threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword + threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. 
example: Microsoft Corporation - flat_name: threat.enrichments.file.code_signature.subject_name + flat_name: threat.enrichments.pe.company ignore_above: 1024 - level: core - name: subject_name + level: extended + name: company normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword - threat.enrichments.file.code_signature.team_id: - dashed_name: threat-enrichments-file-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.enrichments.file.code_signature.team_id + threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name ignore_above: 1024 level: extended - name: team_id + name: compiler.name normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: pe + short: Name of the compiler type: keyword - threat.enrichments.file.code_signature.trusted: - dashed_name: threat-enrichments-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' 
- example: 'true' - flat_name: threat.enrichments.file.code_signature.trusted + threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version + ignore_above: 1024 level: extended - name: trusted + name: compiler.version normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - threat.enrichments.file.code_signature.valid: - dashed_name: threat-enrichments-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.enrichments.file.code_signature.valid + original_fieldset: pe + short: Version of the compiler. + type: keyword + threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date level: extended - name: valid + name: creation_date normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - threat.enrichments.file.created: - dashed_name: threat-enrichments-file-created - description: 'File creation time. + original_fieldset: pe + short: Build or compile date. + type: date + threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. - Note that not all filesystems store the creation time.' - flat_name: threat.enrichments.file.created + The expected fields for this nested object fall under the `debug.` prefix.' 
+ flat_name: threat.enrichments.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp level: extended - name: created + name: debug.timestamp normalize: [] - original_fieldset: file - short: File creation time. + original_fieldset: pe + short: Timestamp of the debug information. type: date - threat.enrichments.file.ctime: - dashed_name: threat-enrichments-file-ctime - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.enrichments.file.ctime + threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. 
+ example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type + ignore_above: 1024 level: extended - name: ctime + name: debug.type normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date - threat.enrichments.file.device: - dashed_name: threat-enrichments-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.enrichments.file.device + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword + threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description ignore_above: 1024 level: extended - name: device + name: description normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword - threat.enrichments.file.directory: - dashed_name: threat-enrichments-file-directory - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice - flat_name: threat.enrichments.file.directory + threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point + ignore_above: 1024 level: extended - name: directory + name: entry_point normalize: [] - original_fieldset: file - short: Directory where the file is located. - type: wildcard - threat.enrichments.file.drive_letter: - dashed_name: threat-enrichments-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' 
- example: C - flat_name: threat.enrichments.file.drive_letter - ignore_above: 1 + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports + ignore_above: 1024 level: extended - name: drive_letter - normalize: [] - original_fieldset: file - short: Drive letter where the file is located. + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE type: keyword - threat.enrichments.file.elf.architecture: - dashed_name: threat-enrichments-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.enrichments.file.elf.architecture + threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version ignore_above: 1024 level: extended - name: architecture + name: file_version normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: pe + short: Process name. type: keyword - threat.enrichments.file.elf.byte_order: - dashed_name: threat-enrichments-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.enrichments.file.elf.byte_order + threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. 
+ example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: byte_order + name: icon.hash.dhash normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. type: keyword - threat.enrichments.file.elf.cpu_type: - dashed_name: threat-enrichments-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.enrichments.file.elf.cpu_type + threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash ignore_above: 1024 level: extended - name: cpu_type + name: imphash normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - threat.enrichments.file.elf.creation_date: - dashed_name: threat-enrichments-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- flat_name: threat.enrichments.file.elf.creation_date + threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports level: extended - name: creation_date + name: imports normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - threat.enrichments.file.elf.exports: - dashed_name: threat-enrichments-file-elf-exports - description: List of exported element names and types. - flat_name: threat.enrichments.file.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. + original_fieldset: pe + short: List of all imported functions type: flattened - threat.enrichments.file.elf.header.abi_version: - dashed_name: threat-enrichments-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.enrichments.file.elf.header.abi_version + threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type ignore_above: 1024 level: extended - name: header.abi_version + name: machine_type normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: pe + short: Machine type of the PE file. type: keyword - threat.enrichments.file.elf.header.class: - dashed_name: threat-enrichments-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.enrichments.file.elf.header.class - ignore_above: 1024 + threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name level: extended - name: header.class + name: original_file_name normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. type: keyword - threat.enrichments.file.elf.header.data: - dashed_name: threat-enrichments-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.enrichments.file.elf.header.data + threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product ignore_above: 1024 level: extended - name: header.data + name: product normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword - threat.enrichments.file.elf.header.entrypoint: - dashed_name: threat-enrichments-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.enrichments.file.elf.header.entrypoint - format: string + threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' 
+ flat_name: threat.enrichments.pe.resources level: extended - name: header.entrypoint + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 + level: extended + name: resources.chi2 normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. + original_fieldset: pe + short: Chi-square probability distribution. type: long - threat.enrichments.file.elf.header.object_version: - dashed_name: threat-enrichments-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.enrichments.file.elf.header.object_version + threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 level: extended - name: header.object_version + name: resources.filetype normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: pe + short: File type of the resources section. + type: keyword + threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. 
+ example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. type: keyword - threat.enrichments.file.elf.header.os_abi: - dashed_name: threat-enrichments-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.enrichments.file.elf.header.os_abi + threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 ignore_above: 1024 level: extended - name: header.os_abi + name: resources.sha256 normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword - threat.enrichments.file.elf.header.type: - dashed_name: threat-enrichments-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.enrichments.file.elf.header.type + threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type ignore_above: 1024 level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. type: keyword - threat.enrichments.file.elf.header.version: - dashed_name: threat-enrichments-file-elf-header-version - description: Version of the ELF header. 
- flat_name: threat.enrichments.file.elf.header.version + threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 ignore_above: 1024 level: extended - name: header.version + name: rich_header.hash.md5 normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword - threat.enrichments.file.elf.imports: - dashed_name: threat-enrichments-file-elf-imports - description: List of imported element names and types. - flat_name: threat.enrichments.file.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - threat.enrichments.file.elf.sections: - dashed_name: threat-enrichments-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: threat.enrichments.file.elf.sections + threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections level: extended name: sections normalize: - array - original_fieldset: elf - short: Section information of the ELF file. + original_fieldset: pe + short: Data about sections of the compiled binary PE type: nested - threat.enrichments.file.elf.sections.chi2: - dashed_name: threat-enrichments-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. 
- flat_name: threat.enrichments.file.elf.sections.chi2 - format: number + threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 level: extended name: sections.chi2 normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. + original_fieldset: pe + short: Chi-square probability distribution. type: long - threat.enrichments.file.elf.sections.entropy: - dashed_name: threat-enrichments-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.enrichments.file.elf.sections.entropy - format: number + threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy level: extended name: sections.entropy normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - threat.enrichments.file.elf.sections.flags: - dashed_name: threat-enrichments-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.enrichments.file.elf.sections.flags + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.pe.sections.flags ignore_above: 1024 level: extended name: sections.flags normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: pe + short: Section flags of the file. type: keyword - threat.enrichments.file.elf.sections.name: - dashed_name: threat-enrichments-file-elf-sections-name - description: ELF Section List name. 
- flat_name: threat.enrichments.file.elf.sections.name + threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name ignore_above: 1024 level: extended name: sections.name normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - threat.enrichments.file.elf.sections.physical_offset: - dashed_name: threat-enrichments-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.enrichments.file.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: pe + short: Section names of the file. type: keyword - threat.enrichments.file.elf.sections.physical_size: - dashed_name: threat-enrichments-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.enrichments.file.elf.sections.physical_size + threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size format: bytes level: extended - name: sections.physical_size + name: sections.raw_size normalize: [] - original_fieldset: elf - short: ELF Section List physical size. + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. type: long - threat.enrichments.file.elf.sections.type: - dashed_name: threat-enrichments-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.enrichments.file.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. 
- type: keyword - threat.enrichments.file.elf.sections.virtual_address: - dashed_name: threat-enrichments-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.enrichments.file.elf.sections.virtual_address - format: string + threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes level: extended name: sections.virtual_address normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - threat.enrichments.file.elf.sections.virtual_size: - dashed_name: threat-enrichments-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.enrichments.file.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. + original_fieldset: pe + short: Virtual address available to the file. type: long - threat.enrichments.file.elf.segments: - dashed_name: threat-enrichments-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. + threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: threat.enrichments.file.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - threat.enrichments.file.elf.segments.sections: - dashed_name: threat-enrichments-file-elf-segments-sections - description: ELF object segment sections. 
- flat_name: threat.enrichments.file.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - threat.enrichments.file.elf.segments.type: - dashed_name: threat-enrichments-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.enrichments.file.elf.segments.type + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes ignore_above: 1024 level: extended - name: segments.type + name: data.bytes normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword - threat.enrichments.file.elf.shared_libraries: - dashed_name: threat-enrichments-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.enrichments.file.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries + threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' 
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - threat.enrichments.file.elf.telfhash: - dashed_name: threat-enrichments-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.enrichments.file.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - threat.enrichments.file.extension: - dashed_name: threat-enrichments-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.file.extension - ignore_above: 1024 - level: extended - name: extension - normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. - type: keyword - threat.enrichments.file.gid: - dashed_name: threat-enrichments-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.enrichments.file.gid - ignore_above: 1024 - level: extended - name: gid - normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. - type: keyword - threat.enrichments.file.group: - dashed_name: threat-enrichments-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.enrichments.file.group - ignore_above: 1024 - level: extended - name: group - normalize: [] - original_fieldset: file - short: Primary group name of the file. - type: keyword - threat.enrichments.file.inode: - dashed_name: threat-enrichments-file-inode - description: Inode representing the file in the filesystem. 
- example: '256383' - flat_name: threat.enrichments.file.inode + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type ignore_above: 1024 - level: extended - name: inode + level: core + name: data.type normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.enrichments.file.mime_type: - dashed_name: threat-enrichments-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. - flat_name: threat.enrichments.file.mime_type + threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.registry.hive ignore_above: 1024 - level: extended - name: mime_type + level: core + name: hive normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword - threat.enrichments.file.mode: - dashed_name: threat-enrichments-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.enrichments.file.mode + threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard + threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.registry.value ignore_above: 1024 - level: extended - name: mode + level: core + name: value normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: registry + short: Name of the value written. type: keyword - threat.enrichments.file.mtime: - dashed_name: threat-enrichments-file-mtime - description: Last time the file content was modified. - flat_name: threat.enrichments.file.mtime + threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain level: extended - name: mtime + name: domain normalize: [] - original_fieldset: file - short: Last time the file content was modified. 
- type: date - threat.enrichments.file.name: - dashed_name: threat-enrichments-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.enrichments.file.name + original_fieldset: url + short: Domain of the url. + type: wildcard + threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension ignore_above: 1024 level: extended - name: name + name: extension normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword - threat.enrichments.file.owner: - dashed_name: threat-enrichments-file-owner - description: File owner's username. - example: alice - flat_name: threat.enrichments.file.owner + threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.url.fragment ignore_above: 1024 level: extended - name: owner + name: fragment normalize: [] - original_fieldset: file - short: File owner's username. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword - threat.enrichments.file.path: - dashed_name: threat-enrichments-file-path - description: Full path to the file, including the file name. 
It should include - the drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.enrichments.file.path + threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full level: extended multi_fields: - - flat_name: threat.enrichments.file.path.text + - flat_name: threat.enrichments.url.full.text name: text norms: false type: text - name: path + name: full normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. + original_fieldset: url + short: Full unparsed URL. type: wildcard - threat.enrichments.file.size: - dashed_name: threat-enrichments-file-size - description: 'File size in bytes. + threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.enrichments.file.size - level: extended - name: size - normalize: [] - original_fieldset: file - short: File size in bytes. - type: long - threat.enrichments.file.target_path: - dashed_name: threat-enrichments-file-target-path - description: Target path for symlinks. - flat_name: threat.enrichments.file.target_path + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original level: extended multi_fields: - - flat_name: threat.enrichments.file.target_path.text + - flat_name: threat.enrichments.url.original.text name: text norms: false type: text - name: target_path + name: original normalize: [] - original_fieldset: file - short: Target path for symlinks. + original_fieldset: url + short: Unmodified original url as seen in the event source. type: wildcard - threat.enrichments.file.type: - dashed_name: threat-enrichments-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.enrichments.file.type + threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password ignore_above: 1024 level: extended - name: type + name: password normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + original_fieldset: url + short: Password of the request. type: keyword - threat.enrichments.file.uid: - dashed_name: threat-enrichments-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.enrichments.file.uid - ignore_above: 1024 + threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path level: extended - name: uid - normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. - type: keyword - threat.enrichments.geo.city_name: - dashed_name: threat-enrichments-geo-city-name - description: City name. - example: Montreal - flat_name: threat.enrichments.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. 
- type: keyword - threat.enrichments.geo.continent_code: - dashed_name: threat-enrichments-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.enrichments.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - threat.enrichments.geo.continent_name: - dashed_name: threat-enrichments-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.enrichments.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name + name: path normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - threat.enrichments.geo.country_iso_code: - dashed_name: threat-enrichments-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.enrichments.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code + original_fieldset: url + short: Path of the request, such as "/search". + type: wildcard + threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string + level: extended + name: port normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - threat.enrichments.geo.country_name: - dashed_name: threat-enrichments-geo-country-name - description: Country name. - example: Canada - flat_name: threat.enrichments.geo.country_name + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. 
If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.enrichments.url.query ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - threat.enrichments.geo.location: - dashed_name: threat-enrichments-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.enrichments.geo.location - level: core - name: location + level: extended + name: query normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - threat.enrichments.geo.name: - dashed_name: threat-enrichments-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. + original_fieldset: url + short: Query string of the request. + type: keyword + threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + For example, the registered domain for "foo.example.com" is "example.com". - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.enrichments.geo.name + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain level: extended - name: name + name: registered_domain normalize: [] - original_fieldset: geo - short: User-defined description of a location. + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. 
type: wildcard - threat.enrichments.geo.postal_code: - dashed_name: threat-enrichments-geo-postal-code - description: 'Postal code associated with the location. + threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.enrichments.geo.postal_code + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme ignore_above: 1024 - level: core - name: postal_code + level: extended + name: scheme normalize: [] - original_fieldset: geo - short: Postal code. + original_fieldset: url + short: Scheme of the url. type: keyword - threat.enrichments.geo.region_iso_code: - dashed_name: threat-enrichments-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.enrichments.geo.region_iso_code + threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: subdomain normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: url + short: The subdomain of the domain. 
type: keyword - threat.enrichments.geo.region_name: - dashed_name: threat-enrichments-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.enrichments.geo.region_name + threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain ignore_above: 1024 - level: core - name: region_name + level: extended + name: top_level_domain normalize: [] - original_fieldset: geo - short: Region name. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword - threat.enrichments.geo.timezone: - dashed_name: threat-enrichments-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.enrichments.geo.timezone + threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. + flat_name: threat.enrichments.url.username ignore_above: 1024 - level: core - name: timezone + level: extended + name: username normalize: [] - original_fieldset: geo - short: Time zone. + original_fieldset: url + short: Username of the request. type: keyword - threat.enrichments.hash.md5: - dashed_name: threat-enrichments-hash-md5 - description: MD5 hash. - flat_name: threat.enrichments.hash.md5 + threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). 
Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names ignore_above: 1024 level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword - threat.enrichments.hash.sha1: - dashed_name: threat-enrichments-hash-sha1 - description: SHA1 hash. - flat_name: threat.enrichments.hash.sha1 + threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name ignore_above: 1024 level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. type: keyword - threat.enrichments.hash.sha256: - dashed_name: threat-enrichments-hash-sha256 - description: SHA256 hash. - flat_name: threat.enrichments.hash.sha256 + threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country ignore_above: 1024 level: extended - name: sha256 + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard + threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.enrichments.hash.sha512: - dashed_name: threat-enrichments-hash-sha512 - description: SHA512 hash. - flat_name: threat.enrichments.hash.sha512 + threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization ignore_above: 1024 level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword - threat.enrichments.hash.ssdeep: - dashed_name: threat-enrichments-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.hash.ssdeep + threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword - threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic + threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province ignore_above: 1024 level: extended - name: enrichments.matched.atomic - normalize: [] - short: Matched indicator value + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.matched.field: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field + threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. 
+ type: date + threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm ignore_above: 1024 level: extended - name: enrichments.matched.field + name: public_key_algorithm normalize: [] - short: Matched indicator field + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword - threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id + threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve ignore_above: 1024 level: extended - name: enrichments.matched.id + name: public_key_curve normalize: [] - short: Matched indicator identifier + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword - threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. 
- example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index - ignore_above: 1024 + threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false level: extended - name: enrichments.matched.index + name: public_key_exponent normalize: [] - short: Matched indicator index - type: keyword - threat.enrichments.matched.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number ignore_above: 1024 level: extended - name: enrichments.matched.type + name: serial_number normalize: [] - short: Type of indicator match + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. 
type: keyword - threat.enrichments.pe.architecture: - dashed_name: threat-enrichments-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.enrichments.pe.architecture + threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm ignore_above: 1024 level: extended - name: architecture + name: signature_algorithm normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword - threat.enrichments.pe.authentihash: - dashed_name: threat-enrichments-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.pe.authentihash + threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name ignore_above: 1024 level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. type: keyword - threat.enrichments.pe.company: - dashed_name: threat-enrichments-pe-company - description: Internal company name of the file, provided at compile-time. 
- example: Microsoft Corporation - flat_name: threat.enrichments.pe.company + threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country ignore_above: 1024 level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code type: keyword - threat.enrichments.pe.compile_timestamp: - dashed_name: threat-enrichments-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.compile_timestamp + threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name level: extended - name: compile_timestamp + name: subject.distinguished_name normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - threat.enrichments.pe.compiler.name: - dashed_name: threat-enrichments-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.enrichments.pe.compiler.name + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: wildcard + threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality ignore_above: 1024 level: extended - name: compiler.name - normalize: [] - original_fieldset: pe - short: Name of the compiler + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.enrichments.pe.compiler.version: - dashed_name: threat-enrichments-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.enrichments.pe.compiler.version + threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization ignore_above: 1024 level: extended - name: compiler.version - normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword - threat.enrichments.pe.creation_date: - dashed_name: threat-enrichments-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - threat.enrichments.pe.debug: - dashed_name: threat-enrichments-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' 
- flat_name: threat.enrichments.pe.debug - level: extended - name: debug + name: subject.organization normalize: - array - original_fieldset: pe - short: Debug information - type: nested - threat.enrichments.pe.debug.offset: - dashed_name: threat-enrichments-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.enrichments.pe.debug.offset + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.x509.subject.organizational_unit ignore_above: 1024 level: extended - name: debug.offset - normalize: [] - original_fieldset: pe - short: Debug offset information. + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. type: keyword - threat.enrichments.pe.debug.size: - dashed_name: threat-enrichments-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.enrichments.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - threat.enrichments.pe.debug.timestamp: - dashed_name: threat-enrichments-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.debug.timestamp - level: extended - name: debug.timestamp - normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - threat.enrichments.pe.debug.type: - dashed_name: threat-enrichments-pe-debug-type - description: Information type generated by the debug options. 
- example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.pe.debug.type + threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province ignore_above: 1024 level: extended - name: debug.type - normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.pe.description: - dashed_name: threat-enrichments-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.enrichments.pe.description + threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number ignore_above: 1024 level: extended - name: description + name: version_number normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: x509 + short: Version of x509 format. type: keyword - threat.enrichments.pe.entry_point: - dashed_name: threat-enrichments-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.enrichments.pe.entry_point + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. 
+ example: MITRE ATT&CK + flat_name: threat.framework ignore_above: 1024 level: extended - name: entry_point + name: framework normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. + short: Threat classification framework. type: keyword - threat.enrichments.pe.exports: - dashed_name: threat-enrichments-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.pe.exports + threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: exports + name: group.alias normalize: - array - original_fieldset: pe - short: List of symbols exported by PE + short: Alias of the group. type: keyword - threat.enrichments.pe.file_version: - dashed_name: threat-enrichments-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.enrichments.pe.file_version + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id ignore_above: 1024 level: extended - name: file_version + name: group.id normalize: [] - original_fieldset: pe - short: Process name. + short: ID of the group. 
type: keyword - threat.enrichments.pe.icon.hash.dhash: - dashed_name: threat-enrichments-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.enrichments.pe.icon.hash.dhash + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name ignore_above: 1024 level: extended - name: icon.hash.dhash + name: group.name normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. + short: Name of the group. type: keyword - threat.enrichments.pe.imphash: - dashed_name: threat-enrichments-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.pe.imphash + threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." 
+ example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference ignore_above: 1024 level: extended - name: imphash + name: group.reference normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + short: Reference URL of the group. type: keyword - threat.enrichments.pe.imports: - dashed_name: threat-enrichments-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.enrichments.pe.imports + threat.indicator.as.data.bytes: + dashed_name: threat-indicator-as-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.as.data.bytes + ignore_above: 1024 level: extended - name: imports + name: data.bytes normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - threat.enrichments.pe.machine_type: - dashed_name: threat-enrichments-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.pe.machine_type + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.indicator.as.data.strings: + dashed_name: threat-indicator-as-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. 
For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.as.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.indicator.as.data.type: + dashed_name: threat-indicator-as-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.as.data.type ignore_above: 1024 - level: extended - name: machine_type + level: core + name: data.type normalize: [] - original_fieldset: pe - short: Machine type of the PE file. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.enrichments.pe.original_file_name: - dashed_name: threat-enrichments-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.enrichments.pe.original_file_name - level: extended - name: original_file_name + threat.indicator.as.hive: + dashed_name: threat-indicator-as-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.as.hive + ignore_above: 1024 + level: core + name: hive normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.indicator.as.key: + dashed_name: threat-indicator-as-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.as.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. 
type: wildcard - threat.enrichments.pe.packers: - dashed_name: threat-enrichments-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.pe.packers + threat.indicator.as.path: + dashed_name: threat-indicator-as-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.as.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.indicator.as.value: + dashed_name: threat-indicator-as-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.as.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. + name: indicator.confidence + normalize: [] + short: Indicator confidence rating type: keyword - threat.enrichments.pe.product: - dashed_name: threat-enrichments-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.pe.product + threat.indicator.description: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: product + name: indicator.email.address normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + short: Indicator email address type: keyword - threat.enrichments.pe.resources: - dashed_name: threat-enrichments-pe-resources - description: 'An array containing an object for each PE resource, if present. + threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested - threat.enrichments.pe.resources.chi2: - dashed_name: threat-enrichments-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.enrichments.pe.resources.chi2 + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed level: extended - name: resources.chi2 + name: accessed normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. 
- type: long - threat.enrichments.pe.resources.entropy: - dashed_name: threat-enrichments-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.enrichments.pe.resources.entropy + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 level: extended - name: resources.entropy + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - threat.enrichments.pe.resources.filetype: - dashed_name: threat-enrichments-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.enrichments.pe.resources.filetype + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended - name: resources.filetype + name: signing_id normalize: [] - original_fieldset: pe - short: File type of the resources section. + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword - threat.enrichments.pe.resources.language: - dashed_name: threat-enrichments-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.pe.resources.language + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 level: extended - name: resources.language + name: status normalize: [] - original_fieldset: pe - short: Language identification. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - threat.enrichments.pe.resources.sha256: - dashed_name: threat-enrichments-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.pe.resources.sha256 + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 - level: extended - name: resources.sha256 + level: core + name: subject_name normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. 
+ original_fieldset: code_signature + short: Subject name of the code signer type: keyword - threat.enrichments.pe.resources.type: - dashed_name: threat-enrichments-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.pe.resources.type + threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword - threat.enrichments.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.pe.rich_header.hash.md5 - ignore_above: 1024 + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted level: extended - name: rich_header.hash.md5 + name: trusted normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. 
- type: keyword - threat.enrichments.pe.sections: - dashed_name: threat-enrichments-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.enrichments.pe.sections + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - threat.enrichments.pe.sections.chi2: - dashed_name: threat-enrichments-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.enrichments.pe.sections.chi2 + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created level: extended - name: sections.chi2 + name: created normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - threat.enrichments.pe.sections.entropy: - dashed_name: threat-enrichments-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.enrichments.pe.sections.entropy + original_fieldset: file + short: File creation time. + type: date + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. 
+ + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime level: extended - name: sections.entropy + name: ctime normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float - threat.enrichments.pe.sections.flags: - dashed_name: threat-enrichments-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.enrichments.pe.sections.flags + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended - name: sections.flags + name: device normalize: [] - original_fieldset: pe - short: Section flags of the file. + original_fieldset: file + short: Device that is the source of the file. type: keyword - threat.enrichments.pe.sections.name: - dashed_name: threat-enrichments-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.enrichments.pe.sections.name - ignore_above: 1024 + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory level: extended - name: sections.name + name: directory normalize: [] - original_fieldset: pe - short: Section names of the file. + original_fieldset: file + short: Directory where the file is located. + type: wildcard + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. 
+ + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. type: keyword - threat.enrichments.pe.sections.raw_size: - dashed_name: threat-enrichments-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.enrichments.pe.sections.raw_size - format: bytes + threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture + ignore_above: 1024 level: extended - name: sections.raw_size + name: architecture normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - threat.enrichments.pe.sections.virtual_address: - dashed_name: threat-enrichments-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.enrichments.pe.sections.virtual_address - format: bytes + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order + ignore_above: 1024 level: extended - name: sections.virtual_address + name: byte_order normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long - threat.enrichments.registry.data.bytes: - dashed_name: threat-enrichments-registry-data-bytes - description: 'Original bytes written with base64 encoding. 
- - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.registry.data.bytes + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type ignore_above: 1024 level: extended - name: data.bytes + name: cpu_type normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword - threat.enrichments.registry.data.strings: - dashed_name: threat-enrichments-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.registry.data.strings - level: core - name: data.strings + threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date + threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports normalize: - array - original_fieldset: registry - short: List of strings representing what was written to the registry. - type: wildcard - threat.enrichments.registry.data.type: - dashed_name: threat-enrichments-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.registry.data.type + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version ignore_above: 1024 - level: core - name: data.type + level: extended + name: header.abi_version normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword - threat.enrichments.registry.hive: - dashed_name: threat-enrichments-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.registry.hive + threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class ignore_above: 1024 - level: core - name: hive + level: extended + name: header.class normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: elf + short: Header class of the ELF file. type: keyword - threat.enrichments.registry.key: - dashed_name: threat-enrichments-registry-key - description: Hive-relative path of keys. 
- example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.registry.key - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. - type: wildcard - threat.enrichments.registry.path: - dashed_name: threat-enrichments-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.registry.path - level: core - name: path - normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: wildcard - threat.enrichments.registry.value: - dashed_name: threat-enrichments-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.registry.value + threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data ignore_above: 1024 - level: core - name: value + level: extended + name: header.data normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: elf + short: Data table of the ELF header. type: keyword - threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' 
- example: www.elastic.co - flat_name: threat.enrichments.url.domain + threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint + format: string level: extended - name: domain + name: header.entrypoint normalize: [] - original_fieldset: url - short: Domain of the url. - type: wildcard - threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.url.extension + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.indicator.file.elf.header.object_version ignore_above: 1024 level: extended - name: extension + name: header.object_version normalize: [] - original_fieldset: url - short: File extension from the request url, excluding the leading dot. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword - threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. 
+ flat_name: threat.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended - name: fragment + name: header.os_abi normalize: [] - original_fieldset: url - short: Portion of the url after the `#`. + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword - threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.full.text - name: text - norms: false - type: text - name: full + name: header.type normalize: [] - original_fieldset: url - short: Full unparsed URL. - type: wildcard - threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. 
+ flat_name: threat.indicator.file.elf.header.version + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.original.text - name: text - norms: false - type: text - name: original + name: header.version normalize: [] - original_fieldset: url - short: Unmodified original url as seen in the event source. - type: wildcard - threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password - description: Password of the request. - flat_name: threat.enrichments.url.password - ignore_above: 1024 + original_fieldset: elf + short: Version of the ELF header. + type: keyword + threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections level: extended - name: password - normalize: [] - original_fieldset: url - short: Password of the request. - type: keyword - threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path - description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. 
+ flat_name: threat.indicator.file.elf.sections.chi2 + format: number level: extended - name: path + name: sections.chi2 normalize: [] - original_fieldset: url - short: Path of the request, such as "/search". - type: wildcard - threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port - description: Port of the request, such as 443. - example: 443 - flat_name: threat.enrichments.url.port - format: string + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number level: extended - name: port + name: sections.entropy normalize: [] - original_fieldset: url - short: Port of the request, such as 443. + original_fieldset: elf + short: Shannon entropy calculation from the section. type: long - threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' - flat_name: threat.enrichments.url.query + threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: query + name: sections.flags normalize: [] - original_fieldset: url - short: Query string of the request. + original_fieldset: elf + short: ELF Section List flags. 
type: keyword - threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: threat.enrichments.url.registered_domain + threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name + ignore_above: 1024 level: extended - name: registered_domain + name: sections.name normalize: [] - original_fieldset: url - short: The highest registered url domain, stripped of the subdomain. - type: wildcard - threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: threat.enrichments.url.scheme + original_fieldset: elf + short: ELF Section List name. + type: keyword + threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - name: scheme + name: sections.physical_offset normalize: [] - original_fieldset: url - short: Scheme of the url. + original_fieldset: elf + short: ELF Section List offset. type: keyword - threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: threat.enrichments.url.subdomain + threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended - name: subdomain + name: sections.type normalize: [] - original_fieldset: url - short: The subdomain of the domain. + original_fieldset: elf + short: ELF Section List type. type: keyword - threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". + threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. 
+ type: long + threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: threat.enrichments.url.top_level_domain + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections ignore_above: 1024 level: extended - name: top_level_domain + name: segments.sections normalize: [] - original_fieldset: url - short: The effective top level domain (com, org, net, co.uk). + original_fieldset: elf + short: ELF object segment sections. type: keyword - threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username - description: Username of the request. - flat_name: threat.enrichments.url.username + threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. 
+ flat_name: threat.indicator.file.elf.segments.type ignore_above: 1024 level: extended - name: username + name: segments.type normalize: [] - original_fieldset: url - short: Username of the request. + original_fieldset: elf + short: ELF object segment type. type: keyword - threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended - name: alternative_names + name: shared_libraries normalize: - array - original_fieldset: x509 - short: List of subject alternative names (SAN). + original_fieldset: elf + short: List of shared libraries used by this ELF object. type: keyword - threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash ignore_above: 1024 level: extended - name: issuer.common_name - normalize: - - array - original_fieldset: x509 - short: List of common name (CN) of issuing certificate authority. + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. 
type: keyword - threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country - description: List of country (C) codes - example: US - flat_name: threat.enrichments.x509.issuer.country + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended - name: issuer.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) codes - type: keyword - threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name - level: extended - name: issuer.distinguished_name + name: extension normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of issuing certificate authority. - type: wildcard - threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality - description: List of locality names (L) - example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. 
+ example: '1001' + flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended - name: issuer.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) - type: keyword - threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group ignore_above: 1024 level: extended - name: issuer.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of issuing certificate authority. + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. type: keyword - threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended - name: issuer.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of issuing certificate authority. + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. 
type: keyword - threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended - name: issuer.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. type: keyword - threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 level: extended - name: not_after + name: mode normalize: [] - original_fieldset: x509 - short: Time at which the certificate is no longer considered valid. - type: date - threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + original_fieldset: file + short: Mode of the file in octal representation. 
+ type: keyword + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime level: extended - name: not_before + name: mtime normalize: [] - original_fieldset: x509 - short: Time at which the certificate is first considered valid. + original_fieldset: file + short: Last time the file content was modified. type: date - threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm - description: Algorithm used to generate the public key. - example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended - name: public_key_algorithm + name: name normalize: [] - original_fieldset: x509 - short: Algorithm used to generate the public key. + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword - threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended - name: public_key_curve + name: owner normalize: [] - original_fieldset: x509 - short: The curve used by the elliptic curve public key algorithm. This is algorithm - specific. + original_fieldset: file + short: File owner's username. 
type: keyword - threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent - description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent - index: false + threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path level: extended - name: public_key_exponent + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path normalize: [] - original_fieldset: x509 - short: Exponent used to derive the public key. This is algorithm specific. - type: long - threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size - description: The size of the public key space in bits. - example: 2048 - flat_name: threat.enrichments.x509.public_key_size + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard + threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size level: extended - name: public_key_size + name: size normalize: [] - original_fieldset: x509 - short: The size of the public key space in bits. + original_fieldset: file + short: File size in bytes. type: long - threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. 
- example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number - ignore_above: 1024 + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path level: extended - name: serial_number + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path normalize: [] - original_fieldset: x509 - short: Unique serial number issued by the certificate authority. - type: keyword - threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + original_fieldset: file + short: Target path for symlinks. + type: wildcard + threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type ignore_above: 1024 level: extended - name: signature_algorithm + name: type normalize: [] - original_fieldset: x509 - short: Identifier for certificate signature algorithm. - type: keyword - threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name - description: List of common names (CN) of subject. - example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name - ignore_above: 1024 - level: extended - name: subject.common_name - normalize: - - array - original_fieldset: x509 - short: List of common names (CN) of subject. + original_fieldset: file + short: File type (file, dir, or symlink). 
type: keyword - threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country - description: List of country (C) code - example: US - flat_name: threat.enrichments.x509.subject.country + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended - name: subject.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) code + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword - threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen level: extended - name: subject.distinguished_name + name: indicator.first_seen normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of the certificate subject entity. 
- type: wildcard - threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality - description: List of locality names (L) - example: San Francisco - flat_name: threat.enrichments.x509.subject.locality - ignore_above: 1024 - level: extended - name: subject.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) - type: keyword - threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization - description: List of organizations (O) of subject. - example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + short: Date/time indicator was first reported. + type: date + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name ignore_above: 1024 - level: extended - name: subject.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of subject. - type: keyword - threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit - description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: subject.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of subject. + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
type: keyword - threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.subject.state_or_province + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name ignore_above: 1024 - level: extended - name: subject.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. type: keyword - threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number - description: Version of x509 format. - example: 3 - flat_name: threat.enrichments.x509.version_number + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 - level: extended - name: version_number + level: core + name: country_iso_code normalize: [] - original_fieldset: x509 - short: Version of x509 format. + original_fieldset: geo + short: Country ISO code. type: keyword - threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. 
+ example: Canada + flat_name: threat.indicator.geo.country_name ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name level: extended - name: framework + name: name normalize: [] - short: Threat classification framework. + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. type: keyword - threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." 
- example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. type: keyword - threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name ignore_above: 1024 - level: extended - name: group.id + level: core + name: region_name normalize: [] - short: ID of the group. + original_fieldset: geo + short: Region name. type: keyword - threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone ignore_above: 1024 - level: extended - name: group.name + level: core + name: timezone normalize: [] - short: Name of the group. + original_fieldset: geo + short: Time zone. 
type: keyword - threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended - name: group.reference + name: md5 normalize: [] - short: Reference URL of the group. + original_fieldset: hash + short: MD5 hash. type: keyword - threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended - name: indicator.confidence + name: sha1 normalize: [] - short: Indicator confidence rating + original_fieldset: hash + short: SHA1 hash. type: keyword - threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. 
+ flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended - name: indicator.description + name: sha256 normalize: [] - short: Indicator description + original_fieldset: hash + short: SHA256 hash. type: keyword - threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - flat_name: threat.indicator.email.address + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended - name: indicator.email.address + name: sha512 normalize: [] - short: Indicator email address + original_fieldset: hash + short: SHA512 hash. type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 level: extended - name: indicator.first_seen + name: ssdeep normalize: [] - short: Date/time indicator was first reported. - type: date + original_fieldset: hash + short: SSDEEP hash. + type: keyword threat.indicator.ip: beta: This field is beta and subject to change. dashed_name: threat-indicator-ip 
@@ -17412,6 +16956,30 @@ threat: normalize: [] short: Indicator port type: long + threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Indicator provider + type: keyword + threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 + level: extended + name: indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword threat.indicator.scanner_stats: beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats 
@@ -17655,40 +17223,75 @@ threat: group: 2 name: threat nestings: - - threat.enrichments.as - - threat.enrichments.event - - threat.enrichments.file - - threat.enrichments.geo - - threat.enrichments.hash + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as - threat.enrichments.pe - threat.enrichments.registry - threat.enrichments.url - threat.enrichments.x509 + - threat.indicator.as + - threat.indicator.as + - threat.indicator.as + - threat.indicator.file + - threat.indicator.geo + - threat.indicator.hash prefix: threat. reused_here: - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.as + full: threat.indicator.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - - beta: Reusing the `event` fields in this location is currently considered beta. - full: threat.enrichments.event - schema_name: event - short: Fields breaking down the event details. - beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.file + full: threat.indicator.file + schema_name: file + short: Fields describing files. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as schema_name: file short: Fields describing files. - beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.geo + full: threat.indicator.geo + schema_name: geo + short: Fields describing a location. + - beta: Reusing the `as` fields in this location is currently considered beta. 
+ full: threat.enrichments.indicator.as schema_name: geo short: Fields describing a location. - beta: Reusing the `hash` fields in this location is currently considered beta. - full: threat.enrichments.hash + full: threat.indicator.hash + schema_name: hash + short: Hashes, usually file hashes. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as schema_name: hash short: Hashes, usually file hashes. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. - full: threat.enrichments.pe schema_name: pe short: These fields contain Windows Portable Executable (PE) metadata. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + schema_name: registry + short: Fields related to Windows Registry operations. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as + schema_name: registry + short: Fields related to Windows Registry operations. - full: threat.enrichments.registry schema_name: registry short: Fields related to Windows Registry operations. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 3aafaed00a..51709fd85e 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
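Review bot: The regenerated `nestings` and `reused_here` in this hunk expose a naming collision introduced by the commit, not just a relocation: `threat.enrichments.indicator.as` appears six times and `threat.indicator.as` three times in `nestings`, while `reused_here` pairs `full: threat.enrichments.indicator.as` with `schema_name: file`, `geo`, `hash`, `pe` and `registry` (and `full: threat.indicator.as` with `pe` and `registry`). That is the output the generator produces when a fieldset's `reusable.expected` entry for `threat.enrichments.indicator` (or `threat.indicator`) says `as: as` instead of the fieldset's own name, so every reused fieldset lands on the same `as` node and the last one wins; the `template.json` hunk below shows the consequence, with `enrichments.indicator.as` mapped to registry fields (`data`, `hive`, `key`, `path`, `value`) and no `file`, `geo`, `hash` or `pe` node under `enrichments.indicator` at all. Detection rules or enrichment pipelines that expect `threat.enrichments.indicator.file.hash.*` or `threat.enrichments.indicator.pe.*` would silently never match against such a mapping. The fix belongs in the source schemas rather than here: each of those entries should read `as: file`, `as: geo`, `as: hash`, `as: pe` and `as: registry` respectively (with the `beta:` text naming the same fieldset), after which regeneration should leave every `full:` path ending in its own `schema_name`.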
@@ -4415,334 +4415,339 @@ "properties": { "enrichments": { "properties": { - "as": { + "indicator": { "properties": { - "number": { - "type": "long" - }, - "organization": { + "as": { "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } } - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" }, - "agent_id_status": { + "confidence": { "ignore_above": 1024, "type": "keyword" }, - "category": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "code": { - "ignore_above": 1024, - "type": "keyword" + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "created": { + "first_seen": { "type": "date" }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" + "ip": { + "type": "ip" }, - "end": { + "last_seen": { "type": "date" }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "ingested": { + "modified_at": { "type": "date" }, - "kind": { + "port": { + "type": "long" + }, + "provider": { "ignore_above": 1024, "type": "keyword" }, - "module": { + "reference": { "ignore_above": 1024, "type": "keyword" }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" + "scanner_stats": { + "type": "long" }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" + "sightings": { + "type": "long" }, - "provider": { + 
"type": { "ignore_above": 1024, "type": "keyword" - }, - "reason": { + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { "ignore_above": 1024, "type": "keyword" }, - "reference": { + "field": { "ignore_above": 1024, "type": "keyword" }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "index": { "ignore_above": 1024, "type": "keyword" }, - "url": { + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "file": { + "pe": { "properties": { - "accessed": { - "type": "date" + "architecture": { + "ignore_above": 1024, + "type": "keyword" }, - "attributes": { + "authentihash": { "ignore_above": 1024, "type": "keyword" }, - "code_signature": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { "properties": { - "exists": { - "type": "boolean" - }, - "signing_id": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "version": { "ignore_above": 1024, "type": "keyword" - }, - "subject_name": { + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" + "size": { + "type": "long" }, - "trusted": { - "type": "boolean" + "timestamp": { + "type": "date" }, - "valid": { - "type": "boolean" + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { 
+ "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, - "created": { - "type": "date" + "imphash": { + "ignore_above": 1024, + "type": "keyword" }, - "ctime": { - "type": "date" + "imports": { + "type": "flattened" }, - "device": { + "machine_type": { "ignore_above": 1024, "type": "keyword" }, - "directory": { + "original_file_name": { "type": "wildcard" }, - "drive_letter": { - "ignore_above": 1, + "packers": { + "ignore_above": 1024, "type": "keyword" }, - "elf": { + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { "properties": { - "architecture": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { + "language": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { + "sha256": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { + "md5": { "ignore_above": 1024, "type": "keyword" } } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" }, - "imports": { - "type": "flattened" + "entropy": { + "type": "float" }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "shared_libraries": { + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { "ignore_above": 1024, "type": "keyword" }, - "telfhash": { + "strings": { + "type": "wildcard" + }, + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { + "hive": { "ignore_above": 1024, "type": "keyword" }, - "inode": { - "ignore_above": 1024, - "type": "keyword" + "key": { + "type": "wildcard" }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "path": { + "type": "wildcard" }, - "mode": { + "value": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "type": "wildcard" }, - "mtime": { - "type": "date" - }, - "name": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "owner": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "path": { + "full": { "fields": { "text": { "norms": false, @@ -4751,10 +4756,7 @@ }, "type": "wildcard" }, - "size": { - "type": "long" - }, - "target_path": { + "original": { "fields": { "text": { "norms": false, 
@@ -4763,324 +4765,431 @@ }, "type": "wildcard" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { + "password": { "ignore_above": 1024, "type": "keyword" }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" + "path": { + "type": "wildcard" }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" + "port": { + "type": "long" }, - "country_name": { + "query": { "ignore_above": 1024, "type": "keyword" }, - "location": { - "type": "geo_point" - }, - "name": { + "registered_domain": { "type": "wildcard" }, - "postal_code": { + "scheme": { "ignore_above": 1024, "type": "keyword" }, - "region_iso_code": { + "subdomain": { "ignore_above": 1024, "type": "keyword" }, - "region_name": { + "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, - "timezone": { + "username": { "ignore_above": 1024, "type": "keyword" } } }, - "hash": { + "x509": { "properties": { - "md5": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + "not_after": { + "type": "date" }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" + "not_before": { + "type": "date" }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - } - } - 
}, - "matched": { - "properties": { - "atomic": { + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "field": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" }, - "index": { - "ignore_above": 1024, - "type": "keyword" + "public_key_size": { + "type": "long" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { + "serial_number": { "ignore_above": 1024, "type": "keyword" }, - "authentihash": { + "signature_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { + "subject": { "properties": { - "name": { + "common_name": { "ignore_above": 1024, "type": "keyword" }, - "version": { + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { "ignore_above": 1024, "type": "keyword" } } }, - "creation_date": { - "type": "date" - }, - "debug": { + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "data": { "properties": { - "offset": { + "bytes": { 
"ignore_above": 1024, "type": "keyword" }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" + "strings": { + "type": "wildcard" }, "type": { "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, - "description": { + "hive": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { "ignore_above": 1024, "type": "keyword" - }, - "exports": { + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" }, - "file_version": { + "attributes": { "ignore_above": 1024, "type": "keyword" }, - "icon": { + "code_signature": { "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" }, - "imports": { - "type": "flattened" + "ctime": { + "type": "date" }, - "machine_type": { + "device": { "ignore_above": 1024, "type": "keyword" }, - "original_file_name": { + "directory": { "type": "wildcard" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, + "drive_letter": { + "ignore_above": 1, "type": "keyword" }, - "resources": { + "elf": { "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { + 
"architecture": { "ignore_above": 1024, "type": "keyword" }, - "language": { + "byte_order": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "cpu_type": { "ignore_above": 1024, "type": "keyword" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { "properties": { - "md5": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { "ignore_above": 1024, "type": "keyword" } } - } - } - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "float" }, - "flags": { - "ignore_above": 1024, - "type": "keyword" + "imports": { + "type": "flattened" }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" }, - "raw_size": { - "type": "long" + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" }, - "virtual_address": { - "type": 
"long" - } - }, - "type": "nested" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { + "shared_libraries": { "ignore_above": 1024, "type": "keyword" }, - "strings": { - "type": "wildcard" - }, - "type": { + "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, - "hive": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "key": { - "type": "wildcard" + "gid": { + "ignore_above": 1024, + "type": "keyword" }, - "path": { - "type": "wildcard" + "group": { + "ignore_above": 1024, + "type": "keyword" }, - "value": { + "inode": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "type": "wildcard" }, - "extension": { + "mime_type": { "ignore_above": 1024, "type": "keyword" }, - "fragment": { + "mode": { "ignore_above": 1024, "type": "keyword" }, - "full": { + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { "fields": { "text": { "norms": false, @@ -5089,7 +5198,10 @@ }, "type": "wildcard" }, - "original": { + "size": { + "type": "long" + }, + "target_path": { "fields": { "text": { "norms": false, 
@@ -5098,193 +5210,89 @@ }, "type": "wildcard" }, - "password": { + "type": { "ignore_above": 1024, "type": "keyword" }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { + "uid": { "ignore_above": 1024, "type": "keyword" - }, - "registered_domain": { - "type": "wildcard" - }, - "scheme": { + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { "ignore_above": 1024, "type": "keyword" }, - "subdomain": { + "continent_code": { "ignore_above": 1024, "type": "keyword" }, - "top_level_domain": { + "continent_name": { "ignore_above": 1024, "type": "keyword" }, - "username": { + "country_iso_code": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { + }, + "country_name": { "ignore_above": 1024, "type": "keyword" }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "type": "wildcard" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" + "location": { + "type": "geo_point" }, - "not_before": { - "type": "date" + "name": { + "type": "wildcard" }, - "public_key_algorithm": { + "postal_code": { "ignore_above": 1024, "type": "keyword" }, - "public_key_curve": { + "region_iso_code": { "ignore_above": 1024, "type": "keyword" }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" + "region_name": { + "ignore_above": 1024, + "type": "keyword" }, - "serial_number": { + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + 
"properties": { + "md5": { "ignore_above": 1024, "type": "keyword" }, - "signature_algorithm": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "type": "wildcard" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } + "sha256": { + "ignore_above": 1024, + "type": "keyword" }, - "version_number": { + "sha512": { "ignore_above": 1024, "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { + }, + "ssdeep": { "ignore_above": 1024, "type": "keyword" } } }, - "first_seen": { - "type": "date" - }, "ip": { "type": "ip" }, @@ -5305,6 +5313,14 @@ "port": { "type": "long" }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, "scanner_stats": { "type": "long" }, diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index d5a25d4897..22c146bf17 100644 --- a/experimental/generated/elasticsearch/component/threat.json 
+++ b/experimental/generated/elasticsearch/component/threat.json 
@@ -10,334 +10,339 @@ "properties": { "enrichments": { "properties": { - "as": { + "indicator": { "properties": { - "number": { - "type": "long" - }, - "organization": { + "as": { "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } } - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" }, - "agent_id_status": { + "confidence": { "ignore_above": 1024, "type": "keyword" }, - "category": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "code": { - "ignore_above": 1024, - "type": "keyword" + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "created": { + "first_seen": { "type": "date" }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" + "ip": { + "type": "ip" }, - "end": { + "last_seen": { "type": "date" }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "ingested": { + "modified_at": { "type": "date" }, - "kind": { + "port": { + "type": "long" + }, + "provider": { "ignore_above": 1024, "type": "keyword" }, - "module": { + "reference": { "ignore_above": 1024, "type": "keyword" }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" + "scanner_stats": { + "type": "long" }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" + "sightings": { + "type": "long" }, - "provider": { + 
"type": { "ignore_above": 1024, "type": "keyword" - }, - "reason": { + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { "ignore_above": 1024, "type": "keyword" }, - "reference": { + "field": { "ignore_above": 1024, "type": "keyword" }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "index": { "ignore_above": 1024, "type": "keyword" }, - "url": { + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "file": { + "pe": { "properties": { - "accessed": { - "type": "date" + "architecture": { + "ignore_above": 1024, + "type": "keyword" }, - "attributes": { + "authentihash": { "ignore_above": 1024, "type": "keyword" }, - "code_signature": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { "properties": { - "exists": { - "type": "boolean" - }, - "signing_id": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "version": { "ignore_above": 1024, "type": "keyword" - }, - "subject_name": { + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" + "size": { + "type": "long" }, - "trusted": { - "type": "boolean" + "timestamp": { + "type": "date" }, - "valid": { - "type": "boolean" + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { 
+ "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, - "created": { - "type": "date" + "imphash": { + "ignore_above": 1024, + "type": "keyword" }, - "ctime": { - "type": "date" + "imports": { + "type": "flattened" }, - "device": { + "machine_type": { "ignore_above": 1024, "type": "keyword" }, - "directory": { + "original_file_name": { "type": "wildcard" }, - "drive_letter": { - "ignore_above": 1, + "packers": { + "ignore_above": 1024, "type": "keyword" }, - "elf": { + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { "properties": { - "architecture": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { + "language": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { + "sha256": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { + "md5": { "ignore_above": 1024, "type": "keyword" } } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" }, - "imports": { - "type": "flattened" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" + "entropy": { + "type": "float" }, - "shared_libraries": { + "flags": { "ignore_above": 1024, "type": "keyword" }, - "telfhash": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { + "hive": { "ignore_above": 1024, "type": "keyword" }, - "inode": { - "ignore_above": 1024, - "type": "keyword" + "key": { + "type": "wildcard" }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "path": { + "type": "wildcard" }, - "mode": { + "value": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "type": "wildcard" }, - "mtime": { - "type": "date" - }, - "name": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "owner": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "path": { + "full": { "fields": { "text": { "norms": false, @@ -346,10 +351,7 @@ }, "type": "wildcard" }, - "size": { - "type": "long" - }, - "target_path": { + "original": { "fields": { "text": { "norms": false, 
@@ -358,324 +360,431 @@ }, "type": "wildcard" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { + "password": { "ignore_above": 1024, "type": "keyword" }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" + "path": { + "type": "wildcard" }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" + "port": { + "type": "long" }, - "country_name": { + "query": { "ignore_above": 1024, "type": "keyword" }, - "location": { - "type": "geo_point" - }, - "name": { + "registered_domain": { "type": "wildcard" }, - "postal_code": { + "scheme": { "ignore_above": 1024, "type": "keyword" }, - "region_iso_code": { + "subdomain": { "ignore_above": 1024, "type": "keyword" }, - "region_name": { + "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, - "timezone": { + "username": { "ignore_above": 1024, "type": "keyword" } } }, - "hash": { + "x509": { "properties": { - "md5": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + "not_after": { + "type": "date" }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" + "not_before": { + "type": "date" }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - } - } - 
}, - "matched": { - "properties": { - "atomic": { + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "field": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" }, - "index": { - "ignore_above": 1024, - "type": "keyword" + "public_key_size": { + "type": "long" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { + "serial_number": { "ignore_above": 1024, "type": "keyword" }, - "authentihash": { + "signature_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { + "subject": { "properties": { - "name": { + "common_name": { "ignore_above": 1024, "type": "keyword" }, - "version": { + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { "ignore_above": 1024, "type": "keyword" } } }, - "creation_date": { - "type": "date" - }, - "debug": { + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "data": { "properties": { - "offset": { + "bytes": { 
"ignore_above": 1024, "type": "keyword" }, - "size": { - "type": "long" - }, - "timestamp": { - "type": "date" + "strings": { + "type": "wildcard" }, "type": { "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, - "description": { + "hive": { "ignore_above": 1024, "type": "keyword" }, - "entry_point": { + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { "ignore_above": 1024, "type": "keyword" - }, - "exports": { + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" }, - "file_version": { + "attributes": { "ignore_above": 1024, "type": "keyword" }, - "icon": { + "code_signature": { "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" }, - "imports": { - "type": "flattened" + "ctime": { + "type": "date" }, - "machine_type": { + "device": { "ignore_above": 1024, "type": "keyword" }, - "original_file_name": { + "directory": { "type": "wildcard" }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, + "drive_letter": { + "ignore_above": 1, "type": "keyword" }, - "resources": { + "elf": { "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "filetype": { + 
"architecture": { "ignore_above": 1024, "type": "keyword" }, - "language": { + "byte_order": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "cpu_type": { "ignore_above": 1024, "type": "keyword" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "rich_header": { - "properties": { - "hash": { + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { "properties": { - "md5": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { "ignore_above": 1024, "type": "keyword" } } - } - } - }, - "sections": { - "properties": { - "chi2": { - "type": "long" }, - "entropy": { - "type": "float" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" + "imports": { + "type": "flattened" }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" }, - "raw_size": { - "type": "long" + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" }, - "virtual_address": { - "type": 
"long" - } - }, - "type": "nested" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { + "shared_libraries": { "ignore_above": 1024, "type": "keyword" }, - "strings": { - "type": "wildcard" - }, - "type": { + "telfhash": { "ignore_above": 1024, "type": "keyword" } } }, - "hive": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "key": { - "type": "wildcard" + "gid": { + "ignore_above": 1024, + "type": "keyword" }, - "path": { - "type": "wildcard" + "group": { + "ignore_above": 1024, + "type": "keyword" }, - "value": { + "inode": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "type": "wildcard" }, - "extension": { + "mime_type": { "ignore_above": 1024, "type": "keyword" }, - "fragment": { + "mode": { "ignore_above": 1024, "type": "keyword" }, - "full": { + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { "fields": { "text": { "norms": false, @@ -684,7 +793,10 @@ }, "type": "wildcard" }, - "original": { + "size": { + "type": "long" + }, + "target_path": { "fields": { "text": { "norms": false, 
@@ -693,193 +805,89 @@ }, "type": "wildcard" }, - "password": { + "type": { "ignore_above": 1024, "type": "keyword" }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { + "uid": { "ignore_above": 1024, "type": "keyword" - }, - "registered_domain": { - "type": "wildcard" - }, - "scheme": { + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { "ignore_above": 1024, "type": "keyword" }, - "subdomain": { + "continent_code": { "ignore_above": 1024, "type": "keyword" }, - "top_level_domain": { + "continent_name": { "ignore_above": 1024, "type": "keyword" }, - "username": { + "country_iso_code": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { + }, + "country_name": { "ignore_above": 1024, "type": "keyword" }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "type": "wildcard" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" + "location": { + "type": "geo_point" }, - "not_before": { - "type": "date" + "name": { + "type": "wildcard" }, - "public_key_algorithm": { + "postal_code": { "ignore_above": 1024, "type": "keyword" }, - "public_key_curve": { + "region_iso_code": { "ignore_above": 1024, "type": "keyword" }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" + "region_name": { + "ignore_above": 1024, + "type": "keyword" }, - "serial_number": { + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + 
"properties": { + "md5": { "ignore_above": 1024, "type": "keyword" }, - "signature_algorithm": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "type": "wildcard" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } + "sha256": { + "ignore_above": 1024, + "type": "keyword" }, - "version_number": { + "sha512": { "ignore_above": 1024, "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { + }, + "ssdeep": { "ignore_above": 1024, "type": "keyword" } } }, - "first_seen": { - "type": "date" - }, "ip": { "type": "ip" }, @@ -900,6 +908,14 @@ "port": { "type": "long" }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, "scanner_stats": { "type": "long" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 2854637315..9d9addc651 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -1737,8 +1737,8 @@ - name: original level: core type: keyword - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, 
@@ -5851,1318 +5851,1200 @@ description: A list of associated indicators enriching the event, and the context of that association/enrichment. default_field: false - - name: enrichments.as.number + - name: enrichments.indicator level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: enrichments.as.organization.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC - default_field: false - - name: enrichments.event.action - level: core - type: keyword - ignore_above: 1024 - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change - default_field: false - - name: enrichments.event.agent_id_status - level: extended - type: keyword - ignore_above: 1024 - description: 'Agents are normally responsible for populating the `agent.id` - field value. If the system receiving events is capable of validating the value - based on authentication information for the client then this field can be - used to reflect the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the - client cert contains the ID of the agent to which the cert was issued then - the `agent.id` value in events can be checked against the certificate. If - the values match then `event.agent_id_status: verified` is added to the event, - otherwise one of the other allowed values should be used. - - If no validation is performed then the field should be omitted. 
- - The allowed values are: - - `verified` - The `agent.id` field value matches expected value obtained from - auth metadata. - - `mismatch` - The `agent.id` field value does not match the expected value - obtained from auth metadata. - - `missing` - There was no `agent.id` field in the event to validate. - - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - default_field: false - - name: enrichments.event.category - level: core - type: keyword - ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process - activity. This field is closely related to `event.type`, which is used as - a subcategory. - - This field is an array. This will allow proper categorization of some events - that fall in multiple categories.' - example: authentication + type: object + description: Indicators default_field: false - - name: enrichments.event.code + - name: enrichments.indicator.as.data.bytes level: extended type: keyword ignore_above: 1024 - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 - default_field: false - - name: enrichments.event.created - level: core - type: date - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. - - In most situations, these two timestamps will be slightly different. 
The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. + description: 'Original bytes written with base64 encoding. - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.event.dataset + - name: enrichments.indicator.as.data.strings level: core type: keyword ignore_above: 1024 - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes - from. + description: 'Content when writing string types. - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' - example: apache.access + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.event.duration + - name: enrichments.indicator.as.data.type level: core - type: long - format: duration - input_format: nanoseconds - output_format: asMilliseconds - output_precision: 1 - description: 'Duration of the event in nanoseconds. 
- - If event.start and event.end are known this value should be the difference - between the end and start time.' - default_field: false - - name: enrichments.event.end - level: extended - type: date - description: event.end contains the date when the event ended or when the activity - was last observed. - default_field: false - - name: enrichments.event.hash - level: extended type: keyword ignore_above: 1024 - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. - example: 123456789012345678901234567890ABCD + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: enrichments.event.id + - name: enrichments.indicator.as.hive level: core type: keyword ignore_above: 1024 - description: Unique ID to describe the event. - example: 8a4f500d - default_field: false - - name: enrichments.event.ingested - level: core - type: date - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: enrichments.event.kind + - name: enrichments.indicator.as.key level: core type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - highest level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the - event contains, without being specific to the contents of the event. For example, - values of this field distinguish alert events from metric events. 
- - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval - or not.' - example: alert + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.event.module + - name: enrichments.indicator.as.path level: core type: keyword ignore_above: 1024 - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain - the name of this module.' - example: apache - default_field: false - - name: enrichments.event.original - level: core - type: keyword - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may - be required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and - index this field, please see `Field data types` in the `Elasticsearch Reference`.' - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - index: false - doc_values: false + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: enrichments.event.outcome + - name: enrichments.indicator.as.value level: core type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - lowest level in the ECS category hierarchy. 
- - `event.outcome` simply denotes whether the event represents a success or a - failure from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each - event may populate different values of `event.outcome`, according to their - perspective. - - Also note that in the case of a compound event (a single event that contains - multiple logical events), this field should be populated with the value that - best captures the overall success or failure from the perspective of the event - producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success + description: Name of the value written. + example: Debugger default_field: false - - name: enrichments.event.provider + - name: enrichments.indicator.confidence level: extended type: keyword ignore_above: 1024 - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: enrichments.event.reason + - name: enrichments.indicator.description level: extended type: keyword ignore_above: 1024 - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. 
- Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` - which denied the request may also populate `event.reason` with the reason - why (e.g. `blocked site`).' - example: Terminated an unexpected process + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: enrichments.event.reference + - name: enrichments.indicator.email.address level: extended type: keyword ignore_above: 1024 - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - default_field: false - - name: enrichments.event.risk_score - level: core - type: float - description: Risk score or priority of the event (e.g. security solutions). - Use your system's original value here. + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com default_field: false - - name: enrichments.event.risk_score_norm + - name: enrichments.indicator.first_seen level: extended - type: float - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.event.sequence + - name: enrichments.indicator.ip level: extended - type: long - format: string - description: 'Sequence number of the event. 
- - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regardless of the timestamp precision.' - default_field: false - - name: enrichments.event.severity - level: core - type: long - format: string - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and - use cases. It''s up to the implementer to make sure severities are consistent - across events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` - is meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 default_field: false - - name: enrichments.event.start + - name: enrichments.indicator.last_seen level: extended type: date - description: event.start contains the date when the event started or when the - activity was first observed. + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.event.timezone + - name: enrichments.indicator.marking.tlp level: extended type: keyword ignore_above: 1024 - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + description: "Traffic Light Protocol sharing markings. 
Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White default_field: false - - name: enrichments.event.type - level: core + - name: enrichments.indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: enrichments.indicator.provider + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - third level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along - with the `event.category` field values, enables filtering events down to a - level appropriate for single visualization. - - This field is an array. This will allow proper categorization of some events - that fall in multiple event types.' + description: The name of the indicator's provider. + example: lrz_urlhaus default_field: false - - name: enrichments.event.url + - name: enrichments.indicator.reference level: extended type: keyword ignore_above: 1024 - description: 'URL linking to an external system to continue investigation of - this event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + description: Reference URL linking to additional information about this indicator. 
+ example: https://system.example.com/indicator/0001234 + default_field: false + - name: enrichments.indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 default_field: false - - name: enrichments.file.accessed + - name: enrichments.indicator.sightings level: extended - type: date - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 default_field: false - - name: enrichments.file.attributes + - name: enrichments.indicator.type level: extended type: keyword ignore_above: 1024 - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - default_field: false - - name: enrichments.file.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr default_field: false - - name: enrichments.file.code_signature.signing_id + - name: enrichments.matched.atomic level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' 
- example: com.apple.xpc.proxy + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com default_field: false - - name: enrichments.file.code_signature.status + - name: enrichments.matched.field level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 default_field: false - - name: enrichments.file.code_signature.subject_name - level: core + - name: enrichments.matched.id + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 default_field: false - - name: enrichments.file.code_signature.team_id + - name: enrichments.matched.index level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - default_field: false - - name: enrichments.file.code_signature.trusted - level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + description: Identifies the _index of the indicator document enriching the event. 
+ example: filebeat-8.0.0-2021.05.23-000011 default_field: false - - name: enrichments.file.code_signature.valid + - name: enrichments.matched.type level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' + type: keyword + ignore_above: 1024 + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule default_field: false - - name: enrichments.file.created + - name: enrichments.url.domain level: extended - type: date - description: 'File creation time. + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". - Note that not all filesystems store the creation time.' - default_field: false - - name: enrichments.file.ctime - level: extended - type: date - description: 'Last time the file attributes or metadata changed. + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co default_field: false - - name: enrichments.file.device + - name: enrichments.url.extension level: extended type: keyword ignore_above: 1024 - description: Device that is the source of the file. - example: sda + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. 
For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: enrichments.file.directory + - name: enrichments.url.fragment level: extended type: keyword ignore_above: 1024 - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice - default_field: false - - name: enrichments.file.drive_letter - level: extended - type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. + description: 'Portion of the url after the `#`, such as "top". - The value should be uppercase, and not include the colon.' - example: C + The `#` is not part of the fragment.' default_field: false - - name: enrichments.file.elf.architecture + - name: enrichments.url.full level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - - name: enrichments.file.elf.byte_order + - name: enrichments.url.original level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: enrichments.file.elf.cpu_type + - name: enrichments.url.password level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel + description: Password of the request. default_field: false - - name: enrichments.file.elf.creation_date + - name: enrichments.url.path level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". default_field: false - - name: enrichments.file.elf.exports + - name: enrichments.url.port level: extended - type: flattened - description: List of exported element names and types. + type: long + format: string + description: Port of the request, such as 443. + example: 443 default_field: false - - name: enrichments.file.elf.header.abi_version + - name: enrichments.url.query level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' default_field: false - - name: enrichments.file.elf.header.class + - name: enrichments.url.registered_domain level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". 
+ + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: enrichments.file.elf.header.data + - name: enrichments.url.scheme level: extended type: keyword ignore_above: 1024 - description: Data table of the ELF header. - default_field: false - - name: enrichments.file.elf.header.entrypoint - level: extended - type: long - format: string - description: Header entrypoint of the ELF file. + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https default_field: false - - name: enrichments.file.elf.header.object_version + - name: enrichments.url.subdomain level: extended type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: enrichments.file.elf.header.os_abi + - name: enrichments.url.top_level_domain level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". 
+ + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: enrichments.file.elf.header.type + - name: enrichments.url.username level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: Username of the request. default_field: false - - name: enrichments.file.elf.header.version + - name: enrichments.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: enrichments.file.elf.imports + - name: enrichments.x509.issuer.common_name level: extended - type: flattened - description: List of imported element names and types. + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.file.elf.sections + - name: enrichments.x509.issuer.country level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US default_field: false - - name: enrichments.file.elf.sections.chi2 + - name: enrichments.x509.issuer.distinguished_name level: extended - type: long - format: number - description: Chi-square probability distribution of the section. 
+ type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA default_field: false - - name: enrichments.file.elf.sections.entropy + - name: enrichments.x509.issuer.locality level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View default_field: false - - name: enrichments.file.elf.sections.flags + - name: enrichments.x509.issuer.organization level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: List of organizations (O) of issuing certificate authority. + example: Example Inc default_field: false - - name: enrichments.file.elf.sections.name + - name: enrichments.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com default_field: false - - name: enrichments.file.elf.sections.physical_offset + - name: enrichments.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: enrichments.file.elf.sections.physical_size + - name: enrichments.x509.not_after level: extended - type: long - format: bytes - description: ELF Section List physical size. + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: enrichments.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. 
+ example: 2019-08-16 01:40:25+00:00 default_field: false - - name: enrichments.file.elf.sections.type + - name: enrichments.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: Algorithm used to generate the public key. + example: RSA default_field: false - - name: enrichments.file.elf.sections.virtual_address + - name: enrichments.x509.public_key_curve level: extended - type: long - format: string - description: ELF Section List virtual address. + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: enrichments.file.elf.sections.virtual_size + - name: enrichments.x509.public_key_exponent level: extended type: long - format: string - description: ELF Section List virtual size. + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false default_field: false - - name: enrichments.file.elf.segments + - name: enrichments.x509.public_key_size level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + type: long + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: enrichments.file.elf.segments.sections + - name: enrichments.x509.serial_number level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. 
+ example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: enrichments.file.elf.segments.type + - name: enrichments.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA default_field: false - - name: enrichments.file.elf.shared_libraries + - name: enrichments.x509.subject.common_name level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: enrichments.file.elf.telfhash + - name: enrichments.x509.subject.country level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + description: List of country (C) code + example: US default_field: false - - name: enrichments.file.extension + - name: enrichments.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: enrichments.file.gid + - name: enrichments.x509.subject.locality level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. 
- example: '1001' + description: List of locality names (L) + example: San Francisco default_field: false - - name: enrichments.file.group + - name: enrichments.x509.subject.organization level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: enrichments.file.inode + - name: enrichments.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' + description: List of organizational units (OU) of subject. default_field: false - - name: enrichments.file.mime_type + - name: enrichments.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: enrichments.file.mode + - name: enrichments.x509.version_number level: extended type: keyword ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' - default_field: false - - name: enrichments.file.mtime - level: extended - type: date - description: Last time the file content was modified. + description: Version of x509 format. + example: 3 default_field: false - - name: enrichments.file.name + - name: framework level: extended type: keyword ignore_above: 1024 - description: Name of the file including the extension, without the directory. 
- example: example.png - default_field: false - - name: enrichments.file.owner + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: group.alias level: extended type: keyword ignore_above: 1024 - description: File owner's username. - example: alice + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' default_field: false - - name: enrichments.file.path + - name: group.id level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png - default_field: false - - name: enrichments.file.size - level: extended - type: long - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 default_field: false - - name: enrichments.file.target_path + - name: group.name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Target path for symlinks. + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." 
+ example: FIN6 default_field: false - - name: enrichments.file.type + - name: group.reference level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ default_field: false - - name: enrichments.file.uid + - name: indicator.as.data.bytes level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.geo.city_name + - name: indicator.as.data.strings level: core type: keyword ignore_above: 1024 - description: City name. - example: Montreal + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.geo.continent_code + - name: indicator.as.data.type level: core type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. 
- example: NA + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: enrichments.geo.continent_name + - name: indicator.as.hive level: core type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: enrichments.geo.country_iso_code + - name: indicator.as.key level: core type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.geo.country_name + - name: indicator.as.path level: core type: keyword ignore_above: 1024 - description: Country name. - example: Canada + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: enrichments.geo.location + - name: indicator.as.value level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger default_field: false - - name: enrichments.geo.name + - name: indicator.confidence level: extended type: keyword ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. 
+ description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + default_field: false + - name: indicator.description + level: extended + type: keyword + ignore_above: 1024 + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + default_field: false + - name: indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: indicator.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. - Not typically used in automated geolocation.' - example: boston-dc + Note that not all filesystems keep track of access time.' default_field: false - - name: enrichments.geo.postal_code - level: core + - name: indicator.file.attributes + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. + description: 'Array of file attributes. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' default_field: false - - name: enrichments.geo.region_iso_code - level: core + - name: indicator.file.code_signature.signing_id + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: enrichments.geo.region_name - level: core + - name: indicator.file.code_signature.status + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.geo.timezone + - name: indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: Subject name of the code signer + example: Microsoft Corporation default_field: false - - name: enrichments.hash.md5 + - name: indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: MD5 hash. + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: enrichments.hash.sha1 + - name: indicator.file.code_signature.trusted level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. + type: boolean + description: 'Stores the trust status of the certificate chain. 
+ + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: enrichments.hash.sha256 + - name: indicator.file.code_signature.valid level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: enrichments.hash.sha512 + - name: indicator.file.created level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' default_field: false - - name: enrichments.hash.ssdeep + - name: indicator.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + default_field: false + - name: indicator.file.device level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: Device that is the source of the file. + example: sda default_field: false - - name: enrichments.matched.atomic + - name: indicator.file.directory level: extended type: keyword ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com + description: Directory where the file is located. It should include the drive + letter, when appropriate. 
+ example: /home/alice default_field: false - - name: enrichments.matched.field + - name: indicator.file.drive_letter level: extended type: keyword - ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: enrichments.matched.id + - name: indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: enrichments.matched.index + - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: enrichments.matched.type + - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule + description: CPU type of the ELF file. + example: Intel default_field: false - - name: enrichments.url.domain + - name: indicator.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. 
+ default_field: false + - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: enrichments.url.extension + - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: Header class of the ELF file. default_field: false - - name: enrichments.url.fragment + - name: indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' + description: Data table of the ELF header. default_field: false - - name: enrichments.url.full + - name: indicator.file.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. 
+ default_field: false + - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top + description: '"0x1" for original ELF files.' default_field: false - - name: enrichments.url.original + - name: indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: enrichments.url.password + - name: indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 - description: Password of the request. + description: Header type of the ELF file. default_field: false - - name: enrichments.url.path + - name: indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 - description: Path of the request, such as "/search". + description: Version of the ELF header. default_field: false - - name: enrichments.url.port + - name: indicator.file.elf.imports level: extended - type: long - format: string - description: Port of the request, such as 443. - example: 443 + type: flattened + description: List of imported element names and types. 
default_field: false - - name: enrichments.url.query + - name: indicator.file.elf.sections level: extended - type: keyword - ignore_above: 1024 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". + type: nested + description: 'An array containing an object for each section of the ELF file. - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - - name: enrichments.url.registered_domain + - name: indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + description: ELF Section List flags. default_field: false - - name: enrichments.url.scheme + - name: indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https + description: ELF Section List name. 
default_field: false - - name: enrichments.url.subdomain + - name: indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + description: ELF Section List offset. default_field: false - - name: enrichments.url.top_level_domain + - name: indicator.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + description: ELF Section List type. + default_field: false + - name: indicator.file.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: indicator.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. 
+ default_field: false + - name: indicator.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: enrichments.url.username + - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: Username of the request. + description: ELF object segment sections. default_field: false - - name: enrichments.x509.alternative_names + - name: indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' + description: ELF object segment type. default_field: false - - name: enrichments.x509.issuer.common_name + - name: indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA + description: List of shared libraries used by this ELF object. default_field: false - - name: enrichments.x509.issuer.country + - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: List of country (C) codes - example: US + description: telfhash symbol hash for ELF file. default_field: false - - name: enrichments.x509.issuer.distinguished_name + - name: indicator.file.extension level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA + description: 'File extension, excluding the leading dot. 
+ + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: enrichments.x509.issuer.locality + - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 - description: List of locality names (L) - example: Mountain View + description: Primary group ID (GID) of the file. + example: '1001' default_field: false - - name: enrichments.x509.issuer.organization + - name: indicator.file.group level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc + description: Primary group name of the file. + example: alice default_field: false - - name: enrichments.x509.issuer.organizational_unit + - name: indicator.file.inode level: extended type: keyword ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: enrichments.x509.issuer.state_or_province + - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. default_field: false - - name: enrichments.x509.not_after + - name: indicator.file.mode level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. 
+ example: '0640' default_field: false - - name: enrichments.x509.not_before + - name: indicator.file.mtime level: extended type: date - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 + description: Last time the file content was modified. default_field: false - - name: enrichments.x509.public_key_algorithm + - name: indicator.file.name level: extended type: keyword ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA + description: Name of the file including the extension, without the directory. + example: example.png default_field: false - - name: enrichments.x509.public_key_curve + - name: indicator.file.owner level: extended type: keyword ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 + description: File owner's username. + example: alice default_field: false - - name: enrichments.x509.public_key_exponent + - name: indicator.file.path level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - index: false - doc_values: false + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png default_field: false - - name: enrichments.x509.public_key_size + - name: indicator.file.size level: extended type: long - description: The size of the public key space in bits. - example: 2048 + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: enrichments.x509.serial_number + - name: indicator.file.target_path level: extended type: keyword ignore_above: 1024 - description: Unique serial number issued by the certificate authority. 
For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. default_field: false - - name: enrichments.x509.signature_algorithm + - name: indicator.file.type level: extended type: keyword ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA + description: File type (file, dir, or symlink). + example: file default_field: false - - name: enrichments.x509.subject.common_name + - name: indicator.file.uid level: extended type: keyword ignore_above: 1024 - description: List of common names (CN) of subject. - example: shared.global.example.net + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' default_field: false - - name: enrichments.x509.subject.country + - name: indicator.first_seen level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core type: keyword ignore_above: 1024 - description: List of country (C) code - example: US + description: City name. + example: Montreal default_field: false - - name: enrichments.x509.subject.distinguished_name - level: extended + - name: indicator.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + description: Two-letter code representing continent's name. 
+ example: NA default_field: false - - name: enrichments.x509.subject.locality - level: extended + - name: indicator.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: List of locality names (L) - example: San Francisco + description: Name of the continent. + example: North America default_field: false - - name: enrichments.x509.subject.organization - level: extended + - name: indicator.geo.country_iso_code + level: core type: keyword ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. + description: Country ISO code. + example: CA default_field: false - - name: enrichments.x509.subject.organizational_unit - level: extended + - name: indicator.geo.country_name + level: core type: keyword ignore_above: 1024 - description: List of organizational units (OU) of subject. + description: Country name. + example: Canada default_field: false - - name: enrichments.x509.subject.state_or_province + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc default_field: false - - name: enrichments.x509.version_number - level: extended + - name: indicator.geo.postal_code + level: core type: keyword ignore_above: 1024 - description: Version of x509 format. - example: 3 + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 default_field: false - - name: framework - level: extended + - name: indicator.geo.region_iso_code + level: core type: keyword ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias - level: extended + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core type: keyword ignore_above: 1024 - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' + description: Region name. + example: Quebec default_field: false - - name: group.id - level: extended + - name: indicator.geo.timezone + level: core type: keyword ignore_above: 1024 - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: group.name + - name: indicator.hash.md5 level: extended type: keyword ignore_above: 1024 - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 + description: MD5 hash. 
default_field: false - - name: group.reference + - name: indicator.hash.sha1 level: extended type: keyword ignore_above: 1024 - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ + description: SHA1 hash. default_field: false - - name: indicator.confidence + - name: indicator.hash.sha256 level: extended type: keyword ignore_above: 1024 - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High + description: SHA256 hash. default_field: false - - name: indicator.description + - name: indicator.hash.sha512 level: extended type: keyword ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. + description: SHA512 hash. default_field: false - - name: indicator.email.address + - name: indicator.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - default_field: false - - name: indicator.first_seen - level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + description: SSDEEP hash. default_field: false - name: indicator.ip level: extended 
@@ -7200,6 +7082,20 @@
 direction).
 example: 443
 default_field: false
+ - name: indicator.provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The name of the indicator's provider.
+ example: lrz_urlhaus
+ default_field: false
+ - name: indicator.reference
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Reference URL linking to additional information about this indicator.
+ example: https://system.example.com/indicator/0001234
+ default_field: false
 - name: indicator.scanner_stats
 level: extended
 type: long
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index d6cde32c00..af1f686771 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -667,110 +667,28 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 2.0.0-dev,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. -2.0.0-dev,true,threat,threat.enrichments.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev,true,threat,threat.enrichments.as.organization.name,keyword,extended,,Google LLC,Organization name. -2.0.0-dev,true,threat,threat.enrichments.as.organization.name.text,text,extended,,Google LLC,Organization name. -2.0.0-dev,true,threat,threat.enrichments.event.action,keyword,core,,user-password-change,The action captured by the event. -2.0.0-dev,true,threat,threat.enrichments.event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -2.0.0-dev,true,threat,threat.enrichments.event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -2.0.0-dev,true,threat,threat.enrichments.event.code,keyword,extended,,4648,Identification code for this event. -2.0.0-dev,true,threat,threat.enrichments.event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -2.0.0-dev,true,threat,threat.enrichments.event.dataset,keyword,core,,apache.access,Name of the dataset. -2.0.0-dev,true,threat,threat.enrichments.event.duration,long,core,,,Duration of the event in nanoseconds. -2.0.0-dev,true,threat,threat.enrichments.event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
-2.0.0-dev,true,threat,threat.enrichments.event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -2.0.0-dev,true,threat,threat.enrichments.event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -2.0.0-dev,true,threat,threat.enrichments.event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -2.0.0-dev,true,threat,threat.enrichments.event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -2.0.0-dev,true,threat,threat.enrichments.event.module,keyword,core,,apache,Name of the module this data is coming from. -2.0.0-dev,false,threat,threat.enrichments.event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -2.0.0-dev,true,threat,threat.enrichments.event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -2.0.0-dev,true,threat,threat.enrichments.event.provider,keyword,extended,,kernel,Source of the event. -2.0.0-dev,true,threat,threat.enrichments.event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -2.0.0-dev,true,threat,threat.enrichments.event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -2.0.0-dev,true,threat,threat.enrichments.event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -2.0.0-dev,true,threat,threat.enrichments.event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -2.0.0-dev,true,threat,threat.enrichments.event.sequence,long,extended,,,Sequence number of the event. 
-2.0.0-dev,true,threat,threat.enrichments.event.severity,long,core,,7,Numeric severity of the event. -2.0.0-dev,true,threat,threat.enrichments.event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -2.0.0-dev,true,threat,threat.enrichments.event.timezone,keyword,extended,,,Event time zone. -2.0.0-dev,true,threat,threat.enrichments.event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -2.0.0-dev,true,threat,threat.enrichments.event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -2.0.0-dev,true,threat,threat.enrichments.file.accessed,date,extended,,,Last time the file was accessed. -2.0.0-dev,true,threat,threat.enrichments.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -2.0.0-dev,true,threat,threat.enrichments.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev,true,threat,threat.enrichments.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -2.0.0-dev,true,threat,threat.enrichments.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -2.0.0-dev,true,threat,threat.enrichments.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev,true,threat,threat.enrichments.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -2.0.0-dev,true,threat,threat.enrichments.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev,true,threat,threat.enrichments.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-2.0.0-dev,true,threat,threat.enrichments.file.created,date,extended,,,File creation time. -2.0.0-dev,true,threat,threat.enrichments.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -2.0.0-dev,true,threat,threat.enrichments.file.device,keyword,extended,,sda,Device that is the source of the file. -2.0.0-dev,true,threat,threat.enrichments.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -2.0.0-dev,true,threat,threat.enrichments.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev,true,threat,threat.enrichments.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -2.0.0-dev,true,threat,threat.enrichments.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -2.0.0-dev,true,threat,threat.enrichments.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -2.0.0-dev,true,threat,threat.enrichments.file.elf.creation_date,date,extended,,,Build or compile date. -2.0.0-dev,true,threat,threat.enrichments.file.elf.exports,flattened,extended,array,,List of exported element names and types. -2.0.0-dev,true,threat,threat.enrichments.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -2.0.0-dev,true,threat,threat.enrichments.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -2.0.0-dev,true,threat,threat.enrichments.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -2.0.0-dev,true,threat,threat.enrichments.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -2.0.0-dev,true,threat,threat.enrichments.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -2.0.0-dev,true,threat,threat.enrichments.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
-2.0.0-dev,true,threat,threat.enrichments.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -2.0.0-dev,true,threat,threat.enrichments.file.elf.header.version,keyword,extended,,,Version of the ELF header. -2.0.0-dev,true,threat,threat.enrichments.file.elf.imports,flattened,extended,array,,List of imported element names and types. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections,nested,extended,array,,Section information of the ELF file. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.name,keyword,extended,,,ELF Section List name. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.type,keyword,extended,,,ELF Section List type. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -2.0.0-dev,true,threat,threat.enrichments.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -2.0.0-dev,true,threat,threat.enrichments.file.elf.segments,nested,extended,array,,ELF object segment list. -2.0.0-dev,true,threat,threat.enrichments.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -2.0.0-dev,true,threat,threat.enrichments.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
-2.0.0-dev,true,threat,threat.enrichments.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -2.0.0-dev,true,threat,threat.enrichments.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -2.0.0-dev,true,threat,threat.enrichments.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -2.0.0-dev,true,threat,threat.enrichments.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -2.0.0-dev,true,threat,threat.enrichments.file.group,keyword,extended,,alice,Primary group name of the file. -2.0.0-dev,true,threat,threat.enrichments.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -2.0.0-dev,true,threat,threat.enrichments.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -2.0.0-dev,true,threat,threat.enrichments.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -2.0.0-dev,true,threat,threat.enrichments.file.mtime,date,extended,,,Last time the file content was modified. -2.0.0-dev,true,threat,threat.enrichments.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -2.0.0-dev,true,threat,threat.enrichments.file.owner,keyword,extended,,alice,File owner's username. -2.0.0-dev,true,threat,threat.enrichments.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev,true,threat,threat.enrichments.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev,true,threat,threat.enrichments.file.size,long,extended,,16384,File size in bytes. -2.0.0-dev,true,threat,threat.enrichments.file.target_path,keyword,extended,,,Target path for symlinks. -2.0.0-dev,true,threat,threat.enrichments.file.target_path.text,text,extended,,,Target path for symlinks. 
-2.0.0-dev,true,threat,threat.enrichments.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
-2.0.0-dev,true,threat,threat.enrichments.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
-2.0.0-dev,true,threat,threat.enrichments.geo.city_name,keyword,core,,Montreal,City name.
-2.0.0-dev,true,threat,threat.enrichments.geo.continent_code,keyword,core,,NA,Continent code.
-2.0.0-dev,true,threat,threat.enrichments.geo.continent_name,keyword,core,,North America,Name of the continent.
-2.0.0-dev,true,threat,threat.enrichments.geo.country_iso_code,keyword,core,,CA,Country ISO code.
-2.0.0-dev,true,threat,threat.enrichments.geo.country_name,keyword,core,,Canada,Country name.
-2.0.0-dev,true,threat,threat.enrichments.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
-2.0.0-dev,true,threat,threat.enrichments.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
-2.0.0-dev,true,threat,threat.enrichments.geo.postal_code,keyword,core,,94040,Postal code.
-2.0.0-dev,true,threat,threat.enrichments.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
-2.0.0-dev,true,threat,threat.enrichments.geo.region_name,keyword,core,,Quebec,Region name.
-2.0.0-dev,true,threat,threat.enrichments.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
-2.0.0-dev,true,threat,threat.enrichments.hash.md5,keyword,extended,,,MD5 hash.
-2.0.0-dev,true,threat,threat.enrichments.hash.sha1,keyword,extended,,,SHA1 hash.
-2.0.0-dev,true,threat,threat.enrichments.hash.sha256,keyword,extended,,,SHA256 hash.
-2.0.0-dev,true,threat,threat.enrichments.hash.sha512,keyword,extended,,,SHA512 hash.
-2.0.0-dev,true,threat,threat.enrichments.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+2.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Indicators
+2.0.0-dev,true,threat,threat.enrichments.indicator.as.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+2.0.0-dev,true,threat,threat.enrichments.indicator.as.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+2.0.0-dev,true,threat,threat.enrichments.indicator.as.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+2.0.0-dev,true,threat,threat.enrichments.indicator.as.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+2.0.0-dev,true,threat,threat.enrichments.indicator.as.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+2.0.0-dev,true,threat,threat.enrichments.indicator.as.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+2.0.0-dev,true,threat,threat.enrichments.indicator.as.value,keyword,core,,Debugger,Name of the value written.
+2.0.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,High,Indicator confidence rating
+2.0.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
+2.0.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+2.0.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+2.0.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
+2.0.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
+2.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
+2.0.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
+2.0.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
+2.0.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
+2.0.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
+2.0.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics
+2.0.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed
+2.0.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
 2.0.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value
 2.0.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field
 2.0.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier
@@ -821,15 +739,99 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 2.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group.
 2.0.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group.
 2.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group.
+2.0.0-dev,true,threat,threat.indicator.as.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+2.0.0-dev,true,threat,threat.indicator.as.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+2.0.0-dev,true,threat,threat.indicator.as.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+2.0.0-dev,true,threat,threat.indicator.as.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+2.0.0-dev,true,threat,threat.indicator.as.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+2.0.0-dev,true,threat,threat.indicator.as.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+2.0.0-dev,true,threat,threat.indicator.as.value,keyword,core,,Debugger,Name of the value written.
 2.0.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating
 2.0.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
 2.0.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+2.0.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+2.0.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+2.0.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+2.0.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+2.0.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+2.0.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+2.0.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+2.0.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+2.0.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+2.0.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
+2.0.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+2.0.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+2.0.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located.
+2.0.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+2.0.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+2.0.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+2.0.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+2.0.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
+2.0.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
+2.0.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+2.0.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+2.0.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+2.0.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+2.0.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+2.0.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+2.0.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+2.0.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
+2.0.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+2.0.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+2.0.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
+2.0.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+2.0.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
+2.0.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+2.0.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+2.0.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+2.0.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+2.0.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+2.0.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+2.0.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+2.0.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+2.0.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+2.0.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+2.0.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
+2.0.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+2.0.0-dev,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+2.0.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
+2.0.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks.
+2.0.0-dev,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks.
+2.0.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+2.0.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
 2.0.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+2.0.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
+2.0.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+2.0.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+2.0.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+2.0.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
+2.0.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+2.0.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+2.0.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+2.0.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+2.0.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+2.0.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+2.0.0-dev,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash.
+2.0.0-dev,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
+2.0.0-dev,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
+2.0.0-dev,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
+2.0.0-dev,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 2.0.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 2.0.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
 2.0.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking
 2.0.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
 2.0.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port
+2.0.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
+2.0.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
 2.0.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
 2.0.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
 2.0.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 963cc21c9d..64da234148 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -2294,8 +2294,8 @@ event.module:
 type: keyword
 event.original:
 dashed_name: event-original
- description: 'Raw text message of entire event. Used to demonstrate log integrity or
- where the full log message (before splitting it up in multiple parts) may be
+ description: 'Raw text message of entire event. Used to demonstrate log integrity
+ or where the full log message (before splitting it up in multiple parts) may be
 required, e.g. for reindex.
 
 This field is not indexed and doc_values are disabled. It cannot be searched,
@@ -8541,2457 +8541,1995 @@ threat.enrichments:
 normalize: []
 short: List of indicators enriching the event.
 type: nested
-threat.enrichments.as.number:
- dashed_name: threat-enrichments-as-number
- description: Unique number allocated to the autonomous system. The autonomous system
- number (ASN) uniquely identifies each network on the Internet.
- example: 15169
- flat_name: threat.enrichments.as.number
- level: extended
- name: number
- normalize: []
- original_fieldset: as
- short: Unique number allocated to the autonomous system.
- type: long
-threat.enrichments.as.organization.name:
- dashed_name: threat-enrichments-as-organization-name
- description: Organization name.
- example: Google LLC
- flat_name: threat.enrichments.as.organization.name
- ignore_above: 1024
- level: extended
- multi_fields:
- - flat_name: threat.enrichments.as.organization.name.text
- name: text
- norms: false
- type: text
- name: organization.name
- normalize: []
- original_fieldset: as
- short: Organization name.
- type: keyword
-threat.enrichments.event.action:
- dashed_name: threat-enrichments-event-action
- description: 'The action captured by the event.
-
- This describes the information in the event. It is more specific than `event.category`.
- Examples are `group-add`, `process-started`, `file-created`. The value is normally
- defined by the implementer.'
- example: user-password-change
- flat_name: threat.enrichments.event.action
- ignore_above: 1024
- level: core
- name: action
- normalize: []
- original_fieldset: event
- short: The action captured by the event.
- type: keyword
-threat.enrichments.event.agent_id_status:
- dashed_name: threat-enrichments-event-agent-id-status
- description: 'Agents are normally responsible for populating the `agent.id` field
- value. If the system receiving events is capable of validating the value based
- on authentication information for the client then this field can be used to reflect
- the outcome of that validation.
- - For example if the agent''s connection is authenticated with mTLS and the client - cert contains the ID of the agent to which the cert was issued then the `agent.id` - value in events can be checked against the certificate. If the values match then - `event.agent_id_status: verified` is added to the event, otherwise one of the - other allowed values should be used. - - If no validation is performed then the field should be omitted. - - The allowed values are: - - `verified` - The `agent.id` field value matches expected value obtained from auth - metadata. - - `mismatch` - The `agent.id` field value does not match the expected value obtained - from auth metadata. - - `missing` - There was no `agent.id` field in the event to validate. - - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - flat_name: threat.enrichments.event.agent_id_status - ignore_above: 1024 - level: extended - name: agent_id_status - normalize: [] - original_fieldset: event - short: Validation status of the event's agent.id field. - type: keyword -threat.enrichments.event.category: - allowed_values: - - description: Events in this category are related to the challenge and response - process in which credentials are supplied and verified to allow the creation - of a session. Common sources for these logs are Windows event logs and ssh logs. - Visualize and analyze events in this category to look for failed logins, and - other authentication-related activity. - expected_event_types: - - start - - end - - info - name: authentication - - description: 'Events in the configuration category have to deal with creating, - modifying, or deleting the settings or parameters of an application, process, - or system. - - Example sources include security policy change logs, configuration auditing - logging, and system integrity monitoring.' 
- expected_event_types: - - access - - change - - creation - - deletion - - info - name: configuration - - description: The database category denotes events and metrics relating to a data - storage and retrieval system. Note that use of this category is not limited - to relational database systems. Examples include event logs from MS SQL, MySQL, - Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database - activity such as accesses and changes. - expected_event_types: - - access - - change - - info - - error - name: database - - description: 'Events in the driver category have to do with operating system device - drivers and similar software entities such as Windows drivers, kernel extensions, - kernel modules, etc. - - Use events and metrics in this category to visualize and analyze driver-related - activity and status on hosts.' - expected_event_types: - - change - - end - - info - - start - name: driver - - description: Relating to a set of information that has been created on, or has - existed on a filesystem. Use this category of events to visualize and analyze - the creation, access, and deletions of files. Events in this category can come - from both host-based and network-based sources. An example source of a network-based - detection of a file transfer would be the Zeek file.log. - expected_event_types: - - change - - creation - - deletion - - info - name: file - - description: 'Use this category to visualize and analyze information such as host - inventory or host lifecycle events. - - Most of the events in this category can usually be observed from the outside, - such as from a hypervisor or a control plane''s point of view. Some can also - be seen from within, such as "start" or "end". - - Note that this category is for information about hosts themselves; it is not - meant to capture activity "happening on a host".' 
- expected_event_types: - - access - - change - - end - - info - - start - name: host - - description: Identity and access management (IAM) events relating to users, groups, - and administration. Use this category to visualize and analyze IAM-related logs - and data from active directory, LDAP, Okta, Duo, and other IAM systems. - expected_event_types: - - admin - - change - - creation - - deletion - - group - - info - - user - name: iam - - description: Relating to intrusion detections from IDS/IPS systems and functions, - both network and host-based. Use this category to visualize and analyze intrusion - detection alerts from systems such as Snort, Suricata, and Palo Alto threat - detections. - expected_event_types: - - allowed - - denied - - info - name: intrusion_detection - - description: Malware detection events and alerts. Use this category to visualize - and analyze malware detections from EDR/EPP systems such as Elastic Endpoint - Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems - such as Suricata, or other sources of malware-related events such as Palo Alto - Networks threat logs and Wildfire logs. - expected_event_types: - - info - name: malware - - description: Relating to all network activity, including network connection lifecycle, - network traffic, and essentially any event that includes an IP address. Many - events containing decoded network protocol transactions fit into this category. - Use events in this category to visualize or analyze counts of network ports, - protocols, addresses, geolocation information, etc. - expected_event_types: - - access - - allowed - - connection - - denied - - end - - info - - protocol - - start - name: network - - description: Relating to software packages installed on hosts. Use this category - to visualize and analyze inventory of software installed on various hosts, or - to determine host vulnerability in the absence of vulnerability scan data. 
- expected_event_types: - - access - - change - - deletion - - info - - installation - - start - name: package - - description: Use this category of events to visualize and analyze process-specific - information such as lifecycle events or process ancestry. - expected_event_types: - - access - - change - - end - - info - - start - name: process - - description: Having to do with settings and assets stored in the Windows registry. - Use this category to visualize and analyze activity such as registry access - and modifications. - expected_event_types: - - access - - change - - creation - - deletion - name: registry - - description: The session category is applied to events and metrics regarding logical - persistent connections to hosts and services. Use this category to visualize - and analyze interactive or automated persistent connections between assets. - Data for this category may come from Windows Event logs, SSH logs, or stateless - sessions such as HTTP cookie-based sessions, etc. - expected_event_types: - - start - - end - - info - name: session - - description: 'Relating to web server access. Use this category to create a dashboard - of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: - events from network observers such as Zeek http log may also be included in - this category.' - expected_event_types: - - access - - error - - info - name: web - dashed_name: threat-enrichments-event-category - description: 'This is one of four ECS Categorization Fields, and indicates the second - level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process activity. - This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that - fall in multiple categories.' 
- example: authentication - flat_name: threat.enrichments.event.category - ignore_above: 1024 - level: core - name: category - normalize: - - array - original_fieldset: event - short: Event category. The second categorization field in the hierarchy. - type: keyword -threat.enrichments.event.code: - dashed_name: threat-enrichments-event-code - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is the - Windows Event ID.' - example: 4648 - flat_name: threat.enrichments.event.code - ignore_above: 1024 - level: extended - name: code - normalize: [] - original_fieldset: event - short: Identification code for this event. - type: keyword -threat.enrichments.event.created: - dashed_name: threat-enrichments-event-created - description: 'event.created contains the date/time when the event was first read - by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain the - time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, and - the time when your agent first processed it. This can be used to monitor your - agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' - flat_name: threat.enrichments.event.created - level: core - name: created - normalize: [] - original_fieldset: event - short: Time when the event was first read by an agent or by your pipeline. - type: date -threat.enrichments.event.dataset: - dashed_name: threat-enrichments-event-dataset - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. 
access - log, error log), the dataset is used to specify which one the event comes from. - - It''s recommended but not required to start the dataset name with the module name, - followed by a dot, then the dataset name.' - example: apache.access - flat_name: threat.enrichments.event.dataset - ignore_above: 1024 - level: core - name: dataset - normalize: [] - original_fieldset: event - short: Name of the dataset. - type: keyword -threat.enrichments.event.duration: - dashed_name: threat-enrichments-event-duration - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference between - the end and start time.' - flat_name: threat.enrichments.event.duration - format: duration - input_format: nanoseconds - level: core - name: duration - normalize: [] - original_fieldset: event - output_format: asMilliseconds - output_precision: 1 - short: Duration of the event in nanoseconds. - type: long -threat.enrichments.event.end: - dashed_name: threat-enrichments-event-end - description: event.end contains the date when the event ended or when the activity - was last observed. - flat_name: threat.enrichments.event.end +threat.enrichments.indicator: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator + description: Indicators + flat_name: threat.enrichments.indicator level: extended - name: end + name: enrichments.indicator normalize: [] - original_fieldset: event - short: event.end contains the date when the event ended or when the activity was - last observed. - type: date -threat.enrichments.event.hash: - dashed_name: threat-enrichments-event-hash - description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. 
- example: 123456789012345678901234567890ABCD - flat_name: threat.enrichments.event.hash + short: Indicators + type: object +threat.enrichments.indicator.as.data.bytes: + dashed_name: threat-enrichments-indicator-as-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.as.data.bytes ignore_above: 1024 level: extended - name: hash + name: data.bytes normalize: [] - original_fieldset: event - short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword -threat.enrichments.event.id: - dashed_name: threat-enrichments-event-id - description: Unique ID to describe the event. - example: 8a4f500d - flat_name: threat.enrichments.event.id +threat.enrichments.indicator.as.data.strings: + dashed_name: threat-enrichments-indicator-as-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.as.data.strings ignore_above: 1024 level: core - name: id - normalize: [] - original_fieldset: event - short: Unique ID to describe the event. 
+ name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. type: keyword -threat.enrichments.event.ingested: - dashed_name: threat-enrichments-event-ingested - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' - flat_name: threat.enrichments.event.ingested +threat.enrichments.indicator.as.data.type: + dashed_name: threat-enrichments-indicator-as-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.as.data.type + ignore_above: 1024 level: core - name: ingested + name: data.type normalize: [] - original_fieldset: event - short: Timestamp when an event arrived in the central data store. - type: date -threat.enrichments.event.kind: - allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. - - `event.kind:alert` is often populated for events coming from firewalls, intrusion - detection systems, endpoint detection and response systems, and so on.' - name: alert - - description: This value is the most general and most common value for this field. - It is used to represent events that indicate that something happened. - name: event - - description: 'This value is used to indicate that this event describes a numeric - measurement taken at given point in time. - - Examples include CPU utilization, memory usage, or device temperature. 
- - Metric events are often collected on a predictable frequency, such as once every - few seconds, or once a minute, but can also be used to describe ad-hoc numeric - metric queries.' - name: metric - - description: 'The state value is similar to metric, indicating that this event - describes a measurement taken at given point in time, except that the measurement - does not result in a numeric value, but rather one of a fixed set of categorical - values that represent conditions or states. - - Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), - the state of a TCP connection (open, closed, fin_wait, etc.), the state of a - host with respect to a software vulnerability (vulnerable, not vulnerable), - and the state of a system regarding compliance with a regulatory standard (compliant, - not compliant). - - Note that an event that describes a change of state would not use `event.kind:state`, - but instead would use ''event.kind:event'' since a state change fits the more - general event definition of something that happened. - - State events are often collected on a predictable frequency, such as once every - few seconds, once a minute, once an hour, or once a day, but can also be used - to describe ad-hoc state queries.' - name: state - - description: This value indicates that an error occurred during the ingestion - of this event, and that event data may be missing, inconsistent, or incorrect. - `event.kind:pipeline_error` is often associated with parsing errors. - name: pipeline_error - - description: 'This value is used by the Elastic Security app to denote an Elasticsearch - document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful happened - and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' 
- name: signal - dashed_name: threat-enrichments-event-kind - description: 'This is one of four ECS Categorization Fields, and indicates the highest - level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the event - contains, without being specific to the contents of the event. For example, values - of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, it - may also help understand whether the data coming in at a regular interval or not.' - example: alert - flat_name: threat.enrichments.event.kind + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.enrichments.indicator.as.hive: + dashed_name: threat-enrichments-indicator-as-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.as.hive ignore_above: 1024 level: core - name: kind + name: hive normalize: [] - original_fieldset: event - short: The kind of the event. The highest categorization field in the hierarchy. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword -threat.enrichments.event.module: - dashed_name: threat-enrichments-event-module - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain the - name of this module.' - example: apache - flat_name: threat.enrichments.event.module +threat.enrichments.indicator.as.key: + dashed_name: threat-enrichments-indicator-as-key + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.as.key ignore_above: 1024 level: core - name: module + name: key normalize: [] - original_fieldset: event - short: Name of the module this data is coming from. + original_fieldset: registry + short: Hive-relative path of keys. type: keyword -threat.enrichments.event.original: - dashed_name: threat-enrichments-event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may be - required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and index - this field, please see `Field data types` in the `Elasticsearch Reference`.' - doc_values: false - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - flat_name: threat.enrichments.event.original - index: false +threat.enrichments.indicator.as.path: + dashed_name: threat-enrichments-indicator-as-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.as.path + ignore_above: 1024 level: core - name: original + name: path normalize: [] - original_fieldset: event - short: Raw text message of entire event. + original_fieldset: registry + short: Full path, including hive, key and value type: keyword -threat.enrichments.event.outcome: - allowed_values: - - description: Indicates that this event describes a failed result. A common example - is `event.category:file AND event.type:access AND event.outcome:failure` to - indicate that a file access was attempted, but was not successful. 
- name: failure - - description: Indicates that this event describes a successful result. A common - example is `event.category:file AND event.type:create AND event.outcome:success` - to indicate that a file was successfully created. - name: success - - description: Indicates that this event describes only an attempt for which the - result is unknown from the perspective of the event producer. For example, if - the event contains information only about the request side of a transaction - that results in a response, populating `event.outcome:unknown` in the request - event is appropriate. The unknown value should not be used when an outcome doesn't - make logical sense for the event. In such cases `event.outcome` should not be - populated. - name: unknown - dashed_name: threat-enrichments-event-outcome - description: 'This is one of four ECS Categorization Fields, and indicates the lowest - level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a failure - from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each event - may populate different values of `event.outcome`, according to their perspective. - - Also note that in the case of a compound event (a single event that contains multiple - logical events), this field should be populated with the value that best captures - the overall success or failure from the perspective of the event producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success - flat_name: threat.enrichments.event.outcome +threat.enrichments.indicator.as.value: + dashed_name: threat-enrichments-indicator-as-value + description: Name of the value written. 
+ example: Debugger + flat_name: threat.enrichments.indicator.as.value ignore_above: 1024 level: core - name: outcome + name: value normalize: [] - original_fieldset: event - short: The outcome of the event. The lowest level categorization field in the hierarchy. + original_fieldset: registry + short: Name of the value written. type: keyword -threat.enrichments.event.provider: - dashed_name: threat-enrichments-event-provider - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention the - source of an event. It can be the name of the software that generated the event - (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - flat_name: threat.enrichments.event.provider +threat.enrichments.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n \ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.enrichments.indicator.confidence ignore_above: 1024 level: extended - name: provider + name: enrichments.indicator.confidence normalize: [] - original_fieldset: event - short: Source of the event. + short: Indicator confidence rating type: keyword -threat.enrichments.event.reason: - dashed_name: threat-enrichments-event-reason - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. 
For example, a web proxy with an `event.action` which - denied the request may also populate `event.reason` with the reason why (e.g. - `blocked site`).' - example: Terminated an unexpected process - flat_name: threat.enrichments.event.reason +threat.enrichments.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.enrichments.indicator.description ignore_above: 1024 level: extended - name: reason + name: enrichments.indicator.description normalize: [] - original_fieldset: event - short: Reason why this event happened, according to the source + short: Indicator description type: keyword -threat.enrichments.event.reference: - dashed_name: threat-enrichments-event-reference - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated by - `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - flat_name: threat.enrichments.event.reference +threat.enrichments.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.enrichments.indicator.email.address ignore_above: 1024 level: extended - name: reference + name: enrichments.indicator.email.address normalize: [] - original_fieldset: event - short: Event reference URL + short: Indicator email address type: keyword -threat.enrichments.event.risk_score: - dashed_name: threat-enrichments-event-risk-score - description: Risk score or priority of the event (e.g. security solutions). Use - your system's original value here. 
- flat_name: threat.enrichments.event.risk_score - level: core - name: risk_score - normalize: [] - original_fieldset: event - short: Risk score or priority of the event (e.g. security solutions). Use your system's - original value here. - type: float -threat.enrichments.event.risk_score_norm: - dashed_name: threat-enrichments-event-risk-score-norm - description: 'Normalized risk score or priority of the event, on a scale of 0 to - 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - flat_name: threat.enrichments.event.risk_score_norm - level: extended - name: risk_score_norm - normalize: [] - original_fieldset: event - short: Normalized risk score or priority of the event (0-100). - type: float -threat.enrichments.event.sequence: - dashed_name: threat-enrichments-event-sequence - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the exact - ordering of events unambiguous, regardless of the timestamp precision.' - flat_name: threat.enrichments.event.sequence - format: string +threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen level: extended - name: sequence + name: enrichments.indicator.first_seen normalize: [] - original_fieldset: event - short: Sequence number of the event. - type: long -threat.enrichments.event.severity: - dashed_name: threat-enrichments-event-severity - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and use - cases. 
It''s up to the implementer to make sure severities are consistent across - events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is - meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 - flat_name: threat.enrichments.event.severity - format: string - level: core - name: severity + short: Date/time indicator was first reported. + type: date +threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip normalize: [] - original_fieldset: event - short: Numeric severity of the event. - type: long -threat.enrichments.event.start: - dashed_name: threat-enrichments-event-start - description: event.start contains the date when the event started or when the activity - was first observed. - flat_name: threat.enrichments.event.start + short: Indicator IP address + type: ip +threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen level: extended - name: start + name: enrichments.indicator.last_seen normalize: [] - original_fieldset: event - short: event.start contains the date when the event started or when the activity - was first observed. + short: Date/time indicator was last reported. 
type: date -threat.enrichments.event.timezone: - dashed_name: threat-enrichments-event-timezone - description: 'This field should be populated when the event''s timestamp does not - include timezone information already (e.g. default Syslog timestamps). It''s optional - otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated - (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - flat_name: threat.enrichments.event.timezone +threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 level: extended - name: timezone + name: enrichments.indicator.marking.tlp normalize: [] - original_fieldset: event - short: Event time zone. + short: Indicator TLP marking type: keyword -threat.enrichments.event.type: - allowed_values: - - description: The access event type is used for the subset of events within a category - that indicate that something was accessed. Common examples include `event.category:database - AND event.type:access`, or `event.category:file AND event.type:access`. Note - for file access, both directory listings and file opens should be included in - this subcategory. You can further distinguish access operations using the ECS - `event.action` field. - name: access - - description: 'The admin event type is used for the subset of events within a category - that are related to admin objects. For example, administrative changes within - an IAM framework that do not specifically affect a user or group (e.g., adding - new applications to a federation solution or connecting discrete forests in - Active Directory) would fall into this subcategory. 
Common example: `event.category:iam - AND event.type:change AND event.type:admin`. You can further distinguish admin - operations using the ECS `event.action` field.' - name: admin - - description: The allowed event type is used for the subset of events within a - category that indicate that something was allowed. Common examples include `event.category:network - AND event.type:connection AND event.type:allowed` (to indicate a network firewall - event for which the firewall disposition was to allow the connection to complete) - and `event.category:intrusion_detection AND event.type:allowed` (to indicate - a network intrusion prevention system event for which the IPS disposition was - to allow the connection to complete). You can further distinguish allowed operations - using the ECS `event.action` field, populating with values of your choosing, - such as "allow", "detect", or "pass". - name: allowed - - description: The change event type is used for the subset of events within a category - that indicate that something has changed. If semantics best describe an event - as modified, then include them in this subcategory. Common examples include - `event.category:process AND event.type:change`, and `event.category:file AND - event.type:change`. You can further distinguish change operations using the - ECS `event.action` field. - name: change - - description: Used primarily with `event.category:network` this value is used for - the subset of network traffic that includes sufficient information for the event - to be included in flow or connection analysis. Events in this subcategory will - contain at least source and destination IP addresses, source and destination - TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. - Events in this subcategory may contain unidirectional or bidirectional information, - including summary information. Use this subcategory to visualize and analyze - network connections. 
Flow analysis, including Netflow, IPFIX, and other flow-related - events fit in this subcategory. Note that firewall events from many Next-Generation - Firewall (NGFW) devices will also fit into this subcategory. A common filter - for flow/connection information would be `event.category:network AND event.type:connection - AND event.type:end` (to view or analyze all completed network connections, ignoring - mid-flow reports). You can further distinguish connection events using the ECS - `event.action` field, populating with values of your choosing, such as "timeout", - or "reset". - name: connection - - description: The "creation" event type is used for the subset of events within - a category that indicate that something was created. A common example is `event.category:file - AND event.type:creation`. - name: creation - - description: The deletion event type is used for the subset of events within a - category that indicate that something was deleted. A common example is `event.category:file - AND event.type:deletion` to indicate that a file has been deleted. - name: deletion - - description: The denied event type is used for the subset of events within a category - that indicate that something was denied. Common examples include `event.category:network - AND event.type:denied` (to indicate a network firewall event for which the firewall - disposition was to deny the connection) and `event.category:intrusion_detection - AND event.type:denied` (to indicate a network intrusion prevention system event - for which the IPS disposition was to deny the connection to complete). You can - further distinguish denied operations using the ECS `event.action` field, populating - with values of your choosing, such as "blocked", "dropped", or "quarantined". - name: denied - - description: The end event type is used for the subset of events within a category - that indicate something has ended. A common example is `event.category:process - AND event.type:end`. 
- name: end - - description: The error event type is used for the subset of events within a category - that indicate or describe an error. A common example is `event.category:database - AND event.type:error`. Note that pipeline errors that occur during the event - ingestion process should not use this `event.type` value. Instead, they should - use `event.kind:pipeline_error`. - name: error - - description: 'The group event type is used for the subset of events within a category - that are related to group objects. Common example: `event.category:iam AND event.type:creation - AND event.type:group`. You can further distinguish group operations using the - ECS `event.action` field.' - name: group - - description: The info event type is used for the subset of events within a category - that indicate that they are purely informational, and don't report a state change, - or any type of action. For example, an initial run of a file integrity monitoring - system (FIM), where an agent reports all files under management, would fall - into the "info" subcategory. Similarly, an event containing a dump of all currently - running processes (as opposed to reporting that a process started/ended) would - fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection - AND event.type:info`. - name: info - - description: The installation event type is used for the subset of events within - a category that indicate that something was installed. A common example is `event.category:package` - AND `event.type:installation`. - name: installation - - description: The protocol event type is used for the subset of events within a - category that indicate that they contain protocol details or analysis, beyond - simply identifying the protocol. Generally, network events that contain specific - protocol details will fall into this subcategory. 
A common example is `event.category:network - AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate - that the event is a network connection event sent at the end of a connection - that also includes a protocol detail breakdown). Note that events that only - indicate the name or id of the protocol should not use the protocol value. Further - note that when the protocol subcategory is used, the identified protocol is - populated in the ECS `network.protocol` field. - name: protocol - - description: The start event type is used for the subset of events within a category - that indicate something has started. A common example is `event.category:process - AND event.type:start`. - name: start - - description: 'The user event type is used for the subset of events within a category - that are related to user objects. Common example: `event.category:iam AND event.type:deletion - AND event.type:user`. You can further distinguish user operations using the - ECS `event.action` field.' - name: user - dashed_name: threat-enrichments-event-type - description: 'This is one of four ECS Categorization Fields, and indicates the third - level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along with - the `event.category` field values, enables filtering events down to a level appropriate - for single visualization. - - This field is an array. This will allow proper categorization of some events that - fall in multiple event types.' - flat_name: threat.enrichments.event.type +threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at + level: extended + name: enrichments.indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date +threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long +threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: event - short: Event type. The third categorization field in the hierarchy. + level: extended + name: enrichments.indicator.provider + normalize: [] + short: Indicator provider type: keyword -threat.enrichments.event.url: - dashed_name: threat-enrichments-event-url - description: 'URL linking to an external system to continue investigation of this - event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - flat_name: threat.enrichments.event.url +threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. 
+ example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference ignore_above: 1024 level: extended - name: url + name: enrichments.indicator.reference normalize: [] - original_fieldset: event - short: Event investigation URL + short: Indicator reference URL type: keyword -threat.enrichments.file.accessed: - dashed_name: threat-enrichments-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - flat_name: threat.enrichments.file.accessed +threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats level: extended - name: accessed + name: enrichments.indicator.scanner_stats normalize: [] - original_fieldset: file - short: Last time the file was accessed. - type: date -threat.enrichments.file.attributes: - dashed_name: threat-enrichments-file-attributes - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, execute, - hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.enrichments.file.attributes + short: Scanner statistics + type: long +threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ + \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ + \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ + \ * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. - type: keyword -threat.enrichments.file.code_signature.exists: - dashed_name: threat-enrichments-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.enrichments.file.code_signature.exists - level: core - name: exists + name: enrichments.indicator.type normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -threat.enrichments.file.code_signature.signing_id: - dashed_name: threat-enrichments-file-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.enrichments.file.code_signature.signing_id + short: Type of indicator + type: keyword +threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended - name: signing_id + name: enrichments.matched.atomic normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + short: Matched indicator value type: keyword -threat.enrichments.file.code_signature.status: - dashed_name: threat-enrichments-file-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.enrichments.file.code_signature.status +threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field ignore_above: 1024 level: extended - name: status + name: enrichments.matched.field normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + short: Matched indicator field type: keyword -threat.enrichments.file.code_signature.subject_name: - dashed_name: threat-enrichments-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.enrichments.file.code_signature.subject_name +threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. 
+ example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id ignore_above: 1024 - level: core - name: subject_name + level: extended + name: enrichments.matched.id normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + short: Matched indicator identifier type: keyword -threat.enrichments.file.code_signature.team_id: - dashed_name: threat-enrichments-file-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.enrichments.file.code_signature.team_id +threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: team_id + name: enrichments.matched.index normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + short: Matched indicator index type: keyword -threat.enrichments.file.code_signature.trusted: - dashed_name: threat-enrichments-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.enrichments.file.code_signature.trusted +threat.enrichments.matched.type: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 level: extended - name: trusted + name: enrichments.matched.type normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -threat.enrichments.file.code_signature.valid: - dashed_name: threat-enrichments-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. + short: Type of indicator match + type: keyword +threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.enrichments.file.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -threat.enrichments.file.created: - dashed_name: threat-enrichments-file-created - description: 'File creation time. + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. - Note that not all filesystems store the creation time.' - flat_name: threat.enrichments.file.created + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain + ignore_above: 1024 level: extended - name: created + name: domain normalize: [] - original_fieldset: file - short: File creation time. 
- type: date -threat.enrichments.file.ctime: - dashed_name: threat-enrichments-file-ctime - description: 'Last time the file attributes or metadata changed. + original_fieldset: url + short: Domain of the url. + type: keyword +threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.enrichments.file.ctime - level: extended - name: ctime - normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date -threat.enrichments.file.device: - dashed_name: threat-enrichments-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.enrichments.file.device + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension ignore_above: 1024 level: extended - name: device + name: extension normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword -threat.enrichments.file.directory: - dashed_name: threat-enrichments-file-directory - description: Directory where the file is located. It should include the drive letter, - when appropriate. 
- example: /home/alice - flat_name: threat.enrichments.file.directory +threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.url.fragment ignore_above: 1024 level: extended - name: directory + name: fragment normalize: [] - original_fieldset: file - short: Directory where the file is located. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword -threat.enrichments.file.drive_letter: - dashed_name: threat-enrichments-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C - flat_name: threat.enrichments.file.drive_letter - ignore_above: 1 +threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full + ignore_above: 1024 level: extended - name: drive_letter + multi_fields: + - flat_name: threat.enrichments.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: file - short: Drive letter where the file is located. + original_fieldset: url + short: Full unparsed URL. type: keyword -threat.enrichments.file.elf.architecture: - dashed_name: threat-enrichments-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.enrichments.file.elf.architecture +threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. 
+ + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original ignore_above: 1024 level: extended - name: architecture + multi_fields: + - flat_name: threat.enrichments.url.original.text + name: text + norms: false + type: text + name: original normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: url + short: Unmodified original url as seen in the event source. type: keyword -threat.enrichments.file.elf.byte_order: - dashed_name: threat-enrichments-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.enrichments.file.elf.byte_order +threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password ignore_above: 1024 level: extended - name: byte_order + name: password normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: url + short: Password of the request. type: keyword -threat.enrichments.file.elf.cpu_type: - dashed_name: threat-enrichments-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.enrichments.file.elf.cpu_type +threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path ignore_above: 1024 level: extended - name: cpu_type + name: path normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: url + short: Path of the request, such as "/search". 
type: keyword -threat.enrichments.file.elf.creation_date: - dashed_name: threat-enrichments-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: threat.enrichments.file.elf.creation_date +threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string level: extended - name: creation_date + name: port normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -threat.enrichments.file.elf.exports: - dashed_name: threat-enrichments-file-elf-exports - description: List of exported element names and types. - flat_name: threat.enrichments.file.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -threat.enrichments.file.elf.header.abi_version: - dashed_name: threat-enrichments-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.enrichments.file.elf.header.abi_version + original_fieldset: url + short: Port of the request, such as 443. + type: long +threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. The `exists` query can be used to differentiate between the two + cases.' + flat_name: threat.enrichments.url.query ignore_above: 1024 level: extended - name: header.abi_version + name: query normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). 
+ original_fieldset: url + short: Query string of the request. type: keyword -threat.enrichments.file.elf.header.class: - dashed_name: threat-enrichments-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.enrichments.file.elf.header.class +threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain ignore_above: 1024 level: extended - name: header.class + name: registered_domain normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. type: keyword -threat.enrichments.file.elf.header.data: - dashed_name: threat-enrichments-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.enrichments.file.elf.header.data +threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme ignore_above: 1024 level: extended - name: header.data + name: scheme normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: url + short: Scheme of the url. type: keyword -threat.enrichments.file.elf.header.entrypoint: - dashed_name: threat-enrichments-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. 
- flat_name: threat.enrichments.file.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -threat.enrichments.file.elf.header.object_version: - dashed_name: threat-enrichments-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.enrichments.file.elf.header.object_version +threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain ignore_above: 1024 level: extended - name: header.object_version + name: subdomain normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: url + short: The subdomain of the domain. type: keyword -threat.enrichments.file.elf.header.os_abi: - dashed_name: threat-enrichments-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.enrichments.file.elf.header.os_abi +threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". 
+ + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain ignore_above: 1024 level: extended - name: header.os_abi + name: top_level_domain normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.enrichments.file.elf.header.type: - dashed_name: threat-enrichments-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.enrichments.file.elf.header.type +threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. + flat_name: threat.enrichments.url.username ignore_above: 1024 level: extended - name: header.type + name: username normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: url + short: Username of the request. type: keyword -threat.enrichments.file.elf.header.version: - dashed_name: threat-enrichments-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.enrichments.file.elf.header.version +threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names ignore_above: 1024 level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. 
+ name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword -threat.enrichments.file.elf.imports: - dashed_name: threat-enrichments-file-elf-imports - description: List of imported element names and types. - flat_name: threat.enrichments.file.elf.imports +threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name + ignore_above: 1024 level: extended - name: imports + name: issuer.common_name normalize: - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -threat.enrichments.file.elf.sections: - dashed_name: threat-enrichments-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: threat.enrichments.file.elf.sections + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword +threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country + ignore_above: 1024 level: extended - name: sections + name: issuer.country normalize: - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -threat.enrichments.file.elf.sections.chi2: - dashed_name: threat-enrichments-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. 
- flat_name: threat.enrichments.file.elf.sections.chi2 - format: number + original_fieldset: x509 + short: List of country (C) codes + type: keyword +threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name + ignore_above: 1024 level: extended - name: sections.chi2 + name: issuer.distinguished_name normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -threat.enrichments.file.elf.sections.entropy: - dashed_name: threat-enrichments-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.enrichments.file.elf.sections.entropy - format: number + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality + ignore_above: 1024 level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -threat.enrichments.file.elf.sections.flags: - dashed_name: threat-enrichments-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.enrichments.file.elf.sections.flags + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization ignore_above: 1024 level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword -threat.enrichments.file.elf.sections.name: - dashed_name: threat-enrichments-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.enrichments.file.elf.sections.name +threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: sections.name - normalize: [] - original_fieldset: elf - short: ELF Section List name. + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword -threat.enrichments.file.elf.sections.physical_offset: - dashed_name: threat-enrichments-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.enrichments.file.elf.sections.physical_offset +threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province ignore_above: 1024 level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. 
+ name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.file.elf.sections.physical_size: - dashed_name: threat-enrichments-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.enrichments.file.elf.sections.physical_size - format: bytes +threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm + ignore_above: 1024 level: extended - name: sections.physical_size + name: public_key_algorithm normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -threat.enrichments.file.elf.sections.type: - dashed_name: threat-enrichments-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.enrichments.file.elf.sections.type + original_fieldset: x509 + short: Algorithm used to generate the public key. 
+ type: keyword +threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve ignore_above: 1024 level: extended - name: sections.type + name: public_key_curve normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword -threat.enrichments.file.elf.sections.virtual_address: - dashed_name: threat-enrichments-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.enrichments.file.elf.sections.virtual_address - format: string +threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false level: extended - name: sections.virtual_address + name: public_key_exponent normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long -threat.enrichments.file.elf.sections.virtual_size: - dashed_name: threat-enrichments-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.enrichments.file.elf.sections.virtual_size - format: string +threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. 
+ example: 2048 + flat_name: threat.enrichments.x509.public_key_size level: extended - name: sections.virtual_size + name: public_key_size normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. + original_fieldset: x509 + short: The size of the public key space in bits. type: long -threat.enrichments.file.elf.segments: - dashed_name: threat-enrichments-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: threat.enrichments.file.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -threat.enrichments.file.elf.segments.sections: - dashed_name: threat-enrichments-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.enrichments.file.elf.segments.sections +threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number ignore_above: 1024 level: extended - name: segments.sections + name: serial_number normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword -threat.enrichments.file.elf.segments.type: - dashed_name: threat-enrichments-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.enrichments.file.elf.segments.type +threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. 
We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm ignore_above: 1024 level: extended - name: segments.type + name: signature_algorithm normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword -threat.enrichments.file.elf.shared_libraries: - dashed_name: threat-enrichments-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.enrichments.file.elf.shared_libraries +threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name ignore_above: 1024 level: extended - name: shared_libraries + name: subject.common_name normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + original_fieldset: x509 + short: List of common names (CN) of subject. type: keyword -threat.enrichments.file.elf.telfhash: - dashed_name: threat-enrichments-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.enrichments.file.elf.telfhash +threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country ignore_above: 1024 level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. 
+ name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code type: keyword -threat.enrichments.file.extension: - dashed_name: threat-enrichments-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.file.extension +threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name ignore_above: 1024 level: extended - name: extension + name: subject.distinguished_name normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. type: keyword -threat.enrichments.file.gid: - dashed_name: threat-enrichments-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.enrichments.file.gid +threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality ignore_above: 1024 level: extended - name: gid - normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.enrichments.file.group: - dashed_name: threat-enrichments-file-group - description: Primary group name of the file. 
- example: alice - flat_name: threat.enrichments.file.group +threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization ignore_above: 1024 level: extended - name: group - normalize: [] - original_fieldset: file - short: Primary group name of the file. + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. type: keyword -threat.enrichments.file.inode: - dashed_name: threat-enrichments-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.enrichments.file.inode +threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.x509.subject.organizational_unit ignore_above: 1024 level: extended - name: inode - normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. type: keyword -threat.enrichments.file.mime_type: - dashed_name: threat-enrichments-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official - types], where possible. When more than one type is applicable, the most specific - type should be used. 
- flat_name: threat.enrichments.file.mime_type +threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province ignore_above: 1024 level: extended - name: mime_type - normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.file.mode: - dashed_name: threat-enrichments-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.enrichments.file.mode +threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number ignore_above: 1024 level: extended - name: mode + name: version_number normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: x509 + short: Version of x509 format. type: keyword -threat.enrichments.file.mtime: - dashed_name: threat-enrichments-file-mtime - description: Last time the file content was modified. - flat_name: threat.enrichments.file.mtime +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 level: extended - name: mtime + name: framework normalize: [] - original_fieldset: file - short: Last time the file content was modified. 
- type: date -threat.enrichments.file.name: - dashed_name: threat-enrichments-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.enrichments.file.name + short: Threat classification framework. + type: keyword +threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: name - normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + name: group.alias + normalize: + - array + short: Alias of the group. type: keyword -threat.enrichments.file.owner: - dashed_name: threat-enrichments-file-owner - description: File owner's username. - example: alice - flat_name: threat.enrichments.file.owner +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id ignore_above: 1024 level: extended - name: owner + name: group.id normalize: [] - original_fieldset: file - short: File owner's username. + short: ID of the group. type: keyword -threat.enrichments.file.path: - dashed_name: threat-enrichments-file-path - description: Full path to the file, including the file name. It should include the - drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.enrichments.file.path +threat.group.name: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.file.path.text - name: text - norms: false - type: text - name: path + name: group.name normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. + short: Name of the group. type: keyword -threat.enrichments.file.size: - dashed_name: threat-enrichments-file-size - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.enrichments.file.size - level: extended - name: size - normalize: [] - original_fieldset: file - short: File size in bytes. - type: long -threat.enrichments.file.target_path: - dashed_name: threat-enrichments-file-target-path - description: Target path for symlinks. - flat_name: threat.enrichments.file.target_path +threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.file.target_path.text - name: text - norms: false - type: text - name: target_path + name: group.reference normalize: [] - original_fieldset: file - short: Target path for symlinks. + short: Reference URL of the group. type: keyword -threat.enrichments.file.type: - dashed_name: threat-enrichments-file-type - description: File type (file, dir, or symlink). 
- example: file - flat_name: threat.enrichments.file.type +threat.indicator.as.data.bytes: + dashed_name: threat-indicator-as-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.as.data.bytes ignore_above: 1024 level: extended - name: type + name: data.bytes normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword -threat.enrichments.file.uid: - dashed_name: threat-enrichments-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.enrichments.file.uid +threat.indicator.as.data.strings: + dashed_name: threat-indicator-as-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.as.data.strings ignore_above: 1024 - level: extended - name: uid - normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. 
type: keyword -threat.enrichments.geo.city_name: - dashed_name: threat-enrichments-geo-city-name - description: City name. - example: Montreal - flat_name: threat.enrichments.geo.city_name +threat.indicator.as.data.type: + dashed_name: threat-indicator-as-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.as.data.type ignore_above: 1024 level: core - name: city_name + name: data.type normalize: [] - original_fieldset: geo - short: City name. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword -threat.enrichments.geo.continent_code: - dashed_name: threat-enrichments-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.enrichments.geo.continent_code +threat.indicator.as.hive: + dashed_name: threat-indicator-as-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.as.hive ignore_above: 1024 level: core - name: continent_code + name: hive normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword -threat.enrichments.geo.continent_name: - dashed_name: threat-enrichments-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.enrichments.geo.continent_name +threat.indicator.as.key: + dashed_name: threat-indicator-as-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.as.key ignore_above: 1024 level: core - name: continent_name + name: key normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: registry + short: Hive-relative path of keys. 
type: keyword -threat.enrichments.geo.country_iso_code: - dashed_name: threat-enrichments-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.enrichments.geo.country_iso_code +threat.indicator.as.path: + dashed_name: threat-indicator-as-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.as.path ignore_above: 1024 level: core - name: country_iso_code + name: path normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: registry + short: Full path, including hive, key and value type: keyword -threat.enrichments.geo.country_name: - dashed_name: threat-enrichments-geo-country-name - description: Country name. - example: Canada - flat_name: threat.enrichments.geo.country_name +threat.indicator.as.value: + dashed_name: threat-indicator-as-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.as.value ignore_above: 1024 level: core - name: country_name + name: value normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: registry + short: Name of the value written. type: keyword -threat.enrichments.geo.location: - dashed_name: threat-enrichments-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.enrichments.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -threat.enrichments.geo.name: - dashed_name: threat-enrichments-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: threat.enrichments.geo.name +threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: name + name: indicator.confidence normalize: [] - original_fieldset: geo - short: User-defined description of a location. + short: Indicator confidence rating type: keyword -threat.enrichments.geo.postal_code: - dashed_name: threat-enrichments-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.enrichments.geo.postal_code +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description ignore_above: 1024 - level: core - name: postal_code + level: extended + name: indicator.description normalize: [] - original_fieldset: geo - short: Postal code. + short: Indicator description type: keyword -threat.enrichments.geo.region_iso_code: - dashed_name: threat-enrichments-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.enrichments.geo.region_iso_code +threat.indicator.email.address: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: indicator.email.address normalize: [] - original_fieldset: geo - short: Region ISO code. + short: Indicator email address type: keyword -threat.enrichments.geo.region_name: - dashed_name: threat-enrichments-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.enrichments.geo.region_name - ignore_above: 1024 - level: core - name: region_name +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -threat.enrichments.geo.timezone: - dashed_name: threat-enrichments-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.enrichments.geo.timezone + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. 
+ type: keyword +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists level: core - name: timezone + name: exists normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -threat.enrichments.hash.md5: - dashed_name: threat-enrichments-hash-md5 - description: MD5 hash. - flat_name: threat.enrichments.hash.md5 + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended - name: md5 + name: signing_id normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword -threat.enrichments.hash.sha1: - dashed_name: threat-enrichments-hash-sha1 - description: SHA1 hash. - flat_name: threat.enrichments.hash.sha1 +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 level: extended - name: sha1 + name: status normalize: [] - original_fieldset: hash - short: SHA1 hash. 
+ original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword -threat.enrichments.hash.sha256: - dashed_name: threat-enrichments-hash-sha256 - description: SHA256 hash. - flat_name: threat.enrichments.hash.sha256 +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 - level: extended - name: sha256 + level: core + name: subject_name normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: code_signature + short: Subject name of the code signer type: keyword -threat.enrichments.hash.sha512: - dashed_name: threat-enrichments-hash-sha512 - description: SHA512 hash. - flat_name: threat.enrichments.hash.sha512 +threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: sha512 + name: team_id normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -threat.enrichments.hash.ssdeep: - dashed_name: threat-enrichments-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.hash.ssdeep - ignore_above: 1024 +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. 
+ + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted level: extended - name: ssdeep + name: trusted normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic - ignore_above: 1024 + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid level: extended - name: enrichments.matched.atomic + name: valid normalize: [] - short: Matched indicator value - type: keyword -threat.enrichments.matched.field: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field - ignore_above: 1024 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' 
+ flat_name: threat.indicator.file.created level: extended - name: enrichments.matched.field + name: created normalize: [] - short: Matched indicator field - type: keyword -threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id - ignore_above: 1024 + original_fieldset: file + short: File creation time. + type: date +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime level: extended - name: enrichments.matched.id + name: ctime normalize: [] - short: Matched indicator identifier - type: keyword -threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended - name: enrichments.matched.index + name: device normalize: [] - short: Matched indicator index + original_fieldset: file + short: Device that is the source of the file. type: keyword -threat.enrichments.matched.type: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched with - the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory ignore_above: 1024 level: extended - name: enrichments.matched.type + name: directory normalize: [] - short: Type of indicator match + original_fieldset: file + short: Directory where the file is located. type: keyword -threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), - the `[` and `]` characters should also be captured in the `domain` field.' - example: www.elastic.co - flat_name: threat.enrichments.url.domain - ignore_above: 1024 + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 level: extended - name: domain + name: drive_letter normalize: [] - original_fieldset: url - short: Domain of the url. + original_fieldset: file + short: Drive letter where the file is located. type: keyword -threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request url, - excluding the leading dot. 
- - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.url.extension +threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture ignore_above: 1024 level: extended - name: extension + name: architecture normalize: [] - original_fieldset: url - short: File extension from the request url, excluding the leading dot. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment +threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order ignore_above: 1024 level: extended - name: fragment + name: byte_order normalize: [] - original_fieldset: url - short: Portion of the url after the `#`. + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword -threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event source. 
- example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full +threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.full.text - name: text - norms: false - type: text - name: full + name: cpu_type normalize: [] - original_fieldset: url - short: Full unparsed URL. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword -threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas in - access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original +threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened +threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.original.text - name: text - norms: false - type: text - name: original + name: header.abi_version normalize: [] - original_fieldset: url - short: Unmodified original url as seen in the event source. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword -threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password - description: Password of the request. - flat_name: threat.enrichments.url.password +threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class ignore_above: 1024 level: extended - name: password + name: header.class normalize: [] - original_fieldset: url - short: Password of the request. + original_fieldset: elf + short: Header class of the ELF file. type: keyword -threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path - description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path +threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data ignore_above: 1024 level: extended - name: path + name: header.data normalize: [] - original_fieldset: url - short: Path of the request, such as "/search". + original_fieldset: elf + short: Data table of the ELF header. type: keyword -threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port - description: Port of the request, such as 443. 
- example: 443 - flat_name: threat.enrichments.url.port +threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint format: string level: extended - name: port + name: header.entrypoint normalize: [] - original_fieldset: url - short: Port of the request, such as 443. + original_fieldset: elf + short: Header entrypoint of the ELF file. type: long -threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there is - no query field. If there is a `?` but no query, the query field exists with an - empty string. The `exists` query can be used to differentiate between the two - cases.' - flat_name: threat.enrichments.url.query +threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.indicator.file.elf.header.object_version ignore_above: 1024 level: extended - name: query + name: header.object_version normalize: [] - original_fieldset: url - short: Query string of the request. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword -threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (http://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' 
- example: example.com - flat_name: threat.enrichments.url.registered_domain +threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended - name: registered_domain + name: header.os_abi normalize: [] - original_fieldset: url - short: The highest registered url domain, stripped of the subdomain. + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword -threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: threat.enrichments.url.scheme +threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type ignore_above: 1024 level: extended - name: scheme + name: header.type normalize: [] - original_fieldset: url - short: Scheme of the url. + original_fieldset: elf + short: Header type of the ELF file. type: keyword -threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' 
- example: east - flat_name: threat.enrichments.url.subdomain +threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.indicator.file.elf.header.version ignore_above: 1024 level: extended - name: subdomain + name: header.version normalize: [] - original_fieldset: url - short: The subdomain of the domain. + original_fieldset: elf + short: Version of the ELF header. type: keyword -threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". +threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. - This value can be determined precisely with a list like the public suffix list - (http://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: threat.enrichments.url.top_level_domain + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested +threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: top_level_domain + name: sections.flags normalize: [] - original_fieldset: url - short: The effective top level domain (com, org, net, co.uk). + original_fieldset: elf + short: ELF Section List flags. type: keyword -threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username - description: Username of the request. - flat_name: threat.enrichments.url.username +threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name ignore_above: 1024 level: extended - name: username + name: sections.name normalize: [] - original_fieldset: url - short: Username of the request. + original_fieldset: elf + short: ELF Section List name. type: keyword -threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names - description: List of subject alternative names (SAN). 
Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names (and - wildcards), and email addresses. - example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names +threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - name: alternative_names - normalize: - - array - original_fieldset: x509 - short: List of subject alternative names (SAN). + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. type: keyword -threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name +threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended - name: issuer.common_name + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments normalize: - array - original_fieldset: x509 - short: List of common name (CN) of issuing certificate authority. + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. type: keyword -threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country - description: List of country (C) codes - example: US - flat_name: threat.enrichments.x509.issuer.country +threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. 
+ flat_name: threat.indicator.file.elf.segments.type ignore_above: 1024 level: extended - name: issuer.country + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries normalize: - array - original_fieldset: x509 - short: List of country (C) codes + original_fieldset: elf + short: List of shared libraries used by this ELF object. type: keyword -threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name +threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended - name: issuer.distinguished_name + name: extension normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of issuing certificate authority. + original_fieldset: file + short: File extension, excluding the leading dot. 
type: keyword -threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality - description: List of locality names (L) - example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended - name: issuer.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. type: keyword -threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization +threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group ignore_above: 1024 level: extended - name: issuer.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of issuing certificate authority. + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. type: keyword -threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. 
+ example: '256383' + flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended - name: issuer.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of issuing certificate authority. + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. type: keyword -threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.issuer.state_or_province +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended - name: issuer.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. type: keyword -threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 level: extended - name: not_after + name: mode normalize: [] - original_fieldset: x509 - short: Time at which the certificate is no longer considered valid. 
- type: date -threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime level: extended - name: not_before + name: mtime normalize: [] - original_fieldset: x509 - short: Time at which the certificate is first considered valid. + original_fieldset: file + short: Last time the file content was modified. type: date -threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm - description: Algorithm used to generate the public key. - example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm +threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended - name: public_key_algorithm + name: name normalize: [] - original_fieldset: x509 - short: Algorithm used to generate the public key. + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword -threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve - description: The curve used by the elliptic curve public key algorithm. This is - algorithm specific. - example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. 
+ example: alice + flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended - name: public_key_curve + name: owner normalize: [] - original_fieldset: x509 - short: The curve used by the elliptic curve public key algorithm. This is algorithm - specific. + original_fieldset: file + short: File owner's username. type: keyword -threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent - description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent - index: false +threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + ignore_above: 1024 level: extended - name: public_key_exponent + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path normalize: [] - original_fieldset: x509 - short: Exponent used to derive the public key. This is algorithm specific. - type: long -threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size - description: The size of the public key space in bits. - example: 2048 - flat_name: threat.enrichments.x509.public_key_size + original_fieldset: file + short: Full path to the file, including the file name. + type: keyword +threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size level: extended - name: public_key_size + name: size normalize: [] - original_fieldset: x509 - short: The size of the public key space in bits. + original_fieldset: file + short: File size in bytes. 
type: long -threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path ignore_above: 1024 level: extended - name: serial_number + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path normalize: [] - original_fieldset: x509 - short: Unique serial number issued by the certificate authority. + original_fieldset: file + short: Target path for symlinks. type: keyword -threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm +threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type ignore_above: 1024 level: extended - name: signature_algorithm + name: type normalize: [] - original_fieldset: x509 - short: Identifier for certificate signature algorithm. + original_fieldset: file + short: File type (file, dir, or symlink). type: keyword -threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name - description: List of common names (CN) of subject. 
- example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended - name: subject.common_name - normalize: - - array - original_fieldset: x509 - short: List of common names (CN) of subject. + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword -threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country - description: List of country (C) code - example: US - flat_name: threat.enrichments.x509.subject.country - ignore_above: 1024 +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen level: extended - name: subject.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) code - type: keyword -threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. 
+ example: Montreal + flat_name: threat.indicator.geo.city_name ignore_above: 1024 - level: extended - name: subject.distinguished_name + level: core + name: city_name normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of the certificate subject entity. + original_fieldset: geo + short: City name. type: keyword -threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality - description: List of locality names (L) - example: San Francisco - flat_name: threat.enrichments.x509.subject.locality +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: subject.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. type: keyword -threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization - description: List of organizations (O) of subject. - example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name ignore_above: 1024 - level: extended - name: subject.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of subject. + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. type: keyword -threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit - description: List of organizational units (OU) of subject. 
- flat_name: threat.enrichments.x509.subject.organizational_unit +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 - level: extended - name: subject.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of subject. + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. type: keyword -threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.subject.state_or_province +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name ignore_above: 1024 - level: extended - name: subject.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. type: keyword -threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number - description: Version of x509 format. - example: 3 - flat_name: threat.enrichments.x509.version_number +threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name ignore_above: 1024 level: extended - name: version_number + name: name normalize: [] - original_fieldset: x509 - short: Version of x509 format. + original_fieldset: geo + short: User-defined description of a location. type: keyword -threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification can - be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework +threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code ignore_above: 1024 - level: extended - name: framework + level: core + name: postal_code normalize: [] - short: Threat classification framework. + original_fieldset: geo + short: Postal code. type: keyword -threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias +threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. type: keyword -threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that are\ - \ tracked by a common name in the security community. While not required, you\ - \ can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id +threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name ignore_above: 1024 - level: extended - name: group.id + level: core + name: region_name normalize: [] - short: ID of the group. + original_fieldset: geo + short: Region name. type: keyword -threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name +threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone ignore_above: 1024 - level: extended - name: group.name + level: core + name: timezone normalize: [] - short: Name of the group. + original_fieldset: geo + short: Time zone. type: keyword -threat.group.reference: - beta: This field is beta and subject to change. 
- dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference +threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended - name: group.reference + name: md5 normalize: [] - short: Reference URL of the group. + original_fieldset: hash + short: MD5 hash. type: keyword -threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence +threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended - name: indicator.confidence + name: sha1 normalize: [] - short: Indicator confidence rating + original_fieldset: hash + short: SHA1 hash. type: keyword -threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description +threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. 
+ flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended - name: indicator.description + name: sha256 normalize: [] - short: Indicator description + original_fieldset: hash + short: SHA256 hash. type: keyword -threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective of - direction). - example: phish@example.com - flat_name: threat.indicator.email.address +threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended - name: indicator.email.address + name: sha512 normalize: [] - short: Indicator email address + original_fieldset: hash + short: SHA512 hash. type: keyword -threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen +threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 level: extended - name: indicator.first_seen + name: ssdeep normalize: [] - short: Date/time indicator was first reported. - type: date + original_fieldset: hash + short: SSDEEP hash. + type: keyword threat.indicator.ip: beta: This field is beta and subject to change. dashed_name: threat-indicator-ip 
@@ -11051,6 +10589,30 @@ threat.indicator.port: normalize: [] short: Indicator port type: long +threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Indicator provider + type: keyword +threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 + level: extended + name: indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword threat.indicator.scanner_stats: beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index c44dd00cdf..6aee16b037 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -152,9 +152,13 @@ as: at: source full: source.as - as: as - at: threat.enrichments + at: threat.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + - as: as + at: threat.enrichments.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.as + full: threat.enrichments.indicator.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). title: Autonomous System 
@@ -3072,8 +3076,8 @@ event: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, @@ -3423,13 +3427,6 @@ event: group: 2 name: event prefix: event. - reusable: - expected: - - as: event - at: threat.enrichments - beta: Reusing the `event` fields in this location is currently considered beta. - full: threat.enrichments.event - top_level: true short: Fields breaking down the event details. title: Event type: group @@ -4585,9 +4582,13 @@ file: reusable: expected: - as: file - at: threat.enrichments + at: threat.indicator beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.file + full: threat.indicator.file + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as top_level: true reused_here: - full: file.code_signature @@ -4769,9 +4770,13 @@ geo: at: source full: source.geo - as: geo - at: threat.enrichments + at: threat.indicator beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.geo + full: threat.indicator.geo + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as top_level: false short: Fields describing a location. title: Geo 
@@ -4901,9 +4906,13 @@ hash: at: dll full: dll.hash - as: hash - at: threat.enrichments + at: threat.indicator beta: Reusing the `hash` fields in this location is currently considered beta. - full: threat.enrichments.hash + full: threat.indicator.hash + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as top_level: false short: Hashes, usually file hashes. title: Hash @@ -7142,6 +7151,14 @@ pe: - as: pe at: process full: process.pe + - as: as + at: threat.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as top_level: false short: These fields contain Windows Portable Executable (PE) metadata. title: PE Header @@ -8884,6 +8901,17 @@ registry: group: 2 name: registry prefix: registry. + reusable: + expected: + - as: as + at: threat.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as + top_level: true short: Fields related to Windows Registry operations. title: Registry type: group 
@@ -10220,2475 +10248,1999 @@ threat: normalize: [] short: List of indicators enriching the event. type: nested - threat.enrichments.as.number: - dashed_name: threat-enrichments-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: threat.enrichments.as.number + threat.enrichments.indicator: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator + description: Indicators + flat_name: threat.enrichments.indicator level: extended - name: number + name: enrichments.indicator normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - threat.enrichments.as.organization.name: - dashed_name: threat-enrichments-as-organization-name - description: Organization name. - example: Google LLC - flat_name: threat.enrichments.as.organization.name + short: Indicators + type: object + threat.enrichments.indicator.as.data.bytes: + dashed_name: threat-enrichments-indicator-as-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.as.data.bytes ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.as.organization.name.text - name: text - norms: false - type: text - name: organization.name + name: data.bytes normalize: [] - original_fieldset: as - short: Organization name. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword - threat.enrichments.event.action: - dashed_name: threat-enrichments-event-action - description: 'The action captured by the event. 
+ threat.enrichments.indicator.as.data.strings: + dashed_name: threat-enrichments-indicator-as-data-strings + description: 'Content when writing string types. - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change - flat_name: threat.enrichments.event.action + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.as.data.strings ignore_above: 1024 level: core - name: action + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: keyword + threat.enrichments.indicator.as.data.type: + dashed_name: threat-enrichments-indicator-as-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.as.data.type + ignore_above: 1024 + level: core + name: data.type normalize: [] - original_fieldset: event - short: The action captured by the event. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.enrichments.event.agent_id_status: - dashed_name: threat-enrichments-event-agent-id-status - description: 'Agents are normally responsible for populating the `agent.id` - field value. If the system receiving events is capable of validating the value - based on authentication information for the client then this field can be - used to reflect the outcome of that validation. 
- - For example if the agent''s connection is authenticated with mTLS and the - client cert contains the ID of the agent to which the cert was issued then - the `agent.id` value in events can be checked against the certificate. If - the values match then `event.agent_id_status: verified` is added to the event, - otherwise one of the other allowed values should be used. - - If no validation is performed then the field should be omitted. - - The allowed values are: - - `verified` - The `agent.id` field value matches expected value obtained from - auth metadata. - - `mismatch` - The `agent.id` field value does not match the expected value - obtained from auth metadata. - - `missing` - There was no `agent.id` field in the event to validate. - - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - flat_name: threat.enrichments.event.agent_id_status + threat.enrichments.indicator.as.hive: + dashed_name: threat-enrichments-indicator-as-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.as.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.enrichments.indicator.as.key: + dashed_name: threat-enrichments-indicator-as-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.as.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. 
+ type: keyword + threat.enrichments.indicator.as.path: + dashed_name: threat-enrichments-indicator-as-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.as.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword + threat.enrichments.indicator.as.value: + dashed_name: threat-enrichments-indicator-as-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.indicator.as.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.enrichments.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.enrichments.indicator.confidence ignore_above: 1024 level: extended - name: agent_id_status + name: enrichments.indicator.confidence normalize: [] - original_fieldset: event - short: Validation status of the event's agent.id field. + short: Indicator confidence rating type: keyword - threat.enrichments.event.category: - allowed_values: - - description: Events in this category are related to the challenge and response - process in which credentials are supplied and verified to allow the creation - of a session. Common sources for these logs are Windows event logs and ssh - logs. 
Visualize and analyze events in this category to look for failed logins, - and other authentication-related activity. - expected_event_types: - - start - - end - - info - name: authentication - - description: 'Events in the configuration category have to deal with creating, - modifying, or deleting the settings or parameters of an application, process, - or system. - - Example sources include security policy change logs, configuration auditing - logging, and system integrity monitoring.' - expected_event_types: - - access - - change - - creation - - deletion - - info - name: configuration - - description: The database category denotes events and metrics relating to - a data storage and retrieval system. Note that use of this category is not - limited to relational database systems. Examples include event logs from - MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize - and analyze database activity such as accesses and changes. - expected_event_types: - - access - - change - - info - - error - name: database - - description: 'Events in the driver category have to do with operating system - device drivers and similar software entities such as Windows drivers, kernel - extensions, kernel modules, etc. - - Use events and metrics in this category to visualize and analyze driver-related - activity and status on hosts.' - expected_event_types: - - change - - end - - info - - start - name: driver - - description: Relating to a set of information that has been created on, or - has existed on a filesystem. Use this category of events to visualize and - analyze the creation, access, and deletions of files. Events in this category - can come from both host-based and network-based sources. An example source - of a network-based detection of a file transfer would be the Zeek file.log. 
- expected_event_types: - - change - - creation - - deletion - - info - name: file - - description: 'Use this category to visualize and analyze information such - as host inventory or host lifecycle events. - - Most of the events in this category can usually be observed from the outside, - such as from a hypervisor or a control plane''s point of view. Some can - also be seen from within, such as "start" or "end". - - Note that this category is for information about hosts themselves; it is - not meant to capture activity "happening on a host".' - expected_event_types: - - access - - change - - end - - info - - start - name: host - - description: Identity and access management (IAM) events relating to users, - groups, and administration. Use this category to visualize and analyze IAM-related - logs and data from active directory, LDAP, Okta, Duo, and other IAM systems. - expected_event_types: - - admin - - change - - creation - - deletion - - group - - info - - user - name: iam - - description: Relating to intrusion detections from IDS/IPS systems and functions, - both network and host-based. Use this category to visualize and analyze - intrusion detection alerts from systems such as Snort, Suricata, and Palo - Alto threat detections. - expected_event_types: - - allowed - - denied - - info - name: intrusion_detection - - description: Malware detection events and alerts. Use this category to visualize - and analyze malware detections from EDR/EPP systems such as Elastic Endpoint - Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS - systems such as Suricata, or other sources of malware-related events such - as Palo Alto Networks threat logs and Wildfire logs. - expected_event_types: - - info - name: malware - - description: Relating to all network activity, including network connection - lifecycle, network traffic, and essentially any event that includes an IP - address. 
Many events containing decoded network protocol transactions fit - into this category. Use events in this category to visualize or analyze - counts of network ports, protocols, addresses, geolocation information, - etc. - expected_event_types: - - access - - allowed - - connection - - denied - - end - - info - - protocol - - start - name: network - - description: Relating to software packages installed on hosts. Use this category - to visualize and analyze inventory of software installed on various hosts, - or to determine host vulnerability in the absence of vulnerability scan - data. - expected_event_types: - - access - - change - - deletion - - info - - installation - - start - name: package - - description: Use this category of events to visualize and analyze process-specific - information such as lifecycle events or process ancestry. - expected_event_types: - - access - - change - - end - - info - - start - name: process - - description: Having to do with settings and assets stored in the Windows registry. - Use this category to visualize and analyze activity such as registry access - and modifications. - expected_event_types: - - access - - change - - creation - - deletion - name: registry - - description: The session category is applied to events and metrics regarding - logical persistent connections to hosts and services. Use this category - to visualize and analyze interactive or automated persistent connections - between assets. Data for this category may come from Windows Event logs, - SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. - expected_event_types: - - start - - end - - info - name: session - - description: 'Relating to web server access. Use this category to create a - dashboard of web server/proxy activity from apache, IIS, nginx web servers, - etc. Note: events from network observers such as Zeek http log may also - be included in this category.' 
- expected_event_types: - - access - - error - - info - name: web - dashed_name: threat-enrichments-event-category - description: 'This is one of four ECS Categorization Fields, and indicates the - second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process - activity. This field is closely related to `event.type`, which is used as - a subcategory. - - This field is an array. This will allow proper categorization of some events - that fall in multiple categories.' - example: authentication - flat_name: threat.enrichments.event.category + threat.enrichments.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.enrichments.indicator.description ignore_above: 1024 - level: core - name: category - normalize: - - array - original_fieldset: event - short: Event category. The second categorization field in the hierarchy. + level: extended + name: enrichments.indicator.description + normalize: [] + short: Indicator description type: keyword - threat.enrichments.event.code: - dashed_name: threat-enrichments-event-code - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 - flat_name: threat.enrichments.event.code + threat.enrichments.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). 
+ example: phish@example.com + flat_name: threat.enrichments.indicator.email.address ignore_above: 1024 level: extended - name: code + name: enrichments.indicator.email.address normalize: [] - original_fieldset: event - short: Identification code for this event. + short: Indicator email address type: keyword - threat.enrichments.event.created: - dashed_name: threat-enrichments-event-created - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' - flat_name: threat.enrichments.event.created - level: core - name: created + threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen + level: extended + name: enrichments.indicator.first_seen normalize: [] - original_fieldset: event - short: Time when the event was first read by an agent or by your pipeline. + short: Date/time indicator was first reported. type: date - threat.enrichments.event.dataset: - dashed_name: threat-enrichments-event-dataset - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. 
access - log, error log), the dataset is used to specify which one the event comes - from. - - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' - example: apache.access - flat_name: threat.enrichments.event.dataset + threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen + level: extended + name: enrichments.indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 - level: core - name: dataset + level: extended + name: enrichments.indicator.marking.tlp normalize: [] - original_fieldset: event - short: Name of the dataset. + short: Indicator TLP marking type: keyword - threat.enrichments.event.duration: - dashed_name: threat-enrichments-event-duration - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference - between the end and start time.' 
- flat_name: threat.enrichments.event.duration - format: duration - input_format: nanoseconds - level: core - name: duration + threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at + level: extended + name: enrichments.indicator.modified_at normalize: [] - original_fieldset: event - output_format: asMilliseconds - output_precision: 1 - short: Duration of the event in nanoseconds. + short: Date/time indicator was last updated. + type: date + threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port type: long - threat.enrichments.event.end: - dashed_name: threat-enrichments-event-end - description: event.end contains the date when the event ended or when the activity - was last observed. - flat_name: threat.enrichments.event.end + threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider + ignore_above: 1024 level: extended - name: end + name: enrichments.indicator.provider normalize: [] - original_fieldset: event - short: event.end contains the date when the event ended or when the activity - was last observed. 
- type: date - threat.enrichments.event.hash: - dashed_name: threat-enrichments-event-hash - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. - example: 123456789012345678901234567890ABCD - flat_name: threat.enrichments.event.hash + short: Indicator provider + type: keyword + threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference ignore_above: 1024 level: extended - name: hash + name: enrichments.indicator.reference normalize: [] - original_fieldset: event - short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. + short: Indicator reference URL type: keyword - threat.enrichments.event.id: - dashed_name: threat-enrichments-event-id - description: Unique ID to describe the event. - example: 8a4f500d - flat_name: threat.enrichments.event.id + threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats + level: extended + name: enrichments.indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type ignore_above: 1024 - level: core - name: id + level: extended + name: enrichments.indicator.type normalize: [] - original_fieldset: event - short: Unique ID to describe the event. + short: Type of indicator type: keyword - threat.enrichments.event.ingested: - dashed_name: threat-enrichments-event-ingested - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' - flat_name: threat.enrichments.event.ingested - level: core - name: ingested + threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. 
+ example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic normalize: [] - original_fieldset: event - short: Timestamp when an event arrived in the central data store. - type: date - threat.enrichments.event.kind: - allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. - - `event.kind:alert` is often populated for events coming from firewalls, - intrusion detection systems, endpoint detection and response systems, and - so on.' - name: alert - - description: This value is the most general and most common value for this - field. It is used to represent events that indicate that something happened. - name: event - - description: 'This value is used to indicate that this event describes a numeric - measurement taken at given point in time. - - Examples include CPU utilization, memory usage, or device temperature. - - Metric events are often collected on a predictable frequency, such as once - every few seconds, or once a minute, but can also be used to describe ad-hoc - numeric metric queries.' - name: metric - - description: 'The state value is similar to metric, indicating that this event - describes a measurement taken at given point in time, except that the measurement - does not result in a numeric value, but rather one of a fixed set of categorical - values that represent conditions or states. - - Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), - the state of a TCP connection (open, closed, fin_wait, etc.), the state - of a host with respect to a software vulnerability (vulnerable, not vulnerable), - and the state of a system regarding compliance with a regulatory standard - (compliant, not compliant). 
- - Note that an event that describes a change of state would not use `event.kind:state`, - but instead would use ''event.kind:event'' since a state change fits the - more general event definition of something that happened. - - State events are often collected on a predictable frequency, such as once - every few seconds, once a minute, once an hour, or once a day, but can also - be used to describe ad-hoc state queries.' - name: state - - description: This value indicates that an error occurred during the ingestion - of this event, and that event data may be missing, inconsistent, or incorrect. - `event.kind:pipeline_error` is often associated with parsing errors. - name: pipeline_error - - description: 'This value is used by the Elastic Security app to denote an - Elasticsearch document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful - happened and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' - name: signal - dashed_name: threat-enrichments-event-kind - description: 'This is one of four ECS Categorization Fields, and indicates the - highest level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the - event contains, without being specific to the contents of the event. For example, - values of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval - or not.' - example: alert - flat_name: threat.enrichments.event.kind - ignore_above: 1024 - level: core - name: kind - normalize: [] - original_fieldset: event - short: The kind of the event. The highest categorization field in the hierarchy. 
- type: keyword - threat.enrichments.event.module: - dashed_name: threat-enrichments-event-module - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain - the name of this module.' - example: apache - flat_name: threat.enrichments.event.module - ignore_above: 1024 - level: core - name: module - normalize: [] - original_fieldset: event - short: Name of the module this data is coming from. - type: keyword - threat.enrichments.event.original: - dashed_name: threat-enrichments-event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may - be required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and - index this field, please see `Field data types` in the `Elasticsearch Reference`.' - doc_values: false - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - flat_name: threat.enrichments.event.original - index: false - level: core - name: original - normalize: [] - original_fieldset: event - short: Raw text message of entire event. + short: Matched indicator value type: keyword - threat.enrichments.event.outcome: - allowed_values: - - description: Indicates that this event describes a failed result. A common - example is `event.category:file AND event.type:access AND event.outcome:failure` - to indicate that a file access was attempted, but was not successful. - name: failure - - description: Indicates that this event describes a successful result. 
A common - example is `event.category:file AND event.type:create AND event.outcome:success` - to indicate that a file was successfully created. - name: success - - description: Indicates that this event describes only an attempt for which - the result is unknown from the perspective of the event producer. For example, - if the event contains information only about the request side of a transaction - that results in a response, populating `event.outcome:unknown` in the request - event is appropriate. The unknown value should not be used when an outcome - doesn't make logical sense for the event. In such cases `event.outcome` - should not be populated. - name: unknown - dashed_name: threat-enrichments-event-outcome - description: 'This is one of four ECS Categorization Fields, and indicates the - lowest level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a - failure from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each - event may populate different values of `event.outcome`, according to their - perspective. - - Also note that in the case of a compound event (a single event that contains - multiple logical events), this field should be populated with the value that - best captures the overall success or failure from the perspective of the event - producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success - flat_name: threat.enrichments.event.outcome + threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. 
+ example: file.hash.sha256 + flat_name: threat.enrichments.matched.field ignore_above: 1024 - level: core - name: outcome + level: extended + name: enrichments.matched.field normalize: [] - original_fieldset: event - short: The outcome of the event. The lowest level categorization field in the - hierarchy. + short: Matched indicator field type: keyword - threat.enrichments.event.provider: - dashed_name: threat-enrichments-event-provider - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - flat_name: threat.enrichments.event.provider + threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id ignore_above: 1024 level: extended - name: provider + name: enrichments.matched.id normalize: [] - original_fieldset: event - short: Source of the event. + short: Matched indicator identifier type: keyword - threat.enrichments.event.reason: - dashed_name: threat-enrichments-event-reason - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` - which denied the request may also populate `event.reason` with the reason - why (e.g. `blocked site`).' 
- example: Terminated an unexpected process - flat_name: threat.enrichments.event.reason + threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: reason + name: enrichments.matched.index normalize: [] - original_fieldset: event - short: Reason why this event happened, according to the source + short: Matched indicator index type: keyword - threat.enrichments.event.reference: - dashed_name: threat-enrichments-event-reference - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - flat_name: threat.enrichments.event.reference + threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type ignore_above: 1024 level: extended - name: reference + name: enrichments.matched.type normalize: [] - original_fieldset: event - short: Event reference URL + short: Type of indicator match type: keyword - threat.enrichments.event.risk_score: - dashed_name: threat-enrichments-event-risk-score - description: Risk score or priority of the event (e.g. security solutions). - Use your system's original value here. - flat_name: threat.enrichments.event.risk_score - level: core - name: risk_score - normalize: [] - original_fieldset: event - short: Risk score or priority of the event (e.g. security solutions). 
Use your - system's original value here. - type: float - threat.enrichments.event.risk_score_norm: - dashed_name: threat-enrichments-event-risk-score-norm - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - flat_name: threat.enrichments.event.risk_score_norm - level: extended - name: risk_score_norm - normalize: [] - original_fieldset: event - short: Normalized risk score or priority of the event (0-100). - type: float - threat.enrichments.event.sequence: - dashed_name: threat-enrichments-event-sequence - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regardless of the timestamp precision.' - flat_name: threat.enrichments.event.sequence - format: string - level: extended - name: sequence - normalize: [] - original_fieldset: event - short: Sequence number of the event. - type: long - threat.enrichments.event.severity: - dashed_name: threat-enrichments-event-severity - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and - use cases. It''s up to the implementer to make sure severities are consistent - across events from the same source. + threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` - is meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' 
- example: 7 - flat_name: threat.enrichments.event.severity - format: string - level: core - name: severity - normalize: [] - original_fieldset: event - short: Numeric severity of the event. - type: long - threat.enrichments.event.start: - dashed_name: threat-enrichments-event-start - description: event.start contains the date when the event started or when the - activity was first observed. - flat_name: threat.enrichments.event.start - level: extended - name: start - normalize: [] - original_fieldset: event - short: event.start contains the date when the event started or when the activity - was first observed. - type: date - threat.enrichments.event.timezone: - dashed_name: threat-enrichments-event-timezone - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - flat_name: threat.enrichments.event.timezone + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain ignore_above: 1024 level: extended - name: timezone + name: domain normalize: [] - original_fieldset: event - short: Event time zone. + original_fieldset: url + short: Domain of the url. type: keyword - threat.enrichments.event.type: - allowed_values: - - description: The access event type is used for the subset of events within - a category that indicate that something was accessed. Common examples include - `event.category:database AND event.type:access`, or `event.category:file - AND event.type:access`. 
Note for file access, both directory listings and - file opens should be included in this subcategory. You can further distinguish - access operations using the ECS `event.action` field. - name: access - - description: 'The admin event type is used for the subset of events within - a category that are related to admin objects. For example, administrative - changes within an IAM framework that do not specifically affect a user or - group (e.g., adding new applications to a federation solution or connecting - discrete forests in Active Directory) would fall into this subcategory. - Common example: `event.category:iam AND event.type:change AND event.type:admin`. - You can further distinguish admin operations using the ECS `event.action` - field.' - name: admin - - description: The allowed event type is used for the subset of events within - a category that indicate that something was allowed. Common examples include - `event.category:network AND event.type:connection AND event.type:allowed` - (to indicate a network firewall event for which the firewall disposition - was to allow the connection to complete) and `event.category:intrusion_detection - AND event.type:allowed` (to indicate a network intrusion prevention system - event for which the IPS disposition was to allow the connection to complete). - You can further distinguish allowed operations using the ECS `event.action` - field, populating with values of your choosing, such as "allow", "detect", - or "pass". - name: allowed - - description: The change event type is used for the subset of events within - a category that indicate that something has changed. If semantics best describe - an event as modified, then include them in this subcategory. Common examples - include `event.category:process AND event.type:change`, and `event.category:file - AND event.type:change`. You can further distinguish change operations using - the ECS `event.action` field. 
- name: change - - description: Used primarily with `event.category:network` this value is used - for the subset of network traffic that includes sufficient information for - the event to be included in flow or connection analysis. Events in this - subcategory will contain at least source and destination IP addresses, source - and destination TCP/UDP ports, and will usually contain counts of bytes - and/or packets transferred. Events in this subcategory may contain unidirectional - or bidirectional information, including summary information. Use this subcategory - to visualize and analyze network connections. Flow analysis, including Netflow, - IPFIX, and other flow-related events fit in this subcategory. Note that - firewall events from many Next-Generation Firewall (NGFW) devices will also - fit into this subcategory. A common filter for flow/connection information - would be `event.category:network AND event.type:connection AND event.type:end` - (to view or analyze all completed network connections, ignoring mid-flow - reports). You can further distinguish connection events using the ECS `event.action` - field, populating with values of your choosing, such as "timeout", or "reset". - name: connection - - description: The "creation" event type is used for the subset of events within - a category that indicate that something was created. A common example is - `event.category:file AND event.type:creation`. - name: creation - - description: The deletion event type is used for the subset of events within - a category that indicate that something was deleted. A common example is - `event.category:file AND event.type:deletion` to indicate that a file has - been deleted. - name: deletion - - description: The denied event type is used for the subset of events within - a category that indicate that something was denied. 
Common examples include - `event.category:network AND event.type:denied` (to indicate a network firewall - event for which the firewall disposition was to deny the connection) and - `event.category:intrusion_detection AND event.type:denied` (to indicate - a network intrusion prevention system event for which the IPS disposition - was to deny the connection to complete). You can further distinguish denied - operations using the ECS `event.action` field, populating with values of - your choosing, such as "blocked", "dropped", or "quarantined". - name: denied - - description: The end event type is used for the subset of events within a - category that indicate something has ended. A common example is `event.category:process - AND event.type:end`. - name: end - - description: The error event type is used for the subset of events within - a category that indicate or describe an error. A common example is `event.category:database - AND event.type:error`. Note that pipeline errors that occur during the event - ingestion process should not use this `event.type` value. Instead, they - should use `event.kind:pipeline_error`. - name: error - - description: 'The group event type is used for the subset of events within - a category that are related to group objects. Common example: `event.category:iam - AND event.type:creation AND event.type:group`. You can further distinguish - group operations using the ECS `event.action` field.' - name: group - - description: The info event type is used for the subset of events within a - category that indicate that they are purely informational, and don't report - a state change, or any type of action. For example, an initial run of a - file integrity monitoring system (FIM), where an agent reports all files - under management, would fall into the "info" subcategory. Similarly, an - event containing a dump of all currently running processes (as opposed to - reporting that a process started/ended) would fall into the "info" subcategory. 
- An additional common examples is `event.category:intrusion_detection AND - event.type:info`. - name: info - - description: The installation event type is used for the subset of events - within a category that indicate that something was installed. A common example - is `event.category:package` AND `event.type:installation`. - name: installation - - description: The protocol event type is used for the subset of events within - a category that indicate that they contain protocol details or analysis, - beyond simply identifying the protocol. Generally, network events that contain - specific protocol details will fall into this subcategory. A common example - is `event.category:network AND event.type:protocol AND event.type:connection - AND event.type:end` (to indicate that the event is a network connection - event sent at the end of a connection that also includes a protocol detail - breakdown). Note that events that only indicate the name or id of the protocol - should not use the protocol value. Further note that when the protocol subcategory - is used, the identified protocol is populated in the ECS `network.protocol` - field. - name: protocol - - description: The start event type is used for the subset of events within - a category that indicate something has started. A common example is `event.category:process - AND event.type:start`. - name: start - - description: 'The user event type is used for the subset of events within - a category that are related to user objects. Common example: `event.category:iam - AND event.type:deletion AND event.type:user`. You can further distinguish - user operations using the ECS `event.action` field.' - name: user - dashed_name: threat-enrichments-event-type - description: 'This is one of four ECS Categorization Fields, and indicates the - third level in the ECS category hierarchy. 
+ threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. - `event.type` represents a categorization "sub-bucket" that, when used along - with the `event.category` field values, enables filtering events down to a - level appropriate for single visualization. + The file extension is only set if it exists, as not every url has a file extension. - This field is an array. This will allow proper categorization of some events - that fall in multiple event types.' - flat_name: threat.enrichments.event.type - ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: event - short: Event type. The third categorization field in the hierarchy. - type: keyword - threat.enrichments.event.url: - dashed_name: threat-enrichments-event-url - description: 'URL linking to an external system to continue investigation of - this event. + The leading period must not be included. For example, the value must be "png", + not ".png". - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - flat_name: threat.enrichments.event.url + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension ignore_above: 1024 level: extended - name: url + name: extension normalize: [] - original_fieldset: event - short: Event investigation URL + original_fieldset: url + short: File extension from the request url, excluding the leading dot. 
type: keyword - threat.enrichments.file.accessed: - dashed_name: threat-enrichments-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - flat_name: threat.enrichments.file.accessed - level: extended - name: accessed - normalize: [] - original_fieldset: file - short: Last time the file was accessed. - type: date - threat.enrichments.file.attributes: - dashed_name: threat-enrichments-file-attributes - description: 'Array of file attributes. + threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.enrichments.file.attributes + The `#` is not part of the fragment.' + flat_name: threat.enrichments.url.fragment ignore_above: 1024 level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. - type: keyword - threat.enrichments.file.code_signature.exists: - dashed_name: threat-enrichments-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.enrichments.file.code_signature.exists - level: core - name: exists + name: fragment normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - threat.enrichments.file.code_signature.signing_id: - dashed_name: threat-enrichments-file-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' 
- example: com.apple.xpc.proxy - flat_name: threat.enrichments.file.code_signature.signing_id + original_fieldset: url + short: Portion of the url after the `#`. + type: keyword + threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full ignore_above: 1024 level: extended - name: signing_id + multi_fields: + - flat_name: threat.enrichments.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: url + short: Full unparsed URL. type: keyword - threat.enrichments.file.code_signature.status: - dashed_name: threat-enrichments-file-code-signature-status - description: 'Additional information about the certificate status. + threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.enrichments.file.code_signature.status + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original ignore_above: 1024 level: extended - name: status + multi_fields: + - flat_name: threat.enrichments.url.original.text + name: text + norms: false + type: text + name: original normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + original_fieldset: url + short: Unmodified original url as seen in the event source. type: keyword - threat.enrichments.file.code_signature.subject_name: - dashed_name: threat-enrichments-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.enrichments.file.code_signature.subject_name + threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password ignore_above: 1024 - level: core - name: subject_name + level: extended + name: password normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: url + short: Password of the request. type: keyword - threat.enrichments.file.code_signature.team_id: - dashed_name: threat-enrichments-file-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.enrichments.file.code_signature.team_id + threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path ignore_above: 1024 level: extended - name: team_id + name: path normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: url + short: Path of the request, such as "/search". 
type: keyword - threat.enrichments.file.code_signature.trusted: - dashed_name: threat-enrichments-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.enrichments.file.code_signature.trusted + threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string level: extended - name: trusted + name: port normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - threat.enrichments.file.code_signature.valid: - dashed_name: threat-enrichments-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.enrichments.file.code_signature.valid + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.enrichments.url.query + ignore_above: 1024 level: extended - name: valid + name: query normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. 
- type: boolean - threat.enrichments.file.created: - dashed_name: threat-enrichments-file-created - description: 'File creation time. + original_fieldset: url + short: Query string of the request. + type: keyword + threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. - Note that not all filesystems store the creation time.' - flat_name: threat.enrichments.file.created - level: extended - name: created - normalize: [] - original_fieldset: file - short: File creation time. - type: date - threat.enrichments.file.ctime: - dashed_name: threat-enrichments-file-ctime - description: 'Last time the file attributes or metadata changed. + For example, the registered domain for "foo.example.com" is "example.com". - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.enrichments.file.ctime - level: extended - name: ctime - normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date - threat.enrichments.file.device: - dashed_name: threat-enrichments-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.enrichments.file.device + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain ignore_above: 1024 level: extended - name: device + name: registered_domain normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. 
type: keyword - threat.enrichments.file.directory: - dashed_name: threat-enrichments-file-directory - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice - flat_name: threat.enrichments.file.directory + threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme ignore_above: 1024 level: extended - name: directory + name: scheme normalize: [] - original_fieldset: file - short: Directory where the file is located. + original_fieldset: url + short: Scheme of the url. type: keyword - threat.enrichments.file.drive_letter: - dashed_name: threat-enrichments-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. + threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. - The value should be uppercase, and not include the colon.' - example: C - flat_name: threat.enrichments.file.drive_letter - ignore_above: 1 + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain + ignore_above: 1024 level: extended - name: drive_letter + name: subdomain normalize: [] - original_fieldset: file - short: Drive letter where the file is located. 
+ original_fieldset: url + short: The subdomain of the domain. type: keyword - threat.enrichments.file.elf.architecture: - dashed_name: threat-enrichments-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.enrichments.file.elf.architecture + threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain ignore_above: 1024 level: extended - name: architecture + name: top_level_domain normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword - threat.enrichments.file.elf.byte_order: - dashed_name: threat-enrichments-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.enrichments.file.elf.byte_order + threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. + flat_name: threat.enrichments.url.username ignore_above: 1024 level: extended - name: byte_order + name: username normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: url + short: Username of the request. type: keyword - threat.enrichments.file.elf.cpu_type: - dashed_name: threat-enrichments-file-elf-cpu-type - description: CPU type of the ELF file. 
- example: Intel - flat_name: threat.enrichments.file.elf.cpu_type + threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names ignore_above: 1024 level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - threat.enrichments.file.elf.creation_date: - dashed_name: threat-enrichments-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: threat.enrichments.file.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - threat.enrichments.file.elf.exports: - dashed_name: threat-enrichments-file-elf-exports - description: List of exported element names and types. - flat_name: threat.enrichments.file.elf.exports - level: extended - name: exports + name: alternative_names normalize: - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - threat.enrichments.file.elf.header.abi_version: - dashed_name: threat-enrichments-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.enrichments.file.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: x509 + short: List of subject alternative names (SAN). 
type: keyword - threat.enrichments.file.elf.header.class: - dashed_name: threat-enrichments-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.enrichments.file.elf.header.class + threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name ignore_above: 1024 level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. type: keyword - threat.enrichments.file.elf.header.data: - dashed_name: threat-enrichments-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.enrichments.file.elf.header.data + threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country ignore_above: 1024 level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes type: keyword - threat.enrichments.file.elf.header.entrypoint: - dashed_name: threat-enrichments-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.enrichments.file.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - threat.enrichments.file.elf.header.object_version: - dashed_name: threat-enrichments-file-elf-header-object-version - description: '"0x1" for original ELF files.' 
- flat_name: threat.enrichments.file.elf.header.object_version + threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name ignore_above: 1024 level: extended - name: header.object_version + name: issuer.distinguished_name normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. type: keyword - threat.enrichments.file.elf.header.os_abi: - dashed_name: threat-enrichments-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.enrichments.file.elf.header.os_abi + threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality ignore_above: 1024 level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.enrichments.file.elf.header.type: - dashed_name: threat-enrichments-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.enrichments.file.elf.header.type + threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization ignore_above: 1024 level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword - threat.enrichments.file.elf.header.version: - dashed_name: threat-enrichments-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.enrichments.file.elf.header.version + threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword - threat.enrichments.file.elf.imports: - dashed_name: threat-enrichments-file-elf-imports - description: List of imported element names and types. - flat_name: threat.enrichments.file.elf.imports - level: extended - name: imports + name: issuer.organizational_unit normalize: - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - threat.enrichments.file.elf.sections: - dashed_name: threat-enrichments-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: threat.enrichments.file.elf.sections + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province + ignore_above: 1024 level: extended - name: sections + name: issuer.state_or_province normalize: - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - threat.enrichments.file.elf.sections.chi2: - dashed_name: threat-enrichments-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.enrichments.file.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - threat.enrichments.file.elf.sections.entropy: - dashed_name: threat-enrichments-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.enrichments.file.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - threat.enrichments.file.elf.sections.flags: - dashed_name: threat-enrichments-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.enrichments.file.elf.sections.flags - ignore_above: 1024 + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after level: extended - name: sections.flags + name: not_after normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
- type: keyword - threat.enrichments.file.elf.sections.name: - dashed_name: threat-enrichments-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.enrichments.file.elf.sections.name - ignore_above: 1024 + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before level: extended - name: sections.name + name: not_before normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - threat.enrichments.file.elf.sections.physical_offset: - dashed_name: threat-enrichments-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.enrichments.file.elf.sections.physical_offset + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm ignore_above: 1024 level: extended - name: sections.physical_offset + name: public_key_algorithm normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword - threat.enrichments.file.elf.sections.physical_size: - dashed_name: threat-enrichments-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.enrichments.file.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long - threat.enrichments.file.elf.sections.type: - dashed_name: threat-enrichments-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.enrichments.file.elf.sections.type + threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve ignore_above: 1024 level: extended - name: sections.type + name: public_key_curve normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword - threat.enrichments.file.elf.sections.virtual_address: - dashed_name: threat-enrichments-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.enrichments.file.elf.sections.virtual_address - format: string + threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false level: extended - name: sections.virtual_address + name: public_key_exponent normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long - threat.enrichments.file.elf.sections.virtual_size: - dashed_name: threat-enrichments-file-elf-sections-virtual-size - description: ELF Section List virtual size. 
- flat_name: threat.enrichments.file.elf.sections.virtual_size - format: string + threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size level: extended - name: sections.virtual_size + name: public_key_size normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. + original_fieldset: x509 + short: The size of the public key space in bits. type: long - threat.enrichments.file.elf.segments: - dashed_name: threat-enrichments-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: threat.enrichments.file.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - threat.enrichments.file.elf.segments.sections: - dashed_name: threat-enrichments-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.enrichments.file.elf.segments.sections + threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number ignore_above: 1024 level: extended - name: segments.sections + name: serial_number normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword - threat.enrichments.file.elf.segments.type: - dashed_name: threat-enrichments-file-elf-segments-type - description: ELF object segment type. 
- flat_name: threat.enrichments.file.elf.segments.type + threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm ignore_above: 1024 level: extended - name: segments.type + name: signature_algorithm normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword - threat.enrichments.file.elf.shared_libraries: - dashed_name: threat-enrichments-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.enrichments.file.elf.shared_libraries + threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name ignore_above: 1024 level: extended - name: shared_libraries + name: subject.common_name normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + original_fieldset: x509 + short: List of common names (CN) of subject. type: keyword - threat.enrichments.file.elf.telfhash: - dashed_name: threat-enrichments-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.enrichments.file.elf.telfhash + threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country ignore_above: 1024 level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. 
+ name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code type: keyword - threat.enrichments.file.extension: - dashed_name: threat-enrichments-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.file.extension + threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name ignore_above: 1024 level: extended - name: extension + name: subject.distinguished_name normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. type: keyword - threat.enrichments.file.gid: - dashed_name: threat-enrichments-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.enrichments.file.gid + threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality ignore_above: 1024 level: extended - name: gid - normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.enrichments.file.group: - dashed_name: threat-enrichments-file-group - description: Primary group name of the file. 
- example: alice - flat_name: threat.enrichments.file.group + threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization ignore_above: 1024 level: extended - name: group - normalize: [] - original_fieldset: file - short: Primary group name of the file. + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. type: keyword - threat.enrichments.file.inode: - dashed_name: threat-enrichments-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.enrichments.file.inode + threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.x509.subject.organizational_unit ignore_above: 1024 level: extended - name: inode - normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. type: keyword - threat.enrichments.file.mime_type: - dashed_name: threat-enrichments-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. 
- flat_name: threat.enrichments.file.mime_type + threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province ignore_above: 1024 level: extended - name: mime_type - normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.file.mode: - dashed_name: threat-enrichments-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.enrichments.file.mode + threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number ignore_above: 1024 level: extended - name: mode + name: version_number normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: x509 + short: Version of x509 format. type: keyword - threat.enrichments.file.mtime: - dashed_name: threat-enrichments-file-mtime - description: Last time the file content was modified. - flat_name: threat.enrichments.file.mtime + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 level: extended - name: mtime + name: framework normalize: [] - original_fieldset: file - short: Last time the file content was modified. 
- type: date - threat.enrichments.file.name: - dashed_name: threat-enrichments-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.enrichments.file.name + short: Threat classification framework. + type: keyword + threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: name + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + short: ID of the group. type: keyword - threat.enrichments.file.owner: - dashed_name: threat-enrichments-file-owner - description: File owner's username. - example: alice - flat_name: threat.enrichments.file.owner + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." 
+ example: FIN6 + flat_name: threat.group.name ignore_above: 1024 level: extended - name: owner + name: group.name normalize: [] - original_fieldset: file - short: File owner's username. + short: Name of the group. type: keyword - threat.enrichments.file.path: - dashed_name: threat-enrichments-file-path - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.enrichments.file.path + threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.file.path.text - name: text - norms: false - type: text - name: path + name: group.reference normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. + short: Reference URL of the group. type: keyword - threat.enrichments.file.size: - dashed_name: threat-enrichments-file-size - description: 'File size in bytes. + threat.indicator.as.data.bytes: + dashed_name: threat-indicator-as-data-bytes + description: 'Original bytes written with base64 encoding. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.enrichments.file.size - level: extended - name: size - normalize: [] - original_fieldset: file - short: File size in bytes. - type: long - threat.enrichments.file.target_path: - dashed_name: threat-enrichments-file-target-path - description: Target path for symlinks. 
- flat_name: threat.enrichments.file.target_path + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.as.data.bytes ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.file.target_path.text - name: text - norms: false - type: text - name: target_path + name: data.bytes normalize: [] - original_fieldset: file - short: Target path for symlinks. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword - threat.enrichments.file.type: - dashed_name: threat-enrichments-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.enrichments.file.type + threat.indicator.as.data.strings: + dashed_name: threat-indicator-as-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.as.data.strings ignore_above: 1024 - level: extended - name: type - normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. type: keyword - threat.enrichments.file.uid: - dashed_name: threat-enrichments-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. 
- example: '1001' - flat_name: threat.enrichments.file.uid + threat.indicator.as.data.type: + dashed_name: threat-indicator-as-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.as.data.type ignore_above: 1024 - level: extended - name: uid + level: core + name: data.type normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.enrichments.geo.city_name: - dashed_name: threat-enrichments-geo-city-name - description: City name. - example: Montreal - flat_name: threat.enrichments.geo.city_name + threat.indicator.as.hive: + dashed_name: threat-indicator-as-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.as.hive ignore_above: 1024 level: core - name: city_name + name: hive normalize: [] - original_fieldset: geo - short: City name. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword - threat.enrichments.geo.continent_code: - dashed_name: threat-enrichments-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.enrichments.geo.continent_code + threat.indicator.as.key: + dashed_name: threat-indicator-as-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.as.key ignore_above: 1024 level: core - name: continent_code + name: key normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: registry + short: Hive-relative path of keys. type: keyword - threat.enrichments.geo.continent_name: - dashed_name: threat-enrichments-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: threat.enrichments.geo.continent_name + threat.indicator.as.path: + dashed_name: threat-indicator-as-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.as.path ignore_above: 1024 level: core - name: continent_name + name: path normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: registry + short: Full path, including hive, key and value type: keyword - threat.enrichments.geo.country_iso_code: - dashed_name: threat-enrichments-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.enrichments.geo.country_iso_code + threat.indicator.as.value: + dashed_name: threat-indicator-as-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.as.value ignore_above: 1024 level: core - name: country_iso_code + name: value normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: registry + short: Name of the value written. type: keyword - threat.enrichments.geo.country_name: - dashed_name: threat-enrichments-geo-country-name - description: Country name. - example: Canada - flat_name: threat.enrichments.geo.country_name + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 - level: core - name: country_name + level: extended + name: indicator.confidence normalize: [] - original_fieldset: geo - short: Country name. 
+ short: Indicator confidence rating type: keyword - threat.enrichments.geo.location: - dashed_name: threat-enrichments-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.enrichments.geo.location - level: core - name: location + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - threat.enrichments.geo.name: - dashed_name: threat-enrichments-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.enrichments.geo.name + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: name + name: indicator.email.address normalize: [] - original_fieldset: geo - short: User-defined description of a location. + short: Indicator email address type: keyword - threat.enrichments.geo.postal_code: - dashed_name: threat-enrichments-geo-postal-code - description: 'Postal code associated with the location. 
+ threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.enrichments.geo.postal_code + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists level: core - name: postal_code + name: exists normalize: [] - original_fieldset: geo - short: Postal code. + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword - threat.enrichments.geo.region_iso_code: - dashed_name: threat-enrichments-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.enrichments.geo.region_iso_code + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: status normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - threat.enrichments.geo.region_name: - dashed_name: threat-enrichments-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.enrichments.geo.region_name + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 level: core - name: region_name + name: subject_name normalize: [] - original_fieldset: geo - short: Region name. + original_fieldset: code_signature + short: Subject name of the code signer type: keyword - threat.enrichments.geo.timezone: - dashed_name: threat-enrichments-geo-timezone - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - flat_name: threat.enrichments.geo.timezone + threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 - level: core - name: timezone + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - threat.enrichments.hash.md5: - dashed_name: threat-enrichments-hash-md5 - description: MD5 hash. - flat_name: threat.enrichments.hash.md5 - ignore_above: 1024 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean + threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created level: extended - name: md5 + name: created normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - threat.enrichments.hash.sha1: - dashed_name: threat-enrichments-hash-sha1 - description: SHA1 hash. - flat_name: threat.enrichments.hash.sha1 - ignore_above: 1024 + original_fieldset: file + short: File creation time. + type: date + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime level: extended - name: sha1 + name: ctime normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - threat.enrichments.hash.sha256: - dashed_name: threat-enrichments-hash-sha256 - description: SHA256 hash. - flat_name: threat.enrichments.hash.sha256 + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended - name: sha256 + name: device normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: file + short: Device that is the source of the file. type: keyword - threat.enrichments.hash.sha512: - dashed_name: threat-enrichments-hash-sha512 - description: SHA512 hash. - flat_name: threat.enrichments.hash.sha512 + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. 
It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory ignore_above: 1024 level: extended - name: sha512 + name: directory normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: file + short: Directory where the file is located. type: keyword - threat.enrichments.hash.ssdeep: - dashed_name: threat-enrichments-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.hash.ssdeep - ignore_above: 1024 + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 level: extended - name: ssdeep + name: drive_letter normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: file + short: Drive letter where the file is located. type: keyword - threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic + threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture ignore_above: 1024 level: extended - name: enrichments.matched.atomic + name: architecture normalize: [] - short: Matched indicator value + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword - threat.enrichments.matched.field: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field + threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order ignore_above: 1024 level: extended - name: enrichments.matched.field + name: byte_order normalize: [] - short: Matched indicator field + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword - threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id + threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type ignore_above: 1024 level: extended - name: enrichments.matched.id + name: cpu_type normalize: [] - short: Matched indicator identifier + original_fieldset: elf + short: CPU type of the ELF file. type: keyword - threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index - ignore_above: 1024 + threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ flat_name: threat.indicator.file.elf.creation_date level: extended - name: enrichments.matched.index + name: creation_date normalize: [] - short: Matched indicator index - type: keyword - threat.enrichments.matched.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type + original_fieldset: elf + short: Build or compile date. + type: date + threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended - name: enrichments.matched.type + name: header.abi_version normalize: [] - short: Type of indicator match + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword - threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' 
- example: www.elastic.co - flat_name: threat.enrichments.url.domain + threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class ignore_above: 1024 level: extended - name: domain + name: header.class normalize: [] - original_fieldset: url - short: Domain of the url. + original_fieldset: elf + short: Header class of the ELF file. type: keyword - threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.url.extension + threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data ignore_above: 1024 level: extended - name: extension + name: header.data normalize: [] - original_fieldset: url - short: File extension from the request url, excluding the leading dot. + original_fieldset: elf + short: Data table of the ELF header. type: keyword - threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment - ignore_above: 1024 + threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. 
+ flat_name: threat.indicator.file.elf.header.entrypoint + format: string level: extended - name: fragment + name: header.entrypoint normalize: [] - original_fieldset: url - short: Portion of the url after the `#`. - type: keyword - threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.indicator.file.elf.header.object_version ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.full.text - name: text - norms: false - type: text - name: full + name: header.object_version normalize: [] - original_fieldset: url - short: Full unparsed URL. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword - threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. 
+ flat_name: threat.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.original.text - name: text - norms: false - type: text - name: original + name: header.os_abi normalize: [] - original_fieldset: url - short: Unmodified original url as seen in the event source. - type: keyword - threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password - description: Password of the request. - flat_name: threat.enrichments.url.password + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type ignore_above: 1024 level: extended - name: password + name: header.type normalize: [] - original_fieldset: url - short: Password of the request. + original_fieldset: elf + short: Header type of the ELF file. type: keyword - threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path - description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path + threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.indicator.file.elf.header.version ignore_above: 1024 level: extended - name: path + name: header.version normalize: [] - original_fieldset: url - short: Path of the request, such as "/search". + original_fieldset: elf + short: Version of the ELF header. type: keyword - threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port - description: Port of the request, such as 443. - example: 443 - flat_name: threat.enrichments.url.port - format: string + threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. 
+ flat_name: threat.indicator.file.elf.imports level: extended - name: port + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 normalize: [] - original_fieldset: url - short: Port of the request, such as 443. + original_fieldset: elf + short: Chi-square probability distribution of the section. type: long - threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' - flat_name: threat.enrichments.url.query - ignore_above: 1024 + threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number level: extended - name: query + name: sections.entropy normalize: [] - original_fieldset: url - short: Query string of the request. 
- type: keyword - threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: threat.enrichments.url.registered_domain + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: registered_domain + name: sections.flags normalize: [] - original_fieldset: url - short: The highest registered url domain, stripped of the subdomain. + original_fieldset: elf + short: ELF Section List flags. type: keyword - threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: threat.enrichments.url.scheme + threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name ignore_above: 1024 level: extended - name: scheme + name: sections.name normalize: [] - original_fieldset: url - short: Scheme of the url. + original_fieldset: elf + short: ELF Section List name. type: keyword - threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. 
In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: threat.enrichments.url.subdomain + threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - name: subdomain + name: sections.physical_offset normalize: [] - original_fieldset: url - short: The subdomain of the domain. + original_fieldset: elf + short: ELF Section List offset. type: keyword - threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: threat.enrichments.url.top_level_domain + threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long + threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended - name: top_level_domain + name: sections.type normalize: [] - original_fieldset: url - short: The effective top level domain (com, org, net, co.uk). + original_fieldset: elf + short: ELF Section List type. type: keyword - threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username - description: Username of the request. - flat_name: threat.enrichments.url.username + threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. 
+ type: nested + threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections ignore_above: 1024 level: extended - name: username + name: segments.sections normalize: [] - original_fieldset: url - short: Username of the request. + original_fieldset: elf + short: ELF object segment sections. type: keyword - threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.indicator.file.elf.segments.type ignore_above: 1024 level: extended - name: alternative_names - normalize: - - array - original_fieldset: x509 - short: List of subject alternative names (SAN). + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. type: keyword - threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: threat.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended - name: issuer.common_name + name: shared_libraries normalize: - array - original_fieldset: x509 - short: List of common name (CN) of issuing certificate authority. + original_fieldset: elf + short: List of shared libraries used by this ELF object. type: keyword - threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country - description: List of country (C) codes - example: US - flat_name: threat.enrichments.x509.issuer.country + threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash ignore_above: 1024 level: extended - name: issuer.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) codes + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. type: keyword - threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended - name: issuer.distinguished_name + name: extension normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of issuing certificate authority. + original_fieldset: file + short: File extension, excluding the leading dot. 
type: keyword - threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality - description: List of locality names (L) - example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended - name: issuer.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. type: keyword - threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group ignore_above: 1024 level: extended - name: issuer.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of issuing certificate authority. + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. type: keyword - threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. 
+ example: '256383' + flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended - name: issuer.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of issuing certificate authority. + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. type: keyword - threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended - name: issuer.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. type: keyword - threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 level: extended - name: not_after + name: mode normalize: [] - original_fieldset: x509 - short: Time at which the certificate is no longer considered valid. 
- type: date - threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime level: extended - name: not_before + name: mtime normalize: [] - original_fieldset: x509 - short: Time at which the certificate is first considered valid. + original_fieldset: file + short: Last time the file content was modified. type: date - threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm - description: Algorithm used to generate the public key. - example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended - name: public_key_algorithm + name: name normalize: [] - original_fieldset: x509 - short: Algorithm used to generate the public key. + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword - threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. 
+ example: alice + flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended - name: public_key_curve + name: owner normalize: [] - original_fieldset: x509 - short: The curve used by the elliptic curve public key algorithm. This is algorithm - specific. + original_fieldset: file + short: File owner's username. type: keyword - threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent - description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent - index: false + threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + ignore_above: 1024 level: extended - name: public_key_exponent + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path normalize: [] - original_fieldset: x509 - short: Exponent used to derive the public key. This is algorithm specific. - type: long - threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size - description: The size of the public key space in bits. - example: 2048 - flat_name: threat.enrichments.x509.public_key_size + original_fieldset: file + short: Full path to the file, including the file name. + type: keyword + threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size level: extended - name: public_key_size + name: size normalize: [] - original_fieldset: x509 - short: The size of the public key space in bits. + original_fieldset: file + short: File size in bytes. 
type: long - threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path ignore_above: 1024 level: extended - name: serial_number + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path normalize: [] - original_fieldset: x509 - short: Unique serial number issued by the certificate authority. + original_fieldset: file + short: Target path for symlinks. type: keyword - threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type ignore_above: 1024 level: extended - name: signature_algorithm + name: type normalize: [] - original_fieldset: x509 - short: Identifier for certificate signature algorithm. + original_fieldset: file + short: File type (file, dir, or symlink). type: keyword - threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name - description: List of common names (CN) of subject. 
- example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended - name: subject.common_name - normalize: - - array - original_fieldset: x509 - short: List of common names (CN) of subject. + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword - threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country - description: List of country (C) code - example: US - flat_name: threat.enrichments.x509.subject.country - ignore_above: 1024 + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen level: extended - name: subject.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) code - type: keyword - threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. 
+ example: Montreal + flat_name: threat.indicator.geo.city_name ignore_above: 1024 - level: extended - name: subject.distinguished_name + level: core + name: city_name normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of the certificate subject entity. + original_fieldset: geo + short: City name. type: keyword - threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality - description: List of locality names (L) - example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: subject.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. type: keyword - threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization - description: List of organizations (O) of subject. - example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name ignore_above: 1024 - level: extended - name: subject.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of subject. + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. type: keyword - threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit - description: List of organizational units (OU) of subject. 
- flat_name: threat.enrichments.x509.subject.organizational_unit + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 - level: extended - name: subject.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of subject. + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. type: keyword - threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.subject.state_or_province + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name ignore_above: 1024 - level: extended - name: subject.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. type: keyword - threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number - description: Version of x509 format. - example: 3 - flat_name: threat.enrichments.x509.version_number + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name ignore_above: 1024 level: extended - name: version_number + name: name normalize: [] - original_fieldset: x509 - short: Version of x509 format. + original_fieldset: geo + short: User-defined description of a location. type: keyword - threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code ignore_above: 1024 - level: extended - name: framework + level: core + name: postal_code normalize: [] - short: Threat classification framework. + original_fieldset: geo + short: Postal code. type: keyword - threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. type: keyword - threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name ignore_above: 1024 - level: extended - name: group.id + level: core + name: region_name normalize: [] - short: ID of the group. + original_fieldset: geo + short: Region name. type: keyword - threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone ignore_above: 1024 - level: extended - name: group.name + level: core + name: timezone normalize: [] - short: Name of the group. + original_fieldset: geo + short: Time zone. type: keyword - threat.group.reference: - beta: This field is beta and subject to change. 
- dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended - name: group.reference + name: md5 normalize: [] - short: Reference URL of the group. + original_fieldset: hash + short: MD5 hash. type: keyword - threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended - name: indicator.confidence + name: sha1 normalize: [] - short: Indicator confidence rating + original_fieldset: hash + short: SHA1 hash. type: keyword - threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. 
+ flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended - name: indicator.description + name: sha256 normalize: [] - short: Indicator description + original_fieldset: hash + short: SHA256 hash. type: keyword - threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - flat_name: threat.indicator.email.address + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended - name: indicator.email.address + name: sha512 normalize: [] - short: Indicator email address + original_fieldset: hash + short: SHA512 hash. type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 level: extended - name: indicator.first_seen + name: ssdeep normalize: [] - short: Date/time indicator was first reported. - type: date + original_fieldset: hash + short: SSDEEP hash. + type: keyword threat.indicator.ip: beta: This field is beta and subject to change. dashed_name: threat-indicator-ip 
@@ -12750,6 +12302,30 @@ threat: normalize: [] short: Indicator port type: long + threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Indicator provider + type: keyword + threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 + level: extended + name: indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword threat.indicator.scanner_stats: beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats 
@@ -12993,35 +12569,70 @@ threat: group: 2 name: threat nestings: - - threat.enrichments.as - - threat.enrichments.event - - threat.enrichments.file - - threat.enrichments.geo - - threat.enrichments.hash + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as + - threat.enrichments.indicator.as - threat.enrichments.url - threat.enrichments.x509 + - threat.indicator.as + - threat.indicator.as + - threat.indicator.as + - threat.indicator.file + - threat.indicator.geo + - threat.indicator.hash prefix: threat. reused_here: - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.as + full: threat.indicator.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - - beta: Reusing the `event` fields in this location is currently considered beta. - full: threat.enrichments.event - schema_name: event - short: Fields breaking down the event details. - beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.file + full: threat.indicator.file + schema_name: file + short: Fields describing files. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as schema_name: file short: Fields describing files. - beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.geo + full: threat.indicator.geo + schema_name: geo + short: Fields describing a location. + - beta: Reusing the `as` fields in this location is currently considered beta. 
+ full: threat.enrichments.indicator.as schema_name: geo short: Fields describing a location. - beta: Reusing the `hash` fields in this location is currently considered beta. - full: threat.enrichments.hash + full: threat.indicator.hash + schema_name: hash + short: Hashes, usually file hashes. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as schema_name: hash short: Hashes, usually file hashes. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + schema_name: registry + short: Fields related to Windows Registry operations. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as + schema_name: registry + short: Fields related to Windows Registry operations. - beta: Reusing the `url` fields in this location is currently considered beta. full: threat.enrichments.url schema_name: url diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index e4bb0a569a..d5f879e506 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
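Review bot: The `reused_here` entries for `schema_name: file`, `geo`, `hash`, `pe` and `registry` all carry `full: threat.enrichments.indicator.as` (pe and registry also `full: threat.indicator.as`) and the "Reusing the `as` fields" beta text, and `nestings` lists `threat.enrichments.indicator.as` six times and `threat.indicator.as` three times instead of one path per field set. This looks like the reuse declarations for those field sets were copied from the `as` schema with `as: as` left unchanged, so they all land on the same path and the last one wins — the `template.json` hunk below shows `enrichments.indicator.as` mapped with registry keys (`data`, `hive`, `key`, `path`, `value`) rather than AS fields, which is the silent result of that collision. The fix belongs in the source schemas' `reusable.expected` blocks, e.g. `as: file`, `as: geo`, `as: hash`, `as: pe`, `as: registry` with matching beta text, followed by regeneration so these entries read `full: threat.enrichments.indicator.file` and so on. A generator-side check that `nestings` contains no duplicate path would have flagged this before the mapping was committed.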
@@ -3096,248 +3096,507 @@ "properties": { "enrichments": { "properties": { - "as": { + "indicator": { "properties": { - "number": { - "type": "long" - }, - "organization": { + "as": { "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { "ignore_above": 1024, "type": "keyword" } } - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" }, - "agent_id_status": { + "confidence": { "ignore_above": 1024, "type": "keyword" }, - "category": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "code": { - "ignore_above": 1024, - "type": "keyword" + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "created": { + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { "type": "date" }, - "dataset": { + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { "ignore_above": 1024, "type": "keyword" }, - "duration": { + "scanner_stats": { "type": "long" }, - "end": { - "type": "date" + "sightings": { + "type": "long" }, - "hash": { + "type": { "ignore_above": 1024, "type": "keyword" - }, - "id": { + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { "ignore_above": 1024, "type": "keyword" }, - "ingested": { - "type": "date" + "field": { + "ignore_above": 1024, + 
"type": "keyword" }, - "kind": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "module": { + "index": { "ignore_above": 1024, "type": "keyword" }, - "original": { - "doc_values": false, - "index": false, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, "type": "keyword" }, - "outcome": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "provider": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "reason": { + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "reference": { + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "risk_score": { - "type": "float" + "password": { + "ignore_above": 1024, + "type": "keyword" }, - "risk_score_norm": { - "type": "float" + "path": { + "ignore_above": 1024, + "type": "keyword" }, - "sequence": { + "port": { "type": "long" }, - "severity": { - "type": "long" + "query": { + "ignore_above": 1024, + "type": "keyword" }, - "start": { - "type": "date" + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" }, - "timezone": { + "scheme": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, - "url": { + "username": { "ignore_above": 1024, "type": "keyword" } } }, - "file": { + "x509": { "properties": { - "accessed": { - "type": "date" - }, - "attributes": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "code_signature": { + "issuer": { "properties": { - "exists": { - "type": "boolean" + "common_name": { + "ignore_above": 1024, + "type": "keyword" }, - "signing_id": { + "country": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "distinguished_name": { "ignore_above": 1024, "type": 
"keyword" }, - "subject_name": { + "locality": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "organization": { "ignore_above": 1024, "type": "keyword" }, - "trusted": { - "type": "boolean" + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" }, - "valid": { - "type": "boolean" + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" } } }, - "created": { + "not_after": { "type": "date" }, - "ctime": { + "not_before": { "type": "date" }, - "device": { + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "directory": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "drive_letter": { - "ignore_above": 1, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, "type": "keyword" }, - "elf": { + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { "properties": { - "architecture": { + "common_name": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { + "country": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { + "distinguished_name": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" + "locality": { + "ignore_above": 1024, + "type": "keyword" }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } + "organization": { + "ignore_above": 1024, + "type": "keyword" }, - 
"imports": { - "type": "flattened" + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" }, "flags": { "ignore_above": 1024, @@ -3458,6 +3717,9 @@ } } }, + "first_seen": { + "type": "date" + }, "geo": { "properties": { "city_name": { 
@@ -3529,255 +3791,6 @@ } } }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, "ip": { "type": "ip" }, 
@@ -3798,6 +3811,14 @@ "port": { "type": "long" }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, "scanner_stats": { "type": "long" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 6b1cbdd7e9..04e4d6a619 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -3092,248 +3092,507 @@ "properties": { "enrichments": { "properties": { - "as": { + "indicator": { "properties": { - "number": { - "type": "long" - }, - "organization": { + "as": { "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { "ignore_above": 1024, "type": "keyword" } } - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" }, - "agent_id_status": { + "confidence": { "ignore_above": 1024, "type": "keyword" }, - "category": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "code": { - "ignore_above": 1024, - "type": "keyword" + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "created": { + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { "type": "date" }, - "dataset": { + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { "ignore_above": 1024, "type": "keyword" }, - "duration": { + "scanner_stats": { "type": "long" }, - "end": { - "type": "date" + "sightings": { + "type": "long" }, - "hash": { + "type": { "ignore_above": 1024, "type": "keyword" - }, - "id": { + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { "ignore_above": 1024, "type": "keyword" }, - "ingested": { - "type": "date" + "field": { + "ignore_above": 1024, + 
"type": "keyword" }, - "kind": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "module": { + "index": { "ignore_above": 1024, "type": "keyword" }, - "original": { - "doc_values": false, - "index": false, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, "type": "keyword" }, - "outcome": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "provider": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "reason": { + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "reference": { + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "risk_score": { - "type": "float" + "password": { + "ignore_above": 1024, + "type": "keyword" }, - "risk_score_norm": { - "type": "float" + "path": { + "ignore_above": 1024, + "type": "keyword" }, - "sequence": { + "port": { "type": "long" }, - "severity": { - "type": "long" + "query": { + "ignore_above": 1024, + "type": "keyword" }, - "start": { - "type": "date" + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" }, - "timezone": { + "scheme": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, - "url": { + "username": { "ignore_above": 1024, "type": "keyword" } } }, - "file": { + "x509": { "properties": { - "accessed": { - "type": "date" - }, - "attributes": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "code_signature": { + "issuer": { "properties": { - "exists": { - "type": "boolean" + "common_name": { + "ignore_above": 1024, + "type": "keyword" }, - "signing_id": { + "country": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "distinguished_name": { "ignore_above": 1024, "type": 
"keyword" }, - "subject_name": { + "locality": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "organization": { "ignore_above": 1024, "type": "keyword" }, - "trusted": { - "type": "boolean" + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" }, - "valid": { - "type": "boolean" + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" } } }, - "created": { + "not_after": { "type": "date" }, - "ctime": { + "not_before": { "type": "date" }, - "device": { + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "directory": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "drive_letter": { - "ignore_above": 1, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, "type": "keyword" }, - "elf": { + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { "properties": { - "architecture": { + "common_name": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { + "country": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { + "distinguished_name": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" + "locality": { + "ignore_above": 1024, + "type": "keyword" }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } + "organization": { + "ignore_above": 1024, + "type": "keyword" }, - 
"imports": { - "type": "flattened" + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" }, "flags": { "ignore_above": 1024, @@ -3454,6 +3713,9 @@ } } }, + "first_seen": { + "type": "date" + }, "geo": { "properties": { "city_name": { 
@@ -3525,255 +3787,6 @@ } } }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, "ip": { "type": "ip" }, 
@@ -3794,6 +3807,14 @@ "port": { "type": "long" }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, "scanner_stats": { "type": "long" }, diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index c41fa0e1c6..b0196d0d29 100644 --- a/generated/elasticsearch/component/threat.json +++ b/generated/elasticsearch/component/threat.json 
@@ -10,253 +10,512 @@ "properties": { "enrichments": { "properties": { - "as": { + "indicator": { "properties": { - "number": { - "type": "long" - }, - "organization": { + "as": { "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { "ignore_above": 1024, "type": "keyword" } } - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" }, - "agent_id_status": { + "confidence": { "ignore_above": 1024, "type": "keyword" }, - "category": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "code": { - "ignore_above": 1024, - "type": "keyword" + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "created": { + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { "type": "date" }, - "dataset": { + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { "ignore_above": 1024, "type": "keyword" }, - "duration": { + "scanner_stats": { "type": "long" }, - "end": { - "type": "date" + "sightings": { + "type": "long" }, - "hash": { + "type": { "ignore_above": 1024, "type": "keyword" - }, - "id": { + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { "ignore_above": 1024, "type": "keyword" }, - "ingested": { - "type": "date" + "field": { + "ignore_above": 1024, + "type": 
"keyword" }, - "kind": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "module": { + "index": { "ignore_above": 1024, "type": "keyword" }, - "original": { - "doc_values": false, - "index": false, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, "type": "keyword" }, - "outcome": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "provider": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "reason": { + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "reference": { + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "risk_score": { - "type": "float" + "password": { + "ignore_above": 1024, + "type": "keyword" }, - "risk_score_norm": { - "type": "float" + "path": { + "ignore_above": 1024, + "type": "keyword" }, - "sequence": { + "port": { "type": "long" }, - "severity": { - "type": "long" + "query": { + "ignore_above": 1024, + "type": "keyword" }, - "start": { - "type": "date" + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" }, - "timezone": { + "scheme": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, - "url": { + "username": { "ignore_above": 1024, "type": "keyword" } } }, - "file": { + "x509": { "properties": { - "accessed": { - "type": "date" - }, - "attributes": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "code_signature": { + "issuer": { "properties": { - "exists": { - "type": "boolean" + "common_name": { + "ignore_above": 1024, + "type": "keyword" }, - "signing_id": { + "country": { "ignore_above": 1024, "type": "keyword" }, - "status": { + "distinguished_name": { "ignore_above": 1024, "type": 
"keyword" }, - "subject_name": { + "locality": { "ignore_above": 1024, "type": "keyword" }, - "team_id": { + "organization": { "ignore_above": 1024, "type": "keyword" }, - "trusted": { - "type": "boolean" + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" }, - "valid": { - "type": "boolean" + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" } } }, - "created": { + "not_after": { "type": "date" }, - "ctime": { + "not_before": { "type": "date" }, - "device": { + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "directory": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "drive_letter": { - "ignore_above": 1, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, "type": "keyword" }, - "elf": { + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { "properties": { - "architecture": { + "common_name": { "ignore_above": 1024, "type": "keyword" }, - "byte_order": { + "country": { "ignore_above": 1024, "type": "keyword" }, - "cpu_type": { + "distinguished_name": { "ignore_above": 1024, "type": "keyword" }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" + "locality": { + "ignore_above": 1024, + "type": "keyword" }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } + "organization": { + "ignore_above": 1024, + "type": "keyword" }, - 
"imports": { - "type": "flattened" + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, "name": { "ignore_above": 1024, "type": "keyword" @@ -372,6 +631,9 @@ } } }, + "first_seen": { + "type": "date" + }, "geo": { "properties": { "city_name": { 
@@ -443,255 +705,6 @@ } } }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, "ip": { "type": "ip" }, 
@@ -712,6 +725,14 @@ "port": { "type": "long" }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, "scanner_stats": { "type": "long" }, From cfcb9c3b70bf7f9e2a5095fad36c00684e6b7044 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Tue, 6 Jul 2021 17:26:34 -0500 Subject: [PATCH 3/8] changelog --- CHANGELOG.next.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index a051b25ad4..4b4e0d5b90 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -37,8 +37,8 @@ Thanks, you're awesome :-) --> * Extend `threat.*` field set beta. #1438 * Added `event.agent_id_status` field. #1454 * `process.target` and `process.target.parent` added to experimental schema. #1467 -* Threat indicator fields progress to beta stage. #1471 -* `threat.enrichments` beta fields. #1478 +* Threat indicator fields progress to beta stage. #1471, #1504 +* `threat.enrichments` beta fields. #1478, #1504 #### Improvements From 0e974699cc746b6bdb7c28f797540c184d1ecdba Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Wed, 7 Jul 2021 12:22:23 -0500 Subject: [PATCH 4/8] correct reusable configuration for pe and registry --- docs/field-details.asciidoc | 42 +- experimental/generated/beats/fields.ecs.yml | 1319 +++-- experimental/generated/csv/fields.csv | 112 +- experimental/generated/ecs/ecs_flat.yml | 4255 +++++++++------- experimental/generated/ecs/ecs_nested.yml | 4311 ++++++++++------- .../generated/elasticsearch/7/template.json | 466 +- .../elasticsearch/component/threat.json | 466 +- generated/beats/fields.ecs.yml | 352 +- generated/csv/fields.csv | 50 +- generated/ecs/ecs_flat.yml | 602 ++- generated/ecs/ecs_nested.yml | 634 ++- generated/elasticsearch/6/template.json | 199 +- generated/elasticsearch/7/template.json | 199 +- generated/elasticsearch/component/threat.json | 199 +- schemas/pe.yml | 4 +- schemas/registry.yml | 4 +- 16 files changed, 8824 insertions(+), 4390 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 0223835bfc..136f1041cd 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -6151,9 +6151,9 @@ The `pe` fields are expected to be nested at: * `process.pe` -* `threat.enrichments.indicator.as` +* `threat.enrichments.indicator.pe` -* `threat.indicator.as` +* `threat.indicator.pe` Note also that the `pe` fields are not expected to be used directly at the root of the events. @@ -6688,9 +6688,9 @@ example: `Debugger` The `registry` fields are expected to be nested at: -* `threat.enrichments.indicator.as` +* `threat.enrichments.indicator.registry` -* `threat.indicator.as` +* `threat.indicator.registry` Note also that the `registry` fields may be used directly at the root of the events. 
@@ -8863,7 +8863,7 @@ Hashes, usually file hashes. // =============================================================== -| `threat.enrichments.indicator.as.*` +| `threat.enrichments.indicator.pe.*` | <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] These fields contain Windows Portable Executable (PE) metadata. @@ -8871,7 +8871,7 @@ These fields contain Windows Portable Executable (PE) metadata. // =============================================================== -| `threat.enrichments.indicator.as.*` +| `threat.enrichments.indicator.registry.*` | <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] Fields related to Windows Registry operations. 
@@ -8903,42 +8903,42 @@ Fields describing an Autonomous System (Internet routing prefix). // =============================================================== -| `threat.indicator.as.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| `threat.indicator.file.*` +| <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] -These fields contain Windows Portable Executable (PE) metadata. +Fields describing files. // =============================================================== -| `threat.indicator.as.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| `threat.indicator.geo.*` +| <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] -Fields related to Windows Registry operations. +Fields describing a location. // =============================================================== -| `threat.indicator.file.*` -| <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] +| `threat.indicator.hash.*` +| <>| beta:[ Reusing the `hash` fields in this location is currently considered beta.] -Fields describing files. +Hashes, usually file hashes. // =============================================================== -| `threat.indicator.geo.*` -| <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] +| `threat.indicator.pe.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] -Fields describing a location. +These fields contain Windows Portable Executable (PE) metadata. // =============================================================== -| `threat.indicator.hash.*` -| <>| beta:[ Reusing the `hash` fields in this location is currently considered beta.] +| `threat.indicator.registry.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] -Hashes, usually file hashes. +Fields related to Windows Registry operations. 
// =============================================================== diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 47fc148e9a..0ac5e5d5a4 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -8188,62 +8188,35 @@ type: object description: Indicators default_field: false - - name: enrichments.indicator.as.data.bytes + - name: enrichments.indicator.as.md5 level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: enrichments.indicator.as.data.strings - level: core - type: wildcard - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + description: MD5 hash. default_field: false - - name: enrichments.indicator.as.data.type - level: core + - name: enrichments.indicator.as.sha1 + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: SHA1 hash. default_field: false - - name: enrichments.indicator.as.hive - level: core + - name: enrichments.indicator.as.sha256 + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM - default_field: false - - name: enrichments.indicator.as.key - level: core - type: wildcard - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + description: SHA256 hash. 
default_field: false - - name: enrichments.indicator.as.path - level: core - type: wildcard - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + - name: enrichments.indicator.as.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. default_field: false - - name: enrichments.indicator.as.value - level: core + - name: enrichments.indicator.as.ssdeep + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger + description: SSDEEP hash. default_field: false - name: enrichments.indicator.confidence level: extended 
@@ -8306,200 +8279,117 @@ for this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.indicator.port - level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - default_field: false - - name: enrichments.indicator.provider - level: extended - type: keyword - ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus - default_field: false - - name: enrichments.indicator.reference - level: extended - type: keyword - ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - default_field: false - - name: enrichments.indicator.scanner_stats - level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - default_field: false - - name: enrichments.indicator.sightings - level: extended - type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 - default_field: false - - name: enrichments.indicator.type - level: extended - type: keyword - ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - default_field: false - - name: enrichments.matched.atomic - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. 
- example: bad-domain.com - default_field: false - - name: enrichments.matched.field - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - default_field: false - - name: enrichments.matched.id - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - default_field: false - - name: enrichments.matched.index - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - default_field: false - - name: enrichments.matched.type - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule - default_field: false - - name: enrichments.pe.architecture + - name: enrichments.indicator.pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - - name: enrichments.pe.authentihash + - name: enrichments.indicator.pe.authentihash level: extended type: keyword ignore_above: 1024 description: Authentihash of the PE file. example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 default_field: false - - name: enrichments.pe.company + - name: enrichments.indicator.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: enrichments.pe.compile_timestamp + - name: enrichments.indicator.pe.compile_timestamp level: extended type: date description: Compile timestamp of the PE file. 
example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.pe.compiler.name + - name: enrichments.indicator.pe.compiler.name level: extended type: keyword ignore_above: 1024 description: Name of the compiler example: Clang default_field: false - - name: enrichments.pe.compiler.version + - name: enrichments.indicator.pe.compiler.version level: extended type: keyword ignore_above: 1024 description: Version of the compiler. example: 11.0.0 default_field: false - - name: enrichments.pe.creation_date + - name: enrichments.indicator.pe.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.pe.debug + - name: enrichments.indicator.pe.debug level: extended type: nested description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - - name: enrichments.pe.debug.offset + - name: enrichments.indicator.pe.debug.offset level: extended type: keyword ignore_above: 1024 description: Debug offset information. example: 1296336 default_field: false - - name: enrichments.pe.debug.size + - name: enrichments.indicator.pe.debug.size level: extended type: long format: bytes description: Size of the debug information. example: 816 default_field: false - - name: enrichments.pe.debug.timestamp + - name: enrichments.indicator.pe.debug.timestamp level: extended type: date description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.pe.debug.type + - name: enrichments.indicator.pe.debug.type level: extended type: keyword ignore_above: 1024 description: Information type generated by the debug options. 
example: IMAGE_DEBUG_TYPE_POGO default_field: false - - name: enrichments.pe.description + - name: enrichments.indicator.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: enrichments.pe.entry_point + - name: enrichments.indicator.pe.entry_point level: extended type: keyword ignore_above: 1024 description: Relative byte offset to the base of the PE file. example: 25856 default_field: false - - name: enrichments.pe.exports + - name: enrichments.indicator.pe.exports level: extended type: keyword ignore_above: 1024 description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' default_field: false - - name: enrichments.pe.file_version + - name: enrichments.indicator.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: enrichments.pe.icon.hash.dhash + - name: enrichments.indicator.pe.icon.hash.dhash level: extended type: keyword ignore_above: 1024 @@ -8507,7 +8397,7 @@ or thumbnail. example: b806e17c8e330d82 default_field: false - - name: enrichments.pe.imphash + - name: enrichments.indicator.pe.imphash level: extended type: keyword ignore_above: 1024 
@@ -8518,140 +8408,161 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: enrichments.pe.imports + - name: enrichments.indicator.pe.imports level: extended type: flattened description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' default_field: false - - name: enrichments.pe.machine_type + - name: enrichments.indicator.pe.machine_type level: extended type: keyword ignore_above: 1024 description: Machine type of the PE file. example: Intel 386 or later, and compatibles default_field: false - - name: enrichments.pe.original_file_name + - name: enrichments.indicator.pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: enrichments.pe.packers + - name: enrichments.indicator.pe.packers level: extended type: keyword ignore_above: 1024 description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' default_field: false - - name: enrichments.pe.product + - name: enrichments.indicator.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: enrichments.pe.resources + - name: enrichments.indicator.pe.resources level: extended type: nested description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - - name: enrichments.pe.resources.chi2 + - name: enrichments.indicator.pe.resources.chi2 level: extended type: long description: Chi-square probability distribution. 
example: -1 default_field: false - - name: enrichments.pe.resources.entropy + - name: enrichments.indicator.pe.resources.entropy level: extended type: long description: Measurement of entropy randomness in the resources section. example: 0, 1 default_field: false - - name: enrichments.pe.resources.filetype + - name: enrichments.indicator.pe.resources.filetype level: extended type: keyword ignore_above: 1024 description: File type of the resources section. example: Data default_field: false - - name: enrichments.pe.resources.language + - name: enrichments.indicator.pe.resources.language level: extended type: keyword ignore_above: 1024 description: Language identification. example: CHINESE SIMPLIFIED default_field: false - - name: enrichments.pe.resources.sha256 + - name: enrichments.indicator.pe.resources.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 default_field: false - - name: enrichments.pe.resources.type + - name: enrichments.indicator.pe.resources.type level: extended type: keyword ignore_above: 1024 description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' default_field: false - - name: enrichments.pe.rich_header.hash.md5 + - name: enrichments.indicator.pe.rich_header.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd default_field: false - - name: enrichments.pe.sections + - name: enrichments.indicator.pe.sections level: extended type: nested description: Data about sections of compiled binary PE default_field: false - - name: enrichments.pe.sections.chi2 + - name: enrichments.indicator.pe.sections.chi2 level: extended type: long description: Chi-square probability distribution. 
example: 3027194 default_field: false - - name: enrichments.pe.sections.entropy + - name: enrichments.indicator.pe.sections.entropy level: extended type: float description: Measurement of entropy randomness in the file. example: 6.24 default_field: false - - name: enrichments.pe.sections.flags + - name: enrichments.indicator.pe.sections.flags level: extended type: keyword ignore_above: 1024 description: Section flags of the file. example: rx default_field: false - - name: enrichments.pe.sections.name + - name: enrichments.indicator.pe.sections.name level: extended type: keyword ignore_above: 1024 description: Section names of the file. example: .text, .data default_field: false - - name: enrichments.pe.sections.raw_size + - name: enrichments.indicator.pe.sections.raw_size level: extended type: long format: bytes description: Size of the section or the dize of the initialized data on disk. example: 198144 default_field: false - - name: enrichments.pe.sections.virtual_address + - name: enrichments.indicator.pe.sections.virtual_address level: extended type: long format: bytes description: Virtual address available to the file. example: 8192 default_field: false - - name: enrichments.registry.data.bytes + - name: enrichments.indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: enrichments.indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus + default_field: false + - name: enrichments.indicator.reference + level: extended + type: keyword + ignore_above: 1024 + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + default_field: false + - name: enrichments.indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 
@@ -8662,7 +8573,7 @@ better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.registry.data.strings + - name: enrichments.indicator.registry.data.strings level: core type: wildcard description: 'Content when writing string types. 
@@ -8674,88 +8585,469 @@ be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.registry.data.type + - name: enrichments.indicator.registry.data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents example: REG_SZ default_field: false - - name: enrichments.registry.hive + - name: enrichments.indicator.registry.hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - - name: enrichments.registry.key + - name: enrichments.indicator.registry.key level: core type: wildcard description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.registry.path + - name: enrichments.indicator.registry.path level: core type: wildcard description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - - name: enrichments.registry.value + - name: enrichments.indicator.registry.value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - - name: enrichments.url.domain + - name: enrichments.indicator.scanner_stats level: extended - type: wildcard - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. 
+ example: 4 default_field: false - - name: enrichments.url.extension + - name: enrichments.indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 + default_field: false + - name: enrichments.indicator.type level: extended type: keyword ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr default_field: false - - name: enrichments.url.fragment + - name: enrichments.matched.atomic level: extended type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com default_field: false - - name: enrichments.url.full + - name: enrichments.matched.field level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. 
- example: https://www.elastic.co:443/search?q=elasticsearch#top + type: keyword + ignore_above: 1024 + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + default_field: false + - name: enrichments.matched.id + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + default_field: false + - name: enrichments.matched.index + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + default_field: false + - name: enrichments.matched.type + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + default_field: false + - name: enrichments.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: enrichments.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false + - name: enrichments.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: enrichments.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. 
+ example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: enrichments.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: enrichments.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: enrichments.pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: enrichments.pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: enrichments.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false + - name: enrichments.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. 
+ example: Paint + default_field: false + - name: enrichments.pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: enrichments.pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false + - name: enrichments.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: enrichments.pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false + - name: enrichments.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: enrichments.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: enrichments.pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. 
+ example: Intel 386 or later, and compatibles + default_field: false + - name: enrichments.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: enrichments.pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false + - name: enrichments.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: enrichments.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: enrichments.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: enrichments.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: enrichments.pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: enrichments.pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: enrichments.pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: enrichments.pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: enrichments.pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: enrichments.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: enrichments.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: enrichments.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: enrichments.pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: enrichments.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: enrichments.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: enrichments.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false + - name: enrichments.registry.data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. 
+ + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: enrichments.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: enrichments.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: enrichments.registry.hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: enrichments.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: enrichments.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: enrichments.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. 
+ example: Debugger + default_field: false + - name: enrichments.url.domain + level: extended + type: wildcard + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + default_field: false + - name: enrichments.url.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: enrichments.url.fragment + level: extended + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + default_field: false + - name: enrichments.url.full + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - name: enrichments.url.original level: extended 
@@ -9046,87 +9338,47 @@ default_field: false - name: group.id level: extended - type: keyword - ignore_above: 1024 - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - default_field: false - - name: group.name - level: extended - type: keyword - ignore_above: 1024 - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - default_field: false - - name: group.reference - level: extended - type: keyword - ignore_above: 1024 - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - default_field: false - - name: indicator.as.data.bytes - level: extended - type: keyword - ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: indicator.as.data.strings - level: core - type: wildcard - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. 
For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + type: keyword + ignore_above: 1024 + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 default_field: false - - name: indicator.as.data.type - level: core + - name: group.name + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 default_field: false - - name: indicator.as.hive - level: core + - name: group.reference + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ default_field: false - - name: indicator.as.key - level: core - type: wildcard - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + - name: indicator.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 default_field: false - - name: indicator.as.path - level: core + - name: indicator.as.organization.name + level: extended type: wildcard - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - default_field: false - - name: indicator.as.value - level: core - type: keyword - ignore_above: 1024 - description: Name of the value written. - example: Debugger + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC default_field: false - name: indicator.confidence level: extended 
@@ -9545,169 +9797,431 @@ norms: false description: Target path for symlinks. default_field: false - - name: indicator.file.type + - name: indicator.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + default_field: false + - name: indicator.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: indicator.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: indicator.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. 
+ + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). 
+ example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + default_field: false + - name: indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: indicator.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false + - name: indicator.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: indicator.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: indicator.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. 
+ example: 11.0.0 + default_field: false + - name: indicator.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: indicator.pe.debug.offset level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: Debug offset information. + example: 1296336 default_field: false - - name: indicator.file.uid + - name: indicator.pe.debug.size level: extended - type: keyword - ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + type: long + format: bytes + description: Size of the debug information. + example: 816 default_field: false - - name: indicator.first_seen + - name: indicator.pe.debug.timestamp level: extended type: date - description: The date and time when intelligence source first reported sighting - this indicator. + description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.geo.city_name - level: core + - name: indicator.pe.debug.type + level: extended type: keyword ignore_above: 1024 - description: City name. - example: Montreal + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO default_field: false - - name: indicator.geo.continent_code - level: core + - name: indicator.pe.description + level: extended type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. 
- example: NA + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: indicator.geo.continent_name - level: core + - name: indicator.pe.entry_point + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: Relative byte offset to the base of the PE file. + example: 25856 default_field: false - - name: indicator.geo.country_iso_code - level: core + - name: indicator.pe.exports + level: extended type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' default_field: false - - name: indicator.geo.country_name - level: core + - name: indicator.pe.file_version + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada - default_field: false - - name: indicator.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: indicator.geo.name + - name: indicator.pe.icon.hash.dhash level: extended - type: wildcard - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. 
+ example: b806e17c8e330d82 default_field: false - - name: indicator.geo.postal_code - level: core + - name: indicator.pe.imphash + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: indicator.geo.region_iso_code - level: core + - name: indicator.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: indicator.pe.machine_type + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles default_field: false - - name: indicator.geo.region_name - level: core + - name: indicator.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: indicator.pe.packers + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: List of packers and tools used. 
+ example: '["ASPack v2.12", ".NET executable"]' default_field: false - - name: indicator.geo.timezone - level: core + - name: indicator.pe.product + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: indicator.hash.md5 + - name: indicator.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: indicator.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: indicator.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: indicator.pe.resources.filetype level: extended type: keyword ignore_above: 1024 - description: MD5 hash. + description: File type of the resources section. + example: Data default_field: false - - name: indicator.hash.sha1 + - name: indicator.pe.resources.language level: extended type: keyword ignore_above: 1024 - description: SHA1 hash. + description: Language identification. + example: CHINESE SIMPLIFIED default_field: false - - name: indicator.hash.sha256 + - name: indicator.pe.resources.sha256 level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 default_field: false - - name: indicator.hash.sha512 + - name: indicator.pe.resources.type level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. 
+ description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' default_field: false - - name: indicator.hash.ssdeep + - name: indicator.pe.rich_header.hash.md5 level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd default_field: false - - name: indicator.ip + - name: indicator.pe.sections level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 + type: nested + description: Data about sections of compiled binary PE default_field: false - - name: indicator.last_seen + - name: indicator.pe.sections.chi2 level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + type: long + description: Chi-square probability distribution. + example: 3027194 default_field: false - - name: indicator.marking.tlp + - name: indicator.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: indicator.pe.sections.flags level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE + description: Section flags of the file. + example: rx default_field: false - - name: indicator.modified_at + - name: indicator.pe.sections.name level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1024 + description: Section names of the file. 
+ example: .text, .data + default_field: false + - name: indicator.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: indicator.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 default_field: false - name: indicator.port level: extended 
@@ -9730,6 +10244,63 @@ description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 default_field: false + - name: indicator.registry.data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: indicator.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: indicator.registry.hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: indicator.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: indicator.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: indicator.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false - name: indicator.scanner_stats level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index e0b8aaffdb..7edf0e8fb2 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -992,13 +992,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 2.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. 2.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Indicators -2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.hive,keyword,core,,HKLM,Abbreviated name for the hive. -2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.sha512,keyword,extended,,,SHA512 hash. 
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.ssdeep,keyword,extended,,,SSDEEP hash. 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,High,Indicator confidence rating 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address 
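Review bot: The added rows `threat.enrichments.indicator.as.md5` through `threat.enrichments.indicator.as.ssdeep` put the hash fieldset under the `as` nesting name, and no `threat.enrichments.indicator.as.number` or `threat.enrichments.indicator.as.organization.name` rows are emitted at all, whereas the `@@ -1108,13 +1151,9 @@` hunk correctly produces `threat.indicator.as.number` and `threat.indicator.as.organization.name` for the other location; the same miswiring is visible in the ecs_flat.yml hunk `@@ -12308,98 +12308,60 @@`, where `flat_name: threat.enrichments.indicator.as.md5` carries `original_fieldset: hash`. These files are generated, so the fix belongs in the source schema: the hash fieldset's reuse entry for `threat.enrichments.indicator` presumably reads `as: as` and should read `as: hash`, and the `as` fieldset needs its own entry at that location so the autonomous-system fields are emitted there too. Until then, any indicator-match or enrichment rule keyed on `threat.enrichments.indicator.hash.sha256` would silently never fire because the value lands at `threat.enrichments.indicator.as.sha256`, so this should be resolved before merge. Separately, the `pe.file_version` rows in the `@@ -1007,9 +1005,54 @@` and `@@ -1198,9 +1237,54 @@` hunks carry the short description `Process name.`, and the `pe.sections.raw_size` rows contain the typo `dize`; both come from the pe schema source and are worth correcting there so the regenerated output picks them up.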
@@ -1007,9 +1005,54 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug,nested,extended,array,,Debug information +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.size,long,extended,,816,Size of the debug information. 
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. 
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources,nested,extended,array,,PE resource information +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file. 
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator 
@@ -1108,13 +1151,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. 2.0.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 2.0.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -2.0.0-dev+exp,true,threat,threat.indicator.as.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -2.0.0-dev+exp,true,threat,threat.indicator.as.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -2.0.0-dev+exp,true,threat,threat.indicator.as.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -2.0.0-dev+exp,true,threat,threat.indicator.as.hive,keyword,core,,HKLM,Abbreviated name for the hive. -2.0.0-dev+exp,true,threat,threat.indicator.as.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -2.0.0-dev+exp,true,threat,threat.indicator.as.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -2.0.0-dev+exp,true,threat,threat.indicator.as.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. 
2.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating 2.0.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 2.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address 
@@ -1198,9 +1237,54 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 2.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking 2.0.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +2.0.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +2.0.0-dev+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +2.0.0-dev+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. +2.0.0-dev+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information +2.0.0-dev+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +2.0.0-dev+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information. +2.0.0-dev+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. 
+2.0.0-dev+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +2.0.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +2.0.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +2.0.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +2.0.0-dev+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. +2.0.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+2.0.0-dev+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information +2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +2.0.0-dev+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 
2.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port 2.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 2.0.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +2.0.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 2.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 2dc1c246b2..592b61f228 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -12308,98 +12308,60 @@ threat.enrichments.indicator: normalize: [] short: Indicators type: object -threat.enrichments.indicator.as.data.bytes: - dashed_name: threat-enrichments-indicator-as-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.indicator.as.data.bytes +threat.enrichments.indicator.as.md5: + dashed_name: threat-enrichments-indicator-as-md5 + description: MD5 hash. + flat_name: threat.enrichments.indicator.as.md5 ignore_above: 1024 level: extended - name: data.bytes + name: md5 normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. + original_fieldset: hash + short: MD5 hash. type: keyword -threat.enrichments.indicator.as.data.strings: - dashed_name: threat-enrichments-indicator-as-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single string - registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. - For sequences of string with REG_MULTI_SZ, this array will be variable length. - For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with - the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.indicator.as.data.strings - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: wildcard -threat.enrichments.indicator.as.data.type: - dashed_name: threat-enrichments-indicator-as-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.indicator.as.data.type +threat.enrichments.indicator.as.sha1: + dashed_name: threat-enrichments-indicator-as-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.as.sha1 ignore_above: 1024 - level: core - name: data.type + level: extended + name: sha1 normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: hash + short: SHA1 hash. type: keyword -threat.enrichments.indicator.as.hive: - dashed_name: threat-enrichments-indicator-as-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.indicator.as.hive +threat.enrichments.indicator.as.sha256: + dashed_name: threat-enrichments-indicator-as-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.as.sha256 ignore_above: 1024 - level: core - name: hive + level: extended + name: sha256 normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: hash + short: SHA256 hash. type: keyword -threat.enrichments.indicator.as.key: - dashed_name: threat-enrichments-indicator-as-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.indicator.as.key - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. 
- type: wildcard -threat.enrichments.indicator.as.path: - dashed_name: threat-enrichments-indicator-as-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.indicator.as.path - level: core - name: path +threat.enrichments.indicator.as.sha512: + dashed_name: threat-enrichments-indicator-as-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.as.sha512 + ignore_above: 1024 + level: extended + name: sha512 normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: wildcard -threat.enrichments.indicator.as.value: - dashed_name: threat-enrichments-indicator-as-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.indicator.as.value + original_fieldset: hash + short: SHA512 hash. + type: keyword +threat.enrichments.indicator.as.ssdeep: + dashed_name: threat-enrichments-indicator-as-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.as.ssdeep ignore_above: 1024 - level: core - name: value + level: extended + name: ssdeep normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: hash + short: SSDEEP hash. type: keyword threat.enrichments.indicator.confidence: beta: This field is beta and subject to change. 
@@ -12501,148 +12463,11 @@ threat.enrichments.indicator.modified_at: normalize: [] short: Date/time indicator was last updated. type: date -threat.enrichments.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-port - description: Identifies a threat indicator as a port number (irrespective of direction). - example: 443 - flat_name: threat.enrichments.indicator.port - level: extended - name: enrichments.indicator.port - normalize: [] - short: Indicator port - type: long -threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.enrichments.indicator.provider - ignore_above: 1024 - level: extended - name: enrichments.indicator.provider - normalize: [] - short: Indicator provider - type: keyword -threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.enrichments.indicator.reference - ignore_above: 1024 - level: extended - name: enrichments.indicator.reference - normalize: [] - short: Indicator reference URL - type: keyword -threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file or - URL. - example: 4 - flat_name: threat.enrichments.indicator.scanner_stats - level: extended - name: enrichments.indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long -threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.enrichments.indicator.sightings - level: extended - name: enrichments.indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long -threat.enrichments.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ - \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ - \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ - \ * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.enrichments.indicator.type - ignore_above: 1024 - level: extended - name: enrichments.indicator.type - normalize: [] - short: Type of indicator - type: keyword -threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic - ignore_above: 1024 - level: extended - name: enrichments.matched.atomic - normalize: [] - short: Matched indicator value - type: keyword -threat.enrichments.matched.field: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. 
- example: file.hash.sha256 - flat_name: threat.enrichments.matched.field - ignore_above: 1024 - level: extended - name: enrichments.matched.field - normalize: [] - short: Matched indicator field - type: keyword -threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id - ignore_above: 1024 - level: extended - name: enrichments.matched.id - normalize: [] - short: Matched indicator identifier - type: keyword -threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index - ignore_above: 1024 - level: extended - name: enrichments.matched.index - normalize: [] - short: Matched indicator index - type: keyword -threat.enrichments.matched.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched with - the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type - ignore_above: 1024 - level: extended - name: enrichments.matched.type - normalize: [] - short: Type of indicator match - type: keyword -threat.enrichments.pe.architecture: - dashed_name: threat-enrichments-pe-architecture +threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: threat.enrichments.pe.architecture + flat_name: threat.enrichments.indicator.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -12650,11 +12475,11 @@ threat.enrichments.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -threat.enrichments.pe.authentihash: - dashed_name: threat-enrichments-pe-authentihash +threat.enrichments.indicator.pe.authentihash: + dashed_name: threat-enrichments-indicator-pe-authentihash description: Authentihash of the PE file. example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.pe.authentihash + flat_name: threat.enrichments.indicator.pe.authentihash ignore_above: 1024 level: extended name: authentihash @@ -12662,11 +12487,11 @@ threat.enrichments.pe.authentihash: original_fieldset: pe short: Authentihash of the PE file. type: keyword -threat.enrichments.pe.company: - dashed_name: threat-enrichments-pe-company +threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: threat.enrichments.pe.company + flat_name: threat.enrichments.indicator.pe.company ignore_above: 1024 level: extended name: company 
@@ -12674,22 +12499,22 @@ threat.enrichments.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -threat.enrichments.pe.compile_timestamp: - dashed_name: threat-enrichments-pe-compile-timestamp +threat.enrichments.indicator.pe.compile_timestamp: + dashed_name: threat-enrichments-indicator-pe-compile-timestamp description: Compile timestamp of the PE file. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.compile_timestamp + flat_name: threat.enrichments.indicator.pe.compile_timestamp level: extended name: compile_timestamp normalize: [] original_fieldset: pe short: Compile timestamp of the PE file. type: date -threat.enrichments.pe.compiler.name: - dashed_name: threat-enrichments-pe-compiler-name +threat.enrichments.indicator.pe.compiler.name: + dashed_name: threat-enrichments-indicator-pe-compiler-name description: Name of the compiler example: Clang - flat_name: threat.enrichments.pe.compiler.name + flat_name: threat.enrichments.indicator.pe.compiler.name ignore_above: 1024 level: extended name: compiler.name @@ -12697,11 +12522,11 @@ threat.enrichments.pe.compiler.name: original_fieldset: pe short: Name of the compiler type: keyword -threat.enrichments.pe.compiler.version: - dashed_name: threat-enrichments-pe-compiler-version +threat.enrichments.indicator.pe.compiler.version: + dashed_name: threat-enrichments-indicator-pe-compiler-version description: Version of the compiler. example: 11.0.0 - flat_name: threat.enrichments.pe.compiler.version + flat_name: threat.enrichments.indicator.pe.compiler.version ignore_above: 1024 level: extended name: compiler.version 
@@ -12709,24 +12534,24 @@ threat.enrichments.pe.compiler.version: original_fieldset: pe short: Version of the compiler. type: keyword -threat.enrichments.pe.creation_date: - dashed_name: threat-enrichments-pe-creation-date +threat.enrichments.indicator.pe.creation_date: + dashed_name: threat-enrichments-indicator-pe-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.creation_date + flat_name: threat.enrichments.indicator.pe.creation_date level: extended name: creation_date normalize: [] original_fieldset: pe short: Build or compile date. type: date -threat.enrichments.pe.debug: - dashed_name: threat-enrichments-pe-debug +threat.enrichments.indicator.pe.debug: + dashed_name: threat-enrichments-indicator-pe-debug description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.enrichments.pe.debug + flat_name: threat.enrichments.indicator.pe.debug level: extended name: debug normalize: @@ -12734,11 +12559,11 @@ threat.enrichments.pe.debug: original_fieldset: pe short: Debug information type: nested -threat.enrichments.pe.debug.offset: - dashed_name: threat-enrichments-pe-debug-offset +threat.enrichments.indicator.pe.debug.offset: + dashed_name: threat-enrichments-indicator-pe-debug-offset description: Debug offset information. example: 1296336 - flat_name: threat.enrichments.pe.debug.offset + flat_name: threat.enrichments.indicator.pe.debug.offset ignore_above: 1024 level: extended name: debug.offset 
@@ -12746,11 +12571,11 @@ threat.enrichments.pe.debug.offset: original_fieldset: pe short: Debug offset information. type: keyword -threat.enrichments.pe.debug.size: - dashed_name: threat-enrichments-pe-debug-size +threat.enrichments.indicator.pe.debug.size: + dashed_name: threat-enrichments-indicator-pe-debug-size description: Size of the debug information. example: 816 - flat_name: threat.enrichments.pe.debug.size + flat_name: threat.enrichments.indicator.pe.debug.size format: bytes level: extended name: debug.size @@ -12758,22 +12583,22 @@ threat.enrichments.pe.debug.size: original_fieldset: pe short: Size of the debug information. type: long -threat.enrichments.pe.debug.timestamp: - dashed_name: threat-enrichments-pe-debug-timestamp +threat.enrichments.indicator.pe.debug.timestamp: + dashed_name: threat-enrichments-indicator-pe-debug-timestamp description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.debug.timestamp + flat_name: threat.enrichments.indicator.pe.debug.timestamp level: extended name: debug.timestamp normalize: [] original_fieldset: pe short: Timestamp of the debug information. type: date -threat.enrichments.pe.debug.type: - dashed_name: threat-enrichments-pe-debug-type +threat.enrichments.indicator.pe.debug.type: + dashed_name: threat-enrichments-indicator-pe-debug-type description: Information type generated by the debug options. example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.pe.debug.type + flat_name: threat.enrichments.indicator.pe.debug.type ignore_above: 1024 level: extended name: debug.type 
@@ -12781,11 +12606,11 @@ threat.enrichments.pe.debug.type: original_fieldset: pe short: Information type generated by the debug options. type: keyword -threat.enrichments.pe.description: - dashed_name: threat-enrichments-pe-description +threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: threat.enrichments.pe.description + flat_name: threat.enrichments.indicator.pe.description ignore_above: 1024 level: extended name: description @@ -12793,11 +12618,11 @@ threat.enrichments.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -threat.enrichments.pe.entry_point: - dashed_name: threat-enrichments-pe-entry-point +threat.enrichments.indicator.pe.entry_point: + dashed_name: threat-enrichments-indicator-pe-entry-point description: Relative byte offset to the base of the PE file. example: 25856 - flat_name: threat.enrichments.pe.entry_point + flat_name: threat.enrichments.indicator.pe.entry_point ignore_above: 1024 level: extended name: entry_point @@ -12805,11 +12630,11 @@ threat.enrichments.pe.entry_point: original_fieldset: pe short: Relative byte offset to the base of the PE file. type: keyword -threat.enrichments.pe.exports: - dashed_name: threat-enrichments-pe-exports +threat.enrichments.indicator.pe.exports: + dashed_name: threat-enrichments-indicator-pe-exports description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.pe.exports + flat_name: threat.enrichments.indicator.pe.exports ignore_above: 1024 level: extended name: exports 
@@ -12818,11 +12643,11 @@ threat.enrichments.pe.exports: original_fieldset: pe short: List of symbols exported by PE type: keyword -threat.enrichments.pe.file_version: - dashed_name: threat-enrichments-pe-file-version +threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: threat.enrichments.pe.file_version + flat_name: threat.enrichments.indicator.pe.file_version ignore_above: 1024 level: extended name: file_version @@ -12830,12 +12655,12 @@ threat.enrichments.pe.file_version: original_fieldset: pe short: Process name. type: keyword -threat.enrichments.pe.icon.hash.dhash: - dashed_name: threat-enrichments-pe-icon-hash-dhash +threat.enrichments.indicator.pe.icon.hash.dhash: + dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash description: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. example: b806e17c8e330d82 - flat_name: threat.enrichments.pe.icon.hash.dhash + flat_name: threat.enrichments.indicator.pe.icon.hash.dhash ignore_above: 1024 level: extended name: icon.hash.dhash 
@@ -12843,15 +12668,15 @@ threat.enrichments.pe.icon.hash.dhash: original_fieldset: pe short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword -threat.enrichments.pe.imphash: - dashed_name: threat-enrichments-pe-imphash +threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.pe.imphash + flat_name: threat.enrichments.indicator.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -12859,23 +12684,23 @@ threat.enrichments.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -threat.enrichments.pe.imports: - dashed_name: threat-enrichments-pe-imports +threat.enrichments.indicator.pe.imports: + dashed_name: threat-enrichments-indicator-pe-imports description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' - flat_name: threat.enrichments.pe.imports + flat_name: threat.enrichments.indicator.pe.imports level: extended name: imports normalize: [] original_fieldset: pe short: List of all imported functions type: flattened -threat.enrichments.pe.machine_type: - dashed_name: threat-enrichments-pe-machine-type +threat.enrichments.indicator.pe.machine_type: + dashed_name: threat-enrichments-indicator-pe-machine-type description: Machine type of the PE file. example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.pe.machine_type + flat_name: threat.enrichments.indicator.pe.machine_type ignore_above: 1024 level: extended name: machine_type 
@@ -12883,22 +12708,22 @@ threat.enrichments.pe.machine_type: original_fieldset: pe short: Machine type of the PE file. type: keyword -threat.enrichments.pe.original_file_name: - dashed_name: threat-enrichments-pe-original-file-name +threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: threat.enrichments.pe.original_file_name + flat_name: threat.enrichments.indicator.pe.original_file_name level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard -threat.enrichments.pe.packers: - dashed_name: threat-enrichments-pe-packers +threat.enrichments.indicator.pe.packers: + dashed_name: threat-enrichments-indicator-pe-packers description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.pe.packers + flat_name: threat.enrichments.indicator.pe.packers ignore_above: 1024 level: extended name: packers @@ -12907,11 +12732,11 @@ threat.enrichments.pe.packers: original_fieldset: pe short: List of packers and tools used. type: keyword -threat.enrichments.pe.product: - dashed_name: threat-enrichments-pe-product +threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.pe.product + flat_name: threat.enrichments.indicator.pe.product ignore_above: 1024 level: extended name: product 
@@ -12919,12 +12744,12 @@ threat.enrichments.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -threat.enrichments.pe.resources: - dashed_name: threat-enrichments-pe-resources +threat.enrichments.indicator.pe.resources: + dashed_name: threat-enrichments-indicator-pe-resources description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.pe.resources + flat_name: threat.enrichments.indicator.pe.resources level: extended name: resources normalize: 
@@ -12932,33 +12757,33 @@ threat.enrichments.pe.resources: original_fieldset: pe short: PE resource information type: nested -threat.enrichments.pe.resources.chi2: - dashed_name: threat-enrichments-pe-resources-chi2 +threat.enrichments.indicator.pe.resources.chi2: + dashed_name: threat-enrichments-indicator-pe-resources-chi2 description: Chi-square probability distribution. example: -1 - flat_name: threat.enrichments.pe.resources.chi2 + flat_name: threat.enrichments.indicator.pe.resources.chi2 level: extended name: resources.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long -threat.enrichments.pe.resources.entropy: - dashed_name: threat-enrichments-pe-resources-entropy +threat.enrichments.indicator.pe.resources.entropy: + dashed_name: threat-enrichments-indicator-pe-resources-entropy description: Measurement of entropy randomness in the resources section. example: 0, 1 - flat_name: threat.enrichments.pe.resources.entropy + flat_name: threat.enrichments.indicator.pe.resources.entropy level: extended name: resources.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the resources section. type: long -threat.enrichments.pe.resources.filetype: - dashed_name: threat-enrichments-pe-resources-filetype +threat.enrichments.indicator.pe.resources.filetype: + dashed_name: threat-enrichments-indicator-pe-resources-filetype description: File type of the resources section. example: Data - flat_name: threat.enrichments.pe.resources.filetype + flat_name: threat.enrichments.indicator.pe.resources.filetype ignore_above: 1024 level: extended name: resources.filetype 
@@ -12966,11 +12791,11 @@ threat.enrichments.pe.resources.filetype: original_fieldset: pe short: File type of the resources section. type: keyword -threat.enrichments.pe.resources.language: - dashed_name: threat-enrichments-pe-resources-language +threat.enrichments.indicator.pe.resources.language: + dashed_name: threat-enrichments-indicator-pe-resources-language description: Language identification. example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.pe.resources.language + flat_name: threat.enrichments.indicator.pe.resources.language ignore_above: 1024 level: extended name: resources.language @@ -12978,11 +12803,11 @@ threat.enrichments.pe.resources.language: original_fieldset: pe short: Language identification. type: keyword -threat.enrichments.pe.resources.sha256: - dashed_name: threat-enrichments-pe-resources-sha256 +threat.enrichments.indicator.pe.resources.sha256: + dashed_name: threat-enrichments-indicator-pe-resources-sha256 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.pe.resources.sha256 + flat_name: threat.enrichments.indicator.pe.resources.sha256 ignore_above: 1024 level: extended name: resources.sha256 @@ -12990,11 +12815,11 @@ threat.enrichments.pe.resources.sha256: original_fieldset: pe short: SHA256 hash of resources section. type: keyword -threat.enrichments.pe.resources.type: - dashed_name: threat-enrichments-pe-resources-type +threat.enrichments.indicator.pe.resources.type: + dashed_name: threat-enrichments-indicator-pe-resources-type description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.pe.resources.type + flat_name: threat.enrichments.indicator.pe.resources.type ignore_above: 1024 level: extended name: resources.type 
@@ -13003,11 +12828,11 @@ threat.enrichments.pe.resources.type: original_fieldset: pe short: List of resource types. type: keyword -threat.enrichments.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-pe-rich-header-hash-md5 +threat.enrichments.indicator.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.pe.rich_header.hash.md5 + flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5 ignore_above: 1024 level: extended name: rich_header.hash.md5 @@ -13015,10 +12840,10 @@ threat.enrichments.pe.rich_header.hash.md5: original_fieldset: pe short: MD5 hash of the header for the PE file. type: keyword -threat.enrichments.pe.sections: - dashed_name: threat-enrichments-pe-sections +threat.enrichments.indicator.pe.sections: + dashed_name: threat-enrichments-indicator-pe-sections description: Data about sections of compiled binary PE - flat_name: threat.enrichments.pe.sections + flat_name: threat.enrichments.indicator.pe.sections level: extended name: sections normalize: 
@@ -13026,33 +12851,33 @@ threat.enrichments.pe.sections: original_fieldset: pe short: Data about sections of the compiled binary PE type: nested -threat.enrichments.pe.sections.chi2: - dashed_name: threat-enrichments-pe-sections-chi2 +threat.enrichments.indicator.pe.sections.chi2: + dashed_name: threat-enrichments-indicator-pe-sections-chi2 description: Chi-square probability distribution. example: 3027194 - flat_name: threat.enrichments.pe.sections.chi2 + flat_name: threat.enrichments.indicator.pe.sections.chi2 level: extended name: sections.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long -threat.enrichments.pe.sections.entropy: - dashed_name: threat-enrichments-pe-sections-entropy +threat.enrichments.indicator.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-pe-sections-entropy description: Measurement of entropy randomness in the file. example: 6.24 - flat_name: threat.enrichments.pe.sections.entropy + flat_name: threat.enrichments.indicator.pe.sections.entropy level: extended name: sections.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the file. type: float -threat.enrichments.pe.sections.flags: - dashed_name: threat-enrichments-pe-sections-flags +threat.enrichments.indicator.pe.sections.flags: + dashed_name: threat-enrichments-indicator-pe-sections-flags description: Section flags of the file. example: rx - flat_name: threat.enrichments.pe.sections.flags + flat_name: threat.enrichments.indicator.pe.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -13060,11 +12885,11 @@ threat.enrichments.pe.sections.flags: original_fieldset: pe short: Section flags of the file. type: keyword -threat.enrichments.pe.sections.name: - dashed_name: threat-enrichments-pe-sections-name +threat.enrichments.indicator.pe.sections.name: + dashed_name: threat-enrichments-indicator-pe-sections-name description: Section names of the file. example: .text, .data - flat_name: threat.enrichments.pe.sections.name + flat_name: threat.enrichments.indicator.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -13072,11 +12897,11 @@ threat.enrichments.pe.sections.name: original_fieldset: pe short: Section names of the file. type: keyword -threat.enrichments.pe.sections.raw_size: - dashed_name: threat-enrichments-pe-sections-raw-size +threat.enrichments.indicator.pe.sections.raw_size: + dashed_name: threat-enrichments-indicator-pe-sections-raw-size description: Size of the section or the dize of the initialized data on disk. example: 198144 - flat_name: threat.enrichments.pe.sections.raw_size + flat_name: threat.enrichments.indicator.pe.sections.raw_size format: bytes level: extended name: sections.raw_size @@ -13084,11 +12909,11 @@ threat.enrichments.pe.sections.raw_size: original_fieldset: pe short: Size of the section or the dize of the initialized data on disk. type: long -threat.enrichments.pe.sections.virtual_address: - dashed_name: threat-enrichments-pe-sections-virtual-address +threat.enrichments.indicator.pe.sections.virtual_address: + dashed_name: threat-enrichments-indicator-pe-sections-virtual-address description: Virtual address available to the file. example: 8192 - flat_name: threat.enrichments.pe.sections.virtual_address + flat_name: threat.enrichments.indicator.pe.sections.virtual_address format: bytes level: extended name: sections.virtual_address 
@@ -13096,15 +12921,50 @@ threat.enrichments.pe.sections.virtual_address: original_fieldset: pe short: Virtual address available to the file. type: long -threat.enrichments.registry.data.bytes: - dashed_name: threat-enrichments-registry-data-bytes +threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long +threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider + ignore_above: 1024 + level: extended + name: enrichments.indicator.provider + normalize: [] + short: Indicator provider + type: keyword +threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference + ignore_above: 1024 + level: extended + name: enrichments.indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword +threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' 
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.registry.data.bytes + flat_name: threat.enrichments.indicator.registry.data.bytes ignore_above: 1024 level: extended name: data.bytes @@ -13112,8 +12972,8 @@ threat.enrichments.registry.data.bytes: original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword -threat.enrichments.registry.data.strings: - dashed_name: threat-enrichments-registry-data-strings +threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string @@ -13122,7 +12982,7 @@ threat.enrichments.registry.data.strings: For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.registry.data.strings + flat_name: threat.enrichments.indicator.registry.data.strings level: core name: data.strings normalize: @@ -13130,11 +12990,11 @@ threat.enrichments.registry.data.strings: original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard -threat.enrichments.registry.data.type: - dashed_name: threat-enrichments-registry-data-type +threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type description: Standard registry type for encoding contents example: REG_SZ - flat_name: threat.enrichments.registry.data.type + flat_name: threat.enrichments.indicator.registry.data.type ignore_above: 1024 level: core name: data.type 
@@ -13142,11 +13002,11 @@ threat.enrichments.registry.data.type: original_fieldset: registry short: Standard registry type for encoding contents type: keyword -threat.enrichments.registry.hive: - dashed_name: threat-enrichments-registry-hive +threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive description: Abbreviated name for the hive. example: HKLM - flat_name: threat.enrichments.registry.hive + flat_name: threat.enrichments.indicator.registry.hive ignore_above: 1024 level: core name: hive 
@@ -13154,34 +13014,34 @@ threat.enrichments.registry.hive: original_fieldset: registry short: Abbreviated name for the hive. type: keyword -threat.enrichments.registry.key: - dashed_name: threat-enrichments-registry-key +threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.registry.key + flat_name: threat.enrichments.indicator.registry.key level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: wildcard -threat.enrichments.registry.path: - dashed_name: threat-enrichments-registry-path +threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - flat_name: threat.enrichments.registry.path + flat_name: threat.enrichments.indicator.registry.path level: core name: path normalize: [] original_fieldset: registry short: Full path, including hive, key and value type: wildcard -threat.enrichments.registry.value: - dashed_name: threat-enrichments-registry-value +threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value description: Name of the value written. example: Debugger - flat_name: threat.enrichments.registry.value + flat_name: threat.enrichments.indicator.registry.value ignore_above: 1024 level: core name: value 
@@ -13189,617 +13049,584 @@ threat.enrichments.registry.value: original_fieldset: registry short: Name of the value written. type: keyword -threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), - the `[` and `]` characters should also be captured in the `domain` field.' - example: www.elastic.co - flat_name: threat.enrichments.url.domain +threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats level: extended - name: domain + name: enrichments.indicator.scanner_stats normalize: [] - original_fieldset: url - short: Domain of the url. - type: wildcard -threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request url, - excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.url.extension + short: Scanner statistics + type: long +threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ + \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ + \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ + \ * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended - name: extension + name: enrichments.indicator.type normalize: [] - original_fieldset: url - short: File extension from the request url, excluding the leading dot. + short: Type of indicator type: keyword -threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment +threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended - name: fragment + name: enrichments.matched.atomic normalize: [] - original_fieldset: url - short: Portion of the url after the `#`. 
+ short: Matched indicator value type: keyword -threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full +threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.full.text - name: text - norms: false - type: text - name: full + name: enrichments.matched.field normalize: [] - original_fieldset: url - short: Full unparsed URL. - type: wildcard -threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas in - access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original - level: extended - multi_fields: - - flat_name: threat.enrichments.url.original.text - name: text - norms: false - type: text - name: original - normalize: [] - original_fieldset: url - short: Unmodified original url as seen in the event source. - type: wildcard -threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password - description: Password of the request. 
- flat_name: threat.enrichments.url.password + short: Matched indicator field + type: keyword +threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id ignore_above: 1024 level: extended - name: password + name: enrichments.matched.id normalize: [] - original_fieldset: url - short: Password of the request. + short: Matched indicator identifier type: keyword -threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path - description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path - level: extended - name: path - normalize: [] - original_fieldset: url - short: Path of the request, such as "/search". - type: wildcard -threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port - description: Port of the request, such as 443. - example: 443 - flat_name: threat.enrichments.url.port - format: string - level: extended - name: port - normalize: [] - original_fieldset: url - short: Port of the request, such as 443. - type: long -threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there is - no query field. If there is a `?` but no query, the query field exists with an - empty string. The `exists` query can be used to differentiate between the two - cases.' - flat_name: threat.enrichments.url.query +threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. 
+ example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: query + name: enrichments.matched.index normalize: [] - original_fieldset: url - short: Query string of the request. + short: Matched indicator index type: keyword -threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (http://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: threat.enrichments.url.registered_domain +threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 level: extended - name: registered_domain + name: enrichments.matched.type normalize: [] - original_fieldset: url - short: The highest registered url domain, stripped of the subdomain. - type: wildcard -threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: threat.enrichments.url.scheme + short: Type of indicator match + type: keyword +threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: threat.enrichments.pe.architecture ignore_above: 1024 level: extended - name: scheme + name: architecture normalize: [] - original_fieldset: url - short: Scheme of the url. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: threat.enrichments.url.subdomain +threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash ignore_above: 1024 level: extended - name: subdomain + name: authentihash normalize: [] - original_fieldset: url - short: The subdomain of the domain. + original_fieldset: pe + short: Authentihash of the PE file. type: keyword -threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". - - This value can be determined precisely with a list like the public suffix list - (http://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' 
- example: co.uk - flat_name: threat.enrichments.url.top_level_domain +threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.pe.company ignore_above: 1024 level: extended - name: top_level_domain + name: company normalize: [] - original_fieldset: url - short: The effective top level domain (com, org, net, co.uk). + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword -threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username - description: Username of the request. - flat_name: threat.enrichments.url.username +threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name ignore_above: 1024 level: extended - name: username + name: compiler.name normalize: [] - original_fieldset: url - short: Username of the request. + original_fieldset: pe + short: Name of the compiler type: keyword -threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names (and - wildcards), and email addresses. 
- example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names +threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version ignore_above: 1024 level: extended - name: alternative_names - normalize: - - array - original_fieldset: x509 - short: List of subject alternative names (SAN). + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. type: keyword -threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name - ignore_above: 1024 +threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date level: extended - name: issuer.common_name + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug + level: extended + name: debug normalize: - array - original_fieldset: x509 - short: List of common name (CN) of issuing certificate authority. 
- type: keyword -threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country - description: List of country (C) codes - example: US - flat_name: threat.enrichments.x509.issuer.country + original_fieldset: pe + short: Debug information + type: nested +threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset ignore_above: 1024 level: extended - name: issuer.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) codes + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. type: keyword -threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name +threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes level: extended - name: issuer.distinguished_name + name: debug.size normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of issuing certificate authority. - type: wildcard -threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality - description: List of locality names (L) - example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + original_fieldset: pe + short: Size of the debug information. + type: long +threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type ignore_above: 1024 level: extended - name: issuer.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. type: keyword -threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization +threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description ignore_above: 1024 level: extended - name: issuer.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of issuing certificate authority. + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword -threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit +threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. 
+ example: 25856 + flat_name: threat.enrichments.pe.entry_point ignore_above: 1024 level: extended - name: issuer.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of issuing certificate authority. + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. type: keyword -threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.issuer.state_or_province +threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports ignore_above: 1024 level: extended - name: issuer.state_or_province + name: exports normalize: - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + original_fieldset: pe + short: List of symbols exported by PE type: keyword -threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after - level: extended - name: not_after - normalize: [] - original_fieldset: x509 - short: Time at which the certificate is no longer considered valid. - type: date -threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before - level: extended - name: not_before - normalize: [] - original_fieldset: x509 - short: Time at which the certificate is first considered valid. 
- type: date -threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm - description: Algorithm used to generate the public key. - example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm +threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version ignore_above: 1024 level: extended - name: public_key_algorithm + name: file_version normalize: [] - original_fieldset: x509 - short: Algorithm used to generate the public key. + original_fieldset: pe + short: Process name. type: keyword -threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve - description: The curve used by the elliptic curve public key algorithm. This is - algorithm specific. - example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve +threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: public_key_curve + name: icon.hash.dhash normalize: [] - original_fieldset: x509 - short: The curve used by the elliptic curve public key algorithm. This is algorithm - specific. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword -threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent - description: Exponent used to derive the public key. This is algorithm specific. 
- doc_values: false - example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent - index: false +threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash + ignore_above: 1024 level: extended - name: public_key_exponent + name: imphash normalize: [] - original_fieldset: x509 - short: Exponent used to derive the public key. This is algorithm specific. - type: long -threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size - description: The size of the public key space in bits. - example: 2048 - flat_name: threat.enrichments.x509.public_key_size + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports level: extended - name: public_key_size + name: imports normalize: [] - original_fieldset: x509 - short: The size of the public key space in bits. - type: long -threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. 
- example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + original_fieldset: pe + short: List of all imported functions + type: flattened +threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type ignore_above: 1024 level: extended - name: serial_number + name: machine_type normalize: [] - original_fieldset: x509 - short: Unique serial number issued by the certificate authority. + original_fieldset: pe + short: Machine type of the PE file. type: keyword -threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm - ignore_above: 1024 +threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name level: extended - name: signature_algorithm + name: original_file_name normalize: [] - original_fieldset: x509 - short: Identifier for certificate signature algorithm. - type: keyword -threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name - description: List of common names (CN) of subject. - example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. 
+ example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers ignore_above: 1024 level: extended - name: subject.common_name + name: packers normalize: - array - original_fieldset: x509 - short: List of common names (CN) of subject. - type: keyword -threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country - description: List of country (C) code - example: US - flat_name: threat.enrichments.x509.subject.country + original_fieldset: pe + short: List of packers and tools used. + type: keyword +threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product ignore_above: 1024 level: extended - name: subject.country + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.pe.resources + level: extended + name: resources normalize: - array - original_fieldset: x509 - short: List of country (C) code - type: keyword -threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name - description: Distinguished name (DN) of the certificate subject entity. 
- example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + original_fieldset: pe + short: PE resource information + type: nested +threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 level: extended - name: subject.distinguished_name + name: resources.chi2 normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of the certificate subject entity. - type: wildcard -threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality - description: List of locality names (L) - example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 level: extended - name: subject.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. type: keyword -threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization - description: List of organizations (O) of subject. 
- example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization +threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language ignore_above: 1024 level: extended - name: subject.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of subject. + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. type: keyword -threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit - description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit +threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 ignore_above: 1024 level: extended - name: subject.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of subject. + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword -threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.subject.state_or_province +threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. 
+ example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type ignore_above: 1024 level: extended - name: subject.state_or_province + name: resources.type normalize: - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) - type: keyword -threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number - description: Version of x509 format. - example: 3 - flat_name: threat.enrichments.x509.version_number - ignore_above: 1024 - level: extended - name: version_number - normalize: [] - original_fieldset: x509 - short: Version of x509 format. + original_fieldset: pe + short: List of resource types. type: keyword -threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification can - be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework +threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 ignore_above: 1024 level: extended - name: framework + name: rich_header.hash.md5 normalize: [] - short: Threat classification framework. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword -threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." 
- example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias - ignore_above: 1024 +threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections level: extended - name: group.alias + name: sections normalize: - array - short: Alias of the group. - type: keyword -threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that are\ - \ tracked by a common name in the security community. While not required, you\ - \ can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id - ignore_above: 1024 + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 level: extended - name: group.id + name: sections.chi2 normalize: [] - short: ID of the group. - type: keyword -threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name - ignore_above: 1024 + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy level: extended - name: group.name + name: sections.entropy normalize: [] - short: Name of the group. 
- type: keyword -threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.pe.sections.flags ignore_above: 1024 level: extended - name: group.reference + name: sections.flags normalize: [] - short: Reference URL of the group. + original_fieldset: pe + short: Section flags of the file. type: keyword -threat.indicator.as.data.bytes: - dashed_name: threat-indicator-as-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.as.data.bytes +threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name ignore_above: 1024 level: extended - name: data.bytes + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. 
+ example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long +threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes normalize: [] original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword -threat.indicator.as.data.strings: - dashed_name: threat-indicator-as-data-strings +threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string @@ -13808,7 +13635,7 @@ threat.indicator.as.data.strings: For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.as.data.strings + flat_name: threat.enrichments.registry.data.strings level: core name: data.strings normalize: 
@@ -13816,11 +13643,11 @@ threat.indicator.as.data.strings: original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard -threat.indicator.as.data.type: - dashed_name: threat-indicator-as-data-type +threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type description: Standard registry type for encoding contents example: REG_SZ - flat_name: threat.indicator.as.data.type + flat_name: threat.enrichments.registry.data.type ignore_above: 1024 level: core name: data.type @@ -13828,11 +13655,11 @@ threat.indicator.as.data.type: original_fieldset: registry short: Standard registry type for encoding contents type: keyword -threat.indicator.as.hive: - dashed_name: threat-indicator-as-hive +threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive description: Abbreviated name for the hive. example: HKLM - flat_name: threat.indicator.as.hive + flat_name: threat.enrichments.registry.hive ignore_above: 1024 level: core name: hive 
@@ -13840,34 +13667,34 @@ threat.indicator.as.hive: original_fieldset: registry short: Abbreviated name for the hive. type: keyword -threat.indicator.as.key: - dashed_name: threat-indicator-as-key +threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.as.key + flat_name: threat.enrichments.registry.key level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: wildcard -threat.indicator.as.path: - dashed_name: threat-indicator-as-path +threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - flat_name: threat.indicator.as.path + flat_name: threat.enrichments.registry.path level: core name: path normalize: [] original_fieldset: registry short: Full path, including hive, key and value type: wildcard -threat.indicator.as.value: - dashed_name: threat-indicator-as-value +threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value description: Name of the value written. example: Debugger - flat_name: threat.indicator.as.value + flat_name: threat.enrichments.registry.value ignore_above: 1024 level: core name: value 
@@ -13875,1000 +13702,2079 @@ threat.indicator.as.value: original_fieldset: registry short: Name of the value written. type: keyword -threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 +threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain level: extended - name: indicator.confidence + name: domain normalize: [] - short: Indicator confidence rating - type: keyword -threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description + original_fieldset: url + short: Domain of the url. + type: wildcard +threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. 
For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension ignore_above: 1024 level: extended - name: indicator.description + name: extension normalize: [] - short: Indicator description + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword -threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective of - direction). - example: phish@example.com - flat_name: threat.indicator.email.address +threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.url.fragment ignore_above: 1024 level: extended - name: indicator.email.address + name: fragment normalize: [] - short: Indicator email address + original_fieldset: url + short: Portion of the url after the `#`. type: keyword -threat.indicator.file.accessed: - dashed_name: threat-indicator-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - flat_name: threat.indicator.file.accessed +threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full level: extended - name: accessed + multi_fields: + - flat_name: threat.enrichments.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: file - short: Last time the file was accessed. - type: date -threat.indicator.file.attributes: - dashed_name: threat-indicator-file-attributes - description: 'Array of file attributes. + original_fieldset: url + short: Full unparsed URL. + type: wildcard +threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, execute, - hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.indicator.file.attributes + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original + level: extended + multi_fields: + - flat_name: threat.enrichments.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: wildcard +threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password ignore_above: 1024 level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. 
+ name: password + normalize: [] + original_fieldset: url + short: Password of the request. type: keyword -threat.indicator.file.code_signature.exists: - dashed_name: threat-indicator-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.indicator.file.code_signature.exists - level: core - name: exists +threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path + level: extended + name: path normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -threat.indicator.file.code_signature.signing_id: - dashed_name: threat-indicator-file-code-signature-signing-id - description: 'The identifier used to sign the process. + original_fieldset: url + short: Path of the request, such as "/search". + type: wildcard +threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string + level: extended + name: port + normalize: [] + original_fieldset: url + short: Port of the request, such as 443. + type: long +threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.indicator.file.code_signature.signing_id + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. The `exists` query can be used to differentiate between the two + cases.' 
+ flat_name: threat.enrichments.url.query ignore_above: 1024 level: extended - name: signing_id + name: query normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: url + short: Query string of the request. type: keyword -threat.indicator.file.code_signature.status: - dashed_name: threat-indicator-file-code-signature-status - description: 'Additional information about the certificate status. +threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.indicator.file.code_signature.status - ignore_above: 1024 + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword -threat.indicator.file.code_signature.subject_name: - dashed_name: threat-indicator-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.indicator.file.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name + name: registered_domain normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword -threat.indicator.file.code_signature.team_id: - dashed_name: threat-indicator-file-code-signature-team-id - description: 'The team identifier used to sign the process. + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: wildcard +threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.indicator.file.code_signature.team_id + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme ignore_above: 1024 level: extended - name: team_id + name: scheme normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: url + short: Scheme of the url. type: keyword -threat.indicator.file.code_signature.trusted: - dashed_name: threat-indicator-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.indicator.file.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. 
- type: boolean -threat.indicator.file.code_signature.valid: - dashed_name: threat-indicator-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.indicator.file.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -threat.indicator.file.created: - dashed_name: threat-indicator-file-created - description: 'File creation time. - - Note that not all filesystems store the creation time.' - flat_name: threat.indicator.file.created - level: extended - name: created - normalize: [] - original_fieldset: file - short: File creation time. - type: date -threat.indicator.file.ctime: - dashed_name: threat-indicator-file-ctime - description: 'Last time the file attributes or metadata changed. +threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.indicator.file.ctime - level: extended - name: ctime - normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date -threat.indicator.file.device: - dashed_name: threat-indicator-file-device - description: Device that is the source of the file. 
- example: sda - flat_name: threat.indicator.file.device + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain ignore_above: 1024 level: extended - name: device + name: subdomain normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: url + short: The subdomain of the domain. type: keyword -threat.indicator.file.directory: - dashed_name: threat-indicator-file-directory - description: Directory where the file is located. It should include the drive letter, - when appropriate. - example: /home/alice - flat_name: threat.indicator.file.directory - level: extended - name: directory - normalize: [] - original_fieldset: file - short: Directory where the file is located. - type: wildcard -threat.indicator.file.drive_letter: - dashed_name: threat-indicator-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. +threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". - The value should be uppercase, and not include the colon.' - example: C - flat_name: threat.indicator.file.drive_letter - ignore_above: 1 - level: extended - name: drive_letter - normalize: [] - original_fieldset: file - short: Drive letter where the file is located. - type: keyword -threat.indicator.file.elf.architecture: - dashed_name: threat-indicator-file-elf-architecture - description: Machine architecture of the ELF file. 
- example: x86-64 - flat_name: threat.indicator.file.elf.architecture + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain ignore_above: 1024 level: extended - name: architecture + name: top_level_domain normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.indicator.file.elf.byte_order: - dashed_name: threat-indicator-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.indicator.file.elf.byte_order +threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. + flat_name: threat.enrichments.url.username ignore_above: 1024 level: extended - name: byte_order + name: username normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: url + short: Username of the request. type: keyword -threat.indicator.file.elf.cpu_type: - dashed_name: threat-indicator-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.indicator.file.elf.cpu_type +threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names ignore_above: 1024 level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. 
- type: keyword -threat.indicator.file.elf.creation_date: - dashed_name: threat-indicator-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: threat.indicator.file.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -threat.indicator.file.elf.exports: - dashed_name: threat-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.indicator.file.elf.exports - level: extended - name: exports + name: alternative_names normalize: - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -threat.indicator.file.elf.header.abi_version: - dashed_name: threat-indicator-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.indicator.file.elf.header.abi_version + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword +threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name ignore_above: 1024 level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. type: keyword -threat.indicator.file.elf.header.class: - dashed_name: threat-indicator-file-elf-header-class - description: Header class of the ELF file. 
- flat_name: threat.indicator.file.elf.header.class +threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country ignore_above: 1024 level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. - type: keyword -threat.indicator.file.elf.header.data: - dashed_name: threat-indicator-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.indicator.file.elf.header.data - ignore_above: 1024 - level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes type: keyword -threat.indicator.file.elf.header.entrypoint: - dashed_name: threat-indicator-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.indicator.file.elf.header.entrypoint - format: string - level: extended - name: header.entrypoint - normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -threat.indicator.file.elf.header.object_version: - dashed_name: threat-indicator-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.indicator.file.elf.header.object_version - ignore_above: 1024 +threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name level: extended - name: header.object_version + name: issuer.distinguished_name normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' 
- type: keyword -threat.indicator.file.elf.header.os_abi: - dashed_name: threat-indicator-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.indicator.file.elf.header.os_abi + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard +threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality ignore_above: 1024 level: extended - name: header.os_abi - normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.indicator.file.elf.header.type: - dashed_name: threat-indicator-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.indicator.file.elf.header.type +threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization ignore_above: 1024 level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword -threat.indicator.file.elf.header.version: - dashed_name: threat-indicator-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.indicator.file.elf.header.version +threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: header.version - normalize: [] - original_fieldset: elf - short: Version of the ELF header. - type: keyword -threat.indicator.file.elf.imports: - dashed_name: threat-indicator-file-elf-imports - description: List of imported element names and types. - flat_name: threat.indicator.file.elf.imports - level: extended - name: imports + name: issuer.organizational_unit normalize: - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -threat.indicator.file.elf.sections: - dashed_name: threat-indicator-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: threat.indicator.file.elf.sections + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province + ignore_above: 1024 level: extended - name: sections + name: issuer.state_or_province normalize: - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -threat.indicator.file.elf.sections.chi2: - dashed_name: threat-indicator-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. 
- flat_name: threat.indicator.file.elf.sections.chi2 - format: number + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after level: extended - name: sections.chi2 + name: not_after normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -threat.indicator.file.elf.sections.entropy: - dashed_name: threat-indicator-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.indicator.file.elf.sections.entropy - format: number + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before level: extended - name: sections.entropy + name: not_before normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -threat.indicator.file.elf.sections.flags: - dashed_name: threat-indicator-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.indicator.file.elf.sections.flags + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. 
+ example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm ignore_above: 1024 level: extended - name: sections.flags + name: public_key_algorithm normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword -threat.indicator.file.elf.sections.name: - dashed_name: threat-indicator-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.indicator.file.elf.sections.name +threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve ignore_above: 1024 level: extended - name: sections.name + name: public_key_curve normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword -threat.indicator.file.elf.sections.physical_offset: - dashed_name: threat-indicator-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.indicator.file.elf.sections.physical_offset - ignore_above: 1024 +threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false level: extended - name: sections.physical_offset + name: public_key_exponent normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -threat.indicator.file.elf.sections.physical_size: - dashed_name: threat-indicator-file-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: threat.indicator.file.elf.sections.physical_size - format: bytes + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size level: extended - name: sections.physical_size + name: public_key_size normalize: [] - original_fieldset: elf - short: ELF Section List physical size. + original_fieldset: x509 + short: The size of the public key space in bits. type: long -threat.indicator.file.elf.sections.type: - dashed_name: threat-indicator-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.indicator.file.elf.sections.type +threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number ignore_above: 1024 level: extended - name: sections.type + name: serial_number normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword -threat.indicator.file.elf.sections.virtual_address: - dashed_name: threat-indicator-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.indicator.file.elf.sections.virtual_address - format: string +threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm + ignore_above: 1024 level: extended - name: sections.virtual_address + name: signature_algorithm normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -threat.indicator.file.elf.sections.virtual_size: - dashed_name: threat-indicator-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.indicator.file.elf.sections.virtual_size - format: string + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword +threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name + ignore_above: 1024 level: extended - name: sections.virtual_size + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword +threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long -threat.indicator.file.elf.segments: - dashed_name: threat-indicator-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: threat.indicator.file.elf.segments + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: wildcard +threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality + ignore_above: 1024 level: extended - name: segments + name: subject.locality normalize: - array - original_fieldset: elf - short: ELF object segment list. - type: nested -threat.indicator.file.elf.segments.sections: - dashed_name: threat-indicator-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.indicator.file.elf.segments.sections + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization ignore_above: 1024 level: extended - name: segments.sections + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. 
+ type: keyword +threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number + ignore_above: 1024 + level: extended + name: version_number normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: x509 + short: Version of x509 format. type: keyword -threat.indicator.file.elf.segments.type: - dashed_name: threat-indicator-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.indicator.file.elf.segments.type +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework ignore_above: 1024 level: extended - name: segments.type + name: framework + normalize: [] + short: Threat classification framework. + type: keyword +threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." 
+ example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 + level: extended + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id + normalize: [] + short: ID of the group. + type: keyword +threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name + normalize: [] + short: Name of the group. + type: keyword +threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 + level: extended + name: group.reference + normalize: [] + short: Reference URL of the group. + type: keyword +threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard +threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword +threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). 
+ example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. 
+ type: keyword +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. 
+ type: date +threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword +threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword +threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. 
+ flat_name: threat.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: threat.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: threat.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword +threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. 
+ example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date +threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. 
+ example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword +threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard +threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard +threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. 
+ example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. 
+ type: keyword +threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: geo + short: Region name. type: keyword -threat.indicator.file.elf.shared_libraries: - dashed_name: threat-indicator-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.indicator.file.elf.shared_libraries +threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone ignore_above: 1024 - level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. type: keyword -threat.indicator.file.elf.telfhash: - dashed_name: threat-indicator-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.indicator.file.elf.telfhash +threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended - name: telfhash + name: md5 normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: hash + short: MD5 hash. type: keyword -threat.indicator.file.extension: - dashed_name: threat-indicator-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' 
- example: png - flat_name: threat.indicator.file.extension +threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended - name: extension + name: sha1 normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. + original_fieldset: hash + short: SHA1 hash. type: keyword -threat.indicator.file.gid: - dashed_name: threat-indicator-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.indicator.file.gid +threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended - name: gid + name: sha256 normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + original_fieldset: hash + short: SHA256 hash. type: keyword -threat.indicator.file.group: - dashed_name: threat-indicator-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.indicator.file.group +threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended - name: group + name: sha512 normalize: [] - original_fieldset: file - short: Primary group name of the file. + original_fieldset: hash + short: SHA512 hash. type: keyword -threat.indicator.file.inode: - dashed_name: threat-indicator-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.indicator.file.inode +threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep ignore_above: 1024 level: extended - name: inode + name: ssdeep normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. 
+ original_fieldset: hash + short: SSDEEP hash. type: keyword -threat.indicator.file.mime_type: - dashed_name: threat-indicator-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official - types], where possible. When more than one type is applicable, the most specific - type should be used. - flat_name: threat.indicator.file.mime_type - ignore_above: 1024 +threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip level: extended - name: mime_type + name: indicator.ip normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. - type: keyword -threat.indicator.file.mode: - dashed_name: threat-indicator-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.indicator.file.mode + short: Indicator IP address + type: ip +threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended - name: mode + name: indicator.marking.tlp normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + short: Indicator TLP marking type: keyword -threat.indicator.file.mtime: - dashed_name: threat-indicator-file-mtime - description: Last time the file content was modified. - flat_name: threat.indicator.file.mtime +threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: mtime + name: indicator.modified_at normalize: [] - original_fieldset: file - short: Last time the file content was modified. + short: Date/time indicator was last updated. type: date -threat.indicator.file.name: - dashed_name: threat-indicator-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.indicator.file.name +threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture ignore_above: 1024 level: extended - name: name + name: architecture normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -threat.indicator.file.owner: - dashed_name: threat-indicator-file-owner - description: File owner's username. 
- example: alice - flat_name: threat.indicator.file.owner +threat.indicator.pe.authentihash: + dashed_name: threat-indicator-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.indicator.pe.authentihash ignore_above: 1024 level: extended - name: owner + name: authentihash normalize: [] - original_fieldset: file - short: File owner's username. + original_fieldset: pe + short: Authentihash of the PE file. type: keyword -threat.indicator.file.path: - dashed_name: threat-indicator-file-path - description: Full path to the file, including the file name. It should include the - drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.indicator.file.path +threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.indicator.file.path.text - name: text - norms: false - type: text - name: path + name: company normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. - type: wildcard -threat.indicator.file.size: - dashed_name: threat-indicator-file-size - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.indicator.file.size + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.indicator.pe.compile_timestamp: + dashed_name: threat-indicator-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.compile_timestamp level: extended - name: size + name: compile_timestamp normalize: [] - original_fieldset: file - short: File size in bytes. 
- type: long -threat.indicator.file.target_path: - dashed_name: threat-indicator-file-target-path - description: Target path for symlinks. - flat_name: threat.indicator.file.target_path + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +threat.indicator.pe.compiler.name: + dashed_name: threat-indicator-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.indicator.pe.compiler.name + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.indicator.file.target_path.text - name: text - norms: false - type: text - name: target_path + name: compiler.name normalize: [] - original_fieldset: file - short: Target path for symlinks. - type: wildcard -threat.indicator.file.type: - dashed_name: threat-indicator-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.indicator.file.type + original_fieldset: pe + short: Name of the compiler + type: keyword +threat.indicator.pe.compiler.version: + dashed_name: threat-indicator-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.indicator.pe.compiler.version ignore_above: 1024 level: extended - name: type + name: compiler.version normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + original_fieldset: pe + short: Version of the compiler. type: keyword -threat.indicator.file.uid: - dashed_name: threat-indicator-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.indicator.file.uid +threat.indicator.pe.creation_date: + dashed_name: threat-indicator-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +threat.indicator.pe.debug: + dashed_name: threat-indicator-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.indicator.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +threat.indicator.pe.debug.offset: + dashed_name: threat-indicator-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.indicator.pe.debug.offset ignore_above: 1024 level: extended - name: uid + name: debug.offset normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + original_fieldset: pe + short: Debug offset information. type: keyword -threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. +threat.indicator.pe.debug.size: + dashed_name: threat-indicator-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.indicator.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +threat.indicator.pe.debug.timestamp: + dashed_name: threat-indicator-pe-debug-timestamp + description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen + flat_name: threat.indicator.pe.debug.timestamp level: extended - name: indicator.first_seen + name: debug.timestamp normalize: [] - short: Date/time indicator was first reported. 
+ original_fieldset: pe + short: Timestamp of the debug information. type: date -threat.indicator.geo.city_name: - dashed_name: threat-indicator-geo-city-name - description: City name. - example: Montreal - flat_name: threat.indicator.geo.city_name +threat.indicator.pe.debug.type: + dashed_name: threat-indicator-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.indicator.pe.debug.type ignore_above: 1024 - level: core - name: city_name + level: extended + name: debug.type normalize: [] - original_fieldset: geo - short: City name. + original_fieldset: pe + short: Information type generated by the debug options. type: keyword -threat.indicator.geo.continent_code: - dashed_name: threat-indicator-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.indicator.geo.continent_code +threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description ignore_above: 1024 - level: core - name: continent_code + level: extended + name: description normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword -threat.indicator.geo.continent_name: - dashed_name: threat-indicator-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.indicator.geo.continent_name +threat.indicator.pe.entry_point: + dashed_name: threat-indicator-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.indicator.pe.entry_point ignore_above: 1024 - level: core - name: continent_name + level: extended + name: entry_point normalize: [] - original_fieldset: geo - short: Name of the continent. 
+ original_fieldset: pe + short: Relative byte offset to the base of the PE file. type: keyword -threat.indicator.geo.country_iso_code: - dashed_name: threat-indicator-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.indicator.geo.country_iso_code +threat.indicator.pe.exports: + dashed_name: threat-indicator-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.indicator.pe.exports ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE type: keyword -threat.indicator.geo.country_name: - dashed_name: threat-indicator-geo-country-name - description: Country name. - example: Canada - flat_name: threat.indicator.geo.country_name +threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version ignore_above: 1024 - level: core - name: country_name + level: extended + name: file_version normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: pe + short: Process name. type: keyword -threat.indicator.geo.location: - dashed_name: threat-indicator-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.indicator.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -threat.indicator.geo.name: - dashed_name: threat-indicator-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. 
- - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.indicator.geo.name +threat.indicator.pe.icon.hash.dhash: + dashed_name: threat-indicator-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.indicator.pe.icon.hash.dhash + ignore_above: 1024 level: extended - name: name + name: icon.hash.dhash normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: wildcard -threat.indicator.geo.postal_code: - dashed_name: threat-indicator-geo-postal-code - description: 'Postal code associated with the location. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword +threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.indicator.geo.postal_code + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash ignore_above: 1024 - level: core - name: postal_code + level: extended + name: imphash normalize: [] - original_fieldset: geo - short: Postal code. + original_fieldset: pe + short: A hash of the imports in a PE file. 
type: keyword -threat.indicator.geo.region_iso_code: - dashed_name: threat-indicator-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.indicator.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code +threat.indicator.pe.imports: + dashed_name: threat-indicator-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.indicator.pe.imports + level: extended + name: imports normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword -threat.indicator.geo.region_name: - dashed_name: threat-indicator-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.indicator.geo.region_name + original_fieldset: pe + short: List of all imported functions + type: flattened +threat.indicator.pe.machine_type: + dashed_name: threat-indicator-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.indicator.pe.machine_type ignore_above: 1024 - level: core - name: region_name + level: extended + name: machine_type normalize: [] - original_fieldset: geo - short: Region name. + original_fieldset: pe + short: Machine type of the PE file. type: keyword -threat.indicator.geo.timezone: - dashed_name: threat-indicator-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.indicator.geo.timezone - ignore_above: 1024 - level: core - name: timezone +threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + level: extended + name: original_file_name normalize: [] - original_fieldset: geo - short: Time zone. 
+ original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +threat.indicator.pe.packers: + dashed_name: threat-indicator-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.indicator.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. type: keyword -threat.indicator.hash.md5: - dashed_name: threat-indicator-hash-md5 - description: MD5 hash. - flat_name: threat.indicator.hash.md5 +threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product ignore_above: 1024 level: extended - name: md5 + name: product normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword -threat.indicator.hash.sha1: - dashed_name: threat-indicator-hash-sha1 - description: SHA1 hash. - flat_name: threat.indicator.hash.sha1 +threat.indicator.pe.resources: + dashed_name: threat-indicator-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.indicator.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +threat.indicator.pe.resources.chi2: + dashed_name: threat-indicator-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.indicator.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. 
+ type: long +threat.indicator.pe.resources.entropy: + dashed_name: threat-indicator-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.indicator.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +threat.indicator.pe.resources.filetype: + dashed_name: threat-indicator-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.indicator.pe.resources.filetype ignore_above: 1024 level: extended - name: sha1 + name: resources.filetype normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: pe + short: File type of the resources section. type: keyword -threat.indicator.hash.sha256: - dashed_name: threat-indicator-hash-sha256 - description: SHA256 hash. - flat_name: threat.indicator.hash.sha256 +threat.indicator.pe.resources.language: + dashed_name: threat-indicator-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.indicator.pe.resources.language ignore_above: 1024 level: extended - name: sha256 + name: resources.language normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: pe + short: Language identification. type: keyword -threat.indicator.hash.sha512: - dashed_name: threat-indicator-hash-sha512 - description: SHA512 hash. - flat_name: threat.indicator.hash.sha512 +threat.indicator.pe.resources.sha256: + dashed_name: threat-indicator-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.indicator.pe.resources.sha256 ignore_above: 1024 level: extended - name: sha512 + name: resources.sha256 normalize: [] - original_fieldset: hash - short: SHA512 hash. 
+ original_fieldset: pe + short: SHA256 hash of resources section. type: keyword -threat.indicator.hash.ssdeep: - dashed_name: threat-indicator-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.indicator.hash.ssdeep +threat.indicator.pe.resources.type: + dashed_name: threat-indicator-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.indicator.pe.resources.type ignore_above: 1024 level: extended - name: ssdeep + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +threat.indicator.pe.rich_header.hash.md5: + dashed_name: threat-indicator-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.indicator.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword -threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip +threat.indicator.pe.sections: + dashed_name: threat-indicator-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.indicator.pe.sections level: extended - name: indicator.ip + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +threat.indicator.pe.sections.chi2: + dashed_name: threat-indicator-pe-sections-chi2 + description: Chi-square probability distribution. 
+ example: 3027194 + flat_name: threat.indicator.pe.sections.chi2 + level: extended + name: sections.chi2 normalize: [] - short: Indicator IP address - type: ip -threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting this - indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.indicator.pe.sections.entropy: + dashed_name: threat-indicator-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.indicator.pe.sections.entropy level: extended - name: indicator.last_seen + name: sections.entropy normalize: [] - short: Date/time indicator was last reported. - type: date -threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +threat.indicator.pe.sections.flags: + dashed_name: threat-indicator-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.indicator.pe.sections.flags ignore_above: 1024 level: extended - name: indicator.marking.tlp + name: sections.flags normalize: [] - short: Indicator TLP marking + original_fieldset: pe + short: Section flags of the file. type: keyword -threat.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at +threat.indicator.pe.sections.name: + dashed_name: threat-indicator-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.indicator.pe.sections.name + ignore_above: 1024 level: extended - name: indicator.modified_at + name: sections.name normalize: [] - short: Date/time indicator was last updated. - type: date + original_fieldset: pe + short: Section names of the file. + type: keyword +threat.indicator.pe.sections.raw_size: + dashed_name: threat-indicator-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.indicator.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +threat.indicator.pe.sections.virtual_address: + dashed_name: threat-indicator-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.indicator.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long threat.indicator.port: beta: This field is beta and subject to change. dashed_name: threat-indicator-port 
@@ -14904,6 +15810,99 @@ threat.indicator.reference: normalize: [] short: Indicator reference URL type: keyword +threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword +threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. 
+ type: wildcard +threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard +threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword threat.indicator.scanner_stats: beta: This field is beta and subject to change. 
dashed_name: threat-indicator-scanner-stats diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index d0e78b4011..bac350a361 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -8191,14 +8191,14 @@ pe: - as: pe at: process full: process.pe - - as: as + - as: pe at: threat.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.indicator.as - - as: as + full: threat.indicator.pe + - as: pe at: threat.enrichments.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + full: threat.enrichments.indicator.pe - as: pe at: threat.enrichments full: threat.enrichments.pe @@ -13033,14 +13033,14 @@ registry: prefix: registry. reusable: expected: - - as: as + - as: registry at: threat.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.indicator.as - - as: as + full: threat.indicator.registry + - as: registry at: threat.enrichments.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + full: threat.enrichments.indicator.registry - as: registry at: threat.enrichments full: threat.enrichments.registry 
@@ -14377,98 +14377,60 @@ threat: normalize: [] short: Indicators type: object - threat.enrichments.indicator.as.data.bytes: - dashed_name: threat-enrichments-indicator-as-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.indicator.as.data.bytes + threat.enrichments.indicator.as.md5: + dashed_name: threat-enrichments-indicator-as-md5 + description: MD5 hash. + flat_name: threat.enrichments.indicator.as.md5 ignore_above: 1024 level: extended - name: data.bytes + name: md5 normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. + original_fieldset: hash + short: MD5 hash. type: keyword - threat.enrichments.indicator.as.data.strings: - dashed_name: threat-enrichments-indicator-as-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.indicator.as.data.strings - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: wildcard - threat.enrichments.indicator.as.data.type: - dashed_name: threat-enrichments-indicator-as-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.indicator.as.data.type + threat.enrichments.indicator.as.sha1: + dashed_name: threat-enrichments-indicator-as-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.as.sha1 ignore_above: 1024 - level: core - name: data.type + level: extended + name: sha1 normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: hash + short: SHA1 hash. type: keyword - threat.enrichments.indicator.as.hive: - dashed_name: threat-enrichments-indicator-as-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.indicator.as.hive + threat.enrichments.indicator.as.sha256: + dashed_name: threat-enrichments-indicator-as-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.as.sha256 ignore_above: 1024 - level: core - name: hive + level: extended + name: sha256 normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: hash + short: SHA256 hash. type: keyword - threat.enrichments.indicator.as.key: - dashed_name: threat-enrichments-indicator-as-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.indicator.as.key - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. 
- type: wildcard - threat.enrichments.indicator.as.path: - dashed_name: threat-enrichments-indicator-as-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.indicator.as.path - level: core - name: path + threat.enrichments.indicator.as.sha512: + dashed_name: threat-enrichments-indicator-as-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.as.sha512 + ignore_above: 1024 + level: extended + name: sha512 normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: wildcard - threat.enrichments.indicator.as.value: - dashed_name: threat-enrichments-indicator-as-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.indicator.as.value + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.enrichments.indicator.as.ssdeep: + dashed_name: threat-enrichments-indicator-as-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.as.ssdeep ignore_above: 1024 - level: core - name: value + level: extended + name: ssdeep normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: hash + short: SSDEEP hash. type: keyword threat.enrichments.indicator.confidence: beta: This field is beta and subject to change. 
@@ -14571,149 +14533,11 @@ threat: normalize: [] short: Date/time indicator was last updated. type: date - threat.enrichments.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - flat_name: threat.enrichments.indicator.port - level: extended - name: enrichments.indicator.port - normalize: [] - short: Indicator port - type: long - threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.enrichments.indicator.provider - ignore_above: 1024 - level: extended - name: enrichments.indicator.provider - normalize: [] - short: Indicator provider - type: keyword - threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.enrichments.indicator.reference - ignore_above: 1024 - level: extended - name: enrichments.indicator.reference - normalize: [] - short: Indicator reference URL - type: keyword - threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - flat_name: threat.enrichments.indicator.scanner_stats - level: extended - name: enrichments.indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long - threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.enrichments.indicator.sightings - level: extended - name: enrichments.indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long - threat.enrichments.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.enrichments.indicator.type - ignore_above: 1024 - level: extended - name: enrichments.indicator.type - normalize: [] - short: Type of indicator - type: keyword - threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic - ignore_above: 1024 - level: extended - name: enrichments.matched.atomic - normalize: [] - short: Matched indicator value - type: keyword - threat.enrichments.matched.field: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. 
- example: file.hash.sha256 - flat_name: threat.enrichments.matched.field - ignore_above: 1024 - level: extended - name: enrichments.matched.field - normalize: [] - short: Matched indicator field - type: keyword - threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id - ignore_above: 1024 - level: extended - name: enrichments.matched.id - normalize: [] - short: Matched indicator identifier - type: keyword - threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index - ignore_above: 1024 - level: extended - name: enrichments.matched.index - normalize: [] - short: Matched indicator index - type: keyword - threat.enrichments.matched.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type - ignore_above: 1024 - level: extended - name: enrichments.matched.type - normalize: [] - short: Type of indicator match - type: keyword - threat.enrichments.pe.architecture: - dashed_name: threat-enrichments-pe-architecture + threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: threat.enrichments.pe.architecture + flat_name: threat.enrichments.indicator.pe.architecture ignore_above: 1024 level: extended name: architecture 
@@ -14721,11 +14545,11 @@ threat: original_fieldset: pe short: CPU architecture target for the file. type: keyword - threat.enrichments.pe.authentihash: - dashed_name: threat-enrichments-pe-authentihash + threat.enrichments.indicator.pe.authentihash: + dashed_name: threat-enrichments-indicator-pe-authentihash description: Authentihash of the PE file. example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.pe.authentihash + flat_name: threat.enrichments.indicator.pe.authentihash ignore_above: 1024 level: extended name: authentihash @@ -14733,11 +14557,11 @@ threat: original_fieldset: pe short: Authentihash of the PE file. type: keyword - threat.enrichments.pe.company: - dashed_name: threat-enrichments-pe-company + threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: threat.enrichments.pe.company + flat_name: threat.enrichments.indicator.pe.company ignore_above: 1024 level: extended name: company 
@@ -14745,22 +14569,22 @@ threat: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - threat.enrichments.pe.compile_timestamp: - dashed_name: threat-enrichments-pe-compile-timestamp + threat.enrichments.indicator.pe.compile_timestamp: + dashed_name: threat-enrichments-indicator-pe-compile-timestamp description: Compile timestamp of the PE file. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.compile_timestamp + flat_name: threat.enrichments.indicator.pe.compile_timestamp level: extended name: compile_timestamp normalize: [] original_fieldset: pe short: Compile timestamp of the PE file. type: date - threat.enrichments.pe.compiler.name: - dashed_name: threat-enrichments-pe-compiler-name + threat.enrichments.indicator.pe.compiler.name: + dashed_name: threat-enrichments-indicator-pe-compiler-name description: Name of the compiler example: Clang - flat_name: threat.enrichments.pe.compiler.name + flat_name: threat.enrichments.indicator.pe.compiler.name ignore_above: 1024 level: extended name: compiler.name @@ -14768,11 +14592,11 @@ threat: original_fieldset: pe short: Name of the compiler type: keyword - threat.enrichments.pe.compiler.version: - dashed_name: threat-enrichments-pe-compiler-version + threat.enrichments.indicator.pe.compiler.version: + dashed_name: threat-enrichments-indicator-pe-compiler-version description: Version of the compiler. example: 11.0.0 - flat_name: threat.enrichments.pe.compiler.version + flat_name: threat.enrichments.indicator.pe.compiler.version ignore_above: 1024 level: extended name: compiler.version 
@@ -14780,24 +14604,24 @@ threat: original_fieldset: pe short: Version of the compiler. type: keyword - threat.enrichments.pe.creation_date: - dashed_name: threat-enrichments-pe-creation-date + threat.enrichments.indicator.pe.creation_date: + dashed_name: threat-enrichments-indicator-pe-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.creation_date + flat_name: threat.enrichments.indicator.pe.creation_date level: extended name: creation_date normalize: [] original_fieldset: pe short: Build or compile date. type: date - threat.enrichments.pe.debug: - dashed_name: threat-enrichments-pe-debug + threat.enrichments.indicator.pe.debug: + dashed_name: threat-enrichments-indicator-pe-debug description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.enrichments.pe.debug + flat_name: threat.enrichments.indicator.pe.debug level: extended name: debug normalize: @@ -14805,11 +14629,11 @@ threat: original_fieldset: pe short: Debug information type: nested - threat.enrichments.pe.debug.offset: - dashed_name: threat-enrichments-pe-debug-offset + threat.enrichments.indicator.pe.debug.offset: + dashed_name: threat-enrichments-indicator-pe-debug-offset description: Debug offset information. example: 1296336 - flat_name: threat.enrichments.pe.debug.offset + flat_name: threat.enrichments.indicator.pe.debug.offset ignore_above: 1024 level: extended name: debug.offset 
@@ -14817,11 +14641,11 @@ threat: original_fieldset: pe short: Debug offset information. type: keyword - threat.enrichments.pe.debug.size: - dashed_name: threat-enrichments-pe-debug-size + threat.enrichments.indicator.pe.debug.size: + dashed_name: threat-enrichments-indicator-pe-debug-size description: Size of the debug information. example: 816 - flat_name: threat.enrichments.pe.debug.size + flat_name: threat.enrichments.indicator.pe.debug.size format: bytes level: extended name: debug.size @@ -14829,22 +14653,22 @@ threat: original_fieldset: pe short: Size of the debug information. type: long - threat.enrichments.pe.debug.timestamp: - dashed_name: threat-enrichments-pe-debug-timestamp + threat.enrichments.indicator.pe.debug.timestamp: + dashed_name: threat-enrichments-indicator-pe-debug-timestamp description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.debug.timestamp + flat_name: threat.enrichments.indicator.pe.debug.timestamp level: extended name: debug.timestamp normalize: [] original_fieldset: pe short: Timestamp of the debug information. type: date - threat.enrichments.pe.debug.type: - dashed_name: threat-enrichments-pe-debug-type + threat.enrichments.indicator.pe.debug.type: + dashed_name: threat-enrichments-indicator-pe-debug-type description: Information type generated by the debug options. example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.pe.debug.type + flat_name: threat.enrichments.indicator.pe.debug.type ignore_above: 1024 level: extended name: debug.type 
@@ -14852,11 +14676,11 @@ threat: original_fieldset: pe short: Information type generated by the debug options. type: keyword - threat.enrichments.pe.description: - dashed_name: threat-enrichments-pe-description + threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: threat.enrichments.pe.description + flat_name: threat.enrichments.indicator.pe.description ignore_above: 1024 level: extended name: description @@ -14864,11 +14688,11 @@ threat: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - threat.enrichments.pe.entry_point: - dashed_name: threat-enrichments-pe-entry-point + threat.enrichments.indicator.pe.entry_point: + dashed_name: threat-enrichments-indicator-pe-entry-point description: Relative byte offset to the base of the PE file. example: 25856 - flat_name: threat.enrichments.pe.entry_point + flat_name: threat.enrichments.indicator.pe.entry_point ignore_above: 1024 level: extended name: entry_point @@ -14876,11 +14700,11 @@ threat: original_fieldset: pe short: Relative byte offset to the base of the PE file. type: keyword - threat.enrichments.pe.exports: - dashed_name: threat-enrichments-pe-exports + threat.enrichments.indicator.pe.exports: + dashed_name: threat-enrichments-indicator-pe-exports description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.pe.exports + flat_name: threat.enrichments.indicator.pe.exports ignore_above: 1024 level: extended name: exports 
@@ -14889,11 +14713,11 @@ threat: original_fieldset: pe short: List of symbols exported by PE type: keyword - threat.enrichments.pe.file_version: - dashed_name: threat-enrichments-pe-file-version + threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: threat.enrichments.pe.file_version + flat_name: threat.enrichments.indicator.pe.file_version ignore_above: 1024 level: extended name: file_version @@ -14901,12 +14725,12 @@ threat: original_fieldset: pe short: Process name. type: keyword - threat.enrichments.pe.icon.hash.dhash: - dashed_name: threat-enrichments-pe-icon-hash-dhash + threat.enrichments.indicator.pe.icon.hash.dhash: + dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash description: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. example: b806e17c8e330d82 - flat_name: threat.enrichments.pe.icon.hash.dhash + flat_name: threat.enrichments.indicator.pe.icon.hash.dhash ignore_above: 1024 level: extended name: icon.hash.dhash @@ -14915,15 +14739,15 @@ threat: short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword - threat.enrichments.pe.imphash: - dashed_name: threat-enrichments-pe-imphash + threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.pe.imphash + flat_name: threat.enrichments.indicator.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -14931,23 +14755,23 @@ threat: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - threat.enrichments.pe.imports: - dashed_name: threat-enrichments-pe-imports + threat.enrichments.indicator.pe.imports: + dashed_name: threat-enrichments-indicator-pe-imports description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' - flat_name: threat.enrichments.pe.imports + flat_name: threat.enrichments.indicator.pe.imports level: extended name: imports normalize: [] original_fieldset: pe short: List of all imported functions type: flattened - threat.enrichments.pe.machine_type: - dashed_name: threat-enrichments-pe-machine-type + threat.enrichments.indicator.pe.machine_type: + dashed_name: threat-enrichments-indicator-pe-machine-type description: Machine type of the PE file. example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.pe.machine_type + flat_name: threat.enrichments.indicator.pe.machine_type ignore_above: 1024 level: extended name: machine_type 
@@ -14955,22 +14779,22 @@ threat: original_fieldset: pe short: Machine type of the PE file. type: keyword - threat.enrichments.pe.original_file_name: - dashed_name: threat-enrichments-pe-original-file-name + threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: threat.enrichments.pe.original_file_name + flat_name: threat.enrichments.indicator.pe.original_file_name level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard - threat.enrichments.pe.packers: - dashed_name: threat-enrichments-pe-packers + threat.enrichments.indicator.pe.packers: + dashed_name: threat-enrichments-indicator-pe-packers description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.pe.packers + flat_name: threat.enrichments.indicator.pe.packers ignore_above: 1024 level: extended name: packers @@ -14979,11 +14803,11 @@ threat: original_fieldset: pe short: List of packers and tools used. type: keyword - threat.enrichments.pe.product: - dashed_name: threat-enrichments-pe-product + threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.pe.product + flat_name: threat.enrichments.indicator.pe.product ignore_above: 1024 level: extended name: product 
@@ -14991,12 +14815,12 @@ threat: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - threat.enrichments.pe.resources: - dashed_name: threat-enrichments-pe-resources + threat.enrichments.indicator.pe.resources: + dashed_name: threat-enrichments-indicator-pe-resources description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.pe.resources + flat_name: threat.enrichments.indicator.pe.resources level: extended name: resources normalize: 
@@ -15004,33 +14828,33 @@ threat: original_fieldset: pe short: PE resource information type: nested - threat.enrichments.pe.resources.chi2: - dashed_name: threat-enrichments-pe-resources-chi2 + threat.enrichments.indicator.pe.resources.chi2: + dashed_name: threat-enrichments-indicator-pe-resources-chi2 description: Chi-square probability distribution. example: -1 - flat_name: threat.enrichments.pe.resources.chi2 + flat_name: threat.enrichments.indicator.pe.resources.chi2 level: extended name: resources.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long - threat.enrichments.pe.resources.entropy: - dashed_name: threat-enrichments-pe-resources-entropy + threat.enrichments.indicator.pe.resources.entropy: + dashed_name: threat-enrichments-indicator-pe-resources-entropy description: Measurement of entropy randomness in the resources section. example: 0, 1 - flat_name: threat.enrichments.pe.resources.entropy + flat_name: threat.enrichments.indicator.pe.resources.entropy level: extended name: resources.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the resources section. type: long - threat.enrichments.pe.resources.filetype: - dashed_name: threat-enrichments-pe-resources-filetype + threat.enrichments.indicator.pe.resources.filetype: + dashed_name: threat-enrichments-indicator-pe-resources-filetype description: File type of the resources section. example: Data - flat_name: threat.enrichments.pe.resources.filetype + flat_name: threat.enrichments.indicator.pe.resources.filetype ignore_above: 1024 level: extended name: resources.filetype 
@@ -15038,11 +14862,11 @@ threat: original_fieldset: pe short: File type of the resources section. type: keyword - threat.enrichments.pe.resources.language: - dashed_name: threat-enrichments-pe-resources-language + threat.enrichments.indicator.pe.resources.language: + dashed_name: threat-enrichments-indicator-pe-resources-language description: Language identification. example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.pe.resources.language + flat_name: threat.enrichments.indicator.pe.resources.language ignore_above: 1024 level: extended name: resources.language @@ -15050,11 +14874,11 @@ threat: original_fieldset: pe short: Language identification. type: keyword - threat.enrichments.pe.resources.sha256: - dashed_name: threat-enrichments-pe-resources-sha256 + threat.enrichments.indicator.pe.resources.sha256: + dashed_name: threat-enrichments-indicator-pe-resources-sha256 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.pe.resources.sha256 + flat_name: threat.enrichments.indicator.pe.resources.sha256 ignore_above: 1024 level: extended name: resources.sha256 @@ -15062,11 +14886,11 @@ threat: original_fieldset: pe short: SHA256 hash of resources section. type: keyword - threat.enrichments.pe.resources.type: - dashed_name: threat-enrichments-pe-resources-type + threat.enrichments.indicator.pe.resources.type: + dashed_name: threat-enrichments-indicator-pe-resources-type description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.pe.resources.type + flat_name: threat.enrichments.indicator.pe.resources.type ignore_above: 1024 level: extended name: resources.type 
@@ -15075,11 +14899,11 @@ threat: original_fieldset: pe short: List of resource types. type: keyword - threat.enrichments.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-pe-rich-header-hash-md5 + threat.enrichments.indicator.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.pe.rich_header.hash.md5 + flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5 ignore_above: 1024 level: extended name: rich_header.hash.md5 @@ -15087,10 +14911,10 @@ threat: original_fieldset: pe short: MD5 hash of the header for the PE file. type: keyword - threat.enrichments.pe.sections: - dashed_name: threat-enrichments-pe-sections + threat.enrichments.indicator.pe.sections: + dashed_name: threat-enrichments-indicator-pe-sections description: Data about sections of compiled binary PE - flat_name: threat.enrichments.pe.sections + flat_name: threat.enrichments.indicator.pe.sections level: extended name: sections normalize: 
@@ -15098,33 +14922,33 @@ threat: original_fieldset: pe short: Data about sections of the compiled binary PE type: nested - threat.enrichments.pe.sections.chi2: - dashed_name: threat-enrichments-pe-sections-chi2 + threat.enrichments.indicator.pe.sections.chi2: + dashed_name: threat-enrichments-indicator-pe-sections-chi2 description: Chi-square probability distribution. example: 3027194 - flat_name: threat.enrichments.pe.sections.chi2 + flat_name: threat.enrichments.indicator.pe.sections.chi2 level: extended name: sections.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long - threat.enrichments.pe.sections.entropy: - dashed_name: threat-enrichments-pe-sections-entropy + threat.enrichments.indicator.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-pe-sections-entropy description: Measurement of entropy randomness in the file. example: 6.24 - flat_name: threat.enrichments.pe.sections.entropy + flat_name: threat.enrichments.indicator.pe.sections.entropy level: extended name: sections.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the file. type: float - threat.enrichments.pe.sections.flags: - dashed_name: threat-enrichments-pe-sections-flags + threat.enrichments.indicator.pe.sections.flags: + dashed_name: threat-enrichments-indicator-pe-sections-flags description: Section flags of the file. example: rx - flat_name: threat.enrichments.pe.sections.flags + flat_name: threat.enrichments.indicator.pe.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -15132,11 +14956,11 @@ threat: original_fieldset: pe short: Section flags of the file. type: keyword - threat.enrichments.pe.sections.name: - dashed_name: threat-enrichments-pe-sections-name + threat.enrichments.indicator.pe.sections.name: + dashed_name: threat-enrichments-indicator-pe-sections-name description: Section names of the file. example: .text, .data - flat_name: threat.enrichments.pe.sections.name + flat_name: threat.enrichments.indicator.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -15144,11 +14968,11 @@ threat: original_fieldset: pe short: Section names of the file. type: keyword - threat.enrichments.pe.sections.raw_size: - dashed_name: threat-enrichments-pe-sections-raw-size + threat.enrichments.indicator.pe.sections.raw_size: + dashed_name: threat-enrichments-indicator-pe-sections-raw-size description: Size of the section or the dize of the initialized data on disk. example: 198144 - flat_name: threat.enrichments.pe.sections.raw_size + flat_name: threat.enrichments.indicator.pe.sections.raw_size format: bytes level: extended name: sections.raw_size @@ -15156,11 +14980,11 @@ threat: original_fieldset: pe short: Size of the section or the dize of the initialized data on disk. type: long - threat.enrichments.pe.sections.virtual_address: - dashed_name: threat-enrichments-pe-sections-virtual-address + threat.enrichments.indicator.pe.sections.virtual_address: + dashed_name: threat-enrichments-indicator-pe-sections-virtual-address description: Virtual address available to the file. example: 8192 - flat_name: threat.enrichments.pe.sections.virtual_address + flat_name: threat.enrichments.indicator.pe.sections.virtual_address format: bytes level: extended name: sections.virtual_address 
@@ -15168,15 +14992,51 @@ threat: original_fieldset: pe short: Virtual address available to the file. type: long - threat.enrichments.registry.data.bytes: - dashed_name: threat-enrichments-registry-data-bytes + threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long + threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider + ignore_above: 1024 + level: extended + name: enrichments.indicator.provider + normalize: [] + short: Indicator provider + type: keyword + threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference + ignore_above: 1024 + level: extended + name: enrichments.indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword + threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' 
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.registry.data.bytes + flat_name: threat.enrichments.indicator.registry.data.bytes ignore_above: 1024 level: extended name: data.bytes @@ -15184,8 +15044,8 @@ threat: original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword - threat.enrichments.registry.data.strings: - dashed_name: threat-enrichments-registry-data-strings + threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single @@ -15194,7 +15054,7 @@ threat: variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.registry.data.strings + flat_name: threat.enrichments.indicator.registry.data.strings level: core name: data.strings normalize: @@ -15202,11 +15062,11 @@ threat: original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard - threat.enrichments.registry.data.type: - dashed_name: threat-enrichments-registry-data-type + threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type description: Standard registry type for encoding contents example: REG_SZ - flat_name: threat.enrichments.registry.data.type + flat_name: threat.enrichments.indicator.registry.data.type ignore_above: 1024 level: core name: data.type 
@@ -15214,11 +15074,11 @@ threat: original_fieldset: registry short: Standard registry type for encoding contents type: keyword - threat.enrichments.registry.hive: - dashed_name: threat-enrichments-registry-hive + threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive description: Abbreviated name for the hive. example: HKLM - flat_name: threat.enrichments.registry.hive + flat_name: threat.enrichments.indicator.registry.hive ignore_above: 1024 level: core name: hive 
@@ -15226,34 +15086,34 @@ threat: original_fieldset: registry short: Abbreviated name for the hive. type: keyword - threat.enrichments.registry.key: - dashed_name: threat-enrichments-registry-key + threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.registry.key + flat_name: threat.enrichments.indicator.registry.key level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: wildcard - threat.enrichments.registry.path: - dashed_name: threat-enrichments-registry-path + threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - flat_name: threat.enrichments.registry.path + flat_name: threat.enrichments.indicator.registry.path level: core name: path normalize: [] original_fieldset: registry short: Full path, including hive, key and value type: wildcard - threat.enrichments.registry.value: - dashed_name: threat-enrichments-registry-value + threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value description: Name of the value written. example: Debugger - flat_name: threat.enrichments.registry.value + flat_name: threat.enrichments.indicator.registry.value ignore_above: 1024 level: core name: value 
@@ -15261,640 +15121,606 @@ threat: original_fieldset: registry short: Name of the value written. type: keyword - threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co - flat_name: threat.enrichments.url.domain + threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats level: extended - name: domain + name: enrichments.indicator.scanner_stats normalize: [] - original_fieldset: url - short: Domain of the url. - type: wildcard - threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.url.extension + short: Scanner statistics + type: long + threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended - name: extension + name: enrichments.indicator.type normalize: [] - original_fieldset: url - short: File extension from the request url, excluding the leading dot. + short: Type of indicator type: keyword - threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended - name: fragment + name: enrichments.matched.atomic normalize: [] - original_fieldset: url - short: Portion of the url after the `#`. 
+ short: Matched indicator value type: keyword - threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.full.text - name: text - norms: false - type: text - name: full + name: enrichments.matched.field normalize: [] - original_fieldset: url - short: Full unparsed URL. - type: wildcard - threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original - level: extended - multi_fields: - - flat_name: threat.enrichments.url.original.text - name: text - norms: false - type: text - name: original - normalize: [] - original_fieldset: url - short: Unmodified original url as seen in the event source. - type: wildcard - threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password - description: Password of the request. 
- flat_name: threat.enrichments.url.password + short: Matched indicator field + type: keyword + threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id ignore_above: 1024 level: extended - name: password + name: enrichments.matched.id normalize: [] - original_fieldset: url - short: Password of the request. + short: Matched indicator identifier type: keyword - threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path - description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path - level: extended - name: path - normalize: [] - original_fieldset: url - short: Path of the request, such as "/search". - type: wildcard - threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port - description: Port of the request, such as 443. - example: 443 - flat_name: threat.enrichments.url.port - format: string - level: extended - name: port - normalize: [] - original_fieldset: url - short: Port of the request, such as 443. - type: long - threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' - flat_name: threat.enrichments.url.query + threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. 
+ example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: query + name: enrichments.matched.index normalize: [] - original_fieldset: url - short: Query string of the request. + short: Matched indicator index type: keyword - threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: threat.enrichments.url.registered_domain - level: extended - name: registered_domain - normalize: [] - original_fieldset: url - short: The highest registered url domain, stripped of the subdomain. - type: wildcard - threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: threat.enrichments.url.scheme + threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type ignore_above: 1024 level: extended - name: scheme + name: enrichments.matched.type normalize: [] - original_fieldset: url - short: Scheme of the url. 
+ short: Type of indicator match type: keyword - threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: threat.enrichments.url.subdomain + threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.pe.architecture ignore_above: 1024 level: extended - name: subdomain + name: architecture normalize: [] - original_fieldset: url - short: The subdomain of the domain. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword - threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: threat.enrichments.url.top_level_domain + threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. 
+ example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash ignore_above: 1024 level: extended - name: top_level_domain + name: authentihash normalize: [] - original_fieldset: url - short: The effective top level domain (com, org, net, co.uk). + original_fieldset: pe + short: Authentihash of the PE file. type: keyword - threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username - description: Username of the request. - flat_name: threat.enrichments.url.username + threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.pe.company ignore_above: 1024 level: extended - name: username + name: company normalize: [] - original_fieldset: url - short: Username of the request. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword - threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names - ignore_above: 1024 + threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp level: extended - name: alternative_names - normalize: - - array - original_fieldset: x509 - short: List of subject alternative names (SAN). 
- type: keyword - threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name ignore_above: 1024 level: extended - name: issuer.common_name - normalize: - - array - original_fieldset: x509 - short: List of common name (CN) of issuing certificate authority. + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler type: keyword - threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country - description: List of country (C) codes - example: US - flat_name: threat.enrichments.x509.issuer.country + threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version ignore_above: 1024 level: extended - name: issuer.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) codes + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. type: keyword - threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name - description: Distinguished name (DN) of issuing certificate authority. 
- example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date level: extended - name: issuer.distinguished_name + name: creation_date normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of issuing certificate authority. - type: wildcard - threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality - description: List of locality names (L) - example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality - ignore_above: 1024 - level: extended - name: issuer.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) - type: keyword - threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization - ignore_above: 1024 - level: extended - name: issuer.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of issuing certificate authority. - type: keyword - threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit - ignore_above: 1024 + original_fieldset: pe + short: Build or compile date. 
+ type: date + threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug level: extended - name: issuer.organizational_unit + name: debug normalize: - array - original_fieldset: x509 - short: List of organizational units (OU) of issuing certificate authority. - type: keyword - threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + original_fieldset: pe + short: Debug information + type: nested + threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset ignore_above: 1024 level: extended - name: issuer.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. type: keyword - threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes level: extended - name: not_after + name: debug.size normalize: [] - original_fieldset: x509 - short: Time at which the certificate is no longer considered valid. 
- type: date - threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + original_fieldset: pe + short: Size of the debug information. + type: long + threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp level: extended - name: not_before + name: debug.timestamp normalize: [] - original_fieldset: x509 - short: Time at which the certificate is first considered valid. + original_fieldset: pe + short: Timestamp of the debug information. type: date - threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm - description: Algorithm used to generate the public key. - example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type ignore_above: 1024 level: extended - name: public_key_algorithm + name: debug.type normalize: [] - original_fieldset: x509 - short: Algorithm used to generate the public key. + original_fieldset: pe + short: Information type generated by the debug options. type: keyword - threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. 
+ example: Paint + flat_name: threat.enrichments.pe.description ignore_above: 1024 level: extended - name: public_key_curve + name: description normalize: [] - original_fieldset: x509 - short: The curve used by the elliptic curve public key algorithm. This is algorithm - specific. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword - threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent - description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent - index: false - level: extended - name: public_key_exponent - normalize: [] - original_fieldset: x509 - short: Exponent used to derive the public key. This is algorithm specific. - type: long - threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size - description: The size of the public key space in bits. - example: 2048 - flat_name: threat.enrichments.x509.public_key_size + threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point + ignore_above: 1024 level: extended - name: public_key_size + name: entry_point normalize: [] - original_fieldset: x509 - short: The size of the public key space in bits. - type: long - threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + original_fieldset: pe + short: Relative byte offset to the base of the PE file. 
+ type: keyword + threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports ignore_above: 1024 level: extended - name: serial_number - normalize: [] - original_fieldset: x509 - short: Unique serial number issued by the certificate authority. + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE type: keyword - threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version ignore_above: 1024 level: extended - name: signature_algorithm + name: file_version normalize: [] - original_fieldset: x509 - short: Identifier for certificate signature algorithm. + original_fieldset: pe + short: Process name. type: keyword - threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name - description: List of common names (CN) of subject. - example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. 
+ example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: subject.common_name - normalize: - - array - original_fieldset: x509 - short: List of common names (CN) of subject. + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. type: keyword - threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country - description: List of country (C) code - example: US - flat_name: threat.enrichments.x509.subject.country + threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash ignore_above: 1024 level: extended - name: subject.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) code + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name - description: Distinguished name (DN) of the certificate subject entity. 
- example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports level: extended - name: subject.distinguished_name + name: imports normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of the certificate subject entity. - type: wildcard - threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality - description: List of locality names (L) - example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + original_fieldset: pe + short: List of all imported functions + type: flattened + threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type ignore_above: 1024 level: extended - name: subject.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. type: keyword - threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization - description: List of organizations (O) of subject. - example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers ignore_above: 1024 level: extended - name: subject.organization + name: packers normalize: - array - original_fieldset: x509 - short: List of organizations (O) of subject. + original_fieldset: pe + short: List of packers and tools used. type: keyword - threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit - description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit + threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product ignore_above: 1024 level: extended - name: subject.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of subject. + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword - threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.subject.state_or_province - ignore_above: 1024 + threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. 
+ + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.pe.resources level: extended - name: subject.state_or_province + name: resources normalize: - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) - type: keyword - threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number - description: Version of x509 format. - example: 3 - flat_name: threat.enrichments.x509.version_number - ignore_above: 1024 + original_fieldset: pe + short: PE resource information + type: nested + threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 level: extended - name: version_number + name: resources.chi2 normalize: [] - original_fieldset: x509 - short: Version of x509 format. - type: keyword - threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework - ignore_above: 1024 + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy level: extended - name: framework + name: resources.entropy normalize: [] - short: Threat classification framework. - type: keyword - threat.group.alias: - beta: This field is beta and subject to change. 
- dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 level: extended - name: group.alias - normalize: - - array - short: Alias of the group. + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. type: keyword - threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id + threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language ignore_above: 1024 level: extended - name: group.id + name: resources.language normalize: [] - short: ID of the group. + original_fieldset: pe + short: Language identification. type: keyword - threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - flat_name: threat.group.name + threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 ignore_above: 1024 level: extended - name: group.name + name: resources.sha256 normalize: [] - short: Name of the group. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword - threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference + threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type ignore_above: 1024 level: extended - name: group.reference - normalize: [] - short: Reference URL of the group. + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. type: keyword - threat.indicator.as.data.bytes: - dashed_name: threat-indicator-as-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' 
- example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.as.data.bytes + threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 ignore_above: 1024 level: extended - name: data.bytes + name: rich_header.hash.md5 normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword - threat.indicator.as.data.strings: - dashed_name: threat-indicator-as-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.as.data.strings - level: core - name: data.strings + threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections + level: extended + name: sections normalize: - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: wildcard - threat.indicator.as.data.type: - dashed_name: threat-indicator-as-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.as.data.type + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword + threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. 
+ example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long + threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' 
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type ignore_above: 1024 level: core name: data.type @@ -15902,11 +15728,11 @@ threat: original_fieldset: registry short: Standard registry type for encoding contents type: keyword - threat.indicator.as.hive: - dashed_name: threat-indicator-as-hive + threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive description: Abbreviated name for the hive. example: HKLM - flat_name: threat.indicator.as.hive + flat_name: threat.enrichments.registry.hive ignore_above: 1024 level: core name: hive 
@@ -15914,34 +15740,34 @@ threat: original_fieldset: registry short: Abbreviated name for the hive. type: keyword - threat.indicator.as.key: - dashed_name: threat-indicator-as-key + threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.as.key + flat_name: threat.enrichments.registry.key level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: wildcard - threat.indicator.as.path: - dashed_name: threat-indicator-as-path + threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - flat_name: threat.indicator.as.path + flat_name: threat.enrichments.registry.path level: core name: path normalize: [] original_fieldset: registry short: Full path, including hive, key and value type: wildcard - threat.indicator.as.value: - dashed_name: threat-indicator-as-value + threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value description: Name of the value written. example: Debugger - flat_name: threat.indicator.as.value + flat_name: threat.enrichments.registry.value ignore_above: 1024 level: core name: value 
@@ -15949,1001 +15775,2083 @@ threat: original_fieldset: registry short: Name of the value written. type: keyword - threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 + threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain level: extended - name: indicator.confidence + name: domain normalize: [] - short: Indicator confidence rating - type: keyword - threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description + original_fieldset: url + short: Domain of the url. + type: wildcard + threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". 
+ + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension ignore_above: 1024 level: extended - name: indicator.description + name: extension normalize: [] - short: Indicator description + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword - threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - flat_name: threat.indicator.email.address + threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.url.fragment ignore_above: 1024 level: extended - name: indicator.email.address + name: fragment normalize: [] - short: Indicator email address + original_fieldset: url + short: Portion of the url after the `#`. type: keyword - threat.indicator.file.accessed: - dashed_name: threat-indicator-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - flat_name: threat.indicator.file.accessed + threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full level: extended - name: accessed + multi_fields: + - flat_name: threat.enrichments.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: file - short: Last time the file was accessed. - type: date - threat.indicator.file.attributes: - dashed_name: threat-indicator-file-attributes - description: 'Array of file attributes. + original_fieldset: url + short: Full unparsed URL. + type: wildcard + threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.indicator.file.attributes + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original + level: extended + multi_fields: + - flat_name: threat.enrichments.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: wildcard + threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password ignore_above: 1024 level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. 
- type: keyword - threat.indicator.file.code_signature.exists: - dashed_name: threat-indicator-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.indicator.file.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - threat.indicator.file.code_signature.signing_id: - dashed_name: threat-indicator-file-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.indicator.file.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id + name: password normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: url + short: Password of the request. type: keyword - threat.indicator.file.code_signature.status: - dashed_name: threat-indicator-file-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.indicator.file.code_signature.status - ignore_above: 1024 + threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path level: extended - name: status + name: path normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - threat.indicator.file.code_signature.subject_name: - dashed_name: threat-indicator-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.indicator.file.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name + original_fieldset: url + short: Path of the request, such as "/search". + type: wildcard + threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string + level: extended + name: port normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - threat.indicator.file.code_signature.team_id: - dashed_name: threat-indicator-file-code-signature-team-id - description: 'The team identifier used to sign the process. + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.indicator.file.code_signature.team_id + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.enrichments.url.query ignore_above: 1024 level: extended - name: team_id + name: query normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: url + short: Query string of the request. 
type: keyword - threat.indicator.file.code_signature.trusted: - dashed_name: threat-indicator-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. + threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.indicator.file.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - threat.indicator.file.code_signature.valid: - dashed_name: threat-indicator-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. + For example, the registered domain for "foo.example.com" is "example.com". - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.indicator.file.code_signature.valid + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain level: extended - name: valid + name: registered_domain normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - threat.indicator.file.created: - dashed_name: threat-indicator-file-created - description: 'File creation time. + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. 
+ type: wildcard + threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". - Note that not all filesystems store the creation time.' - flat_name: threat.indicator.file.created + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme + ignore_above: 1024 level: extended - name: created + name: scheme normalize: [] - original_fieldset: file - short: File creation time. - type: date - threat.indicator.file.ctime: - dashed_name: threat-indicator-file-ctime - description: 'Last time the file attributes or metadata changed. + original_fieldset: url + short: Scheme of the url. + type: keyword + threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.indicator.file.ctime - level: extended - name: ctime - normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date - threat.indicator.file.device: - dashed_name: threat-indicator-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.indicator.file.device + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east + flat_name: threat.enrichments.url.subdomain ignore_above: 1024 level: extended - name: device + name: subdomain normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: url + short: The subdomain of the domain. type: keyword - threat.indicator.file.directory: - dashed_name: threat-indicator-file-directory - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice - flat_name: threat.indicator.file.directory - level: extended - name: directory - normalize: [] - original_fieldset: file - short: Directory where the file is located. - type: wildcard - threat.indicator.file.drive_letter: - dashed_name: threat-indicator-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. + threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". - The value should be uppercase, and not include the colon.' - example: C - flat_name: threat.indicator.file.drive_letter - ignore_above: 1 + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain + ignore_above: 1024 level: extended - name: drive_letter + name: top_level_domain normalize: [] - original_fieldset: file - short: Drive letter where the file is located. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). 
type: keyword - threat.indicator.file.elf.architecture: - dashed_name: threat-indicator-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.indicator.file.elf.architecture + threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. + flat_name: threat.enrichments.url.username ignore_above: 1024 level: extended - name: architecture + name: username normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: url + short: Username of the request. type: keyword - threat.indicator.file.elf.byte_order: - dashed_name: threat-indicator-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.indicator.file.elf.byte_order + threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names ignore_above: 1024 level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword - threat.indicator.file.elf.cpu_type: - dashed_name: threat-indicator-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.indicator.file.elf.cpu_type + threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. 
+ example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name ignore_above: 1024 level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. type: keyword - threat.indicator.file.elf.creation_date: - dashed_name: threat-indicator-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: threat.indicator.file.elf.creation_date + threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country + ignore_above: 1024 level: extended - name: creation_date + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - threat.indicator.file.elf.exports: - dashed_name: threat-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.indicator.file.elf.exports + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. 
+ type: wildcard + threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality + ignore_above: 1024 level: extended - name: exports + name: issuer.locality normalize: - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - threat.indicator.file.elf.header.abi_version: - dashed_name: threat-indicator-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.indicator.file.elf.header.abi_version + original_fieldset: x509 + short: List of locality names (L) + type: keyword + threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization ignore_above: 1024 level: extended - name: header.abi_version - normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword - threat.indicator.file.elf.header.class: - dashed_name: threat-indicator-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.indicator.file.elf.header.class + threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: header.class - normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
+ name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword - threat.indicator.file.elf.header.data: - dashed_name: threat-indicator-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.indicator.file.elf.header.data + threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province ignore_above: 1024 level: extended - name: header.data - normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword - threat.indicator.file.elf.header.entrypoint: - dashed_name: threat-indicator-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.indicator.file.elf.header.entrypoint - format: string + threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after level: extended - name: header.entrypoint + name: not_after normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - threat.indicator.file.elf.header.object_version: - dashed_name: threat-indicator-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.indicator.file.elf.header.object_version + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. 
+ type: date + threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm ignore_above: 1024 level: extended - name: header.object_version + name: public_key_algorithm normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword - threat.indicator.file.elf.header.os_abi: - dashed_name: threat-indicator-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.indicator.file.elf.header.os_abi + threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve ignore_above: 1024 level: extended - name: header.os_abi + name: public_key_curve normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword - threat.indicator.file.elf.header.type: - dashed_name: threat-indicator-file-elf-header-type - description: Header type of the ELF file. 
- flat_name: threat.indicator.file.elf.header.type + threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number ignore_above: 1024 level: extended - name: header.type + name: serial_number normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword - threat.indicator.file.elf.header.version: - dashed_name: threat-indicator-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.indicator.file.elf.header.version + threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm ignore_above: 1024 level: extended - name: header.version + name: signature_algorithm normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword - threat.indicator.file.elf.imports: - dashed_name: threat-indicator-file-elf-imports - description: List of imported element names and types. - flat_name: threat.indicator.file.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - threat.indicator.file.elf.sections: - dashed_name: threat-indicator-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: threat.indicator.file.elf.sections + threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name + ignore_above: 1024 level: extended - name: sections + name: subject.common_name normalize: - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - threat.indicator.file.elf.sections.chi2: - dashed_name: threat-indicator-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.indicator.file.elf.sections.chi2 - format: number + original_fieldset: x509 + short: List of common names (CN) of subject. 
+ type: keyword + threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country + ignore_above: 1024 level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - threat.indicator.file.elf.sections.entropy: - dashed_name: threat-indicator-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.indicator.file.elf.sections.entropy - format: number + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name level: extended - name: sections.entropy + name: subject.distinguished_name normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - threat.indicator.file.elf.sections.flags: - dashed_name: threat-indicator-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.indicator.file.elf.sections.flags + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: wildcard + threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality ignore_above: 1024 level: extended - name: sections.flags - normalize: [] - original_fieldset: elf - short: ELF Section List flags. 
+ name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.indicator.file.elf.sections.name: - dashed_name: threat-indicator-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.indicator.file.elf.sections.name + threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization ignore_above: 1024 level: extended - name: sections.name + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number + ignore_above: 1024 + level: extended + name: version_number normalize: [] - original_fieldset: elf - short: ELF Section List name. 
+ original_fieldset: x509 + short: Version of x509 format. type: keyword - threat.indicator.file.elf.sections.physical_offset: - dashed_name: threat-indicator-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.indicator.file.elf.sections.physical_offset + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework ignore_above: 1024 level: extended - name: sections.physical_offset + name: framework normalize: [] - original_fieldset: elf - short: ELF Section List offset. + short: Threat classification framework. type: keyword - threat.indicator.file.elf.sections.physical_size: - dashed_name: threat-indicator-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.indicator.file.elf.sections.physical_size - format: bytes + threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 level: extended - name: sections.physical_size + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." 
+ example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - threat.indicator.file.elf.sections.type: - dashed_name: threat-indicator-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.indicator.file.elf.sections.type + short: ID of the group. + type: keyword + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name ignore_above: 1024 level: extended - name: sections.type + name: group.name normalize: [] - original_fieldset: elf - short: ELF Section List type. + short: Name of the group. type: keyword - threat.indicator.file.elf.sections.virtual_address: - dashed_name: threat-indicator-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.indicator.file.elf.sections.virtual_address - format: string + threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 level: extended - name: sections.virtual_address + name: group.reference normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. 
- type: long - threat.indicator.file.elf.sections.virtual_size: - dashed_name: threat-indicator-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.indicator.file.elf.sections.virtual_size - format: string + short: Reference URL of the group. + type: keyword + threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number level: extended - name: sections.virtual_size + name: number normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. + original_fieldset: as + short: Unique number allocated to the autonomous system. type: long - threat.indicator.file.elf.segments: - dashed_name: threat-indicator-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: threat.indicator.file.elf.segments + threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - threat.indicator.file.elf.segments.sections: - dashed_name: threat-indicator-file-elf-segments-sections + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard + threat.indicator.confidence: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. 
This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. 
+ flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' 
+ flat_name: threat.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
+ flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. 
+ flat_name: threat.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections description: ELF object segment sections. flat_name: threat.indicator.file.elf.segments.sections ignore_above: 1024 level: extended - name: segments.sections + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. 
+ + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. 
+ type: keyword + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date + threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword + threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. 
+ type: wildcard + threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard + threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. 
+ type: date + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: geo + short: Time zone. type: keyword - threat.indicator.file.elf.segments.type: - dashed_name: threat-indicator-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.indicator.file.elf.segments.type + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended - name: segments.type + name: md5 normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: hash + short: MD5 hash. type: keyword - threat.indicator.file.elf.shared_libraries: - dashed_name: threat-indicator-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.indicator.file.elf.shared_libraries + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended - name: shared_libraries - normalize: - - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. type: keyword - threat.indicator.file.elf.telfhash: - dashed_name: threat-indicator-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.indicator.file.elf.telfhash + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended - name: telfhash + name: sha256 normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: hash + short: SHA256 hash. 
type: keyword - threat.indicator.file.extension: - dashed_name: threat-indicator-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.indicator.file.extension + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended - name: extension + name: sha512 normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. + original_fieldset: hash + short: SHA512 hash. type: keyword - threat.indicator.file.gid: - dashed_name: threat-indicator-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.indicator.file.gid + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep ignore_above: 1024 level: extended - name: gid + name: ssdeep normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + original_fieldset: hash + short: SSDEEP hash. type: keyword - threat.indicator.file.group: - dashed_name: threat-indicator-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.indicator.file.group + threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended - name: group + name: indicator.marking.tlp normalize: [] - original_fieldset: file - short: Primary group name of the file. + short: Indicator TLP marking type: keyword - threat.indicator.file.inode: - dashed_name: threat-indicator-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.indicator.file.inode + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture ignore_above: 1024 level: extended - name: inode + name: architecture normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. + original_fieldset: pe + short: CPU architecture target for the file. 
type: keyword - threat.indicator.file.mime_type: - dashed_name: threat-indicator-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. - flat_name: threat.indicator.file.mime_type + threat.indicator.pe.authentihash: + dashed_name: threat-indicator-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.indicator.pe.authentihash ignore_above: 1024 level: extended - name: mime_type + name: authentihash normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. + original_fieldset: pe + short: Authentihash of the PE file. type: keyword - threat.indicator.file.mode: - dashed_name: threat-indicator-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.indicator.file.mode + threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company ignore_above: 1024 level: extended - name: mode + name: company normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword - threat.indicator.file.mtime: - dashed_name: threat-indicator-file-mtime - description: Last time the file content was modified. - flat_name: threat.indicator.file.mtime + threat.indicator.pe.compile_timestamp: + dashed_name: threat-indicator-pe-compile-timestamp + description: Compile timestamp of the PE file. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.compile_timestamp level: extended - name: mtime + name: compile_timestamp normalize: [] - original_fieldset: file - short: Last time the file content was modified. + original_fieldset: pe + short: Compile timestamp of the PE file. type: date - threat.indicator.file.name: - dashed_name: threat-indicator-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.indicator.file.name + threat.indicator.pe.compiler.name: + dashed_name: threat-indicator-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.indicator.pe.compiler.name ignore_above: 1024 level: extended - name: name + name: compiler.name normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + original_fieldset: pe + short: Name of the compiler type: keyword - threat.indicator.file.owner: - dashed_name: threat-indicator-file-owner - description: File owner's username. - example: alice - flat_name: threat.indicator.file.owner + threat.indicator.pe.compiler.version: + dashed_name: threat-indicator-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.indicator.pe.compiler.version ignore_above: 1024 level: extended - name: owner + name: compiler.version normalize: [] - original_fieldset: file - short: File owner's username. + original_fieldset: pe + short: Version of the compiler. type: keyword - threat.indicator.file.path: - dashed_name: threat-indicator-file-path - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.indicator.file.path + threat.indicator.pe.creation_date: + dashed_name: threat-indicator-pe-creation-date + description: Extracted when possible from the file's metadata. 
Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.creation_date level: extended - multi_fields: - - flat_name: threat.indicator.file.path.text - name: text - norms: false - type: text - name: path + name: creation_date normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. - type: wildcard - threat.indicator.file.size: - dashed_name: threat-indicator-file-size - description: 'File size in bytes. + original_fieldset: pe + short: Build or compile date. + type: date + threat.indicator.pe.debug: + dashed_name: threat-indicator-pe-debug + description: 'An array containing an object for each debug entry, if present. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.indicator.file.size + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.indicator.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + threat.indicator.pe.debug.offset: + dashed_name: threat-indicator-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.indicator.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + threat.indicator.pe.debug.size: + dashed_name: threat-indicator-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.indicator.pe.debug.size + format: bytes level: extended - name: size + name: debug.size normalize: [] - original_fieldset: file - short: File size in bytes. + original_fieldset: pe + short: Size of the debug information. type: long - threat.indicator.file.target_path: - dashed_name: threat-indicator-file-target-path - description: Target path for symlinks. 
- flat_name: threat.indicator.file.target_path + threat.indicator.pe.debug.timestamp: + dashed_name: threat-indicator-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.debug.timestamp level: extended - multi_fields: - - flat_name: threat.indicator.file.target_path.text - name: text - norms: false - type: text - name: target_path + name: debug.timestamp normalize: [] - original_fieldset: file - short: Target path for symlinks. - type: wildcard - threat.indicator.file.type: - dashed_name: threat-indicator-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.indicator.file.type + original_fieldset: pe + short: Timestamp of the debug information. + type: date + threat.indicator.pe.debug.type: + dashed_name: threat-indicator-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.indicator.pe.debug.type ignore_above: 1024 level: extended - name: type + name: debug.type normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + original_fieldset: pe + short: Information type generated by the debug options. type: keyword - threat.indicator.file.uid: - dashed_name: threat-indicator-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.indicator.file.uid + threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description ignore_above: 1024 level: extended - name: uid + name: description normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen + threat.indicator.pe.entry_point: + dashed_name: threat-indicator-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.indicator.pe.entry_point + ignore_above: 1024 level: extended - name: indicator.first_seen + name: entry_point normalize: [] - short: Date/time indicator was first reported. - type: date - threat.indicator.geo.city_name: - dashed_name: threat-indicator-geo-city-name - description: City name. - example: Montreal - flat_name: threat.indicator.geo.city_name + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + threat.indicator.pe.exports: + dashed_name: threat-indicator-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.indicator.pe.exports ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE type: keyword - threat.indicator.geo.continent_code: - dashed_name: threat-indicator-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.indicator.geo.continent_code + threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version ignore_above: 1024 - level: core - name: continent_code + level: extended + name: file_version normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: pe + short: Process name. type: keyword - threat.indicator.geo.continent_name: - dashed_name: threat-indicator-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.indicator.geo.continent_name + threat.indicator.pe.icon.hash.dhash: + dashed_name: threat-indicator-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.indicator.pe.icon.hash.dhash ignore_above: 1024 - level: core - name: continent_name + level: extended + name: icon.hash.dhash normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. type: keyword - threat.indicator.geo.country_iso_code: - dashed_name: threat-indicator-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.indicator.geo.country_iso_code + threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash ignore_above: 1024 - level: core - name: country_iso_code + level: extended + name: imphash normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: pe + short: A hash of the imports in a PE file. 
type: keyword - threat.indicator.geo.country_name: - dashed_name: threat-indicator-geo-country-name - description: Country name. - example: Canada - flat_name: threat.indicator.geo.country_name + threat.indicator.pe.imports: + dashed_name: threat-indicator-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.indicator.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + threat.indicator.pe.machine_type: + dashed_name: threat-indicator-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.indicator.pe.machine_type ignore_above: 1024 - level: core - name: country_name + level: extended + name: machine_type normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: pe + short: Machine type of the PE file. type: keyword - threat.indicator.geo.location: - dashed_name: threat-indicator-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.indicator.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - threat.indicator.geo.name: - dashed_name: threat-indicator-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. - - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.indicator.geo.name + threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name level: extended - name: name + name: original_file_name normalize: [] - original_fieldset: geo - short: User-defined description of a location. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: wildcard - threat.indicator.geo.postal_code: - dashed_name: threat-indicator-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.indicator.geo.postal_code + threat.indicator.pe.packers: + dashed_name: threat-indicator-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.indicator.pe.packers ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. type: keyword - threat.indicator.geo.region_iso_code: - dashed_name: threat-indicator-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.indicator.geo.region_iso_code + threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: product normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword - threat.indicator.geo.region_name: - dashed_name: threat-indicator-geo-region-name - description: Region name. 
- example: Quebec - flat_name: threat.indicator.geo.region_name - ignore_above: 1024 - level: core - name: region_name + threat.indicator.pe.resources: + dashed_name: threat-indicator-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.indicator.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + threat.indicator.pe.resources.chi2: + dashed_name: threat-indicator-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.indicator.pe.resources.chi2 + level: extended + name: resources.chi2 normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - threat.indicator.geo.timezone: - dashed_name: threat-indicator-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.indicator.geo.timezone - ignore_above: 1024 - level: core - name: timezone + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.indicator.pe.resources.entropy: + dashed_name: threat-indicator-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.indicator.pe.resources.entropy + level: extended + name: resources.entropy normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - threat.indicator.hash.md5: - dashed_name: threat-indicator-hash-md5 - description: MD5 hash. - flat_name: threat.indicator.hash.md5 + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + threat.indicator.pe.resources.filetype: + dashed_name: threat-indicator-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: threat.indicator.pe.resources.filetype ignore_above: 1024 level: extended - name: md5 + name: resources.filetype normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: pe + short: File type of the resources section. type: keyword - threat.indicator.hash.sha1: - dashed_name: threat-indicator-hash-sha1 - description: SHA1 hash. - flat_name: threat.indicator.hash.sha1 + threat.indicator.pe.resources.language: + dashed_name: threat-indicator-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.indicator.pe.resources.language ignore_above: 1024 level: extended - name: sha1 + name: resources.language normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: pe + short: Language identification. type: keyword - threat.indicator.hash.sha256: - dashed_name: threat-indicator-hash-sha256 - description: SHA256 hash. - flat_name: threat.indicator.hash.sha256 + threat.indicator.pe.resources.sha256: + dashed_name: threat-indicator-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.indicator.pe.resources.sha256 ignore_above: 1024 level: extended - name: sha256 + name: resources.sha256 normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword - threat.indicator.hash.sha512: - dashed_name: threat-indicator-hash-sha512 - description: SHA512 hash. - flat_name: threat.indicator.hash.sha512 + threat.indicator.pe.resources.type: + dashed_name: threat-indicator-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.indicator.pe.resources.type ignore_above: 1024 level: extended - name: sha512 - normalize: [] - original_fieldset: hash - short: SHA512 hash. 
+ name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. type: keyword - threat.indicator.hash.ssdeep: - dashed_name: threat-indicator-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.indicator.hash.ssdeep + threat.indicator.pe.rich_header.hash.md5: + dashed_name: threat-indicator-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.indicator.pe.rich_header.hash.md5 ignore_above: 1024 level: extended - name: ssdeep + name: rich_header.hash.md5 normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword - threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip + threat.indicator.pe.sections: + dashed_name: threat-indicator-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.indicator.pe.sections level: extended - name: indicator.ip + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + threat.indicator.pe.sections.chi2: + dashed_name: threat-indicator-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.indicator.pe.sections.chi2 + level: extended + name: sections.chi2 normalize: [] - short: Indicator IP address - type: ip - threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.indicator.pe.sections.entropy: + dashed_name: threat-indicator-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.indicator.pe.sections.entropy level: extended - name: indicator.last_seen + name: sections.entropy normalize: [] - short: Date/time indicator was last reported. - type: date - threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + threat.indicator.pe.sections.flags: + dashed_name: threat-indicator-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.indicator.pe.sections.flags ignore_above: 1024 level: extended - name: indicator.marking.tlp + name: sections.flags normalize: [] - short: Indicator TLP marking + original_fieldset: pe + short: Section flags of the file. type: keyword - threat.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at + threat.indicator.pe.sections.name: + dashed_name: threat-indicator-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.indicator.pe.sections.name + ignore_above: 1024 level: extended - name: indicator.modified_at + name: sections.name normalize: [] - short: Date/time indicator was last updated. 
- type: date + original_fieldset: pe + short: Section names of the file. + type: keyword + threat.indicator.pe.sections.raw_size: + dashed_name: threat-indicator-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.indicator.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + threat.indicator.pe.sections.virtual_address: + dashed_name: threat-indicator-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.indicator.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long threat.indicator.port: beta: This field is beta and subject to change. dashed_name: threat-indicator-port 
@@ -16980,6 +17888,99 @@ threat:
 normalize: []
 short: Indicator reference URL
 type: keyword
+ threat.indicator.registry.data.bytes:
+ dashed_name: threat-indicator-registry-data-bytes
+ description: 'Original bytes written with base64 encoding.
+
+ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+ corresponds to the data pointed by `lp_data`. This is optional but provides
+ better recoverability and should be populated for REG_BINARY encoded values.'
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+ flat_name: threat.indicator.registry.data.bytes
+ ignore_above: 1024
+ level: extended
+ name: data.bytes
+ normalize: []
+ original_fieldset: registry
+ short: Original bytes written with base64 encoding.
+ type: keyword
+ threat.indicator.registry.data.strings:
+ dashed_name: threat-indicator-registry-data-strings
+ description: 'Content when writing string types.
+
+ Populated as an array when writing string data to the registry. For single
+ string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+ one string. For sequences of string with REG_MULTI_SZ, this array will be
+ variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+ be populated with the decimal representation (e.g `"1"`).'
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+ flat_name: threat.indicator.registry.data.strings
+ level: core
+ name: data.strings
+ normalize:
+ - array
+ original_fieldset: registry
+ short: List of strings representing what was written to the registry.
+ type: wildcard
+ threat.indicator.registry.data.type:
+ dashed_name: threat-indicator-registry-data-type
+ description: Standard registry type for encoding contents
+ example: REG_SZ
+ flat_name: threat.indicator.registry.data.type
+ ignore_above: 1024
+ level: core
+ name: data.type
+ normalize: []
+ original_fieldset: registry
+ short: Standard registry type for encoding contents
+ type: keyword
+ threat.indicator.registry.hive:
+ dashed_name: threat-indicator-registry-hive
+ description: Abbreviated name for the hive.
+ example: HKLM
+ flat_name: threat.indicator.registry.hive
+ ignore_above: 1024
+ level: core
+ name: hive
+ normalize: []
+ original_fieldset: registry
+ short: Abbreviated name for the hive.
+ type: keyword
+ threat.indicator.registry.key:
+ dashed_name: threat-indicator-registry-key
+ description: Hive-relative path of keys.
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+ flat_name: threat.indicator.registry.key
+ level: core
+ name: key
+ normalize: []
+ original_fieldset: registry
+ short: Hive-relative path of keys.
+ type: wildcard
+ threat.indicator.registry.path:
+ dashed_name: threat-indicator-registry-path
+ description: Full path, including hive, key and value
+ example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\winword.exe\Debugger
+ flat_name: threat.indicator.registry.path
+ level: core
+ name: path
+ normalize: []
+ original_fieldset: registry
+ short: Full path, including hive, key and value
+ type: wildcard
+ threat.indicator.registry.value:
+ dashed_name: threat-indicator-registry-value
+ description: Name of the value written.
+ example: Debugger
+ flat_name: threat.indicator.registry.value
+ ignore_above: 1024
+ level: core
+ name: value
+ normalize: []
+ original_fieldset: registry
+ short: Name of the value written.
+ type: keyword
 threat.indicator.scanner_stats:
 beta: This field is beta and subject to change.
 dashed_name: threat-indicator-scanner-stats
@@ -17227,18 +18228,18 @@ threat:
 - threat.enrichments.indicator.as
 - threat.enrichments.indicator.as
 - threat.enrichments.indicator.as
- - threat.enrichments.indicator.as
- - threat.enrichments.indicator.as
+ - threat.enrichments.indicator.pe
+ - threat.enrichments.indicator.registry
 - threat.enrichments.pe
 - threat.enrichments.registry
 - threat.enrichments.url
 - threat.enrichments.x509
 - threat.indicator.as
- - threat.indicator.as
- - threat.indicator.as
 - threat.indicator.file
 - threat.indicator.geo
 - threat.indicator.hash
+ - threat.indicator.pe
+ - threat.indicator.registry
 prefix: threat.
 reused_here:
 - beta: Reusing the `as` fields in this location is currently considered beta.
@@ -17274,22 +18275,22 @@ threat:
 schema_name: hash
 short: Hashes, usually file hashes.
 - beta: Reusing the `as` fields in this location is currently considered beta.
- full: threat.indicator.as
+ full: threat.indicator.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
 - beta: Reusing the `as` fields in this location is currently considered beta.
- full: threat.enrichments.indicator.as
+ full: threat.enrichments.indicator.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
 - full: threat.enrichments.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
 - beta: Reusing the `as` fields in this location is currently considered beta.
- full: threat.indicator.as
+ full: threat.indicator.registry
 schema_name: registry
 short: Fields related to Windows Registry operations.
 - beta: Reusing the `as` fields in this location is currently considered beta.
- full: threat.enrichments.indicator.as
+ full: threat.enrichments.indicator.registry
 schema_name: registry
 short: Fields related to Windows Registry operations.
 - full: threat.enrichments.registry
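Review bot: The new side of the nested reuse list still carries `threat.enrichments.indicator.as` three times while no `file`, `geo` or `hash` entry appears under `threat.enrichments.indicator`, and the `reused_here` entries for `pe` and `registry` keep the text ``Reusing the `as` fields in this location is currently considered beta.``; the `experimental/generated/elasticsearch/7/template.json` and `generated/beats/fields.ecs.yml` hunks show the consequence, with hash fields (`md5`, `sha1`, `sha256`, `sha512`, `ssdeep`) emitted under `threat.enrichments.indicator.as`. This output is consistent with the `as:` name in the `file`, `geo`, `hash`, `pe` and `registry` reuse declarations of the source schemas having been copied from the `as` fieldset instead of set to each fieldset's own name (those schema files are not in this hunk, so this is inferred from the generated result). Because several fieldsets collide on one nesting name, the generated mapping can only hold one of them, so ingest pipelines and detection rules that expect `threat.enrichments.indicator.file.*`, `.geo.*` or `.hash.*` would silently find nothing. The correction belongs in the source reuse declarations (`as: file`, `as: geo`, `as: hash`, plus matching beta text for `pe` and `registry`), followed by regenerating this file rather than editing it by hand.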
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 51709fd85e..22f0e565fe 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -4419,32 +4419,23 @@ "properties": { "as": { "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "md5": { + "ignore_above": 1024, + "type": "keyword" }, - "hive": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "key": { - "type": "wildcard" + "sha256": { + "ignore_above": 1024, + "type": "keyword" }, - "path": { - "type": "wildcard" + "sha512": { + "ignore_above": 1024, + "type": "keyword" }, - "value": { + "ssdeep": { "ignore_above": 1024, "type": "keyword" } 
@@ -4486,6 +4477,173 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": 
{ + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, "port": { "type": "long" }, @@ -4497,6 +4655,39 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, @@ -4935,34 +5126,21 @@ "properties": { "as": { "properties": { - "data": { + "number": { + "type": "long" + }, + "organization": { "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "type": "wildcard" - }, - "path": { - "type": "wildcard" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } } }, 
@@ -5310,6 +5488,173 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": 
{ + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, "port": { "type": "long" }, @@ -5321,6 +5666,39 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index 22c146bf17..53400624c1 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json @@ -14,32 +14,23 @@ "properties": { "as": { "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "md5": { + "ignore_above": 1024, + "type": "keyword" }, - "hive": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "key": { - "type": "wildcard" + "sha256": { + "ignore_above": 1024, + "type": "keyword" }, - "path": { - "type": "wildcard" + "sha512": { + "ignore_above": 1024, + "type": "keyword" }, - "value": { + "ssdeep": { "ignore_above": 1024, "type": "keyword" } 
@@ -81,6 +72,173 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + 
"properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, "port": { "type": "long" }, @@ -92,6 +250,39 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, @@ -530,34 +721,21 @@ "properties": { "as": { "properties": { - "data": { + "number": { + "type": "long" + }, + "organization": { "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "type": "wildcard" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "type": "wildcard" - }, - "path": { - "type": "wildcard" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } } }, 
@@ -905,6 +1083,173 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { 
+ "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, "port": { "type": "long" }, @@ -916,6 +1261,39 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 9d9addc651..1469267817 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5856,65 +5856,35 @@
 type: object
 description: Indicators
 default_field: false
- - name: enrichments.indicator.as.data.bytes
+ - name: enrichments.indicator.as.md5
 level: extended
 type: keyword
 ignore_above: 1024
- description: 'Original bytes written with base64 encoding.
-
- For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
- corresponds to the data pointed by `lp_data`. This is optional but provides
- better recoverability and should be populated for REG_BINARY encoded values.'
- example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
- default_field: false
- - name: enrichments.indicator.as.data.strings
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Content when writing string types.
-
- Populated as an array when writing string data to the registry. For single
- string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
- one string. For sequences of string with REG_MULTI_SZ, this array will be
- variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
- be populated with the decimal representation (e.g `"1"`).'
- example: '["C:\rta\red_ttp\bin\myapp.exe"]'
- default_field: false
- - name: enrichments.indicator.as.data.type
- level: core
- type: keyword
- ignore_above: 1024
- description: Standard registry type for encoding contents
- example: REG_SZ
+ description: MD5 hash.
 default_field: false
- - name: enrichments.indicator.as.hive
- level: core
+ - name: enrichments.indicator.as.sha1
+ level: extended
 type: keyword
 ignore_above: 1024
- description: Abbreviated name for the hive.
- example: HKLM
+ description: SHA1 hash.
 default_field: false
- - name: enrichments.indicator.as.key
- level: core
+ - name: enrichments.indicator.as.sha256
+ level: extended
 type: keyword
 ignore_above: 1024
- description: Hive-relative path of keys.
- example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+ description: SHA256 hash.
 default_field: false
- - name: enrichments.indicator.as.path
- level: core
+ - name: enrichments.indicator.as.sha512
+ level: extended
 type: keyword
 ignore_above: 1024
- description: Full path, including hive, key and value
- example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\winword.exe\Debugger
+ description: SHA512 hash.
 default_field: false
- - name: enrichments.indicator.as.value
- level: core
+ - name: enrichments.indicator.as.ssdeep
+ level: extended
 type: keyword
 ignore_above: 1024
- description: Name of the value written.
- example: Debugger
+ description: SSDEEP hash.
 default_field: false
 - name: enrichments.indicator.confidence
 level: extended
@@ -5977,6 +5947,59 @@
 for this indicator.
 example: '2020-11-05T17:25:47.000Z'
 default_field: false
+ - name: enrichments.indicator.pe.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU architecture target for the file.
+ example: x64
+ default_field: false
+ - name: enrichments.indicator.pe.company
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ default_field: false
+ - name: enrichments.indicator.pe.description
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ default_field: false
+ - name: enrichments.indicator.pe.file_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ default_field: false
+ - name: enrichments.indicator.pe.imphash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ default_field: false
+ - name: enrichments.indicator.pe.original_file_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ default_field: false
+ - name: enrichments.indicator.pe.product
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal product name of the file, provided at compile-time.
+ example: "Microsoft\xAE Windows\xAE Operating System"
+ default_field: false
 - name: enrichments.indicator.port
 level: extended
 type: long
@@ -5998,6 +6021,66 @@
 description: Reference URL linking to additional information about this indicator.
 example: https://system.example.com/indicator/0001234
 default_field: false
+ - name: enrichments.indicator.registry.data.bytes
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Original bytes written with base64 encoding.
+
+ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+ corresponds to the data pointed by `lp_data`. This is optional but provides
+ better recoverability and should be populated for REG_BINARY encoded values.'
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+ default_field: false
+ - name: enrichments.indicator.registry.data.strings
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Content when writing string types.
+
+ Populated as an array when writing string data to the registry. For single
+ string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+ one string. For sequences of string with REG_MULTI_SZ, this array will be
+ variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+ be populated with the decimal representation (e.g `"1"`).'
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+ default_field: false
+ - name: enrichments.indicator.registry.data.type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Standard registry type for encoding contents
+ example: REG_SZ
+ default_field: false
+ - name: enrichments.indicator.registry.hive
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Abbreviated name for the hive.
+ example: HKLM
+ default_field: false
+ - name: enrichments.indicator.registry.key
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Hive-relative path of keys.
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+ default_field: false
+ - name: enrichments.indicator.registry.path
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Full path, including hive, key and value
+ example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\winword.exe\Debugger
+ default_field: false
+ - name: enrichments.indicator.registry.value
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Name of the value written.
+ example: Debugger
+ default_field: false
 - name: enrichments.indicator.scanner_stats
 level: extended
 type: long
@@ -6430,65 +6513,23 @@
 \ not required, you can use a MITRE ATT&CK\xAE group reference URL."
 example: https://attack.mitre.org/groups/G0037/
 default_field: false
- - name: indicator.as.data.bytes
+ - name: indicator.as.number
 level: extended
- type: keyword
- ignore_above: 1024
- description: 'Original bytes written with base64 encoding.
-
- For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
- corresponds to the data pointed by `lp_data`. This is optional but provides
- better recoverability and should be populated for REG_BINARY encoded values.'
- example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
- default_field: false
- - name: indicator.as.data.strings
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Content when writing string types.
-
- Populated as an array when writing string data to the registry. For single
- string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
- one string. For sequences of string with REG_MULTI_SZ, this array will be
- variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
- be populated with the decimal representation (e.g `"1"`).'
- example: '["C:\rta\red_ttp\bin\myapp.exe"]'
- default_field: false
- - name: indicator.as.data.type
- level: core
- type: keyword
- ignore_above: 1024
- description: Standard registry type for encoding contents
- example: REG_SZ
- default_field: false
- - name: indicator.as.hive
- level: core
- type: keyword
- ignore_above: 1024
- description: Abbreviated name for the hive.
- example: HKLM
- default_field: false
- - name: indicator.as.key
- level: core
- type: keyword
- ignore_above: 1024
- description: Hive-relative path of keys.
- example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
- default_field: false
- - name: indicator.as.path
- level: core
- type: keyword
- ignore_above: 1024
- description: Full path, including hive, key and value
- example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
- Options\winword.exe\Debugger
+ type: long
+ description: Unique number allocated to the autonomous system. The autonomous
+ system number (ASN) uniquely identifies each network on the Internet.
+ example: 15169
 default_field: false
- - name: indicator.as.value
- level: core
+ - name: indicator.as.organization.name
+ level: extended
 type: keyword
 ignore_above: 1024
- description: Name of the value written.
- example: Debugger
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ description: Organization name.
+ example: Google LLC
 default_field: false
 - name: indicator.confidence
 level: extended
@@ -7075,6 +7116,59 @@
 for this indicator.
 example: '2020-11-05T17:25:47.000Z'
 default_field: false
+ - name: indicator.pe.architecture
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CPU architecture target for the file.
+ example: x64
+ default_field: false
+ - name: indicator.pe.company
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ default_field: false
+ - name: indicator.pe.description
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ default_field: false
+ - name: indicator.pe.file_version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ default_field: false
+ - name: indicator.pe.imphash
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ default_field: false
+ - name: indicator.pe.original_file_name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ default_field: false
+ - name: indicator.pe.product
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Internal product name of the file, provided at compile-time.
+ example: "Microsoft\xAE Windows\xAE Operating System"
+ default_field: false
 - name: indicator.port
 level: extended
 type: long
@@ -7096,6 +7190,66 @@ description: Reference URL linking to additional information about this indicator. example: https://system.example.com/indicator/0001234 default_field: false + - name: indicator.registry.data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: indicator.registry.data.strings + level: core + type: keyword + ignore_above: 1024 + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: indicator.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: indicator.registry.hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: indicator.registry.key + level: core + type: keyword + ignore_above: 1024 + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: indicator.registry.path + level: core + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: indicator.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false - name: indicator.scanner_stats level: extended type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index af1f686771..1f36512e3a 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -668,13 +668,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 2.0.0-dev,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. 2.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Indicators -2.0.0-dev,true,threat,threat.enrichments.indicator.as.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -2.0.0-dev,true,threat,threat.enrichments.indicator.as.hive,keyword,core,,HKLM,Abbreviated name for the hive. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -2.0.0-dev,true,threat,threat.enrichments.indicator.as.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev,true,threat,threat.enrichments.indicator.as.md5,keyword,extended,,,MD5 hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.as.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.as.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.as.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.as.ssdeep,keyword,extended,,,SSDEEP hash. 
2.0.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,High,Indicator confidence rating 2.0.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 2.0.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address 
@@ -683,9 +681,23 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 2.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking 2.0.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +2.0.0-dev,true,threat,threat.enrichments.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev,true,threat,threat.enrichments.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev,true,threat,threat.enrichments.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev,true,threat,threat.enrichments.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev,true,threat,threat.enrichments.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev,true,threat,threat.enrichments.indicator.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,threat,threat.enrichments.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
2.0.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port 2.0.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 2.0.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +2.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 2.0.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator 
@@ -739,13 +751,9 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. 2.0.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 2.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -2.0.0-dev,true,threat,threat.indicator.as.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -2.0.0-dev,true,threat,threat.indicator.as.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -2.0.0-dev,true,threat,threat.indicator.as.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -2.0.0-dev,true,threat,threat.indicator.as.hive,keyword,core,,HKLM,Abbreviated name for the hive. -2.0.0-dev,true,threat,threat.indicator.as.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -2.0.0-dev,true,threat,threat.indicator.as.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -2.0.0-dev,true,threat,threat.indicator.as.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +2.0.0-dev,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. 
2.0.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating 2.0.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 2.0.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address 
@@ -829,9 +837,23 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 2.0.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking 2.0.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +2.0.0-dev,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev,true,threat,threat.indicator.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 2.0.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port 2.0.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider 2.0.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +2.0.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. 
+2.0.0-dev,true,threat,threat.indicator.registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 2.0.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 64da234148..89a03a2cd3 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8551,101 +8551,60 @@ threat.enrichments.indicator: normalize: [] short: Indicators type: object -threat.enrichments.indicator.as.data.bytes: - dashed_name: threat-enrichments-indicator-as-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.indicator.as.data.bytes +threat.enrichments.indicator.as.md5: + dashed_name: threat-enrichments-indicator-as-md5 + description: MD5 hash. + flat_name: threat.enrichments.indicator.as.md5 ignore_above: 1024 level: extended - name: data.bytes - normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword -threat.enrichments.indicator.as.data.strings: - dashed_name: threat-enrichments-indicator-as-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single string - registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. - For sequences of string with REG_MULTI_SZ, this array will be variable length. - For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with - the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.indicator.as.data.strings - ignore_above: 1024 - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: keyword -threat.enrichments.indicator.as.data.type: - dashed_name: threat-enrichments-indicator-as-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.indicator.as.data.type - ignore_above: 1024 - level: core - name: data.type + name: md5 normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: hash + short: MD5 hash. type: keyword -threat.enrichments.indicator.as.hive: - dashed_name: threat-enrichments-indicator-as-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.indicator.as.hive +threat.enrichments.indicator.as.sha1: + dashed_name: threat-enrichments-indicator-as-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.as.sha1 ignore_above: 1024 - level: core - name: hive + level: extended + name: sha1 normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: hash + short: SHA1 hash. type: keyword -threat.enrichments.indicator.as.key: - dashed_name: threat-enrichments-indicator-as-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.indicator.as.key +threat.enrichments.indicator.as.sha256: + dashed_name: threat-enrichments-indicator-as-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.as.sha256 ignore_above: 1024 - level: core - name: key + level: extended + name: sha256 normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. + original_fieldset: hash + short: SHA256 hash. 
type: keyword -threat.enrichments.indicator.as.path: - dashed_name: threat-enrichments-indicator-as-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.indicator.as.path +threat.enrichments.indicator.as.sha512: + dashed_name: threat-enrichments-indicator-as-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.as.sha512 ignore_above: 1024 - level: core - name: path + level: extended + name: sha512 normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + original_fieldset: hash + short: SHA512 hash. type: keyword -threat.enrichments.indicator.as.value: - dashed_name: threat-enrichments-indicator-as-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.indicator.as.value +threat.enrichments.indicator.as.ssdeep: + dashed_name: threat-enrichments-indicator-as-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.as.ssdeep ignore_above: 1024 - level: core - name: value + level: extended + name: ssdeep normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: hash + short: SSDEEP hash. type: keyword threat.enrichments.indicator.confidence: beta: This field is beta and subject to change. 
@@ -8747,6 +8706,94 @@ threat.enrichments.indicator.modified_at: normalize: [] short: Date/time indicator was last updated. type: date +threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.indicator.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword threat.enrichments.indicator.port: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port 
@@ -8782,6 +8829,102 @@ threat.enrichments.indicator.reference: normalize: [] short: Indicator reference URL type: keyword +threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword +threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. 
+ type: keyword +threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.registry.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: keyword +threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.registry.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword +threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value + description: Name of the value written. 
+ example: Debugger + flat_name: threat.enrichments.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword threat.enrichments.indicator.scanner_stats: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats 
@@ -9484,101 +9627,34 @@ threat.group.reference: normalize: [] short: Reference URL of the group. type: keyword -threat.indicator.as.data.bytes: - dashed_name: threat-indicator-as-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.as.data.bytes - ignore_above: 1024 +threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number level: extended - name: data.bytes - normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword -threat.indicator.as.data.strings: - dashed_name: threat-indicator-as-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single string - registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. - For sequences of string with REG_MULTI_SZ, this array will be variable length. - For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with - the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.as.data.strings - ignore_above: 1024 - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: keyword -threat.indicator.as.data.type: - dashed_name: threat-indicator-as-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.as.data.type - ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents - type: keyword -threat.indicator.as.hive: - dashed_name: threat-indicator-as-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.indicator.as.hive - ignore_above: 1024 - level: core - name: hive - normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. - type: keyword -threat.indicator.as.key: - dashed_name: threat-indicator-as-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.as.key - ignore_above: 1024 - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. - type: keyword -threat.indicator.as.path: - dashed_name: threat-indicator-as-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.indicator.as.path - ignore_above: 1024 - level: core - name: path + name: number normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: keyword -threat.indicator.as.value: - dashed_name: threat-indicator-as-value - description: Name of the value written. - example: Debugger - flat_name: threat.indicator.as.value + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: threat.indicator.as.organization.name ignore_above: 1024 - level: core - name: value + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: as + short: Organization name. type: keyword threat.indicator.confidence: beta: This field is beta and subject to change. 
@@ -10578,6 +10654,94 @@ threat.indicator.modified_at: normalize: [] short: Date/time indicator was last updated. type: date +threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword threat.indicator.port: beta: This field is beta and subject to change. dashed_name: threat-indicator-port 
@@ -10613,6 +10777,102 @@ threat.indicator.reference: normalize: [] short: Indicator reference URL type: keyword +threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword +threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. 
+ type: keyword +threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: keyword +threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword +threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. 
+ type: keyword threat.indicator.scanner_stats: beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 6aee16b037..3689b05f0e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -7151,14 +7151,14 @@ pe: - as: pe at: process full: process.pe - - as: as + - as: pe at: threat.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.indicator.as - - as: as + full: threat.indicator.pe + - as: pe at: threat.enrichments.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + full: threat.enrichments.indicator.pe top_level: false short: These fields contain Windows Portable Executable (PE) metadata. title: PE Header @@ -8903,14 +8903,14 @@ registry: prefix: registry. reusable: expected: - - as: as + - as: registry at: threat.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.indicator.as - - as: as + full: threat.indicator.registry + - as: registry at: threat.enrichments.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + full: threat.enrichments.indicator.registry top_level: true short: Fields related to Windows Registry operations. title: Registry 
@@ -10258,101 +10258,60 @@ threat: normalize: [] short: Indicators type: object - threat.enrichments.indicator.as.data.bytes: - dashed_name: threat-enrichments-indicator-as-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.indicator.as.data.bytes + threat.enrichments.indicator.as.md5: + dashed_name: threat-enrichments-indicator-as-md5 + description: MD5 hash. + flat_name: threat.enrichments.indicator.as.md5 ignore_above: 1024 level: extended - name: data.bytes - normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword - threat.enrichments.indicator.as.data.strings: - dashed_name: threat-enrichments-indicator-as-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.indicator.as.data.strings - ignore_above: 1024 - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: keyword - threat.enrichments.indicator.as.data.type: - dashed_name: threat-enrichments-indicator-as-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.indicator.as.data.type - ignore_above: 1024 - level: core - name: data.type + name: md5 normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: hash + short: MD5 hash. type: keyword - threat.enrichments.indicator.as.hive: - dashed_name: threat-enrichments-indicator-as-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.indicator.as.hive + threat.enrichments.indicator.as.sha1: + dashed_name: threat-enrichments-indicator-as-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.as.sha1 ignore_above: 1024 - level: core - name: hive + level: extended + name: sha1 normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: hash + short: SHA1 hash. type: keyword - threat.enrichments.indicator.as.key: - dashed_name: threat-enrichments-indicator-as-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.indicator.as.key + threat.enrichments.indicator.as.sha256: + dashed_name: threat-enrichments-indicator-as-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.as.sha256 ignore_above: 1024 - level: core - name: key + level: extended + name: sha256 normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. + original_fieldset: hash + short: SHA256 hash. 
type: keyword - threat.enrichments.indicator.as.path: - dashed_name: threat-enrichments-indicator-as-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.indicator.as.path + threat.enrichments.indicator.as.sha512: + dashed_name: threat-enrichments-indicator-as-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.as.sha512 ignore_above: 1024 - level: core - name: path + level: extended + name: sha512 normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + original_fieldset: hash + short: SHA512 hash. type: keyword - threat.enrichments.indicator.as.value: - dashed_name: threat-enrichments-indicator-as-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.indicator.as.value + threat.enrichments.indicator.as.ssdeep: + dashed_name: threat-enrichments-indicator-as-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.as.ssdeep ignore_above: 1024 - level: core - name: value + level: extended + name: ssdeep normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: hash + short: SSDEEP hash. type: keyword threat.enrichments.indicator.confidence: beta: This field is beta and subject to change. 
@@ -10455,6 +10414,94 @@ threat: normalize: [] short: Date/time indicator was last updated. type: date + threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.indicator.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword threat.enrichments.indicator.port: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-port 
@@ -10491,6 +10538,102 @@ threat: normalize: [] short: Indicator reference URL type: keyword + threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. 
+ type: keyword + threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword + threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.registry.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: keyword + threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.registry.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword + threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value + description: Name of the value written. 
+ example: Debugger + flat_name: threat.enrichments.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword threat.enrichments.indicator.scanner_stats: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-scanner-stats 
@@ -11195,101 +11338,34 @@ threat: normalize: [] short: Reference URL of the group. type: keyword - threat.indicator.as.data.bytes: - dashed_name: threat-indicator-as-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.as.data.bytes - ignore_above: 1024 + threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number level: extended - name: data.bytes - normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword - threat.indicator.as.data.strings: - dashed_name: threat-indicator-as-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.as.data.strings - ignore_above: 1024 - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: keyword - threat.indicator.as.data.type: - dashed_name: threat-indicator-as-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.as.data.type - ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents - type: keyword - threat.indicator.as.hive: - dashed_name: threat-indicator-as-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.indicator.as.hive - ignore_above: 1024 - level: core - name: hive - normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. - type: keyword - threat.indicator.as.key: - dashed_name: threat-indicator-as-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.as.key - ignore_above: 1024 - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. - type: keyword - threat.indicator.as.path: - dashed_name: threat-indicator-as-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.indicator.as.path - ignore_above: 1024 - level: core - name: path + name: number normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: keyword - threat.indicator.as.value: - dashed_name: threat-indicator-as-value - description: Name of the value written. - example: Debugger - flat_name: threat.indicator.as.value + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. 
+ example: Google LLC + flat_name: threat.indicator.as.organization.name ignore_above: 1024 - level: core - name: value + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: as + short: Organization name. type: keyword threat.indicator.confidence: beta: This field is beta and subject to change. 
@@ -12290,6 +12366,94 @@ threat: normalize: [] short: Date/time indicator was last updated. type: date + threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword threat.indicator.port: beta: This field is beta and subject to change. dashed_name: threat-indicator-port 
@@ -12326,6 +12490,102 @@ threat: normalize: [] short: Indicator reference URL type: keyword + threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. 
+ type: keyword + threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword + threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: keyword + threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword + threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. 
+ type: keyword threat.indicator.scanner_stats: beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats @@ -12573,16 +12833,16 @@ threat: - threat.enrichments.indicator.as - threat.enrichments.indicator.as - threat.enrichments.indicator.as - - threat.enrichments.indicator.as - - threat.enrichments.indicator.as + - threat.enrichments.indicator.pe + - threat.enrichments.indicator.registry - threat.enrichments.url - threat.enrichments.x509 - threat.indicator.as - - threat.indicator.as - - threat.indicator.as - threat.indicator.file - threat.indicator.geo - threat.indicator.hash + - threat.indicator.pe + - threat.indicator.registry prefix: threat. reused_here: - beta: Reusing the `as` fields in this location is currently considered beta. @@ -12618,19 +12878,19 @@ threat: schema_name: hash short: Hashes, usually file hashes. - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.indicator.as + full: threat.indicator.pe schema_name: pe short: These fields contain Windows Portable Executable (PE) metadata. - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + full: threat.enrichments.indicator.pe schema_name: pe short: These fields contain Windows Portable Executable (PE) metadata. - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.indicator.as + full: threat.indicator.registry schema_name: registry short: Fields related to Windows Registry operations. - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + full: threat.enrichments.indicator.registry schema_name: registry short: Fields related to Windows Registry operations. - beta: Reusing the `url` fields in this location is currently considered beta. 
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index d5f879e506..6369597767 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -3100,35 +3100,23 @@ "properties": { "as": { "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "md5": { + "ignore_above": 1024, + "type": "keyword" }, - "hive": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "key": { + "sha256": { "ignore_above": 1024, "type": "keyword" }, - "path": { + "sha512": { "ignore_above": 1024, "type": "keyword" }, - "value": { + "ssdeep": { "ignore_above": 1024, "type": "keyword" } @@ -3170,6 +3158,38 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "port": { "type": "long" }, 
@@ -3181,6 +3201,42 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, @@ -3426,37 +3482,22 @@ "properties": { "as": { "properties": { - "data": { + "number": { + "type": "long" + }, + "organization": { "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } } }, @@ -3808,6 +3849,38 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "port": { "type": "long" }, 
@@ -3819,6 +3892,42 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 04e4d6a619..1006c07d11 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -3096,35 +3096,23 @@ "properties": { "as": { "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "md5": { + "ignore_above": 1024, + "type": "keyword" }, - "hive": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "key": { + "sha256": { "ignore_above": 1024, "type": "keyword" }, - "path": { + "sha512": { "ignore_above": 1024, "type": "keyword" }, - "value": { + "ssdeep": { "ignore_above": 1024, "type": "keyword" } 
@@ -3166,6 +3154,38 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "port": { "type": "long" }, @@ -3177,6 +3197,42 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, @@ -3422,37 +3478,22 @@ "properties": { "as": { "properties": { - "data": { + "number": { + "type": "long" + }, + "organization": { "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } } }, 
@@ -3804,6 +3845,38 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "port": { "type": "long" }, @@ -3815,6 +3888,42 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index b0196d0d29..f4b17a6f0d 100644 --- a/generated/elasticsearch/component/threat.json +++ b/generated/elasticsearch/component/threat.json 
@@ -14,35 +14,23 @@ "properties": { "as": { "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "md5": { + "ignore_above": 1024, + "type": "keyword" }, - "hive": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "key": { + "sha256": { "ignore_above": 1024, "type": "keyword" }, - "path": { + "sha512": { "ignore_above": 1024, "type": "keyword" }, - "value": { + "ssdeep": { "ignore_above": 1024, "type": "keyword" } @@ -84,6 +72,38 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "port": { "type": "long" }, @@ -95,6 +115,42 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, 
@@ -340,37 +396,22 @@ "properties": { "as": { "properties": { - "data": { + "number": { + "type": "long" + }, + "organization": { "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } } }, @@ -722,6 +763,38 @@ "modified_at": { "type": "date" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "port": { "type": "long" }, @@ -733,6 +806,42 @@ "ignore_above": 1024, "type": "keyword" }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "scanner_stats": { "type": "long" }, diff --git a/schemas/pe.yml b/schemas/pe.yml index 35efc1b7a8..92715fef59 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml 
@@ -11,10 +11,10 @@ - dll - process - at: threat.indicator - as: as + as: pe beta: Reusing the `as` fields in this location is currently considered beta. - at: threat.enrichments.indicator - as: as + as: pe beta: Reusing the `as` fields in this location is currently considered beta. fields: - name: original_file_name diff --git a/schemas/registry.yml b/schemas/registry.yml index 38912d9b08..649b3d07a2 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml @@ -8,10 +8,10 @@ top_level: true expected: - at: threat.indicator - as: as + as: registry beta: Reusing the `as` fields in this location is currently considered beta. - at: threat.enrichments.indicator - as: as + as: registry beta: Reusing the `as` fields in this location is currently considered beta. fields: From 75d019b9a769a39d918453ee1b60f95422b87928 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 7 Jul 2021 12:27:56 -0500 Subject: [PATCH 5/8] improve descriptions --- code/go/ecs/threat.go | 6 +++--- docs/field-details.asciidoc | 4 ++-- experimental/generated/beats/fields.ecs.yml | 6 +++--- experimental/generated/csv/fields.csv | 4 ++-- experimental/generated/ecs/ecs_flat.yml | 10 +++++----- experimental/generated/ecs/ecs_nested.yml | 10 +++++----- generated/beats/fields.ecs.yml | 6 +++--- generated/csv/fields.csv | 4 ++-- generated/ecs/ecs_flat.yml | 10 +++++----- generated/ecs/ecs_nested.yml | 10 +++++----- schemas/threat.yml | 9 +++++---- 11 files changed, 40 insertions(+), 39 deletions(-) diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go index 7d72f7f7ef..913ebf69ac 100644 --- a/code/go/ecs/threat.go +++ b/code/go/ecs/threat.go 
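Review bot: The two `beta` context lines in this hunk still read "Reusing the `as` fields in this location is currently considered beta." although the reuse target on the line above each of them is now `pe`, so the generated field-reuse tables will flag the wrong field set as beta; the regenerated ecs_nested.yml earlier on this page already shows `full: threat.indicator.pe` paired with that stale `as` wording. Patch 6 ("reuse cleanup") corrects the equivalent wording for file, geo and hash but its diffstat does not touch pe.yml. Change both lines to `beta: Reusing the `pe` fields in this location is currently considered beta.` so the note agrees with the `as: pe` value introduced here.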
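Review bot: Same issue in the registry.yml hunk: after `as: registry` the unchanged `beta` lines under `threat.indicator` and `threat.enrichments.indicator` still say "Reusing the `as` fields", and the regenerated `reused_here` entries for `threat.indicator.registry` earlier on this page carry that stale text into the artifacts. Change both to `beta: Reusing the `registry` fields in this location is currently considered beta.` so the beta note names the field set actually being reused.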
@@ -32,8 +32,8 @@ import ( // used by this detected threat, to accomplish the goal (e.g. "endpoint denial // of service"). type Threat struct { - // A list of associated indicators enriching the event, and the context of - // that association/enrichment. + // A list of associated indicators objects enriching the event, and the + // context of that association/enrichment. Enrichments []Enrichments `ecs:"enrichments"` // Name of the threat framework used to further categorize and classify the @@ -224,7 +224,7 @@ type Threat struct { } type Enrichments struct { - // Indicators + // Object containing associated indicators enriching the event. Indicator map[string]interface{} `ecs:"indicator"` // The date and time when intelligence source first reported sighting this diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 136f1041cd..eff3156b1f 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -7683,7 +7683,7 @@ These fields are for users to classify alerts from all of their sources (e.g. ID | beta:[ This field is beta and subject to change. ] -A list of associated indicators enriching the event, and the context of that association/enrichment. +A list of associated indicators objects enriching the event, and the context of that association/enrichment. type: nested @@ -7701,7 +7701,7 @@ type: nested | beta:[ This field is beta and subject to change. ] -Indicators +Object containing associated indicators enriching the event. type: object diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 0ac5e5d5a4..6b89dc7854 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -8180,13 +8180,13 @@ - name: enrichments level: extended type: nested - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. default_field: false - name: enrichments.indicator level: extended type: object - description: Indicators + description: Object containing associated indicators enriching the event. default_field: false - name: enrichments.indicator.as.md5 level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 7edf0e8fb2..4599743215 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -990,8 +990,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. 2.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -2.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. -2.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Indicators +2.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event. +2.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.md5,keyword,extended,,,MD5 hash. 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.sha1,keyword,extended,,,SHA1 hash. 2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.sha256,keyword,extended,,,SHA256 hash. 
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 592b61f228..e3c3948ec9 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -12290,23 +12290,23 @@ tags: threat.enrichments: beta: This field is beta and subject to change. dashed_name: threat-enrichments - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and the + context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: [] - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator - description: Indicators + description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator level: extended name: enrichments.indicator normalize: [] - short: Indicators + short: Object containing indicators enriching the event. type: object threat.enrichments.indicator.as.md5: dashed_name: threat-enrichments-indicator-as-md5 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index bac350a361..bf274e0c69 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -14359,23 +14359,23 @@ threat: threat.enrichments: beta: This field is beta and subject to change. dashed_name: threat-enrichments - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: [] - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator - description: Indicators + description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator level: extended name: enrichments.indicator normalize: [] - short: Indicators + short: Object containing indicators enriching the event. type: object threat.enrichments.indicator.as.md5: dashed_name: threat-enrichments-indicator-as-md5 diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1469267817..b6a81bedf2 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5848,13 +5848,13 @@ - name: enrichments level: extended type: nested - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. default_field: false - name: enrichments.indicator level: extended type: object - description: Indicators + description: Object containing associated indicators enriching the event. default_field: false - name: enrichments.indicator.as.md5 level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 1f36512e3a..3d159f8746 100644 --- a/generated/csv/fields.csv 
+++ b/generated/csv/fields.csv @@ -666,8 +666,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. 2.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -2.0.0-dev,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. -2.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Indicators +2.0.0-dev,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event. +2.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. 2.0.0-dev,true,threat,threat.enrichments.indicator.as.md5,keyword,extended,,,MD5 hash. 2.0.0-dev,true,threat,threat.enrichments.indicator.as.sha1,keyword,extended,,,SHA1 hash. 2.0.0-dev,true,threat,threat.enrichments.indicator.as.sha256,keyword,extended,,,SHA256 hash. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 89a03a2cd3..2c8767b73c 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8533,23 +8533,23 @@ tags: threat.enrichments: beta: This field is beta and subject to change. dashed_name: threat-enrichments - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and the + context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: [] - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator - description: Indicators + description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator level: extended name: enrichments.indicator normalize: [] - short: Indicators + short: Object containing indicators enriching the event. type: object threat.enrichments.indicator.as.md5: dashed_name: threat-enrichments-indicator-as-md5 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 3689b05f0e..ea3b197b3b 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10240,23 +10240,23 @@ threat: threat.enrichments: beta: This field is beta and subject to change. dashed_name: threat-enrichments - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: [] - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. type: nested threat.enrichments.indicator: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator - description: Indicators + description: Object containing associated indicators enriching the event. flat_name: threat.enrichments.indicator level: extended name: enrichments.indicator normalize: [] - short: Indicators + short: Object containing indicators enriching the event. type: object threat.enrichments.indicator.as.md5: dashed_name: threat-enrichments-indicator-as-md5 diff --git a/schemas/threat.yml b/schemas/threat.yml index ce98a37bb4..87287b7eb5 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
@@ -17,18 +17,19 @@ - name: enrichments level: extended type: nested - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. beta: This field is beta and subject to change. description: > - A list of associated indicators enriching the event, and the context of that association/enrichment. + A list of associated indicators objects enriching the event, and the context of + that association/enrichment. - name: enrichments.indicator level: extended type: object - short: Indicators + short: Object containing indicators enriching the event. beta: This field is beta and subject to change. description: > - Indicators + Object containing associated indicators enriching the event. - name: enrichments.indicator.first_seen level: extended From 043f447548a59af3c175ef919a3ab67e69595714 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 7 Jul 2021 12:41:29 -0500 Subject: [PATCH 6/8] reuse cleanup --- schemas/file.yml | 4 ++-- schemas/geo.yml | 4 ++-- schemas/hash.yml | 4 ++-- schemas/url.yml | 5 ++++- schemas/x509.yml | 5 ++++- 5 files changed, 14 insertions(+), 8 deletions(-) diff --git a/schemas/file.yml b/schemas/file.yml index 598febbaf3..9b52b2520e 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -17,8 +17,8 @@ as: file beta: Reusing the `file` fields in this location is currently considered beta. - at: threat.enrichments.indicator - as: as - beta: Reusing the `as` fields in this location is currently considered beta. + as: file + beta: Reusing the `file` fields in this location is currently considered beta. fields: - name: name level: extended diff --git a/schemas/geo.yml b/schemas/geo.yml index ca5012ef13..aef1a86f30 100644 --- a/schemas/geo.yml +++ b/schemas/geo.yml 
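Review bot: The new `description` for `enrichments` reads "A list of associated indicators objects enriching the event" — "indicators objects" is ungrammatical, and the identical string appears in the Go struct comment, the asciidoc, the CSV and the ecs_flat/ecs_nested artifacts touched by this commit, so the typo is reproduced everywhere this schema is rendered. Change the first folded line to `A list of associated indicator objects enriching the event, and the context of` (the second folded line stays as is). The `enrichments.indicator` description added in the same hunk reads correctly.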
@@ -21,8 +21,8 @@ as: geo beta: Reusing the `geo` fields in this location is currently considered beta. - at: threat.enrichments.indicator - as: as - beta: Reusing the `as` fields in this location is currently considered beta. + as: geo + beta: Reusing the `geo` fields in this location is currently considered beta. type: group fields: diff --git a/schemas/hash.yml b/schemas/hash.yml index 6b7306787f..33cb0f556b 100644 --- a/schemas/hash.yml +++ b/schemas/hash.yml @@ -25,8 +25,8 @@ as: hash beta: Reusing the `hash` fields in this location is currently considered beta. - at: threat.enrichments.indicator - as: as - beta: Reusing the `as` fields in this location is currently considered beta. + as: hash + beta: Reusing the `hash` fields in this location is currently considered beta. fields: diff --git a/schemas/url.yml b/schemas/url.yml index 1d68bc55e8..5fc48c54f6 100644 --- a/schemas/url.yml +++ b/schemas/url.yml @@ -9,7 +9,10 @@ reusable: top_level: true expected: - - at: threat.enrichments + - at: threat.indicator + as: url + beta: Reusing the `url` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: url beta: Reusing the `url` fields in this location is currently considered beta. fields: diff --git a/schemas/x509.yml b/schemas/x509.yml index d37db9807a..f60f65099d 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml @@ -17,7 +17,10 @@ top_level: false expected: - file - - at: threat.enrichments + - at: threat.indicator + as: x509 + beta: Reusing the `x509` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: x509 beta: Reusing the `x509` fields in this location is currently considered beta. - tls.client From d921b18d1a9083e7bfdfc1a840b8e13fe523f73c Mon Sep 17 00:00:00 2001 
From: Eric Beahan Date: Wed, 7 Jul 2021 12:42:05 -0500 Subject: [PATCH 7/8] artifacts --- docs/field-details.asciidoc | 46 +- experimental/generated/beats/fields.ecs.yml | 2819 +++++--- experimental/generated/csv/fields.csv | 203 +- experimental/generated/ecs/ecs_flat.yml | 5889 +++++++++------- experimental/generated/ecs/ecs_nested.yml | 5973 ++++++++++------- .../generated/elasticsearch/7/template.json | 1026 ++- .../elasticsearch/component/threat.json | 1026 ++- generated/beats/fields.ecs.yml | 2533 ++++--- generated/csv/fields.csv | 203 +- generated/ecs/ecs_flat.yml | 4997 +++++++++----- generated/ecs/ecs_nested.yml | 5113 +++++++++----- generated/elasticsearch/6/template.json | 824 ++- generated/elasticsearch/7/template.json | 824 ++- generated/elasticsearch/component/threat.json | 824 ++- 14 files changed, 21117 insertions(+), 11183 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index eff3156b1f..d80f250833 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3425,7 +3425,7 @@ example: `1001` The `file` fields are expected to be nested at: -* `threat.enrichments.indicator.as` +* `threat.enrichments.indicator.file` * `threat.indicator.file` @@ -3702,7 +3702,7 @@ The `geo` fields are expected to be nested at: * `source.geo` -* `threat.enrichments.indicator.as` +* `threat.enrichments.indicator.geo` * `threat.indicator.geo` @@ -3904,7 +3904,7 @@ The `hash` fields are expected to be nested at: * `process.hash` -* `threat.enrichments.indicator.as` +* `threat.enrichments.indicator.hash` * `threat.indicator.hash` 
@@ -8839,24 +8839,24 @@ Fields describing an Autonomous System (Internet routing prefix). // =============================================================== -| `threat.enrichments.indicator.as.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| `threat.enrichments.indicator.file.*` +| <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] Fields describing files. // =============================================================== -| `threat.enrichments.indicator.as.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| `threat.enrichments.indicator.geo.*` +| <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] Fields describing a location. // =============================================================== -| `threat.enrichments.indicator.as.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| `threat.enrichments.indicator.hash.*` +| <>| beta:[ Reusing the `hash` fields in this location is currently considered beta.] Hashes, usually file hashes. @@ -8879,7 +8879,7 @@ Fields related to Windows Registry operations. // =============================================================== -| `threat.enrichments.url.*` +| `threat.enrichments.indicator.url.*` | <>| beta:[ Reusing the `url` fields in this location is currently considered beta.] Fields that let you store URLs in various forms. @@ -8887,7 +8887,7 @@ Fields that let you store URLs in various forms. // =============================================================== -| `threat.enrichments.x509.*` +| `threat.enrichments.indicator.x509.*` | <>| beta:[ Reusing the `x509` fields in this location is currently considered beta.] These fields contain x509 certificate metadata. 
@@ -8943,6 +8943,22 @@ Fields related to Windows Registry operations. // =============================================================== +| `threat.indicator.url.*` +| <>| beta:[ Reusing the `url` fields in this location is currently considered beta.] + +Fields that let you store URLs in various forms. + +// =============================================================== + + +| `threat.indicator.x509.*` +| <>| beta:[ Reusing the `x509` fields in this location is currently considered beta.] + +These fields contain x509 certificate metadata. + +// =============================================================== + + |===== [[ecs-tls]] @@ -9825,7 +9841,9 @@ type: keyword The `url` fields are expected to be nested at: -* `threat.enrichments.url` +* `threat.enrichments.indicator.url` + +* `threat.indicator.url` Note also that the `url` fields may be used directly at the root of the events. @@ -10940,7 +10958,9 @@ The `x509` fields are expected to be nested at: * `file.x509` -* `threat.enrichments.x509` +* `threat.enrichments.indicator.x509` + +* `threat.indicator.x509` * `tls.client.x509` diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 6b89dc7854..8dddaf42d3 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -8188,35 +8188,22 @@ type: object description: Object containing associated indicators enriching the event. default_field: false - - name: enrichments.indicator.as.md5 + - name: enrichments.indicator.as.number level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: enrichments.indicator.as.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: enrichments.indicator.as.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: enrichments.indicator.as.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 default_field: false - - name: enrichments.indicator.as.ssdeep + - name: enrichments.indicator.as.organization.name level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC default_field: false - name: enrichments.indicator.confidence level: extended 
@@ -8243,555 +8230,673 @@ of direction). example: phish@example.com default_field: false - - name: enrichments.indicator.first_seen - level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.ip - level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - default_field: false - - name: enrichments.indicator.last_seen + - name: enrichments.indicator.file.accessed level: extended type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' default_field: false - - name: enrichments.indicator.marking.tlp + - name: enrichments.indicator.file.attributes level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' default_field: false - - name: enrichments.indicator.modified_at - level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + - name: enrichments.indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' default_field: false - - name: enrichments.indicator.pe.architecture + - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: enrichments.indicator.pe.authentihash + - name: enrichments.indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.indicator.pe.company - level: extended + - name: enrichments.indicator.file.code_signature.subject_name + level: core type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. + description: Subject name of the code signer example: Microsoft Corporation default_field: false - - name: enrichments.indicator.pe.compile_timestamp - level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.pe.compiler.name + - name: enrichments.indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: Name of the compiler - example: Clang + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. 
The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: enrichments.indicator.pe.compiler.version + - name: enrichments.indicator.file.code_signature.trusted level: extended - type: keyword - ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: enrichments.indicator.pe.creation_date + - name: enrichments.indicator.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: enrichments.indicator.file.created level: extended type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' + description: 'File creation time. + + Note that not all filesystems store the creation time.' default_field: false - - name: enrichments.indicator.pe.debug + - name: enrichments.indicator.file.ctime level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. + type: date + description: 'Last time the file attributes or metadata changed. - The expected fields for this nested object fall under the `debug.` prefix.' + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' 
default_field: false - - name: enrichments.indicator.pe.debug.offset + - name: enrichments.indicator.file.device level: extended type: keyword ignore_above: 1024 - description: Debug offset information. - example: 1296336 + description: Device that is the source of the file. + example: sda default_field: false - - name: enrichments.indicator.pe.debug.size + - name: enrichments.indicator.file.directory level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 + type: wildcard + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice default_field: false - - name: enrichments.indicator.pe.debug.timestamp + - name: enrichments.indicator.file.drive_letter level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: enrichments.indicator.pe.debug.type + - name: enrichments.indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: enrichments.indicator.pe.description + - name: enrichments.indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: Byte sequence of ELF file. 
+ example: Little Endian default_field: false - - name: enrichments.indicator.pe.entry_point + - name: enrichments.indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 + description: CPU type of the ELF file. + example: Intel default_field: false - - name: enrichments.indicator.pe.exports + - name: enrichments.indicator.file.elf.creation_date level: extended - type: keyword - ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. default_field: false - - name: enrichments.indicator.pe.file_version + - name: enrichments.indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: enrichments.indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: enrichments.indicator.pe.icon.hash.dhash + - name: enrichments.indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 + description: Header class of the ELF file. default_field: false - - name: enrichments.indicator.pe.imphash + - name: enrichments.indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + description: Data table of the ELF header. default_field: false - - name: enrichments.indicator.pe.imports + - name: enrichments.indicator.file.elf.header.entrypoint level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' + type: long + format: string + description: Header entrypoint of the ELF file. default_field: false - - name: enrichments.indicator.pe.machine_type + - name: enrichments.indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles + description: '"0x1" for original ELF files.' default_field: false - - name: enrichments.indicator.pe.original_file_name + - name: enrichments.indicator.file.elf.header.os_abi level: extended - type: wildcard - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: enrichments.indicator.pe.packers + - name: enrichments.indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' + description: Header type of the ELF file. 
default_field: false - - name: enrichments.indicator.pe.product + - name: enrichments.indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" + description: Version of the ELF header. default_field: false - - name: enrichments.indicator.pe.resources + - name: enrichments.indicator.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: enrichments.indicator.file.elf.sections level: extended type: nested - description: 'An array containing an object for each PE resource, if present. + description: 'An array containing an object for each section of the ELF file. - The expected fields for this nested object fall under the `resources.` prefix.' + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' default_field: false - - name: enrichments.indicator.pe.resources.chi2 + - name: enrichments.indicator.file.elf.sections.chi2 level: extended type: long - description: Chi-square probability distribution. - example: -1 + format: number + description: Chi-square probability distribution of the section. default_field: false - - name: enrichments.indicator.pe.resources.entropy + - name: enrichments.indicator.file.elf.sections.entropy level: extended type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: enrichments.indicator.pe.resources.filetype + - name: enrichments.indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: File type of the resources section. - example: Data + description: ELF Section List flags. 
default_field: false - - name: enrichments.indicator.pe.resources.language + - name: enrichments.indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED + description: ELF Section List name. default_field: false - - name: enrichments.indicator.pe.resources.sha256 + - name: enrichments.indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + description: ELF Section List offset. default_field: false - - name: enrichments.indicator.pe.resources.type + - name: enrichments.indicator.file.elf.sections.physical_size level: extended - type: keyword - ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' + type: long + format: bytes + description: ELF Section List physical size. default_field: false - - name: enrichments.indicator.pe.rich_header.hash.md5 + - name: enrichments.indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd + description: ELF Section List type. default_field: false - - name: enrichments.indicator.pe.sections + - name: enrichments.indicator.file.elf.sections.virtual_address level: extended - type: nested - description: Data about sections of compiled binary PE + type: long + format: string + description: ELF Section List virtual address. default_field: false - - name: enrichments.indicator.pe.sections.chi2 + - name: enrichments.indicator.file.elf.sections.virtual_size level: extended type: long - description: Chi-square probability distribution. - example: 3027194 + format: string + description: ELF Section List virtual size. 
default_field: false - - name: enrichments.indicator.pe.sections.entropy + - name: enrichments.indicator.file.elf.segments level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: enrichments.indicator.pe.sections.flags + - name: enrichments.indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: Section flags of the file. - example: rx + description: ELF object segment sections. default_field: false - - name: enrichments.indicator.pe.sections.name + - name: enrichments.indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: Section names of the file. - example: .text, .data - default_field: false - - name: enrichments.indicator.pe.sections.raw_size - level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - default_field: false - - name: enrichments.indicator.pe.sections.virtual_address - level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 - default_field: false - - name: enrichments.indicator.port - level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 + description: ELF object segment type. default_field: false - - name: enrichments.indicator.provider + - name: enrichments.indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus + description: List of shared libraries used by this ELF object. 
default_field: false - - name: enrichments.indicator.reference + - name: enrichments.indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 + description: telfhash symbol hash for ELF file. default_field: false - - name: enrichments.indicator.registry.data.bytes + - name: enrichments.indicator.file.extension level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: enrichments.indicator.registry.data.strings - level: core - type: wildcard - description: 'Content when writing string types. + description: 'File extension, excluding the leading dot. - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: enrichments.indicator.registry.data.type - level: core + - name: enrichments.indicator.file.gid + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: Primary group ID (GID) of the file. 
+ example: '1001' default_field: false - - name: enrichments.indicator.registry.hive - level: core + - name: enrichments.indicator.file.group + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM - default_field: false - - name: enrichments.indicator.registry.key - level: core - type: wildcard - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - default_field: false - - name: enrichments.indicator.registry.path - level: core - type: wildcard - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: Primary group name of the file. + example: alice default_field: false - - name: enrichments.indicator.registry.value - level: core + - name: enrichments.indicator.file.inode + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger - default_field: false - - name: enrichments.indicator.scanner_stats - level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - default_field: false - - name: enrichments.indicator.sightings - level: extended - type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 + description: Inode representing the file in the filesystem. 
+ example: '256383' default_field: false - - name: enrichments.indicator.type + - name: enrichments.indicator.file.mime_type level: extended type: keyword ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. default_field: false - - name: enrichments.matched.atomic + - name: enrichments.indicator.file.mode level: extended type: keyword ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com + description: Mode of the file in octal representation. + example: '0640' default_field: false - - name: enrichments.matched.field + - name: enrichments.indicator.file.mtime level: extended - type: keyword - ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 + type: date + description: Last time the file content was modified. default_field: false - - name: enrichments.matched.id + - name: enrichments.indicator.file.name level: extended type: keyword ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + description: Name of the file including the extension, without the directory. 
+ example: example.png default_field: false - - name: enrichments.matched.index + - name: enrichments.indicator.file.owner level: extended type: keyword ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 + description: File owner's username. + example: alice default_field: false - - name: enrichments.matched.type + - name: enrichments.indicator.file.path level: extended - type: keyword - ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png default_field: false - - name: enrichments.pe.architecture + - name: enrichments.indicator.file.size level: extended - type: keyword - ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: enrichments.pe.authentihash + - name: enrichments.indicator.file.target_path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. + default_field: false + - name: enrichments.indicator.file.type level: extended type: keyword ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + description: File type (file, dir, or symlink). + example: file default_field: false - - name: enrichments.pe.company + - name: enrichments.indicator.file.uid level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. 
- example: Microsoft Corporation + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' default_field: false - - name: enrichments.pe.compile_timestamp + - name: enrichments.indicator.first_seen level: extended type: date - description: Compile timestamp of the PE file. + description: The date and time when intelligence source first reported sighting + this indicator. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.pe.compiler.name - level: extended + - name: enrichments.indicator.geo.city_name + level: core type: keyword ignore_above: 1024 - description: Name of the compiler - example: Clang + description: City name. + example: Montreal default_field: false - - name: enrichments.pe.compiler.version - level: extended + - name: enrichments.indicator.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 - default_field: false - - name: enrichments.pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: enrichments.pe.debug + - name: enrichments.indicator.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: enrichments.indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: enrichments.indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. 
+ example: Canada + default_field: false + - name: enrichments.indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: enrichments.indicator.geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: enrichments.indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: enrichments.indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: enrichments.indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: enrichments.indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: enrichments.indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: enrichments.indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: enrichments.indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. 
+ default_field: false + - name: enrichments.indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: enrichments.indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: enrichments.indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: enrichments.indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + default_field: false + - name: enrichments.indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: enrichments.indicator.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false + - name: enrichments.indicator.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + default_field: false + - name: enrichments.indicator.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: enrichments.indicator.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: enrichments.indicator.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.pe.debug level: extended type: nested description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - - name: enrichments.pe.debug.offset + - name: enrichments.indicator.pe.debug.offset level: extended type: keyword ignore_above: 1024 description: Debug offset information. example: 1296336 default_field: false - - name: enrichments.pe.debug.size + - name: enrichments.indicator.pe.debug.size level: extended type: long format: bytes description: Size of the debug information. example: 816 default_field: false - - name: enrichments.pe.debug.timestamp + - name: enrichments.indicator.pe.debug.timestamp level: extended type: date description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.pe.debug.type + - name: enrichments.indicator.pe.debug.type level: extended type: keyword ignore_above: 1024 description: Information type generated by the debug options. 
example: IMAGE_DEBUG_TYPE_POGO default_field: false - - name: enrichments.pe.description + - name: enrichments.indicator.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: enrichments.pe.entry_point + - name: enrichments.indicator.pe.entry_point level: extended type: keyword ignore_above: 1024 description: Relative byte offset to the base of the PE file. example: 25856 default_field: false - - name: enrichments.pe.exports + - name: enrichments.indicator.pe.exports level: extended type: keyword ignore_above: 1024 description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' default_field: false - - name: enrichments.pe.file_version + - name: enrichments.indicator.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: enrichments.pe.icon.hash.dhash + - name: enrichments.indicator.pe.icon.hash.dhash level: extended type: keyword ignore_above: 1024 @@ -8799,7 +8904,7 @@ or thumbnail. example: b806e17c8e330d82 default_field: false - - name: enrichments.pe.imphash + - name: enrichments.indicator.pe.imphash level: extended type: keyword ignore_above: 1024 
@@ -8810,140 +8915,161 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: enrichments.pe.imports + - name: enrichments.indicator.pe.imports level: extended type: flattened description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' default_field: false - - name: enrichments.pe.machine_type + - name: enrichments.indicator.pe.machine_type level: extended type: keyword ignore_above: 1024 description: Machine type of the PE file. example: Intel 386 or later, and compatibles default_field: false - - name: enrichments.pe.original_file_name + - name: enrichments.indicator.pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: enrichments.pe.packers + - name: enrichments.indicator.pe.packers level: extended type: keyword ignore_above: 1024 description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' default_field: false - - name: enrichments.pe.product + - name: enrichments.indicator.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: enrichments.pe.resources + - name: enrichments.indicator.pe.resources level: extended type: nested description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - - name: enrichments.pe.resources.chi2 + - name: enrichments.indicator.pe.resources.chi2 level: extended type: long description: Chi-square probability distribution. 
example: -1 default_field: false - - name: enrichments.pe.resources.entropy + - name: enrichments.indicator.pe.resources.entropy level: extended type: long description: Measurement of entropy randomness in the resources section. example: 0, 1 default_field: false - - name: enrichments.pe.resources.filetype + - name: enrichments.indicator.pe.resources.filetype level: extended type: keyword ignore_above: 1024 description: File type of the resources section. example: Data default_field: false - - name: enrichments.pe.resources.language + - name: enrichments.indicator.pe.resources.language level: extended type: keyword ignore_above: 1024 description: Language identification. example: CHINESE SIMPLIFIED default_field: false - - name: enrichments.pe.resources.sha256 + - name: enrichments.indicator.pe.resources.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 default_field: false - - name: enrichments.pe.resources.type + - name: enrichments.indicator.pe.resources.type level: extended type: keyword ignore_above: 1024 description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' default_field: false - - name: enrichments.pe.rich_header.hash.md5 + - name: enrichments.indicator.pe.rich_header.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd default_field: false - - name: enrichments.pe.sections + - name: enrichments.indicator.pe.sections level: extended type: nested description: Data about sections of compiled binary PE default_field: false - - name: enrichments.pe.sections.chi2 + - name: enrichments.indicator.pe.sections.chi2 level: extended type: long description: Chi-square probability distribution. 
example: 3027194 default_field: false - - name: enrichments.pe.sections.entropy + - name: enrichments.indicator.pe.sections.entropy level: extended type: float description: Measurement of entropy randomness in the file. example: 6.24 default_field: false - - name: enrichments.pe.sections.flags + - name: enrichments.indicator.pe.sections.flags level: extended type: keyword ignore_above: 1024 description: Section flags of the file. example: rx default_field: false - - name: enrichments.pe.sections.name + - name: enrichments.indicator.pe.sections.name level: extended type: keyword ignore_above: 1024 description: Section names of the file. example: .text, .data default_field: false - - name: enrichments.pe.sections.raw_size + - name: enrichments.indicator.pe.sections.raw_size level: extended type: long format: bytes description: Size of the section or the dize of the initialized data on disk. example: 198144 default_field: false - - name: enrichments.pe.sections.virtual_address + - name: enrichments.indicator.pe.sections.virtual_address level: extended type: long format: bytes description: Virtual address available to the file. example: 8192 default_field: false - - name: enrichments.registry.data.bytes + - name: enrichments.indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: enrichments.indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus + default_field: false + - name: enrichments.indicator.reference + level: extended + type: keyword + ignore_above: 1024 + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + default_field: false + - name: enrichments.indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 
@@ -8954,7 +9080,7 @@ better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.registry.data.strings + - name: enrichments.indicator.registry.data.strings level: core type: wildcard description: 'Content when writing string types. 
@@ -8966,41 +9092,65 @@ be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.registry.data.type + - name: enrichments.indicator.registry.data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents example: REG_SZ default_field: false - - name: enrichments.registry.hive + - name: enrichments.indicator.registry.hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - - name: enrichments.registry.key + - name: enrichments.indicator.registry.key level: core type: wildcard description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.registry.path + - name: enrichments.indicator.registry.path level: core type: wildcard description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - - name: enrichments.registry.value + - name: enrichments.indicator.registry.value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - - name: enrichments.url.domain + - name: enrichments.indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: enrichments.indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + default_field: false + - name: enrichments.indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + default_field: false + - name: enrichments.indicator.url.domain level: extended type: wildcard description: 'Domain of the url, such as "www.elastic.co". @@ -9013,7 +9163,7 @@ field.' example: www.elastic.co default_field: false - - name: enrichments.url.extension + - name: enrichments.indicator.url.extension level: extended type: keyword ignore_above: 1024 @@ -9029,7 +9179,7 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - - name: enrichments.url.fragment + - name: enrichments.indicator.url.fragment level: extended type: keyword ignore_above: 1024 @@ -9037,7 +9187,7 @@ The `#` is not part of the fragment.' default_field: false - - name: enrichments.url.full + - name: enrichments.indicator.url.full level: extended type: wildcard multi_fields: @@ -9049,7 +9199,7 @@ source. example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - - name: enrichments.url.original + - name: enrichments.indicator.url.original level: extended type: wildcard multi_fields: 
@@ -9064,25 +9214,25 @@ This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: enrichments.url.password + - name: enrichments.indicator.url.password level: extended type: keyword ignore_above: 1024 description: Password of the request. default_field: false - - name: enrichments.url.path + - name: enrichments.indicator.url.path level: extended type: wildcard description: Path of the request, such as "/search". default_field: false - - name: enrichments.url.port + - name: enrichments.indicator.url.port level: extended type: long format: string description: Port of the request, such as 443. example: 443 default_field: false - - name: enrichments.url.query + - name: enrichments.indicator.url.query level: extended type: keyword ignore_above: 1024 @@ -9094,7 +9244,7 @@ with an empty string. The `exists` query can be used to differentiate between the two cases.' default_field: false - - name: enrichments.url.registered_domain + - name: enrichments.indicator.url.registered_domain level: extended type: wildcard description: 'The highest registered url domain, stripped of the subdomain. @@ -9106,7 +9256,7 @@ the last two labels will not work well for TLDs such as "co.uk".' example: example.com default_field: false - - name: enrichments.url.scheme + - name: enrichments.indicator.url.scheme level: extended type: keyword ignore_above: 1024 @@ -9115,7 +9265,7 @@ Note: The `:` is not part of the scheme.' example: https default_field: false - - name: enrichments.url.subdomain + - name: enrichments.indicator.url.subdomain level: extended type: keyword ignore_above: 1024 
@@ -9129,7 +9279,7 @@ the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - - name: enrichments.url.top_level_domain + - name: enrichments.indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 @@ -9142,13 +9292,13 @@ the last label will not work well for effective TLDs such as "co.uk".' example: co.uk default_field: false - - name: enrichments.url.username + - name: enrichments.indicator.url.username level: extended type: keyword ignore_above: 1024 description: Username of the request. default_field: false - - name: enrichments.x509.alternative_names + - name: enrichments.indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 
@@ -9157,75 +9307,75 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: enrichments.x509.issuer.common_name + - name: enrichments.indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.x509.issuer.country + - name: enrichments.indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - - name: enrichments.x509.issuer.distinguished_name + - name: enrichments.indicator.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.x509.issuer.locality + - name: enrichments.indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: enrichments.x509.issuer.organization + - name: enrichments.indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: enrichments.x509.issuer.organizational_unit + - name: enrichments.indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. 
example: www.example.com default_field: false - - name: enrichments.x509.issuer.state_or_province + - name: enrichments.indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.x509.not_after + - name: enrichments.indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - - name: enrichments.x509.not_before + - name: enrichments.indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - - name: enrichments.x509.public_key_algorithm + - name: enrichments.indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - - name: enrichments.x509.public_key_curve + - name: enrichments.indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 @@ -9233,7 +9383,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: enrichments.x509.public_key_exponent + - name: enrichments.indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -9241,13 +9391,13 @@ index: false doc_values: false default_field: false - - name: enrichments.x509.public_key_size + - name: enrichments.indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: enrichments.x509.serial_number + - name: enrichments.indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 
@@ -9256,7 +9406,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: enrichments.x509.signature_algorithm + - name: enrichments.indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -9264,1066 +9414,1741 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: enrichments.x509.subject.common_name + - name: enrichments.indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: enrichments.x509.subject.country + - name: enrichments.indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - - name: enrichments.x509.subject.distinguished_name + - name: enrichments.indicator.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: enrichments.x509.subject.locality + - name: enrichments.indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: enrichments.x509.subject.organization + - name: enrichments.indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: enrichments.x509.subject.organizational_unit + - name: enrichments.indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: enrichments.x509.subject.state_or_province + - name: enrichments.indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.x509.version_number + - name: enrichments.indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: framework + - name: enrichments.matched.atomic level: extended type: keyword ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + default_field: false + - name: enrichments.matched.field level: extended type: keyword ignore_above: 1024 - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 default_field: false - - name: group.id + - name: enrichments.matched.id level: extended type: keyword ignore_above: 1024 - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." 
- example: G0037 + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 default_field: false - - name: group.name + - name: enrichments.matched.index level: extended type: keyword ignore_above: 1024 - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 default_field: false - - name: group.reference + - name: enrichments.matched.type level: extended type: keyword ignore_above: 1024 - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - default_field: false - - name: indicator.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - default_field: false - - name: indicator.as.organization.name - level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Organization name. 
- example: Google LLC + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule default_field: false - - name: indicator.confidence + - name: enrichments.pe.architecture level: extended type: keyword ignore_above: 1024 - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High + description: CPU architecture target for the file. + example: x64 default_field: false - - name: indicator.description + - name: enrichments.pe.authentihash level: extended type: keyword ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 default_field: false - - name: indicator.email.address + - name: enrichments.pe.company level: extended type: keyword ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: indicator.file.accessed + - name: enrichments.pe.compile_timestamp level: extended type: date - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - default_field: false - - name: indicator.file.attributes - level: extended - type: keyword - ignore_above: 1024 - description: 'Array of file attributes. - - Attributes names will vary by platform. 
Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - default_field: false - - name: indicator.file.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.code_signature.signing_id + - name: enrichments.pe.compiler.name level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + description: Name of the compiler + example: Clang default_field: false - - name: indicator.file.code_signature.status + - name: enrichments.pe.compiler.version level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - default_field: false - - name: indicator.file.code_signature.subject_name - level: core - type: keyword - ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: Version of the compiler. + example: 11.0.0 default_field: false - - name: indicator.file.code_signature.team_id + - name: enrichments.pe.creation_date level: extended - type: keyword - ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.code_signature.trusted + - name: enrichments.pe.debug level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. + type: nested + description: 'An array containing an object for each debug entry, if present. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - - name: indicator.file.code_signature.valid + - name: enrichments.pe.debug.offset level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 default_field: false - - name: indicator.file.created + - name: enrichments.pe.debug.size level: extended - type: date - description: 'File creation time. - - Note that not all filesystems store the creation time.' + type: long + format: bytes + description: Size of the debug information. + example: 816 default_field: false - - name: indicator.file.ctime + - name: enrichments.pe.debug.timestamp level: extended type: date - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' + description: Timestamp of the debug information. 
+ example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.device + - name: enrichments.pe.debug.type level: extended type: keyword ignore_above: 1024 - description: Device that is the source of the file. - example: sda + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO default_field: false - - name: indicator.file.directory + - name: enrichments.pe.description level: extended - type: wildcard - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: indicator.file.drive_letter + - name: enrichments.pe.entry_point level: extended type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 default_field: false - - name: indicator.file.elf.architecture + - name: enrichments.pe.exports level: extended type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' default_field: false - - name: indicator.file.elf.byte_order + - name: enrichments.pe.file_version level: extended type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: indicator.file.elf.cpu_type + - name: enrichments.pe.icon.hash.dhash level: extended type: keyword ignore_above: 1024 - description: CPU type of the ELF file. 
- example: Intel + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 default_field: false - - name: indicator.file.elf.creation_date + - name: enrichments.pe.imphash level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: indicator.file.elf.exports + - name: enrichments.pe.imports level: extended type: flattened - description: List of exported element names and types. + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' default_field: false - - name: indicator.file.elf.header.abi_version + - name: enrichments.pe.machine_type level: extended type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles default_field: false - - name: indicator.file.elf.header.class + - name: enrichments.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: enrichments.pe.packers level: extended type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: List of packers and tools used. 
+ example: '["ASPack v2.12", ".NET executable"]' default_field: false - - name: indicator.file.elf.header.data + - name: enrichments.pe.product level: extended type: keyword ignore_above: 1024 - description: Data table of the ELF header. + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: indicator.file.elf.header.entrypoint + - name: enrichments.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: enrichments.pe.resources.chi2 level: extended type: long - format: string - description: Header entrypoint of the ELF file. + description: Chi-square probability distribution. + example: -1 default_field: false - - name: indicator.file.elf.header.object_version + - name: enrichments.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: enrichments.pe.resources.filetype level: extended type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: File type of the resources section. + example: Data default_field: false - - name: indicator.file.elf.header.os_abi + - name: enrichments.pe.resources.language level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: Language identification. + example: CHINESE SIMPLIFIED default_field: false - - name: indicator.file.elf.header.type + - name: enrichments.pe.resources.sha256 level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 default_field: false - - name: indicator.file.elf.header.version + - name: enrichments.pe.resources.type level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' default_field: false - - name: indicator.file.elf.imports + - name: enrichments.pe.rich_header.hash.md5 level: extended - type: flattened - description: List of imported element names and types. + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd default_field: false - - name: indicator.file.elf.sections + - name: enrichments.pe.sections level: extended type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + description: Data about sections of compiled binary PE default_field: false - - name: indicator.file.elf.sections.chi2 + - name: enrichments.pe.sections.chi2 level: extended type: long - format: number - description: Chi-square probability distribution of the section. + description: Chi-square probability distribution. + example: 3027194 default_field: false - - name: indicator.file.elf.sections.entropy + - name: enrichments.pe.sections.entropy level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 default_field: false - - name: indicator.file.elf.sections.flags + - name: enrichments.pe.sections.flags level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: Section flags of the file. 
+ example: rx default_field: false - - name: indicator.file.elf.sections.name + - name: enrichments.pe.sections.name level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: Section names of the file. + example: .text, .data default_field: false - - name: indicator.file.elf.sections.physical_offset + - name: enrichments.pe.sections.raw_size level: extended - type: keyword - ignore_above: 1024 - description: ELF Section List offset. + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 default_field: false - - name: indicator.file.elf.sections.physical_size + - name: enrichments.pe.sections.virtual_address level: extended type: long format: bytes - description: ELF Section List physical size. + description: Virtual address available to the file. + example: 8192 default_field: false - - name: indicator.file.elf.sections.type + - name: enrichments.registry.data.bytes level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. - default_field: false - - name: indicator.file.elf.sections.virtual_address - level: extended - type: long - format: string - description: ELF Section List virtual address. - default_field: false - - name: indicator.file.elf.sections.virtual_size - level: extended - type: long - format: string - description: ELF Section List virtual size. + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: indicator.file.elf.segments - level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. 
+ - name: enrichments.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: indicator.file.elf.segments.sections - level: extended + - name: enrichments.registry.data.type + level: core type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: indicator.file.elf.segments.type - level: extended + - name: enrichments.registry.hive + level: core type: keyword ignore_above: 1024 - description: ELF object segment type. + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: indicator.file.elf.shared_libraries - level: extended + - name: enrichments.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: enrichments.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: enrichments.registry.value + level: core type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: Name of the value written. 
+ example: Debugger default_field: false - - name: indicator.file.elf.telfhash + - name: framework level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. - default_field: false - - name: indicator.file.extension + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: group.alias level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' default_field: false - - name: indicator.file.gid + - name: group.id level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 default_field: false - - name: indicator.file.group + - name: group.name level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." 
+ example: FIN6 default_field: false - - name: indicator.file.inode + - name: group.reference level: extended type: keyword ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ default_field: false - - name: indicator.file.mime_type + - name: indicator.as.number level: extended - type: keyword - ignore_above: 1024 - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. - default_field: false - - name: indicator.file.mode - level: extended - type: keyword - ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' - default_field: false - - name: indicator.file.mtime - level: extended - type: date - description: Last time the file content was modified. - default_field: false - - name: indicator.file.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png - default_field: false - - name: indicator.file.owner - level: extended - type: keyword - ignore_above: 1024 - description: File owner's username. - example: alice + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 default_field: false - - name: indicator.file.path + - name: indicator.as.organization.name level: extended type: wildcard multi_fields: - name: text type: text norms: false - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png - default_field: false - - name: indicator.file.size - level: extended - type: long - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 + description: Organization name. + example: Google LLC default_field: false - - name: indicator.file.target_path + - name: indicator.confidence level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Target path for symlinks. + type: keyword + ignore_above: 1024 + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: indicator.file.type + - name: indicator.description level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: indicator.file.uid + - name: indicator.email.address level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + description: Identifies a threat indicator as an email address (irrespective + of direction). 
+ example: phish@example.com default_field: false - - name: indicator.first_seen + - name: indicator.file.accessed level: extended type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' default_field: false - - name: indicator.geo.city_name - level: core + - name: indicator.file.attributes + level: extended type: keyword ignore_above: 1024 - description: City name. - example: Montreal + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' default_field: false - - name: indicator.geo.continent_code + - name: indicator.file.code_signature.exists level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: indicator.file.code_signature.signing_id + level: extended type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: indicator.geo.continent_name - level: core + - name: indicator.file.code_signature.status + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT default_field: false - - name: indicator.geo.country_iso_code + - name: indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Subject name of the code signer + example: Microsoft Corporation default_field: false - - name: indicator.geo.country_name - level: core + - name: indicator.file.code_signature.team_id + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV default_field: false - - name: indicator.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: indicator.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: indicator.geo.name + - name: indicator.file.code_signature.valid level: extended - type: wildcard - description: 'User-defined description of a location, at the level of granularity - they care about. + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: indicator.file.created + level: extended + type: date + description: 'File creation time. - Not typically used in automated geolocation.' 
- example: boston-dc + Note that not all filesystems store the creation time.' default_field: false - - name: indicator.geo.postal_code - level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. + - name: indicator.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: indicator.geo.region_iso_code - level: core + - name: indicator.file.device + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Device that is the source of the file. + example: sda default_field: false - - name: indicator.geo.region_name - level: core + - name: indicator.file.directory + level: extended + type: wildcard + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: indicator.file.drive_letter + level: extended type: keyword - ignore_above: 1024 - description: Region name. - example: Quebec + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: indicator.geo.timezone - level: core + - name: indicator.file.elf.architecture + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: Machine architecture of the ELF file. 
+ example: x86-64 default_field: false - - name: indicator.hash.md5 + - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 - description: MD5 hash. + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: indicator.hash.sha1 + - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 - description: SHA1 hash. + description: CPU type of the ELF file. + example: Intel default_field: false - - name: indicator.hash.sha256 + - name: indicator.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: indicator.hash.sha512 + - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. + description: Header class of the ELF file. default_field: false - - name: indicator.hash.ssdeep + - name: indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: indicator.ip - level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 + description: Data table of the ELF header. default_field: false - - name: indicator.last_seen + - name: indicator.file.elf.header.entrypoint level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. 
- example: '2020-11-05T17:25:47.000Z' + type: long + format: string + description: Header entrypoint of the ELF file. default_field: false - - name: indicator.marking.tlp + - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE + description: '"0x1" for original ELF files.' default_field: false - - name: indicator.modified_at + - name: indicator.file.elf.header.os_abi level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: indicator.pe.architecture + - name: indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: Header type of the ELF file. default_field: false - - name: indicator.pe.authentihash + - name: indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + description: Version of the ELF header. default_field: false - - name: indicator.pe.company + - name: indicator.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: indicator.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
+ default_field: false + - name: indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: ELF Section List flags. default_field: false - - name: indicator.pe.compile_timestamp + - name: indicator.file.elf.sections.name level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1024 + description: ELF Section List name. default_field: false - - name: indicator.pe.compiler.name + - name: indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - description: Name of the compiler - example: Clang + description: ELF Section List offset. default_field: false - - name: indicator.pe.compiler.version + - name: indicator.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 + description: ELF Section List type. default_field: false - - name: indicator.pe.creation_date + - name: indicator.file.elf.sections.virtual_address level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' + type: long + format: string + description: ELF Section List virtual address. 
default_field: false - - name: indicator.pe.debug + - name: indicator.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: indicator.file.elf.segments level: extended type: nested - description: 'An array containing an object for each debug entry, if present. + description: 'An array containing an object for each segment of the ELF file. - The expected fields for this nested object fall under the `debug.` prefix.' + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: indicator.pe.debug.offset + - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: Debug offset information. - example: 1296336 + description: ELF object segment sections. default_field: false - - name: indicator.pe.debug.size + - name: indicator.file.elf.segments.type level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 + type: keyword + ignore_above: 1024 + description: ELF object segment type. default_field: false - - name: indicator.pe.debug.timestamp + - name: indicator.file.elf.shared_libraries level: extended - type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. default_field: false - - name: indicator.pe.debug.type + - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO + description: telfhash symbol hash for ELF file. default_field: false - - name: indicator.pe.description + - name: indicator.file.extension level: extended type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. 
- example: Paint + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: indicator.pe.entry_point + - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 + description: Primary group ID (GID) of the file. + example: '1001' default_field: false - - name: indicator.pe.exports + - name: indicator.file.group level: extended type: keyword ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + description: Primary group name of the file. + example: alice default_field: false - - name: indicator.pe.file_version + - name: indicator.file.inode level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: indicator.pe.icon.hash.dhash + - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. default_field: false - - name: indicator.pe.imphash + - name: indicator.file.mode level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. 
An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + description: Mode of the file in octal representation. + example: '0640' + default_field: false + - name: indicator.file.mtime + level: extended + type: date + description: Last time the file content was modified. + default_field: false + - name: indicator.file.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + default_field: false + - name: indicator.file.owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + default_field: false + - name: indicator.file.path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + default_field: false + - name: indicator.file.size + level: extended + type: long + description: 'File size in bytes. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: indicator.pe.imports + - name: indicator.file.target_path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. + default_field: false + - name: indicator.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). 
+ example: file + default_field: false + - name: indicator.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: indicator.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: indicator.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + default_field: false + - name: indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + default_field: false + - name: indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: indicator.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false + - name: indicator.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: indicator.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: indicator.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: indicator.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: indicator.pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: indicator.pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: indicator.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false + - name: indicator.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: indicator.pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: indicator.pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false + - name: indicator.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + default_field: false + - name: indicator.pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false + - name: indicator.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: indicator.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: indicator.pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false + - name: indicator.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: indicator.pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false + - name: indicator.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: indicator.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: indicator.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: indicator.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: indicator.pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: indicator.pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: indicator.pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: indicator.pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: indicator.pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: indicator.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: indicator.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: 3027194 + default_field: false + - name: indicator.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: indicator.pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: indicator.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: indicator.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: indicator.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus + default_field: false + - name: indicator.reference + level: extended + type: keyword + ignore_above: 1024 + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + default_field: false + - name: indicator.registry.data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' 
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: indicator.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: indicator.registry.hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: indicator.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: indicator.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: indicator.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false + - name: indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + default_field: false + - name: indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + default_field: false + - name: indicator.url.domain + level: extended + type: wildcard + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + default_field: false + - name: indicator.url.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: indicator.url.fragment + level: extended + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' 
+ default_field: false + - name: indicator.url.full + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + default_field: false + - name: indicator.url.original + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + default_field: false + - name: indicator.url.password + level: extended + type: keyword + ignore_above: 1024 + description: Password of the request. + default_field: false + - name: indicator.url.path + level: extended + type: wildcard + description: Path of the request, such as "/search". + default_field: false + - name: indicator.url.port level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' + type: long + format: string + description: Port of the request, such as 443. + example: 443 default_field: false - - name: indicator.pe.machine_type + - name: indicator.url.query level: extended type: keyword ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. 
If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' default_field: false - - name: indicator.pe.original_file_name + - name: indicator.url.registered_domain level: extended type: wildcard - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: indicator.pe.packers + - name: indicator.url.scheme level: extended type: keyword ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https default_field: false - - name: indicator.pe.product + - name: indicator.url.subdomain level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east default_field: false - - name: indicator.pe.resources + - name: indicator.url.top_level_domain level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". - The expected fields for this nested object fall under the `resources.` prefix.' + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: indicator.pe.resources.chi2 + - name: indicator.url.username level: extended - type: long - description: Chi-square probability distribution. - example: -1 + type: keyword + ignore_above: 1024 + description: Username of the request. default_field: false - - name: indicator.pe.resources.entropy + - name: indicator.x509.alternative_names level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: indicator.pe.resources.filetype + - name: indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 - description: File type of the resources section. - example: Data + description: List of common name (CN) of issuing certificate authority. 
+ example: Example SHA2 High Assurance Server CA default_field: false - - name: indicator.pe.resources.language + - name: indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 - description: Language identification. - example: CHINESE SIMPLIFIED + description: List of country (C) codes + example: US default_field: false - - name: indicator.pe.resources.sha256 + - name: indicator.x509.issuer.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + description: List of locality names (L) + example: Mountain View default_field: false - - name: indicator.pe.resources.type + - name: indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' + description: List of organizations (O) of issuing certificate authority. + example: Example Inc default_field: false - - name: indicator.pe.rich_header.hash.md5 + - name: indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com default_field: false - - name: indicator.pe.sections + - name: indicator.x509.issuer.state_or_province level: extended - type: nested - description: Data about sections of compiled binary PE + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.pe.sections.chi2 + - name: indicator.x509.not_after level: extended - type: long - description: Chi-square probability distribution. - example: 3027194 + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 default_field: false - - name: indicator.pe.sections.entropy + - name: indicator.x509.not_before level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 default_field: false - - name: indicator.pe.sections.flags + - name: indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 - description: Section flags of the file. - example: rx + description: Algorithm used to generate the public key. + example: RSA default_field: false - - name: indicator.pe.sections.name + - name: indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 - description: Section names of the file. - example: .text, .data + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: indicator.pe.sections.raw_size + - name: indicator.x509.public_key_exponent level: extended type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 + description: Exponent used to derive the public key. This is algorithm specific. 
+ example: 65537 + index: false + doc_values: false default_field: false - - name: indicator.pe.sections.virtual_address + - name: indicator.x509.public_key_size level: extended type: long - format: bytes - description: Virtual address available to the file. - example: 8192 + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: indicator.port + - name: indicator.x509.serial_number level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: indicator.provider + - name: indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA default_field: false - - name: indicator.reference + - name: indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: indicator.registry.data.bytes + - name: indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. 
This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + description: List of country (C) code + example: US default_field: false - - name: indicator.registry.data.strings - level: core + - name: indicator.x509.subject.distinguished_name + level: extended type: wildcard - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: indicator.registry.data.type - level: core + - name: indicator.x509.subject.locality + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: List of locality names (L) + example: San Francisco default_field: false - - name: indicator.registry.hive - level: core + - name: indicator.x509.subject.organization + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM - default_field: false - - name: indicator.registry.key - level: core - type: wildcard - description: Hive-relative path of keys. 
- example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - default_field: false - - name: indicator.registry.path - level: core - type: wildcard - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: indicator.registry.value - level: core + - name: indicator.x509.subject.organizational_unit + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger - default_field: false - - name: indicator.scanner_stats - level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 + description: List of organizational units (OU) of subject. default_field: false - - name: indicator.sightings + - name: indicator.x509.subject.state_or_province level: extended - type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.type + - name: indicator.x509.version_number level: extended type: keyword ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr + description: Version of x509 format. + example: 3 default_field: false - name: software.id level: extended 
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 4599743215..0444c19de0 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -992,15 +992,88 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
2.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event.
2.0.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event.
-2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.md5,keyword,extended,,,MD5 hash.
-2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.sha1,keyword,extended,,,SHA1 hash.
-2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.sha256,keyword,extended,,,SHA256 hash.
-2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.sha512,keyword,extended,,,SHA512 hash.
-2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.ssdeep,keyword,extended,,,SSDEEP hash.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name.
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,High,Indicator confidence rating
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,wildcard,extended,,,Target path for symlinks.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,text,extended,,,Target path for symlinks.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.md5,keyword,extended,,,MD5 hash.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking
@@ -1056,6 +1129,46 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed
2.0.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+2.0.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+2.0.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
2.0.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value
2.0.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field
2.0.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier
@@ -1106,46 +1219,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,threat,threat.enrichments.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
2.0.0-dev+exp,true,threat,threat.enrichments.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
2.0.0-dev+exp,true,threat,threat.enrichments.registry.value,keyword,core,,Debugger,Name of the value written.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-2.0.0-dev+exp,true,threat,threat.enrichments.url.fragment,keyword,extended,,,Portion of the url after the `#`.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.password,keyword,extended,,,Password of the request.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-2.0.0-dev+exp,true,threat,threat.enrichments.url.port,long,extended,,443,"Port of the request, such as 443."
-2.0.0-dev+exp,true,threat,threat.enrichments.url.query,keyword,extended,,,Query string of the request.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-2.0.0-dev+exp,true,threat,threat.enrichments.url.scheme,keyword,extended,,https,Scheme of the url.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.subdomain,keyword,extended,,east,The subdomain of the domain.
-2.0.0-dev+exp,true,threat,threat.enrichments.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-2.0.0-dev+exp,true,threat,threat.enrichments.url.username,keyword,extended,,,Username of the request.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-2.0.0-dev+exp,false,threat,threat.enrichments.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.country,keyword,extended,array,US,List of country (C) code
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-2.0.0-dev+exp,true,threat,threat.enrichments.x509.version_number,keyword,extended,,3,Version of x509 format.
2.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
2.0.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group.
2.0.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group.
@@ -1288,6 +1361,46 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
2.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+2.0.0-dev+exp,true,threat,threat.indicator.url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+2.0.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+2.0.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+2.0.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+2.0.0-dev+exp,true,threat,threat.indicator.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+2.0.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+2.0.0-dev+exp,true,threat,threat.indicator.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+2.0.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request.
+2.0.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+2.0.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+2.0.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request.
+2.0.0-dev+exp,true,threat,threat.indicator.url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+2.0.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+2.0.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+2.0.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+2.0.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+2.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+2.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+2.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+2.0.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+2.0.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
+2.0.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+2.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+2.0.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+2.0.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
2.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
2.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index e3c3948ec9..077f47c2a0 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -12308,61 +12308,34 @@ threat.enrichments.indicator: normalize: [] short: Object containing indicators enriching the event. type: object -threat.enrichments.indicator.as.md5: - dashed_name: threat-enrichments-indicator-as-md5 - description: MD5 hash. - flat_name: threat.enrichments.indicator.as.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -threat.enrichments.indicator.as.sha1: - dashed_name: threat-enrichments-indicator-as-sha1 - description: SHA1 hash. - flat_name: threat.enrichments.indicator.as.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -threat.enrichments.indicator.as.sha256: - dashed_name: threat-enrichments-indicator-as-sha256 - description: SHA256 hash. - flat_name: threat.enrichments.indicator.as.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -threat.enrichments.indicator.as.sha512: - dashed_name: threat-enrichments-indicator-as-sha512 - description: SHA512 hash. - flat_name: threat.enrichments.indicator.as.sha512 - ignore_above: 1024 +threat.enrichments.indicator.as.number: + dashed_name: threat-enrichments-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.enrichments.indicator.as.number level: extended - name: sha512 + name: number normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -threat.enrichments.indicator.as.ssdeep: - dashed_name: threat-enrichments-indicator-as-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.indicator.as.ssdeep - ignore_above: 1024 + original_fieldset: as + short: Unique number allocated to the autonomous system. 
+ type: long +threat.enrichments.indicator.as.organization.name: + dashed_name: threat-enrichments-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.enrichments.indicator.as.organization.name level: extended - name: ssdeep + multi_fields: + - flat_name: threat.enrichments.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword + original_fieldset: as + short: Organization name. + type: wildcard threat.enrichments.indicator.confidence: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-confidence 
@@ -12403,771 +12376,977 @@ threat.enrichments.indicator.email.address: normalize: [] short: Indicator email address type: keyword -threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.first_seen - level: extended - name: enrichments.indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date -threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of direction). - example: 1.2.3.4 - flat_name: threat.enrichments.indicator.ip - level: extended - name: enrichments.indicator.ip - normalize: [] - short: Indicator IP address - type: ip -threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-last-seen - description: The date and time when intelligence source last reported sighting this - indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.last_seen +threat.enrichments.indicator.file.accessed: + dashed_name: threat-enrichments-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.indicator.file.accessed level: extended - name: enrichments.indicator.last_seen + name: accessed normalize: [] - short: Date/time indicator was last reported. + original_fieldset: file + short: Last time the file was accessed. type: date -threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White - flat_name: threat.enrichments.indicator.marking.tlp +threat.enrichments.indicator.file.attributes: + dashed_name: threat-enrichments-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.indicator.file.attributes ignore_above: 1024 level: extended - name: enrichments.indicator.marking.tlp - normalize: [] - short: Indicator TLP marking + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. type: keyword -threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.modified_at - level: extended - name: enrichments.indicator.modified_at +threat.enrichments.indicator.file.code_signature.exists: + dashed_name: threat-enrichments-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.exists + level: core + name: exists normalize: [] - short: Date/time indicator was last updated. - type: date -threat.enrichments.indicator.pe.architecture: - dashed_name: threat-enrichments-indicator-pe-architecture - description: CPU architecture target for the file. 
- example: x64 - flat_name: threat.enrichments.indicator.pe.architecture + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.enrichments.indicator.file.code_signature.signing_id: + dashed_name: threat-enrichments-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended - name: architecture + name: signing_id normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword -threat.enrichments.indicator.pe.authentihash: - dashed_name: threat-enrichments-indicator-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.indicator.pe.authentihash +threat.enrichments.indicator.file.code_signature.status: + dashed_name: threat-enrichments-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.indicator.file.code_signature.status ignore_above: 1024 level: extended - name: authentihash + name: status normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. + original_fieldset: code_signature + short: Additional information about the certificate status. 
type: keyword -threat.enrichments.indicator.pe.company: - dashed_name: threat-enrichments-indicator-pe-company - description: Internal company name of the file, provided at compile-time. +threat.enrichments.indicator.file.code_signature.subject_name: + dashed_name: threat-enrichments-indicator-file-code-signature-subject-name + description: Subject name of the code signer example: Microsoft Corporation - flat_name: threat.enrichments.indicator.pe.company + flat_name: threat.enrichments.indicator.file.code_signature.subject_name ignore_above: 1024 - level: extended - name: company + level: core + name: subject_name normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: code_signature + short: Subject name of the code signer type: keyword -threat.enrichments.indicator.pe.compile_timestamp: - dashed_name: threat-enrichments-indicator-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date -threat.enrichments.indicator.pe.compiler.name: - dashed_name: threat-enrichments-indicator-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.enrichments.indicator.pe.compiler.name +threat.enrichments.indicator.file.code_signature.team_id: + dashed_name: threat-enrichments-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: threat.enrichments.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: compiler.name + name: team_id normalize: [] - original_fieldset: pe - short: Name of the compiler + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -threat.enrichments.indicator.pe.compiler.version: - dashed_name: threat-enrichments-indicator-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.enrichments.indicator.pe.compiler.version - ignore_above: 1024 +threat.enrichments.indicator.file.code_signature.trusted: + dashed_name: threat-enrichments-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.trusted level: extended - name: compiler.version + name: trusted normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword -threat.enrichments.indicator.pe.creation_date: - dashed_name: threat-enrichments-indicator-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.pe.creation_date + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.enrichments.indicator.file.code_signature.valid: + dashed_name: threat-enrichments-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.valid level: extended - name: creation_date + name: valid normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -threat.enrichments.indicator.pe.debug: - dashed_name: threat-enrichments-indicator-pe-debug - description: 'An array containing an object for each debug entry, if present. + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.enrichments.indicator.file.created: + dashed_name: threat-enrichments-indicator-file-created + description: 'File creation time. - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.enrichments.indicator.pe.debug + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.indicator.file.created level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -threat.enrichments.indicator.pe.debug.offset: - dashed_name: threat-enrichments-indicator-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.enrichments.indicator.pe.debug.offset + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.enrichments.indicator.file.ctime: + dashed_name: threat-enrichments-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. 
+ type: date +threat.enrichments.indicator.file.device: + dashed_name: threat-enrichments-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.indicator.file.device ignore_above: 1024 level: extended - name: debug.offset + name: device normalize: [] - original_fieldset: pe - short: Debug offset information. + original_fieldset: file + short: Device that is the source of the file. type: keyword -threat.enrichments.indicator.pe.debug.size: - dashed_name: threat-enrichments-indicator-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.enrichments.indicator.pe.debug.size - format: bytes +threat.enrichments.indicator.file.directory: + dashed_name: threat-enrichments-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.enrichments.indicator.file.directory level: extended - name: debug.size + name: directory normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -threat.enrichments.indicator.pe.debug.timestamp: - dashed_name: threat-enrichments-indicator-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.pe.debug.timestamp + original_fieldset: file + short: Directory where the file is located. + type: wildcard +threat.enrichments.indicator.file.drive_letter: + dashed_name: threat-enrichments-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.indicator.file.drive_letter + ignore_above: 1 level: extended - name: debug.timestamp + name: drive_letter normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. 
- type: date -threat.enrichments.indicator.pe.debug.type: - dashed_name: threat-enrichments-indicator-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.indicator.pe.debug.type + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.enrichments.indicator.file.elf.architecture: + dashed_name: threat-enrichments-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.indicator.file.elf.architecture ignore_above: 1024 level: extended - name: debug.type + name: architecture normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -threat.enrichments.indicator.pe.description: - dashed_name: threat-enrichments-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.enrichments.indicator.pe.description +threat.enrichments.indicator.file.elf.byte_order: + dashed_name: threat-enrichments-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.indicator.file.elf.byte_order ignore_above: 1024 level: extended - name: description + name: byte_order normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword -threat.enrichments.indicator.pe.entry_point: - dashed_name: threat-enrichments-indicator-pe-entry-point - description: Relative byte offset to the base of the PE file. 
- example: 25856 - flat_name: threat.enrichments.indicator.pe.entry_point +threat.enrichments.indicator.file.elf.cpu_type: + dashed_name: threat-enrichments-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.indicator.file.elf.cpu_type ignore_above: 1024 level: extended - name: entry_point + name: cpu_type normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword -threat.enrichments.indicator.pe.exports: - dashed_name: threat-enrichments-indicator-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.indicator.pe.exports - ignore_above: 1024 +threat.enrichments.indicator.file.elf.creation_date: + dashed_name: threat-enrichments-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports level: extended name: exports normalize: - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword -threat.enrichments.indicator.pe.file_version: - dashed_name: threat-enrichments-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.enrichments.indicator.pe.file_version + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened +threat.enrichments.indicator.file.elf.header.abi_version: + dashed_name: threat-enrichments-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended - name: file_version + name: header.abi_version normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword -threat.enrichments.indicator.pe.icon.hash.dhash: - dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.enrichments.indicator.pe.icon.hash.dhash +threat.enrichments.indicator.file.elf.header.class: + dashed_name: threat-enrichments-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.class ignore_above: 1024 level: extended - name: icon.hash.dhash + name: header.class normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + original_fieldset: elf + short: Header class of the ELF file. type: keyword -threat.enrichments.indicator.pe.imphash: - dashed_name: threat-enrichments-indicator-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.indicator.pe.imphash +threat.enrichments.indicator.file.elf.header.data: + dashed_name: threat-enrichments-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.data ignore_above: 1024 level: extended - name: imphash + name: header.data normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: elf + short: Data table of the ELF header. type: keyword -threat.enrichments.indicator.pe.imports: - dashed_name: threat-enrichments-indicator-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.enrichments.indicator.pe.imports +threat.enrichments.indicator.file.elf.header.entrypoint: + dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.entrypoint + format: string level: extended - name: imports + name: header.entrypoint normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -threat.enrichments.indicator.pe.machine_type: - dashed_name: threat-enrichments-indicator-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.indicator.pe.machine_type + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +threat.enrichments.indicator.file.elf.header.object_version: + dashed_name: threat-enrichments-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' 
+ flat_name: threat.enrichments.indicator.file.elf.header.object_version ignore_above: 1024 level: extended - name: machine_type + name: header.object_version normalize: [] - original_fieldset: pe - short: Machine type of the PE file. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword -threat.enrichments.indicator.pe.original_file_name: - dashed_name: threat-enrichments-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.enrichments.indicator.pe.original_file_name +threat.enrichments.indicator.file.elf.header.os_abi: + dashed_name: threat-enrichments-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.indicator.file.elf.header.os_abi + ignore_above: 1024 level: extended - name: original_file_name + name: header.os_abi normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: wildcard -threat.enrichments.indicator.pe.packers: - dashed_name: threat-enrichments-indicator-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.indicator.pe.packers + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +threat.enrichments.indicator.file.elf.header.type: + dashed_name: threat-enrichments-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.type ignore_above: 1024 level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. 
type: keyword -threat.enrichments.indicator.pe.product: - dashed_name: threat-enrichments-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.indicator.pe.product +threat.enrichments.indicator.file.elf.header.version: + dashed_name: threat-enrichments-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.version ignore_above: 1024 level: extended - name: product + name: header.version normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: elf + short: Version of the ELF header. type: keyword -threat.enrichments.indicator.pe.resources: - dashed_name: threat-enrichments-indicator-pe-resources - description: 'An array containing an object for each PE resource, if present. +threat.enrichments.indicator.file.elf.imports: + dashed_name: threat-enrichments-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.sections: + dashed_name: threat-enrichments-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.indicator.pe.resources + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' 
+ flat_name: threat.enrichments.indicator.file.elf.sections level: extended - name: resources + name: sections normalize: - array - original_fieldset: pe - short: PE resource information + original_fieldset: elf + short: Section information of the ELF file. type: nested -threat.enrichments.indicator.pe.resources.chi2: - dashed_name: threat-enrichments-indicator-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.enrichments.indicator.pe.resources.chi2 +threat.enrichments.indicator.file.elf.sections.chi2: + dashed_name: threat-enrichments-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.indicator.file.elf.sections.chi2 + format: number level: extended - name: resources.chi2 + name: sections.chi2 normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. + original_fieldset: elf + short: Chi-square probability distribution of the section. type: long -threat.enrichments.indicator.pe.resources.entropy: - dashed_name: threat-enrichments-indicator-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.enrichments.indicator.pe.resources.entropy +threat.enrichments.indicator.file.elf.sections.entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.entropy + format: number level: extended - name: resources.entropy + name: sections.entropy normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. + original_fieldset: elf + short: Shannon entropy calculation from the section. type: long -threat.enrichments.indicator.pe.resources.filetype: - dashed_name: threat-enrichments-indicator-pe-resources-filetype - description: File type of the resources section. 
- example: Data - flat_name: threat.enrichments.indicator.pe.resources.filetype +threat.enrichments.indicator.file.elf.sections.flags: + dashed_name: threat-enrichments-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: resources.filetype + name: sections.flags normalize: [] - original_fieldset: pe - short: File type of the resources section. + original_fieldset: elf + short: ELF Section List flags. type: keyword -threat.enrichments.indicator.pe.resources.language: - dashed_name: threat-enrichments-indicator-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.indicator.pe.resources.language +threat.enrichments.indicator.file.elf.sections.name: + dashed_name: threat-enrichments-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.enrichments.indicator.file.elf.sections.name ignore_above: 1024 level: extended - name: resources.language + name: sections.name normalize: [] - original_fieldset: pe - short: Language identification. + original_fieldset: elf + short: ELF Section List name. type: keyword -threat.enrichments.indicator.pe.resources.sha256: - dashed_name: threat-enrichments-indicator-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.indicator.pe.resources.sha256 +threat.enrichments.indicator.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - name: resources.sha256 + name: sections.physical_offset normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. 
+ original_fieldset: elf + short: ELF Section List offset. type: keyword -threat.enrichments.indicator.pe.resources.type: - dashed_name: threat-enrichments-indicator-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.indicator.pe.resources.type - ignore_above: 1024 +threat.enrichments.indicator.file.elf.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_size + format: bytes level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. - type: keyword -threat.enrichments.indicator.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5 + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.enrichments.indicator.file.elf.sections.type: + dashed_name: threat-enrichments-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.indicator.file.elf.sections.type ignore_above: 1024 level: extended - name: rich_header.hash.md5 + name: sections.type normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. + original_fieldset: elf + short: ELF Section List type. 
type: keyword -threat.enrichments.indicator.pe.sections: - dashed_name: threat-enrichments-indicator-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.enrichments.indicator.pe.sections - level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -threat.enrichments.indicator.pe.sections.chi2: - dashed_name: threat-enrichments-indicator-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.enrichments.indicator.pe.sections.chi2 +threat.enrichments.indicator.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address + format: string level: extended - name: sections.chi2 + name: sections.virtual_address normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. + original_fieldset: elf + short: ELF Section List virtual address. type: long -threat.enrichments.indicator.pe.sections.entropy: - dashed_name: threat-enrichments-indicator-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.enrichments.indicator.pe.sections.entropy +threat.enrichments.indicator.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size + format: string level: extended - name: sections.entropy + name: sections.virtual_size normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float -threat.enrichments.indicator.pe.sections.flags: - dashed_name: threat-enrichments-indicator-pe-sections-flags - description: Section flags of the file. 
- example: rx - flat_name: threat.enrichments.indicator.pe.sections.flags + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.enrichments.indicator.file.elf.segments: + dashed_name: threat-enrichments-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.enrichments.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.enrichments.indicator.file.elf.segments.sections: + dashed_name: threat-enrichments-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.indicator.file.elf.segments.sections ignore_above: 1024 level: extended - name: sections.flags + name: segments.sections normalize: [] - original_fieldset: pe - short: Section flags of the file. + original_fieldset: elf + short: ELF object segment sections. type: keyword -threat.enrichments.indicator.pe.sections.name: - dashed_name: threat-enrichments-indicator-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.enrichments.indicator.pe.sections.name +threat.enrichments.indicator.file.elf.segments.type: + dashed_name: threat-enrichments-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.indicator.file.elf.segments.type ignore_above: 1024 level: extended - name: sections.name + name: segments.type normalize: [] - original_fieldset: pe - short: Section names of the file. + original_fieldset: elf + short: ELF object segment type. 
type: keyword -threat.enrichments.indicator.pe.sections.raw_size: - dashed_name: threat-enrichments-indicator-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.enrichments.indicator.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size - normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -threat.enrichments.indicator.pe.sections.virtual_address: - dashed_name: threat-enrichments-indicator-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.enrichments.indicator.pe.sections.virtual_address - format: bytes +threat.enrichments.indicator.file.elf.shared_libraries: + dashed_name: threat-enrichments-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.indicator.file.elf.shared_libraries + ignore_above: 1024 level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long -threat.enrichments.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-port - description: Identifies a threat indicator as a port number (irrespective of direction). - example: 443 - flat_name: threat.enrichments.indicator.port + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +threat.enrichments.indicator.file.elf.telfhash: + dashed_name: threat-enrichments-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. 
+ flat_name: threat.enrichments.indicator.file.elf.telfhash + ignore_above: 1024 level: extended - name: enrichments.indicator.port + name: telfhash normalize: [] - short: Indicator port - type: long -threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.enrichments.indicator.provider + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +threat.enrichments.indicator.file.extension: + dashed_name: threat-enrichments-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.file.extension ignore_above: 1024 level: extended - name: enrichments.indicator.provider + name: extension normalize: [] - short: Indicator provider + original_fieldset: file + short: File extension, excluding the leading dot. type: keyword -threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.enrichments.indicator.reference +threat.enrichments.indicator.file.gid: + dashed_name: threat-enrichments-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.indicator.file.gid ignore_above: 1024 level: extended - name: enrichments.indicator.reference + name: gid normalize: [] - short: Indicator reference URL + original_fieldset: file + short: Primary group ID (GID) of the file. 
type: keyword -threat.enrichments.indicator.registry.data.bytes: - dashed_name: threat-enrichments-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.indicator.registry.data.bytes +threat.enrichments.indicator.file.group: + dashed_name: threat-enrichments-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.indicator.file.group ignore_above: 1024 level: extended - name: data.bytes + name: group normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. + original_fieldset: file + short: Primary group name of the file. type: keyword -threat.enrichments.indicator.registry.data.strings: - dashed_name: threat-enrichments-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single string - registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. - For sequences of string with REG_MULTI_SZ, this array will be variable length. - For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with - the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.indicator.registry.data.strings - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: wildcard -threat.enrichments.indicator.registry.data.type: - dashed_name: threat-enrichments-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.indicator.registry.data.type +threat.enrichments.indicator.file.inode: + dashed_name: threat-enrichments-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.indicator.file.inode ignore_above: 1024 - level: core - name: data.type + level: extended + name: inode normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: file + short: Inode representing the file in the filesystem. type: keyword -threat.enrichments.indicator.registry.hive: - dashed_name: threat-enrichments-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.indicator.registry.hive +threat.enrichments.indicator.file.mime_type: + dashed_name: threat-enrichments-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.enrichments.indicator.file.mime_type ignore_above: 1024 - level: core - name: hive + level: extended + name: mime_type normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. type: keyword -threat.enrichments.indicator.registry.key: - dashed_name: threat-enrichments-indicator-registry-key - description: Hive-relative path of keys. 
- example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.indicator.registry.key - level: core - name: key +threat.enrichments.indicator.file.mode: + dashed_name: threat-enrichments-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. - type: wildcard -threat.enrichments.indicator.registry.path: - dashed_name: threat-enrichments-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.indicator.registry.path - level: core - name: path + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.enrichments.indicator.file.mtime: + dashed_name: threat-enrichments-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.indicator.file.mtime + level: extended + name: mtime normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: wildcard -threat.enrichments.indicator.registry.value: - dashed_name: threat-enrichments-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.indicator.registry.value + original_fieldset: file + short: Last time the file content was modified. + type: date +threat.enrichments.indicator.file.name: + dashed_name: threat-enrichments-indicator-file-name + description: Name of the file including the extension, without the directory. 
+ example: example.png + flat_name: threat.enrichments.indicator.file.name ignore_above: 1024 - level: core - name: value + level: extended + name: name normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword -threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file or - URL. - example: 4 - flat_name: threat.enrichments.indicator.scanner_stats +threat.enrichments.indicator.file.owner: + dashed_name: threat-enrichments-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.indicator.file.owner + ignore_above: 1024 level: extended - name: enrichments.indicator.scanner_stats + name: owner normalize: [] - short: Scanner statistics - type: long -threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.enrichments.indicator.sightings + original_fieldset: file + short: File owner's username. + type: keyword +threat.enrichments.indicator.file.path: + dashed_name: threat-enrichments-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. 
+ example: /home/alice/example.png + flat_name: threat.enrichments.indicator.file.path level: extended - name: enrichments.indicator.sightings + multi_fields: + - flat_name: threat.enrichments.indicator.file.path.text + name: text + norms: false + type: text + name: path normalize: [] - short: Number of times indicator observed + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard +threat.enrichments.indicator.file.size: + dashed_name: threat-enrichments-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. type: long -threat.enrichments.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ - \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ - \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ - \ * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.enrichments.indicator.type - ignore_above: 1024 +threat.enrichments.indicator.file.target_path: + dashed_name: threat-enrichments-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.enrichments.indicator.file.target_path level: extended - name: enrichments.indicator.type + multi_fields: + - flat_name: threat.enrichments.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path normalize: [] - short: Type of indicator - type: keyword -threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic + original_fieldset: file + short: Target path for symlinks. + type: wildcard +threat.enrichments.indicator.file.type: + dashed_name: threat-enrichments-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.indicator.file.type ignore_above: 1024 level: extended - name: enrichments.matched.atomic + name: type normalize: [] - short: Matched indicator value + original_fieldset: file + short: File type (file, dir, or symlink). type: keyword -threat.enrichments.matched.field: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field +threat.enrichments.indicator.file.uid: + dashed_name: threat-enrichments-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.indicator.file.uid ignore_above: 1024 level: extended - name: enrichments.matched.field + name: uid normalize: [] - short: Matched indicator field + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword -threat.enrichments.matched.id: +threat.enrichments.indicator.first_seen: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. 
- example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id - ignore_above: 1024 + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen level: extended - name: enrichments.matched.id + name: enrichments.indicator.first_seen normalize: [] - short: Matched indicator identifier - type: keyword -threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index + short: Date/time indicator was first reported. + type: date +threat.enrichments.indicator.geo.city_name: + dashed_name: threat-enrichments-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.indicator.geo.city_name ignore_above: 1024 - level: extended - name: enrichments.matched.index + level: core + name: city_name normalize: [] - short: Matched indicator index + original_fieldset: geo + short: City name. type: keyword -threat.enrichments.matched.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched with - the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type +threat.enrichments.indicator.geo.continent_code: + dashed_name: threat-enrichments-indicator-geo-continent-code + description: Two-letter code representing continent's name. 
+ example: NA + flat_name: threat.enrichments.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: enrichments.matched.type + level: core + name: continent_code normalize: [] - short: Type of indicator match + original_fieldset: geo + short: Continent code. type: keyword -threat.enrichments.pe.architecture: - dashed_name: threat-enrichments-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.enrichments.pe.architecture +threat.enrichments.indicator.geo.continent_name: + dashed_name: threat-enrichments-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.enrichments.indicator.geo.continent_name ignore_above: 1024 - level: extended + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +threat.enrichments.indicator.geo.country_iso_code: + dashed_name: threat-enrichments-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +threat.enrichments.indicator.geo.country_name: + dashed_name: threat-enrichments-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.enrichments.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +threat.enrichments.indicator.geo.location: + dashed_name: threat-enrichments-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point +threat.enrichments.indicator.geo.name: + dashed_name: threat-enrichments-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +threat.enrichments.indicator.geo.postal_code: + dashed_name: threat-enrichments-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +threat.enrichments.indicator.geo.region_iso_code: + dashed_name: threat-enrichments-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +threat.enrichments.indicator.geo.region_name: + dashed_name: threat-enrichments-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +threat.enrichments.indicator.geo.timezone: + dashed_name: threat-enrichments-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +threat.enrichments.indicator.hash.md5: + dashed_name: threat-enrichments-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.enrichments.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +threat.enrichments.indicator.hash.sha1: + dashed_name: threat-enrichments-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +threat.enrichments.indicator.hash.sha256: + dashed_name: threat-enrichments-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +threat.enrichments.indicator.hash.sha512: + dashed_name: threat-enrichments-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +threat.enrichments.indicator.hash.ssdeep: + dashed_name: threat-enrichments-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). 
+ example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen + level: extended + name: enrichments.indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: enrichments.indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword +threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at + level: extended + name: enrichments.indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date +threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.pe.architecture + ignore_above: 1024 + level: extended name: architecture normalize: [] original_fieldset: pe short: CPU architecture target for the file. 
type: keyword -threat.enrichments.pe.authentihash: - dashed_name: threat-enrichments-pe-authentihash +threat.enrichments.indicator.pe.authentihash: + dashed_name: threat-enrichments-indicator-pe-authentihash description: Authentihash of the PE file. example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.pe.authentihash + flat_name: threat.enrichments.indicator.pe.authentihash ignore_above: 1024 level: extended name: authentihash @@ -13175,11 +13354,11 @@ threat.enrichments.pe.authentihash: original_fieldset: pe short: Authentihash of the PE file. type: keyword -threat.enrichments.pe.company: - dashed_name: threat-enrichments-pe-company +threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: threat.enrichments.pe.company + flat_name: threat.enrichments.indicator.pe.company ignore_above: 1024 level: extended name: company 
@@ -13187,22 +13366,22 @@ threat.enrichments.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -threat.enrichments.pe.compile_timestamp: - dashed_name: threat-enrichments-pe-compile-timestamp +threat.enrichments.indicator.pe.compile_timestamp: + dashed_name: threat-enrichments-indicator-pe-compile-timestamp description: Compile timestamp of the PE file. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.compile_timestamp + flat_name: threat.enrichments.indicator.pe.compile_timestamp level: extended name: compile_timestamp normalize: [] original_fieldset: pe short: Compile timestamp of the PE file. type: date -threat.enrichments.pe.compiler.name: - dashed_name: threat-enrichments-pe-compiler-name +threat.enrichments.indicator.pe.compiler.name: + dashed_name: threat-enrichments-indicator-pe-compiler-name description: Name of the compiler example: Clang - flat_name: threat.enrichments.pe.compiler.name + flat_name: threat.enrichments.indicator.pe.compiler.name ignore_above: 1024 level: extended name: compiler.name @@ -13210,11 +13389,11 @@ threat.enrichments.pe.compiler.name: original_fieldset: pe short: Name of the compiler type: keyword -threat.enrichments.pe.compiler.version: - dashed_name: threat-enrichments-pe-compiler-version +threat.enrichments.indicator.pe.compiler.version: + dashed_name: threat-enrichments-indicator-pe-compiler-version description: Version of the compiler. example: 11.0.0 - flat_name: threat.enrichments.pe.compiler.version + flat_name: threat.enrichments.indicator.pe.compiler.version ignore_above: 1024 level: extended name: compiler.version 
@@ -13222,24 +13401,24 @@ threat.enrichments.pe.compiler.version: original_fieldset: pe short: Version of the compiler. type: keyword -threat.enrichments.pe.creation_date: - dashed_name: threat-enrichments-pe-creation-date +threat.enrichments.indicator.pe.creation_date: + dashed_name: threat-enrichments-indicator-pe-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.creation_date + flat_name: threat.enrichments.indicator.pe.creation_date level: extended name: creation_date normalize: [] original_fieldset: pe short: Build or compile date. type: date -threat.enrichments.pe.debug: - dashed_name: threat-enrichments-pe-debug +threat.enrichments.indicator.pe.debug: + dashed_name: threat-enrichments-indicator-pe-debug description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.enrichments.pe.debug + flat_name: threat.enrichments.indicator.pe.debug level: extended name: debug normalize: @@ -13247,11 +13426,11 @@ threat.enrichments.pe.debug: original_fieldset: pe short: Debug information type: nested -threat.enrichments.pe.debug.offset: - dashed_name: threat-enrichments-pe-debug-offset +threat.enrichments.indicator.pe.debug.offset: + dashed_name: threat-enrichments-indicator-pe-debug-offset description: Debug offset information. example: 1296336 - flat_name: threat.enrichments.pe.debug.offset + flat_name: threat.enrichments.indicator.pe.debug.offset ignore_above: 1024 level: extended name: debug.offset 
@@ -13259,11 +13438,11 @@ threat.enrichments.pe.debug.offset: original_fieldset: pe short: Debug offset information. type: keyword -threat.enrichments.pe.debug.size: - dashed_name: threat-enrichments-pe-debug-size +threat.enrichments.indicator.pe.debug.size: + dashed_name: threat-enrichments-indicator-pe-debug-size description: Size of the debug information. example: 816 - flat_name: threat.enrichments.pe.debug.size + flat_name: threat.enrichments.indicator.pe.debug.size format: bytes level: extended name: debug.size @@ -13271,22 +13450,22 @@ threat.enrichments.pe.debug.size: original_fieldset: pe short: Size of the debug information. type: long -threat.enrichments.pe.debug.timestamp: - dashed_name: threat-enrichments-pe-debug-timestamp +threat.enrichments.indicator.pe.debug.timestamp: + dashed_name: threat-enrichments-indicator-pe-debug-timestamp description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.debug.timestamp + flat_name: threat.enrichments.indicator.pe.debug.timestamp level: extended name: debug.timestamp normalize: [] original_fieldset: pe short: Timestamp of the debug information. type: date -threat.enrichments.pe.debug.type: - dashed_name: threat-enrichments-pe-debug-type +threat.enrichments.indicator.pe.debug.type: + dashed_name: threat-enrichments-indicator-pe-debug-type description: Information type generated by the debug options. example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.pe.debug.type + flat_name: threat.enrichments.indicator.pe.debug.type ignore_above: 1024 level: extended name: debug.type 
@@ -13294,11 +13473,11 @@ threat.enrichments.pe.debug.type: original_fieldset: pe short: Information type generated by the debug options. type: keyword -threat.enrichments.pe.description: - dashed_name: threat-enrichments-pe-description +threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: threat.enrichments.pe.description + flat_name: threat.enrichments.indicator.pe.description ignore_above: 1024 level: extended name: description @@ -13306,11 +13485,11 @@ threat.enrichments.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -threat.enrichments.pe.entry_point: - dashed_name: threat-enrichments-pe-entry-point +threat.enrichments.indicator.pe.entry_point: + dashed_name: threat-enrichments-indicator-pe-entry-point description: Relative byte offset to the base of the PE file. example: 25856 - flat_name: threat.enrichments.pe.entry_point + flat_name: threat.enrichments.indicator.pe.entry_point ignore_above: 1024 level: extended name: entry_point @@ -13318,11 +13497,11 @@ threat.enrichments.pe.entry_point: original_fieldset: pe short: Relative byte offset to the base of the PE file. type: keyword -threat.enrichments.pe.exports: - dashed_name: threat-enrichments-pe-exports +threat.enrichments.indicator.pe.exports: + dashed_name: threat-enrichments-indicator-pe-exports description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.pe.exports + flat_name: threat.enrichments.indicator.pe.exports ignore_above: 1024 level: extended name: exports 
@@ -13331,11 +13510,11 @@ threat.enrichments.pe.exports: original_fieldset: pe short: List of symbols exported by PE type: keyword -threat.enrichments.pe.file_version: - dashed_name: threat-enrichments-pe-file-version +threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: threat.enrichments.pe.file_version + flat_name: threat.enrichments.indicator.pe.file_version ignore_above: 1024 level: extended name: file_version @@ -13343,12 +13522,12 @@ threat.enrichments.pe.file_version: original_fieldset: pe short: Process name. type: keyword -threat.enrichments.pe.icon.hash.dhash: - dashed_name: threat-enrichments-pe-icon-hash-dhash +threat.enrichments.indicator.pe.icon.hash.dhash: + dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash description: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. example: b806e17c8e330d82 - flat_name: threat.enrichments.pe.icon.hash.dhash + flat_name: threat.enrichments.indicator.pe.icon.hash.dhash ignore_above: 1024 level: extended name: icon.hash.dhash 
@@ -13356,15 +13535,15 @@ threat.enrichments.pe.icon.hash.dhash: original_fieldset: pe short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword -threat.enrichments.pe.imphash: - dashed_name: threat-enrichments-pe-imphash +threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.pe.imphash + flat_name: threat.enrichments.indicator.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -13372,23 +13551,23 @@ threat.enrichments.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -threat.enrichments.pe.imports: - dashed_name: threat-enrichments-pe-imports +threat.enrichments.indicator.pe.imports: + dashed_name: threat-enrichments-indicator-pe-imports description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' - flat_name: threat.enrichments.pe.imports + flat_name: threat.enrichments.indicator.pe.imports level: extended name: imports normalize: [] original_fieldset: pe short: List of all imported functions type: flattened -threat.enrichments.pe.machine_type: - dashed_name: threat-enrichments-pe-machine-type +threat.enrichments.indicator.pe.machine_type: + dashed_name: threat-enrichments-indicator-pe-machine-type description: Machine type of the PE file. example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.pe.machine_type + flat_name: threat.enrichments.indicator.pe.machine_type ignore_above: 1024 level: extended name: machine_type 
@@ -13396,22 +13575,22 @@ threat.enrichments.pe.machine_type: original_fieldset: pe short: Machine type of the PE file. type: keyword -threat.enrichments.pe.original_file_name: - dashed_name: threat-enrichments-pe-original-file-name +threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: threat.enrichments.pe.original_file_name + flat_name: threat.enrichments.indicator.pe.original_file_name level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard -threat.enrichments.pe.packers: - dashed_name: threat-enrichments-pe-packers +threat.enrichments.indicator.pe.packers: + dashed_name: threat-enrichments-indicator-pe-packers description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.pe.packers + flat_name: threat.enrichments.indicator.pe.packers ignore_above: 1024 level: extended name: packers @@ -13420,11 +13599,11 @@ threat.enrichments.pe.packers: original_fieldset: pe short: List of packers and tools used. type: keyword -threat.enrichments.pe.product: - dashed_name: threat-enrichments-pe-product +threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.pe.product + flat_name: threat.enrichments.indicator.pe.product ignore_above: 1024 level: extended name: product 
@@ -13432,12 +13611,12 @@ threat.enrichments.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -threat.enrichments.pe.resources: - dashed_name: threat-enrichments-pe-resources +threat.enrichments.indicator.pe.resources: + dashed_name: threat-enrichments-indicator-pe-resources description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.pe.resources + flat_name: threat.enrichments.indicator.pe.resources level: extended name: resources normalize: 
@@ -13445,33 +13624,33 @@ threat.enrichments.pe.resources: original_fieldset: pe short: PE resource information type: nested -threat.enrichments.pe.resources.chi2: - dashed_name: threat-enrichments-pe-resources-chi2 +threat.enrichments.indicator.pe.resources.chi2: + dashed_name: threat-enrichments-indicator-pe-resources-chi2 description: Chi-square probability distribution. example: -1 - flat_name: threat.enrichments.pe.resources.chi2 + flat_name: threat.enrichments.indicator.pe.resources.chi2 level: extended name: resources.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long -threat.enrichments.pe.resources.entropy: - dashed_name: threat-enrichments-pe-resources-entropy +threat.enrichments.indicator.pe.resources.entropy: + dashed_name: threat-enrichments-indicator-pe-resources-entropy description: Measurement of entropy randomness in the resources section. example: 0, 1 - flat_name: threat.enrichments.pe.resources.entropy + flat_name: threat.enrichments.indicator.pe.resources.entropy level: extended name: resources.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the resources section. type: long -threat.enrichments.pe.resources.filetype: - dashed_name: threat-enrichments-pe-resources-filetype +threat.enrichments.indicator.pe.resources.filetype: + dashed_name: threat-enrichments-indicator-pe-resources-filetype description: File type of the resources section. example: Data - flat_name: threat.enrichments.pe.resources.filetype + flat_name: threat.enrichments.indicator.pe.resources.filetype ignore_above: 1024 level: extended name: resources.filetype 
@@ -13479,11 +13658,11 @@ threat.enrichments.pe.resources.filetype: original_fieldset: pe short: File type of the resources section. type: keyword -threat.enrichments.pe.resources.language: - dashed_name: threat-enrichments-pe-resources-language +threat.enrichments.indicator.pe.resources.language: + dashed_name: threat-enrichments-indicator-pe-resources-language description: Language identification. example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.pe.resources.language + flat_name: threat.enrichments.indicator.pe.resources.language ignore_above: 1024 level: extended name: resources.language @@ -13491,11 +13670,11 @@ threat.enrichments.pe.resources.language: original_fieldset: pe short: Language identification. type: keyword -threat.enrichments.pe.resources.sha256: - dashed_name: threat-enrichments-pe-resources-sha256 +threat.enrichments.indicator.pe.resources.sha256: + dashed_name: threat-enrichments-indicator-pe-resources-sha256 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.pe.resources.sha256 + flat_name: threat.enrichments.indicator.pe.resources.sha256 ignore_above: 1024 level: extended name: resources.sha256 @@ -13503,11 +13682,11 @@ threat.enrichments.pe.resources.sha256: original_fieldset: pe short: SHA256 hash of resources section. type: keyword -threat.enrichments.pe.resources.type: - dashed_name: threat-enrichments-pe-resources-type +threat.enrichments.indicator.pe.resources.type: + dashed_name: threat-enrichments-indicator-pe-resources-type description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.pe.resources.type + flat_name: threat.enrichments.indicator.pe.resources.type ignore_above: 1024 level: extended name: resources.type 
@@ -13516,11 +13695,11 @@ threat.enrichments.pe.resources.type: original_fieldset: pe short: List of resource types. type: keyword -threat.enrichments.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-pe-rich-header-hash-md5 +threat.enrichments.indicator.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.pe.rich_header.hash.md5 + flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5 ignore_above: 1024 level: extended name: rich_header.hash.md5 @@ -13528,10 +13707,10 @@ threat.enrichments.pe.rich_header.hash.md5: original_fieldset: pe short: MD5 hash of the header for the PE file. type: keyword -threat.enrichments.pe.sections: - dashed_name: threat-enrichments-pe-sections +threat.enrichments.indicator.pe.sections: + dashed_name: threat-enrichments-indicator-pe-sections description: Data about sections of compiled binary PE - flat_name: threat.enrichments.pe.sections + flat_name: threat.enrichments.indicator.pe.sections level: extended name: sections normalize: 
@@ -13539,33 +13718,33 @@ threat.enrichments.pe.sections: original_fieldset: pe short: Data about sections of the compiled binary PE type: nested -threat.enrichments.pe.sections.chi2: - dashed_name: threat-enrichments-pe-sections-chi2 +threat.enrichments.indicator.pe.sections.chi2: + dashed_name: threat-enrichments-indicator-pe-sections-chi2 description: Chi-square probability distribution. example: 3027194 - flat_name: threat.enrichments.pe.sections.chi2 + flat_name: threat.enrichments.indicator.pe.sections.chi2 level: extended name: sections.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long -threat.enrichments.pe.sections.entropy: - dashed_name: threat-enrichments-pe-sections-entropy +threat.enrichments.indicator.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-pe-sections-entropy description: Measurement of entropy randomness in the file. example: 6.24 - flat_name: threat.enrichments.pe.sections.entropy + flat_name: threat.enrichments.indicator.pe.sections.entropy level: extended name: sections.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the file. type: float -threat.enrichments.pe.sections.flags: - dashed_name: threat-enrichments-pe-sections-flags +threat.enrichments.indicator.pe.sections.flags: + dashed_name: threat-enrichments-indicator-pe-sections-flags description: Section flags of the file. example: rx - flat_name: threat.enrichments.pe.sections.flags + flat_name: threat.enrichments.indicator.pe.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -13573,11 +13752,11 @@ threat.enrichments.pe.sections.flags: original_fieldset: pe short: Section flags of the file. type: keyword -threat.enrichments.pe.sections.name: - dashed_name: threat-enrichments-pe-sections-name +threat.enrichments.indicator.pe.sections.name: + dashed_name: threat-enrichments-indicator-pe-sections-name description: Section names of the file. example: .text, .data - flat_name: threat.enrichments.pe.sections.name + flat_name: threat.enrichments.indicator.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -13585,11 +13764,11 @@ threat.enrichments.pe.sections.name: original_fieldset: pe short: Section names of the file. type: keyword -threat.enrichments.pe.sections.raw_size: - dashed_name: threat-enrichments-pe-sections-raw-size +threat.enrichments.indicator.pe.sections.raw_size: + dashed_name: threat-enrichments-indicator-pe-sections-raw-size description: Size of the section or the dize of the initialized data on disk. example: 198144 - flat_name: threat.enrichments.pe.sections.raw_size + flat_name: threat.enrichments.indicator.pe.sections.raw_size format: bytes level: extended name: sections.raw_size @@ -13597,11 +13776,11 @@ threat.enrichments.pe.sections.raw_size: original_fieldset: pe short: Size of the section or the dize of the initialized data on disk. type: long -threat.enrichments.pe.sections.virtual_address: - dashed_name: threat-enrichments-pe-sections-virtual-address +threat.enrichments.indicator.pe.sections.virtual_address: + dashed_name: threat-enrichments-indicator-pe-sections-virtual-address description: Virtual address available to the file. example: 8192 - flat_name: threat.enrichments.pe.sections.virtual_address + flat_name: threat.enrichments.indicator.pe.sections.virtual_address format: bytes level: extended name: sections.virtual_address 
@@ -13609,15 +13788,50 @@ threat.enrichments.pe.sections.virtual_address: original_fieldset: pe short: Virtual address available to the file. type: long -threat.enrichments.registry.data.bytes: - dashed_name: threat-enrichments-registry-data-bytes +threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long +threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider + ignore_above: 1024 + level: extended + name: enrichments.indicator.provider + normalize: [] + short: Indicator provider + type: keyword +threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference + ignore_above: 1024 + level: extended + name: enrichments.indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword +threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' 
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.registry.data.bytes + flat_name: threat.enrichments.indicator.registry.data.bytes ignore_above: 1024 level: extended name: data.bytes @@ -13625,8 +13839,8 @@ threat.enrichments.registry.data.bytes: original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword -threat.enrichments.registry.data.strings: - dashed_name: threat-enrichments-registry-data-strings +threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string @@ -13635,7 +13849,7 @@ threat.enrichments.registry.data.strings: For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.registry.data.strings + flat_name: threat.enrichments.indicator.registry.data.strings level: core name: data.strings normalize: @@ -13643,11 +13857,11 @@ threat.enrichments.registry.data.strings: original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard -threat.enrichments.registry.data.type: - dashed_name: threat-enrichments-registry-data-type +threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type description: Standard registry type for encoding contents example: REG_SZ - flat_name: threat.enrichments.registry.data.type + flat_name: threat.enrichments.indicator.registry.data.type ignore_above: 1024 level: core name: data.type 
@@ -13655,11 +13869,11 @@ threat.enrichments.registry.data.type: original_fieldset: registry short: Standard registry type for encoding contents type: keyword -threat.enrichments.registry.hive: - dashed_name: threat-enrichments-registry-hive +threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive description: Abbreviated name for the hive. example: HKLM - flat_name: threat.enrichments.registry.hive + flat_name: threat.enrichments.indicator.registry.hive ignore_above: 1024 level: core name: hive 
@@ -13667,34 +13881,34 @@ threat.enrichments.registry.hive: original_fieldset: registry short: Abbreviated name for the hive. type: keyword -threat.enrichments.registry.key: - dashed_name: threat-enrichments-registry-key +threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.registry.key + flat_name: threat.enrichments.indicator.registry.key level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: wildcard -threat.enrichments.registry.path: - dashed_name: threat-enrichments-registry-path +threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - flat_name: threat.enrichments.registry.path + flat_name: threat.enrichments.indicator.registry.path level: core name: path normalize: [] original_fieldset: registry short: Full path, including hive, key and value type: wildcard -threat.enrichments.registry.value: - dashed_name: threat-enrichments-registry-value +threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value description: Name of the value written. example: Debugger - flat_name: threat.enrichments.registry.value + flat_name: threat.enrichments.indicator.registry.value ignore_above: 1024 level: core name: value 
@@ -13702,50 +13916,89 @@ threat.enrichments.registry.value: original_fieldset: registry short: Name of the value written. type: keyword -threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), - the `[` and `]` characters should also be captured in the `domain` field.' - example: www.elastic.co - flat_name: threat.enrichments.url.domain +threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats level: extended - name: domain + name: enrichments.indicator.scanner_stats normalize: [] - original_fieldset: url - short: Domain of the url. - type: wildcard -threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request url, - excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.enrichments.url.extension - ignore_above: 1024 - level: extended + short: Scanner statistics + type: long +threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ + \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ + \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ + \ * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type + ignore_above: 1024 + level: extended + name: enrichments.indicator.type + normalize: [] + short: Type of indicator + type: keyword +threat.enrichments.indicator.url.domain: + dashed_name: threat-enrichments-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.enrichments.indicator.url.domain + level: extended + name: domain + normalize: [] + original_fieldset: url + short: Domain of the url. + type: wildcard +threat.enrichments.indicator.url.extension: + dashed_name: threat-enrichments-indicator-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. 
+ + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.url.extension + ignore_above: 1024 + level: extended name: extension normalize: [] original_fieldset: url short: File extension from the request url, excluding the leading dot. type: keyword -threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment +threat.enrichments.indicator.url.fragment: + dashed_name: threat-enrichments-indicator-url-fragment description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + flat_name: threat.enrichments.indicator.url.fragment ignore_above: 1024 level: extended name: fragment @@ -13753,15 +14006,15 @@ threat.enrichments.url.fragment: original_fieldset: url short: Portion of the url after the `#`. type: keyword -threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full +threat.enrichments.indicator.url.full: + dashed_name: threat-enrichments-indicator-url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + flat_name: threat.enrichments.indicator.url.full level: extended multi_fields: - - flat_name: threat.enrichments.url.full.text + - flat_name: threat.enrichments.indicator.url.full.text name: text norms: false type: text 
@@ -13770,8 +14023,8 @@ threat.enrichments.url.full: original_fieldset: url short: Full unparsed URL. type: wildcard -threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original +threat.enrichments.indicator.url.original: + dashed_name: threat-enrichments-indicator-url-original description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in @@ -13779,10 +14032,10 @@ threat.enrichments.url.original: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + flat_name: threat.enrichments.indicator.url.original level: extended multi_fields: - - flat_name: threat.enrichments.url.original.text + - flat_name: threat.enrichments.indicator.url.original.text name: text norms: false type: text @@ -13791,10 +14044,10 @@ threat.enrichments.url.original: original_fieldset: url short: Unmodified original url as seen in the event source. type: wildcard -threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password +threat.enrichments.indicator.url.password: + dashed_name: threat-enrichments-indicator-url-password description: Password of the request. - flat_name: threat.enrichments.url.password + flat_name: threat.enrichments.indicator.url.password ignore_above: 1024 level: extended name: password 
@@ -13802,21 +14055,21 @@ threat.enrichments.url.password: original_fieldset: url short: Password of the request. type: keyword -threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path +threat.enrichments.indicator.url.path: + dashed_name: threat-enrichments-indicator-url-path description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path + flat_name: threat.enrichments.indicator.url.path level: extended name: path normalize: [] original_fieldset: url short: Path of the request, such as "/search". type: wildcard -threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port +threat.enrichments.indicator.url.port: + dashed_name: threat-enrichments-indicator-url-port description: Port of the request, such as 443. example: 443 - flat_name: threat.enrichments.url.port + flat_name: threat.enrichments.indicator.url.port format: string level: extended name: port @@ -13824,8 +14077,8 @@ threat.enrichments.url.port: original_fieldset: url short: Port of the request, such as 443. type: long -threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query +threat.enrichments.indicator.url.query: + dashed_name: threat-enrichments-indicator-url-query description: 'The query field describes the query string of the request, such as "q=elasticsearch". @@ -13833,7 +14086,7 @@ threat.enrichments.url.query: no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - flat_name: threat.enrichments.url.query + flat_name: threat.enrichments.indicator.url.query ignore_above: 1024 level: extended name: query 
@@ -13841,8 +14094,8 @@ threat.enrichments.url.query: original_fieldset: url short: Query string of the request. type: keyword -threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain +threat.enrichments.indicator.url.registered_domain: + dashed_name: threat-enrichments-indicator-url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -13851,20 +14104,20 @@ threat.enrichments.url.registered_domain: (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - flat_name: threat.enrichments.url.registered_domain + flat_name: threat.enrichments.indicator.url.registered_domain level: extended name: registered_domain normalize: [] original_fieldset: url short: The highest registered url domain, stripped of the subdomain. type: wildcard -threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme +threat.enrichments.indicator.url.scheme: + dashed_name: threat-enrichments-indicator-url-scheme description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - flat_name: threat.enrichments.url.scheme + flat_name: threat.enrichments.indicator.url.scheme ignore_above: 1024 level: extended name: scheme @@ -13872,8 +14125,8 @@ threat.enrichments.url.scheme: original_fieldset: url short: Scheme of the url. type: keyword -threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain +threat.enrichments.indicator.url.subdomain: + dashed_name: threat-enrichments-indicator-url-subdomain description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be 
@@ -13883,7 +14136,7 @@ threat.enrichments.url.subdomain: domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east - flat_name: threat.enrichments.url.subdomain + flat_name: threat.enrichments.indicator.url.subdomain ignore_above: 1024 level: extended name: subdomain @@ -13891,8 +14144,8 @@ threat.enrichments.url.subdomain: original_fieldset: url short: The subdomain of the domain. type: keyword -threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain +threat.enrichments.indicator.url.top_level_domain: + dashed_name: threat-enrichments-indicator-url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -13901,7 +14154,7 @@ threat.enrichments.url.top_level_domain: (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - flat_name: threat.enrichments.url.top_level_domain + flat_name: threat.enrichments.indicator.url.top_level_domain ignore_above: 1024 level: extended name: top_level_domain @@ -13909,10 +14162,10 @@ threat.enrichments.url.top_level_domain: original_fieldset: url short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username +threat.enrichments.indicator.url.username: + dashed_name: threat-enrichments-indicator-url-username description: Username of the request. - flat_name: threat.enrichments.url.username + flat_name: threat.enrichments.indicator.url.username ignore_above: 1024 level: extended name: username 
@@ -13920,13 +14173,13 @@ threat.enrichments.url.username: original_fieldset: url short: Username of the request. type: keyword -threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names +threat.enrichments.indicator.x509.alternative_names: + dashed_name: threat-enrichments-indicator-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + flat_name: threat.enrichments.indicator.x509.alternative_names ignore_above: 1024 level: extended name: alternative_names @@ -13935,11 +14188,11 @@ threat.enrichments.x509.alternative_names: original_fieldset: x509 short: List of subject alternative names (SAN). type: keyword -threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name +threat.enrichments.indicator.x509.issuer.common_name: + dashed_name: threat-enrichments-indicator-x509-issuer-common-name description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + flat_name: threat.enrichments.indicator.x509.issuer.common_name ignore_above: 1024 level: extended name: issuer.common_name 
@@ -13948,11 +14201,11 @@ threat.enrichments.x509.issuer.common_name: original_fieldset: x509 short: List of common name (CN) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country +threat.enrichments.indicator.x509.issuer.country: + dashed_name: threat-enrichments-indicator-x509-issuer-country description: List of country (C) codes example: US - flat_name: threat.enrichments.x509.issuer.country + flat_name: threat.enrichments.indicator.x509.issuer.country ignore_above: 1024 level: extended name: issuer.country @@ -13961,23 +14214,23 @@ threat.enrichments.x509.issuer.country: original_fieldset: x509 short: List of country (C) codes type: keyword -threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name +threat.enrichments.indicator.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. type: wildcard -threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality +threat.enrichments.indicator.x509.issuer.locality: + dashed_name: threat-enrichments-indicator-x509-issuer-locality description: List of locality names (L) example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + flat_name: threat.enrichments.indicator.x509.issuer.locality ignore_above: 1024 level: extended name: issuer.locality 
@@ -13986,11 +14239,11 @@ threat.enrichments.x509.issuer.locality: original_fieldset: x509 short: List of locality names (L) type: keyword -threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization +threat.enrichments.indicator.x509.issuer.organization: + dashed_name: threat-enrichments-indicator-x509-issuer-organization description: List of organizations (O) of issuing certificate authority. example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + flat_name: threat.enrichments.indicator.x509.issuer.organization ignore_above: 1024 level: extended name: issuer.organization @@ -13999,11 +14252,11 @@ threat.enrichments.x509.issuer.organization: original_fieldset: x509 short: List of organizations (O) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit +threat.enrichments.indicator.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit description: List of organizational units (OU) of issuing certificate authority. example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended name: issuer.organizational_unit 
@@ -14012,11 +14265,11 @@ threat.enrichments.x509.issuer.organizational_unit: original_fieldset: x509 short: List of organizational units (OU) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province +threat.enrichments.indicator.x509.issuer.state_or_province: + dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + flat_name: threat.enrichments.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended name: issuer.state_or_province 
@@ -14025,33 +14278,33 @@ threat.enrichments.x509.issuer.state_or_province: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after +threat.enrichments.indicator.x509.not_after: + dashed_name: threat-enrichments-indicator-x509-not-after description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + flat_name: threat.enrichments.indicator.x509.not_after level: extended name: not_after normalize: [] original_fieldset: x509 short: Time at which the certificate is no longer considered valid. type: date -threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before +threat.enrichments.indicator.x509.not_before: + dashed_name: threat-enrichments-indicator-x509-not-before description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + flat_name: threat.enrichments.indicator.x509.not_before level: extended name: not_before normalize: [] original_fieldset: x509 short: Time at which the certificate is first considered valid. type: date -threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm +threat.enrichments.indicator.x509.public_key_algorithm: + dashed_name: threat-enrichments-indicator-x509-public-key-algorithm description: Algorithm used to generate the public key. example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + flat_name: threat.enrichments.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended name: public_key_algorithm 
@@ -14059,12 +14312,12 @@ threat.enrichments.x509.public_key_algorithm: original_fieldset: x509 short: Algorithm used to generate the public key. type: keyword -threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve +threat.enrichments.indicator.x509.public_key_curve: + dashed_name: threat-enrichments-indicator-x509-public-key-curve description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + flat_name: threat.enrichments.indicator.x509.public_key_curve ignore_above: 1024 level: extended name: public_key_curve @@ -14073,12 +14326,12 @@ threat.enrichments.x509.public_key_curve: short: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent +threat.enrichments.indicator.x509.public_key_exponent: + dashed_name: threat-enrichments-indicator-x509-public-key-exponent description: Exponent used to derive the public key. This is algorithm specific. doc_values: false example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent + flat_name: threat.enrichments.indicator.x509.public_key_exponent index: false level: extended name: public_key_exponent 
@@ -14086,24 +14339,24 @@ threat.enrichments.x509.public_key_exponent: original_fieldset: x509 short: Exponent used to derive the public key. This is algorithm specific. type: long -threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size +threat.enrichments.indicator.x509.public_key_size: + dashed_name: threat-enrichments-indicator-x509-public-key-size description: The size of the public key space in bits. example: 2048 - flat_name: threat.enrichments.x509.public_key_size + flat_name: threat.enrichments.indicator.x509.public_key_size level: extended name: public_key_size normalize: [] original_fieldset: x509 short: The size of the public key space in bits. type: long -threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number +threat.enrichments.indicator.x509.serial_number: + dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 level: extended name: serial_number 
@@ -14111,12 +14364,12 @@ threat.enrichments.x509.serial_number: original_fieldset: x509 short: Unique serial number issued by the certificate authority. type: keyword -threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm +threat.enrichments.indicator.x509.signature_algorithm: + dashed_name: threat-enrichments-indicator-x509-signature-algorithm description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + flat_name: threat.enrichments.indicator.x509.signature_algorithm ignore_above: 1024 level: extended name: signature_algorithm @@ -14124,11 +14377,11 @@ threat.enrichments.x509.signature_algorithm: original_fieldset: x509 short: Identifier for certificate signature algorithm. type: keyword -threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name +threat.enrichments.indicator.x509.subject.common_name: + dashed_name: threat-enrichments-indicator-x509-subject-common-name description: List of common names (CN) of subject. example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + flat_name: threat.enrichments.indicator.x509.subject.common_name ignore_above: 1024 level: extended name: subject.common_name 
@@ -14137,11 +14390,11 @@ threat.enrichments.x509.subject.common_name: original_fieldset: x509 short: List of common names (CN) of subject. type: keyword -threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country +threat.enrichments.indicator.x509.subject.country: + dashed_name: threat-enrichments-indicator-x509-subject-country description: List of country (C) code example: US - flat_name: threat.enrichments.x509.subject.country + flat_name: threat.enrichments.indicator.x509.subject.country ignore_above: 1024 level: extended name: subject.country @@ -14150,22 +14403,22 @@ threat.enrichments.x509.subject.country: original_fieldset: x509 short: List of country (C) code type: keyword -threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name +threat.enrichments.indicator.x509.subject.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + flat_name: threat.enrichments.indicator.x509.subject.distinguished_name level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. type: wildcard -threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality +threat.enrichments.indicator.x509.subject.locality: + dashed_name: threat-enrichments-indicator-x509-subject-locality description: List of locality names (L) example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + flat_name: threat.enrichments.indicator.x509.subject.locality ignore_above: 1024 level: extended name: subject.locality 
@@ -14174,11 +14427,11 @@ threat.enrichments.x509.subject.locality: original_fieldset: x509 short: List of locality names (L) type: keyword -threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization +threat.enrichments.indicator.x509.subject.organization: + dashed_name: threat-enrichments-indicator-x509-subject-organization description: List of organizations (O) of subject. example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + flat_name: threat.enrichments.indicator.x509.subject.organization ignore_above: 1024 level: extended name: subject.organization @@ -14187,10 +14440,10 @@ threat.enrichments.x509.subject.organization: original_fieldset: x509 short: List of organizations (O) of subject. type: keyword -threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit +threat.enrichments.indicator.x509.subject.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit + flat_name: threat.enrichments.indicator.x509.subject.organizational_unit ignore_above: 1024 level: extended name: subject.organizational_unit 
@@ -14199,11 +14452,11 @@ threat.enrichments.x509.subject.organizational_unit: original_fieldset: x509 short: List of organizational units (OU) of subject. type: keyword -threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province +threat.enrichments.indicator.x509.subject.state_or_province: + dashed_name: threat-enrichments-indicator-x509-subject-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.subject.state_or_province + flat_name: threat.enrichments.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended name: subject.state_or_province @@ -14212,11 +14465,11 @@ threat.enrichments.x509.subject.state_or_province: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number +threat.enrichments.indicator.x509.version_number: + dashed_name: threat-enrichments-indicator-x509-version-number description: Version of x509 format. example: 3 - flat_name: threat.enrichments.x509.version_number + flat_name: threat.enrichments.indicator.x509.version_number ignore_above: 1024 level: extended name: version_number 
@@ -14224,1723 +14477,2859 @@ threat.enrichments.x509.version_number: original_fieldset: x509 short: Version of x509 format. type: keyword -threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification can - be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework +threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended - name: framework + name: enrichments.matched.atomic normalize: [] - short: Threat classification framework. + short: Matched indicator value type: keyword -threat.group.alias: +threat.enrichments.matched.field: beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field ignore_above: 1024 level: extended - name: group.alias - normalize: - - array - short: Alias of the group. + name: enrichments.matched.field + normalize: [] + short: Matched indicator field type: keyword -threat.group.id: +threat.enrichments.matched.id: beta: This field is beta and subject to change. 
- dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that are\ - \ tracked by a common name in the security community. While not required, you\ - \ can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id ignore_above: 1024 level: extended - name: group.id + name: enrichments.matched.id normalize: [] - short: ID of the group. + short: Matched indicator identifier type: keyword -threat.group.name: +threat.enrichments.matched.index: beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: group.name + name: enrichments.matched.index normalize: [] - short: Name of the group. + short: Matched indicator index type: keyword -threat.group.reference: +threat.enrichments.matched.type: beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group reference URL." 
- example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type ignore_above: 1024 level: extended - name: group.reference + name: enrichments.matched.type normalize: [] - short: Reference URL of the group. + short: Type of indicator match type: keyword -threat.indicator.as.number: - dashed_name: threat-indicator-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: threat.indicator.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -threat.indicator.as.organization.name: - dashed_name: threat-indicator-as-organization-name - description: Organization name. - example: Google LLC - flat_name: threat.indicator.as.organization.name - level: extended - multi_fields: - - flat_name: threat.indicator.as.organization.name.text - name: text - norms: false - type: text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: wildcard -threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence +threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: threat.enrichments.pe.architecture ignore_above: 1024 level: extended - name: indicator.confidence + name: architecture normalize: [] - short: Indicator confidence rating + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description +threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash ignore_above: 1024 level: extended - name: indicator.description + name: authentihash normalize: [] - short: Indicator description + original_fieldset: pe + short: Authentihash of the PE file. type: keyword -threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective of - direction). - example: phish@example.com - flat_name: threat.indicator.email.address +threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.pe.company ignore_above: 1024 level: extended - name: indicator.email.address + name: company normalize: [] - short: Indicator email address + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword -threat.indicator.file.accessed: - dashed_name: threat-indicator-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' 
- flat_name: threat.indicator.file.accessed +threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp level: extended - name: accessed + name: compile_timestamp normalize: [] - original_fieldset: file - short: Last time the file was accessed. + original_fieldset: pe + short: Compile timestamp of the PE file. type: date -threat.indicator.file.attributes: - dashed_name: threat-indicator-file-attributes - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, execute, - hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.indicator.file.attributes +threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name ignore_above: 1024 level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. - type: keyword -threat.indicator.file.code_signature.exists: - dashed_name: threat-indicator-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.indicator.file.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -threat.indicator.file.code_signature.signing_id: - dashed_name: threat-indicator-file-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' 
- example: com.apple.xpc.proxy - flat_name: threat.indicator.file.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -threat.indicator.file.code_signature.status: - dashed_name: threat-indicator-file-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.indicator.file.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword -threat.indicator.file.code_signature.subject_name: - dashed_name: threat-indicator-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.indicator.file.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name + name: compiler.name normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: pe + short: Name of the compiler type: keyword -threat.indicator.file.code_signature.team_id: - dashed_name: threat-indicator-file-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.indicator.file.code_signature.team_id +threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. 
+ example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version ignore_above: 1024 level: extended - name: team_id + name: compiler.version normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: pe + short: Version of the compiler. type: keyword -threat.indicator.file.code_signature.trusted: - dashed_name: threat-indicator-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.indicator.file.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -threat.indicator.file.code_signature.valid: - dashed_name: threat-indicator-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.indicator.file.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -threat.indicator.file.created: - dashed_name: threat-indicator-file-created - description: 'File creation time. - - Note that not all filesystems store the creation time.' - flat_name: threat.indicator.file.created +threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date level: extended - name: created + name: creation_date normalize: [] - original_fieldset: file - short: File creation time. + original_fieldset: pe + short: Build or compile date. type: date -threat.indicator.file.ctime: - dashed_name: threat-indicator-file-ctime - description: 'Last time the file attributes or metadata changed. +threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.indicator.file.ctime + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug level: extended - name: ctime - normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date -threat.indicator.file.device: - dashed_name: threat-indicator-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.indicator.file.device + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset ignore_above: 1024 level: extended - name: device + name: debug.offset normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: pe + short: Debug offset information. type: keyword -threat.indicator.file.directory: - dashed_name: threat-indicator-file-directory - description: Directory where the file is located. It should include the drive letter, - when appropriate. 
- example: /home/alice - flat_name: threat.indicator.file.directory +threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes level: extended - name: directory + name: debug.size normalize: [] - original_fieldset: file - short: Directory where the file is located. - type: wildcard -threat.indicator.file.drive_letter: - dashed_name: threat-indicator-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C - flat_name: threat.indicator.file.drive_letter - ignore_above: 1 + original_fieldset: pe + short: Size of the debug information. + type: long +threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp level: extended - name: drive_letter + name: debug.timestamp normalize: [] - original_fieldset: file - short: Drive letter where the file is located. - type: keyword -threat.indicator.file.elf.architecture: - dashed_name: threat-indicator-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.indicator.file.elf.architecture + original_fieldset: pe + short: Timestamp of the debug information. + type: date +threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type ignore_above: 1024 level: extended - name: architecture + name: debug.type normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. 
+ original_fieldset: pe + short: Information type generated by the debug options. type: keyword -threat.indicator.file.elf.byte_order: - dashed_name: threat-indicator-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.indicator.file.elf.byte_order +threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description ignore_above: 1024 level: extended - name: byte_order + name: description normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword -threat.indicator.file.elf.cpu_type: - dashed_name: threat-indicator-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.indicator.file.elf.cpu_type +threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point ignore_above: 1024 level: extended - name: cpu_type + name: entry_point normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: pe + short: Relative byte offset to the base of the PE file. type: keyword -threat.indicator.file.elf.creation_date: - dashed_name: threat-indicator-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: threat.indicator.file.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -threat.indicator.file.elf.exports: - dashed_name: threat-indicator-file-elf-exports - description: List of exported element names and types. 
- flat_name: threat.indicator.file.elf.exports +threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports + ignore_above: 1024 level: extended name: exports normalize: - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -threat.indicator.file.elf.header.abi_version: - dashed_name: threat-indicator-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.indicator.file.elf.header.abi_version + original_fieldset: pe + short: List of symbols exported by PE + type: keyword +threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version ignore_above: 1024 level: extended - name: header.abi_version + name: file_version normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: pe + short: Process name. type: keyword -threat.indicator.file.elf.header.class: - dashed_name: threat-indicator-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.indicator.file.elf.header.class +threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: header.class + name: icon.hash.dhash normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. 
type: keyword -threat.indicator.file.elf.header.data: - dashed_name: threat-indicator-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.indicator.file.elf.header.data +threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash ignore_above: 1024 level: extended - name: header.data + name: imphash normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -threat.indicator.file.elf.header.entrypoint: - dashed_name: threat-indicator-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.indicator.file.elf.header.entrypoint - format: string +threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports level: extended - name: header.entrypoint + name: imports normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -threat.indicator.file.elf.header.object_version: - dashed_name: threat-indicator-file-elf-header-object-version - description: '"0x1" for original ELF files.' 
- flat_name: threat.indicator.file.elf.header.object_version + original_fieldset: pe + short: List of all imported functions + type: flattened +threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type ignore_above: 1024 level: extended - name: header.object_version + name: machine_type normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: pe + short: Machine type of the PE file. type: keyword -threat.indicator.file.elf.header.os_abi: - dashed_name: threat-indicator-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.indicator.file.elf.header.os_abi - ignore_above: 1024 +threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name level: extended - name: header.os_abi + name: original_file_name normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword -threat.indicator.file.elf.header.type: - dashed_name: threat-indicator-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.indicator.file.elf.header.type + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers ignore_above: 1024 level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. 
+ name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. type: keyword -threat.indicator.file.elf.header.version: - dashed_name: threat-indicator-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.indicator.file.elf.header.version +threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product ignore_above: 1024 level: extended - name: header.version + name: product normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword -threat.indicator.file.elf.imports: - dashed_name: threat-indicator-file-elf-imports - description: List of imported element names and types. - flat_name: threat.indicator.file.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -threat.indicator.file.elf.sections: - dashed_name: threat-indicator-file-elf-sections - description: 'An array containing an object for each section of the ELF file. +threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: threat.indicator.file.elf.sections + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.pe.resources level: extended - name: sections + name: resources normalize: - array - original_fieldset: elf - short: Section information of the ELF file. 
+ original_fieldset: pe + short: PE resource information type: nested -threat.indicator.file.elf.sections.chi2: - dashed_name: threat-indicator-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.indicator.file.elf.sections.chi2 - format: number +threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 level: extended - name: sections.chi2 + name: resources.chi2 normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. + original_fieldset: pe + short: Chi-square probability distribution. type: long -threat.indicator.file.elf.sections.entropy: - dashed_name: threat-indicator-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.indicator.file.elf.sections.entropy - format: number +threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy level: extended - name: sections.entropy + name: resources.entropy normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. type: long -threat.indicator.file.elf.sections.flags: - dashed_name: threat-indicator-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.indicator.file.elf.sections.flags +threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 level: extended - name: sections.flags + name: resources.filetype normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: pe + short: File type of the resources section. type: keyword -threat.indicator.file.elf.sections.name: - dashed_name: threat-indicator-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.indicator.file.elf.sections.name +threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language ignore_above: 1024 level: extended - name: sections.name + name: resources.language normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: pe + short: Language identification. type: keyword -threat.indicator.file.elf.sections.physical_offset: - dashed_name: threat-indicator-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.indicator.file.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -threat.indicator.file.elf.sections.physical_size: - dashed_name: threat-indicator-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.indicator.file.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long -threat.indicator.file.elf.sections.type: - dashed_name: threat-indicator-file-elf-sections-type - description: ELF Section List type. 
- flat_name: threat.indicator.file.elf.sections.type +threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 ignore_above: 1024 level: extended - name: sections.type + name: resources.sha256 normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword -threat.indicator.file.elf.sections.virtual_address: - dashed_name: threat-indicator-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.indicator.file.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -threat.indicator.file.elf.sections.virtual_size: - dashed_name: threat-indicator-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.indicator.file.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -threat.indicator.file.elf.segments: - dashed_name: threat-indicator-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: threat.indicator.file.elf.segments +threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. 
+ example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type + ignore_above: 1024 level: extended - name: segments + name: resources.type normalize: - array - original_fieldset: elf - short: ELF object segment list. - type: nested -threat.indicator.file.elf.segments.sections: - dashed_name: threat-indicator-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.indicator.file.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: pe + short: List of resource types. type: keyword -threat.indicator.file.elf.segments.type: - dashed_name: threat-indicator-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.indicator.file.elf.segments.type +threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 ignore_above: 1024 level: extended - name: segments.type + name: rich_header.hash.md5 normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword -threat.indicator.file.elf.shared_libraries: - dashed_name: threat-indicator-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.indicator.file.elf.shared_libraries - ignore_above: 1024 +threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections level: extended - name: shared_libraries + name: sections normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. 
- type: keyword -threat.indicator.file.elf.telfhash: - dashed_name: threat-indicator-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.indicator.file.elf.telfhash - ignore_above: 1024 + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 level: extended - name: telfhash + name: sections.chi2 normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword -threat.indicator.file.extension: - dashed_name: threat-indicator-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.indicator.file.extension - ignore_above: 1024 + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy level: extended - name: extension + name: sections.entropy normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. - type: keyword -threat.indicator.file.gid: - dashed_name: threat-indicator-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.indicator.file.gid + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. 
+ example: rx + flat_name: threat.enrichments.pe.sections.flags ignore_above: 1024 level: extended - name: gid + name: sections.flags normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + original_fieldset: pe + short: Section flags of the file. type: keyword -threat.indicator.file.group: - dashed_name: threat-indicator-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.indicator.file.group +threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name ignore_above: 1024 level: extended - name: group + name: sections.name normalize: [] - original_fieldset: file - short: Primary group name of the file. + original_fieldset: pe + short: Section names of the file. type: keyword -threat.indicator.file.inode: - dashed_name: threat-indicator-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.indicator.file.inode - ignore_above: 1024 +threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size + format: bytes level: extended - name: inode + name: sections.raw_size normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. - type: keyword -threat.indicator.file.mime_type: - dashed_name: threat-indicator-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official - types], where possible. When more than one type is applicable, the most specific - type should be used. 
- flat_name: threat.indicator.file.mime_type - ignore_above: 1024 + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes level: extended - name: mime_type + name: sections.virtual_address normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. - type: keyword -threat.indicator.file.mode: - dashed_name: threat-indicator-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.indicator.file.mode + original_fieldset: pe + short: Virtual address available to the file. + type: long +threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes ignore_above: 1024 level: extended - name: mode + name: data.bytes normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword -threat.indicator.file.mtime: - dashed_name: threat-indicator-file-mtime - description: Last time the file content was modified. - flat_name: threat.indicator.file.mtime - level: extended - name: mtime - normalize: [] - original_fieldset: file - short: Last time the file content was modified. 
- type: date -threat.indicator.file.name: - dashed_name: threat-indicator-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.indicator.file.name +threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard +threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard +threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework ignore_above: 1024 level: extended - name: name + name: framework normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + short: Threat classification framework. type: keyword -threat.indicator.file.owner: - dashed_name: threat-indicator-file-owner - description: File owner's username. - example: alice - flat_name: threat.indicator.file.owner +threat.group.alias: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: owner + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id normalize: [] - original_fieldset: file - short: File owner's username. + short: ID of the group. type: keyword -threat.indicator.file.path: - dashed_name: threat-indicator-file-path - description: Full path to the file, including the file name. It should include the - drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.indicator.file.path +threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.indicator.file.path.text - name: text - norms: false - type: text - name: path + name: group.name normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. 
- type: wildcard -threat.indicator.file.size: - dashed_name: threat-indicator-file-size - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.indicator.file.size + short: Name of the group. + type: keyword +threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 level: extended - name: size + name: group.reference normalize: [] - original_fieldset: file - short: File size in bytes. + short: Reference URL of the group. + type: keyword +threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. type: long -threat.indicator.file.target_path: - dashed_name: threat-indicator-file-target-path - description: Target path for symlinks. - flat_name: threat.indicator.file.target_path +threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name level: extended multi_fields: - - flat_name: threat.indicator.file.target_path.text + - flat_name: threat.indicator.as.organization.name.text name: text norms: false type: text - name: target_path + name: organization.name normalize: [] - original_fieldset: file - short: Target path for symlinks. 
+ original_fieldset: as + short: Organization name. type: wildcard -threat.indicator.file.type: - dashed_name: threat-indicator-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.indicator.file.type +threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: type + name: indicator.confidence normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + short: Indicator confidence rating type: keyword -threat.indicator.file.uid: - dashed_name: threat-indicator-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.indicator.file.uid +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description ignore_above: 1024 level: extended - name: uid + name: indicator.description normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + short: Indicator description type: keyword -threat.indicator.first_seen: +threat.indicator.email.address: beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 level: extended - name: indicator.first_seen + name: indicator.email.address normalize: [] - short: Date/time indicator was first reported. + short: Indicator email address + type: keyword +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. type: date -threat.indicator.geo.city_name: - dashed_name: threat-indicator-geo-city-name - description: City name. - example: Montreal - flat_name: threat.indicator.geo.city_name +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists level: core - name: city_name + name: exists normalize: [] - original_fieldset: geo - short: City name. 
- type: keyword -threat.indicator.geo.continent_code: - dashed_name: threat-indicator-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.indicator.geo.continent_code + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id ignore_above: 1024 - level: core - name: continent_code + level: extended + name: signing_id normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword -threat.indicator.geo.continent_name: - dashed_name: threat-indicator-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.indicator.geo.continent_name +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 - level: core - name: continent_name + level: extended + name: status normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: code_signature + short: Additional information about the certificate status. 
type: keyword -threat.indicator.geo.country_iso_code: - dashed_name: threat-indicator-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.indicator.geo.country_iso_code +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 level: core - name: country_iso_code + name: subject_name normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: code_signature + short: Subject name of the code signer type: keyword -threat.indicator.geo.country_name: - dashed_name: threat-indicator-geo-country-name - description: Country name. - example: Canada - flat_name: threat.indicator.geo.country_name +threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 - level: core - name: country_name + level: extended + name: team_id normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -threat.indicator.geo.location: - dashed_name: threat-indicator-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.indicator.geo.location - level: core - name: location +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. 
+ + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -threat.indicator.geo.name: - dashed_name: threat-indicator-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.indicator.geo.name + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created level: extended - name: name + name: created normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: wildcard -threat.indicator.geo.postal_code: - dashed_name: threat-indicator-geo-postal-code - description: 'Postal code associated with the location. + original_fieldset: file + short: File creation time. 
+ type: date +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.indicator.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword -threat.indicator.geo.region_iso_code: - dashed_name: threat-indicator-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.indicator.geo.region_iso_code + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: device normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: file + short: Device that is the source of the file. type: keyword -threat.indicator.geo.region_name: - dashed_name: threat-indicator-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.indicator.geo.region_name - ignore_above: 1024 - level: core - name: region_name +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. 
+ example: /home/alice + flat_name: threat.indicator.file.directory + level: extended + name: directory normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -threat.indicator.geo.timezone: - dashed_name: threat-indicator-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.indicator.geo.timezone - ignore_above: 1024 + original_fieldset: file + short: Directory where the file is located. + type: wildcard +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. 
+ example: Intel + flat_name: threat.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. 
+ flat_name: threat.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. 
+ flat_name: threat.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. 
+ flat_name: threat.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: threat.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword +threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. 
+ example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date +threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. 
+ example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword +threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard +threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard +threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. 
+ example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. 
+ type: keyword +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. 
+ type: keyword +threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone + ignore_above: 1024 level: core name: timezone normalize: [] - original_fieldset: geo - short: Time zone. + original_fieldset: geo + short: Time zone. + type: keyword +threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. 
+ flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword +threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date +threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: threat.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +threat.indicator.pe.authentihash: + dashed_name: threat-indicator-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.indicator.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword +threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.indicator.pe.compile_timestamp: + dashed_name: threat-indicator-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +threat.indicator.pe.compiler.name: + dashed_name: threat-indicator-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.indicator.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +threat.indicator.pe.compiler.version: + dashed_name: threat-indicator-pe-compiler-version + description: Version of the compiler. 
+ example: 11.0.0 + flat_name: threat.indicator.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +threat.indicator.pe.creation_date: + dashed_name: threat-indicator-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +threat.indicator.pe.debug: + dashed_name: threat-indicator-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.indicator.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +threat.indicator.pe.debug.offset: + dashed_name: threat-indicator-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.indicator.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +threat.indicator.pe.debug.size: + dashed_name: threat-indicator-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.indicator.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +threat.indicator.pe.debug.timestamp: + dashed_name: threat-indicator-pe-debug-timestamp + description: Timestamp of the debug information. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +threat.indicator.pe.debug.type: + dashed_name: threat-indicator-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.indicator.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword +threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +threat.indicator.pe.entry_point: + dashed_name: threat-indicator-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.indicator.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +threat.indicator.pe.exports: + dashed_name: threat-indicator-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.indicator.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword +threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. type: keyword -threat.indicator.hash.md5: - dashed_name: threat-indicator-hash-md5 - description: MD5 hash. - flat_name: threat.indicator.hash.md5 +threat.indicator.pe.icon.hash.dhash: + dashed_name: threat-indicator-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.indicator.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: md5 + name: icon.hash.dhash normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword -threat.indicator.hash.sha1: - dashed_name: threat-indicator-hash-sha1 - description: SHA1 hash. - flat_name: threat.indicator.hash.sha1 +threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash ignore_above: 1024 level: extended - name: sha1 + name: imphash normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -threat.indicator.hash.sha256: - dashed_name: threat-indicator-hash-sha256 - description: SHA256 hash. 
- flat_name: threat.indicator.hash.sha256 +threat.indicator.pe.imports: + dashed_name: threat-indicator-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.indicator.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +threat.indicator.pe.machine_type: + dashed_name: threat-indicator-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.indicator.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword +threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +threat.indicator.pe.packers: + dashed_name: threat-indicator-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.indicator.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword +threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. 
+ type: keyword +threat.indicator.pe.resources: + dashed_name: threat-indicator-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.indicator.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +threat.indicator.pe.resources.chi2: + dashed_name: threat-indicator-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.indicator.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.indicator.pe.resources.entropy: + dashed_name: threat-indicator-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.indicator.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +threat.indicator.pe.resources.filetype: + dashed_name: threat-indicator-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.indicator.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +threat.indicator.pe.resources.language: + dashed_name: threat-indicator-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.indicator.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. 
+ type: keyword +threat.indicator.pe.resources.sha256: + dashed_name: threat-indicator-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.indicator.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +threat.indicator.pe.resources.type: + dashed_name: threat-indicator-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.indicator.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +threat.indicator.pe.rich_header.hash.md5: + dashed_name: threat-indicator-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.indicator.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +threat.indicator.pe.sections: + dashed_name: threat-indicator-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.indicator.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +threat.indicator.pe.sections.chi2: + dashed_name: threat-indicator-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.indicator.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. 
+ type: long +threat.indicator.pe.sections.entropy: + dashed_name: threat-indicator-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.indicator.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +threat.indicator.pe.sections.flags: + dashed_name: threat-indicator-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.indicator.pe.sections.flags ignore_above: 1024 level: extended - name: sha256 + name: sections.flags normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: pe + short: Section flags of the file. type: keyword -threat.indicator.hash.sha512: - dashed_name: threat-indicator-hash-sha512 - description: SHA512 hash. - flat_name: threat.indicator.hash.sha512 +threat.indicator.pe.sections.name: + dashed_name: threat-indicator-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.indicator.pe.sections.name ignore_above: 1024 level: extended - name: sha512 + name: sections.name normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: pe + short: Section names of the file. type: keyword -threat.indicator.hash.ssdeep: - dashed_name: threat-indicator-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.indicator.hash.ssdeep - ignore_above: 1024 +threat.indicator.pe.sections.raw_size: + dashed_name: threat-indicator-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.indicator.pe.sections.raw_size + format: bytes level: extended - name: ssdeep + name: sections.raw_size normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -threat.indicator.ip: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +threat.indicator.pe.sections.virtual_address: + dashed_name: threat-indicator-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.indicator.pe.sections.virtual_address + format: bytes level: extended - name: indicator.ip + name: sections.virtual_address normalize: [] - short: Indicator IP address - type: ip -threat.indicator.last_seen: + original_fieldset: pe + short: Virtual address available to the file. + type: long +threat.indicator.port: beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting this - indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.indicator.port level: extended - name: indicator.last_seen + name: indicator.port normalize: [] - short: Date/time indicator was last reported. - type: date -threat.indicator.marking.tlp: + short: Indicator port + type: long +threat.indicator.provider: beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. 
+ example: lrz_urlhaus + flat_name: threat.indicator.provider ignore_above: 1024 level: extended - name: indicator.marking.tlp + name: indicator.provider normalize: [] - short: Indicator TLP marking + short: Indicator provider type: keyword -threat.indicator.modified_at: +threat.indicator.reference: beta: This field is beta and subject to change. - dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 level: extended - name: indicator.modified_at + name: indicator.reference normalize: [] - short: Date/time indicator was last updated. - type: date -threat.indicator.pe.architecture: - dashed_name: threat-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.indicator.pe.architecture + short: Indicator reference URL + type: keyword +threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes ignore_above: 1024 level: extended - name: architecture + name: data.bytes normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: registry + short: Original bytes written with base64 encoding. 
type: keyword -threat.indicator.pe.authentihash: - dashed_name: threat-indicator-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.indicator.pe.authentihash +threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard +threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type ignore_above: 1024 - level: extended - name: authentihash + level: core + name: data.type normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword -threat.indicator.pe.company: - dashed_name: threat-indicator-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.indicator.pe.company +threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. 
+ example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard +threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword +threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long +threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ + \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type ignore_above: 1024 level: extended - name: company + name: indicator.type normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + short: Type of indicator type: keyword -threat.indicator.pe.compile_timestamp: - dashed_name: threat-indicator-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.compile_timestamp +threat.indicator.url.domain: + dashed_name: threat-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.indicator.url.domain level: extended - name: compile_timestamp + name: domain normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. 
- type: date -threat.indicator.pe.compiler.name: - dashed_name: threat-indicator-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.indicator.pe.compiler.name + original_fieldset: url + short: Domain of the url. + type: wildcard +threat.indicator.url.extension: + dashed_name: threat-indicator-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.url.extension ignore_above: 1024 level: extended - name: compiler.name + name: extension normalize: [] - original_fieldset: pe - short: Name of the compiler + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword -threat.indicator.pe.compiler.version: - dashed_name: threat-indicator-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.indicator.pe.compiler.version +threat.indicator.url.fragment: + dashed_name: threat-indicator-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.indicator.url.fragment ignore_above: 1024 level: extended - name: compiler.version + name: fragment normalize: [] - original_fieldset: pe - short: Version of the compiler. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword -threat.indicator.pe.creation_date: - dashed_name: threat-indicator-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.creation_date +threat.indicator.url.full: + dashed_name: threat-indicator-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.indicator.url.full level: extended - name: creation_date + multi_fields: + - flat_name: threat.indicator.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -threat.indicator.pe.debug: - dashed_name: threat-indicator-pe-debug - description: 'An array containing an object for each debug entry, if present. + original_fieldset: url + short: Full unparsed URL. + type: wildcard +threat.indicator.url.original: + dashed_name: threat-indicator-url-original + description: 'Unmodified original url as seen in the event source. - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.indicator.pe.debug + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.indicator.url.original level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -threat.indicator.pe.debug.offset: - dashed_name: threat-indicator-pe-debug-offset - description: Debug offset information. 
- example: 1296336 - flat_name: threat.indicator.pe.debug.offset + multi_fields: + - flat_name: threat.indicator.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: wildcard +threat.indicator.url.password: + dashed_name: threat-indicator-url-password + description: Password of the request. + flat_name: threat.indicator.url.password ignore_above: 1024 level: extended - name: debug.offset + name: password normalize: [] - original_fieldset: pe - short: Debug offset information. + original_fieldset: url + short: Password of the request. type: keyword -threat.indicator.pe.debug.size: - dashed_name: threat-indicator-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.indicator.pe.debug.size - format: bytes - level: extended - name: debug.size - normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long -threat.indicator.pe.debug.timestamp: - dashed_name: threat-indicator-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.debug.timestamp +threat.indicator.url.path: + dashed_name: threat-indicator-url-path + description: Path of the request, such as "/search". + flat_name: threat.indicator.url.path level: extended - name: debug.timestamp + name: path normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -threat.indicator.pe.debug.type: - dashed_name: threat-indicator-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.indicator.pe.debug.type - ignore_above: 1024 + original_fieldset: url + short: Path of the request, such as "/search". 
+ type: wildcard +threat.indicator.url.port: + dashed_name: threat-indicator-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.indicator.url.port + format: string level: extended - name: debug.type + name: port normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. - type: keyword -threat.indicator.pe.description: - dashed_name: threat-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.indicator.pe.description + original_fieldset: url + short: Port of the request, such as 443. + type: long +threat.indicator.url.query: + dashed_name: threat-indicator-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. The `exists` query can be used to differentiate between the two + cases.' + flat_name: threat.indicator.url.query ignore_above: 1024 level: extended - name: description + name: query normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: url + short: Query string of the request. type: keyword -threat.indicator.pe.entry_point: - dashed_name: threat-indicator-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.indicator.pe.entry_point - ignore_above: 1024 +threat.indicator.url.registered_domain: + dashed_name: threat-indicator-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.indicator.url.registered_domain level: extended - name: entry_point + name: registered_domain normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword -threat.indicator.pe.exports: - dashed_name: threat-indicator-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.indicator.pe.exports - ignore_above: 1024 - level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword -threat.indicator.pe.file_version: - dashed_name: threat-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.indicator.pe.file_version + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: wildcard +threat.indicator.url.scheme: + dashed_name: threat-indicator-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.indicator.url.scheme ignore_above: 1024 level: extended - name: file_version + name: scheme normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: url + short: Scheme of the url. type: keyword -threat.indicator.pe.icon.hash.dhash: - dashed_name: threat-indicator-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. 
- example: b806e17c8e330d82 - flat_name: threat.indicator.pe.icon.hash.dhash +threat.indicator.url.subdomain: + dashed_name: threat-indicator-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.indicator.url.subdomain ignore_above: 1024 level: extended - name: icon.hash.dhash + name: subdomain normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + original_fieldset: url + short: The subdomain of the domain. type: keyword -threat.indicator.pe.imphash: - dashed_name: threat-indicator-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. +threat.indicator.url.top_level_domain: + dashed_name: threat-indicator-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.indicator.pe.imphash + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). 
Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.indicator.url.top_level_domain ignore_above: 1024 level: extended - name: imphash + name: top_level_domain normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.indicator.pe.imports: - dashed_name: threat-indicator-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.indicator.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -threat.indicator.pe.machine_type: - dashed_name: threat-indicator-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.indicator.pe.machine_type +threat.indicator.url.username: + dashed_name: threat-indicator-url-username + description: Username of the request. + flat_name: threat.indicator.url.username ignore_above: 1024 level: extended - name: machine_type + name: username normalize: [] - original_fieldset: pe - short: Machine type of the PE file. + original_fieldset: url + short: Username of the request. type: keyword -threat.indicator.pe.original_file_name: - dashed_name: threat-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.indicator.pe.original_file_name - level: extended - name: original_file_name - normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: wildcard -threat.indicator.pe.packers: - dashed_name: threat-indicator-pe-packers - description: List of packers and tools used. 
- example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.indicator.pe.packers +threat.indicator.x509.alternative_names: + dashed_name: threat-indicator-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.indicator.x509.alternative_names ignore_above: 1024 level: extended - name: packers + name: alternative_names normalize: - array - original_fieldset: pe - short: List of packers and tools used. + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword -threat.indicator.pe.product: - dashed_name: threat-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.indicator.pe.product +threat.indicator.x509.issuer.common_name: + dashed_name: threat-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.indicator.x509.issuer.common_name ignore_above: 1024 level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword -threat.indicator.pe.resources: - dashed_name: threat-indicator-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.indicator.pe.resources - level: extended - name: resources + name: issuer.common_name normalize: - array - original_fieldset: pe - short: PE resource information - type: nested -threat.indicator.pe.resources.chi2: - dashed_name: threat-indicator-pe-resources-chi2 - description: Chi-square probability distribution. 
- example: -1 - flat_name: threat.indicator.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -threat.indicator.pe.resources.entropy: - dashed_name: threat-indicator-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.indicator.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long -threat.indicator.pe.resources.filetype: - dashed_name: threat-indicator-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.indicator.pe.resources.filetype + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword +threat.indicator.x509.issuer.country: + dashed_name: threat-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes type: keyword -threat.indicator.pe.resources.language: - dashed_name: threat-indicator-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: threat.indicator.pe.resources.language - ignore_above: 1024 +threat.indicator.x509.issuer.distinguished_name: + dashed_name: threat-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.indicator.x509.issuer.distinguished_name level: extended - name: resources.language + name: issuer.distinguished_name normalize: [] - original_fieldset: pe - short: Language identification. - type: keyword -threat.indicator.pe.resources.sha256: - dashed_name: threat-indicator-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.indicator.pe.resources.sha256 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard +threat.indicator.x509.issuer.locality: + dashed_name: threat-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.indicator.x509.issuer.locality ignore_above: 1024 level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.indicator.pe.resources.type: - dashed_name: threat-indicator-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.indicator.pe.resources.type +threat.indicator.x509.issuer.organization: + dashed_name: threat-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.indicator.x509.issuer.organization ignore_above: 1024 level: extended - name: resources.type + name: issuer.organization normalize: - array - original_fieldset: pe - short: List of resource types. + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. 
type: keyword -threat.indicator.pe.rich_header.hash.md5: - dashed_name: threat-indicator-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.indicator.pe.rich_header.hash.md5 +threat.indicator.x509.issuer.organizational_unit: + dashed_name: threat-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword -threat.indicator.pe.sections: - dashed_name: threat-indicator-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.indicator.pe.sections +threat.indicator.x509.issuer.state_or_province: + dashed_name: threat-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.indicator.x509.issuer.state_or_province + ignore_above: 1024 level: extended - name: sections + name: issuer.state_or_province normalize: - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -threat.indicator.pe.sections.chi2: - dashed_name: threat-indicator-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.indicator.pe.sections.chi2 - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. 
- type: long -threat.indicator.pe.sections.entropy: - dashed_name: threat-indicator-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.indicator.pe.sections.entropy + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.indicator.x509.not_after: + dashed_name: threat-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.indicator.x509.not_after level: extended - name: sections.entropy + name: not_after normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float -threat.indicator.pe.sections.flags: - dashed_name: threat-indicator-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.indicator.pe.sections.flags - ignore_above: 1024 + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +threat.indicator.x509.not_before: + dashed_name: threat-indicator-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.indicator.x509.not_before level: extended - name: sections.flags + name: not_before normalize: [] - original_fieldset: pe - short: Section flags of the file. - type: keyword -threat.indicator.pe.sections.name: - dashed_name: threat-indicator-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.indicator.pe.sections.name + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +threat.indicator.x509.public_key_algorithm: + dashed_name: threat-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. 
+ example: RSA + flat_name: threat.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended - name: sections.name + name: public_key_algorithm normalize: [] - original_fieldset: pe - short: Section names of the file. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword -threat.indicator.pe.sections.raw_size: - dashed_name: threat-indicator-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.indicator.pe.sections.raw_size - format: bytes +threat.indicator.x509.public_key_curve: + dashed_name: threat-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.indicator.x509.public_key_curve + ignore_above: 1024 level: extended - name: sections.raw_size + name: public_key_curve normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -threat.indicator.pe.sections.virtual_address: - dashed_name: threat-indicator-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.indicator.pe.sections.virtual_address - format: bytes + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +threat.indicator.x509.public_key_exponent: + dashed_name: threat-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.indicator.x509.public_key_exponent + index: false level: extended - name: sections.virtual_address + name: public_key_exponent normalize: [] - original_fieldset: pe - short: Virtual address available to the file. + original_fieldset: x509 + short: Exponent used to derive the public key. 
This is algorithm specific. type: long -threat.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of direction). - example: 443 - flat_name: threat.indicator.port +threat.indicator.x509.public_key_size: + dashed_name: threat-indicator-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.indicator.x509.public_key_size level: extended - name: indicator.port + name: public_key_size normalize: [] - short: Indicator port + original_fieldset: x509 + short: The size of the public key space in bits. type: long -threat.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.indicator.provider +threat.indicator.x509.serial_number: + dashed_name: threat-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.indicator.x509.serial_number ignore_above: 1024 level: extended - name: indicator.provider + name: serial_number normalize: [] - short: Indicator provider + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword -threat.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.indicator.reference +threat.indicator.x509.signature_algorithm: + dashed_name: threat-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. 
We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.indicator.x509.signature_algorithm ignore_above: 1024 level: extended - name: indicator.reference + name: signature_algorithm normalize: [] - short: Indicator reference URL + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword -threat.indicator.registry.data.bytes: - dashed_name: threat-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.registry.data.bytes +threat.indicator.x509.subject.common_name: + dashed_name: threat-indicator-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.indicator.x509.subject.common_name ignore_above: 1024 level: extended - name: data.bytes - normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword -threat.indicator.registry.data.strings: - dashed_name: threat-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single string - registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. - For sequences of string with REG_MULTI_SZ, this array will be variable length. - For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with - the decimal representation (e.g `"1"`).' 
- example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.registry.data.strings - level: core - name: data.strings + name: subject.common_name normalize: - array - original_fieldset: registry - short: List of strings representing what was written to the registry. - type: wildcard -threat.indicator.registry.data.type: - dashed_name: threat-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.registry.data.type - ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: x509 + short: List of common names (CN) of subject. type: keyword -threat.indicator.registry.hive: - dashed_name: threat-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.indicator.registry.hive +threat.indicator.x509.subject.country: + dashed_name: threat-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.indicator.x509.subject.country ignore_above: 1024 - level: core - name: hive - normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code type: keyword -threat.indicator.registry.key: - dashed_name: threat-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.registry.key - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. 
- type: wildcard -threat.indicator.registry.path: - dashed_name: threat-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.indicator.registry.path - level: core - name: path +threat.indicator.x509.subject.distinguished_name: + dashed_name: threat-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.indicator.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. type: wildcard -threat.indicator.registry.value: - dashed_name: threat-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.indicator.registry.value +threat.indicator.x509.subject.locality: + dashed_name: threat-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.indicator.x509.subject.locality ignore_above: 1024 - level: core - name: value - normalize: [] - original_fieldset: registry - short: Name of the value written. + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file or - URL. 
- example: 4 - flat_name: threat.indicator.scanner_stats +threat.indicator.x509.subject.organization: + dashed_name: threat-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.indicator.x509.subject.organization + ignore_above: 1024 level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long -threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword +threat.indicator.x509.subject.organizational_unit: + dashed_name: threat-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.indicator.x509.subject.organizational_unit + ignore_above: 1024 level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long -threat.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. 
+ type: keyword +threat.indicator.x509.subject.state_or_province: + dashed_name: threat-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended - name: indicator.type + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.indicator.x509.version_number: + dashed_name: threat-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.indicator.x509.version_number + ignore_above: 1024 + level: extended + name: version_number normalize: [] - short: Type of indicator + original_fieldset: x509 + short: Version of x509 format. type: keyword threat.software.id: beta: This field is beta and subject to change. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index bf274e0c69..a38716ece9 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -5301,10 +5301,10 @@ file: at: threat.indicator beta: Reusing the `file` fields in this location is currently considered beta. full: threat.indicator.file - - as: as + - as: file at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.indicator.file top_level: true reused_here: - full: file.code_signature 
@@ -5488,10 +5488,10 @@ geo: at: threat.indicator beta: Reusing the `geo` fields in this location is currently considered beta. full: threat.indicator.geo - - as: as + - as: geo at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.indicator.geo top_level: false short: Fields describing a location. title: Geo @@ -5624,10 +5624,10 @@ hash: at: threat.indicator beta: Reusing the `hash` fields in this location is currently considered beta. full: threat.indicator.hash - - as: as + - as: hash at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.enrichments.indicator.hash top_level: false short: Hashes, usually file hashes. title: Hash 
@@ -14377,61 +14377,34 @@ threat: normalize: [] short: Object containing indicators enriching the event. type: object - threat.enrichments.indicator.as.md5: - dashed_name: threat-enrichments-indicator-as-md5 - description: MD5 hash. - flat_name: threat.enrichments.indicator.as.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - threat.enrichments.indicator.as.sha1: - dashed_name: threat-enrichments-indicator-as-sha1 - description: SHA1 hash. - flat_name: threat.enrichments.indicator.as.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - threat.enrichments.indicator.as.sha256: - dashed_name: threat-enrichments-indicator-as-sha256 - description: SHA256 hash. - flat_name: threat.enrichments.indicator.as.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - threat.enrichments.indicator.as.sha512: - dashed_name: threat-enrichments-indicator-as-sha512 - description: SHA512 hash. - flat_name: threat.enrichments.indicator.as.sha512 - ignore_above: 1024 + threat.enrichments.indicator.as.number: + dashed_name: threat-enrichments-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.enrichments.indicator.as.number level: extended - name: sha512 + name: number normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - threat.enrichments.indicator.as.ssdeep: - dashed_name: threat-enrichments-indicator-as-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.indicator.as.ssdeep - ignore_above: 1024 + original_fieldset: as + short: Unique number allocated to the autonomous system. 
+ type: long + threat.enrichments.indicator.as.organization.name: + dashed_name: threat-enrichments-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.enrichments.indicator.as.organization.name level: extended - name: ssdeep + multi_fields: + - flat_name: threat.enrichments.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword + original_fieldset: as + short: Organization name. + type: wildcard threat.enrichments.indicator.confidence: beta: This field is beta and subject to change. dashed_name: threat-enrichments-indicator-confidence 
@@ -14472,762 +14445,966 @@ threat: normalize: [] short: Indicator email address type: keyword - threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.first_seen - level: extended - name: enrichments.indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date - threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.enrichments.indicator.ip - level: extended - name: enrichments.indicator.ip - normalize: [] - short: Indicator IP address - type: ip - threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.last_seen + threat.enrichments.indicator.file.accessed: + dashed_name: threat-enrichments-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.indicator.file.accessed level: extended - name: enrichments.indicator.last_seen + name: accessed normalize: [] - short: Date/time indicator was last reported. + original_fieldset: file + short: Last time the file was accessed. type: date - threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings. 
Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White - flat_name: threat.enrichments.indicator.marking.tlp + threat.enrichments.indicator.file.attributes: + dashed_name: threat-enrichments-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.indicator.file.attributes ignore_above: 1024 level: extended - name: enrichments.indicator.marking.tlp - normalize: [] - short: Indicator TLP marking + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. type: keyword - threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.modified_at - level: extended - name: enrichments.indicator.modified_at + threat.enrichments.indicator.file.code_signature.exists: + dashed_name: threat-enrichments-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.exists + level: core + name: exists normalize: [] - short: Date/time indicator was last updated. - type: date - threat.enrichments.indicator.pe.architecture: - dashed_name: threat-enrichments-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.enrichments.indicator.pe.architecture + original_fieldset: code_signature + short: Boolean to capture if a signature is present. 
+ type: boolean + threat.enrichments.indicator.file.code_signature.signing_id: + dashed_name: threat-enrichments-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended - name: architecture + name: signing_id normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: code_signature + short: The identifier used to sign the process. type: keyword - threat.enrichments.indicator.pe.authentihash: - dashed_name: threat-enrichments-indicator-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.indicator.pe.authentihash + threat.enrichments.indicator.file.code_signature.status: + dashed_name: threat-enrichments-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.indicator.file.code_signature.status ignore_above: 1024 level: extended - name: authentihash + name: status normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - threat.enrichments.indicator.pe.company: - dashed_name: threat-enrichments-indicator-pe-company - description: Internal company name of the file, provided at compile-time. 
+ threat.enrichments.indicator.file.code_signature.subject_name: + dashed_name: threat-enrichments-indicator-file-code-signature-subject-name + description: Subject name of the code signer example: Microsoft Corporation - flat_name: threat.enrichments.indicator.pe.company + flat_name: threat.enrichments.indicator.file.code_signature.subject_name ignore_above: 1024 - level: extended - name: company + level: core + name: subject_name normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: code_signature + short: Subject name of the code signer type: keyword - threat.enrichments.indicator.pe.compile_timestamp: - dashed_name: threat-enrichments-indicator-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.pe.compile_timestamp - level: extended - name: compile_timestamp - normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - threat.enrichments.indicator.pe.compiler.name: - dashed_name: threat-enrichments-indicator-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.enrichments.indicator.pe.compiler.name + threat.enrichments.indicator.file.code_signature.team_id: + dashed_name: threat-enrichments-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: compiler.name + name: team_id normalize: [] - original_fieldset: pe - short: Name of the compiler + original_fieldset: code_signature + short: The team identifier used to sign the process. 
type: keyword - threat.enrichments.indicator.pe.compiler.version: - dashed_name: threat-enrichments-indicator-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.enrichments.indicator.pe.compiler.version - ignore_above: 1024 + threat.enrichments.indicator.file.code_signature.trusted: + dashed_name: threat-enrichments-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.trusted level: extended - name: compiler.version + name: trusted normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword - threat.enrichments.indicator.pe.creation_date: - dashed_name: threat-enrichments-indicator-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.pe.creation_date + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.enrichments.indicator.file.code_signature.valid: + dashed_name: threat-enrichments-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.valid level: extended - name: creation_date + name: valid normalize: [] - original_fieldset: pe - short: Build or compile date. 
- type: date - threat.enrichments.indicator.pe.debug: - dashed_name: threat-enrichments-indicator-pe-debug - description: 'An array containing an object for each debug entry, if present. + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.enrichments.indicator.file.created: + dashed_name: threat-enrichments-indicator-file-created + description: 'File creation time. - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.enrichments.indicator.pe.debug + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.indicator.file.created level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - threat.enrichments.indicator.pe.debug.offset: - dashed_name: threat-enrichments-indicator-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.enrichments.indicator.pe.debug.offset + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date + threat.enrichments.indicator.file.ctime: + dashed_name: threat-enrichments-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.enrichments.indicator.file.device: + dashed_name: threat-enrichments-indicator-file-device + description: Device that is the source of the file. 
+ example: sda + flat_name: threat.enrichments.indicator.file.device ignore_above: 1024 level: extended - name: debug.offset + name: device normalize: [] - original_fieldset: pe - short: Debug offset information. + original_fieldset: file + short: Device that is the source of the file. type: keyword - threat.enrichments.indicator.pe.debug.size: - dashed_name: threat-enrichments-indicator-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.enrichments.indicator.pe.debug.size - format: bytes + threat.enrichments.indicator.file.directory: + dashed_name: threat-enrichments-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.enrichments.indicator.file.directory level: extended - name: debug.size + name: directory normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - threat.enrichments.indicator.pe.debug.timestamp: - dashed_name: threat-enrichments-indicator-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.pe.debug.timestamp + original_fieldset: file + short: Directory where the file is located. + type: wildcard + threat.enrichments.indicator.file.drive_letter: + dashed_name: threat-enrichments-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.indicator.file.drive_letter + ignore_above: 1 level: extended - name: debug.timestamp + name: drive_letter normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. 
- type: date - threat.enrichments.indicator.pe.debug.type: - dashed_name: threat-enrichments-indicator-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.indicator.pe.debug.type + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.enrichments.indicator.file.elf.architecture: + dashed_name: threat-enrichments-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.indicator.file.elf.architecture ignore_above: 1024 level: extended - name: debug.type + name: architecture normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword - threat.enrichments.indicator.pe.description: - dashed_name: threat-enrichments-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.enrichments.indicator.pe.description + threat.enrichments.indicator.file.elf.byte_order: + dashed_name: threat-enrichments-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.indicator.file.elf.byte_order ignore_above: 1024 level: extended - name: description + name: byte_order normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword - threat.enrichments.indicator.pe.entry_point: - dashed_name: threat-enrichments-indicator-pe-entry-point - description: Relative byte offset to the base of the PE file. 
- example: 25856 - flat_name: threat.enrichments.indicator.pe.entry_point + threat.enrichments.indicator.file.elf.cpu_type: + dashed_name: threat-enrichments-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.indicator.file.elf.cpu_type ignore_above: 1024 level: extended - name: entry_point + name: cpu_type normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword - threat.enrichments.indicator.pe.exports: - dashed_name: threat-enrichments-indicator-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.indicator.pe.exports - ignore_above: 1024 + threat.enrichments.indicator.file.elf.creation_date: + dashed_name: threat-enrichments-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports level: extended name: exports normalize: - array - original_fieldset: pe - short: List of symbols exported by PE - type: keyword - threat.enrichments.indicator.pe.file_version: - dashed_name: threat-enrichments-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.enrichments.indicator.pe.file_version + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened + threat.enrichments.indicator.file.elf.header.abi_version: + dashed_name: threat-enrichments-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended - name: file_version + name: header.abi_version normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword - threat.enrichments.indicator.pe.icon.hash.dhash: - dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.enrichments.indicator.pe.icon.hash.dhash + threat.enrichments.indicator.file.elf.header.class: + dashed_name: threat-enrichments-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.class ignore_above: 1024 level: extended - name: icon.hash.dhash + name: header.class normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. + original_fieldset: elf + short: Header class of the ELF file. type: keyword - threat.enrichments.indicator.pe.imphash: - dashed_name: threat-enrichments-indicator-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.indicator.pe.imphash + threat.enrichments.indicator.file.elf.header.data: + dashed_name: threat-enrichments-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.data ignore_above: 1024 level: extended - name: imphash + name: header.data normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: elf + short: Data table of the ELF header. type: keyword - threat.enrichments.indicator.pe.imports: - dashed_name: threat-enrichments-indicator-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.enrichments.indicator.pe.imports + threat.enrichments.indicator.file.elf.header.entrypoint: + dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.entrypoint + format: string level: extended - name: imports + name: header.entrypoint normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - threat.enrichments.indicator.pe.machine_type: - dashed_name: threat-enrichments-indicator-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.indicator.pe.machine_type + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.enrichments.indicator.file.elf.header.object_version: + dashed_name: threat-enrichments-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' 
+ flat_name: threat.enrichments.indicator.file.elf.header.object_version ignore_above: 1024 level: extended - name: machine_type + name: header.object_version normalize: [] - original_fieldset: pe - short: Machine type of the PE file. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword - threat.enrichments.indicator.pe.original_file_name: - dashed_name: threat-enrichments-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.enrichments.indicator.pe.original_file_name + threat.enrichments.indicator.file.elf.header.os_abi: + dashed_name: threat-enrichments-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.indicator.file.elf.header.os_abi + ignore_above: 1024 level: extended - name: original_file_name + name: header.os_abi normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: wildcard - threat.enrichments.indicator.pe.packers: - dashed_name: threat-enrichments-indicator-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.indicator.pe.packers + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.enrichments.indicator.file.elf.header.type: + dashed_name: threat-enrichments-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.type ignore_above: 1024 level: extended - name: packers - normalize: - - array - original_fieldset: pe - short: List of packers and tools used. + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. 
type: keyword - threat.enrichments.indicator.pe.product: - dashed_name: threat-enrichments-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.indicator.pe.product + threat.enrichments.indicator.file.elf.header.version: + dashed_name: threat-enrichments-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.version ignore_above: 1024 level: extended - name: product + name: header.version normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: elf + short: Version of the ELF header. type: keyword - threat.enrichments.indicator.pe.resources: - dashed_name: threat-enrichments-indicator-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.indicator.pe.resources + threat.enrichments.indicator.file.elf.imports: + dashed_name: threat-enrichments-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports level: extended - name: resources + name: imports normalize: - array - original_fieldset: pe - short: PE resource information + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.enrichments.indicator.file.elf.sections: + dashed_name: threat-enrichments-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
+ flat_name: threat.enrichments.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. type: nested - threat.enrichments.indicator.pe.resources.chi2: - dashed_name: threat-enrichments-indicator-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.enrichments.indicator.pe.resources.chi2 + threat.enrichments.indicator.file.elf.sections.chi2: + dashed_name: threat-enrichments-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.indicator.file.elf.sections.chi2 + format: number level: extended - name: resources.chi2 + name: sections.chi2 normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. + original_fieldset: elf + short: Chi-square probability distribution of the section. type: long - threat.enrichments.indicator.pe.resources.entropy: - dashed_name: threat-enrichments-indicator-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.enrichments.indicator.pe.resources.entropy + threat.enrichments.indicator.file.elf.sections.entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.entropy + format: number level: extended - name: resources.entropy + name: sections.entropy normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. + original_fieldset: elf + short: Shannon entropy calculation from the section. type: long - threat.enrichments.indicator.pe.resources.filetype: - dashed_name: threat-enrichments-indicator-pe-resources-filetype - description: File type of the resources section. 
- example: Data - flat_name: threat.enrichments.indicator.pe.resources.filetype + threat.enrichments.indicator.file.elf.sections.flags: + dashed_name: threat-enrichments-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: resources.filetype + name: sections.flags normalize: [] - original_fieldset: pe - short: File type of the resources section. + original_fieldset: elf + short: ELF Section List flags. type: keyword - threat.enrichments.indicator.pe.resources.language: - dashed_name: threat-enrichments-indicator-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.indicator.pe.resources.language + threat.enrichments.indicator.file.elf.sections.name: + dashed_name: threat-enrichments-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.enrichments.indicator.file.elf.sections.name ignore_above: 1024 level: extended - name: resources.language + name: sections.name normalize: [] - original_fieldset: pe - short: Language identification. + original_fieldset: elf + short: ELF Section List name. type: keyword - threat.enrichments.indicator.pe.resources.sha256: - dashed_name: threat-enrichments-indicator-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.indicator.pe.resources.sha256 + threat.enrichments.indicator.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - name: resources.sha256 + name: sections.physical_offset normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. 
+ original_fieldset: elf + short: ELF Section List offset. type: keyword - threat.enrichments.indicator.pe.resources.type: - dashed_name: threat-enrichments-indicator-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.indicator.pe.resources.type + threat.enrichments.indicator.file.elf.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.enrichments.indicator.file.elf.sections.type: + dashed_name: threat-enrichments-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.indicator.file.elf.sections.type ignore_above: 1024 level: extended - name: resources.type + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + threat.enrichments.indicator.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + threat.enrichments.indicator.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. 
+ type: long + threat.enrichments.indicator.file.elf.segments: + dashed_name: threat-enrichments-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.enrichments.indicator.file.elf.segments + level: extended + name: segments normalize: - array - original_fieldset: pe - short: List of resource types. + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.enrichments.indicator.file.elf.segments.sections: + dashed_name: threat-enrichments-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. type: keyword - threat.enrichments.indicator.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5 + threat.enrichments.indicator.file.elf.segments.type: + dashed_name: threat-enrichments-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.indicator.file.elf.segments.type ignore_above: 1024 level: extended - name: rich_header.hash.md5 + name: segments.type normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. + original_fieldset: elf + short: ELF object segment type. 
type: keyword - threat.enrichments.indicator.pe.sections: - dashed_name: threat-enrichments-indicator-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.enrichments.indicator.pe.sections + threat.enrichments.indicator.file.elf.shared_libraries: + dashed_name: threat-enrichments-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.indicator.file.elf.shared_libraries + ignore_above: 1024 level: extended - name: sections + name: shared_libraries normalize: - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - threat.enrichments.indicator.pe.sections.chi2: - dashed_name: threat-enrichments-indicator-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.enrichments.indicator.pe.sections.chi2 + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + threat.enrichments.indicator.file.elf.telfhash: + dashed_name: threat-enrichments-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.enrichments.indicator.file.elf.telfhash + ignore_above: 1024 level: extended - name: sections.chi2 + name: telfhash normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - threat.enrichments.indicator.pe.sections.entropy: - dashed_name: threat-enrichments-indicator-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.enrichments.indicator.pe.sections.entropy + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + threat.enrichments.indicator.file.extension: + dashed_name: threat-enrichments-indicator-file-extension + description: 'File extension, excluding the leading dot. 
+ + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.file.extension + ignore_above: 1024 level: extended - name: sections.entropy + name: extension normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float - threat.enrichments.indicator.pe.sections.flags: - dashed_name: threat-enrichments-indicator-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.enrichments.indicator.pe.sections.flags + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.enrichments.indicator.file.gid: + dashed_name: threat-enrichments-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.indicator.file.gid ignore_above: 1024 level: extended - name: sections.flags + name: gid normalize: [] - original_fieldset: pe - short: Section flags of the file. + original_fieldset: file + short: Primary group ID (GID) of the file. type: keyword - threat.enrichments.indicator.pe.sections.name: - dashed_name: threat-enrichments-indicator-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.enrichments.indicator.pe.sections.name + threat.enrichments.indicator.file.group: + dashed_name: threat-enrichments-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.indicator.file.group ignore_above: 1024 level: extended - name: sections.name + name: group normalize: [] - original_fieldset: pe - short: Section names of the file. + original_fieldset: file + short: Primary group name of the file. 
type: keyword - threat.enrichments.indicator.pe.sections.raw_size: - dashed_name: threat-enrichments-indicator-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.enrichments.indicator.pe.sections.raw_size - format: bytes + threat.enrichments.indicator.file.inode: + dashed_name: threat-enrichments-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.indicator.file.inode + ignore_above: 1024 level: extended - name: sections.raw_size + name: inode normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - threat.enrichments.indicator.pe.sections.virtual_address: - dashed_name: threat-enrichments-indicator-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.enrichments.indicator.pe.sections.virtual_address - format: bytes + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword + threat.enrichments.indicator.file.mime_type: + dashed_name: threat-enrichments-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.enrichments.indicator.file.mime_type + ignore_above: 1024 level: extended - name: sections.virtual_address + name: mime_type normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long - threat.enrichments.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). 
- example: 443 - flat_name: threat.enrichments.indicator.port - level: extended - name: enrichments.indicator.port - normalize: [] - short: Indicator port - type: long - threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.enrichments.indicator.provider - ignore_above: 1024 - level: extended - name: enrichments.indicator.provider - normalize: [] - short: Indicator provider + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. type: keyword - threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.enrichments.indicator.reference + threat.enrichments.indicator.file.mode: + dashed_name: threat-enrichments-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.indicator.file.mode ignore_above: 1024 level: extended - name: enrichments.indicator.reference + name: mode normalize: [] - short: Indicator reference URL + original_fieldset: file + short: Mode of the file in octal representation. type: keyword - threat.enrichments.indicator.registry.data.bytes: - dashed_name: threat-enrichments-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' 
- example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.indicator.registry.data.bytes - ignore_above: 1024 + threat.enrichments.indicator.file.mtime: + dashed_name: threat-enrichments-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.indicator.file.mtime level: extended - name: data.bytes + name: mtime normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword - threat.enrichments.indicator.registry.data.strings: - dashed_name: threat-enrichments-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.indicator.registry.data.strings - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. - type: wildcard - threat.enrichments.indicator.registry.data.type: - dashed_name: threat-enrichments-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.indicator.registry.data.type + original_fieldset: file + short: Last time the file content was modified. + type: date + threat.enrichments.indicator.file.name: + dashed_name: threat-enrichments-indicator-file-name + description: Name of the file including the extension, without the directory. 
+ example: example.png + flat_name: threat.enrichments.indicator.file.name ignore_above: 1024 - level: core - name: data.type + level: extended + name: name normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword - threat.enrichments.indicator.registry.hive: - dashed_name: threat-enrichments-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.indicator.registry.hive + threat.enrichments.indicator.file.owner: + dashed_name: threat-enrichments-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.indicator.file.owner ignore_above: 1024 - level: core - name: hive + level: extended + name: owner normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: file + short: File owner's username. type: keyword - threat.enrichments.indicator.registry.key: - dashed_name: threat-enrichments-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.indicator.registry.key - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. - type: wildcard - threat.enrichments.indicator.registry.path: - dashed_name: threat-enrichments-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.indicator.registry.path - level: core + threat.enrichments.indicator.file.path: + dashed_name: threat-enrichments-indicator-file-path + description: Full path to the file, including the file name. 
It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.file.path.text + name: text + norms: false + type: text name: path normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + original_fieldset: file + short: Full path to the file, including the file name. type: wildcard - threat.enrichments.indicator.registry.value: - dashed_name: threat-enrichments-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.indicator.registry.value - ignore_above: 1024 - level: core - name: value - normalize: [] - original_fieldset: registry - short: Name of the value written. - type: keyword - threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - flat_name: threat.enrichments.indicator.scanner_stats + threat.enrichments.indicator.file.size: + dashed_name: threat-enrichments-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.indicator.file.size level: extended - name: enrichments.indicator.scanner_stats + name: size normalize: [] - short: Scanner statistics + original_fieldset: file + short: File size in bytes. type: long - threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. 
- example: 20 - flat_name: threat.enrichments.indicator.sightings + threat.enrichments.indicator.file.target_path: + dashed_name: threat-enrichments-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.enrichments.indicator.file.target_path level: extended - name: enrichments.indicator.sightings + multi_fields: + - flat_name: threat.enrichments.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path normalize: [] - short: Number of times indicator observed - type: long - threat.enrichments.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.enrichments.indicator.type + original_fieldset: file + short: Target path for symlinks. + type: wildcard + threat.enrichments.indicator.file.type: + dashed_name: threat-enrichments-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.indicator.file.type ignore_above: 1024 level: extended - name: enrichments.indicator.type + name: type normalize: [] - short: Type of indicator + original_fieldset: file + short: File type (file, dir, or symlink). type: keyword - threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. 
- example: bad-domain.com - flat_name: threat.enrichments.matched.atomic + threat.enrichments.indicator.file.uid: + dashed_name: threat-enrichments-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.indicator.file.uid ignore_above: 1024 level: extended - name: enrichments.matched.atomic + name: uid normalize: [] - short: Matched indicator value + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword - threat.enrichments.matched.field: + threat.enrichments.indicator.first_seen: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field - ignore_above: 1024 + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen level: extended - name: enrichments.matched.field + name: enrichments.indicator.first_seen normalize: [] - short: Matched indicator field - type: keyword - threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id + short: Date/time indicator was first reported. + type: date + threat.enrichments.indicator.geo.city_name: + dashed_name: threat-enrichments-indicator-geo-city-name + description: City name. 
+ example: Montreal + flat_name: threat.enrichments.indicator.geo.city_name ignore_above: 1024 - level: extended - name: enrichments.matched.id + level: core + name: city_name normalize: [] - short: Matched indicator identifier + original_fieldset: geo + short: City name. type: keyword - threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index + threat.enrichments.indicator.geo.continent_code: + dashed_name: threat-enrichments-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: enrichments.matched.index + level: core + name: continent_code normalize: [] - short: Matched indicator index + original_fieldset: geo + short: Continent code. type: keyword - threat.enrichments.matched.type: + threat.enrichments.indicator.geo.continent_name: + dashed_name: threat-enrichments-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.enrichments.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.enrichments.indicator.geo.country_iso_code: + dashed_name: threat-enrichments-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.enrichments.indicator.geo.country_name: + dashed_name: threat-enrichments-indicator-geo-country-name + description: Country name. 
+ example: Canada + flat_name: threat.enrichments.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.enrichments.indicator.geo.location: + dashed_name: threat-enrichments-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.enrichments.indicator.geo.name: + dashed_name: threat-enrichments-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + threat.enrichments.indicator.geo.postal_code: + dashed_name: threat-enrichments-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.enrichments.indicator.geo.region_iso_code: + dashed_name: threat-enrichments-indicator-geo-region-iso-code + description: Region ISO code. 
+ example: CA-QC + flat_name: threat.enrichments.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.enrichments.indicator.geo.region_name: + dashed_name: threat-enrichments-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + threat.enrichments.indicator.geo.timezone: + dashed_name: threat-enrichments-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + threat.enrichments.indicator.hash.md5: + dashed_name: threat-enrichments-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.enrichments.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.enrichments.indicator.hash.sha1: + dashed_name: threat-enrichments-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + threat.enrichments.indicator.hash.sha256: + dashed_name: threat-enrichments-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. 
+ type: keyword + threat.enrichments.indicator.hash.sha512: + dashed_name: threat-enrichments-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.enrichments.indicator.hash.ssdeep: + dashed_name: threat-enrichments-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + threat.enrichments.indicator.ip: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen + level: extended + name: enrichments.indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. 
Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 level: extended - name: enrichments.matched.type + name: enrichments.indicator.marking.tlp normalize: [] - short: Type of indicator match + short: Indicator TLP marking type: keyword - threat.enrichments.pe.architecture: - dashed_name: threat-enrichments-pe-architecture + threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at + level: extended + name: enrichments.indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: threat.enrichments.pe.architecture + flat_name: threat.enrichments.indicator.pe.architecture ignore_above: 1024 level: extended name: architecture @@ -15235,11 +15412,11 @@ threat: original_fieldset: pe short: CPU architecture target for the file. type: keyword - threat.enrichments.pe.authentihash: - dashed_name: threat-enrichments-pe-authentihash + threat.enrichments.indicator.pe.authentihash: + dashed_name: threat-enrichments-indicator-pe-authentihash description: Authentihash of the PE file. example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.pe.authentihash + flat_name: threat.enrichments.indicator.pe.authentihash ignore_above: 1024 level: extended name: authentihash 
@@ -15247,11 +15424,11 @@ threat: original_fieldset: pe short: Authentihash of the PE file. type: keyword - threat.enrichments.pe.company: - dashed_name: threat-enrichments-pe-company + threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: threat.enrichments.pe.company + flat_name: threat.enrichments.indicator.pe.company ignore_above: 1024 level: extended name: company @@ -15259,22 +15436,22 @@ threat: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - threat.enrichments.pe.compile_timestamp: - dashed_name: threat-enrichments-pe-compile-timestamp + threat.enrichments.indicator.pe.compile_timestamp: + dashed_name: threat-enrichments-indicator-pe-compile-timestamp description: Compile timestamp of the PE file. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.compile_timestamp + flat_name: threat.enrichments.indicator.pe.compile_timestamp level: extended name: compile_timestamp normalize: [] original_fieldset: pe short: Compile timestamp of the PE file. type: date - threat.enrichments.pe.compiler.name: - dashed_name: threat-enrichments-pe-compiler-name + threat.enrichments.indicator.pe.compiler.name: + dashed_name: threat-enrichments-indicator-pe-compiler-name description: Name of the compiler example: Clang - flat_name: threat.enrichments.pe.compiler.name + flat_name: threat.enrichments.indicator.pe.compiler.name ignore_above: 1024 level: extended name: compiler.name 
@@ -15282,11 +15459,11 @@ threat: original_fieldset: pe short: Name of the compiler type: keyword - threat.enrichments.pe.compiler.version: - dashed_name: threat-enrichments-pe-compiler-version + threat.enrichments.indicator.pe.compiler.version: + dashed_name: threat-enrichments-indicator-pe-compiler-version description: Version of the compiler. example: 11.0.0 - flat_name: threat.enrichments.pe.compiler.version + flat_name: threat.enrichments.indicator.pe.compiler.version ignore_above: 1024 level: extended name: compiler.version @@ -15294,24 +15471,24 @@ threat: original_fieldset: pe short: Version of the compiler. type: keyword - threat.enrichments.pe.creation_date: - dashed_name: threat-enrichments-pe-creation-date + threat.enrichments.indicator.pe.creation_date: + dashed_name: threat-enrichments-indicator-pe-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.creation_date + flat_name: threat.enrichments.indicator.pe.creation_date level: extended name: creation_date normalize: [] original_fieldset: pe short: Build or compile date. type: date - threat.enrichments.pe.debug: - dashed_name: threat-enrichments-pe-debug + threat.enrichments.indicator.pe.debug: + dashed_name: threat-enrichments-indicator-pe-debug description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.enrichments.pe.debug + flat_name: threat.enrichments.indicator.pe.debug level: extended name: debug normalize: 
@@ -15319,11 +15496,11 @@ threat: original_fieldset: pe short: Debug information type: nested - threat.enrichments.pe.debug.offset: - dashed_name: threat-enrichments-pe-debug-offset + threat.enrichments.indicator.pe.debug.offset: + dashed_name: threat-enrichments-indicator-pe-debug-offset description: Debug offset information. example: 1296336 - flat_name: threat.enrichments.pe.debug.offset + flat_name: threat.enrichments.indicator.pe.debug.offset ignore_above: 1024 level: extended name: debug.offset @@ -15331,11 +15508,11 @@ threat: original_fieldset: pe short: Debug offset information. type: keyword - threat.enrichments.pe.debug.size: - dashed_name: threat-enrichments-pe-debug-size + threat.enrichments.indicator.pe.debug.size: + dashed_name: threat-enrichments-indicator-pe-debug-size description: Size of the debug information. example: 816 - flat_name: threat.enrichments.pe.debug.size + flat_name: threat.enrichments.indicator.pe.debug.size format: bytes level: extended name: debug.size 
@@ -15343,22 +15520,22 @@ threat: original_fieldset: pe short: Size of the debug information. type: long - threat.enrichments.pe.debug.timestamp: - dashed_name: threat-enrichments-pe-debug-timestamp + threat.enrichments.indicator.pe.debug.timestamp: + dashed_name: threat-enrichments-indicator-pe-debug-timestamp description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.debug.timestamp + flat_name: threat.enrichments.indicator.pe.debug.timestamp level: extended name: debug.timestamp normalize: [] original_fieldset: pe short: Timestamp of the debug information. type: date - threat.enrichments.pe.debug.type: - dashed_name: threat-enrichments-pe-debug-type + threat.enrichments.indicator.pe.debug.type: + dashed_name: threat-enrichments-indicator-pe-debug-type description: Information type generated by the debug options. example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.pe.debug.type + flat_name: threat.enrichments.indicator.pe.debug.type ignore_above: 1024 level: extended name: debug.type @@ -15366,11 +15543,11 @@ threat: original_fieldset: pe short: Information type generated by the debug options. type: keyword - threat.enrichments.pe.description: - dashed_name: threat-enrichments-pe-description + threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: threat.enrichments.pe.description + flat_name: threat.enrichments.indicator.pe.description ignore_above: 1024 level: extended name: description 
@@ -15378,11 +15555,11 @@ threat: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - threat.enrichments.pe.entry_point: - dashed_name: threat-enrichments-pe-entry-point + threat.enrichments.indicator.pe.entry_point: + dashed_name: threat-enrichments-indicator-pe-entry-point description: Relative byte offset to the base of the PE file. example: 25856 - flat_name: threat.enrichments.pe.entry_point + flat_name: threat.enrichments.indicator.pe.entry_point ignore_above: 1024 level: extended name: entry_point @@ -15390,11 +15567,11 @@ threat: original_fieldset: pe short: Relative byte offset to the base of the PE file. type: keyword - threat.enrichments.pe.exports: - dashed_name: threat-enrichments-pe-exports + threat.enrichments.indicator.pe.exports: + dashed_name: threat-enrichments-indicator-pe-exports description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.pe.exports + flat_name: threat.enrichments.indicator.pe.exports ignore_above: 1024 level: extended name: exports @@ -15403,11 +15580,11 @@ threat: original_fieldset: pe short: List of symbols exported by PE type: keyword - threat.enrichments.pe.file_version: - dashed_name: threat-enrichments-pe-file-version + threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: threat.enrichments.pe.file_version + flat_name: threat.enrichments.indicator.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -15415,12 +15592,12 @@ threat: original_fieldset: pe short: Process name. type: keyword - threat.enrichments.pe.icon.hash.dhash: - dashed_name: threat-enrichments-pe-icon-hash-dhash + threat.enrichments.indicator.pe.icon.hash.dhash: + dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash description: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. example: b806e17c8e330d82 - flat_name: threat.enrichments.pe.icon.hash.dhash + flat_name: threat.enrichments.indicator.pe.icon.hash.dhash ignore_above: 1024 level: extended name: icon.hash.dhash @@ -15429,15 +15606,15 @@ threat: short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword - threat.enrichments.pe.imphash: - dashed_name: threat-enrichments-pe-imphash + threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.pe.imphash + flat_name: threat.enrichments.indicator.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -15445,23 +15622,23 @@ threat: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - threat.enrichments.pe.imports: - dashed_name: threat-enrichments-pe-imports + threat.enrichments.indicator.pe.imports: + dashed_name: threat-enrichments-indicator-pe-imports description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' - flat_name: threat.enrichments.pe.imports + flat_name: threat.enrichments.indicator.pe.imports level: extended name: imports normalize: [] original_fieldset: pe short: List of all imported functions type: flattened - threat.enrichments.pe.machine_type: - dashed_name: threat-enrichments-pe-machine-type + threat.enrichments.indicator.pe.machine_type: + dashed_name: threat-enrichments-indicator-pe-machine-type description: Machine type of the PE file. example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.pe.machine_type + flat_name: threat.enrichments.indicator.pe.machine_type ignore_above: 1024 level: extended name: machine_type 
@@ -15469,22 +15646,22 @@ threat: original_fieldset: pe short: Machine type of the PE file. type: keyword - threat.enrichments.pe.original_file_name: - dashed_name: threat-enrichments-pe-original-file-name + threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: threat.enrichments.pe.original_file_name + flat_name: threat.enrichments.indicator.pe.original_file_name level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard - threat.enrichments.pe.packers: - dashed_name: threat-enrichments-pe-packers + threat.enrichments.indicator.pe.packers: + dashed_name: threat-enrichments-indicator-pe-packers description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.pe.packers + flat_name: threat.enrichments.indicator.pe.packers ignore_above: 1024 level: extended name: packers @@ -15493,11 +15670,11 @@ threat: original_fieldset: pe short: List of packers and tools used. type: keyword - threat.enrichments.pe.product: - dashed_name: threat-enrichments-pe-product + threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.pe.product + flat_name: threat.enrichments.indicator.pe.product ignore_above: 1024 level: extended name: product 
@@ -15505,12 +15682,12 @@ threat: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - threat.enrichments.pe.resources: - dashed_name: threat-enrichments-pe-resources + threat.enrichments.indicator.pe.resources: + dashed_name: threat-enrichments-indicator-pe-resources description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.pe.resources + flat_name: threat.enrichments.indicator.pe.resources level: extended name: resources normalize: 
@@ -15518,33 +15695,33 @@ threat: original_fieldset: pe short: PE resource information type: nested - threat.enrichments.pe.resources.chi2: - dashed_name: threat-enrichments-pe-resources-chi2 + threat.enrichments.indicator.pe.resources.chi2: + dashed_name: threat-enrichments-indicator-pe-resources-chi2 description: Chi-square probability distribution. example: -1 - flat_name: threat.enrichments.pe.resources.chi2 + flat_name: threat.enrichments.indicator.pe.resources.chi2 level: extended name: resources.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long - threat.enrichments.pe.resources.entropy: - dashed_name: threat-enrichments-pe-resources-entropy + threat.enrichments.indicator.pe.resources.entropy: + dashed_name: threat-enrichments-indicator-pe-resources-entropy description: Measurement of entropy randomness in the resources section. example: 0, 1 - flat_name: threat.enrichments.pe.resources.entropy + flat_name: threat.enrichments.indicator.pe.resources.entropy level: extended name: resources.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the resources section. type: long - threat.enrichments.pe.resources.filetype: - dashed_name: threat-enrichments-pe-resources-filetype + threat.enrichments.indicator.pe.resources.filetype: + dashed_name: threat-enrichments-indicator-pe-resources-filetype description: File type of the resources section. example: Data - flat_name: threat.enrichments.pe.resources.filetype + flat_name: threat.enrichments.indicator.pe.resources.filetype ignore_above: 1024 level: extended name: resources.filetype 
@@ -15552,11 +15729,11 @@ threat: original_fieldset: pe short: File type of the resources section. type: keyword - threat.enrichments.pe.resources.language: - dashed_name: threat-enrichments-pe-resources-language + threat.enrichments.indicator.pe.resources.language: + dashed_name: threat-enrichments-indicator-pe-resources-language description: Language identification. example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.pe.resources.language + flat_name: threat.enrichments.indicator.pe.resources.language ignore_above: 1024 level: extended name: resources.language @@ -15564,11 +15741,11 @@ threat: original_fieldset: pe short: Language identification. type: keyword - threat.enrichments.pe.resources.sha256: - dashed_name: threat-enrichments-pe-resources-sha256 + threat.enrichments.indicator.pe.resources.sha256: + dashed_name: threat-enrichments-indicator-pe-resources-sha256 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.pe.resources.sha256 + flat_name: threat.enrichments.indicator.pe.resources.sha256 ignore_above: 1024 level: extended name: resources.sha256 @@ -15576,11 +15753,11 @@ threat: original_fieldset: pe short: SHA256 hash of resources section. type: keyword - threat.enrichments.pe.resources.type: - dashed_name: threat-enrichments-pe-resources-type + threat.enrichments.indicator.pe.resources.type: + dashed_name: threat-enrichments-indicator-pe-resources-type description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.pe.resources.type + flat_name: threat.enrichments.indicator.pe.resources.type ignore_above: 1024 level: extended name: resources.type 
@@ -15589,11 +15766,11 @@ threat: original_fieldset: pe short: List of resource types. type: keyword - threat.enrichments.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-pe-rich-header-hash-md5 + threat.enrichments.indicator.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.pe.rich_header.hash.md5 + flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5 ignore_above: 1024 level: extended name: rich_header.hash.md5 @@ -15601,10 +15778,10 @@ threat: original_fieldset: pe short: MD5 hash of the header for the PE file. type: keyword - threat.enrichments.pe.sections: - dashed_name: threat-enrichments-pe-sections + threat.enrichments.indicator.pe.sections: + dashed_name: threat-enrichments-indicator-pe-sections description: Data about sections of compiled binary PE - flat_name: threat.enrichments.pe.sections + flat_name: threat.enrichments.indicator.pe.sections level: extended name: sections normalize: 
@@ -15612,33 +15789,33 @@ threat: original_fieldset: pe short: Data about sections of the compiled binary PE type: nested - threat.enrichments.pe.sections.chi2: - dashed_name: threat-enrichments-pe-sections-chi2 + threat.enrichments.indicator.pe.sections.chi2: + dashed_name: threat-enrichments-indicator-pe-sections-chi2 description: Chi-square probability distribution. example: 3027194 - flat_name: threat.enrichments.pe.sections.chi2 + flat_name: threat.enrichments.indicator.pe.sections.chi2 level: extended name: sections.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long - threat.enrichments.pe.sections.entropy: - dashed_name: threat-enrichments-pe-sections-entropy + threat.enrichments.indicator.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-pe-sections-entropy description: Measurement of entropy randomness in the file. example: 6.24 - flat_name: threat.enrichments.pe.sections.entropy + flat_name: threat.enrichments.indicator.pe.sections.entropy level: extended name: sections.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the file. type: float - threat.enrichments.pe.sections.flags: - dashed_name: threat-enrichments-pe-sections-flags + threat.enrichments.indicator.pe.sections.flags: + dashed_name: threat-enrichments-indicator-pe-sections-flags description: Section flags of the file. example: rx - flat_name: threat.enrichments.pe.sections.flags + flat_name: threat.enrichments.indicator.pe.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -15646,11 +15823,11 @@ threat: original_fieldset: pe short: Section flags of the file. type: keyword - threat.enrichments.pe.sections.name: - dashed_name: threat-enrichments-pe-sections-name + threat.enrichments.indicator.pe.sections.name: + dashed_name: threat-enrichments-indicator-pe-sections-name description: Section names of the file. example: .text, .data - flat_name: threat.enrichments.pe.sections.name + flat_name: threat.enrichments.indicator.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -15658,11 +15835,11 @@ threat: original_fieldset: pe short: Section names of the file. type: keyword - threat.enrichments.pe.sections.raw_size: - dashed_name: threat-enrichments-pe-sections-raw-size + threat.enrichments.indicator.pe.sections.raw_size: + dashed_name: threat-enrichments-indicator-pe-sections-raw-size description: Size of the section or the dize of the initialized data on disk. example: 198144 - flat_name: threat.enrichments.pe.sections.raw_size + flat_name: threat.enrichments.indicator.pe.sections.raw_size format: bytes level: extended name: sections.raw_size @@ -15670,11 +15847,11 @@ threat: original_fieldset: pe short: Size of the section or the dize of the initialized data on disk. type: long - threat.enrichments.pe.sections.virtual_address: - dashed_name: threat-enrichments-pe-sections-virtual-address + threat.enrichments.indicator.pe.sections.virtual_address: + dashed_name: threat-enrichments-indicator-pe-sections-virtual-address description: Virtual address available to the file. example: 8192 - flat_name: threat.enrichments.pe.sections.virtual_address + flat_name: threat.enrichments.indicator.pe.sections.virtual_address format: bytes level: extended name: sections.virtual_address 
@@ -15682,15 +15859,51 @@ threat: original_fieldset: pe short: Virtual address available to the file. type: long - threat.enrichments.registry.data.bytes: - dashed_name: threat-enrichments-registry-data-bytes + threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long + threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider + ignore_above: 1024 + level: extended + name: enrichments.indicator.provider + normalize: [] + short: Indicator provider + type: keyword + threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference + ignore_above: 1024 + level: extended + name: enrichments.indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword + threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' 
example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.registry.data.bytes + flat_name: threat.enrichments.indicator.registry.data.bytes ignore_above: 1024 level: extended name: data.bytes @@ -15698,8 +15911,8 @@ threat: original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword - threat.enrichments.registry.data.strings: - dashed_name: threat-enrichments-registry-data-strings + threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single @@ -15708,7 +15921,7 @@ threat: variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.registry.data.strings + flat_name: threat.enrichments.indicator.registry.data.strings level: core name: data.strings normalize: @@ -15716,11 +15929,11 @@ threat: original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard - threat.enrichments.registry.data.type: - dashed_name: threat-enrichments-registry-data-type + threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type description: Standard registry type for encoding contents example: REG_SZ - flat_name: threat.enrichments.registry.data.type + flat_name: threat.enrichments.indicator.registry.data.type ignore_above: 1024 level: core name: data.type 
@@ -15728,11 +15941,11 @@ threat: original_fieldset: registry short: Standard registry type for encoding contents type: keyword - threat.enrichments.registry.hive: - dashed_name: threat-enrichments-registry-hive + threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive description: Abbreviated name for the hive. example: HKLM - flat_name: threat.enrichments.registry.hive + flat_name: threat.enrichments.indicator.registry.hive ignore_above: 1024 level: core name: hive 
@@ -15740,34 +15953,34 @@ threat: original_fieldset: registry short: Abbreviated name for the hive. type: keyword - threat.enrichments.registry.key: - dashed_name: threat-enrichments-registry-key + threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.registry.key + flat_name: threat.enrichments.indicator.registry.key level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: wildcard - threat.enrichments.registry.path: - dashed_name: threat-enrichments-registry-path + threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - flat_name: threat.enrichments.registry.path + flat_name: threat.enrichments.indicator.registry.path level: core name: path normalize: [] original_fieldset: registry short: Full path, including hive, key and value type: wildcard - threat.enrichments.registry.value: - dashed_name: threat-enrichments-registry-value + threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value description: Name of the value written. example: Debugger - flat_name: threat.enrichments.registry.value + flat_name: threat.enrichments.indicator.registry.value ignore_above: 1024 level: core name: value 
@@ -15775,28 +15988,67 @@ threat: original_fieldset: registry short: Name of the value written. type: keyword - threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co - flat_name: threat.enrichments.url.domain + threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats level: extended - name: domain + name: enrichments.indicator.scanner_stats normalize: [] - original_fieldset: url - short: Domain of the url. - type: wildcard - threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request - url, excluding the leading dot. + short: Scanner statistics + type: long + threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.enrichments.indicator.type: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type + ignore_above: 1024 + level: extended + name: enrichments.indicator.type + normalize: [] + short: Type of indicator + type: keyword + threat.enrichments.indicator.url.domain: + dashed_name: threat-enrichments-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.enrichments.indicator.url.domain + level: extended + name: domain + normalize: [] + original_fieldset: url + short: Domain of the url. + type: wildcard + threat.enrichments.indicator.url.extension: + dashed_name: threat-enrichments-indicator-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. @@ -15806,7 +16058,7 @@ threat: Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.url.extension + flat_name: threat.enrichments.indicator.url.extension ignore_above: 1024 level: extended name: extension 
@@ -15814,12 +16066,12 @@ threat: original_fieldset: url short: File extension from the request url, excluding the leading dot. type: keyword - threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment + threat.enrichments.indicator.url.fragment: + dashed_name: threat-enrichments-indicator-url-fragment description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + flat_name: threat.enrichments.indicator.url.fragment ignore_above: 1024 level: extended name: fragment @@ -15827,16 +16079,16 @@ threat: original_fieldset: url short: Portion of the url after the `#`. type: keyword - threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full + threat.enrichments.indicator.url.full: + dashed_name: threat-enrichments-indicator-url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + flat_name: threat.enrichments.indicator.url.full level: extended multi_fields: - - flat_name: threat.enrichments.url.full.text + - flat_name: threat.enrichments.indicator.url.full.text name: text norms: false type: text @@ -15845,8 +16097,8 @@ threat: original_fieldset: url short: Full unparsed URL. type: wildcard - threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original + threat.enrichments.indicator.url.original: + dashed_name: threat-enrichments-indicator-url-original description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas 
@@ -15854,10 +16106,10 @@ threat: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + flat_name: threat.enrichments.indicator.url.original level: extended multi_fields: - - flat_name: threat.enrichments.url.original.text + - flat_name: threat.enrichments.indicator.url.original.text name: text norms: false type: text @@ -15866,10 +16118,10 @@ threat: original_fieldset: url short: Unmodified original url as seen in the event source. type: wildcard - threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password + threat.enrichments.indicator.url.password: + dashed_name: threat-enrichments-indicator-url-password description: Password of the request. - flat_name: threat.enrichments.url.password + flat_name: threat.enrichments.indicator.url.password ignore_above: 1024 level: extended name: password @@ -15877,21 +16129,21 @@ threat: original_fieldset: url short: Password of the request. type: keyword - threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path + threat.enrichments.indicator.url.path: + dashed_name: threat-enrichments-indicator-url-path description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path + flat_name: threat.enrichments.indicator.url.path level: extended name: path normalize: [] original_fieldset: url short: Path of the request, such as "/search". type: wildcard - threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port + threat.enrichments.indicator.url.port: + dashed_name: threat-enrichments-indicator-url-port description: Port of the request, such as 443. example: 443 - flat_name: threat.enrichments.url.port + flat_name: threat.enrichments.indicator.url.port format: string level: extended name: port 
@@ -15899,8 +16151,8 @@ threat: original_fieldset: url short: Port of the request, such as 443. type: long - threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query + threat.enrichments.indicator.url.query: + dashed_name: threat-enrichments-indicator-url-query description: 'The query field describes the query string of the request, such as "q=elasticsearch". @@ -15908,7 +16160,7 @@ threat: is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - flat_name: threat.enrichments.url.query + flat_name: threat.enrichments.indicator.url.query ignore_above: 1024 level: extended name: query @@ -15916,8 +16168,8 @@ threat: original_fieldset: url short: Query string of the request. type: keyword - threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain + threat.enrichments.indicator.url.registered_domain: + dashed_name: threat-enrichments-indicator-url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -15926,20 +16178,20 @@ threat: list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - flat_name: threat.enrichments.url.registered_domain + flat_name: threat.enrichments.indicator.url.registered_domain level: extended name: registered_domain normalize: [] original_fieldset: url short: The highest registered url domain, stripped of the subdomain. type: wildcard - threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme + threat.enrichments.indicator.url.scheme: + dashed_name: threat-enrichments-indicator-url-scheme description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - flat_name: threat.enrichments.url.scheme + flat_name: threat.enrichments.indicator.url.scheme ignore_above: 1024 level: extended name: scheme @@ -15947,8 +16199,8 @@ threat: original_fieldset: url short: Scheme of the url. type: keyword - threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain + threat.enrichments.indicator.url.subdomain: + dashed_name: threat-enrichments-indicator-url-subdomain description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot @@ -15958,7 +16210,7 @@ threat: If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east - flat_name: threat.enrichments.url.subdomain + flat_name: threat.enrichments.indicator.url.subdomain ignore_above: 1024 level: extended name: subdomain 
@@ -15966,8 +16218,8 @@ threat: original_fieldset: url short: The subdomain of the domain. type: keyword - threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain + threat.enrichments.indicator.url.top_level_domain: + dashed_name: threat-enrichments-indicator-url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -15976,7 +16228,7 @@ threat: list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - flat_name: threat.enrichments.url.top_level_domain + flat_name: threat.enrichments.indicator.url.top_level_domain ignore_above: 1024 level: extended name: top_level_domain @@ -15984,10 +16236,10 @@ threat: original_fieldset: url short: The effective top level domain (com, org, net, co.uk). type: keyword - threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username + threat.enrichments.indicator.url.username: + dashed_name: threat-enrichments-indicator-url-username description: Username of the request. - flat_name: threat.enrichments.url.username + flat_name: threat.enrichments.indicator.url.username ignore_above: 1024 level: extended name: username 
@@ -15995,13 +16247,13 @@ threat: original_fieldset: url short: Username of the request. type: keyword - threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names + threat.enrichments.indicator.x509.alternative_names: + dashed_name: threat-enrichments-indicator-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + flat_name: threat.enrichments.indicator.x509.alternative_names ignore_above: 1024 level: extended name: alternative_names @@ -16010,11 +16262,11 @@ threat: original_fieldset: x509 short: List of subject alternative names (SAN). type: keyword - threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name + threat.enrichments.indicator.x509.issuer.common_name: + dashed_name: threat-enrichments-indicator-x509-issuer-common-name description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + flat_name: threat.enrichments.indicator.x509.issuer.common_name ignore_above: 1024 level: extended name: issuer.common_name @@ -16023,11 +16275,11 @@ threat: original_fieldset: x509 short: List of common name (CN) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country + threat.enrichments.indicator.x509.issuer.country: + dashed_name: threat-enrichments-indicator-x509-issuer-country description: List of country (C) codes example: US - flat_name: threat.enrichments.x509.issuer.country + flat_name: threat.enrichments.indicator.x509.issuer.country ignore_above: 1024 level: extended name: issuer.country 
@@ -16036,23 +16288,23 @@ threat: original_fieldset: x509 short: List of country (C) codes type: keyword - threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name + threat.enrichments.indicator.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. type: wildcard - threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality + threat.enrichments.indicator.x509.issuer.locality: + dashed_name: threat-enrichments-indicator-x509-issuer-locality description: List of locality names (L) example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + flat_name: threat.enrichments.indicator.x509.issuer.locality ignore_above: 1024 level: extended name: issuer.locality @@ -16061,11 +16313,11 @@ threat: original_fieldset: x509 short: List of locality names (L) type: keyword - threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization + threat.enrichments.indicator.x509.issuer.organization: + dashed_name: threat-enrichments-indicator-x509-issuer-organization description: List of organizations (O) of issuing certificate authority. example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + flat_name: threat.enrichments.indicator.x509.issuer.organization ignore_above: 1024 level: extended name: issuer.organization 
@@ -16074,11 +16326,11 @@ threat: original_fieldset: x509 short: List of organizations (O) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit + threat.enrichments.indicator.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit description: List of organizational units (OU) of issuing certificate authority. example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended name: issuer.organizational_unit @@ -16087,11 +16339,11 @@ threat: original_fieldset: x509 short: List of organizational units (OU) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province + threat.enrichments.indicator.x509.issuer.state_or_province: + dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + flat_name: threat.enrichments.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended name: issuer.state_or_province 
@@ -16100,33 +16352,33 @@ threat: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after + threat.enrichments.indicator.x509.not_after: + dashed_name: threat-enrichments-indicator-x509-not-after description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + flat_name: threat.enrichments.indicator.x509.not_after level: extended name: not_after normalize: [] original_fieldset: x509 short: Time at which the certificate is no longer considered valid. type: date - threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before + threat.enrichments.indicator.x509.not_before: + dashed_name: threat-enrichments-indicator-x509-not-before description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + flat_name: threat.enrichments.indicator.x509.not_before level: extended name: not_before normalize: [] original_fieldset: x509 short: Time at which the certificate is first considered valid. type: date - threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm + threat.enrichments.indicator.x509.public_key_algorithm: + dashed_name: threat-enrichments-indicator-x509-public-key-algorithm description: Algorithm used to generate the public key. example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + flat_name: threat.enrichments.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended name: public_key_algorithm 
@@ -16134,12 +16386,12 @@ threat: original_fieldset: x509 short: Algorithm used to generate the public key. type: keyword - threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve + threat.enrichments.indicator.x509.public_key_curve: + dashed_name: threat-enrichments-indicator-x509-public-key-curve description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + flat_name: threat.enrichments.indicator.x509.public_key_curve ignore_above: 1024 level: extended name: public_key_curve @@ -16148,12 +16400,12 @@ threat: short: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword - threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent + threat.enrichments.indicator.x509.public_key_exponent: + dashed_name: threat-enrichments-indicator-x509-public-key-exponent description: Exponent used to derive the public key. This is algorithm specific. doc_values: false example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent + flat_name: threat.enrichments.indicator.x509.public_key_exponent index: false level: extended name: public_key_exponent 
@@ -16161,24 +16413,24 @@ threat: original_fieldset: x509 short: Exponent used to derive the public key. This is algorithm specific. type: long - threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size + threat.enrichments.indicator.x509.public_key_size: + dashed_name: threat-enrichments-indicator-x509-public-key-size description: The size of the public key space in bits. example: 2048 - flat_name: threat.enrichments.x509.public_key_size + flat_name: threat.enrichments.indicator.x509.public_key_size level: extended name: public_key_size normalize: [] original_fieldset: x509 short: The size of the public key space in bits. type: long - threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number + threat.enrichments.indicator.x509.serial_number: + dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 level: extended name: serial_number 
@@ -16186,12 +16438,12 @@ threat: original_fieldset: x509 short: Unique serial number issued by the certificate authority. type: keyword - threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm + threat.enrichments.indicator.x509.signature_algorithm: + dashed_name: threat-enrichments-indicator-x509-signature-algorithm description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + flat_name: threat.enrichments.indicator.x509.signature_algorithm ignore_above: 1024 level: extended name: signature_algorithm @@ -16199,11 +16451,11 @@ threat: original_fieldset: x509 short: Identifier for certificate signature algorithm. type: keyword - threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name + threat.enrichments.indicator.x509.subject.common_name: + dashed_name: threat-enrichments-indicator-x509-subject-common-name description: List of common names (CN) of subject. example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + flat_name: threat.enrichments.indicator.x509.subject.common_name ignore_above: 1024 level: extended name: subject.common_name @@ -16212,11 +16464,11 @@ threat: original_fieldset: x509 short: List of common names (CN) of subject. type: keyword - threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country + threat.enrichments.indicator.x509.subject.country: + dashed_name: threat-enrichments-indicator-x509-subject-country description: List of country (C) code example: US - flat_name: threat.enrichments.x509.subject.country + flat_name: threat.enrichments.indicator.x509.subject.country ignore_above: 1024 level: extended name: subject.country 
@@ -16225,22 +16477,22 @@ threat: original_fieldset: x509 short: List of country (C) code type: keyword - threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name + threat.enrichments.indicator.x509.subject.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + flat_name: threat.enrichments.indicator.x509.subject.distinguished_name level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. type: wildcard - threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality + threat.enrichments.indicator.x509.subject.locality: + dashed_name: threat-enrichments-indicator-x509-subject-locality description: List of locality names (L) example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + flat_name: threat.enrichments.indicator.x509.subject.locality ignore_above: 1024 level: extended name: subject.locality @@ -16249,11 +16501,11 @@ threat: original_fieldset: x509 short: List of locality names (L) type: keyword - threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization + threat.enrichments.indicator.x509.subject.organization: + dashed_name: threat-enrichments-indicator-x509-subject-organization description: List of organizations (O) of subject. example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + flat_name: threat.enrichments.indicator.x509.subject.organization ignore_above: 1024 level: extended name: subject.organization 
@@ -16262,10 +16514,10 @@ threat: original_fieldset: x509 short: List of organizations (O) of subject. type: keyword - threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit + threat.enrichments.indicator.x509.subject.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit + flat_name: threat.enrichments.indicator.x509.subject.organizational_unit ignore_above: 1024 level: extended name: subject.organizational_unit @@ -16274,11 +16526,11 @@ threat: original_fieldset: x509 short: List of organizational units (OU) of subject. type: keyword - threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province + threat.enrichments.indicator.x509.subject.state_or_province: + dashed_name: threat-enrichments-indicator-x509-subject-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.subject.state_or_province + flat_name: threat.enrichments.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended name: subject.state_or_province @@ -16287,11 +16539,11 @@ threat: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number + threat.enrichments.indicator.x509.version_number: + dashed_name: threat-enrichments-indicator-x509-version-number description: Version of x509 format. example: 3 - flat_name: threat.enrichments.x509.version_number + flat_name: threat.enrichments.indicator.x509.version_number ignore_above: 1024 level: extended name: version_number 
@@ -16299,1726 +16551,2865 @@ threat: original_fieldset: x509 short: Version of x509 format. type: keyword - threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework + threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended - name: framework + name: enrichments.matched.atomic normalize: [] - short: Threat classification framework. + short: Matched indicator value type: keyword - threat.group.alias: + threat.enrichments.matched.field: beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field ignore_above: 1024 level: extended - name: group.alias - normalize: - - array - short: Alias of the group. + name: enrichments.matched.field + normalize: [] + short: Matched indicator field type: keyword - threat.group.id: + threat.enrichments.matched.id: beta: This field is beta and subject to change. 
- dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id ignore_above: 1024 level: extended - name: group.id + name: enrichments.matched.id normalize: [] - short: ID of the group. + short: Matched indicator identifier type: keyword - threat.group.name: + threat.enrichments.matched.index: beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: group.name + name: enrichments.matched.index normalize: [] - short: Name of the group. + short: Matched indicator index type: keyword - threat.group.reference: + threat.enrichments.matched.type: beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." 
- example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type ignore_above: 1024 level: extended - name: group.reference + name: enrichments.matched.type normalize: [] - short: Reference URL of the group. + short: Type of indicator match type: keyword - threat.indicator.as.number: - dashed_name: threat-indicator-as-number - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: threat.indicator.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long - threat.indicator.as.organization.name: - dashed_name: threat-indicator-as-organization-name - description: Organization name. - example: Google LLC - flat_name: threat.indicator.as.organization.name - level: extended - multi_fields: - - flat_name: threat.indicator.as.organization.name.text - name: text - norms: false - type: text - name: organization.name - normalize: [] - original_fieldset: as - short: Organization name. - type: wildcard - threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence + threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: threat.enrichments.pe.architecture ignore_above: 1024 level: extended - name: indicator.confidence + name: architecture normalize: [] - short: Indicator confidence rating + original_fieldset: pe + short: CPU architecture target for the file. type: keyword - threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description + threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash ignore_above: 1024 level: extended - name: indicator.description + name: authentihash normalize: [] - short: Indicator description + original_fieldset: pe + short: Authentihash of the PE file. type: keyword - threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - flat_name: threat.indicator.email.address + threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.pe.company ignore_above: 1024 level: extended - name: indicator.email.address + name: company normalize: [] - short: Indicator email address + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword - threat.indicator.file.accessed: - dashed_name: threat-indicator-file-accessed - description: 'Last time the file was accessed. 
- - Note that not all filesystems keep track of access time.' - flat_name: threat.indicator.file.accessed + threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp level: extended - name: accessed + name: compile_timestamp normalize: [] - original_fieldset: file - short: Last time the file was accessed. + original_fieldset: pe + short: Compile timestamp of the PE file. type: date - threat.indicator.file.attributes: - dashed_name: threat-indicator-file-attributes - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.indicator.file.attributes + threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name ignore_above: 1024 level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler type: keyword - threat.indicator.file.code_signature.exists: - dashed_name: threat-indicator-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.indicator.file.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - threat.indicator.file.code_signature.signing_id: - dashed_name: threat-indicator-file-code-signature-signing-id - description: 'The identifier used to sign the process. 
- - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.indicator.file.code_signature.signing_id + threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version ignore_above: 1024 level: extended - name: signing_id + name: compiler.version normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: pe + short: Version of the compiler. type: keyword - threat.indicator.file.code_signature.status: - dashed_name: threat-indicator-file-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.indicator.file.code_signature.status - ignore_above: 1024 + threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. 
- type: keyword - threat.indicator.file.code_signature.subject_name: - dashed_name: threat-indicator-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.indicator.file.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name + name: creation_date normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - threat.indicator.file.code_signature.team_id: - dashed_name: threat-indicator-file-code-signature-team-id - description: 'The team identifier used to sign the process. + original_fieldset: pe + short: Build or compile date. + type: date + threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.indicator.file.code_signature.team_id + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset ignore_above: 1024 level: extended - name: team_id + name: debug.offset normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: pe + short: Debug offset information. type: keyword - threat.indicator.file.code_signature.trusted: - dashed_name: threat-indicator-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. 
- - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.indicator.file.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - threat.indicator.file.code_signature.valid: - dashed_name: threat-indicator-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.indicator.file.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - threat.indicator.file.created: - dashed_name: threat-indicator-file-created - description: 'File creation time. - - Note that not all filesystems store the creation time.' - flat_name: threat.indicator.file.created + threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes level: extended - name: created + name: debug.size normalize: [] - original_fieldset: file - short: File creation time. - type: date - threat.indicator.file.ctime: - dashed_name: threat-indicator-file-ctime - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.indicator.file.ctime + original_fieldset: pe + short: Size of the debug information. 
+ type: long + threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp level: extended - name: ctime + name: debug.timestamp normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. + original_fieldset: pe + short: Timestamp of the debug information. type: date - threat.indicator.file.device: - dashed_name: threat-indicator-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.indicator.file.device + threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type ignore_above: 1024 level: extended - name: device + name: debug.type normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: pe + short: Information type generated by the debug options. type: keyword - threat.indicator.file.directory: - dashed_name: threat-indicator-file-directory - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice - flat_name: threat.indicator.file.directory - level: extended - name: directory - normalize: [] - original_fieldset: file - short: Directory where the file is located. - type: wildcard - threat.indicator.file.drive_letter: - dashed_name: threat-indicator-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' 
- example: C - flat_name: threat.indicator.file.drive_letter - ignore_above: 1 + threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description + ignore_above: 1024 level: extended - name: drive_letter + name: description normalize: [] - original_fieldset: file - short: Drive letter where the file is located. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword - threat.indicator.file.elf.architecture: - dashed_name: threat-indicator-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.indicator.file.elf.architecture + threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point ignore_above: 1024 level: extended - name: architecture + name: entry_point normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: pe + short: Relative byte offset to the base of the PE file. type: keyword - threat.indicator.file.elf.byte_order: - dashed_name: threat-indicator-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.indicator.file.elf.byte_order + threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports ignore_above: 1024 level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. 
+ name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE type: keyword - threat.indicator.file.elf.cpu_type: - dashed_name: threat-indicator-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.indicator.file.elf.cpu_type + threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version ignore_above: 1024 level: extended - name: cpu_type - normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. - type: keyword - threat.indicator.file.elf.creation_date: - dashed_name: threat-indicator-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: threat.indicator.file.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - threat.indicator.file.elf.exports: - dashed_name: threat-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.indicator.file.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - threat.indicator.file.elf.header.abi_version: - dashed_name: threat-indicator-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.indicator.file.elf.header.abi_version - ignore_above: 1024 - level: extended - name: header.abi_version + name: file_version normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: pe + short: Process name. 
type: keyword - threat.indicator.file.elf.header.class: - dashed_name: threat-indicator-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.indicator.file.elf.header.class + threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: header.class + name: icon.hash.dhash normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. type: keyword - threat.indicator.file.elf.header.data: - dashed_name: threat-indicator-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.indicator.file.elf.header.data + threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash ignore_above: 1024 level: extended - name: header.data + name: imphash normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - threat.indicator.file.elf.header.entrypoint: - dashed_name: threat-indicator-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. 
- flat_name: threat.indicator.file.elf.header.entrypoint - format: string + threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports level: extended - name: header.entrypoint + name: imports normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - threat.indicator.file.elf.header.object_version: - dashed_name: threat-indicator-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.indicator.file.elf.header.object_version + original_fieldset: pe + short: List of all imported functions + type: flattened + threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type ignore_above: 1024 level: extended - name: header.object_version + name: machine_type normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: pe + short: Machine type of the PE file. type: keyword - threat.indicator.file.elf.header.os_abi: - dashed_name: threat-indicator-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.indicator.file.elf.header.os_abi - ignore_above: 1024 + threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name level: extended - name: header.os_abi + name: original_file_name normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. 
- type: keyword - threat.indicator.file.elf.header.type: - dashed_name: threat-indicator-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.indicator.file.elf.header.type + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers ignore_above: 1024 level: extended - name: header.type - normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. type: keyword - threat.indicator.file.elf.header.version: - dashed_name: threat-indicator-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.indicator.file.elf.header.version + threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product ignore_above: 1024 level: extended - name: header.version + name: product normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword - threat.indicator.file.elf.imports: - dashed_name: threat-indicator-file-elf-imports - description: List of imported element names and types. - flat_name: threat.indicator.file.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - threat.indicator.file.elf.sections: - dashed_name: threat-indicator-file-elf-sections - description: 'An array containing an object for each section of the ELF file. 
+ threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: threat.indicator.file.elf.sections + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.pe.resources level: extended - name: sections + name: resources normalize: - array - original_fieldset: elf - short: Section information of the ELF file. + original_fieldset: pe + short: PE resource information type: nested - threat.indicator.file.elf.sections.chi2: - dashed_name: threat-indicator-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.indicator.file.elf.sections.chi2 - format: number + threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 level: extended - name: sections.chi2 + name: resources.chi2 normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. + original_fieldset: pe + short: Chi-square probability distribution. type: long - threat.indicator.file.elf.sections.entropy: - dashed_name: threat-indicator-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.indicator.file.elf.sections.entropy - format: number + threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy level: extended - name: sections.entropy + name: resources.entropy normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. 
+ original_fieldset: pe + short: Measurement of entropy randomness in the resources section. type: long - threat.indicator.file.elf.sections.flags: - dashed_name: threat-indicator-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.indicator.file.elf.sections.flags + threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 level: extended - name: sections.flags + name: resources.filetype normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: pe + short: File type of the resources section. type: keyword - threat.indicator.file.elf.sections.name: - dashed_name: threat-indicator-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.indicator.file.elf.sections.name + threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language ignore_above: 1024 level: extended - name: sections.name + name: resources.language normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: pe + short: Language identification. type: keyword - threat.indicator.file.elf.sections.physical_offset: - dashed_name: threat-indicator-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.indicator.file.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword - threat.indicator.file.elf.sections.physical_size: - dashed_name: threat-indicator-file-elf-sections-physical-size - description: ELF Section List physical size. 
- flat_name: threat.indicator.file.elf.sections.physical_size - format: bytes - level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - threat.indicator.file.elf.sections.type: - dashed_name: threat-indicator-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.indicator.file.elf.sections.type + threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 ignore_above: 1024 level: extended - name: sections.type + name: resources.sha256 normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword - threat.indicator.file.elf.sections.virtual_address: - dashed_name: threat-indicator-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.indicator.file.elf.sections.virtual_address - format: string - level: extended - name: sections.virtual_address - normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - threat.indicator.file.elf.sections.virtual_size: - dashed_name: threat-indicator-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.indicator.file.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long - threat.indicator.file.elf.segments: - dashed_name: threat-indicator-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' 
- flat_name: threat.indicator.file.elf.segments + threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type + ignore_above: 1024 level: extended - name: segments + name: resources.type normalize: - array - original_fieldset: elf - short: ELF object segment list. - type: nested - threat.indicator.file.elf.segments.sections: - dashed_name: threat-indicator-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.indicator.file.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: pe + short: List of resource types. type: keyword - threat.indicator.file.elf.segments.type: - dashed_name: threat-indicator-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.indicator.file.elf.segments.type + threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 ignore_above: 1024 level: extended - name: segments.type + name: rich_header.hash.md5 normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword - threat.indicator.file.elf.shared_libraries: - dashed_name: threat-indicator-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: threat.indicator.file.elf.shared_libraries - ignore_above: 1024 + threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections level: extended - name: shared_libraries + name: sections normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - threat.indicator.file.elf.telfhash: - dashed_name: threat-indicator-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.indicator.file.elf.telfhash - ignore_above: 1024 + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 level: extended - name: telfhash + name: sections.chi2 normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - threat.indicator.file.extension: - dashed_name: threat-indicator-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.indicator.file.extension - ignore_above: 1024 + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy level: extended - name: extension + name: sections.entropy normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. 
- type: keyword - threat.indicator.file.gid: - dashed_name: threat-indicator-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.indicator.file.gid + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.pe.sections.flags ignore_above: 1024 level: extended - name: gid + name: sections.flags normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + original_fieldset: pe + short: Section flags of the file. type: keyword - threat.indicator.file.group: - dashed_name: threat-indicator-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.indicator.file.group + threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name ignore_above: 1024 level: extended - name: group + name: sections.name normalize: [] - original_fieldset: file - short: Primary group name of the file. + original_fieldset: pe + short: Section names of the file. type: keyword - threat.indicator.file.inode: - dashed_name: threat-indicator-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.indicator.file.inode - ignore_above: 1024 + threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size + format: bytes level: extended - name: inode + name: sections.raw_size normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. 
- type: keyword - threat.indicator.file.mime_type: - dashed_name: threat-indicator-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. - flat_name: threat.indicator.file.mime_type - ignore_above: 1024 + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes level: extended - name: mime_type + name: sections.virtual_address normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. - type: keyword - threat.indicator.file.mode: - dashed_name: threat-indicator-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.indicator.file.mode + original_fieldset: pe + short: Virtual address available to the file. + type: long + threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes ignore_above: 1024 level: extended - name: mode + name: data.bytes normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: registry + short: Original bytes written with base64 encoding. 
type: keyword - threat.indicator.file.mtime: - dashed_name: threat-indicator-file-mtime - description: Last time the file content was modified. - flat_name: threat.indicator.file.mtime - level: extended - name: mtime - normalize: [] - original_fieldset: file + threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword + threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard + threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 + level: extended + name: framework + normalize: [] + short: Threat classification framework. + type: keyword + threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." 
+ example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 + level: extended + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id + normalize: [] + short: ID of the group. + type: keyword + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name + normalize: [] + short: Name of the group. + type: keyword + threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 + level: extended + name: group.reference + normalize: [] + short: Reference URL of the group. + type: keyword + threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. 
+ example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). 
+ example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. 
+ type: keyword + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. 
+ type: date + threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword + threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword + threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. 
+ type: keyword + threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. 
+ type: long + threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. 
+ flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: threat.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. 
+ example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file short: Last time the file content was modified. type: date - threat.indicator.file.name: - dashed_name: threat-indicator-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.indicator.file.name + threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. 
+ example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword + threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard + threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard + threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). 
+ example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. 
+ flat_name: threat.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.indicator.pe.authentihash: + dashed_name: threat-indicator-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.indicator.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword + threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. 
+ type: keyword + threat.indicator.pe.compile_timestamp: + dashed_name: threat-indicator-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + threat.indicator.pe.compiler.name: + dashed_name: threat-indicator-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.indicator.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + threat.indicator.pe.compiler.version: + dashed_name: threat-indicator-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.indicator.pe.compiler.version ignore_above: 1024 level: extended - name: name - normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. - type: keyword - threat.indicator.file.owner: - dashed_name: threat-indicator-file-owner - description: File owner's username. - example: alice - flat_name: threat.indicator.file.owner + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + threat.indicator.pe.creation_date: + dashed_name: threat-indicator-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + threat.indicator.pe.debug: + dashed_name: threat-indicator-pe-debug + description: 'An array containing an object for each debug entry, if present. 
+ + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.indicator.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + threat.indicator.pe.debug.offset: + dashed_name: threat-indicator-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.indicator.pe.debug.offset ignore_above: 1024 level: extended - name: owner + name: debug.offset normalize: [] - original_fieldset: file - short: File owner's username. + original_fieldset: pe + short: Debug offset information. type: keyword - threat.indicator.file.path: - dashed_name: threat-indicator-file-path - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.indicator.file.path + threat.indicator.pe.debug.size: + dashed_name: threat-indicator-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.indicator.pe.debug.size + format: bytes level: extended - multi_fields: - - flat_name: threat.indicator.file.path.text - name: text - norms: false - type: text - name: path + name: debug.size normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. - type: wildcard - threat.indicator.file.size: - dashed_name: threat-indicator-file-size - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.indicator.file.size + original_fieldset: pe + short: Size of the debug information. + type: long + threat.indicator.pe.debug.timestamp: + dashed_name: threat-indicator-pe-debug-timestamp + description: Timestamp of the debug information. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.pe.debug.timestamp level: extended - name: size + name: debug.timestamp normalize: [] - original_fieldset: file - short: File size in bytes. - type: long - threat.indicator.file.target_path: - dashed_name: threat-indicator-file-target-path - description: Target path for symlinks. - flat_name: threat.indicator.file.target_path + original_fieldset: pe + short: Timestamp of the debug information. + type: date + threat.indicator.pe.debug.type: + dashed_name: threat-indicator-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.indicator.pe.debug.type + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.indicator.file.target_path.text - name: text - norms: false - type: text - name: target_path + name: debug.type normalize: [] - original_fieldset: file - short: Target path for symlinks. - type: wildcard - threat.indicator.file.type: - dashed_name: threat-indicator-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.indicator.file.type + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword + threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description ignore_above: 1024 level: extended - name: type + name: description normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword - threat.indicator.file.uid: - dashed_name: threat-indicator-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. 
- example: '1001' - flat_name: threat.indicator.file.uid + threat.indicator.pe.entry_point: + dashed_name: threat-indicator-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.indicator.pe.entry_point ignore_above: 1024 level: extended - name: uid + name: entry_point normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + original_fieldset: pe + short: Relative byte offset to the base of the PE file. type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen + threat.indicator.pe.exports: + dashed_name: threat-indicator-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.indicator.pe.exports + ignore_above: 1024 level: extended - name: indicator.first_seen + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword + threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version normalize: [] - short: Date/time indicator was first reported. - type: date - threat.indicator.geo.city_name: - dashed_name: threat-indicator-geo-city-name - description: City name. - example: Montreal - flat_name: threat.indicator.geo.city_name + original_fieldset: pe + short: Process name. 
+ type: keyword + threat.indicator.pe.icon.hash.dhash: + dashed_name: threat-indicator-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.indicator.pe.icon.hash.dhash ignore_above: 1024 - level: core - name: city_name + level: extended + name: icon.hash.dhash normalize: [] - original_fieldset: geo - short: City name. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. type: keyword - threat.indicator.geo.continent_code: - dashed_name: threat-indicator-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.indicator.geo.continent_code + threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash ignore_above: 1024 - level: core - name: continent_code + level: extended + name: imphash normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - threat.indicator.geo.continent_name: - dashed_name: threat-indicator-geo-continent-name - description: Name of the continent. 
- example: North America - flat_name: threat.indicator.geo.continent_name + threat.indicator.pe.imports: + dashed_name: threat-indicator-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.indicator.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + threat.indicator.pe.machine_type: + dashed_name: threat-indicator-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.indicator.pe.machine_type ignore_above: 1024 - level: core - name: continent_name + level: extended + name: machine_type normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: pe + short: Machine type of the PE file. type: keyword - threat.indicator.geo.country_iso_code: - dashed_name: threat-indicator-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.indicator.geo.country_iso_code + threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.indicator.pe.packers: + dashed_name: threat-indicator-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.indicator.pe.packers ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. 
type: keyword - threat.indicator.geo.country_name: - dashed_name: threat-indicator-geo-country-name - description: Country name. - example: Canada - flat_name: threat.indicator.geo.country_name + threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product ignore_above: 1024 - level: core - name: country_name + level: extended + name: product normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword - threat.indicator.geo.location: - dashed_name: threat-indicator-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.indicator.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - threat.indicator.geo.name: - dashed_name: threat-indicator-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + threat.indicator.pe.resources: + dashed_name: threat-indicator-pe-resources + description: 'An array containing an object for each PE resource, if present. - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.indicator.geo.name + The expected fields for this nested object fall under the `resources.` prefix.' 
+ flat_name: threat.indicator.pe.resources level: extended - name: name + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + threat.indicator.pe.resources.chi2: + dashed_name: threat-indicator-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.indicator.pe.resources.chi2 + level: extended + name: resources.chi2 normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: wildcard - threat.indicator.geo.postal_code: - dashed_name: threat-indicator-geo-postal-code - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.indicator.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.indicator.pe.resources.entropy: + dashed_name: threat-indicator-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.indicator.pe.resources.entropy + level: extended + name: resources.entropy normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - threat.indicator.geo.region_iso_code: - dashed_name: threat-indicator-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.indicator.geo.region_iso_code + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + threat.indicator.pe.resources.filetype: + dashed_name: threat-indicator-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: threat.indicator.pe.resources.filetype ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: resources.filetype normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: pe + short: File type of the resources section. type: keyword - threat.indicator.geo.region_name: - dashed_name: threat-indicator-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.indicator.geo.region_name + threat.indicator.pe.resources.language: + dashed_name: threat-indicator-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.indicator.pe.resources.language ignore_above: 1024 - level: core - name: region_name + level: extended + name: resources.language normalize: [] - original_fieldset: geo - short: Region name. + original_fieldset: pe + short: Language identification. type: keyword - threat.indicator.geo.timezone: - dashed_name: threat-indicator-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.indicator.geo.timezone + threat.indicator.pe.resources.sha256: + dashed_name: threat-indicator-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.indicator.pe.resources.sha256 ignore_above: 1024 - level: core - name: timezone + level: extended + name: resources.sha256 normalize: [] - original_fieldset: geo - short: Time zone. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword - threat.indicator.hash.md5: - dashed_name: threat-indicator-hash-md5 - description: MD5 hash. - flat_name: threat.indicator.hash.md5 + threat.indicator.pe.resources.type: + dashed_name: threat-indicator-pe-resources-type + description: Digest of resource types. 
+ example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.indicator.pe.resources.type ignore_above: 1024 level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. type: keyword - threat.indicator.hash.sha1: - dashed_name: threat-indicator-hash-sha1 - description: SHA1 hash. - flat_name: threat.indicator.hash.sha1 + threat.indicator.pe.rich_header.hash.md5: + dashed_name: threat-indicator-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.indicator.pe.rich_header.hash.md5 ignore_above: 1024 level: extended - name: sha1 + name: rich_header.hash.md5 normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword - threat.indicator.hash.sha256: - dashed_name: threat-indicator-hash-sha256 - description: SHA256 hash. - flat_name: threat.indicator.hash.sha256 + threat.indicator.pe.sections: + dashed_name: threat-indicator-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.indicator.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + threat.indicator.pe.sections.chi2: + dashed_name: threat-indicator-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.indicator.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.indicator.pe.sections.entropy: + dashed_name: threat-indicator-pe-sections-entropy + description: Measurement of entropy randomness in the file. 
+ example: 6.24 + flat_name: threat.indicator.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + threat.indicator.pe.sections.flags: + dashed_name: threat-indicator-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.indicator.pe.sections.flags ignore_above: 1024 level: extended - name: sha256 + name: sections.flags normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: pe + short: Section flags of the file. type: keyword - threat.indicator.hash.sha512: - dashed_name: threat-indicator-hash-sha512 - description: SHA512 hash. - flat_name: threat.indicator.hash.sha512 + threat.indicator.pe.sections.name: + dashed_name: threat-indicator-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.indicator.pe.sections.name ignore_above: 1024 level: extended - name: sha512 + name: sections.name normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: pe + short: Section names of the file. type: keyword - threat.indicator.hash.ssdeep: - dashed_name: threat-indicator-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.indicator.hash.ssdeep - ignore_above: 1024 + threat.indicator.pe.sections.raw_size: + dashed_name: threat-indicator-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.indicator.pe.sections.raw_size + format: bytes level: extended - name: ssdeep + name: sections.raw_size normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword - threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). 
- example: 1.2.3.4 - flat_name: threat.indicator.ip + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + threat.indicator.pe.sections.virtual_address: + dashed_name: threat-indicator-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.indicator.pe.sections.virtual_address + format: bytes level: extended - name: indicator.ip + name: sections.virtual_address normalize: [] - short: Indicator IP address - type: ip - threat.indicator.last_seen: + original_fieldset: pe + short: Virtual address available to the file. + type: long + threat.indicator.port: beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.indicator.port level: extended - name: indicator.last_seen + name: indicator.port normalize: [] - short: Date/time indicator was last reported. - type: date - threat.indicator.marking.tlp: + short: Indicator port + type: long + threat.indicator.provider: beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. 
+ example: lrz_urlhaus + flat_name: threat.indicator.provider ignore_above: 1024 level: extended - name: indicator.marking.tlp + name: indicator.provider normalize: [] - short: Indicator TLP marking + short: Indicator provider type: keyword - threat.indicator.modified_at: + threat.indicator.reference: beta: This field is beta and subject to change. - dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 level: extended - name: indicator.modified_at + name: indicator.reference normalize: [] - short: Date/time indicator was last updated. - type: date - threat.indicator.pe.architecture: - dashed_name: threat-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.indicator.pe.architecture + short: Indicator reference URL + type: keyword + threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes ignore_above: 1024 level: extended - name: architecture + name: data.bytes normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: registry + short: Original bytes written with base64 encoding. 
type: keyword - threat.indicator.pe.authentihash: - dashed_name: threat-indicator-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.indicator.pe.authentihash + threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type ignore_above: 1024 - level: extended - name: authentihash + level: core + name: data.type normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.indicator.pe.company: - dashed_name: threat-indicator-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.indicator.pe.company + threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. 
+ example: HKLM + flat_name: threat.indicator.registry.hive ignore_above: 1024 - level: extended - name: company + level: core + name: hive normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword - threat.indicator.pe.compile_timestamp: - dashed_name: threat-indicator-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.compile_timestamp + threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard + threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. 
+ example: 4 + flat_name: threat.indicator.scanner_stats level: extended - name: compile_timestamp + name: indicator.scanner_stats normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. - type: date - threat.indicator.pe.compiler.name: - dashed_name: threat-indicator-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.indicator.pe.compiler.name + short: Scanner statistics + type: long + threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type ignore_above: 1024 level: extended - name: compiler.name + name: indicator.type normalize: [] - original_fieldset: pe - short: Name of the compiler + short: Type of indicator type: keyword - threat.indicator.pe.compiler.version: - dashed_name: threat-indicator-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.indicator.pe.compiler.version - ignore_above: 1024 + threat.indicator.url.domain: + dashed_name: threat-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". 
+ + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.indicator.url.domain level: extended - name: compiler.version + name: domain normalize: [] - original_fieldset: pe - short: Version of the compiler. - type: keyword - threat.indicator.pe.creation_date: - dashed_name: threat-indicator-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.creation_date + original_fieldset: url + short: Domain of the url. + type: wildcard + threat.indicator.url.extension: + dashed_name: threat-indicator-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.url.extension + ignore_above: 1024 level: extended - name: creation_date + name: extension normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - threat.indicator.pe.debug: - dashed_name: threat-indicator-pe-debug - description: 'An array containing an object for each debug entry, if present. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. 
+ type: keyword + threat.indicator.url.fragment: + dashed_name: threat-indicator-url-fragment + description: 'Portion of the url after the `#`, such as "top". - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.indicator.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - threat.indicator.pe.debug.offset: - dashed_name: threat-indicator-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.indicator.pe.debug.offset + The `#` is not part of the fragment.' + flat_name: threat.indicator.url.fragment ignore_above: 1024 level: extended - name: debug.offset + name: fragment normalize: [] - original_fieldset: pe - short: Debug offset information. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword - threat.indicator.pe.debug.size: - dashed_name: threat-indicator-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.indicator.pe.debug.size - format: bytes + threat.indicator.url.full: + dashed_name: threat-indicator-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.indicator.url.full level: extended - name: debug.size + multi_fields: + - flat_name: threat.indicator.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: pe - short: Size of the debug information. - type: long - threat.indicator.pe.debug.timestamp: - dashed_name: threat-indicator-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.debug.timestamp + original_fieldset: url + short: Full unparsed URL. 
+ type: wildcard + threat.indicator.url.original: + dashed_name: threat-indicator-url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.indicator.url.original level: extended - name: debug.timestamp + multi_fields: + - flat_name: threat.indicator.url.original.text + name: text + norms: false + type: text + name: original normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - threat.indicator.pe.debug.type: - dashed_name: threat-indicator-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.indicator.pe.debug.type + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: wildcard + threat.indicator.url.password: + dashed_name: threat-indicator-url-password + description: Password of the request. + flat_name: threat.indicator.url.password ignore_above: 1024 level: extended - name: debug.type + name: password normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. + original_fieldset: url + short: Password of the request. type: keyword - threat.indicator.pe.description: - dashed_name: threat-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.indicator.pe.description - ignore_above: 1024 + threat.indicator.url.path: + dashed_name: threat-indicator-url-path + description: Path of the request, such as "/search". 
+ flat_name: threat.indicator.url.path level: extended - name: description + name: path normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. - type: keyword - threat.indicator.pe.entry_point: - dashed_name: threat-indicator-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.indicator.pe.entry_point - ignore_above: 1024 + original_fieldset: url + short: Path of the request, such as "/search". + type: wildcard + threat.indicator.url.port: + dashed_name: threat-indicator-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.indicator.url.port + format: string level: extended - name: entry_point + name: port normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. - type: keyword - threat.indicator.pe.exports: - dashed_name: threat-indicator-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.indicator.pe.exports + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.indicator.url.query: + dashed_name: threat-indicator-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.indicator.url.query ignore_above: 1024 level: extended - name: exports - normalize: - - array - original_fieldset: pe - short: List of symbols exported by PE + name: query + normalize: [] + original_fieldset: url + short: Query string of the request. 
type: keyword - threat.indicator.pe.file_version: - dashed_name: threat-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.indicator.pe.file_version - ignore_above: 1024 + threat.indicator.url.registered_domain: + dashed_name: threat-indicator-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.indicator.url.registered_domain level: extended - name: file_version + name: registered_domain normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - threat.indicator.pe.icon.hash.dhash: - dashed_name: threat-indicator-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.indicator.pe.icon.hash.dhash + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: wildcard + threat.indicator.url.scheme: + dashed_name: threat-indicator-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.indicator.url.scheme ignore_above: 1024 level: extended - name: icon.hash.dhash + name: scheme normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. + original_fieldset: url + short: Scheme of the url. type: keyword - threat.indicator.pe.imphash: - dashed_name: threat-indicator-pe-imphash - description: 'A hash of the imports in a PE file. 
An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + threat.indicator.url.subdomain: + dashed_name: threat-indicator-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.indicator.pe.imphash + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.indicator.url.subdomain ignore_above: 1024 level: extended - name: imphash + name: subdomain normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: url + short: The subdomain of the domain. type: keyword - threat.indicator.pe.imports: - dashed_name: threat-indicator-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.indicator.pe.imports - level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - threat.indicator.pe.machine_type: - dashed_name: threat-indicator-pe-machine-type - description: Machine type of the PE file. 
- example: Intel 386 or later, and compatibles - flat_name: threat.indicator.pe.machine_type + threat.indicator.url.top_level_domain: + dashed_name: threat-indicator-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.indicator.url.top_level_domain ignore_above: 1024 level: extended - name: machine_type + name: top_level_domain normalize: [] - original_fieldset: pe - short: Machine type of the PE file. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword - threat.indicator.pe.original_file_name: - dashed_name: threat-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.indicator.pe.original_file_name + threat.indicator.url.username: + dashed_name: threat-indicator-url-username + description: Username of the request. + flat_name: threat.indicator.url.username + ignore_above: 1024 level: extended - name: original_file_name + name: username normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: wildcard - threat.indicator.pe.packers: - dashed_name: threat-indicator-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.indicator.pe.packers + original_fieldset: url + short: Username of the request. + type: keyword + threat.indicator.x509.alternative_names: + dashed_name: threat-indicator-x509-alternative-names + description: List of subject alternative names (SAN). 
Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.indicator.x509.alternative_names ignore_above: 1024 level: extended - name: packers + name: alternative_names normalize: - array - original_fieldset: pe - short: List of packers and tools used. + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword - threat.indicator.pe.product: - dashed_name: threat-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.indicator.pe.product + threat.indicator.x509.issuer.common_name: + dashed_name: threat-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.indicator.x509.issuer.common_name ignore_above: 1024 level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - threat.indicator.pe.resources: - dashed_name: threat-indicator-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.indicator.pe.resources - level: extended - name: resources + name: issuer.common_name normalize: - array - original_fieldset: pe - short: PE resource information - type: nested - threat.indicator.pe.resources.chi2: - dashed_name: threat-indicator-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.indicator.pe.resources.chi2 - level: extended - name: resources.chi2 - normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. 
- type: long - threat.indicator.pe.resources.entropy: - dashed_name: threat-indicator-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.indicator.pe.resources.entropy - level: extended - name: resources.entropy - normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - threat.indicator.pe.resources.filetype: - dashed_name: threat-indicator-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.indicator.pe.resources.filetype + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + threat.indicator.x509.issuer.country: + dashed_name: threat-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 level: extended - name: resources.filetype - normalize: [] - original_fieldset: pe - short: File type of the resources section. + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes type: keyword - threat.indicator.pe.resources.language: - dashed_name: threat-indicator-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: threat.indicator.pe.resources.language - ignore_above: 1024 + threat.indicator.x509.issuer.distinguished_name: + dashed_name: threat-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.indicator.x509.issuer.distinguished_name level: extended - name: resources.language + name: issuer.distinguished_name normalize: [] - original_fieldset: pe - short: Language identification. 
- type: keyword - threat.indicator.pe.resources.sha256: - dashed_name: threat-indicator-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.indicator.pe.resources.sha256 + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard + threat.indicator.x509.issuer.locality: + dashed_name: threat-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.indicator.x509.issuer.locality ignore_above: 1024 level: extended - name: resources.sha256 - normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.indicator.pe.resources.type: - dashed_name: threat-indicator-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.indicator.pe.resources.type + threat.indicator.x509.issuer.organization: + dashed_name: threat-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.indicator.x509.issuer.organization ignore_above: 1024 level: extended - name: resources.type + name: issuer.organization normalize: - array - original_fieldset: pe - short: List of resource types. + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword - threat.indicator.pe.rich_header.hash.md5: - dashed_name: threat-indicator-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. 
- example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.indicator.pe.rich_header.hash.md5 + threat.indicator.x509.issuer.organizational_unit: + dashed_name: threat-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: rich_header.hash.md5 - normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword - threat.indicator.pe.sections: - dashed_name: threat-indicator-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.indicator.pe.sections + threat.indicator.x509.issuer.state_or_province: + dashed_name: threat-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.indicator.x509.issuer.state_or_province + ignore_above: 1024 level: extended - name: sections + name: issuer.state_or_province normalize: - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - threat.indicator.pe.sections.chi2: - dashed_name: threat-indicator-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.indicator.pe.sections.chi2 + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.indicator.x509.not_after: + dashed_name: threat-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. 
+ example: 2020-07-16 03:15:39+00:00 + flat_name: threat.indicator.x509.not_after level: extended - name: sections.chi2 + name: not_after normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - threat.indicator.pe.sections.entropy: - dashed_name: threat-indicator-pe-sections-entropy - description: Measurement of entropy randomness in the file. - example: 6.24 - flat_name: threat.indicator.pe.sections.entropy + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + threat.indicator.x509.not_before: + dashed_name: threat-indicator-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.indicator.x509.not_before level: extended - name: sections.entropy + name: not_before normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float - threat.indicator.pe.sections.flags: - dashed_name: threat-indicator-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.indicator.pe.sections.flags + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + threat.indicator.x509.public_key_algorithm: + dashed_name: threat-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended - name: sections.flags + name: public_key_algorithm normalize: [] - original_fieldset: pe - short: Section flags of the file. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword - threat.indicator.pe.sections.name: - dashed_name: threat-indicator-pe-sections-name - description: Section names of the file. 
- example: .text, .data - flat_name: threat.indicator.pe.sections.name + threat.indicator.x509.public_key_curve: + dashed_name: threat-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.indicator.x509.public_key_curve ignore_above: 1024 level: extended - name: sections.name - normalize: [] - original_fieldset: pe - short: Section names of the file. - type: keyword - threat.indicator.pe.sections.raw_size: - dashed_name: threat-indicator-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.indicator.pe.sections.raw_size - format: bytes - level: extended - name: sections.raw_size + name: public_key_curve normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - threat.indicator.pe.sections.virtual_address: - dashed_name: threat-indicator-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.indicator.pe.sections.virtual_address - format: bytes + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + threat.indicator.x509.public_key_exponent: + dashed_name: threat-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.indicator.x509.public_key_exponent + index: false level: extended - name: sections.virtual_address + name: public_key_exponent normalize: [] - original_fieldset: pe - short: Virtual address available to the file. + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long - threat.indicator.port: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - flat_name: threat.indicator.port + threat.indicator.x509.public_key_size: + dashed_name: threat-indicator-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.indicator.x509.public_key_size level: extended - name: indicator.port + name: public_key_size normalize: [] - short: Indicator port + original_fieldset: x509 + short: The size of the public key space in bits. type: long - threat.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.indicator.provider + threat.indicator.x509.serial_number: + dashed_name: threat-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.indicator.x509.serial_number ignore_above: 1024 level: extended - name: indicator.provider + name: serial_number normalize: [] - short: Indicator provider + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword - threat.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.indicator.reference + threat.indicator.x509.signature_algorithm: + dashed_name: threat-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. 
See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.indicator.x509.signature_algorithm ignore_above: 1024 level: extended - name: indicator.reference + name: signature_algorithm normalize: [] - short: Indicator reference URL + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword - threat.indicator.registry.data.bytes: - dashed_name: threat-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.registry.data.bytes + threat.indicator.x509.subject.common_name: + dashed_name: threat-indicator-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.indicator.x509.subject.common_name ignore_above: 1024 level: extended - name: data.bytes - normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword - threat.indicator.registry.data.strings: - dashed_name: threat-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' 
- example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.registry.data.strings - level: core - name: data.strings + name: subject.common_name normalize: - array - original_fieldset: registry - short: List of strings representing what was written to the registry. - type: wildcard - threat.indicator.registry.data.type: - dashed_name: threat-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.registry.data.type - ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: x509 + short: List of common names (CN) of subject. type: keyword - threat.indicator.registry.hive: - dashed_name: threat-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.indicator.registry.hive + threat.indicator.x509.subject.country: + dashed_name: threat-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.indicator.x509.subject.country ignore_above: 1024 - level: core - name: hive - normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code type: keyword - threat.indicator.registry.key: - dashed_name: threat-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.registry.key - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. 
- type: wildcard - threat.indicator.registry.path: - dashed_name: threat-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.indicator.registry.path - level: core - name: path + threat.indicator.x509.subject.distinguished_name: + dashed_name: threat-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.indicator.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. type: wildcard - threat.indicator.registry.value: - dashed_name: threat-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.indicator.registry.value + threat.indicator.x509.subject.locality: + dashed_name: threat-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.indicator.x509.subject.locality ignore_above: 1024 - level: core - name: value - normalize: [] - original_fieldset: registry - short: Name of the value written. + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. 
- example: 4 - flat_name: threat.indicator.scanner_stats + threat.indicator.x509.subject.organization: + dashed_name: threat-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.indicator.x509.subject.organization + ignore_above: 1024 level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long - threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + threat.indicator.x509.subject.organizational_unit: + dashed_name: threat-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.indicator.x509.subject.organizational_unit + ignore_above: 1024 level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long - threat.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. 
+ type: keyword + threat.indicator.x509.subject.state_or_province: + dashed_name: threat-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended - name: indicator.type + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.indicator.x509.version_number: + dashed_name: threat-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.indicator.x509.version_number + ignore_above: 1024 + level: extended + name: version_number normalize: [] - short: Type of indicator + original_fieldset: x509 + short: Version of x509 format. type: keyword threat.software.id: beta: This field is beta and subject to change. @@ -18225,21 +19616,23 @@ threat: name: threat nestings: - threat.enrichments.indicator.as - - threat.enrichments.indicator.as - - threat.enrichments.indicator.as - - threat.enrichments.indicator.as + - threat.enrichments.indicator.file + - threat.enrichments.indicator.geo + - threat.enrichments.indicator.hash - threat.enrichments.indicator.pe - threat.enrichments.indicator.registry + - threat.enrichments.indicator.url + - threat.enrichments.indicator.x509 - threat.enrichments.pe - threat.enrichments.registry - - threat.enrichments.url - - threat.enrichments.x509 - threat.indicator.as - threat.indicator.file - threat.indicator.geo - threat.indicator.hash - threat.indicator.pe - threat.indicator.registry + - threat.indicator.url + - threat.indicator.x509 prefix: threat. reused_here: - beta: Reusing the `as` fields in this location is currently considered beta. 
@@ -18254,24 +19647,24 @@ threat: full: threat.indicator.file schema_name: file short: Fields describing files. - - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + - beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.indicator.file schema_name: file short: Fields describing files. - beta: Reusing the `geo` fields in this location is currently considered beta. full: threat.indicator.geo schema_name: geo short: Fields describing a location. - - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + - beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.indicator.geo schema_name: geo short: Fields describing a location. - beta: Reusing the `hash` fields in this location is currently considered beta. full: threat.indicator.hash schema_name: hash short: Hashes, usually file hashes. - - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + - beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.enrichments.indicator.hash schema_name: hash short: Hashes, usually file hashes. - beta: Reusing the `as` fields in this location is currently considered beta. 
@@ -18297,11 +19690,19 @@ threat: schema_name: registry short: Fields related to Windows Registry operations. - beta: Reusing the `url` fields in this location is currently considered beta. - full: threat.enrichments.url + full: threat.indicator.url schema_name: url short: Fields that let you store URLs in various forms. + - beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.indicator.url + schema_name: url + short: Fields that let you store URLs in various forms. + - beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.indicator.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. - beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.x509 + full: threat.enrichments.indicator.x509 schema_name: x509 short: These fields contain x509 certificate metadata. short: Fields to classify events and alerts according to a threat taxonomy. @@ -19571,9 +20972,13 @@ url: reusable: expected: - as: url - at: threat.enrichments + at: threat.indicator beta: Reusing the `url` fields in this location is currently considered beta. - full: threat.enrichments.url + full: threat.indicator.url + - as: url + at: threat.enrichments.indicator + beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.indicator.url top_level: true short: Fields that let you store URLs in various forms. title: URL @@ -20859,9 +22264,13 @@ x509: at: file full: file.x509 - as: x509 - at: threat.enrichments + at: threat.indicator + beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.indicator.x509 + - as: x509 + at: threat.enrichments.indicator beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.x509 + full: threat.enrichments.indicator.x509 - as: x509 at: tls.client full: tls.client.x509 
diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 22f0e565fe..0830143486 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -4419,46 +4419,350 @@ "properties": { "as": { "properties": { - "md5": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" }, - "sha1": { + "attributes": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { "ignore_above": 1024, "type": "keyword" }, - "ssdeep": { + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { "ignore_above": 1024, "type": 
"keyword" } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" + "first_seen": { + "type": "date" }, - "email": { + "geo": { "properties": { - "address": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { "ignore_above": 1024, "type": "keyword" } } }, - "first_seen": { - "type": "date" + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "ip": { "type": "ip" 
@@ -4697,399 +5001,399 @@ "type": { "ignore_above": 1024, "type": "keyword" - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { + "url": { "properties": { - "name": { + "domain": { + "type": "wildcard" + }, + "extension": { "ignore_above": 1024, "type": "keyword" }, - "version": { + "fragment": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { "ignore_above": 1024, "type": "keyword" }, - "size": { - "type": "long" + "path": { + "type": "wildcard" }, - "timestamp": { - "type": "date" + "port": { + "type": "long" }, - "type": { + "query": { "ignore_above": 1024, "type": "keyword" - } - }, - "type": "nested" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "imphash": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "type": "wildcard" - }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" }, - "entropy": { - "type": "long" + "registered_domain": { + "type": "wildcard" }, - "filetype": { + "scheme": { "ignore_above": 1024, "type": "keyword" }, - "language": { + "subdomain": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "username": { "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, - "rich_header": { + "x509": { "properties": { - "hash": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { "properties": { - "md5": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { "ignore_above": 1024, "type": "keyword" } } - } - } - }, - "sections": { - "properties": { - "chi2": { - "type": "long" }, - "entropy": { - "type": "float" + "not_after": { + "type": "date" }, - "flags": { + "not_before": { + "type": "date" + }, + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "raw_size": { + "public_key_exponent": { + "doc_values": false, + "index": false, "type": "long" }, - "virtual_address": { + "public_key_size": { "type": "long" - } - }, - "type": "nested" - 
} - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { + }, + "serial_number": { "ignore_above": 1024, "type": "keyword" }, - "strings": { - "type": "wildcard" + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": { + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { "ignore_above": 1024, "type": "keyword" } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "type": "wildcard" - }, - "path": { - "type": "wildcard" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } + }, + "type": "object" }, - "url": { + "matched": { "properties": { - "domain": { - "type": "wildcard" - }, - "extension": { + "atomic": { "ignore_above": 1024, "type": "keyword" }, - "fragment": { + "field": { "ignore_above": 1024, "type": "keyword" }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - }, - "password": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { + "index": { "ignore_above": 1024, "type": "keyword" }, - "registered_domain": { - "type": "wildcard" - }, - "scheme": { + "type": { "ignore_above": 1024, "type": "keyword" - }, - "subdomain": { + } + } + }, + "pe": { + "properties": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - 
"top_level_domain": { + "authentihash": { "ignore_above": 1024, "type": "keyword" }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "issuer": { + "compile_timestamp": { + "type": "date" + }, + "compiler": { "properties": { - "common_name": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "country": { + "version": { "ignore_above": 1024, "type": "keyword" - }, - "distinguished_name": { - "type": "wildcard" - }, - "locality": { + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { "ignore_above": 1024, "type": "keyword" }, - "organization": { - "ignore_above": 1024, - "type": "keyword" + "size": { + "type": "long" }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" + "timestamp": { + "type": "date" }, - "state_or_province": { + "type": { "ignore_above": 1024, "type": "keyword" } - } + }, + "type": "nested" }, - "not_after": { - "type": "date" + "description": { + "ignore_above": 1024, + "type": "keyword" }, - "not_before": { - "type": "date" + "entry_point": { + "ignore_above": 1024, + "type": "keyword" }, - "public_key_algorithm": { + "exports": { "ignore_above": 1024, "type": "keyword" }, - "public_key_curve": { + "file_version": { "ignore_above": 1024, "type": "keyword" }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } }, - "public_key_size": { - "type": "long" + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" }, - "serial_number": { + "packers": { "ignore_above": 1024, "type": "keyword" }, - 
"signature_algorithm": { + "product": { "ignore_above": 1024, "type": "keyword" }, - "subject": { + "resources": { "properties": { - "common_name": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { "ignore_above": 1024, "type": "keyword" }, - "country": { + "language": { "ignore_above": 1024, "type": "keyword" }, - "distinguished_name": { - "type": "wildcard" + "sha256": { + "ignore_above": 1024, + "type": "keyword" }, - "locality": { + "type": { "ignore_above": 1024, "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" }, - "organization": { + "entropy": { + "type": "float" + }, + "flags": { "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "state_or_province": { + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "version_number": { + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { "ignore_above": 1024, "type": "keyword" } 
@@ -5708,6 +6012,176 @@ "type": { "ignore_above": 1024, "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "wildcard" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "type": "wildcard" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, 
+ "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index 53400624c1..00d8bffb3f 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json 
@@ -14,46 +14,350 @@ "properties": { "as": { "properties": { - "md5": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" }, - "sha1": { + "attributes": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { "ignore_above": 1024, "type": "keyword" }, - "ssdeep": { + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { "ignore_above": 1024, "type": "keyword" } } }, - 
"confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" + "first_seen": { + "type": "date" }, - "email": { + "geo": { "properties": { - "address": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { "ignore_above": 1024, "type": "keyword" } } }, - "first_seen": { - "type": "date" + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "ip": { "type": "ip" 
@@ -292,399 +596,399 @@ "type": { "ignore_above": 1024, "type": "keyword" - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentihash": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "compile_timestamp": { - "type": "date" - }, - "compiler": { + "url": { "properties": { - "name": { + "domain": { + "type": "wildcard" + }, + "extension": { "ignore_above": 1024, "type": "keyword" }, - "version": { + "fragment": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "creation_date": { - "type": "date" - }, - "debug": { - "properties": { - "offset": { + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { "ignore_above": 1024, "type": "keyword" }, - "size": { - "type": "long" + "path": { + "type": "wildcard" }, - "timestamp": { - "type": "date" + "port": { + "type": "long" }, - "type": { + "query": { "ignore_above": 1024, "type": "keyword" - } - }, - "type": "nested" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "exports": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "icon": { - "properties": { - "hash": { - "properties": { - "dhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "imphash": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flattened" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "type": "wildcard" - }, - "packers": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "resources": { - "properties": { - "chi2": { - "type": "long" }, - "entropy": { - "type": "long" + "registered_domain": { + "type": "wildcard" }, - "filetype": { + "scheme": { "ignore_above": 1024, "type": "keyword" }, - "language": { + "subdomain": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "username": { "ignore_above": 1024, "type": "keyword" } - }, - "type": "nested" + } }, - "rich_header": { + "x509": { "properties": { - "hash": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { "properties": { - "md5": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { "ignore_above": 1024, "type": "keyword" } } - } - } - }, - "sections": { - "properties": { - "chi2": { - "type": "long" }, - "entropy": { - "type": "float" + "not_after": { + "type": "date" }, - "flags": { + "not_before": { + "type": "date" + }, + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "raw_size": { + "public_key_exponent": { + "doc_values": false, + "index": false, "type": "long" }, - "virtual_address": { + "public_key_size": { "type": "long" - } - }, - "type": "nested" - 
} - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { + }, + "serial_number": { "ignore_above": 1024, "type": "keyword" }, - "strings": { - "type": "wildcard" + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": { + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { "ignore_above": 1024, "type": "keyword" } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "type": "wildcard" - }, - "path": { - "type": "wildcard" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } + }, + "type": "object" }, - "url": { + "matched": { "properties": { - "domain": { - "type": "wildcard" - }, - "extension": { + "atomic": { "ignore_above": 1024, "type": "keyword" }, - "fragment": { + "field": { "ignore_above": 1024, "type": "keyword" }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "type": "wildcard" - }, - "password": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { + "index": { "ignore_above": 1024, "type": "keyword" }, - "registered_domain": { - "type": "wildcard" - }, - "scheme": { + "type": { "ignore_above": 1024, "type": "keyword" - }, - "subdomain": { + } + } + }, + "pe": { + "properties": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - 
"top_level_domain": { + "authentihash": { "ignore_above": 1024, "type": "keyword" }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "issuer": { + "compile_timestamp": { + "type": "date" + }, + "compiler": { "properties": { - "common_name": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "country": { + "version": { "ignore_above": 1024, "type": "keyword" - }, - "distinguished_name": { - "type": "wildcard" - }, - "locality": { + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { "ignore_above": 1024, "type": "keyword" }, - "organization": { - "ignore_above": 1024, - "type": "keyword" + "size": { + "type": "long" }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" + "timestamp": { + "type": "date" }, - "state_or_province": { + "type": { "ignore_above": 1024, "type": "keyword" } - } + }, + "type": "nested" }, - "not_after": { - "type": "date" + "description": { + "ignore_above": 1024, + "type": "keyword" }, - "not_before": { - "type": "date" + "entry_point": { + "ignore_above": 1024, + "type": "keyword" }, - "public_key_algorithm": { + "exports": { "ignore_above": 1024, "type": "keyword" }, - "public_key_curve": { + "file_version": { "ignore_above": 1024, "type": "keyword" }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } }, - "public_key_size": { - "type": "long" + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" }, - "serial_number": { + "packers": { "ignore_above": 1024, "type": "keyword" }, - 
"signature_algorithm": { + "product": { "ignore_above": 1024, "type": "keyword" }, - "subject": { + "resources": { "properties": { - "common_name": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { "ignore_above": 1024, "type": "keyword" }, - "country": { + "language": { "ignore_above": 1024, "type": "keyword" }, - "distinguished_name": { - "type": "wildcard" + "sha256": { + "ignore_above": 1024, + "type": "keyword" }, - "locality": { + "type": { "ignore_above": 1024, "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" }, - "organization": { + "entropy": { + "type": "float" + }, + "flags": { "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "name": { "ignore_above": 1024, "type": "keyword" }, - "state_or_province": { + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { "ignore_above": 1024, "type": "keyword" } } }, - "version_number": { + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { "ignore_above": 1024, "type": "keyword" } 
@@ -1303,6 +1607,176 @@ "type": { "ignore_above": 1024, "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "wildcard" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "type": "wildcard" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, 
+ "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index b6a81bedf2..ccd90d1e62 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5856,35 +5856,23 @@ type: object description: Object containing associated indicators enriching the event. default_field: false - - name: enrichments.indicator.as.md5 + - name: enrichments.indicator.as.number level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. - default_field: false - - name: enrichments.indicator.as.sha1 - level: extended - type: keyword - ignore_above: 1024 - description: SHA1 hash. - default_field: false - - name: enrichments.indicator.as.sha256 - level: extended - type: keyword - ignore_above: 1024 - description: SHA256 hash. - default_field: false - - name: enrichments.indicator.as.sha512 - level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 default_field: false - - name: enrichments.indicator.as.ssdeep + - name: enrichments.indicator.as.organization.name level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC default_field: false - name: enrichments.indicator.confidence level: extended 
@@ -5911,1368 +5899,2217 @@ of direction). example: phish@example.com default_field: false - - name: enrichments.indicator.first_seen - level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: enrichments.indicator.ip - level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - default_field: false - - name: enrichments.indicator.last_seen + - name: enrichments.indicator.file.accessed level: extended type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' default_field: false - - name: enrichments.indicator.marking.tlp + - name: enrichments.indicator.file.attributes level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' default_field: false - - name: enrichments.indicator.modified_at - level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + - name: enrichments.indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. 
+ example: 'true' default_field: false - - name: enrichments.indicator.pe.architecture + - name: enrichments.indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: enrichments.indicator.pe.company + - name: enrichments.indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.indicator.pe.description - level: extended + - name: enrichments.indicator.file.code_signature.subject_name + level: core type: keyword ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + description: Subject name of the code signer + example: Microsoft Corporation default_field: false - - name: enrichments.indicator.pe.file_version + - name: enrichments.indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV default_field: false - - name: enrichments.indicator.pe.imphash + - name: enrichments.indicator.file.code_signature.trusted level: extended - type: keyword - ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + type: boolean + description: 'Stores the trust status of the certificate chain. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: enrichments.indicator.pe.original_file_name + - name: enrichments.indicator.file.code_signature.valid level: extended - type: keyword - ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: enrichments.indicator.pe.product + - name: enrichments.indicator.file.created level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' default_field: false - - name: enrichments.indicator.port + - name: enrichments.indicator.file.ctime level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). 
- example: 443 + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: enrichments.indicator.provider + - name: enrichments.indicator.file.device level: extended type: keyword ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus + description: Device that is the source of the file. + example: sda default_field: false - - name: enrichments.indicator.reference + - name: enrichments.indicator.file.directory level: extended type: keyword ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice default_field: false - - name: enrichments.indicator.registry.data.bytes + - name: enrichments.indicator.file.drive_letter level: extended type: keyword - ignore_above: 1024 - description: 'Original bytes written with base64 encoding. + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: enrichments.indicator.registry.data.strings - level: core + - name: enrichments.indicator.file.elf.architecture + level: extended type: keyword ignore_above: 1024 - description: 'Content when writing string types. 
- - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: enrichments.indicator.registry.data.type - level: core + - name: enrichments.indicator.file.elf.byte_order + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: enrichments.indicator.registry.hive - level: core + - name: enrichments.indicator.file.elf.cpu_type + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + description: CPU type of the ELF file. + example: Intel default_field: false - - name: enrichments.indicator.registry.key - level: core - type: keyword - ignore_above: 1024 - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + - name: enrichments.indicator.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. default_field: false - - name: enrichments.indicator.registry.path - level: core + - name: enrichments.indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. 
+ default_field: false + - name: enrichments.indicator.file.elf.header.abi_version + level: extended type: keyword ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: enrichments.indicator.registry.value - level: core + - name: enrichments.indicator.file.elf.header.class + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger + description: Header class of the ELF file. default_field: false - - name: enrichments.indicator.scanner_stats + - name: enrichments.indicator.file.elf.header.data level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. default_field: false - - name: enrichments.indicator.sightings + - name: enrichments.indicator.file.elf.header.entrypoint level: extended type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 + format: string + description: Header entrypoint of the ELF file. default_field: false - - name: enrichments.indicator.type + - name: enrichments.indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr + description: '"0x1" for original ELF files.' 
default_field: false - - name: enrichments.matched.atomic + - name: enrichments.indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com + description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: enrichments.matched.field + - name: enrichments.indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 + description: Header type of the ELF file. default_field: false - - name: enrichments.matched.id + - name: enrichments.indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + description: Version of the ELF header. default_field: false - - name: enrichments.matched.index + - name: enrichments.indicator.file.elf.imports level: extended - type: keyword - ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 + type: flattened + description: List of imported element names and types. default_field: false - - name: enrichments.matched.type + - name: enrichments.indicator.file.elf.sections level: extended - type: keyword - ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
default_field: false - - name: enrichments.url.domain + - name: enrichments.indicator.file.elf.sections.chi2 level: extended - type: keyword - ignore_above: 1024 - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co + type: long + format: number + description: Chi-square probability distribution of the section. default_field: false - - name: enrichments.url.extension + - name: enrichments.indicator.file.elf.sections.entropy level: extended - type: keyword - ignore_above: 1024 - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + type: long + format: number + description: Shannon entropy calculation from the section. default_field: false - - name: enrichments.url.fragment + - name: enrichments.indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' + description: ELF Section List flags. 
default_field: false - - name: enrichments.url.full + - name: enrichments.indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top + description: ELF Section List name. default_field: false - - name: enrichments.url.original + - name: enrichments.indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + description: ELF Section List offset. default_field: false - - name: enrichments.url.password + - name: enrichments.indicator.file.elf.sections.physical_size level: extended - type: keyword - ignore_above: 1024 - description: Password of the request. + type: long + format: bytes + description: ELF Section List physical size. default_field: false - - name: enrichments.url.path + - name: enrichments.indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: Path of the request, such as "/search". + description: ELF Section List type. default_field: false - - name: enrichments.url.port + - name: enrichments.indicator.file.elf.sections.virtual_address level: extended type: long format: string - description: Port of the request, such as 443. - example: 443 + description: ELF Section List virtual address. 
default_field: false - - name: enrichments.url.query + - name: enrichments.indicator.file.elf.sections.virtual_size level: extended - type: keyword - ignore_above: 1024 - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". - - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' + type: long + format: string + description: ELF Section List virtual size. default_field: false - - name: enrichments.url.registered_domain + - name: enrichments.indicator.file.elf.segments level: extended - type: keyword - ignore_above: 1024 - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". + type: nested + description: 'An array containing an object for each segment of the ELF file. - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: enrichments.url.scheme + - name: enrichments.indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https + description: ELF object segment sections. 
default_field: false - - name: enrichments.url.subdomain + - name: enrichments.indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east + description: ELF object segment type. default_field: false - - name: enrichments.url.top_level_domain + - name: enrichments.indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk + description: List of shared libraries used by this ELF object. default_field: false - - name: enrichments.url.username + - name: enrichments.indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: Username of the request. + description: telfhash symbol hash for ELF file. default_field: false - - name: enrichments.x509.alternative_names + - name: enrichments.indicator.file.extension level: extended type: keyword ignore_above: 1024 - description: List of subject alternative names (SAN). 
Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: enrichments.x509.issuer.common_name + - name: enrichments.indicator.file.gid level: extended type: keyword ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA + description: Primary group ID (GID) of the file. + example: '1001' default_field: false - - name: enrichments.x509.issuer.country + - name: enrichments.indicator.file.group level: extended type: keyword ignore_above: 1024 - description: List of country (C) codes - example: US + description: Primary group name of the file. + example: alice default_field: false - - name: enrichments.x509.issuer.distinguished_name + - name: enrichments.indicator.file.inode level: extended type: keyword ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: enrichments.x509.issuer.locality + - name: enrichments.indicator.file.mime_type level: extended type: keyword ignore_above: 1024 - description: List of locality names (L) - example: Mountain View + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. 
default_field: false - - name: enrichments.x509.issuer.organization + - name: enrichments.indicator.file.mode level: extended type: keyword ignore_above: 1024 - description: List of organizations (O) of issuing certificate authority. - example: Example Inc + description: Mode of the file in octal representation. + example: '0640' default_field: false - - name: enrichments.x509.issuer.organizational_unit + - name: enrichments.indicator.file.mtime level: extended - type: keyword - ignore_above: 1024 - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com + type: date + description: Last time the file content was modified. default_field: false - - name: enrichments.x509.issuer.state_or_province + - name: enrichments.indicator.file.name level: extended type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California - default_field: false - - name: enrichments.x509.not_after - level: extended - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - default_field: false - - name: enrichments.x509.not_before - level: extended - type: date - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 + description: Name of the file including the extension, without the directory. + example: example.png default_field: false - - name: enrichments.x509.public_key_algorithm + - name: enrichments.indicator.file.owner level: extended type: keyword ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA + description: File owner's username. + example: alice default_field: false - - name: enrichments.x509.public_key_curve + - name: enrichments.indicator.file.path level: extended type: keyword ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. 
- example: nistp521 - default_field: false - - name: enrichments.x509.public_key_exponent - level: extended - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - index: false - doc_values: false + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png default_field: false - - name: enrichments.x509.public_key_size + - name: enrichments.indicator.file.size level: extended type: long - description: The size of the public key space in bits. - example: 2048 + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: enrichments.x509.serial_number + - name: enrichments.indicator.file.target_path level: extended type: keyword ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. default_field: false - - name: enrichments.x509.signature_algorithm + - name: enrichments.indicator.file.type level: extended type: keyword ignore_above: 1024 - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA + description: File type (file, dir, or symlink). + example: file default_field: false - - name: enrichments.x509.subject.common_name + - name: enrichments.indicator.file.uid level: extended type: keyword ignore_above: 1024 - description: List of common names (CN) of subject. 
- example: shared.global.example.net + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' default_field: false - - name: enrichments.x509.subject.country + - name: enrichments.indicator.first_seen level: extended - type: keyword - ignore_above: 1024 - description: List of country (C) code - example: US + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.x509.subject.distinguished_name - level: extended + - name: enrichments.indicator.geo.city_name + level: core type: keyword ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + description: City name. + example: Montreal default_field: false - - name: enrichments.x509.subject.locality - level: extended + - name: enrichments.indicator.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: List of locality names (L) - example: San Francisco + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: enrichments.x509.subject.organization - level: extended + - name: enrichments.indicator.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: List of organizations (O) of subject. - example: Example, Inc. + description: Name of the continent. + example: North America default_field: false - - name: enrichments.x509.subject.organizational_unit - level: extended + - name: enrichments.indicator.geo.country_iso_code + level: core type: keyword ignore_above: 1024 - description: List of organizational units (OU) of subject. + description: Country ISO code. 
+ example: CA default_field: false - - name: enrichments.x509.subject.state_or_province - level: extended + - name: enrichments.indicator.geo.country_name + level: core type: keyword ignore_above: 1024 - description: List of state or province names (ST, S, or P) - example: California + description: Country name. + example: Canada + default_field: false + - name: enrichments.indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - - name: enrichments.x509.version_number + - name: enrichments.indicator.geo.name level: extended type: keyword ignore_above: 1024 - description: Version of x509 format. - example: 3 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc default_field: false - - name: framework - level: extended + - name: enrichments.indicator.geo.postal_code + level: core type: keyword ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias - level: extended + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: enrichments.indicator.geo.region_iso_code + level: core type: keyword ignore_above: 1024 - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. 
While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' + description: Region ISO code. + example: CA-QC default_field: false - - name: group.id - level: extended + - name: enrichments.indicator.geo.region_name + level: core type: keyword ignore_above: 1024 - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 + description: Region name. + example: Quebec default_field: false - - name: group.name - level: extended + - name: enrichments.indicator.geo.timezone + level: core type: keyword ignore_above: 1024 - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: group.reference + - name: enrichments.indicator.hash.md5 level: extended type: keyword ignore_above: 1024 - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - default_field: false - - name: indicator.as.number - level: extended - type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 + description: MD5 hash. 
default_field: false - - name: indicator.as.organization.name + - name: enrichments.indicator.hash.sha1 level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC + description: SHA1 hash. default_field: false - - name: indicator.confidence + - name: enrichments.indicator.hash.sha256 level: extended type: keyword ignore_above: 1024 - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High + description: SHA256 hash. default_field: false - - name: indicator.description + - name: enrichments.indicator.hash.sha512 level: extended type: keyword ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. + description: SHA512 hash. default_field: false - - name: indicator.email.address + - name: enrichments.indicator.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com + description: SSDEEP hash. default_field: false - - name: indicator.file.accessed + - name: enrichments.indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: enrichments.indicator.last_seen level: extended type: date - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' + description: The date and time when intelligence source last reported sighting + this indicator. 
+ example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.attributes + - name: enrichments.indicator.marking.tlp level: extended type: keyword ignore_above: 1024 - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White default_field: false - - name: indicator.file.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + - name: enrichments.indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.code_signature.signing_id + - name: enrichments.indicator.pe.architecture level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + description: CPU architecture target for the file. + example: x64 default_field: false - - name: indicator.file.code_signature.status + - name: enrichments.indicator.pe.company level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation default_field: false - - name: indicator.file.code_signature.subject_name - level: core + - name: enrichments.indicator.pe.description + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: indicator.file.code_signature.team_id + - name: enrichments.indicator.pe.file_version level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: indicator.file.code_signature.trusted + - name: enrichments.indicator.pe.imphash level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: indicator.file.code_signature.valid + - name: enrichments.indicator.pe.original_file_name level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' 
- example: 'true' + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: indicator.file.created + - name: enrichments.indicator.pe.product level: extended - type: date - description: 'File creation time. - - Note that not all filesystems store the creation time.' + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: indicator.file.ctime + - name: enrichments.indicator.port level: extended - type: date - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 default_field: false - - name: indicator.file.device + - name: enrichments.indicator.provider level: extended type: keyword ignore_above: 1024 - description: Device that is the source of the file. - example: sda + description: The name of the indicator's provider. + example: lrz_urlhaus default_field: false - - name: indicator.file.directory + - name: enrichments.indicator.reference level: extended type: keyword ignore_above: 1024 - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 default_field: false - - name: indicator.file.drive_letter + - name: enrichments.indicator.registry.data.bytes level: extended type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. 
+ ignore_above: 1024 + description: 'Original bytes written with base64 encoding. - The value should be uppercase, and not include the colon.' - example: C + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: indicator.file.elf.architecture - level: extended + - name: enrichments.indicator.registry.data.strings + level: core type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: indicator.file.elf.byte_order - level: extended + - name: enrichments.indicator.registry.data.type + level: core type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: indicator.file.elf.cpu_type - level: extended + - name: enrichments.indicator.registry.hive + level: core type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel - default_field: false - - name: indicator.file.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- default_field: false - - name: indicator.file.elf.exports - level: extended - type: flattened - description: List of exported element names and types. + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: indicator.file.elf.header.abi_version - level: extended + - name: enrichments.indicator.registry.key + level: core type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: indicator.file.elf.header.class - level: extended + - name: enrichments.indicator.registry.path + level: core type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: indicator.file.elf.header.data - level: extended + - name: enrichments.indicator.registry.value + level: core type: keyword ignore_above: 1024 - description: Data table of the ELF header. + description: Name of the value written. + example: Debugger default_field: false - - name: indicator.file.elf.header.entrypoint + - name: enrichments.indicator.scanner_stats level: extended type: long - format: string - description: Header entrypoint of the ELF file. + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 default_field: false - - name: indicator.file.elf.header.object_version + - name: enrichments.indicator.sightings level: extended - type: keyword - ignore_above: 1024 - description: '"0x1" for original ELF files.' + type: long + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 default_field: false - - name: indicator.file.elf.header.os_abi + - name: enrichments.indicator.type level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr default_field: false - - name: indicator.file.elf.header.type + - name: enrichments.indicator.url.domain level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co default_field: false - - name: indicator.file.elf.header.version + - name: enrichments.indicator.url.extension level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. - default_field: false - - name: indicator.file.elf.imports - level: extended - type: flattened - description: List of imported element names and types. - default_field: false - - name: indicator.file.elf.sections - level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. + description: 'The field contains the file extension from the original request + url, excluding the leading dot. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' 
- default_field: false - - name: indicator.file.elf.sections.chi2 - level: extended - type: long - format: number - description: Chi-square probability distribution of the section. - default_field: false - - name: indicator.file.elf.sections.entropy - level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: indicator.file.elf.sections.flags + - name: enrichments.indicator.url.fragment level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' default_field: false - - name: indicator.file.elf.sections.name + - name: enrichments.indicator.url.full level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - - name: indicator.file.elf.sections.physical_offset + - name: enrichments.indicator.url.original level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. - default_field: false - - name: indicator.file.elf.sections.physical_size - level: extended - type: long - format: bytes - description: ELF Section List physical size. + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. 
+ + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: indicator.file.elf.sections.type + - name: enrichments.indicator.url.password level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: Password of the request. default_field: false - - name: indicator.file.elf.sections.virtual_address + - name: enrichments.indicator.url.path level: extended - type: long - format: string - description: ELF Section List virtual address. + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". default_field: false - - name: indicator.file.elf.sections.virtual_size + - name: enrichments.indicator.url.port level: extended type: long format: string - description: ELF Section List virtual size. + description: Port of the request, such as 443. + example: 443 default_field: false - - name: indicator.file.elf.segments + - name: enrichments.indicator.url.query level: extended - type: nested - description: 'An array containing an object for each segment of the ELF file. + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' 
default_field: false - - name: indicator.file.elf.segments.sections + - name: enrichments.indicator.url.registered_domain level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: indicator.file.elf.segments.type + - name: enrichments.indicator.url.scheme level: extended type: keyword ignore_above: 1024 - description: ELF object segment type. + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https default_field: false - - name: indicator.file.elf.shared_libraries + - name: enrichments.indicator.url.subdomain level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: indicator.file.elf.telfhash + - name: enrichments.indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. 
+ description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: indicator.file.extension + - name: enrichments.indicator.url.username level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: Username of the request. default_field: false - - name: indicator.file.gid + - name: enrichments.indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: indicator.file.group + - name: enrichments.indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA default_field: false - - name: indicator.file.inode + - name: enrichments.indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 - description: Inode representing the file in the filesystem. 
- example: '256383' + description: List of country (C) codes + example: US default_field: false - - name: indicator.file.mime_type + - name: enrichments.indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 - description: MIME type should identify the format of the file or stream of bytes + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: enrichments.indicator.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: enrichments.indicator.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: enrichments.indicator.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: enrichments.indicator.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.indicator.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: enrichments.indicator.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. 
+ example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: enrichments.indicator.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: enrichments.indicator.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: enrichments.indicator.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false + default_field: false + - name: enrichments.indicator.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: enrichments.indicator.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: enrichments.indicator.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: enrichments.indicator.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. 
+ example: shared.global.example.net + default_field: false + - name: enrichments.indicator.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: enrichments.indicator.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: enrichments.indicator.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: enrichments.indicator.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: enrichments.indicator.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: enrichments.indicator.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.indicator.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false + - name: enrichments.matched.atomic + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. 
+ example: bad-domain.com + default_field: false + - name: enrichments.matched.field + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + default_field: false + - name: enrichments.matched.id + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + default_field: false + - name: enrichments.matched.index + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + default_field: false + - name: enrichments.matched.type + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + default_field: false + - name: framework + level: extended + type: keyword + ignore_above: 1024 + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: group.alias + level: extended + type: keyword + ignore_above: 1024 + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + default_field: false + - name: group.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. 
While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + default_field: false + - name: group.name + level: extended + type: keyword + ignore_above: 1024 + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + default_field: false + - name: group.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + default_field: false + - name: indicator.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: indicator.as.organization.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC + default_field: false + - name: indicator.confidence + level: extended + type: keyword + ignore_above: 1024 + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + default_field: false + - name: indicator.description + level: extended + type: keyword + ignore_above: 1024 + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. 
+ default_field: false + - name: indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: indicator.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + default_field: false + - name: indicator.file.attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: indicator.file.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: indicator.file.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: indicator.file.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: indicator.file.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: indicator.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: indicator.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: indicator.file.created + level: extended + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' + default_field: false + - name: indicator.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + default_field: false + - name: indicator.file.device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. 
+ example: sda + default_field: false + - name: indicator.file.directory + level: extended + type: keyword + ignore_above: 1024 + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: indicator.file.drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + default_field: false + - name: indicator.file.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: indicator.file.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: indicator.file.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: indicator.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: indicator.file.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: indicator.file.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. 
+ default_field: false + - name: indicator.file.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: indicator.file.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: indicator.file.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: indicator.file.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: indicator.file.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: indicator.file.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: indicator.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: indicator.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: indicator.file.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. 
+ default_field: false + - name: indicator.file.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: indicator.file.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: indicator.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: indicator.file.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: indicator.file.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: indicator.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: indicator.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: indicator.file.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: indicator.file.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: indicator.file.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: indicator.file.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. 
+ default_field: false + - name: indicator.file.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: indicator.file.gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + default_field: false + - name: indicator.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + default_field: false + - name: indicator.file.inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: '256383' + default_field: false + - name: indicator.file.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - - name: indicator.file.mode + - name: indicator.file.mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + default_field: false + - name: indicator.file.mtime + level: extended + type: date + description: Last time the file content was modified. + default_field: false + - name: indicator.file.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + default_field: false + - name: indicator.file.owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. 
+ example: alice + default_field: false + - name: indicator.file.path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + default_field: false + - name: indicator.file.size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + default_field: false + - name: indicator.file.target_path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. + default_field: false + - name: indicator.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + default_field: false + - name: indicator.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: indicator.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: indicator.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. 
+ example: North America + default_field: false + - name: indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. 
+ default_field: false + - name: indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + default_field: false + - name: indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.architecture level: extended type: keyword ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' + description: CPU architecture target for the file. + example: x64 default_field: false - - name: indicator.file.mtime + - name: indicator.pe.company level: extended - type: date - description: Last time the file content was modified. + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation default_field: false - - name: indicator.file.name + - name: indicator.pe.description level: extended type: keyword ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png + description: Internal description of the file, provided at compile-time. + example: Paint default_field: false - - name: indicator.file.owner + - name: indicator.pe.file_version level: extended type: keyword ignore_above: 1024 - description: File owner's username. - example: alice + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: indicator.file.path + - name: indicator.pe.imphash level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: indicator.file.size + - name: indicator.pe.original_file_name level: extended - type: long - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: indicator.file.target_path + - name: indicator.pe.product level: extended type: keyword ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - description: Target path for symlinks. 
+ description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: indicator.file.type + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.provider level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: The name of the indicator's provider. + example: lrz_urlhaus default_field: false - - name: indicator.file.uid + - name: indicator.reference level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 default_field: false - - name: indicator.first_seen + - name: indicator.registry.data.bytes level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: indicator.geo.city_name + - name: indicator.registry.data.strings level: core type: keyword ignore_above: 1024 - description: City name. - example: Montreal + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. 
For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: indicator.geo.continent_code + - name: indicator.registry.data.type level: core type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: indicator.geo.continent_name + - name: indicator.registry.hive level: core type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: indicator.geo.country_iso_code + - name: indicator.registry.key level: core type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: indicator.geo.country_name + - name: indicator.registry.path level: core type: keyword ignore_above: 1024 - description: Country name. - example: Canada + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: indicator.geo.location + - name: indicator.registry.value level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + type: keyword + ignore_above: 1024 + description: Name of the value written. 
+ example: Debugger + default_field: false + - name: indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 + default_field: false + - name: indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + default_field: false + - name: indicator.url.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + default_field: false + - name: indicator.url.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' 
+ example: png + default_field: false + - name: indicator.url.fragment + level: extended + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + default_field: false + - name: indicator.url.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + default_field: false + - name: indicator.url.original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + default_field: false + - name: indicator.url.password + level: extended + type: keyword + ignore_above: 1024 + description: Password of the request. + default_field: false + - name: indicator.url.path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + default_field: false + - name: indicator.url.port + level: extended + type: long + format: string + description: Port of the request, such as 443. + example: 443 + default_field: false + - name: indicator.url.query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. 
If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' default_field: false - - name: indicator.geo.name + - name: indicator.url.registered_domain level: extended type: keyword ignore_above: 1024 - description: 'User-defined description of a location, at the level of granularity - they care about. + description: 'The highest registered url domain, stripped of the subdomain. - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + For example, the registered domain for "foo.example.com" is "example.com". - Not typically used in automated geolocation.' - example: boston-dc + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com default_field: false - - name: indicator.geo.postal_code - level: core + - name: indicator.url.scheme + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. + description: 'Scheme of the request, such as "https". - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + Note: The `:` is not part of the scheme.' + example: https default_field: false - - name: indicator.geo.region_iso_code - level: core + - name: indicator.url.subdomain + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. 
+ + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east default_field: false - - name: indicator.geo.region_name - level: core + - name: indicator.url.top_level_domain + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: indicator.geo.timezone - level: core + - name: indicator.url.username + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: Username of the request. default_field: false - - name: indicator.hash.md5 + - name: indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: MD5 hash. + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: indicator.hash.sha1 + - name: indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 - description: SHA1 hash. + description: List of common name (CN) of issuing certificate authority. 
+ example: Example SHA2 High Assurance Server CA default_field: false - - name: indicator.hash.sha256 + - name: indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. + description: List of country (C) codes + example: US default_field: false - - name: indicator.hash.sha512 + - name: indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 - description: SHA512 hash. + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA default_field: false - - name: indicator.hash.ssdeep + - name: indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: indicator.ip - level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - default_field: false - - name: indicator.last_seen - level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + description: List of locality names (L) + example: Mountain View default_field: false - - name: indicator.marking.tlp + - name: indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - default_field: false - - name: indicator.modified_at - level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc default_field: false - - name: indicator.pe.architecture + - name: indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com default_field: false - - name: indicator.pe.company + - name: indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.pe.description + - name: indicator.x509.not_after level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 default_field: false - - name: indicator.pe.file_version + - name: indicator.x509.not_before level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 default_field: false - - name: indicator.pe.imphash + - name: indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf + description: Algorithm used to generate the public key. + example: RSA default_field: false - - name: indicator.pe.original_file_name + - name: indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: indicator.pe.product + - name: indicator.x509.public_key_exponent level: extended - type: keyword - ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false default_field: false - - name: indicator.port + - name: indicator.x509.public_key_size level: extended type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: indicator.provider + - name: indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 - description: The name of the indicator's provider. - example: lrz_urlhaus + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: indicator.reference + - name: indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 + description: Identifier for certificate signature algorithm. 
We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA default_field: false - - name: indicator.registry.data.bytes + - name: indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: indicator.registry.data.strings - level: core + - name: indicator.x509.subject.country + level: extended type: keyword ignore_above: 1024 - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + description: List of country (C) code + example: US default_field: false - - name: indicator.registry.data.type - level: core + - name: indicator.x509.subject.distinguished_name + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: Distinguished name (DN) of the certificate subject entity. 
+ example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: indicator.registry.hive - level: core + - name: indicator.x509.subject.locality + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + description: List of locality names (L) + example: San Francisco default_field: false - - name: indicator.registry.key - level: core + - name: indicator.x509.subject.organization + level: extended type: keyword ignore_above: 1024 - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: indicator.registry.path - level: core + - name: indicator.x509.subject.organizational_unit + level: extended type: keyword ignore_above: 1024 - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + description: List of organizational units (OU) of subject. default_field: false - - name: indicator.registry.value - level: core + - name: indicator.x509.subject.state_or_province + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger - default_field: false - - name: indicator.scanner_stats - level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - default_field: false - - name: indicator.sightings - level: extended - type: long - description: Number of times this indicator was observed conducting threat activity. 
- example: 20 + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.type + - name: indicator.x509.version_number level: extended type: keyword ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr + description: Version of x509 format. + example: 3 default_field: false - name: software.id level: extended diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 3d159f8746..ace23db9f2 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -668,15 +668,88 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 2.0.0-dev,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event. 2.0.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.md5,keyword,extended,,,MD5 hash. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev,true,threat,threat.enrichments.indicator.as.ssdeep,keyword,extended,,,SSDEEP hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +2.0.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. 2.0.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,High,Indicator confidence rating 2.0.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 2.0.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +2.0.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 
+2.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
+2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. 
+2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +2.0.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. 
+2.0.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +2.0.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +2.0.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev,true,threat,threat.enrichments.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,text,extended,,,Target path for symlinks. +2.0.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +2.0.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 2.0.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 
+2.0.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +2.0.0-dev,true,threat,threat.enrichments.indicator.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev,true,threat,threat.enrichments.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. 2.0.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 2.0.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
2.0.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking 
@@ -701,51 +774,51 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +2.0.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +2.0.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.path,keyword,extended,,,"Path of the request, such as ""/search""." +2.0.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." 
+2.0.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +2.0.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. 
+2.0.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+2.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 2.0.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value 2.0.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field 2.0.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier 2.0.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index 2.0.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -2.0.0-dev,true,threat,threat.enrichments.url.domain,keyword,extended,,www.elastic.co,Domain of the url. -2.0.0-dev,true,threat,threat.enrichments.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -2.0.0-dev,true,threat,threat.enrichments.url.fragment,keyword,extended,,,Portion of the url after the `#`. -2.0.0-dev,true,threat,threat.enrichments.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -2.0.0-dev,true,threat,threat.enrichments.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
-2.0.0-dev,true,threat,threat.enrichments.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -2.0.0-dev,true,threat,threat.enrichments.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -2.0.0-dev,true,threat,threat.enrichments.url.password,keyword,extended,,,Password of the request. -2.0.0-dev,true,threat,threat.enrichments.url.path,keyword,extended,,,"Path of the request, such as ""/search""." -2.0.0-dev,true,threat,threat.enrichments.url.port,long,extended,,443,"Port of the request, such as 443." -2.0.0-dev,true,threat,threat.enrichments.url.query,keyword,extended,,,Query string of the request. -2.0.0-dev,true,threat,threat.enrichments.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -2.0.0-dev,true,threat,threat.enrichments.url.scheme,keyword,extended,,https,Scheme of the url. -2.0.0-dev,true,threat,threat.enrichments.url.subdomain,keyword,extended,,east,The subdomain of the domain. -2.0.0-dev,true,threat,threat.enrichments.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -2.0.0-dev,true,threat,threat.enrichments.url.username,keyword,extended,,,Username of the request. -2.0.0-dev,true,threat,threat.enrichments.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -2.0.0-dev,true,threat,threat.enrichments.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
-2.0.0-dev,true,threat,threat.enrichments.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -2.0.0-dev,true,threat,threat.enrichments.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -2.0.0-dev,true,threat,threat.enrichments.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -2.0.0-dev,true,threat,threat.enrichments.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -2.0.0-dev,true,threat,threat.enrichments.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -2.0.0-dev,true,threat,threat.enrichments.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,threat,threat.enrichments.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -2.0.0-dev,true,threat,threat.enrichments.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -2.0.0-dev,true,threat,threat.enrichments.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -2.0.0-dev,true,threat,threat.enrichments.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. -2.0.0-dev,false,threat,threat.enrichments.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -2.0.0-dev,true,threat,threat.enrichments.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. 
-2.0.0-dev,true,threat,threat.enrichments.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -2.0.0-dev,true,threat,threat.enrichments.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -2.0.0-dev,true,threat,threat.enrichments.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -2.0.0-dev,true,threat,threat.enrichments.x509.subject.country,keyword,extended,array,US,List of country (C) code -2.0.0-dev,true,threat,threat.enrichments.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -2.0.0-dev,true,threat,threat.enrichments.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -2.0.0-dev,true,threat,threat.enrichments.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -2.0.0-dev,true,threat,threat.enrichments.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -2.0.0-dev,true,threat,threat.enrichments.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -2.0.0-dev,true,threat,threat.enrichments.x509.version_number,keyword,extended,,3,Version of x509 format. 2.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. 2.0.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. 2.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. 
@@ -857,6 +930,46 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +2.0.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +2.0.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +2.0.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +2.0.0-dev,true,threat,threat.indicator.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev,true,threat,threat.indicator.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev,true,threat,threat.indicator.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev,true,threat,threat.indicator.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +2.0.0-dev,true,threat,threat.indicator.url.path,keyword,extended,,,"Path of the request, such as ""/search""." +2.0.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +2.0.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +2.0.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." 
+2.0.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +2.0.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +2.0.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +2.0.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. 
+2.0.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +2.0.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +2.0.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
+2.0.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 2.0.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software 2.0.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. 2.0.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 2c8767b73c..db3ae9236e 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8551,60 +8551,34 @@ threat.enrichments.indicator: normalize: [] short: Object containing indicators enriching the event. type: object -threat.enrichments.indicator.as.md5: - dashed_name: threat-enrichments-indicator-as-md5 - description: MD5 hash. - flat_name: threat.enrichments.indicator.as.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword -threat.enrichments.indicator.as.sha1: - dashed_name: threat-enrichments-indicator-as-sha1 - description: SHA1 hash. - flat_name: threat.enrichments.indicator.as.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword -threat.enrichments.indicator.as.sha256: - dashed_name: threat-enrichments-indicator-as-sha256 - description: SHA256 hash. - flat_name: threat.enrichments.indicator.as.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -threat.enrichments.indicator.as.sha512: - dashed_name: threat-enrichments-indicator-as-sha512 - description: SHA512 hash. - flat_name: threat.enrichments.indicator.as.sha512 - ignore_above: 1024 +threat.enrichments.indicator.as.number: + dashed_name: threat-enrichments-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.enrichments.indicator.as.number level: extended - name: sha512 + name: number normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword -threat.enrichments.indicator.as.ssdeep: - dashed_name: threat-enrichments-indicator-as-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.indicator.as.ssdeep + original_fieldset: as + short: Unique number allocated to the autonomous system. 
+ type: long +threat.enrichments.indicator.as.organization.name: + dashed_name: threat-enrichments-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.enrichments.indicator.as.organization.name ignore_above: 1024 level: extended - name: ssdeep + multi_fields: + - flat_name: threat.enrichments.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: as + short: Organization name. type: keyword threat.enrichments.indicator.confidence: beta: This field is beta and subject to change. 
@@ -8646,2271 +8620,3698 @@ threat.enrichments.indicator.email.address: normalize: [] short: Indicator email address type: keyword -threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.first_seen +threat.enrichments.indicator.file.accessed: + dashed_name: threat-enrichments-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.indicator.file.accessed level: extended - name: enrichments.indicator.first_seen + name: accessed normalize: [] - short: Date/time indicator was first reported. + original_fieldset: file + short: Last time the file was accessed. type: date -threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of direction). - example: 1.2.3.4 - flat_name: threat.enrichments.indicator.ip - level: extended - name: enrichments.indicator.ip - normalize: [] - short: Indicator IP address - type: ip -threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-last-seen - description: The date and time when intelligence source last reported sighting this - indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.last_seen +threat.enrichments.indicator.file.attributes: + dashed_name: threat-enrichments-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.indicator.file.attributes + ignore_above: 1024 level: extended - name: enrichments.indicator.last_seen + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.enrichments.indicator.file.code_signature.exists: + dashed_name: threat-enrichments-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.exists + level: core + name: exists normalize: [] - short: Date/time indicator was last reported. - type: date -threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White - flat_name: threat.enrichments.indicator.marking.tlp + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.enrichments.indicator.file.code_signature.signing_id: + dashed_name: threat-enrichments-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended - name: enrichments.indicator.marking.tlp + name: signing_id normalize: [] - short: Indicator TLP marking + original_fieldset: code_signature + short: The identifier used to sign the process. 
type: keyword -threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.modified_at - level: extended - name: enrichments.indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date -threat.enrichments.indicator.pe.architecture: - dashed_name: threat-enrichments-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.enrichments.indicator.pe.architecture +threat.enrichments.indicator.file.code_signature.status: + dashed_name: threat-enrichments-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.indicator.file.code_signature.status ignore_above: 1024 level: extended - name: architecture + name: status normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword -threat.enrichments.indicator.pe.company: - dashed_name: threat-enrichments-indicator-pe-company - description: Internal company name of the file, provided at compile-time. 
+threat.enrichments.indicator.file.code_signature.subject_name: + dashed_name: threat-enrichments-indicator-file-code-signature-subject-name + description: Subject name of the code signer example: Microsoft Corporation - flat_name: threat.enrichments.indicator.pe.company + flat_name: threat.enrichments.indicator.file.code_signature.subject_name ignore_above: 1024 - level: extended - name: company + level: core + name: subject_name normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: code_signature + short: Subject name of the code signer type: keyword -threat.enrichments.indicator.pe.description: - dashed_name: threat-enrichments-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.enrichments.indicator.pe.description +threat.enrichments.indicator.file.code_signature.team_id: + dashed_name: threat-enrichments-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: description + name: team_id normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -threat.enrichments.indicator.pe.file_version: - dashed_name: threat-enrichments-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 - flat_name: threat.enrichments.indicator.pe.file_version - ignore_above: 1024 +threat.enrichments.indicator.file.code_signature.trusted: + dashed_name: threat-enrichments-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.trusted level: extended - name: file_version + name: trusted normalize: [] - original_fieldset: pe - short: Process name. - type: keyword -threat.enrichments.indicator.pe.imphash: - dashed_name: threat-enrichments-indicator-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.enrichments.indicator.file.code_signature.valid: + dashed_name: threat-enrichments-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.indicator.pe.imphash + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. 
+ type: boolean +threat.enrichments.indicator.file.created: + dashed_name: threat-enrichments-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.enrichments.indicator.file.ctime: + dashed_name: threat-enrichments-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.enrichments.indicator.file.device: + dashed_name: threat-enrichments-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.indicator.file.device ignore_above: 1024 level: extended - name: imphash + name: device normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + original_fieldset: file + short: Device that is the source of the file. type: keyword -threat.enrichments.indicator.pe.original_file_name: - dashed_name: threat-enrichments-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.enrichments.indicator.pe.original_file_name +threat.enrichments.indicator.file.directory: + dashed_name: threat-enrichments-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. 
+ example: /home/alice + flat_name: threat.enrichments.indicator.file.directory ignore_above: 1024 level: extended - name: original_file_name + name: directory normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: file + short: Directory where the file is located. type: keyword -threat.enrichments.indicator.pe.product: - dashed_name: threat-enrichments-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.indicator.pe.product - ignore_above: 1024 +threat.enrichments.indicator.file.drive_letter: + dashed_name: threat-enrichments-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.indicator.file.drive_letter + ignore_above: 1 level: extended - name: product + name: drive_letter normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: file + short: Drive letter where the file is located. type: keyword -threat.enrichments.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-port - description: Identifies a threat indicator as a port number (irrespective of direction). - example: 443 - flat_name: threat.enrichments.indicator.port - level: extended - name: enrichments.indicator.port - normalize: [] - short: Indicator port - type: long -threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-provider - description: The name of the indicator's provider. 
- example: lrz_urlhaus - flat_name: threat.enrichments.indicator.provider +threat.enrichments.indicator.file.elf.architecture: + dashed_name: threat-enrichments-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.indicator.file.elf.architecture ignore_above: 1024 level: extended - name: enrichments.indicator.provider + name: architecture normalize: [] - short: Indicator provider + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.enrichments.indicator.reference +threat.enrichments.indicator.file.elf.byte_order: + dashed_name: threat-enrichments-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.indicator.file.elf.byte_order ignore_above: 1024 level: extended - name: enrichments.indicator.reference + name: byte_order normalize: [] - short: Indicator reference URL + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword -threat.enrichments.indicator.registry.data.bytes: - dashed_name: threat-enrichments-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' 
- example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.indicator.registry.data.bytes +threat.enrichments.indicator.file.elf.cpu_type: + dashed_name: threat-enrichments-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.indicator.file.elf.cpu_type ignore_above: 1024 level: extended - name: data.bytes + name: cpu_type normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword -threat.enrichments.indicator.registry.data.strings: - dashed_name: threat-enrichments-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single string - registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. - For sequences of string with REG_MULTI_SZ, this array will be variable length. - For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with - the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.indicator.registry.data.strings - ignore_above: 1024 - level: core - name: data.strings +threat.enrichments.indicator.file.elf.creation_date: + dashed_name: threat-enrichments-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. 
+ flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports normalize: - array - original_fieldset: registry - short: List of strings representing what was written to the registry. - type: keyword -threat.enrichments.indicator.registry.data.type: - dashed_name: threat-enrichments-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.indicator.registry.data.type - ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents - type: keyword -threat.enrichments.indicator.registry.hive: - dashed_name: threat-enrichments-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.indicator.registry.hive - ignore_above: 1024 - level: core - name: hive - normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. - type: keyword -threat.enrichments.indicator.registry.key: - dashed_name: threat-enrichments-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.indicator.registry.key + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.header.abi_version: + dashed_name: threat-enrichments-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.indicator.file.elf.header.abi_version ignore_above: 1024 - level: core - name: key + level: extended + name: header.abi_version normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). 
type: keyword -threat.enrichments.indicator.registry.path: - dashed_name: threat-enrichments-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.indicator.registry.path +threat.enrichments.indicator.file.elf.header.class: + dashed_name: threat-enrichments-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.class ignore_above: 1024 - level: core - name: path + level: extended + name: header.class normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + original_fieldset: elf + short: Header class of the ELF file. type: keyword -threat.enrichments.indicator.registry.value: - dashed_name: threat-enrichments-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.indicator.registry.value +threat.enrichments.indicator.file.elf.header.data: + dashed_name: threat-enrichments-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.data ignore_above: 1024 - level: core - name: value - normalize: [] - original_fieldset: registry - short: Name of the value written. - type: keyword -threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file or - URL. - example: 4 - flat_name: threat.enrichments.indicator.scanner_stats level: extended - name: enrichments.indicator.scanner_stats + name: header.data normalize: [] - short: Scanner statistics - type: long -threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.enrichments.indicator.sightings + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.enrichments.indicator.file.elf.header.entrypoint: + dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.entrypoint + format: string level: extended - name: enrichments.indicator.sightings + name: header.entrypoint normalize: [] - short: Number of times indicator observed + original_fieldset: elf + short: Header entrypoint of the ELF file. type: long -threat.enrichments.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ - \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ - \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ - \ * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.enrichments.indicator.type +threat.enrichments.indicator.file.elf.header.object_version: + dashed_name: threat-enrichments-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.enrichments.indicator.file.elf.header.object_version ignore_above: 1024 level: extended - name: enrichments.indicator.type + name: header.object_version normalize: [] - short: Type of indicator + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword -threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic +threat.enrichments.indicator.file.elf.header.os_abi: + dashed_name: threat-enrichments-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended - name: enrichments.matched.atomic + name: header.os_abi normalize: [] - short: Matched indicator value + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword -threat.enrichments.matched.field: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field +threat.enrichments.indicator.file.elf.header.type: + dashed_name: threat-enrichments-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.type ignore_above: 1024 level: extended - name: enrichments.matched.field + name: header.type normalize: [] - short: Matched indicator field + original_fieldset: elf + short: Header type of the ELF file. type: keyword -threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id +threat.enrichments.indicator.file.elf.header.version: + dashed_name: threat-enrichments-indicator-file-elf-header-version + description: Version of the ELF header. 
+ flat_name: threat.enrichments.indicator.file.elf.header.version ignore_above: 1024 level: extended - name: enrichments.matched.id + name: header.version normalize: [] - short: Matched indicator identifier + original_fieldset: elf + short: Version of the ELF header. type: keyword -threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index - ignore_above: 1024 +threat.enrichments.indicator.file.elf.imports: + dashed_name: threat-enrichments-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports level: extended - name: enrichments.matched.index - normalize: [] - short: Matched indicator index - type: keyword -threat.enrichments.matched.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched with - the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type - ignore_above: 1024 + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.sections: + dashed_name: threat-enrichments-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.enrichments.indicator.file.elf.sections level: extended - name: enrichments.matched.type + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested +threat.enrichments.indicator.file.elf.sections.chi2: + dashed_name: threat-enrichments-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 normalize: [] - short: Type of indicator match - type: keyword -threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), - the `[` and `]` characters should also be captured in the `domain` field.' - example: www.elastic.co - flat_name: threat.enrichments.url.domain - ignore_above: 1024 + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.enrichments.indicator.file.elf.sections.entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.entropy + format: number level: extended - name: domain + name: sections.entropy normalize: [] - original_fieldset: url - short: Domain of the url. - type: keyword -threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request url, - excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' 
- example: png - flat_name: threat.enrichments.url.extension + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.enrichments.indicator.file.elf.sections.flags: + dashed_name: threat-enrichments-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: extension + name: sections.flags normalize: [] - original_fieldset: url - short: File extension from the request url, excluding the leading dot. + original_fieldset: elf + short: ELF Section List flags. type: keyword -threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment +threat.enrichments.indicator.file.elf.sections.name: + dashed_name: threat-enrichments-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.enrichments.indicator.file.elf.sections.name ignore_above: 1024 level: extended - name: fragment + name: sections.name normalize: [] - original_fieldset: url - short: Portion of the url after the `#`. + original_fieldset: elf + short: ELF Section List name. type: keyword -threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full +threat.enrichments.indicator.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. 
+ flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.full.text - name: text - norms: false - type: text - name: full + name: sections.physical_offset normalize: [] - original_fieldset: url - short: Full unparsed URL. + original_fieldset: elf + short: ELF Section List offset. type: keyword -threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas in - access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original - ignore_above: 1024 +threat.enrichments.indicator.file.elf.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_size + format: bytes level: extended - multi_fields: - - flat_name: threat.enrichments.url.original.text - name: text - norms: false - type: text - name: original + name: sections.physical_size normalize: [] - original_fieldset: url - short: Unmodified original url as seen in the event source. - type: keyword -threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password - description: Password of the request. - flat_name: threat.enrichments.url.password + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.enrichments.indicator.file.elf.sections.type: + dashed_name: threat-enrichments-indicator-file-elf-sections-type + description: ELF Section List type. 
+ flat_name: threat.enrichments.indicator.file.elf.sections.type ignore_above: 1024 level: extended - name: password + name: sections.type normalize: [] - original_fieldset: url - short: Password of the request. + original_fieldset: elf + short: ELF Section List type. type: keyword -threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path - description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path - ignore_above: 1024 +threat.enrichments.indicator.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address + format: string level: extended - name: path + name: sections.virtual_address normalize: [] - original_fieldset: url - short: Path of the request, such as "/search". - type: keyword -threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port - description: Port of the request, such as 443. - example: 443 - flat_name: threat.enrichments.url.port + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.enrichments.indicator.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size format: string level: extended - name: port + name: sections.virtual_size normalize: [] - original_fieldset: url - short: Port of the request, such as 443. + original_fieldset: elf + short: ELF Section List virtual size. type: long -threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query - description: 'The query field describes the query string of the request, such as - "q=elasticsearch". 
+threat.enrichments.indicator.file.elf.segments: + dashed_name: threat-enrichments-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. - The `?` is excluded from the query string. If a URL contains no `?`, there is - no query field. If there is a `?` but no query, the query field exists with an - empty string. The `exists` query can be used to differentiate between the two - cases.' - flat_name: threat.enrichments.url.query + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.enrichments.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.enrichments.indicator.file.elf.segments.sections: + dashed_name: threat-enrichments-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.indicator.file.elf.segments.sections ignore_above: 1024 level: extended - name: query + name: segments.sections normalize: [] - original_fieldset: url - short: Query string of the request. + original_fieldset: elf + short: ELF object segment sections. type: keyword -threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix list - (http://publicsuffix.org). Trying to approximate this by simply taking the last - two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: threat.enrichments.url.registered_domain +threat.enrichments.indicator.file.elf.segments.type: + dashed_name: threat-enrichments-indicator-file-elf-segments-type + description: ELF object segment type. 
+ flat_name: threat.enrichments.indicator.file.elf.segments.type ignore_above: 1024 level: extended - name: registered_domain + name: segments.type normalize: [] - original_fieldset: url - short: The highest registered url domain, stripped of the subdomain. + original_fieldset: elf + short: ELF object segment type. type: keyword -threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: threat.enrichments.url.scheme +threat.enrichments.indicator.file.elf.shared_libraries: + dashed_name: threat-enrichments-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended - name: scheme - normalize: [] - original_fieldset: url - short: Scheme of the url. + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. type: keyword -threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes all - of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot be - determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the - domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the - subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: threat.enrichments.url.subdomain +threat.enrichments.indicator.file.elf.telfhash: + dashed_name: threat-enrichments-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. 
+ flat_name: threat.enrichments.indicator.file.elf.telfhash ignore_above: 1024 level: extended - name: subdomain + name: telfhash normalize: [] - original_fieldset: url - short: The subdomain of the domain. + original_fieldset: elf + short: telfhash hash for ELF file. type: keyword -threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain suffix, - is the last part of the domain name. For example, the top level domain for example.com - is "com". +threat.enrichments.indicator.file.extension: + dashed_name: threat-enrichments-indicator-file-extension + description: 'File extension, excluding the leading dot. - This value can be determined precisely with a list like the public suffix list - (http://publicsuffix.org). Trying to approximate this by simply taking the last - label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: threat.enrichments.url.top_level_domain + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.file.extension ignore_above: 1024 level: extended - name: top_level_domain + name: extension normalize: [] - original_fieldset: url - short: The effective top level domain (com, org, net, co.uk). + original_fieldset: file + short: File extension, excluding the leading dot. type: keyword -threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username - description: Username of the request. - flat_name: threat.enrichments.url.username +threat.enrichments.indicator.file.gid: + dashed_name: threat-enrichments-indicator-file-gid + description: Primary group ID (GID) of the file. 
+ example: '1001' + flat_name: threat.enrichments.indicator.file.gid ignore_above: 1024 level: extended - name: username + name: gid normalize: [] - original_fieldset: url - short: Username of the request. + original_fieldset: file + short: Primary group ID (GID) of the file. type: keyword -threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names (and - wildcards), and email addresses. - example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names +threat.enrichments.indicator.file.group: + dashed_name: threat-enrichments-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.indicator.file.group ignore_above: 1024 level: extended - name: alternative_names - normalize: - - array - original_fieldset: x509 - short: List of subject alternative names (SAN). + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. type: keyword -threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name +threat.enrichments.indicator.file.inode: + dashed_name: threat-enrichments-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.indicator.file.inode ignore_above: 1024 level: extended - name: issuer.common_name - normalize: - - array - original_fieldset: x509 - short: List of common name (CN) of issuing certificate authority. + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. 
type: keyword -threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country - description: List of country (C) codes - example: US - flat_name: threat.enrichments.x509.issuer.country +threat.enrichments.indicator.file.mime_type: + dashed_name: threat-enrichments-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.enrichments.indicator.file.mime_type ignore_above: 1024 level: extended - name: issuer.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) codes + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. type: keyword -threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name +threat.enrichments.indicator.file.mode: + dashed_name: threat-enrichments-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.indicator.file.mode ignore_above: 1024 level: extended - name: issuer.distinguished_name + name: mode normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of issuing certificate authority. + original_fieldset: file + short: Mode of the file in octal representation. 
type: keyword -threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality - description: List of locality names (L) - example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality - ignore_above: 1024 +threat.enrichments.indicator.file.mtime: + dashed_name: threat-enrichments-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.indicator.file.mtime level: extended - name: issuer.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) - type: keyword -threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date +threat.enrichments.indicator.file.name: + dashed_name: threat-enrichments-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.enrichments.indicator.file.name ignore_above: 1024 level: extended - name: issuer.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of issuing certificate authority. + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword -threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit +threat.enrichments.indicator.file.owner: + dashed_name: threat-enrichments-indicator-file-owner + description: File owner's username. 
+ example: alice + flat_name: threat.enrichments.indicator.file.owner ignore_above: 1024 level: extended - name: issuer.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of issuing certificate authority. + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. type: keyword -threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.issuer.state_or_province +threat.enrichments.indicator.file.path: + dashed_name: threat-enrichments-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.indicator.file.path ignore_above: 1024 level: extended - name: issuer.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) - type: keyword -threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after - level: extended - name: not_after + multi_fields: + - flat_name: threat.enrichments.indicator.file.path.text + name: text + norms: false + type: text + name: path normalize: [] - original_fieldset: x509 - short: Time at which the certificate is no longer considered valid. - type: date -threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + original_fieldset: file + short: Full path to the file, including the file name. 
+ type: keyword +threat.enrichments.indicator.file.size: + dashed_name: threat-enrichments-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.indicator.file.size level: extended - name: not_before + name: size normalize: [] - original_fieldset: x509 - short: Time at which the certificate is first considered valid. - type: date -threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm - description: Algorithm used to generate the public key. - example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + original_fieldset: file + short: File size in bytes. + type: long +threat.enrichments.indicator.file.target_path: + dashed_name: threat-enrichments-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.enrichments.indicator.file.target_path ignore_above: 1024 level: extended - name: public_key_algorithm + multi_fields: + - flat_name: threat.enrichments.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path normalize: [] - original_fieldset: x509 - short: Algorithm used to generate the public key. + original_fieldset: file + short: Target path for symlinks. type: keyword -threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve - description: The curve used by the elliptic curve public key algorithm. This is - algorithm specific. - example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve +threat.enrichments.indicator.file.type: + dashed_name: threat-enrichments-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.indicator.file.type ignore_above: 1024 level: extended - name: public_key_curve + name: type normalize: [] - original_fieldset: x509 - short: The curve used by the elliptic curve public key algorithm. 
This is algorithm - specific. + original_fieldset: file + short: File type (file, dir, or symlink). type: keyword -threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent - description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent - index: false +threat.enrichments.indicator.file.uid: + dashed_name: threat-enrichments-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.indicator.file.uid + ignore_above: 1024 level: extended - name: public_key_exponent + name: uid normalize: [] - original_fieldset: x509 - short: Exponent used to derive the public key. This is algorithm specific. - type: long -threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size - description: The size of the public key space in bits. - example: 2048 - flat_name: threat.enrichments.x509.public_key_size + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen level: extended - name: public_key_size + name: enrichments.indicator.first_seen normalize: [] - original_fieldset: x509 - short: The size of the public key space in bits. - type: long -threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number - description: Unique serial number issued by the certificate authority. 
For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + short: Date/time indicator was first reported. + type: date +threat.enrichments.indicator.geo.city_name: + dashed_name: threat-enrichments-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.indicator.geo.city_name ignore_above: 1024 - level: extended - name: serial_number + level: core + name: city_name normalize: [] - original_fieldset: x509 - short: Unique serial number issued by the certificate authority. + original_fieldset: geo + short: City name. type: keyword -threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm +threat.enrichments.indicator.geo.continent_code: + dashed_name: threat-enrichments-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: signature_algorithm + level: core + name: continent_code normalize: [] - original_fieldset: x509 - short: Identifier for certificate signature algorithm. + original_fieldset: geo + short: Continent code. type: keyword -threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name - description: List of common names (CN) of subject. 
- example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name +threat.enrichments.indicator.geo.continent_name: + dashed_name: threat-enrichments-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.enrichments.indicator.geo.continent_name ignore_above: 1024 - level: extended - name: subject.common_name - normalize: - - array - original_fieldset: x509 - short: List of common names (CN) of subject. + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. type: keyword -threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country - description: List of country (C) code - example: US - flat_name: threat.enrichments.x509.subject.country +threat.enrichments.indicator.geo.country_iso_code: + dashed_name: threat-enrichments-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.indicator.geo.country_iso_code ignore_above: 1024 - level: extended - name: subject.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) code + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. type: keyword -threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name +threat.enrichments.indicator.geo.country_name: + dashed_name: threat-enrichments-indicator-geo-country-name + description: Country name. 
+ example: Canada + flat_name: threat.enrichments.indicator.geo.country_name ignore_above: 1024 - level: extended - name: subject.distinguished_name + level: core + name: country_name normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of the certificate subject entity. + original_fieldset: geo + short: Country name. type: keyword -threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality - description: List of locality names (L) - example: San Francisco - flat_name: threat.enrichments.x509.subject.locality - ignore_above: 1024 - level: extended - name: subject.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) - type: keyword -threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization - description: List of organizations (O) of subject. - example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization +threat.enrichments.indicator.geo.location: + dashed_name: threat-enrichments-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +threat.enrichments.indicator.geo.name: + dashed_name: threat-enrichments-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.indicator.geo.name ignore_above: 1024 level: extended - name: subject.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of subject. 
+ name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. type: keyword -threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit - description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit +threat.enrichments.indicator.geo.postal_code: + dashed_name: threat-enrichments-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.indicator.geo.postal_code ignore_above: 1024 - level: extended - name: subject.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of subject. + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. type: keyword -threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.subject.state_or_province +threat.enrichments.indicator.geo.region_iso_code: + dashed_name: threat-enrichments-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.indicator.geo.region_iso_code ignore_above: 1024 - level: extended - name: subject.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. type: keyword -threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number - description: Version of x509 format. 
- example: 3 - flat_name: threat.enrichments.x509.version_number +threat.enrichments.indicator.geo.region_name: + dashed_name: threat-enrichments-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.indicator.geo.region_name ignore_above: 1024 - level: extended - name: version_number + level: core + name: region_name normalize: [] - original_fieldset: x509 - short: Version of x509 format. + original_fieldset: geo + short: Region name. type: keyword -threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification can - be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework +threat.enrichments.indicator.geo.timezone: + dashed_name: threat-enrichments-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.indicator.geo.timezone ignore_above: 1024 - level: extended - name: framework + level: core + name: timezone normalize: [] - short: Threat classification framework. + original_fieldset: geo + short: Time zone. type: keyword -threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias +threat.enrichments.indicator.hash.md5: + dashed_name: threat-enrichments-indicator-hash-md5 + description: MD5 hash. 
+ flat_name: threat.enrichments.indicator.hash.md5 ignore_above: 1024 level: extended - name: group.alias - normalize: - - array - short: Alias of the group. + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. type: keyword -threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that are\ - \ tracked by a common name in the security community. While not required, you\ - \ can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id +threat.enrichments.indicator.hash.sha1: + dashed_name: threat-enrichments-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.hash.sha1 ignore_above: 1024 level: extended - name: group.id + name: sha1 normalize: [] - short: ID of the group. + original_fieldset: hash + short: SHA1 hash. type: keyword -threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name +threat.enrichments.indicator.hash.sha256: + dashed_name: threat-enrichments-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.hash.sha256 ignore_above: 1024 level: extended - name: group.name + name: sha256 normalize: [] - short: Name of the group. + original_fieldset: hash + short: SHA256 hash. type: keyword -threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group reference URL." 
- example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference +threat.enrichments.indicator.hash.sha512: + dashed_name: threat-enrichments-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.hash.sha512 ignore_above: 1024 level: extended - name: group.reference + name: sha512 normalize: [] - short: Reference URL of the group. + original_fieldset: hash + short: SHA512 hash. type: keyword -threat.indicator.as.number: - dashed_name: threat-indicator-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: threat.indicator.as.number - level: extended - name: number - normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. - type: long -threat.indicator.as.organization.name: - dashed_name: threat-indicator-as-organization-name - description: Organization name. - example: Google LLC - flat_name: threat.indicator.as.organization.name +threat.enrichments.indicator.hash.ssdeep: + dashed_name: threat-enrichments-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.hash.ssdeep ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.indicator.as.organization.name.text - name: text - norms: false - type: text - name: organization.name + name: ssdeep normalize: [] - original_fieldset: as - short: Organization name. + original_fieldset: hash + short: SSDEEP hash. type: keyword -threat.indicator.confidence: +threat.enrichments.indicator.ip: beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip level: extended - name: indicator.confidence + name: enrichments.indicator.ip normalize: [] - short: Indicator confidence rating - type: keyword -threat.indicator.description: + short: Indicator IP address + type: ip +threat.enrichments.indicator.last_seen: beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description - ignore_above: 1024 + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen level: extended - name: indicator.description + name: enrichments.indicator.last_seen normalize: [] - short: Indicator description - type: keyword -threat.indicator.email.address: + short: Date/time indicator was last reported. + type: date +threat.enrichments.indicator.marking.tlp: beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective of - direction). 
- example: phish@example.com - flat_name: threat.indicator.email.address + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp ignore_above: 1024 level: extended - name: indicator.email.address + name: enrichments.indicator.marking.tlp normalize: [] - short: Indicator email address + short: Indicator TLP marking type: keyword -threat.indicator.file.accessed: - dashed_name: threat-indicator-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - flat_name: threat.indicator.file.accessed +threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at level: extended - name: accessed + name: enrichments.indicator.modified_at normalize: [] - original_fieldset: file - short: Last time the file was accessed. + short: Date/time indicator was last updated. type: date -threat.indicator.file.attributes: - dashed_name: threat-indicator-file-attributes - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, execute, - hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.indicator.file.attributes +threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: threat.enrichments.indicator.pe.architecture ignore_above: 1024 level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. - type: keyword -threat.indicator.file.code_signature.exists: - dashed_name: threat-indicator-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.indicator.file.code_signature.exists - level: core - name: exists + name: architecture normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -threat.indicator.file.code_signature.signing_id: - dashed_name: threat-indicator-file-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.indicator.file.code_signature.signing_id + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.pe.company ignore_above: 1024 level: extended - name: signing_id + name: company normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword -threat.indicator.file.code_signature.status: - dashed_name: threat-indicator-file-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. 
Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.indicator.file.code_signature.status +threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.indicator.pe.description ignore_above: 1024 level: extended - name: status + name: description normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword -threat.indicator.file.code_signature.subject_name: - dashed_name: threat-indicator-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.indicator.file.code_signature.subject_name +threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.indicator.pe.file_version ignore_above: 1024 - level: core - name: subject_name + level: extended + name: file_version normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: pe + short: Process name. type: keyword -threat.indicator.file.code_signature.team_id: - dashed_name: threat-indicator-file-code-signature-team-id - description: 'The team identifier used to sign the process. +threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
- This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.indicator.file.code_signature.team_id + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.indicator.pe.imphash ignore_above: 1024 level: extended - name: team_id + name: imphash normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -threat.indicator.file.code_signature.trusted: - dashed_name: threat-indicator-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.indicator.file.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -threat.indicator.file.code_signature.valid: - dashed_name: threat-indicator-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.indicator.file.code_signature.valid +threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: threat.enrichments.indicator.pe.original_file_name + ignore_above: 1024 level: extended - name: valid + name: original_file_name normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -threat.indicator.file.created: - dashed_name: threat-indicator-file-created - description: 'File creation time. - - Note that not all filesystems store the creation time.' - flat_name: threat.indicator.file.created + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.indicator.pe.product + ignore_above: 1024 level: extended - name: created + name: product normalize: [] - original_fieldset: file - short: File creation time. - type: date -threat.indicator.file.ctime: - dashed_name: threat-indicator-file-ctime - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.indicator.file.ctime + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.enrichments.indicator.port level: extended - name: ctime + name: enrichments.indicator.port normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. 
- type: date -threat.indicator.file.device: - dashed_name: threat-indicator-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.indicator.file.device + short: Indicator port + type: long +threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider ignore_above: 1024 level: extended - name: device + name: enrichments.indicator.provider normalize: [] - original_fieldset: file - short: Device that is the source of the file. + short: Indicator provider type: keyword -threat.indicator.file.directory: - dashed_name: threat-indicator-file-directory - description: Directory where the file is located. It should include the drive letter, - when appropriate. - example: /home/alice - flat_name: threat.indicator.file.directory +threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference ignore_above: 1024 level: extended - name: directory + name: enrichments.indicator.reference normalize: [] - original_fieldset: file - short: Directory where the file is located. + short: Indicator reference URL type: keyword -threat.indicator.file.drive_letter: - dashed_name: threat-indicator-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. +threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. - The value should be uppercase, and not include the colon.' 
- example: C - flat_name: threat.indicator.file.drive_letter - ignore_above: 1 - level: extended - name: drive_letter - normalize: [] - original_fieldset: file - short: Drive letter where the file is located. - type: keyword -threat.indicator.file.elf.architecture: - dashed_name: threat-indicator-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.indicator.file.elf.architecture + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.registry.data.bytes ignore_above: 1024 level: extended - name: architecture + name: data.bytes normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword -threat.indicator.file.elf.byte_order: - dashed_name: threat-indicator-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.indicator.file.elf.byte_order +threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' 
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.registry.data.strings ignore_above: 1024 - level: extended - name: byte_order - normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. type: keyword -threat.indicator.file.elf.cpu_type: - dashed_name: threat-indicator-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.indicator.file.elf.cpu_type +threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.registry.data.type ignore_above: 1024 - level: extended - name: cpu_type + level: core + name: data.type normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword -threat.indicator.file.elf.creation_date: - dashed_name: threat-indicator-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: threat.indicator.file.elf.creation_date - level: extended - name: creation_date +threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -threat.indicator.file.elf.exports: - dashed_name: threat-indicator-file-elf-exports - description: List of exported element names and types. 
- flat_name: threat.indicator.file.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -threat.indicator.file.elf.header.abi_version: - dashed_name: threat-indicator-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.indicator.file.elf.header.abi_version + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.registry.key ignore_above: 1024 - level: extended - name: header.abi_version + level: core + name: key normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: registry + short: Hive-relative path of keys. type: keyword -threat.indicator.file.elf.header.class: - dashed_name: threat-indicator-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.indicator.file.elf.header.class +threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.registry.path ignore_above: 1024 - level: extended - name: header.class + level: core + name: path normalize: [] - original_fieldset: elf - short: Header class of the ELF file. 
+ original_fieldset: registry + short: Full path, including hive, key and value type: keyword -threat.indicator.file.elf.header.data: - dashed_name: threat-indicator-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.indicator.file.elf.header.data +threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.indicator.registry.value ignore_above: 1024 - level: extended - name: header.data + level: core + name: value normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: registry + short: Name of the value written. type: keyword -threat.indicator.file.elf.header.entrypoint: - dashed_name: threat-indicator-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.indicator.file.elf.header.entrypoint - format: string +threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats level: extended - name: header.entrypoint + name: enrichments.indicator.scanner_stats normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. + short: Scanner statistics type: long -threat.indicator.file.elf.header.object_version: - dashed_name: threat-indicator-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.indicator.file.elf.header.object_version +threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ + \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ + \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ + \ * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type ignore_above: 1024 level: extended - name: header.object_version + name: enrichments.indicator.type normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + short: Type of indicator type: keyword -threat.indicator.file.elf.header.os_abi: - dashed_name: threat-indicator-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.indicator.file.elf.header.os_abi +threat.enrichments.indicator.url.domain: + dashed_name: threat-enrichments-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.enrichments.indicator.url.domain ignore_above: 1024 level: extended - name: header.os_abi + name: domain normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: url + short: Domain of the url. 
type: keyword -threat.indicator.file.elf.header.type: - dashed_name: threat-indicator-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.indicator.file.elf.header.type +threat.enrichments.indicator.url.extension: + dashed_name: threat-enrichments-indicator-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.url.extension ignore_above: 1024 level: extended - name: header.type + name: extension normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword -threat.indicator.file.elf.header.version: - dashed_name: threat-indicator-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.indicator.file.elf.header.version +threat.enrichments.indicator.url.fragment: + dashed_name: threat-enrichments-indicator-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.indicator.url.fragment ignore_above: 1024 level: extended - name: header.version + name: fragment normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword -threat.indicator.file.elf.imports: - dashed_name: threat-indicator-file-elf-imports - description: List of imported element names and types. 
- flat_name: threat.indicator.file.elf.imports +threat.enrichments.indicator.url.full: + dashed_name: threat-enrichments-indicator-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.indicator.url.full + ignore_above: 1024 level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -threat.indicator.file.elf.sections: - dashed_name: threat-indicator-file-elf-sections - description: 'An array containing an object for each section of the ELF file. + multi_fields: + - flat_name: threat.enrichments.indicator.url.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: url + short: Full unparsed URL. + type: keyword +threat.enrichments.indicator.url.original: + dashed_name: threat-enrichments-indicator-url-original + description: 'Unmodified original url as seen in the event source. - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: threat.indicator.file.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -threat.indicator.file.elf.sections.chi2: - dashed_name: threat-indicator-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.indicator.file.elf.sections.chi2 - format: number - level: extended - name: sections.chi2 - normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -threat.indicator.file.elf.sections.entropy: - dashed_name: threat-indicator-file-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: threat.indicator.file.elf.sections.entropy - format: number - level: extended - name: sections.entropy - normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -threat.indicator.file.elf.sections.flags: - dashed_name: threat-indicator-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.indicator.file.elf.sections.flags + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.indicator.url.original ignore_above: 1024 level: extended - name: sections.flags + multi_fields: + - flat_name: threat.enrichments.indicator.url.original.text + name: text + norms: false + type: text + name: original normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: url + short: Unmodified original url as seen in the event source. type: keyword -threat.indicator.file.elf.sections.name: - dashed_name: threat-indicator-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.indicator.file.elf.sections.name +threat.enrichments.indicator.url.password: + dashed_name: threat-enrichments-indicator-url-password + description: Password of the request. + flat_name: threat.enrichments.indicator.url.password ignore_above: 1024 level: extended - name: sections.name + name: password normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: url + short: Password of the request. type: keyword -threat.indicator.file.elf.sections.physical_offset: - dashed_name: threat-indicator-file-elf-sections-physical-offset - description: ELF Section List offset. 
- flat_name: threat.indicator.file.elf.sections.physical_offset +threat.enrichments.indicator.url.path: + dashed_name: threat-enrichments-indicator-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.indicator.url.path ignore_above: 1024 level: extended - name: sections.physical_offset + name: path normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: url + short: Path of the request, such as "/search". type: keyword -threat.indicator.file.elf.sections.physical_size: - dashed_name: threat-indicator-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.indicator.file.elf.sections.physical_size - format: bytes +threat.enrichments.indicator.url.port: + dashed_name: threat-enrichments-indicator-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.indicator.url.port + format: string level: extended - name: sections.physical_size + name: port normalize: [] - original_fieldset: elf - short: ELF Section List physical size. + original_fieldset: url + short: Port of the request, such as 443. type: long -threat.indicator.file.elf.sections.type: - dashed_name: threat-indicator-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.indicator.file.elf.sections.type +threat.enrichments.indicator.url.query: + dashed_name: threat-enrichments-indicator-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. The `exists` query can be used to differentiate between the two + cases.' 
+ flat_name: threat.enrichments.indicator.url.query ignore_above: 1024 level: extended - name: sections.type + name: query normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: url + short: Query string of the request. type: keyword -threat.indicator.file.elf.sections.virtual_address: - dashed_name: threat-indicator-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.indicator.file.elf.sections.virtual_address - format: string +threat.enrichments.indicator.url.registered_domain: + dashed_name: threat-enrichments-indicator-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.indicator.url.registered_domain + ignore_above: 1024 level: extended - name: sections.virtual_address + name: registered_domain normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long -threat.indicator.file.elf.sections.virtual_size: - dashed_name: threat-indicator-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.indicator.file.elf.sections.virtual_size - format: string + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: keyword +threat.enrichments.indicator.url.scheme: + dashed_name: threat-enrichments-indicator-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' 
+ example: https + flat_name: threat.enrichments.indicator.url.scheme + ignore_above: 1024 level: extended - name: sections.virtual_size + name: scheme normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -threat.indicator.file.elf.segments: - dashed_name: threat-indicator-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. + original_fieldset: url + short: Scheme of the url. + type: keyword +threat.enrichments.indicator.url.subdomain: + dashed_name: threat-enrichments-indicator-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: threat.indicator.file.elf.segments + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.indicator.url.subdomain + ignore_above: 1024 level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -threat.indicator.file.elf.segments.sections: - dashed_name: threat-indicator-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.indicator.file.elf.segments.sections + name: subdomain + normalize: [] + original_fieldset: url + short: The subdomain of the domain. 
+ type: keyword +threat.enrichments.indicator.url.top_level_domain: + dashed_name: threat-enrichments-indicator-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.indicator.url.top_level_domain ignore_above: 1024 level: extended - name: segments.sections + name: top_level_domain normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.indicator.file.elf.segments.type: - dashed_name: threat-indicator-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.indicator.file.elf.segments.type +threat.enrichments.indicator.url.username: + dashed_name: threat-enrichments-indicator-url-username + description: Username of the request. + flat_name: threat.enrichments.indicator.url.username ignore_above: 1024 level: extended - name: segments.type + name: username normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: url + short: Username of the request. type: keyword -threat.indicator.file.elf.shared_libraries: - dashed_name: threat-indicator-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.indicator.file.elf.shared_libraries +threat.enrichments.indicator.x509.alternative_names: + dashed_name: threat-enrichments-indicator-x509-alternative-names + description: List of subject alternative names (SAN). 
Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.indicator.x509.alternative_names ignore_above: 1024 level: extended - name: shared_libraries + name: alternative_names normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword -threat.indicator.file.elf.telfhash: - dashed_name: threat-indicator-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.indicator.file.elf.telfhash +threat.enrichments.indicator.x509.issuer.common_name: + dashed_name: threat-enrichments-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.indicator.x509.issuer.common_name ignore_above: 1024 level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. type: keyword -threat.indicator.file.extension: - dashed_name: threat-indicator-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' 
- example: png - flat_name: threat.indicator.file.extension +threat.enrichments.indicator.x509.issuer.country: + dashed_name: threat-enrichments-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.indicator.x509.issuer.country ignore_above: 1024 level: extended - name: extension + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +threat.enrichments.indicator.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. type: keyword -threat.indicator.file.gid: - dashed_name: threat-indicator-file-gid - description: Primary group ID (GID) of the file. - example: '1001' +threat.enrichments.indicator.x509.issuer.locality: + dashed_name: threat-enrichments-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.indicator.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.indicator.x509.issuer.organization: + dashed_name: threat-enrichments-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc + flat_name: threat.enrichments.indicator.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword +threat.enrichments.indicator.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +threat.enrichments.indicator.x509.issuer.state_or_province: + dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.indicator.x509.not_after: + dashed_name: threat-enrichments-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.indicator.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +threat.enrichments.indicator.x509.not_before: + dashed_name: threat-enrichments-indicator-x509-not-before + description: Time at which the certificate is first considered valid. 
+ example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.indicator.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +threat.enrichments.indicator.x509.public_key_algorithm: + dashed_name: threat-enrichments-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.indicator.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +threat.enrichments.indicator.x509.public_key_curve: + dashed_name: threat-enrichments-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.enrichments.indicator.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +threat.enrichments.indicator.x509.public_key_exponent: + dashed_name: threat-enrichments-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.indicator.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +threat.enrichments.indicator.x509.public_key_size: + dashed_name: threat-enrichments-indicator-x509-public-key-size + description: The size of the public key space in bits. 
+ example: 2048 + flat_name: threat.enrichments.indicator.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +threat.enrichments.indicator.x509.serial_number: + dashed_name: threat-enrichments-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.indicator.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +threat.enrichments.indicator.x509.signature_algorithm: + dashed_name: threat-enrichments-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.indicator.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword +threat.enrichments.indicator.x509.subject.common_name: + dashed_name: threat-enrichments-indicator-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. 
+ type: keyword +threat.enrichments.indicator.x509.subject.country: + dashed_name: threat-enrichments-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.indicator.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +threat.enrichments.indicator.x509.subject.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +threat.enrichments.indicator.x509.subject.locality: + dashed_name: threat-enrichments-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.indicator.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.indicator.x509.subject.organization: + dashed_name: threat-enrichments-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.indicator.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. 
+ type: keyword +threat.enrichments.indicator.x509.subject.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.indicator.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +threat.enrichments.indicator.x509.subject.state_or_province: + dashed_name: threat-enrichments-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.indicator.x509.version_number: + dashed_name: threat-enrichments-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.indicator.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword +threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic + normalize: [] + short: Matched indicator value + type: keyword +threat.enrichments.matched.field: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 + level: extended + name: enrichments.matched.field + normalize: [] + short: Matched indicator field + type: keyword +threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 + level: extended + name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier + type: keyword +threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 + level: extended + name: enrichments.matched.index + normalize: [] + short: Matched indicator index + type: keyword +threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 + level: extended + name: enrichments.matched.type + normalize: [] + short: Type of indicator match + type: keyword +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. 
Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 + level: extended + name: framework + normalize: [] + short: Threat classification framework. + type: keyword +threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 + level: extended + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id + normalize: [] + short: ID of the group. + type: keyword +threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name + normalize: [] + short: Name of the group. + type: keyword +threat.group.reference: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 + level: extended + name: group.reference + normalize: [] + short: Reference URL of the group. + type: keyword +threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +threat.indicator.confidence: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword +threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + ignore_above: 1024 + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. 
+ type: keyword +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword +threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. 
+ type: date +threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword +threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' 
+ flat_name: threat.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword +threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword +threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' 
+ flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. 
+ flat_name: threat.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. 
+ + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. 
+ + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended - name: gid + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword +threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. 
+ type: keyword +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date +threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword +threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. 
+ type: keyword +threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: keyword +threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. 
+ type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point +threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword +threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). 
+ example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + short: Indicator TLP marking type: keyword -threat.indicator.file.group: - dashed_name: threat-indicator-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.indicator.file.group - ignore_above: 1024 +threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: group + name: indicator.modified_at normalize: [] - original_fieldset: file - short: Primary group name of the file. - type: keyword -threat.indicator.file.inode: - dashed_name: threat-indicator-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.indicator.file.inode + short: Date/time indicator was last updated. 
+ type: date +threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture ignore_above: 1024 level: extended - name: inode + name: architecture normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -threat.indicator.file.mime_type: - dashed_name: threat-indicator-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official - types], where possible. When more than one type is applicable, the most specific - type should be used. - flat_name: threat.indicator.file.mime_type +threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company ignore_above: 1024 level: extended - name: mime_type + name: company normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. type: keyword -threat.indicator.file.mode: - dashed_name: threat-indicator-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.indicator.file.mode +threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description ignore_above: 1024 level: extended - name: mode + name: description normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. 
+ original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword -threat.indicator.file.mtime: - dashed_name: threat-indicator-file-mtime - description: Last time the file content was modified. - flat_name: threat.indicator.file.mtime +threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 level: extended - name: mtime + name: file_version normalize: [] - original_fieldset: file - short: Last time the file content was modified. - type: date -threat.indicator.file.name: - dashed_name: threat-indicator-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.indicator.file.name + original_fieldset: pe + short: Process name. + type: keyword +threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash ignore_above: 1024 level: extended - name: name + name: imphash normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -threat.indicator.file.owner: - dashed_name: threat-indicator-file-owner - description: File owner's username. 
- example: alice - flat_name: threat.indicator.file.owner +threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name ignore_above: 1024 level: extended - name: owner + name: original_file_name normalize: [] - original_fieldset: file - short: File owner's username. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. type: keyword -threat.indicator.file.path: - dashed_name: threat-indicator-file-path - description: Full path to the file, including the file name. It should include the - drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.indicator.file.path +threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.indicator.file.path.text - name: text - norms: false - type: text - name: path + name: product normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword -threat.indicator.file.size: - dashed_name: threat-indicator-file-size - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.indicator.file.size +threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). 
+ example: 443 + flat_name: threat.indicator.port level: extended - name: size + name: indicator.port normalize: [] - original_fieldset: file - short: File size in bytes. + short: Indicator port type: long -threat.indicator.file.target_path: - dashed_name: threat-indicator-file-target-path - description: Target path for symlinks. - flat_name: threat.indicator.file.target_path +threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.indicator.file.target_path.text - name: text - norms: false - type: text - name: target_path + name: indicator.provider normalize: [] - original_fieldset: file - short: Target path for symlinks. + short: Indicator provider type: keyword -threat.indicator.file.type: - dashed_name: threat-indicator-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.indicator.file.type +threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference ignore_above: 1024 level: extended - name: type + name: indicator.reference normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + short: Indicator reference URL type: keyword -threat.indicator.file.uid: - dashed_name: threat-indicator-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.indicator.file.uid +threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. 
+ + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes ignore_above: 1024 level: extended - name: uid + name: data.bytes normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword -threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen - level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date -threat.indicator.geo.city_name: - dashed_name: threat-indicator-geo-city-name - description: City name. - example: Montreal - flat_name: threat.indicator.geo.city_name +threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' 
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: keyword +threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type ignore_above: 1024 level: core - name: city_name + name: data.type normalize: [] - original_fieldset: geo - short: City name. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword -threat.indicator.geo.continent_code: - dashed_name: threat-indicator-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.indicator.geo.continent_code +threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive ignore_above: 1024 level: core - name: continent_code + name: hive normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword -threat.indicator.geo.continent_name: - dashed_name: threat-indicator-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.indicator.geo.continent_name +threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key ignore_above: 1024 level: core - name: continent_name + name: key normalize: [] - original_fieldset: geo - short: Name of the continent. 
+ original_fieldset: registry + short: Hive-relative path of keys. type: keyword -threat.indicator.geo.country_iso_code: - dashed_name: threat-indicator-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.indicator.geo.country_iso_code +threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path ignore_above: 1024 level: core - name: country_iso_code + name: path normalize: [] - original_fieldset: geo - short: Country ISO code. + original_fieldset: registry + short: Full path, including hive, key and value type: keyword -threat.indicator.geo.country_name: - dashed_name: threat-indicator-geo-country-name - description: Country name. - example: Canada - flat_name: threat.indicator.geo.country_name +threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value ignore_above: 1024 level: core - name: country_name + name: value normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: registry + short: Name of the value written. type: keyword -threat.indicator.geo.location: - dashed_name: threat-indicator-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.indicator.geo.location - level: core - name: location +threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. 
+ example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -threat.indicator.geo.name: - dashed_name: threat-indicator-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. + short: Scanner statistics + type: long +threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ + \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword +threat.indicator.url.domain: + dashed_name: threat-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. - Not typically used in automated geolocation.' 
- example: boston-dc - flat_name: threat.indicator.geo.name + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.indicator.url.domain ignore_above: 1024 level: extended - name: name + name: domain normalize: [] - original_fieldset: geo - short: User-defined description of a location. + original_fieldset: url + short: Domain of the url. type: keyword -threat.indicator.geo.postal_code: - dashed_name: threat-indicator-geo-postal-code - description: 'Postal code associated with the location. +threat.indicator.url.extension: + dashed_name: threat-indicator-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.indicator.geo.postal_code + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.url.extension ignore_above: 1024 - level: core - name: postal_code + level: extended + name: extension normalize: [] - original_fieldset: geo - short: Postal code. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword -threat.indicator.geo.region_iso_code: - dashed_name: threat-indicator-geo-region-iso-code - description: Region ISO code. 
- example: CA-QC - flat_name: threat.indicator.geo.region_iso_code +threat.indicator.url.fragment: + dashed_name: threat-indicator-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.indicator.url.fragment ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: fragment normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword -threat.indicator.geo.region_name: - dashed_name: threat-indicator-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.indicator.geo.region_name +threat.indicator.url.full: + dashed_name: threat-indicator-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.indicator.url.full ignore_above: 1024 - level: core - name: region_name + level: extended + multi_fields: + - flat_name: threat.indicator.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: geo - short: Region name. + original_fieldset: url + short: Full unparsed URL. type: keyword -threat.indicator.geo.timezone: - dashed_name: threat-indicator-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.indicator.geo.timezone +threat.indicator.url.original: + dashed_name: threat-indicator-url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.indicator.url.original ignore_above: 1024 - level: core - name: timezone + level: extended + multi_fields: + - flat_name: threat.indicator.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: keyword +threat.indicator.url.password: + dashed_name: threat-indicator-url-password + description: Password of the request. + flat_name: threat.indicator.url.password + ignore_above: 1024 + level: extended + name: password + normalize: [] + original_fieldset: url + short: Password of the request. + type: keyword +threat.indicator.url.path: + dashed_name: threat-indicator-url-path + description: Path of the request, such as "/search". + flat_name: threat.indicator.url.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + original_fieldset: url + short: Path of the request, such as "/search". + type: keyword +threat.indicator.url.port: + dashed_name: threat-indicator-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.indicator.url.port + format: string + level: extended + name: port normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -threat.indicator.hash.md5: - dashed_name: threat-indicator-hash-md5 - description: MD5 hash. - flat_name: threat.indicator.hash.md5 + original_fieldset: url + short: Port of the request, such as 443. + type: long +threat.indicator.url.query: + dashed_name: threat-indicator-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. 
The `exists` query can be used to differentiate between the two + cases.' + flat_name: threat.indicator.url.query ignore_above: 1024 level: extended - name: md5 + name: query normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: url + short: Query string of the request. type: keyword -threat.indicator.hash.sha1: - dashed_name: threat-indicator-hash-sha1 - description: SHA1 hash. - flat_name: threat.indicator.hash.sha1 +threat.indicator.url.registered_domain: + dashed_name: threat-indicator-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.indicator.url.registered_domain ignore_above: 1024 level: extended - name: sha1 + name: registered_domain normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. type: keyword -threat.indicator.hash.sha256: - dashed_name: threat-indicator-hash-sha256 - description: SHA256 hash. - flat_name: threat.indicator.hash.sha256 +threat.indicator.url.scheme: + dashed_name: threat-indicator-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.indicator.url.scheme ignore_above: 1024 level: extended - name: sha256 + name: scheme normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: url + short: Scheme of the url. type: keyword -threat.indicator.hash.sha512: - dashed_name: threat-indicator-hash-sha512 - description: SHA512 hash. 
- flat_name: threat.indicator.hash.sha512 +threat.indicator.url.subdomain: + dashed_name: threat-indicator-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.indicator.url.subdomain ignore_above: 1024 level: extended - name: sha512 + name: subdomain normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: url + short: The subdomain of the domain. type: keyword -threat.indicator.hash.ssdeep: - dashed_name: threat-indicator-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.indicator.hash.ssdeep +threat.indicator.url.top_level_domain: + dashed_name: threat-indicator-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.indicator.url.top_level_domain ignore_above: 1024 level: extended - name: ssdeep + name: top_level_domain normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.indicator.ip: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip +threat.indicator.url.username: + dashed_name: threat-indicator-url-username + description: Username of the request. + flat_name: threat.indicator.url.username + ignore_above: 1024 level: extended - name: indicator.ip + name: username normalize: [] - short: Indicator IP address - type: ip -threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting this - indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen + original_fieldset: url + short: Username of the request. + type: keyword +threat.indicator.x509.alternative_names: + dashed_name: threat-indicator-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.indicator.x509.alternative_names + ignore_above: 1024 level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date -threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword +threat.indicator.x509.issuer.common_name: + dashed_name: threat-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. 
+ example: Example SHA2 High Assurance Server CA + flat_name: threat.indicator.x509.issuer.common_name ignore_above: 1024 level: extended - name: indicator.marking.tlp - normalize: [] - short: Indicator TLP marking + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. type: keyword -threat.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at +threat.indicator.x509.issuer.country: + dashed_name: threat-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.indicator.x509.issuer.country + ignore_above: 1024 level: extended - name: indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date -threat.indicator.pe.architecture: - dashed_name: threat-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.indicator.pe.architecture + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +threat.indicator.x509.issuer.distinguished_name: + dashed_name: threat-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.indicator.x509.issuer.distinguished_name ignore_above: 1024 level: extended - name: architecture + name: issuer.distinguished_name normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. 
type: keyword -threat.indicator.pe.company: - dashed_name: threat-indicator-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.indicator.pe.company +threat.indicator.x509.issuer.locality: + dashed_name: threat-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.indicator.x509.issuer.locality ignore_above: 1024 level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.indicator.pe.description: - dashed_name: threat-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.indicator.pe.description +threat.indicator.x509.issuer.organization: + dashed_name: threat-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.indicator.x509.issuer.organization ignore_above: 1024 level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword -threat.indicator.pe.file_version: - dashed_name: threat-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.indicator.pe.file_version +threat.indicator.x509.issuer.organizational_unit: + dashed_name: threat-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. 
+ example: www.example.com + flat_name: threat.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword -threat.indicator.pe.imphash: - dashed_name: threat-indicator-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.indicator.pe.imphash +threat.indicator.x509.issuer.state_or_province: + dashed_name: threat-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended - name: imphash + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.indicator.x509.not_after: + dashed_name: threat-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.indicator.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +threat.indicator.x509.not_before: + dashed_name: threat-indicator-x509-not-before + description: Time at which the certificate is first considered valid. 
+ example: 2019-08-16 01:40:25+00:00 + flat_name: threat.indicator.x509.not_before + level: extended + name: not_before normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. - type: keyword -threat.indicator.pe.original_file_name: - dashed_name: threat-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.indicator.pe.original_file_name + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +threat.indicator.x509.public_key_algorithm: + dashed_name: threat-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended - name: original_file_name + name: public_key_algorithm normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword -threat.indicator.pe.product: - dashed_name: threat-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.indicator.pe.product +threat.indicator.x509.public_key_curve: + dashed_name: threat-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.indicator.x509.public_key_curve ignore_above: 1024 level: extended - name: product + name: public_key_curve normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword -threat.indicator.port: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of direction). - example: 443 - flat_name: threat.indicator.port +threat.indicator.x509.public_key_exponent: + dashed_name: threat-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.indicator.x509.public_key_exponent + index: false level: extended - name: indicator.port + name: public_key_exponent normalize: [] - short: Indicator port + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long -threat.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.indicator.provider - ignore_above: 1024 +threat.indicator.x509.public_key_size: + dashed_name: threat-indicator-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.indicator.x509.public_key_size level: extended - name: indicator.provider + name: public_key_size normalize: [] - short: Indicator provider - type: keyword -threat.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.indicator.reference + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +threat.indicator.x509.serial_number: + dashed_name: threat-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. 
+ example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.indicator.x509.serial_number ignore_above: 1024 level: extended - name: indicator.reference + name: serial_number normalize: [] - short: Indicator reference URL + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword -threat.indicator.registry.data.bytes: - dashed_name: threat-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.registry.data.bytes +threat.indicator.x509.signature_algorithm: + dashed_name: threat-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.indicator.x509.signature_algorithm ignore_above: 1024 level: extended - name: data.bytes + name: signature_algorithm normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword -threat.indicator.registry.data.strings: - dashed_name: threat-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single string - registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. - For sequences of string with REG_MULTI_SZ, this array will be variable length. - For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with - the decimal representation (e.g `"1"`).' 
- example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.registry.data.strings +threat.indicator.x509.subject.common_name: + dashed_name: threat-indicator-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.indicator.x509.subject.common_name ignore_above: 1024 - level: core - name: data.strings + level: extended + name: subject.common_name normalize: - array - original_fieldset: registry - short: List of strings representing what was written to the registry. + original_fieldset: x509 + short: List of common names (CN) of subject. type: keyword -threat.indicator.registry.data.type: - dashed_name: threat-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.registry.data.type +threat.indicator.x509.subject.country: + dashed_name: threat-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.indicator.x509.subject.country ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code type: keyword -threat.indicator.registry.hive: - dashed_name: threat-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.indicator.registry.hive +threat.indicator.x509.subject.distinguished_name: + dashed_name: threat-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. 
+ example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.indicator.x509.subject.distinguished_name ignore_above: 1024 - level: core - name: hive + level: extended + name: subject.distinguished_name normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. type: keyword -threat.indicator.registry.key: - dashed_name: threat-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.registry.key +threat.indicator.x509.subject.locality: + dashed_name: threat-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.indicator.x509.subject.locality ignore_above: 1024 - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.indicator.registry.path: - dashed_name: threat-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.indicator.registry.path +threat.indicator.x509.subject.organization: + dashed_name: threat-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. 
+ flat_name: threat.indicator.x509.subject.organization ignore_above: 1024 - level: core - name: path - normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. type: keyword -threat.indicator.registry.value: - dashed_name: threat-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.indicator.registry.value +threat.indicator.x509.subject.organizational_unit: + dashed_name: threat-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.indicator.x509.subject.organizational_unit ignore_above: 1024 - level: core - name: value - normalize: [] - original_fieldset: registry - short: Name of the value written. - type: keyword -threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file or - URL. - example: 4 - flat_name: threat.indicator.scanner_stats level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long -threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. 
+ type: keyword +threat.indicator.x509.subject.state_or_province: + dashed_name: threat-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.indicator.x509.subject.state_or_province + ignore_above: 1024 level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long -threat.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.indicator.x509.version_number: + dashed_name: threat-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.indicator.x509.version_number ignore_above: 1024 level: extended - name: indicator.type + name: version_number normalize: [] - short: Type of indicator + original_fieldset: x509 + short: Version of x509 format. type: keyword threat.software.id: beta: This field is beta and subject to change. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index ea3b197b3b..06bbe4db3e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -4585,10 +4585,10 @@ file: at: threat.indicator beta: Reusing the `file` fields in this location is currently considered beta. full: threat.indicator.file - - as: as + - as: file at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.indicator.file top_level: true reused_here: - full: file.code_signature @@ -4773,10 +4773,10 @@ geo: at: threat.indicator beta: Reusing the `geo` fields in this location is currently considered beta. full: threat.indicator.geo - - as: as + - as: geo at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.indicator.geo top_level: false short: Fields describing a location. title: Geo @@ -4909,10 +4909,10 @@ hash: at: threat.indicator beta: Reusing the `hash` fields in this location is currently considered beta. full: threat.indicator.hash - - as: as + - as: hash at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.enrichments.indicator.hash top_level: false short: Hashes, usually file hashes. title: Hash 
@@ -10258,60 +10258,34 @@ threat: normalize: [] short: Object containing indicators enriching the event. type: object - threat.enrichments.indicator.as.md5: - dashed_name: threat-enrichments-indicator-as-md5 - description: MD5 hash. - flat_name: threat.enrichments.indicator.as.md5 - ignore_above: 1024 - level: extended - name: md5 - normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - threat.enrichments.indicator.as.sha1: - dashed_name: threat-enrichments-indicator-as-sha1 - description: SHA1 hash. - flat_name: threat.enrichments.indicator.as.sha1 - ignore_above: 1024 - level: extended - name: sha1 - normalize: [] - original_fieldset: hash - short: SHA1 hash. - type: keyword - threat.enrichments.indicator.as.sha256: - dashed_name: threat-enrichments-indicator-as-sha256 - description: SHA256 hash. - flat_name: threat.enrichments.indicator.as.sha256 - ignore_above: 1024 - level: extended - name: sha256 - normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword - threat.enrichments.indicator.as.sha512: - dashed_name: threat-enrichments-indicator-as-sha512 - description: SHA512 hash. - flat_name: threat.enrichments.indicator.as.sha512 - ignore_above: 1024 + threat.enrichments.indicator.as.number: + dashed_name: threat-enrichments-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.enrichments.indicator.as.number level: extended - name: sha512 + name: number normalize: [] - original_fieldset: hash - short: SHA512 hash. - type: keyword - threat.enrichments.indicator.as.ssdeep: - dashed_name: threat-enrichments-indicator-as-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.indicator.as.ssdeep + original_fieldset: as + short: Unique number allocated to the autonomous system. 
+ type: long + threat.enrichments.indicator.as.organization.name: + dashed_name: threat-enrichments-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.enrichments.indicator.as.organization.name ignore_above: 1024 level: extended - name: ssdeep + multi_fields: + - flat_name: threat.enrichments.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: as + short: Organization name. type: keyword threat.enrichments.indicator.confidence: beta: This field is beta and subject to change. 
@@ -10353,2277 +10327,3706 @@ threat: normalize: [] short: Indicator email address type: keyword - threat.enrichments.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.first_seen + threat.enrichments.indicator.file.accessed: + dashed_name: threat-enrichments-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.indicator.file.accessed level: extended - name: enrichments.indicator.first_seen + name: accessed normalize: [] - short: Date/time indicator was first reported. + original_fieldset: file + short: Last time the file was accessed. type: date - threat.enrichments.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.enrichments.indicator.ip - level: extended - name: enrichments.indicator.ip - normalize: [] - short: Indicator IP address - type: ip - threat.enrichments.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.last_seen + threat.enrichments.indicator.file.attributes: + dashed_name: threat-enrichments-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.indicator.file.attributes + ignore_above: 1024 level: extended - name: enrichments.indicator.last_seen + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.enrichments.indicator.file.code_signature.exists: + dashed_name: threat-enrichments-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.exists + level: core + name: exists normalize: [] - short: Date/time indicator was last reported. - type: date - threat.enrichments.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: White - flat_name: threat.enrichments.indicator.marking.tlp + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.enrichments.indicator.file.code_signature.signing_id: + dashed_name: threat-enrichments-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended - name: enrichments.indicator.marking.tlp + name: signing_id normalize: [] - short: Indicator TLP marking + original_fieldset: code_signature + short: The identifier used to sign the process. 
type: keyword - threat.enrichments.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.indicator.modified_at - level: extended - name: enrichments.indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date - threat.enrichments.indicator.pe.architecture: - dashed_name: threat-enrichments-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.enrichments.indicator.pe.architecture + threat.enrichments.indicator.file.code_signature.status: + dashed_name: threat-enrichments-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.indicator.file.code_signature.status ignore_above: 1024 level: extended - name: architecture + name: status normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - threat.enrichments.indicator.pe.company: - dashed_name: threat-enrichments-indicator-pe-company - description: Internal company name of the file, provided at compile-time. 
+ threat.enrichments.indicator.file.code_signature.subject_name: + dashed_name: threat-enrichments-indicator-file-code-signature-subject-name + description: Subject name of the code signer example: Microsoft Corporation - flat_name: threat.enrichments.indicator.pe.company + flat_name: threat.enrichments.indicator.file.code_signature.subject_name ignore_above: 1024 - level: extended - name: company + level: core + name: subject_name normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + original_fieldset: code_signature + short: Subject name of the code signer type: keyword - threat.enrichments.indicator.pe.description: - dashed_name: threat-enrichments-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.enrichments.indicator.pe.description + threat.enrichments.indicator.file.code_signature.team_id: + dashed_name: threat-enrichments-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: description + name: team_id normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword - threat.enrichments.indicator.pe.file_version: - dashed_name: threat-enrichments-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. 
- example: 6.3.9600.17415 - flat_name: threat.enrichments.indicator.pe.file_version - ignore_above: 1024 + threat.enrichments.indicator.file.code_signature.trusted: + dashed_name: threat-enrichments-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.trusted level: extended - name: file_version + name: trusted normalize: [] - original_fieldset: pe - short: Process name. - type: keyword - threat.enrichments.indicator.pe.imphash: - dashed_name: threat-enrichments-indicator-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.enrichments.indicator.file.code_signature.valid: + dashed_name: threat-enrichments-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.indicator.pe.imphash - ignore_above: 1024 + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.valid level: extended - name: imphash + name: valid normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. 
- type: keyword - threat.enrichments.indicator.pe.original_file_name: - dashed_name: threat-enrichments-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.enrichments.indicator.pe.original_file_name - ignore_above: 1024 + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.enrichments.indicator.file.created: + dashed_name: threat-enrichments-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.indicator.file.created level: extended - name: original_file_name + name: created normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: keyword - threat.enrichments.indicator.pe.product: - dashed_name: threat-enrichments-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.indicator.pe.product - ignore_above: 1024 - level: extended - name: product - normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. - type: keyword - threat.enrichments.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - flat_name: threat.enrichments.indicator.port + original_fieldset: file + short: File creation time. + type: date + threat.enrichments.indicator.file.ctime: + dashed_name: threat-enrichments-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. 
This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.indicator.file.ctime level: extended - name: enrichments.indicator.port + name: ctime normalize: [] - short: Indicator port - type: long - threat.enrichments.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.enrichments.indicator.provider + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.enrichments.indicator.file.device: + dashed_name: threat-enrichments-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.indicator.file.device ignore_above: 1024 level: extended - name: enrichments.indicator.provider + name: device normalize: [] - short: Indicator provider + original_fieldset: file + short: Device that is the source of the file. type: keyword - threat.enrichments.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.enrichments.indicator.reference + threat.enrichments.indicator.file.directory: + dashed_name: threat-enrichments-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.enrichments.indicator.file.directory ignore_above: 1024 level: extended - name: enrichments.indicator.reference + name: directory normalize: [] - short: Indicator reference URL + original_fieldset: file + short: Directory where the file is located. 
type: keyword - threat.enrichments.indicator.registry.data.bytes: - dashed_name: threat-enrichments-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. + threat.enrichments.indicator.file.drive_letter: + dashed_name: threat-enrichments-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.indicator.registry.data.bytes - ignore_above: 1024 + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.indicator.file.drive_letter + ignore_above: 1 level: extended - name: data.bytes + name: drive_letter normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword - threat.enrichments.indicator.registry.data.strings: - dashed_name: threat-enrichments-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.indicator.registry.data.strings - ignore_above: 1024 - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. + original_fieldset: file + short: Drive letter where the file is located. 
type: keyword - threat.enrichments.indicator.registry.data.type: - dashed_name: threat-enrichments-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.enrichments.indicator.registry.data.type + threat.enrichments.indicator.file.elf.architecture: + dashed_name: threat-enrichments-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.indicator.file.elf.architecture ignore_above: 1024 - level: core - name: data.type + level: extended + name: architecture normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword - threat.enrichments.indicator.registry.hive: - dashed_name: threat-enrichments-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.enrichments.indicator.registry.hive + threat.enrichments.indicator.file.elf.byte_order: + dashed_name: threat-enrichments-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.indicator.file.elf.byte_order ignore_above: 1024 - level: core - name: hive + level: extended + name: byte_order normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: elf + short: Byte sequence of ELF file. type: keyword - threat.enrichments.indicator.registry.key: - dashed_name: threat-enrichments-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.indicator.registry.key + threat.enrichments.indicator.file.elf.cpu_type: + dashed_name: threat-enrichments-indicator-file-elf-cpu-type + description: CPU type of the ELF file. 
+ example: Intel + flat_name: threat.enrichments.indicator.file.elf.cpu_type ignore_above: 1024 - level: core - name: key + level: extended + name: cpu_type normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. + original_fieldset: elf + short: CPU type of the ELF file. type: keyword - threat.enrichments.indicator.registry.path: - dashed_name: threat-enrichments-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.enrichments.indicator.registry.path + threat.enrichments.indicator.file.elf.creation_date: + dashed_name: threat-enrichments-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.enrichments.indicator.file.elf.header.abi_version: + dashed_name: threat-enrichments-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: threat.enrichments.indicator.file.elf.header.abi_version ignore_above: 1024 - level: core - name: path + level: extended + name: header.abi_version normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword - threat.enrichments.indicator.registry.value: - dashed_name: threat-enrichments-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.indicator.registry.value + threat.enrichments.indicator.file.elf.header.class: + dashed_name: threat-enrichments-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.class ignore_above: 1024 - level: core - name: value + level: extended + name: header.class normalize: [] - original_fieldset: registry - short: Name of the value written. + original_fieldset: elf + short: Header class of the ELF file. type: keyword - threat.enrichments.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - flat_name: threat.enrichments.indicator.scanner_stats + threat.enrichments.indicator.file.elf.header.data: + dashed_name: threat-enrichments-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.data + ignore_above: 1024 level: extended - name: enrichments.indicator.scanner_stats + name: header.data normalize: [] - short: Scanner statistics - type: long - threat.enrichments.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. 
- example: 20 - flat_name: threat.enrichments.indicator.sightings + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + threat.enrichments.indicator.file.elf.header.entrypoint: + dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.entrypoint + format: string level: extended - name: enrichments.indicator.sightings + name: header.entrypoint normalize: [] - short: Number of times indicator observed + original_fieldset: elf + short: Header entrypoint of the ELF file. type: long - threat.enrichments.indicator.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ - \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.enrichments.indicator.type + threat.enrichments.indicator.file.elf.header.object_version: + dashed_name: threat-enrichments-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.enrichments.indicator.file.elf.header.object_version ignore_above: 1024 level: extended - name: enrichments.indicator.type + name: header.object_version normalize: [] - short: Type of indicator + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword - threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. 
- example: bad-domain.com - flat_name: threat.enrichments.matched.atomic + threat.enrichments.indicator.file.elf.header.os_abi: + dashed_name: threat-enrichments-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended - name: enrichments.matched.atomic + name: header.os_abi normalize: [] - short: Matched indicator value + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword - threat.enrichments.matched.field: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field + threat.enrichments.indicator.file.elf.header.type: + dashed_name: threat-enrichments-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.type ignore_above: 1024 level: extended - name: enrichments.matched.field + name: header.type normalize: [] - short: Matched indicator field + original_fieldset: elf + short: Header type of the ELF file. type: keyword - threat.enrichments.matched.id: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id + threat.enrichments.indicator.file.elf.header.version: + dashed_name: threat-enrichments-indicator-file-elf-header-version + description: Version of the ELF header. 
+ flat_name: threat.enrichments.indicator.file.elf.header.version ignore_above: 1024 level: extended - name: enrichments.matched.id + name: header.version normalize: [] - short: Matched indicator identifier + original_fieldset: elf + short: Version of the ELF header. type: keyword - threat.enrichments.matched.index: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index - ignore_above: 1024 + threat.enrichments.indicator.file.elf.imports: + dashed_name: threat-enrichments-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports level: extended - name: enrichments.matched.index - normalize: [] - short: Matched indicator index - type: keyword - threat.enrichments.matched.type: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type - ignore_above: 1024 + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.enrichments.indicator.file.elf.sections: + dashed_name: threat-enrichments-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.enrichments.indicator.file.elf.sections level: extended - name: enrichments.matched.type + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested + threat.enrichments.indicator.file.elf.sections.chi2: + dashed_name: threat-enrichments-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 normalize: [] - short: Type of indicator match - type: keyword - threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain - description: 'Domain of the url, such as "www.elastic.co". - - In some cases a URL may refer to an IP and/or port directly, without a domain - name. In this case, the IP address would go to the `domain` field. - - If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC - 2732), the `[` and `]` characters should also be captured in the `domain` - field.' - example: www.elastic.co - flat_name: threat.enrichments.url.domain - ignore_above: 1024 + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.enrichments.indicator.file.elf.sections.entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.entropy + format: number level: extended - name: domain + name: sections.entropy normalize: [] - original_fieldset: url - short: Domain of the url. - type: keyword - threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension - description: 'The field contains the file extension from the original request - url, excluding the leading dot. - - The file extension is only set if it exists, as not every url has a file extension. - - The leading period must not be included. For example, the value must be "png", - not ".png". - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' 
- example: png - flat_name: threat.enrichments.url.extension + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + threat.enrichments.indicator.file.elf.sections.flags: + dashed_name: threat-enrichments-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: extension + name: sections.flags normalize: [] - original_fieldset: url - short: File extension from the request url, excluding the leading dot. + original_fieldset: elf + short: ELF Section List flags. type: keyword - threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment - description: 'Portion of the url after the `#`, such as "top". - - The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + threat.enrichments.indicator.file.elf.sections.name: + dashed_name: threat-enrichments-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.enrichments.indicator.file.elf.sections.name ignore_above: 1024 level: extended - name: fragment + name: sections.name normalize: [] - original_fieldset: url - short: Portion of the url after the `#`. + original_fieldset: elf + short: ELF Section List name. type: keyword - threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full - description: If full URLs are important to your use case, they should be stored - in `url.full`, whether this field is reconstructed or present in the event - source. - example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + threat.enrichments.indicator.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. 
+ flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.enrichments.url.full.text - name: text - norms: false - type: text - name: full + name: sections.physical_offset normalize: [] - original_fieldset: url - short: Full unparsed URL. + original_fieldset: elf + short: ELF Section List offset. type: keyword - threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original - description: 'Unmodified original url as seen in the event source. - - Note that in network monitoring, the observed URL may be a full URL, whereas - in access logs, the URL is often just represented as a path. - - This field is meant to represent the URL as it was observed, complete or not.' - example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original - ignore_above: 1024 + threat.enrichments.indicator.file.elf.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_size + format: bytes level: extended - multi_fields: - - flat_name: threat.enrichments.url.original.text - name: text - norms: false - type: text - name: original + name: sections.physical_size normalize: [] - original_fieldset: url - short: Unmodified original url as seen in the event source. - type: keyword - threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password - description: Password of the request. - flat_name: threat.enrichments.url.password + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.enrichments.indicator.file.elf.sections.type: + dashed_name: threat-enrichments-indicator-file-elf-sections-type + description: ELF Section List type. 
+ flat_name: threat.enrichments.indicator.file.elf.sections.type ignore_above: 1024 level: extended - name: password + name: sections.type normalize: [] - original_fieldset: url - short: Password of the request. + original_fieldset: elf + short: ELF Section List type. type: keyword - threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path - description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path - ignore_above: 1024 + threat.enrichments.indicator.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address + format: string level: extended - name: path + name: sections.virtual_address normalize: [] - original_fieldset: url - short: Path of the request, such as "/search". - type: keyword - threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port - description: Port of the request, such as 443. - example: 443 - flat_name: threat.enrichments.url.port + original_fieldset: elf + short: ELF Section List virtual address. + type: long + threat.enrichments.indicator.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size format: string level: extended - name: port + name: sections.virtual_size normalize: [] - original_fieldset: url - short: Port of the request, such as 443. + original_fieldset: elf + short: ELF Section List virtual size. type: long - threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query - description: 'The query field describes the query string of the request, such - as "q=elasticsearch". 
+ threat.enrichments.indicator.file.elf.segments: + dashed_name: threat-enrichments-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. - The `?` is excluded from the query string. If a URL contains no `?`, there - is no query field. If there is a `?` but no query, the query field exists - with an empty string. The `exists` query can be used to differentiate between - the two cases.' - flat_name: threat.enrichments.url.query + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.enrichments.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.enrichments.indicator.file.elf.segments.sections: + dashed_name: threat-enrichments-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.indicator.file.elf.segments.sections ignore_above: 1024 level: extended - name: query + name: segments.sections normalize: [] - original_fieldset: url - short: Query string of the request. + original_fieldset: elf + short: ELF object segment sections. type: keyword - threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain - description: 'The highest registered url domain, stripped of the subdomain. - - For example, the registered domain for "foo.example.com" is "example.com". - - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last two labels will not work well for TLDs such as "co.uk".' - example: example.com - flat_name: threat.enrichments.url.registered_domain + threat.enrichments.indicator.file.elf.segments.type: + dashed_name: threat-enrichments-indicator-file-elf-segments-type + description: ELF object segment type. 
+ flat_name: threat.enrichments.indicator.file.elf.segments.type ignore_above: 1024 level: extended - name: registered_domain + name: segments.type normalize: [] - original_fieldset: url - short: The highest registered url domain, stripped of the subdomain. + original_fieldset: elf + short: ELF object segment type. type: keyword - threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme - description: 'Scheme of the request, such as "https". - - Note: The `:` is not part of the scheme.' - example: https - flat_name: threat.enrichments.url.scheme + threat.enrichments.indicator.file.elf.shared_libraries: + dashed_name: threat-enrichments-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended - name: scheme - normalize: [] - original_fieldset: url - short: Scheme of the url. + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. type: keyword - threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain - description: 'The subdomain portion of a fully qualified domain name includes - all of the names except the host name under the registered_domain. In a partially - qualified domain, or if the the qualification level of the full name cannot - be determined, subdomain contains all of the names below the registered domain. - - For example the subdomain portion of "www.east.mydomain.co.uk" is "east". - If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", - the subdomain field should contain "sub2.sub1", with no trailing period.' - example: east - flat_name: threat.enrichments.url.subdomain + threat.enrichments.indicator.file.elf.telfhash: + dashed_name: threat-enrichments-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. 
+ flat_name: threat.enrichments.indicator.file.elf.telfhash ignore_above: 1024 level: extended - name: subdomain + name: telfhash normalize: [] - original_fieldset: url - short: The subdomain of the domain. + original_fieldset: elf + short: telfhash hash for ELF file. type: keyword - threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain - description: 'The effective top level domain (eTLD), also known as the domain - suffix, is the last part of the domain name. For example, the top level domain - for example.com is "com". + threat.enrichments.indicator.file.extension: + dashed_name: threat-enrichments-indicator-file-extension + description: 'File extension, excluding the leading dot. - This value can be determined precisely with a list like the public suffix - list (http://publicsuffix.org). Trying to approximate this by simply taking - the last label will not work well for effective TLDs such as "co.uk".' - example: co.uk - flat_name: threat.enrichments.url.top_level_domain + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.file.extension ignore_above: 1024 level: extended - name: top_level_domain + name: extension normalize: [] - original_fieldset: url - short: The effective top level domain (com, org, net, co.uk). - type: keyword - threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username - description: Username of the request. - flat_name: threat.enrichments.url.username + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.enrichments.indicator.file.gid: + dashed_name: threat-enrichments-indicator-file-gid + description: Primary group ID (GID) of the file. 
+ example: '1001' + flat_name: threat.enrichments.indicator.file.gid ignore_above: 1024 level: extended - name: username + name: gid normalize: [] - original_fieldset: url - short: Username of the request. + original_fieldset: file + short: Primary group ID (GID) of the file. type: keyword - threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + threat.enrichments.indicator.file.group: + dashed_name: threat-enrichments-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.indicator.file.group ignore_above: 1024 level: extended - name: alternative_names - normalize: - - array - original_fieldset: x509 - short: List of subject alternative names (SAN). + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. type: keyword - threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name - description: List of common name (CN) of issuing certificate authority. - example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + threat.enrichments.indicator.file.inode: + dashed_name: threat-enrichments-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.indicator.file.inode ignore_above: 1024 level: extended - name: issuer.common_name - normalize: - - array - original_fieldset: x509 - short: List of common name (CN) of issuing certificate authority. + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. 
type: keyword - threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country - description: List of country (C) codes - example: US - flat_name: threat.enrichments.x509.issuer.country + threat.enrichments.indicator.file.mime_type: + dashed_name: threat-enrichments-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.enrichments.indicator.file.mime_type ignore_above: 1024 level: extended - name: issuer.country - normalize: - - array - original_fieldset: x509 - short: List of country (C) codes + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. type: keyword - threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + threat.enrichments.indicator.file.mode: + dashed_name: threat-enrichments-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.indicator.file.mode ignore_above: 1024 level: extended - name: issuer.distinguished_name + name: mode normalize: [] - original_fieldset: x509 - short: Distinguished name (DN) of issuing certificate authority. + original_fieldset: file + short: Mode of the file in octal representation. 
type: keyword - threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality - description: List of locality names (L) - example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality - ignore_above: 1024 + threat.enrichments.indicator.file.mtime: + dashed_name: threat-enrichments-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.indicator.file.mtime level: extended - name: issuer.locality - normalize: - - array - original_fieldset: x509 - short: List of locality names (L) - type: keyword - threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization - description: List of organizations (O) of issuing certificate authority. - example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date + threat.enrichments.indicator.file.name: + dashed_name: threat-enrichments-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.enrichments.indicator.file.name ignore_above: 1024 level: extended - name: issuer.organization - normalize: - - array - original_fieldset: x509 - short: List of organizations (O) of issuing certificate authority. + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword - threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit - description: List of organizational units (OU) of issuing certificate authority. - example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + threat.enrichments.indicator.file.owner: + dashed_name: threat-enrichments-indicator-file-owner + description: File owner's username. 
+ example: alice + flat_name: threat.enrichments.indicator.file.owner ignore_above: 1024 level: extended - name: issuer.organizational_unit - normalize: - - array - original_fieldset: x509 - short: List of organizational units (OU) of issuing certificate authority. + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. type: keyword - threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province - description: List of state or province names (ST, S, or P) - example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + threat.enrichments.indicator.file.path: + dashed_name: threat-enrichments-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.indicator.file.path ignore_above: 1024 level: extended - name: issuer.state_or_province - normalize: - - array - original_fieldset: x509 - short: List of state or province names (ST, S, or P) + multi_fields: + - flat_name: threat.enrichments.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. type: keyword - threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + threat.enrichments.indicator.file.size: + dashed_name: threat-enrichments-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.indicator.file.size level: extended - name: not_after + name: size normalize: [] - original_fieldset: x509 - short: Time at which the certificate is no longer considered valid. 
- type: date - threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + original_fieldset: file + short: File size in bytes. + type: long + threat.enrichments.indicator.file.target_path: + dashed_name: threat-enrichments-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.enrichments.indicator.file.target_path + ignore_above: 1024 level: extended - name: not_before + multi_fields: + - flat_name: threat.enrichments.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path normalize: [] - original_fieldset: x509 - short: Time at which the certificate is first considered valid. - type: date - threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm - description: Algorithm used to generate the public key. - example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + original_fieldset: file + short: Target path for symlinks. + type: keyword + threat.enrichments.indicator.file.type: + dashed_name: threat-enrichments-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.indicator.file.type ignore_above: 1024 level: extended - name: public_key_algorithm + name: type normalize: [] - original_fieldset: x509 - short: Algorithm used to generate the public key. + original_fieldset: file + short: File type (file, dir, or symlink). type: keyword - threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. 
- example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + threat.enrichments.indicator.file.uid: + dashed_name: threat-enrichments-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.indicator.file.uid ignore_above: 1024 level: extended - name: public_key_curve + name: uid normalize: [] - original_fieldset: x509 - short: The curve used by the elliptic curve public key algorithm. This is algorithm - specific. + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword - threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent - description: Exponent used to derive the public key. This is algorithm specific. - doc_values: false - example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent - index: false + threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen level: extended - name: public_key_exponent + name: enrichments.indicator.first_seen normalize: [] - original_fieldset: x509 - short: Exponent used to derive the public key. This is algorithm specific. - type: long - threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size - description: The size of the public key space in bits. - example: 2048 - flat_name: threat.enrichments.x509.public_key_size - level: extended - name: public_key_size + short: Date/time indicator was first reported. + type: date + threat.enrichments.indicator.geo.city_name: + dashed_name: threat-enrichments-indicator-geo-city-name + description: City name. 
+ example: Montreal + flat_name: threat.enrichments.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name normalize: [] - original_fieldset: x509 - short: The size of the public key space in bits. - type: long - threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + original_fieldset: geo + short: City name. + type: keyword + threat.enrichments.indicator.geo.continent_code: + dashed_name: threat-enrichments-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: serial_number + level: core + name: continent_code normalize: [] - original_fieldset: x509 - short: Unique serial number issued by the certificate authority. + original_fieldset: geo + short: Continent code. type: keyword - threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm - description: Identifier for certificate signature algorithm. We recommend using - names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. - example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + threat.enrichments.indicator.geo.continent_name: + dashed_name: threat-enrichments-indicator-geo-continent-name + description: Name of the continent. 
+ example: North America
+ flat_name: threat.enrichments.indicator.geo.continent_name
 ignore_above: 1024
- level: extended
- name: signature_algorithm
+ level: core
+ name: continent_name
 normalize: []
- original_fieldset: x509
- short: Identifier for certificate signature algorithm.
+ original_fieldset: geo
+ short: Name of the continent.
 type: keyword
- threat.enrichments.x509.subject.common_name:
- dashed_name: threat-enrichments-x509-subject-common-name
- description: List of common names (CN) of subject.
- example: shared.global.example.net
- flat_name: threat.enrichments.x509.subject.common_name
+ threat.enrichments.indicator.geo.country_iso_code:
+ dashed_name: threat-enrichments-indicator-geo-country-iso-code
+ description: Country ISO code.
+ example: CA
+ flat_name: threat.enrichments.indicator.geo.country_iso_code
 ignore_above: 1024
- level: extended
- name: subject.common_name
- normalize:
- - array
- original_fieldset: x509
- short: List of common names (CN) of subject.
+ level: core
+ name: country_iso_code
+ normalize: []
+ original_fieldset: geo
+ short: Country ISO code.
 type: keyword
- threat.enrichments.x509.subject.country:
- dashed_name: threat-enrichments-x509-subject-country
- description: List of country (C) code
- example: US
- flat_name: threat.enrichments.x509.subject.country
+ threat.enrichments.indicator.geo.country_name:
+ dashed_name: threat-enrichments-indicator-geo-country-name
+ description: Country name.
+ example: Canada
+ flat_name: threat.enrichments.indicator.geo.country_name
 ignore_above: 1024
- level: extended
- name: subject.country
- normalize:
- - array
- original_fieldset: x509
- short: List of country (C) code
+ level: core
+ name: country_name
+ normalize: []
+ original_fieldset: geo
+ short: Country name.
 type: keyword
- threat.enrichments.x509.subject.distinguished_name:
- dashed_name: threat-enrichments-x509-subject-distinguished-name
- description: Distinguished name (DN) of the certificate subject entity.
- example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
- flat_name: threat.enrichments.x509.subject.distinguished_name
+ threat.enrichments.indicator.geo.location:
+ dashed_name: threat-enrichments-indicator-geo-location
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ flat_name: threat.enrichments.indicator.geo.location
+ level: core
+ name: location
+ normalize: []
+ original_fieldset: geo
+ short: Longitude and latitude.
+ type: geo_point
+ threat.enrichments.indicator.geo.name:
+ dashed_name: threat-enrichments-indicator-geo-name
+ description: 'User-defined description of a location, at the level of granularity
+ they care about.
+
+ Could be the name of their data centers, the floor number, if this describes
+ a local physical entity, city names.
+
+ Not typically used in automated geolocation.'
+ example: boston-dc
+ flat_name: threat.enrichments.indicator.geo.name
 ignore_above: 1024
 level: extended
- name: subject.distinguished_name
+ name: name
 normalize: []
- original_fieldset: x509
- short: Distinguished name (DN) of the certificate subject entity.
+ original_fieldset: geo
+ short: User-defined description of a location.
 type: keyword
- threat.enrichments.x509.subject.locality:
- dashed_name: threat-enrichments-x509-subject-locality
- description: List of locality names (L)
- example: San Francisco
- flat_name: threat.enrichments.x509.subject.locality
+ threat.enrichments.indicator.geo.postal_code:
+ dashed_name: threat-enrichments-indicator-geo-postal-code
+ description: 'Postal code associated with the location.
+
+ Values appropriate for this field may also be known as a postcode or ZIP code
+ and will vary widely from country to country.'
+ example: 94040
+ flat_name: threat.enrichments.indicator.geo.postal_code
 ignore_above: 1024
- level: extended
- name: subject.locality
- normalize:
- - array
- original_fieldset: x509
- short: List of locality names (L)
+ level: core
+ name: postal_code
+ normalize: []
+ original_fieldset: geo
+ short: Postal code.
 type: keyword
- threat.enrichments.x509.subject.organization:
- dashed_name: threat-enrichments-x509-subject-organization
- description: List of organizations (O) of subject.
- example: Example, Inc.
- flat_name: threat.enrichments.x509.subject.organization
+ threat.enrichments.indicator.geo.region_iso_code:
+ dashed_name: threat-enrichments-indicator-geo-region-iso-code
+ description: Region ISO code.
+ example: CA-QC
+ flat_name: threat.enrichments.indicator.geo.region_iso_code
 ignore_above: 1024
- level: extended
- name: subject.organization
- normalize:
- - array
- original_fieldset: x509
- short: List of organizations (O) of subject.
+ level: core
+ name: region_iso_code
+ normalize: []
+ original_fieldset: geo
+ short: Region ISO code.
 type: keyword
- threat.enrichments.x509.subject.organizational_unit:
- dashed_name: threat-enrichments-x509-subject-organizational-unit
- description: List of organizational units (OU) of subject.
- flat_name: threat.enrichments.x509.subject.organizational_unit
+ threat.enrichments.indicator.geo.region_name:
+ dashed_name: threat-enrichments-indicator-geo-region-name
+ description: Region name.
+ example: Quebec
+ flat_name: threat.enrichments.indicator.geo.region_name
 ignore_above: 1024
- level: extended
- name: subject.organizational_unit
- normalize:
- - array
- original_fieldset: x509
- short: List of organizational units (OU) of subject.
+ level: core
+ name: region_name
+ normalize: []
+ original_fieldset: geo
+ short: Region name.
type: keyword
- threat.enrichments.x509.subject.state_or_province:
- dashed_name: threat-enrichments-x509-subject-state-or-province
- description: List of state or province names (ST, S, or P)
- example: California
- flat_name: threat.enrichments.x509.subject.state_or_province
+ threat.enrichments.indicator.geo.timezone:
+ dashed_name: threat-enrichments-indicator-geo-timezone
+ description: The time zone of the location, such as IANA time zone name.
+ example: America/Argentina/Buenos_Aires
+ flat_name: threat.enrichments.indicator.geo.timezone
 ignore_above: 1024
- level: extended
- name: subject.state_or_province
- normalize:
- - array
- original_fieldset: x509
- short: List of state or province names (ST, S, or P)
+ level: core
+ name: timezone
+ normalize: []
+ original_fieldset: geo
+ short: Time zone.
 type: keyword
- threat.enrichments.x509.version_number:
- dashed_name: threat-enrichments-x509-version-number
- description: Version of x509 format.
- example: 3
- flat_name: threat.enrichments.x509.version_number
+ threat.enrichments.indicator.hash.md5:
+ dashed_name: threat-enrichments-indicator-hash-md5
+ description: MD5 hash.
+ flat_name: threat.enrichments.indicator.hash.md5
 ignore_above: 1024
 level: extended
- name: version_number
+ name: md5
 normalize: []
- original_fieldset: x509
- short: Version of x509 format.
+ original_fieldset: hash
+ short: MD5 hash.
 type: keyword
- threat.framework:
- dashed_name: threat-framework
- description: Name of the threat framework used to further categorize and classify
- the tactic and technique of the reported threat. Framework classification
- can be provided by detecting systems, evaluated at ingest time, or retrospectively
- tagged to events.
- example: MITRE ATT&CK
- flat_name: threat.framework
+ threat.enrichments.indicator.hash.sha1:
+ dashed_name: threat-enrichments-indicator-hash-sha1
+ description: SHA1 hash.
+ flat_name: threat.enrichments.indicator.hash.sha1
 ignore_above: 1024
 level: extended
- name: framework
+ name: sha1
 normalize: []
- short: Threat classification framework.
+ original_fieldset: hash
+ short: SHA1 hash.
 type: keyword
- threat.group.alias:
- beta: This field is beta and subject to change.
- dashed_name: threat-group-alias
- description: "The alias(es) of the group for a set of related intrusion activity\
- \ that are tracked by a common name in the security community. While not required,\
- \ you can use a MITRE ATT&CK\xAE group alias(es)."
- example: '[ "Magecart Group 6" ]'
- flat_name: threat.group.alias
+ threat.enrichments.indicator.hash.sha256:
+ dashed_name: threat-enrichments-indicator-hash-sha256
+ description: SHA256 hash.
+ flat_name: threat.enrichments.indicator.hash.sha256
 ignore_above: 1024
 level: extended
- name: group.alias
- normalize:
- - array
- short: Alias of the group.
+ name: sha256
+ normalize: []
+ original_fieldset: hash
+ short: SHA256 hash.
 type: keyword
- threat.group.id:
- beta: This field is beta and subject to change.
- dashed_name: threat-group-id
- description: "The id of the group for a set of related intrusion activity that\
- \ are tracked by a common name in the security community. While not required,\
- \ you can use a MITRE ATT&CK\xAE group id."
- example: G0037
- flat_name: threat.group.id
+ threat.enrichments.indicator.hash.sha512:
+ dashed_name: threat-enrichments-indicator-hash-sha512
+ description: SHA512 hash.
+ flat_name: threat.enrichments.indicator.hash.sha512
 ignore_above: 1024
 level: extended
- name: group.id
+ name: sha512
 normalize: []
- short: ID of the group.
+ original_fieldset: hash
+ short: SHA512 hash.
 type: keyword
- threat.group.name:
- beta: This field is beta and subject to change.
- dashed_name: threat-group-name
- description: "The name of the group for a set of related intrusion activity\
- \ that are tracked by a common name in the security community.
While not required,\
- \ you can use a MITRE ATT&CK\xAE group name."
- example: FIN6
- flat_name: threat.group.name
+ threat.enrichments.indicator.hash.ssdeep:
+ dashed_name: threat-enrichments-indicator-hash-ssdeep
+ description: SSDEEP hash.
+ flat_name: threat.enrichments.indicator.hash.ssdeep
 ignore_above: 1024
 level: extended
- name: group.name
+ name: ssdeep
 normalize: []
- short: Name of the group.
+ original_fieldset: hash
+ short: SSDEEP hash.
 type: keyword
- threat.group.reference:
+ threat.enrichments.indicator.ip:
 beta: This field is beta and subject to change.
- dashed_name: threat-group-reference
- description: "The reference URL of the group for a set of related intrusion\
- \ activity that are tracked by a common name in the security community. While\
- \ not required, you can use a MITRE ATT&CK\xAE group reference URL."
- example: https://attack.mitre.org/groups/G0037/
- flat_name: threat.group.reference
- ignore_above: 1024
+ dashed_name: threat-enrichments-indicator-ip
+ description: Identifies a threat indicator as an IP address (irrespective of
+ direction).
+ example: 1.2.3.4
+ flat_name: threat.enrichments.indicator.ip
 level: extended
- name: group.reference
+ name: enrichments.indicator.ip
 normalize: []
- short: Reference URL of the group.
- type: keyword
- threat.indicator.as.number:
- dashed_name: threat-indicator-as-number
- description: Unique number allocated to the autonomous system. The autonomous
- system number (ASN) uniquely identifies each network on the Internet.
- example: 15169
- flat_name: threat.indicator.as.number
+ short: Indicator IP address
+ type: ip
+ threat.enrichments.indicator.last_seen:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-last-seen
+ description: The date and time when intelligence source last reported sighting
+ this indicator.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: threat.enrichments.indicator.last_seen
 level: extended
- name: number
+ name: enrichments.indicator.last_seen
 normalize: []
- original_fieldset: as
- short: Unique number allocated to the autonomous system.
- type: long
- threat.indicator.as.organization.name:
- dashed_name: threat-indicator-as-organization-name
- description: Organization name.
- example: Google LLC
- flat_name: threat.indicator.as.organization.name
+ short: Date/time indicator was last reported.
+ type: date
+ threat.enrichments.indicator.marking.tlp:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-marking-tlp
+ description: "Traffic Light Protocol sharing markings. Recommended values are:\n\
+ \ * WHITE\n * GREEN\n * AMBER\n * RED"
+ example: White
+ flat_name: threat.enrichments.indicator.marking.tlp
 ignore_above: 1024
 level: extended
- multi_fields:
- - flat_name: threat.indicator.as.organization.name.text
- name: text
- norms: false
- type: text
- name: organization.name
+ name: enrichments.indicator.marking.tlp
 normalize: []
- original_fieldset: as
- short: Organization name.
+ short: Indicator TLP marking
 type: keyword
- threat.indicator.confidence:
+ threat.enrichments.indicator.modified_at:
 beta: This field is beta and subject to change.
- dashed_name: threat-indicator-confidence
- description: "Identifies the confidence rating assigned by the provider using\
- \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\
- \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\
- \ * WEP Scale (Impossible - Certain)"
- example: High
- flat_name: threat.indicator.confidence
+ dashed_name: threat-enrichments-indicator-modified-at
+ description: The date and time when intelligence source last modified information
+ for this indicator.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: threat.enrichments.indicator.modified_at
+ level: extended
+ name: enrichments.indicator.modified_at
+ normalize: []
+ short: Date/time indicator was last updated.
+ type: date
+ threat.enrichments.indicator.pe.architecture:
+ dashed_name: threat-enrichments-indicator-pe-architecture
+ description: CPU architecture target for the file.
+ example: x64
+ flat_name: threat.enrichments.indicator.pe.architecture
 ignore_above: 1024
 level: extended
- name: indicator.confidence
+ name: architecture
 normalize: []
- short: Indicator confidence rating
+ original_fieldset: pe
+ short: CPU architecture target for the file.
 type: keyword
- threat.indicator.description:
+ threat.enrichments.indicator.pe.company:
+ dashed_name: threat-enrichments-indicator-pe-company
+ description: Internal company name of the file, provided at compile-time.
+ example: Microsoft Corporation
+ flat_name: threat.enrichments.indicator.pe.company
+ ignore_above: 1024
+ level: extended
+ name: company
+ normalize: []
+ original_fieldset: pe
+ short: Internal company name of the file, provided at compile-time.
+ type: keyword
+ threat.enrichments.indicator.pe.description:
+ dashed_name: threat-enrichments-indicator-pe-description
+ description: Internal description of the file, provided at compile-time.
+ example: Paint
+ flat_name: threat.enrichments.indicator.pe.description
+ ignore_above: 1024
+ level: extended
+ name: description
+ normalize: []
+ original_fieldset: pe
+ short: Internal description of the file, provided at compile-time.
+ type: keyword
+ threat.enrichments.indicator.pe.file_version:
+ dashed_name: threat-enrichments-indicator-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: threat.enrichments.indicator.pe.file_version
+ ignore_above: 1024
+ level: extended
+ name: file_version
+ normalize: []
+ original_fieldset: pe
+ short: Process name.
+ type: keyword
+ threat.enrichments.indicator.pe.imphash:
+ dashed_name: threat-enrichments-indicator-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash
+ -- can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: threat.enrichments.indicator.pe.imphash
+ ignore_above: 1024
+ level: extended
+ name: imphash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+ threat.enrichments.indicator.pe.original_file_name:
+ dashed_name: threat-enrichments-indicator-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: threat.enrichments.indicator.pe.original_file_name
+ ignore_above: 1024
+ level: extended
+ name: original_file_name
+ normalize: []
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: keyword
+ threat.enrichments.indicator.pe.product:
+ dashed_name: threat-enrichments-indicator-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: "Microsoft\xAE Windows\xAE Operating System"
+ flat_name: threat.enrichments.indicator.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+ threat.enrichments.indicator.port:
 beta: This field is beta and subject to change.
- dashed_name: threat-indicator-description
- description: Describes the type of action conducted by the threat.
- example: IP x.x.x.x was observed delivering the Angler EK.
- flat_name: threat.indicator.description
+ dashed_name: threat-enrichments-indicator-port
+ description: Identifies a threat indicator as a port number (irrespective of
+ direction).
+ example: 443
+ flat_name: threat.enrichments.indicator.port
+ level: extended
+ name: enrichments.indicator.port
+ normalize: []
+ short: Indicator port
+ type: long
+ threat.enrichments.indicator.provider:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-provider
+ description: The name of the indicator's provider.
+ example: lrz_urlhaus
+ flat_name: threat.enrichments.indicator.provider
 ignore_above: 1024
 level: extended
- name: indicator.description
+ name: enrichments.indicator.provider
 normalize: []
- short: Indicator description
+ short: Indicator provider
 type: keyword
- threat.indicator.email.address:
+ threat.enrichments.indicator.reference:
 beta: This field is beta and subject to change.
- dashed_name: threat-indicator-email-address
- description: Identifies a threat indicator as an email address (irrespective
- of direction).
- example: phish@example.com
- flat_name: threat.indicator.email.address
+ dashed_name: threat-enrichments-indicator-reference
+ description: Reference URL linking to additional information about this indicator.
+ example: https://system.example.com/indicator/0001234
+ flat_name: threat.enrichments.indicator.reference
+ ignore_above: 1024
+ level: extended
+ name: enrichments.indicator.reference
+ normalize: []
+ short: Indicator reference URL
+ type: keyword
+ threat.enrichments.indicator.registry.data.bytes:
+ dashed_name: threat-enrichments-indicator-registry-data-bytes
+ description: 'Original bytes written with base64 encoding.
+
+ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+ corresponds to the data pointed by `lp_data`. This is optional but provides
+ better recoverability and should be populated for REG_BINARY encoded values.'
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+ flat_name: threat.enrichments.indicator.registry.data.bytes
+ ignore_above: 1024
+ level: extended
+ name: data.bytes
+ normalize: []
+ original_fieldset: registry
+ short: Original bytes written with base64 encoding.
+ type: keyword
+ threat.enrichments.indicator.registry.data.strings:
+ dashed_name: threat-enrichments-indicator-registry-data-strings
+ description: 'Content when writing string types.
+
+ Populated as an array when writing string data to the registry. For single
+ string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with
+ one string. For sequences of string with REG_MULTI_SZ, this array will be
+ variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should
+ be populated with the decimal representation (e.g `"1"`).'
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+ flat_name: threat.enrichments.indicator.registry.data.strings
+ ignore_above: 1024
+ level: core
+ name: data.strings
+ normalize:
+ - array
+ original_fieldset: registry
+ short: List of strings representing what was written to the registry.
+ type: keyword
+ threat.enrichments.indicator.registry.data.type:
+ dashed_name: threat-enrichments-indicator-registry-data-type
+ description: Standard registry type for encoding contents
+ example: REG_SZ
+ flat_name: threat.enrichments.indicator.registry.data.type
+ ignore_above: 1024
+ level: core
+ name: data.type
+ normalize: []
+ original_fieldset: registry
+ short: Standard registry type for encoding contents
+ type: keyword
+ threat.enrichments.indicator.registry.hive:
+ dashed_name: threat-enrichments-indicator-registry-hive
+ description: Abbreviated name for the hive.
+ example: HKLM
+ flat_name: threat.enrichments.indicator.registry.hive
+ ignore_above: 1024
+ level: core
+ name: hive
+ normalize: []
+ original_fieldset: registry
+ short: Abbreviated name for the hive.
+ type: keyword
+ threat.enrichments.indicator.registry.key:
+ dashed_name: threat-enrichments-indicator-registry-key
+ description: Hive-relative path of keys.
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+ flat_name: threat.enrichments.indicator.registry.key
+ ignore_above: 1024
+ level: core
+ name: key
+ normalize: []
+ original_fieldset: registry
+ short: Hive-relative path of keys.
+ type: keyword
+ threat.enrichments.indicator.registry.path:
+ dashed_name: threat-enrichments-indicator-registry-path
+ description: Full path, including hive, key and value
+ example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\winword.exe\Debugger
+ flat_name: threat.enrichments.indicator.registry.path
+ ignore_above: 1024
+ level: core
+ name: path
+ normalize: []
+ original_fieldset: registry
+ short: Full path, including hive, key and value
+ type: keyword
+ threat.enrichments.indicator.registry.value:
+ dashed_name: threat-enrichments-indicator-registry-value
+ description: Name of the value written.
+ example: Debugger
+ flat_name: threat.enrichments.indicator.registry.value
+ ignore_above: 1024
+ level: core
+ name: value
+ normalize: []
+ original_fieldset: registry
+ short: Name of the value written.
+ type: keyword
+ threat.enrichments.indicator.scanner_stats:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-scanner-stats
+ description: Count of AV/EDR vendors that successfully detected malicious file
+ or URL.
+ example: 4
+ flat_name: threat.enrichments.indicator.scanner_stats
+ level: extended
+ name: enrichments.indicator.scanner_stats
+ normalize: []
+ short: Scanner statistics
+ type: long
+ threat.enrichments.indicator.sightings:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-sightings
+ description: Number of times this indicator was observed conducting threat activity.
+ example: 20
+ flat_name: threat.enrichments.indicator.sightings
+ level: extended
+ name: enrichments.indicator.sightings
+ normalize: []
+ short: Number of times indicator observed
+ type: long
+ threat.enrichments.indicator.type:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-type
+ description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\
+ \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\
+ \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\
+ \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \
+ \ * user-account\n * windows-registry-key\n * x509-certificate"
+ example: ipv4-addr
+ flat_name: threat.enrichments.indicator.type
+ ignore_above: 1024
+ level: extended
+ name: enrichments.indicator.type
+ normalize: []
+ short: Type of indicator
+ type: keyword
+ threat.enrichments.indicator.url.domain:
+ dashed_name: threat-enrichments-indicator-url-domain
+ description: 'Domain of the url, such as "www.elastic.co".
+
+ In some cases a URL may refer to an IP and/or port directly, without a domain
+ name. In this case, the IP address would go to the `domain` field.
+
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC
+ 2732), the `[` and `]` characters should also be captured in the `domain`
+ field.'
+ example: www.elastic.co
+ flat_name: threat.enrichments.indicator.url.domain
+ ignore_above: 1024
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: url
+ short: Domain of the url.
+ type: keyword
+ threat.enrichments.indicator.url.extension:
+ dashed_name: threat-enrichments-indicator-url-extension
+ description: 'The field contains the file extension from the original request
+ url, excluding the leading dot.
+
+ The file extension is only set if it exists, as not every url has a file extension.
+
+ The leading period must not be included.
For example, the value must be "png",
+ not ".png".
+
+ Note that when the file name has multiple extensions (example.tar.gz), only
+ the last one should be captured ("gz", not "tar.gz").'
+ example: png
+ flat_name: threat.enrichments.indicator.url.extension
+ ignore_above: 1024
+ level: extended
+ name: extension
+ normalize: []
+ original_fieldset: url
+ short: File extension from the request url, excluding the leading dot.
+ type: keyword
+ threat.enrichments.indicator.url.fragment:
+ dashed_name: threat-enrichments-indicator-url-fragment
+ description: 'Portion of the url after the `#`, such as "top".
+
+ The `#` is not part of the fragment.'
+ flat_name: threat.enrichments.indicator.url.fragment
+ ignore_above: 1024
+ level: extended
+ name: fragment
+ normalize: []
+ original_fieldset: url
+ short: Portion of the url after the `#`.
+ type: keyword
+ threat.enrichments.indicator.url.full:
+ dashed_name: threat-enrichments-indicator-url-full
+ description: If full URLs are important to your use case, they should be stored
+ in `url.full`, whether this field is reconstructed or present in the event
+ source.
+ example: https://www.elastic.co:443/search?q=elasticsearch#top
+ flat_name: threat.enrichments.indicator.url.full
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: threat.enrichments.indicator.url.full.text
+ name: text
+ norms: false
+ type: text
+ name: full
+ normalize: []
+ original_fieldset: url
+ short: Full unparsed URL.
+ type: keyword
+ threat.enrichments.indicator.url.original:
+ dashed_name: threat-enrichments-indicator-url-original
+ description: 'Unmodified original url as seen in the event source.
+
+ Note that in network monitoring, the observed URL may be a full URL, whereas
+ in access logs, the URL is often just represented as a path.
+
+ This field is meant to represent the URL as it was observed, complete or not.'
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+ flat_name: threat.enrichments.indicator.url.original
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: threat.enrichments.indicator.url.original.text
+ name: text
+ norms: false
+ type: text
+ name: original
+ normalize: []
+ original_fieldset: url
+ short: Unmodified original url as seen in the event source.
+ type: keyword
+ threat.enrichments.indicator.url.password:
+ dashed_name: threat-enrichments-indicator-url-password
+ description: Password of the request.
+ flat_name: threat.enrichments.indicator.url.password
+ ignore_above: 1024
+ level: extended
+ name: password
+ normalize: []
+ original_fieldset: url
+ short: Password of the request.
+ type: keyword
+ threat.enrichments.indicator.url.path:
+ dashed_name: threat-enrichments-indicator-url-path
+ description: Path of the request, such as "/search".
+ flat_name: threat.enrichments.indicator.url.path
+ ignore_above: 1024
+ level: extended
+ name: path
+ normalize: []
+ original_fieldset: url
+ short: Path of the request, such as "/search".
+ type: keyword
+ threat.enrichments.indicator.url.port:
+ dashed_name: threat-enrichments-indicator-url-port
+ description: Port of the request, such as 443.
+ example: 443
+ flat_name: threat.enrichments.indicator.url.port
+ format: string
+ level: extended
+ name: port
+ normalize: []
+ original_fieldset: url
+ short: Port of the request, such as 443.
+ type: long
+ threat.enrichments.indicator.url.query:
+ dashed_name: threat-enrichments-indicator-url-query
+ description: 'The query field describes the query string of the request, such
+ as "q=elasticsearch".
+
+ The `?` is excluded from the query string. If a URL contains no `?`, there
+ is no query field. If there is a `?` but no query, the query field exists
+ with an empty string. The `exists` query can be used to differentiate between
+ the two cases.'
+ flat_name: threat.enrichments.indicator.url.query
+ ignore_above: 1024
+ level: extended
+ name: query
+ normalize: []
+ original_fieldset: url
+ short: Query string of the request.
+ type: keyword
+ threat.enrichments.indicator.url.registered_domain:
+ dashed_name: threat-enrichments-indicator-url-registered-domain
+ description: 'The highest registered url domain, stripped of the subdomain.
+
+ For example, the registered domain for "foo.example.com" is "example.com".
+
+ This value can be determined precisely with a list like the public suffix
+ list (http://publicsuffix.org). Trying to approximate this by simply taking
+ the last two labels will not work well for TLDs such as "co.uk".'
+ example: example.com
+ flat_name: threat.enrichments.indicator.url.registered_domain
+ ignore_above: 1024
+ level: extended
+ name: registered_domain
+ normalize: []
+ original_fieldset: url
+ short: The highest registered url domain, stripped of the subdomain.
+ type: keyword
+ threat.enrichments.indicator.url.scheme:
+ dashed_name: threat-enrichments-indicator-url-scheme
+ description: 'Scheme of the request, such as "https".
+
+ Note: The `:` is not part of the scheme.'
+ example: https
+ flat_name: threat.enrichments.indicator.url.scheme
+ ignore_above: 1024
+ level: extended
+ name: scheme
+ normalize: []
+ original_fieldset: url
+ short: Scheme of the url.
+ type: keyword
+ threat.enrichments.indicator.url.subdomain:
+ dashed_name: threat-enrichments-indicator-url-subdomain
+ description: 'The subdomain portion of a fully qualified domain name includes
+ all of the names except the host name under the registered_domain. In a partially
+ qualified domain, or if the the qualification level of the full name cannot
+ be determined, subdomain contains all of the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east".
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com",
+ the subdomain field should contain "sub2.sub1", with no trailing period.'
+ example: east
+ flat_name: threat.enrichments.indicator.url.subdomain
+ ignore_above: 1024
+ level: extended
+ name: subdomain
+ normalize: []
+ original_fieldset: url
+ short: The subdomain of the domain.
+ type: keyword
+ threat.enrichments.indicator.url.top_level_domain:
+ dashed_name: threat-enrichments-indicator-url-top-level-domain
+ description: 'The effective top level domain (eTLD), also known as the domain
+ suffix, is the last part of the domain name. For example, the top level domain
+ for example.com is "com".
+
+ This value can be determined precisely with a list like the public suffix
+ list (http://publicsuffix.org). Trying to approximate this by simply taking
+ the last label will not work well for effective TLDs such as "co.uk".'
+ example: co.uk
+ flat_name: threat.enrichments.indicator.url.top_level_domain
+ ignore_above: 1024
+ level: extended
+ name: top_level_domain
+ normalize: []
+ original_fieldset: url
+ short: The effective top level domain (com, org, net, co.uk).
+ type: keyword
+ threat.enrichments.indicator.url.username:
+ dashed_name: threat-enrichments-indicator-url-username
+ description: Username of the request.
+ flat_name: threat.enrichments.indicator.url.username
+ ignore_above: 1024
+ level: extended
+ name: username
+ normalize: []
+ original_fieldset: url
+ short: Username of the request.
+ type: keyword
+ threat.enrichments.indicator.x509.alternative_names:
+ dashed_name: threat-enrichments-indicator-x509-alternative-names
+ description: List of subject alternative names (SAN). Name types vary by certificate
+ authority and certificate type but commonly contain IP addresses, DNS names
+ (and wildcards), and email addresses.
+ example: '*.elastic.co' + flat_name: threat.enrichments.indicator.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword + threat.enrichments.indicator.x509.issuer.common_name: + dashed_name: threat-enrichments-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.indicator.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + threat.enrichments.indicator.x509.issuer.country: + dashed_name: threat-enrichments-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.indicator.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + threat.enrichments.indicator.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. 
+ type: keyword + threat.enrichments.indicator.x509.issuer.locality: + dashed_name: threat-enrichments-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.indicator.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + threat.enrichments.indicator.x509.issuer.organization: + dashed_name: threat-enrichments-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.indicator.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. + type: keyword + threat.enrichments.indicator.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. 
+ type: keyword + threat.enrichments.indicator.x509.issuer.state_or_province: + dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.indicator.x509.not_after: + dashed_name: threat-enrichments-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.indicator.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + threat.enrichments.indicator.x509.not_before: + dashed_name: threat-enrichments-indicator-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.indicator.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + threat.enrichments.indicator.x509.public_key_algorithm: + dashed_name: threat-enrichments-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.indicator.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. 
+ type: keyword + threat.enrichments.indicator.x509.public_key_curve: + dashed_name: threat-enrichments-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.enrichments.indicator.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + threat.enrichments.indicator.x509.public_key_exponent: + dashed_name: threat-enrichments-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.indicator.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + threat.enrichments.indicator.x509.public_key_size: + dashed_name: threat-enrichments-indicator-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.indicator.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + threat.enrichments.indicator.x509.serial_number: + dashed_name: threat-enrichments-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. 
+ example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.indicator.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword + threat.enrichments.indicator.x509.signature_algorithm: + dashed_name: threat-enrichments-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.indicator.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword + threat.enrichments.indicator.x509.subject.common_name: + dashed_name: threat-enrichments-indicator-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword + threat.enrichments.indicator.x509.subject.country: + dashed_name: threat-enrichments-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.indicator.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + threat.enrichments.indicator.x509.subject.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. 
+ example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword + threat.enrichments.indicator.x509.subject.locality: + dashed_name: threat-enrichments-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.indicator.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + threat.enrichments.indicator.x509.subject.organization: + dashed_name: threat-enrichments-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.indicator.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + threat.enrichments.indicator.x509.subject.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.indicator.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. 
+ type: keyword + threat.enrichments.indicator.x509.subject.state_or_province: + dashed_name: threat-enrichments-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.indicator.x509.version_number: + dashed_name: threat-enrichments-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.indicator.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword + threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic + normalize: [] + short: Matched indicator value + type: keyword + threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 + level: extended + name: enrichments.matched.field + normalize: [] + short: Matched indicator field + type: keyword + threat.enrichments.matched.id: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 + level: extended + name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier + type: keyword + threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 + level: extended + name: enrichments.matched.index + normalize: [] + short: Matched indicator index + type: keyword + threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 + level: extended + name: enrichments.matched.type + normalize: [] + short: Type of indicator match + type: keyword + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 + level: extended + name: framework + normalize: [] + short: Threat classification framework. + type: keyword + threat.group.alias: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 + level: extended + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id + normalize: [] + short: ID of the group. + type: keyword + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name + normalize: [] + short: Name of the group. + type: keyword + threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 + level: extended + name: group.reference + normalize: [] + short: Reference URL of the group. 
+ type: keyword + threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. 
+ flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. 
+ type: boolean + threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: threat.indicator.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' 
+ flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + ignore_above: 1024 + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: keyword + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order + description: Byte sequence of ELF file. 
+ example: Little Endian + flat_name: threat.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class + description: Header class of the ELF file. 
+ flat_name: threat.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type + description: Header type of the ELF file. 
+ flat_name: threat.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: threat.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type + description: ELF Section List type. 
+ flat_name: threat.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type + description: ELF object segment type. 
+ flat_name: threat.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. 
+ example: alice + flat_name: threat.indicator.file.group ignore_above: 1024 level: extended - name: indicator.email.address + name: group normalize: [] - short: Indicator email address + original_fieldset: file + short: Primary group name of the file. type: keyword - threat.indicator.file.accessed: - dashed_name: threat-indicator-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - flat_name: threat.indicator.file.accessed + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 level: extended - name: accessed + name: inode normalize: [] original_fieldset: file - short: Last time the file was accessed. - type: date - threat.indicator.file.attributes: - dashed_name: threat-indicator-file-attributes - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.indicator.file.attributes + short: Inode representing the file in the filesystem. + type: keyword + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended - name: attributes - normalize: - - array + name: mime_type + normalize: [] original_fieldset: file - short: Array of file attributes. + short: Media type of file, document, or arrangement of bytes. 
type: keyword - threat.indicator.file.code_signature.exists: - dashed_name: threat-indicator-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.indicator.file.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - threat.indicator.file.code_signature.signing_id: - dashed_name: threat-indicator-file-code-signature-signing-id - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.indicator.file.code_signature.signing_id + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode ignore_above: 1024 level: extended - name: signing_id + name: mode normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. + original_fieldset: file + short: Mode of the file in octal representation. type: keyword - threat.indicator.file.code_signature.status: - dashed_name: threat-indicator-file-code-signature-status - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.indicator.file.code_signature.status + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. 
+ type: date + threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended - name: status + name: name normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + original_fieldset: file + short: Name of the file including the extension, without the directory. type: keyword - threat.indicator.file.code_signature.subject_name: - dashed_name: threat-indicator-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.indicator.file.code_signature.subject_name + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner ignore_above: 1024 - level: core - name: subject_name + level: extended + name: owner normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: file + short: File owner's username. type: keyword - threat.indicator.file.code_signature.team_id: - dashed_name: threat-indicator-file-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.indicator.file.code_signature.team_id + threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. 
+ example: /home/alice/example.png + flat_name: threat.indicator.file.path ignore_above: 1024 level: extended - name: team_id + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: file + short: Full path to the file, including the file name. type: keyword - threat.indicator.file.code_signature.trusted: - dashed_name: threat-indicator-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. + threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.indicator.file.code_signature.trusted + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size level: extended - name: trusted + name: size normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - threat.indicator.file.code_signature.valid: - dashed_name: threat-indicator-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.indicator.file.code_signature.valid + original_fieldset: file + short: File size in bytes. + type: long + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. 
+ flat_name: threat.indicator.file.target_path + ignore_above: 1024 level: extended - name: valid + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - threat.indicator.file.created: - dashed_name: threat-indicator-file-created - description: 'File creation time. - - Note that not all filesystems store the creation time.' - flat_name: threat.indicator.file.created + original_fieldset: file + short: Target path for symlinks. + type: keyword + threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 level: extended - name: created + name: type normalize: [] original_fieldset: file - short: File creation time. - type: date - threat.indicator.file.ctime: - dashed_name: threat-indicator-file-ctime - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.indicator.file.ctime + short: File type (file, dir, or symlink). + type: keyword + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 level: extended - name: ctime + name: uid normalize: [] original_fieldset: file - short: Last time the file attributes or metadata changed. + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.indicator.first_seen: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. type: date - threat.indicator.file.device: - dashed_name: threat-indicator-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.indicator.file.device + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name ignore_above: 1024 - level: extended - name: device + level: core + name: city_name normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: geo + short: City name. type: keyword - threat.indicator.file.directory: - dashed_name: threat-indicator-file-directory - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice - flat_name: threat.indicator.file.directory + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 - level: extended - name: directory + level: core + name: continent_code normalize: [] - original_fieldset: file - short: Directory where the file is located. + original_fieldset: geo + short: Continent code. type: keyword - threat.indicator.file.drive_letter: - dashed_name: threat-indicator-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' 
- example: C - flat_name: threat.indicator.file.drive_letter - ignore_above: 1 - level: extended - name: drive_letter + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name normalize: [] - original_fieldset: file - short: Drive letter where the file is located. + original_fieldset: geo + short: Name of the continent. type: keyword - threat.indicator.file.elf.architecture: - dashed_name: threat-indicator-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.indicator.file.elf.architecture + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 - level: extended - name: architecture + level: core + name: country_iso_code normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: geo + short: Country ISO code. type: keyword - threat.indicator.file.elf.byte_order: - dashed_name: threat-indicator-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.indicator.file.elf.byte_order + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name ignore_above: 1024 - level: extended - name: byte_order + level: core + name: country_name normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: geo + short: Country name. type: keyword - threat.indicator.file.elf.cpu_type: - dashed_name: threat-indicator-file-elf-cpu-type - description: CPU type of the ELF file. 
- example: Intel - flat_name: threat.indicator.file.elf.cpu_type + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name ignore_above: 1024 level: extended - name: cpu_type + name: name normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: geo + short: User-defined description of a location. type: keyword - threat.indicator.file.elf.creation_date: - dashed_name: threat-indicator-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - flat_name: threat.indicator.file.elf.creation_date - level: extended - name: creation_date + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date - threat.indicator.file.elf.exports: - dashed_name: threat-indicator-file-elf-exports - description: List of exported element names and types. 
- flat_name: threat.indicator.file.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - threat.indicator.file.elf.header.abi_version: - dashed_name: threat-indicator-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.indicator.file.elf.header.abi_version + original_fieldset: geo + short: Postal code. + type: keyword + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 - level: extended - name: header.abi_version + level: core + name: region_iso_code normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: geo + short: Region ISO code. type: keyword - threat.indicator.file.elf.header.class: - dashed_name: threat-indicator-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.indicator.file.elf.header.class + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name ignore_above: 1024 - level: extended - name: header.class + level: core + name: region_name normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: geo + short: Region name. type: keyword - threat.indicator.file.elf.header.data: - dashed_name: threat-indicator-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.indicator.file.elf.header.data + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone ignore_above: 1024 - level: extended - name: header.data + level: core + name: timezone normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: geo + short: Time zone. type: keyword - threat.indicator.file.elf.header.entrypoint: - dashed_name: threat-indicator-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.indicator.file.elf.header.entrypoint - format: string + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 + ignore_above: 1024 level: extended - name: header.entrypoint + name: md5 normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - threat.indicator.file.elf.header.object_version: - dashed_name: threat-indicator-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.indicator.file.elf.header.object_version + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended - name: header.object_version + name: sha1 normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + original_fieldset: hash + short: SHA1 hash. type: keyword - threat.indicator.file.elf.header.os_abi: - dashed_name: threat-indicator-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.indicator.file.elf.header.os_abi + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. 
+ flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended - name: header.os_abi + name: sha256 normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. - type: keyword - threat.indicator.file.elf.header.type: - dashed_name: threat-indicator-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.indicator.file.elf.header.type + original_fieldset: hash + short: SHA256 hash. + type: keyword + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended - name: header.type + name: sha512 normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: hash + short: SHA512 hash. type: keyword - threat.indicator.file.elf.header.version: - dashed_name: threat-indicator-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.indicator.file.elf.header.version + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep ignore_above: 1024 level: extended - name: header.version + name: ssdeep normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: hash + short: SSDEEP hash. type: keyword - threat.indicator.file.elf.imports: - dashed_name: threat-indicator-file-elf-imports - description: List of imported element names and types. - flat_name: threat.indicator.file.elf.imports + threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. 
- type: flattened - threat.indicator.file.elf.sections: - dashed_name: threat-indicator-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: threat.indicator.file.elf.sections + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested - threat.indicator.file.elf.sections.chi2: - dashed_name: threat-indicator-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.indicator.file.elf.sections.chi2 - format: number + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 level: extended - name: sections.chi2 + name: indicator.marking.tlp normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long - threat.indicator.file.elf.sections.entropy: - dashed_name: threat-indicator-file-elf-sections-entropy - description: Shannon entropy calculation from the section. 
- flat_name: threat.indicator.file.elf.sections.entropy - format: number + short: Indicator TLP marking + type: keyword + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: sections.entropy + name: indicator.modified_at normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - threat.indicator.file.elf.sections.flags: - dashed_name: threat-indicator-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.indicator.file.elf.sections.flags + short: Date/time indicator was last updated. + type: date + threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture ignore_above: 1024 level: extended - name: sections.flags + name: architecture normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: pe + short: CPU architecture target for the file. type: keyword - threat.indicator.file.elf.sections.name: - dashed_name: threat-indicator-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.indicator.file.elf.sections.name + threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company ignore_above: 1024 level: extended - name: sections.name + name: company normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. 
type: keyword - threat.indicator.file.elf.sections.physical_offset: - dashed_name: threat-indicator-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.indicator.file.elf.sections.physical_offset + threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description ignore_above: 1024 level: extended - name: sections.physical_offset + name: description normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. type: keyword - threat.indicator.file.elf.sections.physical_size: - dashed_name: threat-indicator-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.indicator.file.elf.sections.physical_size - format: bytes + threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 level: extended - name: sections.physical_size + name: file_version normalize: [] - original_fieldset: elf - short: ELF Section List physical size. - type: long - threat.indicator.file.elf.sections.type: - dashed_name: threat-indicator-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.indicator.file.elf.sections.type + original_fieldset: pe + short: Process name. + type: keyword + threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. 
+ + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash ignore_above: 1024 level: extended - name: sections.type + name: imphash normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - threat.indicator.file.elf.sections.virtual_address: - dashed_name: threat-indicator-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.indicator.file.elf.sections.virtual_address - format: string + threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + ignore_above: 1024 level: extended - name: sections.virtual_address + name: original_file_name normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - threat.indicator.file.elf.sections.virtual_size: - dashed_name: threat-indicator-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.indicator.file.elf.sections.virtual_size - format: string + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 level: extended - name: sections.virtual_size + name: product normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. 
- type: long - threat.indicator.file.elf.segments: - dashed_name: threat-indicator-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: threat.indicator.file.elf.segments + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.indicator.port level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - threat.indicator.file.elf.segments.sections: - dashed_name: threat-indicator-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.indicator.file.elf.segments.sections + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider ignore_above: 1024 level: extended - name: segments.sections + name: indicator.provider normalize: [] - original_fieldset: elf - short: ELF object segment sections. + short: Indicator provider type: keyword - threat.indicator.file.elf.segments.type: - dashed_name: threat-indicator-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.indicator.file.elf.segments.type + threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. 
+ example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference ignore_above: 1024 level: extended - name: segments.type + name: indicator.reference normalize: [] - original_fieldset: elf - short: ELF object segment type. + short: Indicator reference URL type: keyword - threat.indicator.file.elf.shared_libraries: - dashed_name: threat-indicator-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.indicator.file.elf.shared_libraries + threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes ignore_above: 1024 level: extended - name: shared_libraries + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. 
+ original_fieldset: registry + short: List of strings representing what was written to the registry. type: keyword - threat.indicator.file.elf.telfhash: - dashed_name: threat-indicator-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.indicator.file.elf.telfhash + threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type ignore_above: 1024 - level: extended - name: telfhash + level: core + name: data.type normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.indicator.file.extension: - dashed_name: threat-indicator-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.indicator.file.extension + threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive ignore_above: 1024 - level: extended - name: extension + level: core + name: hive normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword - threat.indicator.file.gid: - dashed_name: threat-indicator-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.indicator.file.gid + threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key ignore_above: 1024 - level: extended - name: gid + level: core + name: key normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + original_fieldset: registry + short: Hive-relative path of keys. type: keyword - threat.indicator.file.group: - dashed_name: threat-indicator-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.indicator.file.group + threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path ignore_above: 1024 - level: extended - name: group + level: core + name: path normalize: [] - original_fieldset: file - short: Primary group name of the file. + original_fieldset: registry + short: Full path, including hive, key and value type: keyword - threat.indicator.file.inode: - dashed_name: threat-indicator-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.indicator.file.inode + threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value ignore_above: 1024 - level: extended - name: inode + level: core + name: value normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. + original_fieldset: registry + short: Name of the value written. 
type: keyword - threat.indicator.file.mime_type: - dashed_name: threat-indicator-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. - flat_name: threat.indicator.file.mime_type - ignore_above: 1024 + threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats level: extended - name: mime_type + name: indicator.scanner_stats normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. - type: keyword - threat.indicator.file.mode: - dashed_name: threat-indicator-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.indicator.file.mode + short: Scanner statistics + type: long + threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type ignore_above: 1024 level: extended - name: mode + name: indicator.type normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + short: Type of indicator type: keyword - threat.indicator.file.mtime: - dashed_name: threat-indicator-file-mtime - description: Last time the file content was modified. - flat_name: threat.indicator.file.mtime + threat.indicator.url.domain: + dashed_name: threat-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.indicator.url.domain + ignore_above: 1024 level: extended - name: mtime + name: domain normalize: [] - original_fieldset: file - short: Last time the file content was modified. - type: date - threat.indicator.file.name: - dashed_name: threat-indicator-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.indicator.file.name + original_fieldset: url + short: Domain of the url. 
+ type: keyword + threat.indicator.url.extension: + dashed_name: threat-indicator-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.url.extension ignore_above: 1024 level: extended - name: name + name: extension normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword - threat.indicator.file.owner: - dashed_name: threat-indicator-file-owner - description: File owner's username. - example: alice - flat_name: threat.indicator.file.owner + threat.indicator.url.fragment: + dashed_name: threat-indicator-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.indicator.url.fragment ignore_above: 1024 level: extended - name: owner + name: fragment normalize: [] - original_fieldset: file - short: File owner's username. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword - threat.indicator.file.path: - dashed_name: threat-indicator-file-path - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. 
- example: /home/alice/example.png - flat_name: threat.indicator.file.path + threat.indicator.url.full: + dashed_name: threat-indicator-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.indicator.url.full ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.indicator.file.path.text + - flat_name: threat.indicator.url.full.text name: text norms: false type: text - name: path + name: full normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. + original_fieldset: url + short: Full unparsed URL. type: keyword - threat.indicator.file.size: - dashed_name: threat-indicator-file-size - description: 'File size in bytes. + threat.indicator.url.original: + dashed_name: threat-indicator-url-original + description: 'Unmodified original url as seen in the event source. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.indicator.file.size - level: extended - name: size - normalize: [] - original_fieldset: file - short: File size in bytes. - type: long - threat.indicator.file.target_path: - dashed_name: threat-indicator-file-target-path - description: Target path for symlinks. - flat_name: threat.indicator.file.target_path + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.indicator.url.original ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.indicator.file.target_path.text + - flat_name: threat.indicator.url.original.text name: text norms: false type: text - name: target_path + name: original normalize: [] - original_fieldset: file - short: Target path for symlinks. + original_fieldset: url + short: Unmodified original url as seen in the event source. type: keyword - threat.indicator.file.type: - dashed_name: threat-indicator-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.indicator.file.type + threat.indicator.url.password: + dashed_name: threat-indicator-url-password + description: Password of the request. + flat_name: threat.indicator.url.password ignore_above: 1024 level: extended - name: type + name: password normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + original_fieldset: url + short: Password of the request. type: keyword - threat.indicator.file.uid: - dashed_name: threat-indicator-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.indicator.file.uid + threat.indicator.url.path: + dashed_name: threat-indicator-url-path + description: Path of the request, such as "/search". + flat_name: threat.indicator.url.path ignore_above: 1024 level: extended - name: uid + name: path normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + original_fieldset: url + short: Path of the request, such as "/search". type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen + threat.indicator.url.port: + dashed_name: threat-indicator-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.indicator.url.port + format: string level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date - threat.indicator.geo.city_name: - dashed_name: threat-indicator-geo-city-name - description: City name. - example: Montreal - flat_name: threat.indicator.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - threat.indicator.geo.continent_code: - dashed_name: threat-indicator-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.indicator.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - threat.indicator.geo.continent_name: - dashed_name: threat-indicator-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.indicator.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. - type: keyword - threat.indicator.geo.country_iso_code: - dashed_name: threat-indicator-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.indicator.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code - normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - threat.indicator.geo.country_name: - dashed_name: threat-indicator-geo-country-name - description: Country name. 
- example: Canada - flat_name: threat.indicator.geo.country_name - ignore_above: 1024 - level: core - name: country_name - normalize: [] - original_fieldset: geo - short: Country name. - type: keyword - threat.indicator.geo.location: - dashed_name: threat-indicator-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.indicator.geo.location - level: core - name: location + name: port normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - threat.indicator.geo.name: - dashed_name: threat-indicator-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.indicator.url.query: + dashed_name: threat-indicator-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.indicator.geo.name + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.indicator.url.query ignore_above: 1024 level: extended - name: name + name: query normalize: [] - original_fieldset: geo - short: User-defined description of a location. + original_fieldset: url + short: Query string of the request. type: keyword - threat.indicator.geo.postal_code: - dashed_name: threat-indicator-geo-postal-code - description: 'Postal code associated with the location. 
+ threat.indicator.url.registered_domain: + dashed_name: threat-indicator-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.indicator.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - threat.indicator.geo.region_iso_code: - dashed_name: threat-indicator-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.indicator.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - threat.indicator.geo.region_name: - dashed_name: threat-indicator-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.indicator.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - threat.indicator.geo.timezone: - dashed_name: threat-indicator-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.indicator.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword - threat.indicator.hash.md5: - dashed_name: threat-indicator-hash-md5 - description: MD5 hash. - flat_name: threat.indicator.hash.md5 + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' 
+ example: example.com + flat_name: threat.indicator.url.registered_domain ignore_above: 1024 level: extended - name: md5 + name: registered_domain normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. type: keyword - threat.indicator.hash.sha1: - dashed_name: threat-indicator-hash-sha1 - description: SHA1 hash. - flat_name: threat.indicator.hash.sha1 + threat.indicator.url.scheme: + dashed_name: threat-indicator-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.indicator.url.scheme ignore_above: 1024 level: extended - name: sha1 + name: scheme normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: url + short: Scheme of the url. type: keyword - threat.indicator.hash.sha256: - dashed_name: threat-indicator-hash-sha256 - description: SHA256 hash. - flat_name: threat.indicator.hash.sha256 + threat.indicator.url.subdomain: + dashed_name: threat-indicator-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.indicator.url.subdomain ignore_above: 1024 level: extended - name: sha256 + name: subdomain normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: url + short: The subdomain of the domain. 
type: keyword - threat.indicator.hash.sha512: - dashed_name: threat-indicator-hash-sha512 - description: SHA512 hash. - flat_name: threat.indicator.hash.sha512 + threat.indicator.url.top_level_domain: + dashed_name: threat-indicator-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.indicator.url.top_level_domain ignore_above: 1024 level: extended - name: sha512 + name: top_level_domain normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword - threat.indicator.hash.ssdeep: - dashed_name: threat-indicator-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.indicator.hash.ssdeep + threat.indicator.url.username: + dashed_name: threat-indicator-url-username + description: Username of the request. + flat_name: threat.indicator.url.username ignore_above: 1024 level: extended - name: ssdeep + name: username normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: url + short: Username of the request. type: keyword - threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip - threat.indicator.last_seen: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen + threat.indicator.x509.alternative_names: + dashed_name: threat-indicator-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.indicator.x509.alternative_names + ignore_above: 1024 level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date - threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword + threat.indicator.x509.issuer.common_name: + dashed_name: threat-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.indicator.x509.issuer.common_name ignore_above: 1024 level: extended - name: indicator.marking.tlp - normalize: [] - short: Indicator TLP marking + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. type: keyword - threat.indicator.modified_at: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at + threat.indicator.x509.issuer.country: + dashed_name: threat-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.indicator.x509.issuer.country + ignore_above: 1024 level: extended - name: indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date - threat.indicator.pe.architecture: - dashed_name: threat-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.indicator.pe.architecture + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + threat.indicator.x509.issuer.distinguished_name: + dashed_name: threat-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.indicator.x509.issuer.distinguished_name ignore_above: 1024 level: extended - name: architecture + name: issuer.distinguished_name normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. type: keyword - threat.indicator.pe.company: - dashed_name: threat-indicator-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.indicator.pe.company + threat.indicator.x509.issuer.locality: + dashed_name: threat-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.indicator.x509.issuer.locality ignore_above: 1024 level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. 
+ name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.indicator.pe.description: - dashed_name: threat-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.indicator.pe.description + threat.indicator.x509.issuer.organization: + dashed_name: threat-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.indicator.x509.issuer.organization ignore_above: 1024 level: extended - name: description - normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword - threat.indicator.pe.file_version: - dashed_name: threat-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.indicator.pe.file_version + threat.indicator.x509.issuer.organizational_unit: + dashed_name: threat-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: file_version - normalize: [] - original_fieldset: pe - short: Process name. + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword - threat.indicator.pe.imphash: - dashed_name: threat-indicator-pe-imphash - description: 'A hash of the imports in a PE file. 
An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.indicator.pe.imphash + threat.indicator.x509.issuer.state_or_province: + dashed_name: threat-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword - threat.indicator.pe.original_file_name: - dashed_name: threat-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE - flat_name: threat.indicator.pe.original_file_name + threat.indicator.x509.not_after: + dashed_name: threat-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.indicator.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + threat.indicator.x509.not_before: + dashed_name: threat-indicator-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.indicator.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. 
+ type: date + threat.indicator.x509.public_key_algorithm: + dashed_name: threat-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended - name: original_file_name + name: public_key_algorithm normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword - threat.indicator.pe.product: - dashed_name: threat-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.indicator.pe.product + threat.indicator.x509.public_key_curve: + dashed_name: threat-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.indicator.x509.public_key_curve ignore_above: 1024 level: extended - name: product + name: public_key_curve normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword - threat.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - flat_name: threat.indicator.port + threat.indicator.x509.public_key_exponent: + dashed_name: threat-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. 
+ doc_values: false + example: 65537 + flat_name: threat.indicator.x509.public_key_exponent + index: false level: extended - name: indicator.port + name: public_key_exponent normalize: [] - short: Indicator port + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long - threat.indicator.provider: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-provider - description: The name of the indicator's provider. - example: lrz_urlhaus - flat_name: threat.indicator.provider - ignore_above: 1024 + threat.indicator.x509.public_key_size: + dashed_name: threat-indicator-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.indicator.x509.public_key_size level: extended - name: indicator.provider + name: public_key_size normalize: [] - short: Indicator provider - type: keyword - threat.indicator.reference: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-reference - description: Reference URL linking to additional information about this indicator. - example: https://system.example.com/indicator/0001234 - flat_name: threat.indicator.reference + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + threat.indicator.x509.serial_number: + dashed_name: threat-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.indicator.x509.serial_number ignore_above: 1024 level: extended - name: indicator.reference + name: serial_number normalize: [] - short: Indicator reference URL + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. 
type: keyword - threat.indicator.registry.data.bytes: - dashed_name: threat-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.registry.data.bytes + threat.indicator.x509.signature_algorithm: + dashed_name: threat-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.indicator.x509.signature_algorithm ignore_above: 1024 level: extended - name: data.bytes + name: signature_algorithm normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword - threat.indicator.registry.data.strings: - dashed_name: threat-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.registry.data.strings + threat.indicator.x509.subject.common_name: + dashed_name: threat-indicator-x509-subject-common-name + description: List of common names (CN) of subject. 
+ example: shared.global.example.net + flat_name: threat.indicator.x509.subject.common_name ignore_above: 1024 - level: core - name: data.strings + level: extended + name: subject.common_name normalize: - array - original_fieldset: registry - short: List of strings representing what was written to the registry. + original_fieldset: x509 + short: List of common names (CN) of subject. type: keyword - threat.indicator.registry.data.type: - dashed_name: threat-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.registry.data.type + threat.indicator.x509.subject.country: + dashed_name: threat-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.indicator.x509.subject.country ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code type: keyword - threat.indicator.registry.hive: - dashed_name: threat-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.indicator.registry.hive + threat.indicator.x509.subject.distinguished_name: + dashed_name: threat-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.indicator.x509.subject.distinguished_name ignore_above: 1024 - level: core - name: hive + level: extended + name: subject.distinguished_name normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
type: keyword - threat.indicator.registry.key: - dashed_name: threat-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.registry.key + threat.indicator.x509.subject.locality: + dashed_name: threat-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.indicator.x509.subject.locality ignore_above: 1024 - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.indicator.registry.path: - dashed_name: threat-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.indicator.registry.path + threat.indicator.x509.subject.organization: + dashed_name: threat-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.indicator.x509.subject.organization ignore_above: 1024 - level: core - name: path - normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. type: keyword - threat.indicator.registry.value: - dashed_name: threat-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.indicator.registry.value + threat.indicator.x509.subject.organizational_unit: + dashed_name: threat-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: threat.indicator.x509.subject.organizational_unit ignore_above: 1024 - level: core - name: value - normalize: [] - original_fieldset: registry - short: Name of the value written. - type: keyword - threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - flat_name: threat.indicator.scanner_stats level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long - threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + threat.indicator.x509.subject.state_or_province: + dashed_name: threat-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.indicator.x509.subject.state_or_province + ignore_above: 1024 level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long - threat.indicator.type: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.indicator.x509.version_number: + dashed_name: threat-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.indicator.x509.version_number ignore_above: 1024 level: extended - name: indicator.type + name: version_number normalize: [] - short: Type of indicator + original_fieldset: x509 + short: Version of x509 format. type: keyword threat.software.id: beta: This field is beta and subject to change. @@ -12830,19 +14233,21 @@ threat: name: threat nestings: - threat.enrichments.indicator.as - - threat.enrichments.indicator.as - - threat.enrichments.indicator.as - - threat.enrichments.indicator.as + - threat.enrichments.indicator.file + - threat.enrichments.indicator.geo + - threat.enrichments.indicator.hash - threat.enrichments.indicator.pe - threat.enrichments.indicator.registry - - threat.enrichments.url - - threat.enrichments.x509 + - threat.enrichments.indicator.url + - threat.enrichments.indicator.x509 - threat.indicator.as - threat.indicator.file - threat.indicator.geo - threat.indicator.hash - threat.indicator.pe - threat.indicator.registry + - threat.indicator.url + - threat.indicator.x509 prefix: threat. reused_here: - beta: Reusing the `as` fields in this location is currently considered beta. 
@@ -12857,24 +14262,24 @@ threat: full: threat.indicator.file schema_name: file short: Fields describing files. - - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + - beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.indicator.file schema_name: file short: Fields describing files. - beta: Reusing the `geo` fields in this location is currently considered beta. full: threat.indicator.geo schema_name: geo short: Fields describing a location. - - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + - beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.indicator.geo schema_name: geo short: Fields describing a location. - beta: Reusing the `hash` fields in this location is currently considered beta. full: threat.indicator.hash schema_name: hash short: Hashes, usually file hashes. - - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.indicator.as + - beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.enrichments.indicator.hash schema_name: hash short: Hashes, usually file hashes. - beta: Reusing the `as` fields in this location is currently considered beta. 
@@ -12894,11 +14299,19 @@ threat: schema_name: registry short: Fields related to Windows Registry operations. - beta: Reusing the `url` fields in this location is currently considered beta. - full: threat.enrichments.url + full: threat.indicator.url + schema_name: url + short: Fields that let you store URLs in various forms. + - beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.indicator.url schema_name: url short: Fields that let you store URLs in various forms. - beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.x509 + full: threat.indicator.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. + - beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.enrichments.indicator.x509 schema_name: x509 short: These fields contain x509 certificate metadata. short: Fields to classify events and alerts according to a threat taxonomy. @@ -14181,9 +15594,13 @@ url: reusable: expected: - as: url - at: threat.enrichments + at: threat.indicator + beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.indicator.url + - as: url + at: threat.enrichments.indicator beta: Reusing the `url` fields in this location is currently considered beta. - full: threat.enrichments.url + full: threat.enrichments.indicator.url top_level: true short: Fields that let you store URLs in various forms. title: URL @@ -15486,9 +16903,13 @@ x509: at: file full: file.x509 - as: x509 - at: threat.enrichments + at: threat.indicator + beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.indicator.x509 + - as: x509 + at: threat.enrichments.indicator beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.x509 + full: threat.enrichments.indicator.x509 - as: x509 at: tls.client full: tls.client.x509 
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index 6369597767..b9dc8d7b75 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -3100,46 +3100,355 @@ "properties": { "as": { "properties": { - "md5": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" }, - "sha1": { + "attributes": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { + "directory": { "ignore_above": 1024, "type": "keyword" }, - "ssdeep": { + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "uid": { "ignore_above": 1024, "type": "keyword" } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" + "first_seen": { + "type": "date" }, - "email": { + "geo": { "properties": { - "address": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { "ignore_above": 1024, "type": "keyword" } } }, - "first_seen": { - "type": "date" + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "ip": { "type": "ip" 
@@ -3246,206 +3555,206 @@ "type": { "ignore_above": 1024, "type": "keyword" - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { + "url": { "properties": { - "common_name": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "country": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "distinguished_name": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "locality": { + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, 
"ignore_above": 1024, "type": "keyword" }, - "organization": { + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "password": { "ignore_above": 1024, "type": "keyword" }, - "state_or_province": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { "ignore_above": 1024, "type": "keyword" } } }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { + "x509": { "properties": { - "common_name": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "country": { - "ignore_above": 1024, - "type": "keyword" + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "not_after": { + "type": "date" }, - "distinguished_name": { + "not_before": { + "type": "date" + }, + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "locality": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "organization": { + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "signature_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "state_or_province": { + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { "ignore_above": 1024, "type": "keyword" } } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" }, - "version_number": { + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { "ignore_above": 1024, "type": "keyword" } 
@@ -3937,6 +4246,183 @@ "type": { "ignore_above": 1024, "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 1006c07d11..b544cca3b4 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -3096,46 +3096,355 @@ "properties": { "as": { "properties": { - "md5": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" }, - "sha1": { + "attributes": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { + "directory": { "ignore_above": 1024, "type": "keyword" }, - "ssdeep": { + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "uid": { "ignore_above": 1024, "type": "keyword" } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" + "first_seen": { + "type": "date" }, - "email": { + "geo": { "properties": { - "address": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { "ignore_above": 1024, "type": "keyword" } } }, - "first_seen": { - "type": "date" + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "ip": { "type": "ip" 
@@ -3242,206 +3551,206 @@ "type": { "ignore_above": 1024, "type": "keyword" - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { + "url": { "properties": { - "common_name": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "country": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "distinguished_name": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "locality": { + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, 
"ignore_above": 1024, "type": "keyword" }, - "organization": { + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "password": { "ignore_above": 1024, "type": "keyword" }, - "state_or_province": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { "ignore_above": 1024, "type": "keyword" } } }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { + "x509": { "properties": { - "common_name": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "country": { - "ignore_above": 1024, - "type": "keyword" + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "not_after": { + "type": "date" }, - "distinguished_name": { + "not_before": { + "type": "date" + }, + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "locality": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "organization": { + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "signature_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "state_or_province": { + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { "ignore_above": 1024, "type": "keyword" } } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" }, - "version_number": { + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { "ignore_above": 1024, "type": "keyword" } 
@@ -3933,6 +4242,183 @@ "type": { "ignore_above": 1024, "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index f4b17a6f0d..d518789158 100644 --- a/generated/elasticsearch/component/threat.json +++ b/generated/elasticsearch/component/threat.json 
@@ -14,46 +14,355 @@ "properties": { "as": { "properties": { - "md5": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { "ignore_above": 1024, "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" }, - "sha1": { + "attributes": { "ignore_above": 1024, "type": "keyword" }, - "sha256": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { "ignore_above": 1024, "type": "keyword" }, - "sha512": { + "directory": { "ignore_above": 1024, "type": "keyword" }, - "ssdeep": { + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "uid": { "ignore_above": 1024, "type": "keyword" } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" + "first_seen": { + "type": "date" }, - "email": { + "geo": { "properties": { - "address": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { "ignore_above": 1024, "type": "keyword" } } }, - "first_seen": { - "type": "date" + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "ip": { "type": "ip" 
@@ -160,206 +469,206 @@ "type": { "ignore_above": 1024, "type": "keyword" - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" }, - "issuer": { + "url": { "properties": { - "common_name": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "country": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "distinguished_name": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "locality": { + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, 
"ignore_above": 1024, "type": "keyword" }, - "organization": { + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "password": { "ignore_above": 1024, "type": "keyword" }, - "state_or_province": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { "ignore_above": 1024, "type": "keyword" } } }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { + "x509": { "properties": { - "common_name": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "country": { - "ignore_above": 1024, - "type": "keyword" + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "not_after": { + "type": "date" }, - "distinguished_name": { + "not_before": { + "type": "date" + }, + "public_key_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "locality": { + "public_key_curve": { "ignore_above": 1024, "type": "keyword" }, - "organization": { + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "signature_algorithm": { "ignore_above": 1024, "type": "keyword" }, - "state_or_province": { + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { "ignore_above": 1024, "type": "keyword" } } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" }, - "version_number": { + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { "ignore_above": 1024, "type": "keyword" } 
@@ -851,6 +1160,183 @@ "type": { "ignore_above": 1024, "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, From 0ad060542d2cee56788b87776fd1d5ca16448e83 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 7 Jul 2021 12:53:19 -0500 Subject: [PATCH 8/8] additional reuseable configuration cleanup --- docs/field-details.asciidoc | 8 ++++---- experimental/generated/ecs/ecs_nested.yml | 18 ++++++++++-------- generated/ecs/ecs_nested.yml | 18 ++++++++++-------- schemas/pe.yml | 4 ++-- schemas/registry.yml | 4 ++-- 5 files changed, 28 insertions(+), 24 deletions(-) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index d80f250833..d5cc1af1ee 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -8864,7 +8864,7 @@ Hashes, usually file hashes. | `threat.enrichments.indicator.pe.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| <>| beta:[ Reusing the `pe` fields in this location is currently considered beta.] These fields contain Windows Portable Executable (PE) metadata. 
@@ -8872,7 +8872,7 @@ These fields contain Windows Portable Executable (PE) metadata. | `threat.enrichments.indicator.registry.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| <>| beta:[ Reusing the `registry` fields in this location is currently considered beta.] Fields related to Windows Registry operations. @@ -8928,7 +8928,7 @@ Hashes, usually file hashes. | `threat.indicator.pe.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| <>| beta:[ Reusing the `pe` fields in this location is currently considered beta.] These fields contain Windows Portable Executable (PE) metadata. @@ -8936,7 +8936,7 @@ These fields contain Windows Portable Executable (PE) metadata. | `threat.indicator.registry.*` -| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] +| <>| beta:[ Reusing the `registry` fields in this location is currently considered beta.] Fields related to Windows Registry operations. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index a38716ece9..15e580531f 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -8193,11 +8193,11 @@ pe: full: process.pe - as: pe at: threat.indicator - beta: Reusing the `as` fields in this location is currently considered beta. + beta: Reusing the `pe` fields in this location is currently considered beta. full: threat.indicator.pe - as: pe at: threat.enrichments.indicator - beta: Reusing the `as` fields in this location is currently considered beta. + beta: Reusing the `pe` fields in this location is currently considered beta. full: threat.enrichments.indicator.pe - as: pe at: threat.enrichments 
@@ -13035,11 +13035,13 @@ registry:
 expected:
 - as: registry
 at: threat.indicator
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `registry` fields in this location is currently considered
+ beta.
 full: threat.indicator.registry
 - as: registry
 at: threat.enrichments.indicator
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `registry` fields in this location is currently considered
+ beta.
 full: threat.enrichments.indicator.registry
 - as: registry
 at: threat.enrichments
@@ -19667,22 +19669,22 @@ threat:
 full: threat.enrichments.indicator.hash
 schema_name: hash
 short: Hashes, usually file hashes.
- - beta: Reusing the `as` fields in this location is currently considered beta.
+ - beta: Reusing the `pe` fields in this location is currently considered beta.
 full: threat.indicator.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
- - beta: Reusing the `as` fields in this location is currently considered beta.
+ - beta: Reusing the `pe` fields in this location is currently considered beta.
 full: threat.enrichments.indicator.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
 - full: threat.enrichments.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
- - beta: Reusing the `as` fields in this location is currently considered beta.
+ - beta: Reusing the `registry` fields in this location is currently considered beta.
 full: threat.indicator.registry
 schema_name: registry
 short: Fields related to Windows Registry operations.
- - beta: Reusing the `as` fields in this location is currently considered beta.
+ - beta: Reusing the `registry` fields in this location is currently considered beta.
 full: threat.enrichments.indicator.registry
 schema_name: registry
 short: Fields related to Windows Registry operations.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 06bbe4db3e..72b51cb1f5 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -7153,11 +7153,11 @@ pe:
 full: process.pe
 - as: pe
 at: threat.indicator
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `pe` fields in this location is currently considered beta.
 full: threat.indicator.pe
 - as: pe
 at: threat.enrichments.indicator
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `pe` fields in this location is currently considered beta.
 full: threat.enrichments.indicator.pe
 top_level: false
 short: These fields contain Windows Portable Executable (PE) metadata.
@@ -8905,11 +8905,13 @@ registry:
 expected:
 - as: registry
 at: threat.indicator
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `registry` fields in this location is currently considered
+ beta.
 full: threat.indicator.registry
 - as: registry
 at: threat.enrichments.indicator
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `registry` fields in this location is currently considered
+ beta.
 full: threat.enrichments.indicator.registry
 top_level: true
 short: Fields related to Windows Registry operations.
@@ -14282,19 +14284,19 @@ threat:
 full: threat.enrichments.indicator.hash
 schema_name: hash
 short: Hashes, usually file hashes.
- - beta: Reusing the `as` fields in this location is currently considered beta.
+ - beta: Reusing the `pe` fields in this location is currently considered beta.
 full: threat.indicator.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
- - beta: Reusing the `as` fields in this location is currently considered beta.
+ - beta: Reusing the `pe` fields in this location is currently considered beta.
 full: threat.enrichments.indicator.pe
 schema_name: pe
 short: These fields contain Windows Portable Executable (PE) metadata.
- - beta: Reusing the `as` fields in this location is currently considered beta.
+ - beta: Reusing the `registry` fields in this location is currently considered beta.
 full: threat.indicator.registry
 schema_name: registry
 short: Fields related to Windows Registry operations.
- - beta: Reusing the `as` fields in this location is currently considered beta.
+ - beta: Reusing the `registry` fields in this location is currently considered beta.
 full: threat.enrichments.indicator.registry
 schema_name: registry
 short: Fields related to Windows Registry operations.
diff --git a/schemas/pe.yml b/schemas/pe.yml
index 92715fef59..937412256e 100644
--- a/schemas/pe.yml
+++ b/schemas/pe.yml
@@ -12,10 +12,10 @@
 - process
 - at: threat.indicator
 as: pe
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `pe` fields in this location is currently considered beta.
 - at: threat.enrichments.indicator
 as: pe
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `pe` fields in this location is currently considered beta.
 fields:
 - name: original_file_name
 level: extended
diff --git a/schemas/registry.yml b/schemas/registry.yml
index 649b3d07a2..72bba7d1ff 100644
--- a/schemas/registry.yml
+++ b/schemas/registry.yml
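Review bot: The corrected `beta` notices in both `expected` entries of schemas/pe.yml are still hand-typed sentences whose only variable part is the schema name, which is exactly how the `as: pe` / "Reusing the `as` fields" mismatch this commit fixes got in; the two entries in schemas/registry.yml in the next hunk have the same shape. A cheap guard would be a check at schema-load time that the backtick-quoted name inside `beta` equals the entry's `as` value, or deriving the notice from `as` instead of typing it, so the generated ecs_nested.yml and field-details.asciidoc cannot drift from the source schema again. I cannot see the build tooling from this diff, so where such a check belongs is for the maintainers to decide. The `reusable` block these entries belong to starts above the hunk.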
@@ -9,10 +9,10 @@
 expected:
 - at: threat.indicator
 as: registry
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `registry` fields in this location is currently considered beta.
 - at: threat.enrichments.indicator
 as: registry
- beta: Reusing the `as` fields in this location is currently considered beta.
+ beta: Reusing the `registry` fields in this location is currently considered beta.
 fields:
 - name: hive