Stage 2 changes for RFC 0018 - extending the threat.* field set (el…
ebeahan authored May 27, 2021
1 parent b3eb38b commit e46c08b
Showing 16 changed files with 893 additions and 123 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.md
@@ -22,6 +22,7 @@ Thanks, you're awesome :-) -->

* `elf.*` field set added as beta. #1410
* Remove `beta` from `orchestrator` field set. #1417
* Extend `threat.*` field set beta. #1438

#### Improvements

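Review bot: the new entry `* Extend `threat.*` field set beta. #1438` is ambiguous about what was extended and reads as if "beta" were the object; the neighbouring entries put the change first and the status second (`` `elf.*` field set added as beta``, ``Remove `beta` from `orchestrator` field set``). Since the rest of this commit adds `threat.group.*` and `threat.software.*` fields for RFC 0018 stage 2, something like `* Extend the beta `threat.*` field set with `threat.group.*` and `threat.software.*` (RFC 0018 stage 2). #1438` tells a reader what changed without opening the diff.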
59 changes: 59 additions & 0 deletions code/go/ecs/threat.go


196 changes: 196 additions & 0 deletions docs/field-details.asciidoc
@@ -7547,6 +7547,202 @@ example: `MITRE ATT&CK`

// ===============================================================

|
[[field-threat-group-alias]]
<<field-threat-group-alias, threat.group.alias>>

| beta:[ This field is beta and subject to change. ]

The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).

type: keyword


Note: this field should contain an array of values.



example: `[ "Magecart Group 6" ]`

| extended

// ===============================================================

|
[[field-threat-group-id]]
<<field-threat-group-id, threat.group.id>>

| beta:[ This field is beta and subject to change. ]

The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.

type: keyword



example: `G0037`

| extended

// ===============================================================

|
[[field-threat-group-name]]
<<field-threat-group-name, threat.group.name>>

| beta:[ This field is beta and subject to change. ]

The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.

type: keyword



example: `FIN6`

| extended

// ===============================================================

|
[[field-threat-group-reference]]
<<field-threat-group-reference, threat.group.reference>>

| beta:[ This field is beta and subject to change. ]

The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.

type: keyword



example: `https://attack.mitre.org/groups/G0037/`

| extended

// ===============================================================

|
[[field-threat-software-id]]
<<field-threat-software-id, threat.software.id>>

| beta:[ This field is beta and subject to change. ]

The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.

type: keyword



example: `S0552`

| extended

// ===============================================================

|
[[field-threat-software-name]]
<<field-threat-software-name, threat.software.name>>

| beta:[ This field is beta and subject to change. ]

The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.

type: keyword



example: `AdFind`

| extended

// ===============================================================

|
[[field-threat-software-platforms]]
<<field-threat-software-platforms, threat.software.platforms>>

| beta:[ This field is beta and subject to change. ]

The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms.

Recommended Values:

* AWS

* Azure

* Azure AD

* GCP

* Linux

* macOS

* Network

* Office 365

* SaaS

* Windows

type: keyword


Note: this field should contain an array of values.



example: `[ "Windows" ]`

| extended

// ===============================================================

|
[[field-threat-software-reference]]
<<field-threat-software-reference, threat.software.reference>>

| beta:[ This field is beta and subject to change. ]

The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.

type: keyword



example: `https://attack.mitre.org/software/S0552/`

| extended

// ===============================================================

|
[[field-threat-software-type]]
<<field-threat-software-type, threat.software.type>>

| beta:[ This field is beta and subject to change. ]

The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type.

Recommended values

* Malware

* Tool

type: keyword



example: `Tool`

| extended

// ===============================================================

|
[[field-threat-tactic-id]]
<<field-threat-tactic-id, threat.tactic.id>>
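Review bot: the four `threat.group.*` descriptions share a number-agreement slip, "a set of related intrusion activity that are tracked by a common name" (the subject is "set", so "that is tracked"), and the `threat.software.platforms` description ends with "you can use a MITRE ATT&CK® software platforms", a singular article on a plural noun; "you can use MITRE ATT&CK® software platforms" fixes it. The value-list heading is also written two ways in this hunk: `Recommended Values:` under `threat.software.platforms` and `Recommended values` under `threat.software.type`. The same strings appear in `experimental/generated/beats/fields.ecs.yml` in this commit, so correct them once in the field definitions they are generated from rather than in each rendered file, or the next regeneration will reintroduce them.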
12 changes: 6 additions & 6 deletions experimental/generated/beats/fields.ecs.yml
@@ -7846,12 +7846,12 @@
level: extended
type: keyword
ignore_above: 1024
description: "The platform of the software used by this threat to conduct behavior\
description: "The platforms of the software used by this threat to conduct behavior\
\ commonly modeled using MITRE ATT&CK\xAE. While not required, you can use\
\ a MITRE ATT&CK\xAE software platform.\nExpected values\n * AWS\n * Azure\n\
\ * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office 365\n\
\ * PRE\n * SaaS\n * Windows"
example: Windows
\ a MITRE ATT&CK\xAE software platforms.\nRecommended Values:\n * AWS\n \
\ * Azure\n * Azure AD\n * GCP\n * Linux\n * macOS\n * Network\n * Office\
\ 365\n * SaaS\n * Windows"
example: '[ "Windows" ]'
default_field: false
- name: software.reference
level: extended
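Review bot: the rewritten description silently drops `PRE` from the platform list (old: `\ * PRE\n * SaaS\n * Windows"`, new: `\ 365\n * SaaS\n * Windows"`), and neither the commit title nor the CHANGELOG entry mentions removing a value. Removing an expected value from a field that is already indexed as a keyword is a data-contract change: documents already carrying `threat.software.platforms: PRE` will now sit outside the recommended set. If the removal tracks a change in the upstream ATT&CK platform list, say so in the description or the changelog; if it was accidental, restore the `\ * PRE\n` entry. Note also that the example moved from the scalar `Windows` to the quoted string `'[ "Windows" ]'`, which should match whatever convention the other array-normalized fields in this file use.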
@@ -7868,7 +7868,7 @@
ignore_above: 1024
description: "The type of software used by this threat to conduct behavior commonly\
\ modeled using MITRE ATT&CK\xAE. While not required, you can use a MITRE\
\ ATT&CK\xAE software type.\nExpected values\n * Malware\n * Tool"
\ ATT&CK\xAE software type.\nRecommended values\n * Malware\n * Tool"
example: Tool
default_field: false
- name: tactic.id
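Review bot: `Recommended values` (lowercase, no colon) in the `software.type` description differs from `Recommended Values:` written for `software.platforms` a few lines up in the same file (`\nRecommended Values:\n * AWS`); both are rendered verbatim into the field docs, so pick one form and apply it in the source the description is generated from.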
2 changes: 1 addition & 1 deletion experimental/generated/csv/fields.csv
@@ -937,7 +937,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
2.0.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
2.0.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,,Windows,Platform of the software.
2.0.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
2.0.0-dev+exp,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL.
2.0.0-dev+exp,true,threat,threat.software.type,keyword,extended,,Tool,Software type.
2.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
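Review bot: the new example `"[ ""Windows"" ]"` for `threat.software.platforms` (Normalization `array`) is inconsistent with `threat.tactic.id` two lines below, which also has Normalization `array` but keeps the unbracketed example `TA0002`. Anything that consumes the Example column (docs, generators, test fixtures) will see a JSON-array string for one array field and a bare scalar for another. Settle on one convention for array examples across the `threat.*` set; the same example string is emitted into the beats `fields.ecs.yml` in this commit, so the fix belongs at the source definition.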