diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 7e8d58bf3b..15c44a561c 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -32,8 +32,8 @@ Thanks, you're awesome :-) -->
 * Extend `threat.*` field set beta. #1438
 * Added `event.agent_id_status` field. #1454
 * `process.target` and `process.target.parent` added to experimental schema. #1467
-* Threat indicator fields progress to beta stage. #1471
-* `threat.enrichments` beta fields. #1478
+* Threat indicator fields progress to beta stage. #1471, #1504
+* `threat.enrichments` beta fields. #1478, #1504
 #### Improvements
diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go
index 6bfe88880b..c55bc0d364 100644
--- a/code/go/ecs/event.go
+++ b/code/go/ecs/event.go
@@ -130,8 +130,8 @@ type Event struct {
 // to `event.severity`.
 Severity int64 `ecs:"severity"`
- // Raw text message of entire event. Used to demonstrate log integrity or
- // where the full log message (before splitting it up in multiple parts)
+ // Raw text message of entire event. Used to demonstrate log integrity or
+ // where the full log message (before splitting it up in multiple parts)
 // may be required, e.g. for reindex.
 // This field is not indexed and doc_values are disabled. It cannot be
 // searched, but it can be retrieved from `_source`. If users wish to
diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go
index becd75adad..913ebf69ac 100644
--- a/code/go/ecs/threat.go
+++ b/code/go/ecs/threat.go
@@ -32,8 +32,8 @@ import (
 // used by this detected threat, to accomplish the goal (e.g. "endpoint denial
 // of service").
 type Threat struct {
- // A list of associated indicators enriching the event, and the context of
- // that association/enrichment.
+ // A list of associated indicators objects enriching the event, and the
+ // context of that association/enrichment.
 Enrichments []Enrichments `ecs:"enrichments"`
 // Name of the threat framework used to further categorize and classify the
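Review bot: The new doc comment on `Threat.Enrichments` reads `// A list of associated indicators objects enriching the event, and the` — "indicators objects" is ungrammatical and should be "indicator objects": `// A list of associated indicator objects enriching the event, and the` / `// context of that association/enrichment.`. The identical wording recurs in the asciidoc hunk at L6 and the beats YAML hunk at L14; since the same text appears verbatim in three files, these appear to be generated, and the fix belongs in the schema text they are produced from rather than in the outputs. The `Threat` struct continues past the end of this hunk.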
@@ -135,6 +135,12 @@ type Threat struct {
 // * RED
 IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"`
+ // Reference URL linking to additional information about this indicator.
+ IndicatorReference string `ecs:"indicator.reference"`
+
+ // The name of the indicator's provider.
+ IndicatorProvider string `ecs:"indicator.provider"`
+
 // The id of the software used by this threat to conduct behavior commonly
 // modeled using MITRE ATT&CK®. While not required, you can use a MITRE
 // ATT&CK® software id.
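Review bot: `IndicatorReference` is documented as a "Reference URL" but is an opaque `string` keyword; nothing in `Threat` constrains or validates it, and — given the neighbouring `IndicatorProvider` field — the value presumably comes from the intelligence provider rather than from the observed host, so consumers that render or follow it should treat it as untrusted text, not a trusted link. I would state that in the doc comment: `// Reference URL linking to additional information about this indicator.` / `// Provider-supplied and not validated here; treat it as an opaque keyword.` The `Threat` struct starts before this hunk and continues after it.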
@@ -218,6 +224,86 @@ type Threat struct {
 }
 type Enrichments struct {
+ // Object containing associated indicators enriching the event.
+ Indicator map[string]interface{} `ecs:"indicator"`
+
+ // The date and time when intelligence source first reported sighting this
+ // indicator.
+ IndicatorFirstSeen time.Time `ecs:"indicator.first_seen"`
+
+ // The date and time when intelligence source last reported sighting this
+ // indicator.
+ IndicatorLastSeen time.Time `ecs:"indicator.last_seen"`
+
+ // The date and time when intelligence source last modified information for
+ // this indicator.
+ IndicatorModifiedAt time.Time `ecs:"indicator.modified_at"`
+
+ // Number of times this indicator was observed conducting threat activity.
+ IndicatorSightings int64 `ecs:"indicator.sightings"`
+
+ // Type of indicator as represented by Cyber Observable in STIX 2.0.
+ // Recommended values:
+ // * autonomous-system
+ // * artifact
+ // * directory
+ // * domain-name
+ // * email-addr
+ // * file
+ // * ipv4-addr
+ // * ipv6-addr
+ // * mac-addr
+ // * mutex
+ // * port
+ // * process
+ // * software
+ // * url
+ // * user-account
+ // * windows-registry-key
+ // * x509-certificate
+ IndicatorType string `ecs:"indicator.type"`
+
+ // Describes the type of action conducted by the threat.
+ IndicatorDescription string `ecs:"indicator.description"`
+
+ // Count of AV/EDR vendors that successfully detected malicious file or
+ // URL.
+ IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"`
+
+ // Identifies the confidence rating assigned by the provider using
+ // STIX confidence scales. Expected values:
+ // * Not Specified, None, Low, Medium, High
+ // * 0-10
+ // * Admirality Scale (1-6)
+ // * DNI Scale (5-95)
+ // * WEP Scale (Impossible - Certain)
+ IndicatorConfidence string `ecs:"indicator.confidence"`
+
+ // Identifies a threat indicator as an IP address (irrespective of
+ // direction).
+ IndicatorIP string `ecs:"indicator.ip"`
+
+ // Identifies a threat indicator as a port number (irrespective of
+ // direction).
+ IndicatorPort int64 `ecs:"indicator.port"`
+
+ // Identifies a threat indicator as an email address (irrespective of
+ // direction).
+ IndicatorEmailAddress string `ecs:"indicator.email.address"`
+
+ // Traffic Light Protocol sharing markings. Recommended values are:
+ // * WHITE
+ // * GREEN
+ // * AMBER
+ // * RED
+ IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"`
+
+ // Reference URL linking to additional information about this indicator.
+ IndicatorReference string `ecs:"indicator.reference"`
+
+ // The name of the indicator's provider.
+ IndicatorProvider string `ecs:"indicator.provider"`
+
 // Identifies the atomic indicator value that matched a local environment
 // endpoint or network event.
 MatchedAtomic string `ecs:"matched.atomic"`
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index 8fb7276c0f..b4875476d6 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -289,7 +289,9 @@ The `as` fields are expected to be nested at:
 * `source.as`
-* `threat.enrichments.as`
+* `threat.enrichments.indicator.as`
+
+* `threat.indicator.as`
 Note also that the `as` fields are not expected to be used directly at the root of the events.
@@ -2779,7 +2781,7 @@ example: `apache`
 [[field-event-original]]
 <>
-| Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
+| Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex.
 This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`.
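Review bot: `Indicator map[string]interface{}` (tag `indicator`) is added to `Enrichments` alongside typed leaves tagged `indicator.first_seen`, `indicator.ip` and so on, so the same subtree is reachable two ways and nothing in the hunk says which wins when both are populated; as far as the visible hunks show, `Threat` carries no equivalent map for its own `indicator.*` leaves, so this looks like an artefact of declaring `enrichments.indicator` as an explicit object field rather than an intended API. If the map is kept, I would document the intent on it, e.g. `// Object containing associated indicators enriching the event. The typed Indicator* fields below cover the known keys; this map is an untyped catch-all and its contents are provider-supplied, so callers should not assume value types.` Two text defects in these comments also recur in the asciidoc hunk at L7 and the beats YAML hunk at L15: "Admirality Scale" should read "Admiralty Scale", and the YAML renders the confidence description with `\_` escapes, i.e. the source text contains non-breaking spaces that should be normalized to plain spaces where these files are generated from. `Enrichments` is declared inside the hunk but its body continues past the end of it.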
@@ -3034,20 +3036,6 @@ example: `https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38f |===== -[discrete] -==== Field Reuse - -The `event` fields are expected to be nested at: - - -* `threat.enrichments.event` - - -Note also that the `event` fields may be used directly at the root of the events. - - - - [[ecs-file]] === File Fields @@ -3437,7 +3425,9 @@ example: `1001` The `file` fields are expected to be nested at: -* `threat.enrichments.file` +* `threat.enrichments.indicator.file` + +* `threat.indicator.file` Note also that the `file` fields may be used directly at the root of the events. @@ -3712,7 +3702,9 @@ The `geo` fields are expected to be nested at: * `source.geo` -* `threat.enrichments.geo` +* `threat.enrichments.indicator.geo` + +* `threat.indicator.geo` Note also that the `geo` fields are not expected to be used directly at the root of the events. @@ -3912,7 +3904,9 @@ The `hash` fields are expected to be nested at: * `process.hash` -* `threat.enrichments.hash` +* `threat.enrichments.indicator.hash` + +* `threat.indicator.hash` Note also that the `hash` fields are not expected to be used directly at the root of the events. @@ -6168,6 +6162,10 @@ The `pe` fields are expected to be nested at: * `process.pe` +* `threat.enrichments.indicator.pe` + +* `threat.indicator.pe` + Note also that the `pe` fields are not expected to be used directly at the root of the events. @@ -6695,6 +6693,22 @@ example: `Debugger` |===== +[discrete] +==== Field Reuse + +The `registry` fields are expected to be nested at: + + +* `threat.enrichments.indicator.registry` + +* `threat.indicator.registry` + + +Note also that the `registry` fields may be used directly at the root of the events. + + + + [[ecs-related]] === Related Fields 
@@ -7680,7 +7694,7 @@ These fields are for users to classify alerts from all of their sources (e.g. ID | beta:[ This field is beta and subject to change. ] -A list of associated indicators enriching the event, and the context of that association/enrichment. +A list of associated indicators objects enriching the event, and the context of that association/enrichment. type: nested 
@@ -7688,6 +7702,328 @@ type: nested +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator]] +<> + +| beta:[ This field is beta and subject to change. ] + +Object containing associated indicators enriching the event. + +type: object + + + + + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-confidence]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values: + + * Not Specified, None, Low, Medium, High + + * 0-10 + + * Admirality Scale (1-6) + + * DNI Scale (5-95) + + * WEP Scale (Impossible - Certain) + +type: keyword + + + +example: `High` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-description]] +<> + +| beta:[ This field is beta and subject to change. ] + +Describes the type of action conducted by the threat. + +type: keyword + + + +example: `IP x.x.x.x was observed delivering the Angler EK.` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-email-address]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as an email address (irrespective of direction). + +type: keyword + + + +example: `phish@example.com` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-first-seen]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source first reported sighting this indicator. 
+ +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-ip]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as an IP address (irrespective of direction). + +type: ip + + + +example: `1.2.3.4` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-last-seen]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source last reported sighting this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-marking-tlp]] +<> + +| beta:[ This field is beta and subject to change. ] + +Traffic Light Protocol sharing markings. Recommended values are: + + * WHITE + + * GREEN + + * AMBER + + * RED + +type: keyword + + + +example: `White` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-modified-at]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source last modified information for this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-port]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as a port number (irrespective of direction). + +type: long + + + +example: `443` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-provider]] +<> + +| beta:[ This field is beta and subject to change. ] + +The name of the indicator's provider. 
+ +type: keyword + + + +example: `lrz_urlhaus` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-reference]] +<> + +| beta:[ This field is beta and subject to change. ] + +Reference URL linking to additional information about this indicator. + +type: keyword + + + +example: `https://system.example.com/indicator/0001234` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-scanner-stats]] +<> + +| beta:[ This field is beta and subject to change. ] + +Count of AV/EDR vendors that successfully detected malicious file or URL. + +type: long + + + +example: `4` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-sightings]] +<> + +| beta:[ This field is beta and subject to change. ] + +Number of times this indicator was observed conducting threat activity. + +type: long + + + +example: `20` + +| extended + +// =============================================================== + +| +[[field-threat-enrichments-indicator-type]] +<> + +| beta:[ This field is beta and subject to change. ] + +Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: + + * autonomous-system + + * artifact + + * directory + + * domain-name + + * email-addr + + * file + + * ipv4-addr + + * ipv6-addr + + * mac-addr + + * mutex + + * port + + * process + + * software + + * url + + * user-account + + * windows-registry-key + + * x509-certificate + +type: keyword + + + +example: `ipv4-addr` + | extended // =============================================================== 
@@ -8057,6 +8393,42 @@ example: `443` // =============================================================== +| +[[field-threat-indicator-provider]] +<> + +| beta:[ This field is beta and subject to change. ] + +The name of the indicator's provider. + +type: keyword + + + +example: `lrz_urlhaus` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-reference]] +<> + +| beta:[ This field is beta and subject to change. ] + +Reference URL linking to additional information about this indicator. + +type: keyword + + + +example: `https://system.example.com/indicator/0001234` + +| extended + +// =============================================================== + | [[field-threat-indicator-scanner-stats]] <> @@ -8470,7 +8842,7 @@ example: `https://attack.mitre.org/techniques/T1059/001/` // =============================================================== -| `threat.enrichments.as.*` +| `threat.enrichments.indicator.as.*` | <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] Fields describing an Autonomous System (Internet routing prefix). 
@@ -8478,15 +8850,71 @@ Fields describing an Autonomous System (Internet routing prefix). // =============================================================== -| `threat.enrichments.event.*` -| <>| beta:[ Reusing the `event` fields in this location is currently considered beta.] +| `threat.enrichments.indicator.file.*` +| <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] + +Fields describing files. + +// =============================================================== + + +| `threat.enrichments.indicator.geo.*` +| <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] + +Fields describing a location. + +// =============================================================== + + +| `threat.enrichments.indicator.hash.*` +| <>| beta:[ Reusing the `hash` fields in this location is currently considered beta.] + +Hashes, usually file hashes. + +// =============================================================== + + +| `threat.enrichments.indicator.pe.*` +| <>| beta:[ Reusing the `pe` fields in this location is currently considered beta.] + +These fields contain Windows Portable Executable (PE) metadata. + +// =============================================================== + + +| `threat.enrichments.indicator.registry.*` +| <>| beta:[ Reusing the `registry` fields in this location is currently considered beta.] + +Fields related to Windows Registry operations. + +// =============================================================== + + +| `threat.enrichments.indicator.url.*` +| <>| beta:[ Reusing the `url` fields in this location is currently considered beta.] + +Fields that let you store URLs in various forms. + +// =============================================================== + + +| `threat.enrichments.indicator.x509.*` +| <>| beta:[ Reusing the `x509` fields in this location is currently considered beta.] -Fields breaking down the event details. +These fields contain x509 certificate metadata. 
// =============================================================== -| `threat.enrichments.file.*` +| `threat.indicator.as.*` +| <>| beta:[ Reusing the `as` fields in this location is currently considered beta.] + +Fields describing an Autonomous System (Internet routing prefix). + +// =============================================================== + + +| `threat.indicator.file.*` | <>| beta:[ Reusing the `file` fields in this location is currently considered beta.] Fields describing files. @@ -8494,7 +8922,7 @@ Fields describing files. // =============================================================== -| `threat.enrichments.geo.*` +| `threat.indicator.geo.*` | <>| beta:[ Reusing the `geo` fields in this location is currently considered beta.] Fields describing a location. @@ -8502,7 +8930,7 @@ Fields describing a location. // =============================================================== -| `threat.enrichments.hash.*` +| `threat.indicator.hash.*` | <>| beta:[ Reusing the `hash` fields in this location is currently considered beta.] Hashes, usually file hashes. @@ -8510,7 +8938,23 @@ Hashes, usually file hashes. // =============================================================== -| `threat.enrichments.url.*` +| `threat.indicator.pe.*` +| <>| beta:[ Reusing the `pe` fields in this location is currently considered beta.] + +These fields contain Windows Portable Executable (PE) metadata. + +// =============================================================== + + +| `threat.indicator.registry.*` +| <>| beta:[ Reusing the `registry` fields in this location is currently considered beta.] + +Fields related to Windows Registry operations. + +// =============================================================== + + +| `threat.indicator.url.*` | <>| beta:[ Reusing the `url` fields in this location is currently considered beta.] Fields that let you store URLs in various forms. 
@@ -8518,7 +8962,7 @@ Fields that let you store URLs in various forms. // =============================================================== -| `threat.enrichments.x509.*` +| `threat.indicator.x509.*` | <>| beta:[ Reusing the `x509` fields in this location is currently considered beta.] These fields contain x509 certificate metadata. @@ -9408,7 +9852,9 @@ type: keyword The `url` fields are expected to be nested at: -* `threat.enrichments.url` +* `threat.enrichments.indicator.url` + +* `threat.indicator.url` Note also that the `url` fields may be used directly at the root of the events. @@ -10525,7 +10971,9 @@ The `x509` fields are expected to be nested at: * `file.x509` -* `threat.enrichments.x509` +* `threat.enrichments.indicator.x509` + +* `threat.indicator.x509` * `tls.client.x509` diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 5f934d9904..e3fd8b49db 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -1925,8 +1925,8 @@ - name: original level: core type: keyword - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, 
@@ -8254,17 +8254,22 @@ - name: enrichments level: extended type: nested - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. default_field: false - - name: enrichments.as.number + - name: enrichments.indicator + level: extended + type: object + description: Object containing associated indicators enriching the event. + default_field: false + - name: enrichments.indicator.as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 default_field: false - - name: enrichments.as.organization.name + - name: enrichments.indicator.as.organization.name level: extended type: wildcard multi_fields: 
@@ -8274,345 +8279,1721 @@ description: Organization name. example: Google LLC default_field: false - - name: enrichments.event.action - level: core + - name: enrichments.indicator.confidence + level: extended type: keyword ignore_above: 1024 - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: enrichments.event.agent_id_status + - name: enrichments.indicator.description level: extended type: keyword ignore_above: 1024 - description: 'Agents are normally responsible for populating the `agent.id` - field value. If the system receiving events is capable of validating the value - based on authentication information for the client then this field can be - used to reflect the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the - client cert contains the ID of the agent to which the cert was issued then - the `agent.id` value in events can be checked against the certificate. If - the values match then `event.agent_id_status: verified` is added to the event, - otherwise one of the other allowed values should be used. - - If no validation is performed then the field should be omitted. - - The allowed values are: - - `verified` - The `agent.id` field value matches expected value obtained from - auth metadata. - - `mismatch` - The `agent.id` field value does not match the expected value - obtained from auth metadata. 
+ description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + default_field: false + - name: enrichments.indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: enrichments.indicator.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. - `missing` - There was no `agent.id` field in the event to validate. + Note that not all filesystems keep track of access time.' + default_field: false + - name: enrichments.indicator.file.attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' default_field: false - - name: enrichments.event.category + - name: enrichments.indicator.file.code_signature.exists level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: enrichments.indicator.file.code_signature.signing_id + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process - activity. This field is closely related to `event.type`, which is used as - a subcategory. + description: 'The identifier used to sign the process. 
- This field is an array. This will allow proper categorization of some events - that fall in multiple categories.' - example: authentication + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy default_field: false - - name: enrichments.event.code + - name: enrichments.indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 - description: 'Identification code for this event, if one exists. + description: 'Additional information about the certificate status. - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.event.created + - name: enrichments.indicator.file.code_signature.subject_name level: core - type: date - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: enrichments.indicator.file.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + default_field: false + - name: enrichments.indicator.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: enrichments.indicator.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' + Leave unpopulated if a certificate was unchecked.' + example: 'true' default_field: false - - name: enrichments.event.dataset - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the dataset. + - name: enrichments.indicator.file.created + level: extended + type: date + description: 'File creation time. - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes - from. + Note that not all filesystems store the creation time.' + default_field: false + - name: enrichments.indicator.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' - example: apache.access + Note that changes to the file content will update `mtime`. 
This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: enrichments.event.duration - level: core - type: long - format: duration - input_format: nanoseconds - output_format: asMilliseconds - output_precision: 1 - description: 'Duration of the event in nanoseconds. + - name: enrichments.indicator.file.device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. + example: sda + default_field: false + - name: enrichments.indicator.file.directory + level: extended + type: wildcard + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: enrichments.indicator.file.drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. - If event.start and event.end are known this value should be the difference - between the end and start time.' + The value should be uppercase, and not include the colon.' + example: C + default_field: false + - name: enrichments.indicator.file.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: enrichments.indicator.file.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: enrichments.indicator.file.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel default_field: false - - name: enrichments.event.end + - name: enrichments.indicator.file.elf.creation_date level: extended type: date - description: event.end contains the date when the event ended or when the activity - was last observed. 
+ description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: enrichments.indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. default_field: false - - name: enrichments.event.hash + - name: enrichments.indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. - example: 123456789012345678901234567890ABCD + description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: enrichments.event.id - level: core + - name: enrichments.indicator.file.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: enrichments.indicator.file.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: enrichments.indicator.file.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: enrichments.indicator.file.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: enrichments.indicator.file.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: enrichments.indicator.file.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. 
+ default_field: false + - name: enrichments.indicator.file.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: enrichments.indicator.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: enrichments.indicator.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + default_field: false + - name: enrichments.indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: enrichments.indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: enrichments.indicator.file.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: enrichments.indicator.file.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: enrichments.indicator.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: enrichments.indicator.file.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. 
+ default_field: false + - name: enrichments.indicator.file.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: enrichments.indicator.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: enrichments.indicator.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + default_field: false + - name: enrichments.indicator.file.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: enrichments.indicator.file.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: enrichments.indicator.file.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: enrichments.indicator.file.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: enrichments.indicator.file.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: enrichments.indicator.file.gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. 
+ example: '1001' + default_field: false + - name: enrichments.indicator.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + default_field: false + - name: enrichments.indicator.file.inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: '256383' + default_field: false + - name: enrichments.indicator.file.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + default_field: false + - name: enrichments.indicator.file.mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + default_field: false + - name: enrichments.indicator.file.mtime + level: extended + type: date + description: Last time the file content was modified. + default_field: false + - name: enrichments.indicator.file.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + default_field: false + - name: enrichments.indicator.file.owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + default_field: false + - name: enrichments.indicator.file.path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + default_field: false + - name: enrichments.indicator.file.size + level: extended + type: long + description: 'File size in bytes. 
+ + Only relevant when `file.type` is "file".' + example: 16384 + default_field: false + - name: enrichments.indicator.file.target_path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. + default_field: false + - name: enrichments.indicator.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + default_field: false + - name: enrichments.indicator.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: enrichments.indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: enrichments.indicator.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: enrichments.indicator.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: enrichments.indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: enrichments.indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: enrichments.indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. 
+ example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: enrichments.indicator.geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: enrichments.indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: enrichments.indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: enrichments.indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: enrichments.indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: enrichments.indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: enrichments.indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: enrichments.indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: enrichments.indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. 
+ default_field: false + - name: enrichments.indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: enrichments.indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: enrichments.indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + default_field: false + - name: enrichments.indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: enrichments.indicator.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false + - name: enrichments.indicator.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: enrichments.indicator.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. 
+ example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: enrichments.indicator.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: enrichments.indicator.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + default_field: false + - name: enrichments.indicator.pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: enrichments.indicator.pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: enrichments.indicator.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false + - name: enrichments.indicator.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. 
+ example: Paint + default_field: false + - name: enrichments.indicator.pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: enrichments.indicator.pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false + - name: enrichments.indicator.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: enrichments.indicator.pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false + - name: enrichments.indicator.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: enrichments.indicator.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: enrichments.indicator.pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. 
+ example: Intel 386 or later, and compatibles + default_field: false + - name: enrichments.indicator.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: enrichments.indicator.pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false + - name: enrichments.indicator.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: enrichments.indicator.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: enrichments.indicator.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: -1 + default_field: false + - name: enrichments.indicator.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: enrichments.indicator.pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: enrichments.indicator.pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: enrichments.indicator.pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: enrichments.indicator.pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: enrichments.indicator.pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: enrichments.indicator.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: enrichments.indicator.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: enrichments.indicator.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: enrichments.indicator.pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. + example: rx + default_field: false + - name: enrichments.indicator.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: enrichments.indicator.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: enrichments.indicator.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. 
+ example: 8192 + default_field: false + - name: enrichments.indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: enrichments.indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus + default_field: false + - name: enrichments.indicator.reference + level: extended + type: keyword + ignore_above: 1024 + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + default_field: false + - name: enrichments.indicator.registry.data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: enrichments.indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' 
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: enrichments.indicator.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: enrichments.indicator.registry.hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: enrichments.indicator.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: enrichments.indicator.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: enrichments.indicator.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false + - name: enrichments.indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: enrichments.indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + default_field: false + - name: enrichments.indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + default_field: false + - name: enrichments.indicator.url.domain + level: extended + type: wildcard + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + default_field: false + - name: enrichments.indicator.url.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: enrichments.indicator.url.fragment + level: extended + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' 
+ default_field: false + - name: enrichments.indicator.url.full + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + default_field: false + - name: enrichments.indicator.url.original + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + default_field: false + - name: enrichments.indicator.url.password + level: extended + type: keyword + ignore_above: 1024 + description: Password of the request. + default_field: false + - name: enrichments.indicator.url.path + level: extended + type: wildcard + description: Path of the request, such as "/search". + default_field: false + - name: enrichments.indicator.url.port + level: extended + type: long + format: string + description: Port of the request, such as 443. + example: 443 + default_field: false + - name: enrichments.indicator.url.query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' 
+ default_field: false + - name: enrichments.indicator.url.registered_domain + level: extended + type: wildcard + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: enrichments.indicator.url.scheme + level: extended + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + default_field: false + - name: enrichments.indicator.url.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: enrichments.indicator.url.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). 
Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: enrichments.indicator.url.username + level: extended + type: keyword + ignore_above: 1024 + description: Username of the request. + default_field: false + - name: enrichments.indicator.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: enrichments.indicator.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: enrichments.indicator.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: enrichments.indicator.x509.issuer.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: enrichments.indicator.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: enrichments.indicator.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc + default_field: false + - name: enrichments.indicator.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: enrichments.indicator.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.indicator.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: enrichments.indicator.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: enrichments.indicator.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: enrichments.indicator.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: enrichments.indicator.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false + default_field: false + - name: enrichments.indicator.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. 
+ example: 2048 + default_field: false + - name: enrichments.indicator.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: enrichments.indicator.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: enrichments.indicator.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: enrichments.indicator.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: enrichments.indicator.x509.subject.distinguished_name + level: extended + type: wildcard + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: enrichments.indicator.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: enrichments.indicator.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. 
+ default_field: false + - name: enrichments.indicator.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: enrichments.indicator.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.indicator.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false + - name: enrichments.matched.atomic + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + default_field: false + - name: enrichments.matched.field + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + default_field: false + - name: enrichments.matched.id + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + default_field: false + - name: enrichments.matched.index + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the _index of the indicator document enriching the event. 
+ example: filebeat-8.0.0-2021.05.23-000011 + default_field: false + - name: enrichments.matched.type + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + default_field: false + - name: enrichments.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: enrichments.pe.authentihash + level: extended + type: keyword + ignore_above: 1024 + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + default_field: false + - name: enrichments.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: enrichments.pe.compile_timestamp + level: extended + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.pe.compiler.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the compiler + example: Clang + default_field: false + - name: enrichments.pe.compiler.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 + default_field: false + - name: enrichments.pe.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.pe.debug + level: extended + type: nested + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' 
+ default_field: false + - name: enrichments.pe.debug.offset + level: extended + type: keyword + ignore_above: 1024 + description: Debug offset information. + example: 1296336 + default_field: false + - name: enrichments.pe.debug.size + level: extended + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: enrichments.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.pe.debug.type + level: extended + type: keyword + ignore_above: 1024 + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + default_field: false + - name: enrichments.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: enrichments.pe.entry_point + level: extended + type: keyword + ignore_above: 1024 + description: Relative byte offset to the base of the PE file. + example: 25856 + default_field: false + - name: enrichments.pe.exports + level: extended + type: keyword + ignore_above: 1024 + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + default_field: false + - name: enrichments.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: enrichments.pe.icon.hash.dhash + level: extended + type: keyword + ignore_above: 1024 + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + default_field: false + - name: enrichments.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: enrichments.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: enrichments.pe.machine_type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + default_field: false + - name: enrichments.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: enrichments.pe.packers + level: extended + type: keyword + ignore_above: 1024 + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + default_field: false + - name: enrichments.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: enrichments.pe.resources + level: extended + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + default_field: false + - name: enrichments.pe.resources.chi2 + level: extended + type: long + description: Chi-square probability distribution. 
+ example: -1 + default_field: false + - name: enrichments.pe.resources.entropy + level: extended + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + default_field: false + - name: enrichments.pe.resources.filetype + level: extended + type: keyword + ignore_above: 1024 + description: File type of the resources section. + example: Data + default_field: false + - name: enrichments.pe.resources.language + level: extended + type: keyword + ignore_above: 1024 + description: Language identification. + example: CHINESE SIMPLIFIED + default_field: false + - name: enrichments.pe.resources.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + default_field: false + - name: enrichments.pe.resources.type + level: extended + type: keyword + ignore_above: 1024 + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + default_field: false + - name: enrichments.pe.rich_header.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + default_field: false + - name: enrichments.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: enrichments.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: enrichments.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: enrichments.pe.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: Section flags of the file. 
+ example: rx + default_field: false + - name: enrichments.pe.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: Section names of the file. + example: .text, .data + default_field: false + - name: enrichments.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: enrichments.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 + default_field: false + - name: enrichments.registry.data.bytes + level: extended type: keyword ignore_above: 1024 - description: Unique ID to describe the event. - example: 8a4f500d + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.event.ingested + - name: enrichments.registry.data.strings level: core - type: date - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. + type: wildcard + description: 'Content when writing string types. - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. 
For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.event.kind + - name: enrichments.registry.data.type level: core type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - highest level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the - event contains, without being specific to the contents of the event. For example, - values of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval - or not.' - example: alert + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: enrichments.event.module + - name: enrichments.registry.hive level: core type: keyword ignore_above: 1024 - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain - the name of this module.' - example: apache + description: Abbreviated name for the hive. + example: HKLM default_field: false - - name: enrichments.event.original + - name: enrichments.registry.key level: core - type: keyword - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may - be required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. 
It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and - index this field, please see `Field data types` in the `Elasticsearch Reference`.' - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - index: false - doc_values: false + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: enrichments.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: enrichments.event.outcome + - name: enrichments.registry.value level: core type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - lowest level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a - failure from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each - event may populate different values of `event.outcome`, according to their - perspective. - - Also note that in the case of a compound event (a single event that contains - multiple logical events), this field should be populated with the value that - best captures the overall success or failure from the perspective of the event - producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success + description: Name of the value written. 
+ example: Debugger default_field: false - - name: enrichments.event.provider + - name: framework level: extended type: keyword ignore_above: 1024 - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - default_field: false - - name: enrichments.event.reason + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: group.alias level: extended type: keyword ignore_above: 1024 - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` - which denied the request may also populate `event.reason` with the reason - why (e.g. `blocked site`).' - example: Terminated an unexpected process + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' default_field: false - - name: enrichments.event.reference + - name: group.id level: extended type: keyword ignore_above: 1024 - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' 
- example: https://system.example.com/event/#0001234 - default_field: false - - name: enrichments.event.risk_score - level: core - type: float - description: Risk score or priority of the event (e.g. security solutions). - Use your system's original value here. + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 default_field: false - - name: enrichments.event.risk_score_norm + - name: group.name level: extended - type: float - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' + type: keyword + ignore_above: 1024 + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 default_field: false - - name: enrichments.event.sequence + - name: group.reference level: extended - type: long - format: string - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regardless of the timestamp precision.' + type: keyword + ignore_above: 1024 + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ default_field: false - - name: enrichments.event.severity - level: core + - name: indicator.as.number + level: extended type: long - format: string - description: 'The numeric severity of the event according to your event source. 
- - What the different severity values mean can be different between sources and - use cases. It''s up to the implementer to make sure severities are consistent - across events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` - is meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 default_field: false - - name: enrichments.event.start + - name: indicator.as.organization.name level: extended - type: date - description: event.start contains the date when the event started or when the - activity was first observed. + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC default_field: false - - name: enrichments.event.timezone + - name: indicator.confidence level: extended type: keyword ignore_above: 1024 - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' 
+ description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: enrichments.event.type - level: core + - name: indicator.description + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - third level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along - with the `event.category` field values, enables filtering events down to a - level appropriate for single visualization. - - This field is an array. This will allow proper categorization of some events - that fall in multiple event types.' + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: enrichments.event.url + - name: indicator.email.address level: extended type: keyword ignore_above: 1024 - description: 'URL linking to an external system to continue investigation of - this event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com default_field: false - - name: enrichments.file.accessed + - name: indicator.file.accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' 
default_field: false - - name: enrichments.file.attributes + - name: indicator.file.attributes level: extended type: keyword ignore_above: 1024 @@ -8623,13 +10004,13 @@ execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - - name: enrichments.file.code_signature.exists + - name: indicator.file.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - - name: enrichments.file.code_signature.signing_id + - name: indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 @@ -8639,7 +10020,7 @@ The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - - name: enrichments.file.code_signature.status + - name: indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 @@ -8650,14 +10031,14 @@ was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.file.code_signature.subject_name + - name: indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - - name: enrichments.file.code_signature.team_id + - name: indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 @@ -8667,7 +10048,7 @@ is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - - name: enrichments.file.code_signature.trusted + - name: indicator.file.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. 
@@ -8676,7 +10057,7 @@ field should only be populated by tools that actively check the status.' example: 'true' default_field: false - - name: enrichments.file.code_signature.valid + - name: indicator.file.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against @@ -8685,14 +10066,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - - name: enrichments.file.created + - name: indicator.file.created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' default_field: false - - name: enrichments.file.ctime + - name: indicator.file.ctime level: extended type: date description: 'Last time the file attributes or metadata changed. @@ -8700,21 +10081,21 @@ Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: enrichments.file.device + - name: indicator.file.device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda default_field: false - - name: enrichments.file.directory + - name: indicator.file.directory level: extended type: wildcard description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice default_field: false - - name: enrichments.file.drive_letter + - name: indicator.file.drive_letter level: extended type: keyword ignore_above: 1 
@@ -8724,92 +10105,92 @@ The value should be uppercase, and not include the colon.' example: C default_field: false - - name: enrichments.file.elf.architecture + - name: indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - - name: enrichments.file.elf.byte_order + - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - - name: enrichments.file.elf.cpu_type + - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - - name: enrichments.file.elf.creation_date + - name: indicator.file.elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. default_field: false - - name: enrichments.file.elf.exports + - name: indicator.file.elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - - name: enrichments.file.elf.header.abi_version + - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: enrichments.file.elf.header.class + - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - - name: enrichments.file.elf.header.data + - name: indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. 
default_field: false - - name: enrichments.file.elf.header.entrypoint + - name: indicator.file.elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - - name: enrichments.file.elf.header.object_version + - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - - name: enrichments.file.elf.header.os_abi + - name: indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: enrichments.file.elf.header.type + - name: indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - - name: enrichments.file.elf.header.version + - name: indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - - name: enrichments.file.elf.imports + - name: indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: enrichments.file.elf.sections + - name: indicator.file.elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. 
@@ -8817,61 +10198,61 @@ The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - - name: enrichments.file.elf.sections.chi2 + - name: indicator.file.elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - - name: enrichments.file.elf.sections.entropy + - name: indicator.file.elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - - name: enrichments.file.elf.sections.flags + - name: indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - - name: enrichments.file.elf.sections.name + - name: indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - - name: enrichments.file.elf.sections.physical_offset + - name: indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - - name: enrichments.file.elf.sections.physical_size + - name: indicator.file.elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - - name: enrichments.file.elf.sections.type + - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - - name: enrichments.file.elf.sections.virtual_address + - name: indicator.file.elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. 
default_field: false - - name: enrichments.file.elf.sections.virtual_size + - name: indicator.file.elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - - name: enrichments.file.elf.segments + - name: indicator.file.elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. @@ -8879,31 +10260,31 @@ The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - - name: enrichments.file.elf.segments.sections + - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - - name: enrichments.file.elf.segments.type + - name: indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - - name: enrichments.file.elf.shared_libraries + - name: indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - - name: enrichments.file.elf.telfhash + - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - - name: enrichments.file.extension + - name: indicator.file.extension level: extended type: keyword ignore_above: 1024 
@@ -8913,28 +10294,28 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - - name: enrichments.file.gid + - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - - name: enrichments.file.group + - name: indicator.file.group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - - name: enrichments.file.inode + - name: indicator.file.inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' default_field: false - - name: enrichments.file.mime_type + - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 @@ -8943,33 +10324,33 @@ official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - - name: enrichments.file.mode + - name: indicator.file.mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. example: '0640' default_field: false - - name: enrichments.file.mtime + - name: indicator.file.mtime level: extended type: date description: Last time the file content was modified. default_field: false - - name: enrichments.file.name + - name: indicator.file.name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png default_field: false - - name: enrichments.file.owner + - name: indicator.file.owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - - name: enrichments.file.path + - name: indicator.file.path level: extended type: wildcard multi_fields: 
@@ -8980,7 +10361,7 @@ the drive letter, when appropriate. example: /home/alice/example.png default_field: false - - name: enrichments.file.size + - name: indicator.file.size level: extended type: long description: 'File size in bytes. @@ -8988,7 +10369,7 @@ Only relevant when `file.type` is "file".' example: 16384 default_field: false - - name: enrichments.file.target_path + - name: indicator.file.target_path level: extended type: wildcard multi_fields: 
@@ -8997,62 +10378,69 @@ norms: false description: Target path for symlinks. default_field: false - - name: enrichments.file.type + - name: indicator.file.type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file default_field: false - - name: enrichments.file.uid + - name: indicator.file.uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - - name: enrichments.geo.city_name + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal default_field: false - - name: enrichments.geo.continent_code + - name: indicator.geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - - name: enrichments.geo.continent_name + - name: indicator.geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America default_field: false - - name: enrichments.geo.country_iso_code + - name: indicator.geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA default_field: false - - name: enrichments.geo.country_name + - name: indicator.geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada default_field: false - - name: enrichments.geo.location + - name: indicator.geo.location level: core type: geo_point description: Longitude and latitude. 
example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - - name: enrichments.geo.name + - name: indicator.geo.name level: extended type: wildcard description: 'User-defined description of a location, at the level of granularity @@ -9064,7 +10452,7 @@ Not typically used in automated geolocation.' example: boston-dc default_field: false - - name: enrichments.geo.postal_code + - name: indicator.geo.postal_code level: core type: keyword ignore_above: 1024 
@@ -9074,206 +10462,197 @@ and will vary widely from country to country.' example: 94040 default_field: false - - name: enrichments.geo.region_iso_code + - name: indicator.geo.region_iso_code level: core type: keyword ignore_above: 1024 description: Region ISO code. example: CA-QC default_field: false - - name: enrichments.geo.region_name + - name: indicator.geo.region_name level: core type: keyword ignore_above: 1024 description: Region name. example: Quebec default_field: false - - name: enrichments.geo.timezone + - name: indicator.geo.timezone level: core type: keyword ignore_above: 1024 description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false - - name: enrichments.hash.md5 + - name: indicator.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash. default_field: false - - name: enrichments.hash.sha1 + - name: indicator.hash.sha1 level: extended type: keyword ignore_above: 1024 description: SHA1 hash. default_field: false - - name: enrichments.hash.sha256 + - name: indicator.hash.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash. default_field: false - - name: enrichments.hash.sha512 + - name: indicator.hash.sha512 level: extended type: keyword ignore_above: 1024 description: SHA512 hash. default_field: false - - name: enrichments.hash.ssdeep - level: extended - type: keyword - ignore_above: 1024 - description: SSDEEP hash. - default_field: false - - name: enrichments.matched.atomic - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - default_field: false - - name: enrichments.matched.field - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. 
- example: file.hash.sha256 - default_field: false - - name: enrichments.matched.id + - name: indicator.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + description: SSDEEP hash. default_field: false - - name: enrichments.matched.index + - name: indicator.ip level: extended - type: keyword - ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 default_field: false - - name: enrichments.matched.type + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp level: extended type: keyword ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE default_field: false - - name: enrichments.pe.architecture + - name: indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.architecture level: extended type: keyword ignore_above: 1024 description: CPU architecture target for the file. example: x64 default_field: false - - name: enrichments.pe.authentihash + - name: indicator.pe.authentihash level: extended type: keyword ignore_above: 1024 description: Authentihash of the PE file. 
example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 default_field: false - - name: enrichments.pe.company + - name: indicator.pe.company level: extended type: keyword ignore_above: 1024 description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation default_field: false - - name: enrichments.pe.compile_timestamp + - name: indicator.pe.compile_timestamp level: extended type: date description: Compile timestamp of the PE file. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.pe.compiler.name + - name: indicator.pe.compiler.name level: extended type: keyword ignore_above: 1024 description: Name of the compiler example: Clang default_field: false - - name: enrichments.pe.compiler.version + - name: indicator.pe.compiler.version level: extended type: keyword ignore_above: 1024 description: Version of the compiler. example: 11.0.0 default_field: false - - name: enrichments.pe.creation_date + - name: indicator.pe.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.pe.debug + - name: indicator.pe.debug level: extended type: nested description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - - name: enrichments.pe.debug.offset + - name: indicator.pe.debug.offset level: extended type: keyword ignore_above: 1024 description: Debug offset information. example: 1296336 default_field: false - - name: enrichments.pe.debug.size + - name: indicator.pe.debug.size level: extended type: long format: bytes description: Size of the debug information. 
example: 816 default_field: false - - name: enrichments.pe.debug.timestamp + - name: indicator.pe.debug.timestamp level: extended type: date description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' default_field: false - - name: enrichments.pe.debug.type + - name: indicator.pe.debug.type level: extended type: keyword ignore_above: 1024 description: Information type generated by the debug options. example: IMAGE_DEBUG_TYPE_POGO default_field: false - - name: enrichments.pe.description + - name: indicator.pe.description level: extended type: keyword ignore_above: 1024 description: Internal description of the file, provided at compile-time. example: Paint default_field: false - - name: enrichments.pe.entry_point + - name: indicator.pe.entry_point level: extended type: keyword ignore_above: 1024 description: Relative byte offset to the base of the PE file. example: 25856 default_field: false - - name: enrichments.pe.exports + - name: indicator.pe.exports level: extended type: keyword ignore_above: 1024 description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' default_field: false - - name: enrichments.pe.file_version + - name: indicator.pe.file_version level: extended type: keyword ignore_above: 1024 description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false - - name: enrichments.pe.icon.hash.dhash + - name: indicator.pe.icon.hash.dhash level: extended type: keyword ignore_above: 1024 @@ -9281,7 +10660,7 @@ or thumbnail. example: b806e17c8e330d82 default_field: false - - name: enrichments.pe.imphash + - name: indicator.pe.imphash level: extended type: keyword ignore_above: 1024 
@@ -9292,140 +10671,161 @@ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: enrichments.pe.imports + - name: indicator.pe.imports level: extended type: flattened description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' default_field: false - - name: enrichments.pe.machine_type + - name: indicator.pe.machine_type level: extended type: keyword ignore_above: 1024 description: Machine type of the PE file. example: Intel 386 or later, and compatibles default_field: false - - name: enrichments.pe.original_file_name + - name: indicator.pe.original_file_name level: extended type: wildcard description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false - - name: enrichments.pe.packers + - name: indicator.pe.packers level: extended type: keyword ignore_above: 1024 description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' default_field: false - - name: enrichments.pe.product + - name: indicator.pe.product level: extended type: keyword ignore_above: 1024 description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: enrichments.pe.resources + - name: indicator.pe.resources level: extended type: nested description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - - name: enrichments.pe.resources.chi2 + - name: indicator.pe.resources.chi2 level: extended type: long description: Chi-square probability distribution. 
example: -1 default_field: false - - name: enrichments.pe.resources.entropy + - name: indicator.pe.resources.entropy level: extended type: long description: Measurement of entropy randomness in the resources section. example: 0, 1 default_field: false - - name: enrichments.pe.resources.filetype + - name: indicator.pe.resources.filetype level: extended type: keyword ignore_above: 1024 description: File type of the resources section. example: Data default_field: false - - name: enrichments.pe.resources.language + - name: indicator.pe.resources.language level: extended type: keyword ignore_above: 1024 description: Language identification. example: CHINESE SIMPLIFIED default_field: false - - name: enrichments.pe.resources.sha256 + - name: indicator.pe.resources.sha256 level: extended type: keyword ignore_above: 1024 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 default_field: false - - name: enrichments.pe.resources.type + - name: indicator.pe.resources.type level: extended type: keyword ignore_above: 1024 description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' default_field: false - - name: enrichments.pe.rich_header.hash.md5 + - name: indicator.pe.rich_header.hash.md5 level: extended type: keyword ignore_above: 1024 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd default_field: false - - name: enrichments.pe.sections + - name: indicator.pe.sections level: extended type: nested description: Data about sections of compiled binary PE default_field: false - - name: enrichments.pe.sections.chi2 + - name: indicator.pe.sections.chi2 level: extended type: long description: Chi-square probability distribution. example: 3027194 default_field: false - - name: enrichments.pe.sections.entropy + - name: indicator.pe.sections.entropy level: extended type: float description: Measurement of entropy randomness in the file. 
example: 6.24 default_field: false - - name: enrichments.pe.sections.flags + - name: indicator.pe.sections.flags level: extended type: keyword ignore_above: 1024 description: Section flags of the file. example: rx default_field: false - - name: enrichments.pe.sections.name + - name: indicator.pe.sections.name level: extended type: keyword ignore_above: 1024 description: Section names of the file. example: .text, .data default_field: false - - name: enrichments.pe.sections.raw_size + - name: indicator.pe.sections.raw_size level: extended type: long format: bytes description: Size of the section or the dize of the initialized data on disk. example: 198144 default_field: false - - name: enrichments.pe.sections.virtual_address + - name: indicator.pe.sections.virtual_address level: extended type: long format: bytes description: Virtual address available to the file. example: 8192 default_field: false - - name: enrichments.registry.data.bytes + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus + default_field: false + - name: indicator.reference + level: extended + type: keyword + ignore_above: 1024 + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + default_field: false + - name: indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 @@ -9436,7 +10836,7 @@ better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.registry.data.strings + - name: indicator.registry.data.strings level: core type: wildcard description: 'Content when writing string types. 
@@ -9448,41 +10848,65 @@ be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.registry.data.type + - name: indicator.registry.data.type level: core type: keyword ignore_above: 1024 description: Standard registry type for encoding contents example: REG_SZ default_field: false - - name: enrichments.registry.hive + - name: indicator.registry.hive level: core type: keyword ignore_above: 1024 description: Abbreviated name for the hive. example: HKLM default_field: false - - name: enrichments.registry.key + - name: indicator.registry.key level: core type: wildcard description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.registry.path + - name: indicator.registry.path level: core type: wildcard description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger default_field: false - - name: enrichments.registry.value + - name: indicator.registry.value level: core type: keyword ignore_above: 1024 description: Name of the value written. example: Debugger default_field: false - - name: enrichments.url.domain + - name: indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + default_field: false + - name: indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + default_field: false + - name: indicator.url.domain level: extended type: wildcard description: 'Domain of the url, such as "www.elastic.co". @@ -9495,7 +10919,7 @@ field.' example: www.elastic.co default_field: false - - name: enrichments.url.extension + - name: indicator.url.extension level: extended type: keyword ignore_above: 1024 @@ -9511,7 +10935,7 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - - name: enrichments.url.fragment + - name: indicator.url.fragment level: extended type: keyword ignore_above: 1024 @@ -9519,7 +10943,7 @@ The `#` is not part of the fragment.' default_field: false - - name: enrichments.url.full + - name: indicator.url.full level: extended type: wildcard multi_fields: @@ -9531,7 +10955,7 @@ source. example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - - name: enrichments.url.original + - name: indicator.url.original level: extended type: wildcard multi_fields: 
@@ -9546,25 +10970,25 @@ This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: enrichments.url.password + - name: indicator.url.password level: extended type: keyword ignore_above: 1024 description: Password of the request. default_field: false - - name: enrichments.url.path + - name: indicator.url.path level: extended type: wildcard description: Path of the request, such as "/search". default_field: false - - name: enrichments.url.port + - name: indicator.url.port level: extended type: long format: string description: Port of the request, such as 443. example: 443 default_field: false - - name: enrichments.url.query + - name: indicator.url.query level: extended type: keyword ignore_above: 1024 @@ -9576,7 +11000,7 @@ with an empty string. The `exists` query can be used to differentiate between the two cases.' default_field: false - - name: enrichments.url.registered_domain + - name: indicator.url.registered_domain level: extended type: wildcard description: 'The highest registered url domain, stripped of the subdomain. @@ -9588,7 +11012,7 @@ the last two labels will not work well for TLDs such as "co.uk".' example: example.com default_field: false - - name: enrichments.url.scheme + - name: indicator.url.scheme level: extended type: keyword ignore_above: 1024 @@ -9597,7 +11021,7 @@ Note: The `:` is not part of the scheme.' example: https default_field: false - - name: enrichments.url.subdomain + - name: indicator.url.subdomain level: extended type: keyword ignore_above: 1024 @@ -9611,7 +11035,7 @@ the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - - name: enrichments.url.top_level_domain + - name: indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 
@@ -9624,13 +11048,13 @@ the last label will not work well for effective TLDs such as "co.uk".' example: co.uk default_field: false - - name: enrichments.url.username + - name: indicator.url.username level: extended type: keyword ignore_above: 1024 description: Username of the request. default_field: false - - name: enrichments.x509.alternative_names + - name: indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 
@@ -9639,75 +11063,75 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: enrichments.x509.issuer.common_name + - name: indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.x509.issuer.country + - name: indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - - name: enrichments.x509.issuer.distinguished_name + - name: indicator.x509.issuer.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.x509.issuer.locality + - name: indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: enrichments.x509.issuer.organization + - name: indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: enrichments.x509.issuer.organizational_unit + - name: indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. 
example: www.example.com default_field: false - - name: enrichments.x509.issuer.state_or_province + - name: indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.x509.not_after + - name: indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - - name: enrichments.x509.not_before + - name: indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - - name: enrichments.x509.public_key_algorithm + - name: indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - - name: enrichments.x509.public_key_curve + - name: indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 @@ -9715,7 +11139,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: enrichments.x509.public_key_exponent + - name: indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -9723,13 +11147,13 @@ index: false doc_values: false default_field: false - - name: enrichments.x509.public_key_size + - name: indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: enrichments.x509.serial_number + - name: indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 
@@ -9738,7 +11162,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: enrichments.x509.signature_algorithm + - name: indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -9746,197 +11170,60 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: enrichments.x509.subject.common_name + - name: indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: enrichments.x509.subject.country + - name: indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - - name: enrichments.x509.subject.distinguished_name + - name: indicator.x509.subject.distinguished_name level: extended type: wildcard description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: enrichments.x509.subject.locality + - name: indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: enrichments.x509.subject.organization + - name: indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: enrichments.x509.subject.organizational_unit + - name: indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: enrichments.x509.subject.state_or_province + - name: indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.x509.version_number + - name: indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: framework - level: extended - type: keyword - ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias - level: extended - type: keyword - ignore_above: 1024 - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - default_field: false - - name: group.id - level: extended - type: keyword - ignore_above: 1024 - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - default_field: false - - name: group.name - level: extended - type: keyword - ignore_above: 1024 - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - default_field: false - - name: group.reference - level: extended - type: keyword - ignore_above: 1024 - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - default_field: false - - name: indicator.confidence - level: extended - type: keyword - ignore_above: 1024 - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - default_field: false - - name: indicator.description - level: extended - type: keyword - ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - default_field: false - - name: indicator.email.address - level: extended - type: keyword - ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - default_field: false - - name: indicator.first_seen - level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.ip - level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - default_field: false - - name: indicator.last_seen - level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. 
- example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.marking.tlp - level: extended - type: keyword - ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - default_field: false - - name: indicator.modified_at - level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.port - level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - default_field: false - - name: indicator.scanner_stats - level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - default_field: false - - name: indicator.sightings - level: extended - type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 - default_field: false - - name: indicator.type - level: extended - type: keyword - ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - default_field: false - name: software.id level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 85eb235ed3..fb2a2f1d16 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1002,111 +1002,185 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.11.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. 1.11.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.11.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.11.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. -1.11.0-dev+exp,true,threat,threat.enrichments.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.11.0-dev+exp,true,threat,threat.enrichments.as.organization.name,wildcard,extended,,Google LLC,Organization name. -1.11.0-dev+exp,true,threat,threat.enrichments.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.11.0-dev+exp,true,threat,threat.enrichments.event.action,keyword,core,,user-password-change,The action captured by the event. -1.11.0-dev+exp,true,threat,threat.enrichments.event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -1.11.0-dev+exp,true,threat,threat.enrichments.event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.11.0-dev+exp,true,threat,threat.enrichments.event.code,keyword,extended,,4648,Identification code for this event. -1.11.0-dev+exp,true,threat,threat.enrichments.event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.11.0-dev+exp,true,threat,threat.enrichments.event.dataset,keyword,core,,apache.access,Name of the dataset. -1.11.0-dev+exp,true,threat,threat.enrichments.event.duration,long,core,,,Duration of the event in nanoseconds. 
-1.11.0-dev+exp,true,threat,threat.enrichments.event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. -1.11.0-dev+exp,true,threat,threat.enrichments.event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.11.0-dev+exp,true,threat,threat.enrichments.event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.11.0-dev+exp,true,threat,threat.enrichments.event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.11.0-dev+exp,true,threat,threat.enrichments.event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.11.0-dev+exp,true,threat,threat.enrichments.event.module,keyword,core,,apache,Name of the module this data is coming from. -1.11.0-dev+exp,false,threat,threat.enrichments.event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.11.0-dev+exp,true,threat,threat.enrichments.event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.11.0-dev+exp,true,threat,threat.enrichments.event.provider,keyword,extended,,kernel,Source of the event. -1.11.0-dev+exp,true,threat,threat.enrichments.event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.11.0-dev+exp,true,threat,threat.enrichments.event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.11.0-dev+exp,true,threat,threat.enrichments.event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. 
-1.11.0-dev+exp,true,threat,threat.enrichments.event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.11.0-dev+exp,true,threat,threat.enrichments.event.sequence,long,extended,,,Sequence number of the event. -1.11.0-dev+exp,true,threat,threat.enrichments.event.severity,long,core,,7,Numeric severity of the event. -1.11.0-dev+exp,true,threat,threat.enrichments.event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.11.0-dev+exp,true,threat,threat.enrichments.event.timezone,keyword,extended,,,Event time zone. -1.11.0-dev+exp,true,threat,threat.enrichments.event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -1.11.0-dev+exp,true,threat,threat.enrichments.event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.11.0-dev+exp,true,threat,threat.enrichments.file.accessed,date,extended,,,Last time the file was accessed. -1.11.0-dev+exp,true,threat,threat.enrichments.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.11.0-dev+exp,true,threat,threat.enrichments.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.11.0-dev+exp,true,threat,threat.enrichments.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.11.0-dev+exp,true,threat,threat.enrichments.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.11.0-dev+exp,true,threat,threat.enrichments.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.11.0-dev+exp,true,threat,threat.enrichments.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
-1.11.0-dev+exp,true,threat,threat.enrichments.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.11.0-dev+exp,true,threat,threat.enrichments.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -1.11.0-dev+exp,true,threat,threat.enrichments.file.created,date,extended,,,File creation time. -1.11.0-dev+exp,true,threat,threat.enrichments.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.11.0-dev+exp,true,threat,threat.enrichments.file.device,keyword,extended,,sda,Device that is the source of the file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -1.11.0-dev+exp,true,threat,threat.enrichments.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.creation_date,date,extended,,,Build or compile date. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.exports,flattened,extended,array,,List of exported element names and types. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
-1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.header.version,keyword,extended,,,Version of the ELF header. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.imports,flattened,extended,array,,List of imported element names and types. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections,nested,extended,array,,Section information of the ELF file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.name,keyword,extended,,,ELF Section List name. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.type,keyword,extended,,,ELF Section List type. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 
-1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.segments,nested,extended,array,,ELF object segment list. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.segments.type,keyword,extended,,,ELF object segment type. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -1.11.0-dev+exp,true,threat,threat.enrichments.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -1.11.0-dev+exp,true,threat,threat.enrichments.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.group,keyword,extended,,alice,Primary group name of the file. -1.11.0-dev+exp,true,threat,threat.enrichments.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.11.0-dev+exp,true,threat,threat.enrichments.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.11.0-dev+exp,true,threat,threat.enrichments.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.11.0-dev+exp,true,threat,threat.enrichments.file.mtime,date,extended,,,Last time the file content was modified. -1.11.0-dev+exp,true,threat,threat.enrichments.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.11.0-dev+exp,true,threat,threat.enrichments.file.owner,keyword,extended,,alice,File owner's username. 
-1.11.0-dev+exp,true,threat,threat.enrichments.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.11.0-dev+exp,true,threat,threat.enrichments.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.11.0-dev+exp,true,threat,threat.enrichments.file.size,long,extended,,16384,File size in bytes. -1.11.0-dev+exp,true,threat,threat.enrichments.file.target_path,wildcard,extended,,,Target path for symlinks. -1.11.0-dev+exp,true,threat,threat.enrichments.file.target_path.text,text,extended,,,Target path for symlinks. -1.11.0-dev+exp,true,threat,threat.enrichments.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.11.0-dev+exp,true,threat,threat.enrichments.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.city_name,keyword,core,,Montreal,City name. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.continent_code,keyword,core,,NA,Continent code. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.continent_name,keyword,core,,North America,Name of the continent. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.country_name,keyword,core,,Canada,Country name. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.postal_code,keyword,core,,94040,Postal code. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.11.0-dev+exp,true,threat,threat.enrichments.geo.region_name,keyword,core,,Quebec,Region name. 
-1.11.0-dev+exp,true,threat,threat.enrichments.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.11.0-dev+exp,true,threat,threat.enrichments.hash.md5,keyword,extended,,,MD5 hash. -1.11.0-dev+exp,true,threat,threat.enrichments.hash.sha1,keyword,extended,,,SHA1 hash. -1.11.0-dev+exp,true,threat,threat.enrichments.hash.sha256,keyword,extended,,,SHA256 hash. -1.11.0-dev+exp,true,threat,threat.enrichments.hash.sha512,keyword,extended,,,SHA512 hash. -1.11.0-dev+exp,true,threat,threat.enrichments.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.11.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,High,Indicator confidence rating +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path,wildcard,extended,,,Target path for symlinks. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.target_path.text,text,extended,,,Target path for symlinks. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.hash.md5,keyword,extended,,,MD5 hash. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha1,keyword,extended,,,SHA1 hash. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha256,keyword,extended,,,SHA256 hash. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.hash.sha512,keyword,extended,,,SHA512 hash. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug,nested,extended,array,,Debug information +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.size,long,extended,,816,Size of the debug information. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources,nested,extended,array,,PE resource information +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.11.0-dev+exp,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.11.0-dev+exp,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
 1.11.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value
 1.11.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field
 1.11.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier
@@ -1157,63 +1231,188 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.11.0-dev+exp,true,threat,threat.enrichments.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
 1.11.0-dev+exp,true,threat,threat.enrichments.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.11.0-dev+exp,true,threat,threat.enrichments.registry.value,keyword,core,,Debugger,Name of the value written.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
-1.11.0-dev+exp,true,threat,threat.enrichments.url.fragment,keyword,extended,,,Portion of the url after the `#`.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.password,keyword,extended,,,Password of the request.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
-1.11.0-dev+exp,true,threat,threat.enrichments.url.port,long,extended,,443,"Port of the request, such as 443."
-1.11.0-dev+exp,true,threat,threat.enrichments.url.query,keyword,extended,,,Query string of the request.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
-1.11.0-dev+exp,true,threat,threat.enrichments.url.scheme,keyword,extended,,https,Scheme of the url.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.subdomain,keyword,extended,,east,The subdomain of the domain.
-1.11.0-dev+exp,true,threat,threat.enrichments.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
-1.11.0-dev+exp,true,threat,threat.enrichments.url.username,keyword,extended,,,Username of the request.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
-1.11.0-dev+exp,false,threat,threat.enrichments.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.subject.country,keyword,extended,array,US,List of country (C) code
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
-1.11.0-dev+exp,true,threat,threat.enrichments.x509.version_number,keyword,extended,,3,Version of x509 format.
 1.11.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
 1.11.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group.
 1.11.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group.
 1.11.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group.
 1.11.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group.
+1.11.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+1.11.0-dev+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name.
+1.11.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name.
 1.11.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating
 1.11.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description
 1.11.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address
+1.11.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed.
+1.11.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes.
+1.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+1.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+1.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+1.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+1.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+1.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+1.11.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+1.11.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time.
+1.11.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed.
+1.11.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located.
+1.11.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI).
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files."
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object.
+1.11.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot."
+1.11.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file.
+1.11.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem.
+1.11.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes."
+1.11.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation.
+1.11.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified.
+1.11.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory."
+1.11.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username.
+1.11.0-dev+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.11.0-dev+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name."
+1.11.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes.
+1.11.0-dev+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks.
+1.11.0-dev+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks.
+1.11.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)."
+1.11.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner.
 1.11.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
+1.11.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+1.11.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash.
+1.11.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash.
+1.11.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash.
+1.11.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash.
+1.11.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash.
 1.11.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 1.11.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
 1.11.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking
 1.11.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+1.11.0-dev+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler
+1.11.0-dev+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information
+1.11.0-dev+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+1.11.0-dev+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE
+1.11.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions
+1.11.0-dev+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time."
+1.11.0-dev+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time."
+1.11.0-dev+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information
+1.11.0-dev+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE
+1.11.0-dev+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk.
+1.11.0-dev+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file.
 1.11.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port
+1.11.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
+1.11.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
+1.11.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding.
+1.11.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry.
+1.11.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents
+1.11.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive.
+1.11.0-dev+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys.
+1.11.0-dev+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
+1.11.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written.
 1.11.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics
 1.11.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed
 1.11.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator
+1.11.0-dev+exp,true,threat,threat.indicator.url.domain,wildcard,extended,,www.elastic.co,Domain of the url.
+1.11.0-dev+exp,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot."
+1.11.0-dev+exp,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`.
+1.11.0-dev+exp,true,threat,threat.indicator.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.11.0-dev+exp,true,threat,threat.indicator.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL.
+1.11.0-dev+exp,true,threat,threat.indicator.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.11.0-dev+exp,true,threat,threat.indicator.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source.
+1.11.0-dev+exp,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request.
+1.11.0-dev+exp,true,threat,threat.indicator.url.path,wildcard,extended,,,"Path of the request, such as ""/search""."
+1.11.0-dev+exp,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443."
+1.11.0-dev+exp,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request.
+1.11.0-dev+exp,true,threat,threat.indicator.url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain."
+1.11.0-dev+exp,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url.
+1.11.0-dev+exp,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain.
+1.11.0-dev+exp,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+1.11.0-dev+exp,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN).
+1.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes
+1.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L)
+1.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.11.0-dev+exp,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific.
+1.11.0-dev+exp,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code
+1.11.0-dev+exp,true,threat,threat.indicator.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L)
+1.11.0-dev+exp,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject.
+1.11.0-dev+exp,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)"
+1.11.0-dev+exp,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format.
 1.11.0-dev+exp,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software
 1.11.0-dev+exp,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software.
1.11.0-dev+exp,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software.
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 33b38b9a68..c5107e2436 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -2644,8 +2644,8 @@ event.module: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may be + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched,
@@ -12423,34 +12423,44 @@ tags: threat.enrichments: beta: This field is beta and subject to change. dashed_name: threat-enrichments - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and the + context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: [] - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. type: nested -threat.enrichments.as.number: - dashed_name: threat-enrichments-as-number +threat.enrichments.indicator: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator + description: Object containing associated indicators enriching the event. + flat_name: threat.enrichments.indicator + level: extended + name: enrichments.indicator + normalize: [] + short: Object containing indicators enriching the event. + type: object +threat.enrichments.indicator.as.number: + dashed_name: threat-enrichments-indicator-as-number description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - flat_name: threat.enrichments.as.number + flat_name: threat.enrichments.indicator.as.number level: extended name: number normalize: [] original_fieldset: as short: Unique number allocated to the autonomous system. type: long -threat.enrichments.as.organization.name: - dashed_name: threat-enrichments-as-organization-name +threat.enrichments.indicator.as.organization.name: + dashed_name: threat-enrichments-indicator-as-organization-name description: Organization name. 
example: Google LLC - flat_name: threat.enrichments.as.organization.name + flat_name: threat.enrichments.indicator.as.organization.name level: extended multi_fields: - - flat_name: threat.enrichments.as.organization.name.text + - flat_name: threat.enrichments.indicator.as.organization.name.text name: text norms: false type: text 
@@ -12459,836 +12469,2921 @@ threat.enrichments.as.organization.name: original_fieldset: as short: Organization name. type: wildcard -threat.enrichments.event.action: - dashed_name: threat-enrichments-event-action - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is normally - defined by the implementer.' - example: user-password-change - flat_name: threat.enrichments.event.action +threat.enrichments.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n \ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.enrichments.indicator.confidence ignore_above: 1024 - level: core - name: action + level: extended + name: enrichments.indicator.confidence normalize: [] - original_fieldset: event - short: The action captured by the event. + short: Indicator confidence rating type: keyword -threat.enrichments.event.agent_id_status: - dashed_name: threat-enrichments-event-agent-id-status - description: 'Agents are normally responsible for populating the `agent.id` field - value. If the system receiving events is capable of validating the value based - on authentication information for the client then this field can be used to reflect - the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the client - cert contains the ID of the agent to which the cert was issued then the `agent.id` - value in events can be checked against the certificate. 
If the values match then - `event.agent_id_status: verified` is added to the event, otherwise one of the - other allowed values should be used. - - If no validation is performed then the field should be omitted. +threat.enrichments.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.enrichments.indicator.description + ignore_above: 1024 + level: extended + name: enrichments.indicator.description + normalize: [] + short: Indicator description + type: keyword +threat.enrichments.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.enrichments.indicator.email.address + ignore_above: 1024 + level: extended + name: enrichments.indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.enrichments.indicator.file.accessed: + dashed_name: threat-enrichments-indicator-file-accessed + description: 'Last time the file was accessed. - The allowed values are: + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.enrichments.indicator.file.attributes: + dashed_name: threat-enrichments-indicator-file-attributes + description: 'Array of file attributes. - `verified` - The `agent.id` field value matches expected value obtained from auth - metadata. + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.enrichments.indicator.file.code_signature.exists: + dashed_name: threat-enrichments-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.enrichments.indicator.file.code_signature.signing_id: + dashed_name: threat-enrichments-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. - `mismatch` - The `agent.id` field value does not match the expected value obtained - from auth metadata. + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +threat.enrichments.indicator.file.code_signature.status: + dashed_name: threat-enrichments-indicator-file-code-signature-status + description: 'Additional information about the certificate status. - `missing` - There was no `agent.id` field in the event to validate. + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +threat.enrichments.indicator.file.code_signature.subject_name: + dashed_name: threat-enrichments-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +threat.enrichments.indicator.file.code_signature.team_id: + dashed_name: threat-enrichments-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - flat_name: threat.enrichments.event.agent_id_status + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: agent_id_status + name: team_id normalize: [] - original_fieldset: event - short: Validation status of the event's agent.id field. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -threat.enrichments.event.category: - allowed_values: - - description: Events in this category are related to the challenge and response - process in which credentials are supplied and verified to allow the creation - of a session. Common sources for these logs are Windows event logs and ssh logs. 
- Visualize and analyze events in this category to look for failed logins, and - other authentication-related activity. - expected_event_types: - - start - - end - - info - name: authentication - - description: 'Events in the configuration category have to deal with creating, - modifying, or deleting the settings or parameters of an application, process, - or system. +threat.enrichments.indicator.file.code_signature.trusted: + dashed_name: threat-enrichments-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - Example sources include security policy change logs, configuration auditing - logging, and system integrity monitoring.' - expected_event_types: - - access - - change - - creation - - deletion - - info - name: configuration - - description: The database category denotes events and metrics relating to a data - storage and retrieval system. Note that use of this category is not limited - to relational database systems. Examples include event logs from MS SQL, MySQL, - Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database - activity such as accesses and changes. - expected_event_types: - - access - - change - - info - - error - name: database - - description: 'Events in the driver category have to do with operating system device - drivers and similar software entities such as Windows drivers, kernel extensions, - kernel modules, etc. + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean +threat.enrichments.indicator.file.code_signature.valid: + dashed_name: threat-enrichments-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. - Use events and metrics in this category to visualize and analyze driver-related - activity and status on hosts.' - expected_event_types: - - change - - end - - info - - start - name: driver - - description: Relating to a set of information that has been created on, or has - existed on a filesystem. Use this category of events to visualize and analyze - the creation, access, and deletions of files. Events in this category can come - from both host-based and network-based sources. An example source of a network-based - detection of a file transfer would be the Zeek file.log. - expected_event_types: - - change - - creation - - deletion - - info - name: file - - description: 'Use this category to visualize and analyze information such as host - inventory or host lifecycle events. + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.enrichments.indicator.file.created: + dashed_name: threat-enrichments-indicator-file-created + description: 'File creation time. - Most of the events in this category can usually be observed from the outside, - such as from a hypervisor or a control plane''s point of view. Some can also - be seen from within, such as "start" or "end". + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. 
+ type: date +threat.enrichments.indicator.file.ctime: + dashed_name: threat-enrichments-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. - Note that this category is for information about hosts themselves; it is not - meant to capture activity "happening on a host".' - expected_event_types: - - access - - change - - end - - info - - start - name: host - - description: Identity and access management (IAM) events relating to users, groups, - and administration. Use this category to visualize and analyze IAM-related logs - and data from active directory, LDAP, Okta, Duo, and other IAM systems. - expected_event_types: - - admin - - change - - creation - - deletion - - group - - info - - user - name: iam - - description: Relating to intrusion detections from IDS/IPS systems and functions, - both network and host-based. Use this category to visualize and analyze intrusion - detection alerts from systems such as Snort, Suricata, and Palo Alto threat - detections. - expected_event_types: - - allowed - - denied - - info - name: intrusion_detection - - description: Malware detection events and alerts. Use this category to visualize - and analyze malware detections from EDR/EPP systems such as Elastic Endpoint - Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems - such as Suricata, or other sources of malware-related events such as Palo Alto - Networks threat logs and Wildfire logs. - expected_event_types: - - info - name: malware - - description: Relating to all network activity, including network connection lifecycle, - network traffic, and essentially any event that includes an IP address. Many - events containing decoded network protocol transactions fit into this category. - Use events in this category to visualize or analyze counts of network ports, - protocols, addresses, geolocation information, etc. 
- expected_event_types: - - access - - allowed - - connection - - denied - - end - - info - - protocol - - start - name: network - - description: Relating to software packages installed on hosts. Use this category - to visualize and analyze inventory of software installed on various hosts, or - to determine host vulnerability in the absence of vulnerability scan data. - expected_event_types: - - access - - change - - deletion - - info - - installation - - start - name: package - - description: Use this category of events to visualize and analyze process-specific - information such as lifecycle events or process ancestry. - expected_event_types: - - access - - change - - end - - info - - start - name: process - - description: Having to do with settings and assets stored in the Windows registry. - Use this category to visualize and analyze activity such as registry access - and modifications. - expected_event_types: - - access - - change - - creation - - deletion - name: registry - - description: The session category is applied to events and metrics regarding logical - persistent connections to hosts and services. Use this category to visualize - and analyze interactive or automated persistent connections between assets. - Data for this category may come from Windows Event logs, SSH logs, or stateless - sessions such as HTTP cookie-based sessions, etc. - expected_event_types: - - start - - end - - info - name: session - - description: 'Relating to web server access. Use this category to create a dashboard - of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: - events from network observers such as Zeek http log may also be included in - this category.' - expected_event_types: - - access - - error - - info - name: web - dashed_name: threat-enrichments-event-category - description: 'This is one of four ECS Categorization Fields, and indicates the second - level in the ECS category hierarchy. 
- - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process activity. - This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that - fall in multiple categories.' - example: authentication - flat_name: threat.enrichments.event.category + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.enrichments.indicator.file.device: + dashed_name: threat-enrichments-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.indicator.file.device ignore_above: 1024 - level: core - name: category - normalize: - - array - original_fieldset: event - short: Event category. The second categorization field in the hierarchy. + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. type: keyword -threat.enrichments.event.code: - dashed_name: threat-enrichments-event-code - description: 'Identification code for this event, if one exists. +threat.enrichments.indicator.file.directory: + dashed_name: threat-enrichments-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.enrichments.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. 
+ type: wildcard +threat.enrichments.indicator.file.drive_letter: + dashed_name: threat-enrichments-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is the - Windows Event ID.' - example: 4648 - flat_name: threat.enrichments.event.code + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.enrichments.indicator.file.elf.architecture: + dashed_name: threat-enrichments-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.indicator.file.elf.architecture ignore_above: 1024 level: extended - name: code + name: architecture normalize: [] - original_fieldset: event - short: Identification code for this event. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -threat.enrichments.event.created: - dashed_name: threat-enrichments-event-created - description: 'event.created contains the date/time when the event was first read - by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain the - time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, and - the time when your agent first processed it. This can be used to monitor your - agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' 
- example: '2016-05-23T08:05:34.857Z' - flat_name: threat.enrichments.event.created - level: core - name: created +threat.enrichments.indicator.file.elf.byte_order: + dashed_name: threat-enrichments-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order normalize: [] - original_fieldset: event - short: Time when the event was first read by an agent or by your pipeline. + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +threat.enrichments.indicator.file.elf.cpu_type: + dashed_name: threat-enrichments-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +threat.enrichments.indicator.file.elf.creation_date: + dashed_name: threat-enrichments-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. type: date -threat.enrichments.event.dataset: - dashed_name: threat-enrichments-event-dataset - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes from. - - It''s recommended but not required to start the dataset name with the module name, - followed by a dot, then the dataset name.' 
- example: apache.access - flat_name: threat.enrichments.event.dataset +threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.header.abi_version: + dashed_name: threat-enrichments-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.indicator.file.elf.header.abi_version ignore_above: 1024 - level: core - name: dataset + level: extended + name: header.abi_version normalize: [] - original_fieldset: event - short: Name of the dataset. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword -threat.enrichments.event.duration: - dashed_name: threat-enrichments-event-duration - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference between - the end and start time.' - flat_name: threat.enrichments.event.duration - format: duration - input_format: nanoseconds - level: core - name: duration +threat.enrichments.indicator.file.elf.header.class: + dashed_name: threat-enrichments-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class normalize: [] - original_fieldset: event - output_format: asMilliseconds - output_precision: 1 - short: Duration of the event in nanoseconds. + original_fieldset: elf + short: Header class of the ELF file. 
+ type: keyword +threat.enrichments.indicator.file.elf.header.data: + dashed_name: threat-enrichments-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.enrichments.indicator.file.elf.header.entrypoint: + dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. type: long -threat.enrichments.event.end: - dashed_name: threat-enrichments-event-end - description: event.end contains the date when the event ended or when the activity - was last observed. - flat_name: threat.enrichments.event.end +threat.enrichments.indicator.file.elf.header.object_version: + dashed_name: threat-enrichments-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.enrichments.indicator.file.elf.header.object_version + ignore_above: 1024 level: extended - name: end + name: header.object_version normalize: [] - original_fieldset: event - short: event.end contains the date when the event ended or when the activity was - last observed. - type: date -threat.enrichments.event.hash: - dashed_name: threat-enrichments-event-hash - description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. - example: 123456789012345678901234567890ABCD - flat_name: threat.enrichments.event.hash + original_fieldset: elf + short: '"0x1" for original ELF files.' 
+ type: keyword +threat.enrichments.indicator.file.elf.header.os_abi: + dashed_name: threat-enrichments-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended - name: hash + name: header.os_abi normalize: [] - original_fieldset: event - short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. type: keyword -threat.enrichments.event.id: - dashed_name: threat-enrichments-event-id - description: Unique ID to describe the event. - example: 8a4f500d - flat_name: threat.enrichments.event.id +threat.enrichments.indicator.file.elf.header.type: + dashed_name: threat-enrichments-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.type ignore_above: 1024 - level: core - name: id + level: extended + name: header.type normalize: [] - original_fieldset: event - short: Unique ID to describe the event. + original_fieldset: elf + short: Header type of the ELF file. type: keyword -threat.enrichments.event.ingested: - dashed_name: threat-enrichments-event-ingested - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' 
- example: '2016-05-23T08:05:35.101Z' - flat_name: threat.enrichments.event.ingested - level: core - name: ingested +threat.enrichments.indicator.file.elf.header.version: + dashed_name: threat-enrichments-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version normalize: [] - original_fieldset: event - short: Timestamp when an event arrived in the central data store. - type: date -threat.enrichments.event.kind: - allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. - - `event.kind:alert` is often populated for events coming from firewalls, intrusion - detection systems, endpoint detection and response systems, and so on.' - name: alert - - description: This value is the most general and most common value for this field. - It is used to represent events that indicate that something happened. - name: event - - description: 'This value is used to indicate that this event describes a numeric - measurement taken at given point in time. - - Examples include CPU utilization, memory usage, or device temperature. - - Metric events are often collected on a predictable frequency, such as once every - few seconds, or once a minute, but can also be used to describe ad-hoc numeric - metric queries.' - name: metric - - description: 'The state value is similar to metric, indicating that this event - describes a measurement taken at given point in time, except that the measurement - does not result in a numeric value, but rather one of a fixed set of categorical - values that represent conditions or states. 
- - Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), - the state of a TCP connection (open, closed, fin_wait, etc.), the state of a - host with respect to a software vulnerability (vulnerable, not vulnerable), - and the state of a system regarding compliance with a regulatory standard (compliant, - not compliant). - - Note that an event that describes a change of state would not use `event.kind:state`, - but instead would use ''event.kind:event'' since a state change fits the more - general event definition of something that happened. - - State events are often collected on a predictable frequency, such as once every - few seconds, once a minute, once an hour, or once a day, but can also be used - to describe ad-hoc state queries.' - name: state - - description: This value indicates that an error occurred during the ingestion - of this event, and that event data may be missing, inconsistent, or incorrect. - `event.kind:pipeline_error` is often associated with parsing errors. - name: pipeline_error - - description: 'This value is used by the Elastic Security app to denote an Elasticsearch - document that was created by a SIEM detection engine rule. + original_fieldset: elf + short: Version of the ELF header. + type: keyword +threat.enrichments.indicator.file.elf.imports: + dashed_name: threat-enrichments-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.sections: + dashed_name: threat-enrichments-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. - A signal will typically trigger a notification that something meaningful happened - and should be investigated. 
+ The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.enrichments.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +threat.enrichments.indicator.file.elf.sections.chi2: + dashed_name: threat-enrichments-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.enrichments.indicator.file.elf.sections.entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.enrichments.indicator.file.elf.sections.flags: + dashed_name: threat-enrichments-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +threat.enrichments.indicator.file.elf.sections.name: + dashed_name: threat-enrichments-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.enrichments.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. 
+ type: keyword +threat.enrichments.indicator.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword +threat.enrichments.indicator.file.elf.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.enrichments.indicator.file.elf.sections.type: + dashed_name: threat-enrichments-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.enrichments.indicator.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.enrichments.indicator.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.enrichments.indicator.file.elf.segments: + dashed_name: threat-enrichments-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' - name: signal - dashed_name: threat-enrichments-event-kind - description: 'This is one of four ECS Categorization Fields, and indicates the highest - level in the ECS category hierarchy. + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.enrichments.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.enrichments.indicator.file.elf.segments.sections: + dashed_name: threat-enrichments-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword +threat.enrichments.indicator.file.elf.segments.type: + dashed_name: threat-enrichments-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword +threat.enrichments.indicator.file.elf.shared_libraries: + dashed_name: threat-enrichments-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: threat.enrichments.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword +threat.enrichments.indicator.file.elf.telfhash: + dashed_name: threat-enrichments-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.enrichments.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword +threat.enrichments.indicator.file.extension: + dashed_name: threat-enrichments-indicator-file-extension + description: 'File extension, excluding the leading dot. - `event.kind` gives high-level information about what type of information the event - contains, without being specific to the contents of the event. For example, values - of this field distinguish alert events from metric events. + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword +threat.enrichments.indicator.file.gid: + dashed_name: threat-enrichments-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword +threat.enrichments.indicator.file.group: + dashed_name: threat-enrichments-indicator-file-group + description: Primary group name of the file. 
+ example: alice + flat_name: threat.enrichments.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword +threat.enrichments.indicator.file.inode: + dashed_name: threat-enrichments-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword +threat.enrichments.indicator.file.mime_type: + dashed_name: threat-enrichments-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.enrichments.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword +threat.enrichments.indicator.file.mode: + dashed_name: threat-enrichments-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.enrichments.indicator.file.mtime: + dashed_name: threat-enrichments-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. 
+ type: date +threat.enrichments.indicator.file.name: + dashed_name: threat-enrichments-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.enrichments.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword +threat.enrichments.indicator.file.owner: + dashed_name: threat-enrichments-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword +threat.enrichments.indicator.file.path: + dashed_name: threat-enrichments-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard +threat.enrichments.indicator.file.size: + dashed_name: threat-enrichments-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long +threat.enrichments.indicator.file.target_path: + dashed_name: threat-enrichments-indicator-file-target-path + description: Target path for symlinks. 
+ flat_name: threat.enrichments.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard +threat.enrichments.indicator.file.type: + dashed_name: threat-enrichments-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword +threat.enrichments.indicator.file.uid: + dashed_name: threat-enrichments-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen + level: extended + name: enrichments.indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.enrichments.indicator.geo.city_name: + dashed_name: threat-enrichments-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword +threat.enrichments.indicator.geo.continent_code: + dashed_name: threat-enrichments-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +threat.enrichments.indicator.geo.continent_name: + dashed_name: threat-enrichments-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.enrichments.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +threat.enrichments.indicator.geo.country_iso_code: + dashed_name: threat-enrichments-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +threat.enrichments.indicator.geo.country_name: + dashed_name: threat-enrichments-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.enrichments.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +threat.enrichments.indicator.geo.location: + dashed_name: threat-enrichments-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point +threat.enrichments.indicator.geo.name: + dashed_name: threat-enrichments-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +threat.enrichments.indicator.geo.postal_code: + dashed_name: threat-enrichments-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +threat.enrichments.indicator.geo.region_iso_code: + dashed_name: threat-enrichments-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +threat.enrichments.indicator.geo.region_name: + dashed_name: threat-enrichments-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +threat.enrichments.indicator.geo.timezone: + dashed_name: threat-enrichments-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. 
+ example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +threat.enrichments.indicator.hash.md5: + dashed_name: threat-enrichments-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.enrichments.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +threat.enrichments.indicator.hash.sha1: + dashed_name: threat-enrichments-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +threat.enrichments.indicator.hash.sha256: + dashed_name: threat-enrichments-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +threat.enrichments.indicator.hash.sha512: + dashed_name: threat-enrichments-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +threat.enrichments.indicator.hash.ssdeep: + dashed_name: threat-enrichments-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). 
+ example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen + level: extended + name: enrichments.indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: enrichments.indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword +threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at + level: extended + name: enrichments.indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date +threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. 
+ type: keyword +threat.enrichments.indicator.pe.authentihash: + dashed_name: threat-enrichments-indicator-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.indicator.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword +threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.compile_timestamp: + dashed_name: threat-enrichments-indicator-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +threat.enrichments.indicator.pe.compiler.name: + dashed_name: threat-enrichments-indicator-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.indicator.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +threat.enrichments.indicator.pe.compiler.version: + dashed_name: threat-enrichments-indicator-pe-compiler-version + description: Version of the compiler. 
+ example: 11.0.0 + flat_name: threat.enrichments.indicator.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +threat.enrichments.indicator.pe.creation_date: + dashed_name: threat-enrichments-indicator-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +threat.enrichments.indicator.pe.debug: + dashed_name: threat-enrichments-indicator-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.indicator.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +threat.enrichments.indicator.pe.debug.offset: + dashed_name: threat-enrichments-indicator-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.indicator.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +threat.enrichments.indicator.pe.debug.size: + dashed_name: threat-enrichments-indicator-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.indicator.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. 
+ type: long +threat.enrichments.indicator.pe.debug.timestamp: + dashed_name: threat-enrichments-indicator-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +threat.enrichments.indicator.pe.debug.type: + dashed_name: threat-enrichments-indicator-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.indicator.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword +threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.entry_point: + dashed_name: threat-enrichments-indicator-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.indicator.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. 
+ type: keyword
+threat.enrichments.indicator.pe.exports:
+ dashed_name: threat-enrichments-indicator-pe-exports
+ description: List of symbols exported by PE
+ example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]'
+ flat_name: threat.enrichments.indicator.pe.exports
+ ignore_above: 1024
+ level: extended
+ name: exports
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of symbols exported by PE
+ type: keyword
+threat.enrichments.indicator.pe.file_version:
+ dashed_name: threat-enrichments-indicator-pe-file-version
+ description: Internal version of the file, provided at compile-time.
+ example: 6.3.9600.17415
+ flat_name: threat.enrichments.indicator.pe.file_version
+ ignore_above: 1024
+ level: extended
+ name: file_version
+ normalize: []
+ original_fieldset: pe
+ short: Process name.
+ type: keyword
+threat.enrichments.indicator.pe.icon.hash.dhash:
+ dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash
+ description: Difference Hash (dhash) to find files with a visually similar icon
+ or thumbnail.
+ example: b806e17c8e330d82
+ flat_name: threat.enrichments.indicator.pe.icon.hash.dhash
+ ignore_above: 1024
+ level: extended
+ name: icon.hash.dhash
+ normalize: []
+ original_fieldset: pe
+ short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail.
+ type: keyword
+threat.enrichments.indicator.pe.imphash:
+ dashed_name: threat-enrichments-indicator-pe-imphash
+ description: 'A hash of the imports in a PE file. An imphash -- or import hash --
+ can be used to fingerprint binaries even after recompilation or other code-level
+ transformations have occurred, which would change more traditional hash values.
+
+ Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.'
+ example: 0c6803c4e922103c4dca5963aad36ddf
+ flat_name: threat.enrichments.indicator.pe.imphash
+ ignore_above: 1024
+ level: extended
+ name: imphash
+ normalize: []
+ original_fieldset: pe
+ short: A hash of the imports in a PE file.
+ type: keyword
+threat.enrichments.indicator.pe.imports:
+ dashed_name: threat-enrichments-indicator-pe-imports
+ description: List of all imported functions
+ example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA"
+ }'
+ flat_name: threat.enrichments.indicator.pe.imports
+ level: extended
+ name: imports
+ normalize: []
+ original_fieldset: pe
+ short: List of all imported functions
+ type: flattened
+threat.enrichments.indicator.pe.machine_type:
+ dashed_name: threat-enrichments-indicator-pe-machine-type
+ description: Machine type of the PE file.
+ example: Intel 386 or later, and compatibles
+ flat_name: threat.enrichments.indicator.pe.machine_type
+ ignore_above: 1024
+ level: extended
+ name: machine_type
+ normalize: []
+ original_fieldset: pe
+ short: Machine type of the PE file.
+ type: keyword
+threat.enrichments.indicator.pe.original_file_name:
+ dashed_name: threat-enrichments-indicator-pe-original-file-name
+ description: Internal name of the file, provided at compile-time.
+ example: MSPAINT.EXE
+ flat_name: threat.enrichments.indicator.pe.original_file_name
+ level: extended
+ name: original_file_name
+ normalize: []
+ original_fieldset: pe
+ short: Internal name of the file, provided at compile-time.
+ type: wildcard
+threat.enrichments.indicator.pe.packers:
+ dashed_name: threat-enrichments-indicator-pe-packers
+ description: List of packers and tools used.
+ example: '["ASPack v2.12", ".NET executable"]'
+ flat_name: threat.enrichments.indicator.pe.packers
+ ignore_above: 1024
+ level: extended
+ name: packers
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of packers and tools used.
+ type: keyword
+threat.enrichments.indicator.pe.product:
+ dashed_name: threat-enrichments-indicator-pe-product
+ description: Internal product name of the file, provided at compile-time.
+ example: "Microsoft\xAE Windows\xAE Operating System"
+ flat_name: threat.enrichments.indicator.pe.product
+ ignore_above: 1024
+ level: extended
+ name: product
+ normalize: []
+ original_fieldset: pe
+ short: Internal product name of the file, provided at compile-time.
+ type: keyword
+threat.enrichments.indicator.pe.resources:
+ dashed_name: threat-enrichments-indicator-pe-resources
+ description: 'An array containing an object for each PE resource, if present.
+
+ The expected fields for this nested object fall under the `resources.` prefix.'
+ flat_name: threat.enrichments.indicator.pe.resources
+ level: extended
+ name: resources
+ normalize:
+ - array
+ original_fieldset: pe
+ short: PE resource information
+ type: nested
+threat.enrichments.indicator.pe.resources.chi2:
+ dashed_name: threat-enrichments-indicator-pe-resources-chi2
+ description: Chi-square probability distribution.
+ example: -1
+ flat_name: threat.enrichments.indicator.pe.resources.chi2
+ level: extended
+ name: resources.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+threat.enrichments.indicator.pe.resources.entropy:
+ dashed_name: threat-enrichments-indicator-pe-resources-entropy
+ description: Measurement of entropy randomness in the resources section.
+ example: 0, 1
+ flat_name: threat.enrichments.indicator.pe.resources.entropy
+ level: extended
+ name: resources.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the resources section.
+ type: long
+threat.enrichments.indicator.pe.resources.filetype:
+ dashed_name: threat-enrichments-indicator-pe-resources-filetype
+ description: File type of the resources section.
+ example: Data
+ flat_name: threat.enrichments.indicator.pe.resources.filetype
+ ignore_above: 1024
+ level: extended
+ name: resources.filetype
+ normalize: []
+ original_fieldset: pe
+ short: File type of the resources section.
+ type: keyword
+threat.enrichments.indicator.pe.resources.language:
+ dashed_name: threat-enrichments-indicator-pe-resources-language
+ description: Language identification.
+ example: CHINESE SIMPLIFIED
+ flat_name: threat.enrichments.indicator.pe.resources.language
+ ignore_above: 1024
+ level: extended
+ name: resources.language
+ normalize: []
+ original_fieldset: pe
+ short: Language identification.
+ type: keyword
+threat.enrichments.indicator.pe.resources.sha256:
+ dashed_name: threat-enrichments-indicator-pe-resources-sha256
+ description: SHA256 hash of resources section.
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+ flat_name: threat.enrichments.indicator.pe.resources.sha256
+ ignore_above: 1024
+ level: extended
+ name: resources.sha256
+ normalize: []
+ original_fieldset: pe
+ short: SHA256 hash of resources section.
+ type: keyword
+threat.enrichments.indicator.pe.resources.type:
+ dashed_name: threat-enrichments-indicator-pe-resources-type
+ description: Digest of resource types.
+ example: '["RT_VERSION", "RT_MANIFEST"]'
+ flat_name: threat.enrichments.indicator.pe.resources.type
+ ignore_above: 1024
+ level: extended
+ name: resources.type
+ normalize:
+ - array
+ original_fieldset: pe
+ short: List of resource types.
+ type: keyword
+threat.enrichments.indicator.pe.rich_header.hash.md5:
+ dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5
+ description: MD5 hash of the header for the PE file.
+ example: 5aa1aa0f2b4be70397a1e9e2b87627cd
+ flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: rich_header.hash.md5
+ normalize: []
+ original_fieldset: pe
+ short: MD5 hash of the header for the PE file.
+ type: keyword
+threat.enrichments.indicator.pe.sections:
+ dashed_name: threat-enrichments-indicator-pe-sections
+ description: Data about sections of compiled binary PE
+ flat_name: threat.enrichments.indicator.pe.sections
+ level: extended
+ name: sections
+ normalize:
+ - array
+ original_fieldset: pe
+ short: Data about sections of the compiled binary PE
+ type: nested
+threat.enrichments.indicator.pe.sections.chi2:
+ dashed_name: threat-enrichments-indicator-pe-sections-chi2
+ description: Chi-square probability distribution.
+ example: 3027194
+ flat_name: threat.enrichments.indicator.pe.sections.chi2
+ level: extended
+ name: sections.chi2
+ normalize: []
+ original_fieldset: pe
+ short: Chi-square probability distribution.
+ type: long
+threat.enrichments.indicator.pe.sections.entropy:
+ dashed_name: threat-enrichments-indicator-pe-sections-entropy
+ description: Measurement of entropy randomness in the file.
+ example: 6.24
+ flat_name: threat.enrichments.indicator.pe.sections.entropy
+ level: extended
+ name: sections.entropy
+ normalize: []
+ original_fieldset: pe
+ short: Measurement of entropy randomness in the file.
+ type: float
+threat.enrichments.indicator.pe.sections.flags:
+ dashed_name: threat-enrichments-indicator-pe-sections-flags
+ description: Section flags of the file.
+ example: rx
+ flat_name: threat.enrichments.indicator.pe.sections.flags
+ ignore_above: 1024
+ level: extended
+ name: sections.flags
+ normalize: []
+ original_fieldset: pe
+ short: Section flags of the file.
+ type: keyword
+threat.enrichments.indicator.pe.sections.name:
+ dashed_name: threat-enrichments-indicator-pe-sections-name
+ description: Section names of the file.
+ example: .text, .data
+ flat_name: threat.enrichments.indicator.pe.sections.name
+ ignore_above: 1024
+ level: extended
+ name: sections.name
+ normalize: []
+ original_fieldset: pe
+ short: Section names of the file.
+ type: keyword
+threat.enrichments.indicator.pe.sections.raw_size:
+ dashed_name: threat-enrichments-indicator-pe-sections-raw-size
+ description: Size of the section or the dize of the initialized data on disk.
+ example: 198144
+ flat_name: threat.enrichments.indicator.pe.sections.raw_size
+ format: bytes
+ level: extended
+ name: sections.raw_size
+ normalize: []
+ original_fieldset: pe
+ short: Size of the section or the dize of the initialized data on disk.
+ type: long
+threat.enrichments.indicator.pe.sections.virtual_address:
+ dashed_name: threat-enrichments-indicator-pe-sections-virtual-address
+ description: Virtual address available to the file.
+ example: 8192
+ flat_name: threat.enrichments.indicator.pe.sections.virtual_address
+ format: bytes
+ level: extended
+ name: sections.virtual_address
+ normalize: []
+ original_fieldset: pe
+ short: Virtual address available to the file.
+ type: long
+threat.enrichments.indicator.port:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-port
+ description: Identifies a threat indicator as a port number (irrespective of direction).
+ example: 443
+ flat_name: threat.enrichments.indicator.port
+ level: extended
+ name: enrichments.indicator.port
+ normalize: []
+ short: Indicator port
+ type: long
+threat.enrichments.indicator.provider:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-provider
+ description: The name of the indicator's provider.
+ example: lrz_urlhaus
+ flat_name: threat.enrichments.indicator.provider
+ ignore_above: 1024
+ level: extended
+ name: enrichments.indicator.provider
+ normalize: []
+ short: Indicator provider
+ type: keyword
+threat.enrichments.indicator.reference:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-reference
+ description: Reference URL linking to additional information about this indicator.
+ example: https://system.example.com/indicator/0001234
+ flat_name: threat.enrichments.indicator.reference
+ ignore_above: 1024
+ level: extended
+ name: enrichments.indicator.reference
+ normalize: []
+ short: Indicator reference URL
+ type: keyword
+threat.enrichments.indicator.registry.data.bytes:
+ dashed_name: threat-enrichments-indicator-registry-data-bytes
+ description: 'Original bytes written with base64 encoding.
+
+ For Windows registry operations, such as SetValueEx and RegQueryValueEx, this
+ corresponds to the data pointed by `lp_data`. This is optional but provides better
+ recoverability and should be populated for REG_BINARY encoded values.'
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
+ flat_name: threat.enrichments.indicator.registry.data.bytes
+ ignore_above: 1024
+ level: extended
+ name: data.bytes
+ normalize: []
+ original_fieldset: registry
+ short: Original bytes written with base64 encoding.
+ type: keyword
+threat.enrichments.indicator.registry.data.strings:
+ dashed_name: threat-enrichments-indicator-registry-data-strings
+ description: 'Content when writing string types.
+
+ Populated as an array when writing string data to the registry. For single string
+ registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string.
+ For sequences of string with REG_MULTI_SZ, this array will be variable length.
+ For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with
+ the decimal representation (e.g `"1"`).'
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]'
+ flat_name: threat.enrichments.indicator.registry.data.strings
+ level: core
+ name: data.strings
+ normalize:
+ - array
+ original_fieldset: registry
+ short: List of strings representing what was written to the registry.
+ type: wildcard
+threat.enrichments.indicator.registry.data.type:
+ dashed_name: threat-enrichments-indicator-registry-data-type
+ description: Standard registry type for encoding contents
+ example: REG_SZ
+ flat_name: threat.enrichments.indicator.registry.data.type
+ ignore_above: 1024
+ level: core
+ name: data.type
+ normalize: []
+ original_fieldset: registry
+ short: Standard registry type for encoding contents
+ type: keyword
+threat.enrichments.indicator.registry.hive:
+ dashed_name: threat-enrichments-indicator-registry-hive
+ description: Abbreviated name for the hive.
+ example: HKLM
+ flat_name: threat.enrichments.indicator.registry.hive
+ ignore_above: 1024
+ level: core
+ name: hive
+ normalize: []
+ original_fieldset: registry
+ short: Abbreviated name for the hive.
+ type: keyword
+threat.enrichments.indicator.registry.key:
+ dashed_name: threat-enrichments-indicator-registry-key
+ description: Hive-relative path of keys.
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
+ flat_name: threat.enrichments.indicator.registry.key
+ level: core
+ name: key
+ normalize: []
+ original_fieldset: registry
+ short: Hive-relative path of keys.
+ type: wildcard
+threat.enrichments.indicator.registry.path:
+ dashed_name: threat-enrichments-indicator-registry-path
+ description: Full path, including hive, key and value
+ example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
+ Options\winword.exe\Debugger
+ flat_name: threat.enrichments.indicator.registry.path
+ level: core
+ name: path
+ normalize: []
+ original_fieldset: registry
+ short: Full path, including hive, key and value
+ type: wildcard
+threat.enrichments.indicator.registry.value:
+ dashed_name: threat-enrichments-indicator-registry-value
+ description: Name of the value written.
+ example: Debugger
+ flat_name: threat.enrichments.indicator.registry.value
+ ignore_above: 1024
+ level: core
+ name: value
+ normalize: []
+ original_fieldset: registry
+ short: Name of the value written.
+ type: keyword
+threat.enrichments.indicator.scanner_stats:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-scanner-stats
+ description: Count of AV/EDR vendors that successfully detected malicious file or
+ URL.
+ example: 4
+ flat_name: threat.enrichments.indicator.scanner_stats
+ level: extended
+ name: enrichments.indicator.scanner_stats
+ normalize: []
+ short: Scanner statistics
+ type: long
+threat.enrichments.indicator.sightings:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-sightings
+ description: Number of times this indicator was observed conducting threat activity.
+ example: 20
+ flat_name: threat.enrichments.indicator.sightings
+ level: extended
+ name: enrichments.indicator.sightings
+ normalize: []
+ short: Number of times indicator observed
+ type: long
+threat.enrichments.indicator.type:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-type
+ description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\
+ \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\
+ \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\
+ \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \
+ \ * windows-registry-key\n * x509-certificate"
+ example: ipv4-addr
+ flat_name: threat.enrichments.indicator.type
+ ignore_above: 1024
+ level: extended
+ name: enrichments.indicator.type
+ normalize: []
+ short: Type of indicator
+ type: keyword
+threat.enrichments.indicator.url.domain:
+ dashed_name: threat-enrichments-indicator-url-domain
+ description: 'Domain of the url, such as "www.elastic.co".
+
+ In some cases a URL may refer to an IP and/or port directly, without a domain
+ name. In this case, the IP address would go to the `domain` field.
+
+ If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732),
+ the `[` and `]` characters should also be captured in the `domain` field.'
+ example: www.elastic.co
+ flat_name: threat.enrichments.indicator.url.domain
+ level: extended
+ name: domain
+ normalize: []
+ original_fieldset: url
+ short: Domain of the url.
+ type: wildcard
+threat.enrichments.indicator.url.extension:
+ dashed_name: threat-enrichments-indicator-url-extension
+ description: 'The field contains the file extension from the original request url,
+ excluding the leading dot.
+
+ The file extension is only set if it exists, as not every url has a file extension.
+
+ The leading period must not be included. For example, the value must be "png",
+ not ".png".
+
+ Note that when the file name has multiple extensions (example.tar.gz), only the
+ last one should be captured ("gz", not "tar.gz").'
+ example: png
+ flat_name: threat.enrichments.indicator.url.extension
+ ignore_above: 1024
+ level: extended
+ name: extension
+ normalize: []
+ original_fieldset: url
+ short: File extension from the request url, excluding the leading dot.
+ type: keyword
+threat.enrichments.indicator.url.fragment:
+ dashed_name: threat-enrichments-indicator-url-fragment
+ description: 'Portion of the url after the `#`, such as "top".
+
+ The `#` is not part of the fragment.'
+ flat_name: threat.enrichments.indicator.url.fragment
+ ignore_above: 1024
+ level: extended
+ name: fragment
+ normalize: []
+ original_fieldset: url
+ short: Portion of the url after the `#`.
+ type: keyword
+threat.enrichments.indicator.url.full:
+ dashed_name: threat-enrichments-indicator-url-full
+ description: If full URLs are important to your use case, they should be stored
+ in `url.full`, whether this field is reconstructed or present in the event source.
+ example: https://www.elastic.co:443/search?q=elasticsearch#top
+ flat_name: threat.enrichments.indicator.url.full
+ level: extended
+ multi_fields:
+ - flat_name: threat.enrichments.indicator.url.full.text
+ name: text
+ norms: false
+ type: text
+ name: full
+ normalize: []
+ original_fieldset: url
+ short: Full unparsed URL.
+ type: wildcard
+threat.enrichments.indicator.url.original:
+ dashed_name: threat-enrichments-indicator-url-original
+ description: 'Unmodified original url as seen in the event source.
+
+ Note that in network monitoring, the observed URL may be a full URL, whereas in
+ access logs, the URL is often just represented as a path.
+
+ This field is meant to represent the URL as it was observed, complete or not.'
+ example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
+ flat_name: threat.enrichments.indicator.url.original
+ level: extended
+ multi_fields:
+ - flat_name: threat.enrichments.indicator.url.original.text
+ name: text
+ norms: false
+ type: text
+ name: original
+ normalize: []
+ original_fieldset: url
+ short: Unmodified original url as seen in the event source.
+ type: wildcard
+threat.enrichments.indicator.url.password:
+ dashed_name: threat-enrichments-indicator-url-password
+ description: Password of the request.
+ flat_name: threat.enrichments.indicator.url.password
+ ignore_above: 1024
+ level: extended
+ name: password
+ normalize: []
+ original_fieldset: url
+ short: Password of the request.
+ type: keyword
+threat.enrichments.indicator.url.path:
+ dashed_name: threat-enrichments-indicator-url-path
+ description: Path of the request, such as "/search".
+ flat_name: threat.enrichments.indicator.url.path
+ level: extended
+ name: path
+ normalize: []
+ original_fieldset: url
+ short: Path of the request, such as "/search".
+ type: wildcard
+threat.enrichments.indicator.url.port:
+ dashed_name: threat-enrichments-indicator-url-port
+ description: Port of the request, such as 443.
+ example: 443
+ flat_name: threat.enrichments.indicator.url.port
+ format: string
+ level: extended
+ name: port
+ normalize: []
+ original_fieldset: url
+ short: Port of the request, such as 443.
+ type: long
+threat.enrichments.indicator.url.query:
+ dashed_name: threat-enrichments-indicator-url-query
+ description: 'The query field describes the query string of the request, such as
+ "q=elasticsearch".
+
+ The `?` is excluded from the query string. If a URL contains no `?`, there is
+ no query field. If there is a `?` but no query, the query field exists with an
+ empty string. The `exists` query can be used to differentiate between the two
+ cases.'
+ flat_name: threat.enrichments.indicator.url.query
+ ignore_above: 1024
+ level: extended
+ name: query
+ normalize: []
+ original_fieldset: url
+ short: Query string of the request.
+ type: keyword
+threat.enrichments.indicator.url.registered_domain:
+ dashed_name: threat-enrichments-indicator-url-registered-domain
+ description: 'The highest registered url domain, stripped of the subdomain.
+
+ For example, the registered domain for "foo.example.com" is "example.com".
+
+ This value can be determined precisely with a list like the public suffix list
+ (http://publicsuffix.org). Trying to approximate this by simply taking the last
+ two labels will not work well for TLDs such as "co.uk".'
+ example: example.com
+ flat_name: threat.enrichments.indicator.url.registered_domain
+ level: extended
+ name: registered_domain
+ normalize: []
+ original_fieldset: url
+ short: The highest registered url domain, stripped of the subdomain.
+ type: wildcard
+threat.enrichments.indicator.url.scheme:
+ dashed_name: threat-enrichments-indicator-url-scheme
+ description: 'Scheme of the request, such as "https".
+
+ Note: The `:` is not part of the scheme.'
+ example: https
+ flat_name: threat.enrichments.indicator.url.scheme
+ ignore_above: 1024
+ level: extended
+ name: scheme
+ normalize: []
+ original_fieldset: url
+ short: Scheme of the url.
+ type: keyword
+threat.enrichments.indicator.url.subdomain:
+ dashed_name: threat-enrichments-indicator-url-subdomain
+ description: 'The subdomain portion of a fully qualified domain name includes all
+ of the names except the host name under the registered_domain. In a partially
+ qualified domain, or if the the qualification level of the full name cannot be
+ determined, subdomain contains all of the names below the registered domain.
+
+ For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the
+ domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the
+ subdomain field should contain "sub2.sub1", with no trailing period.'
+ example: east
+ flat_name: threat.enrichments.indicator.url.subdomain
+ ignore_above: 1024
+ level: extended
+ name: subdomain
+ normalize: []
+ original_fieldset: url
+ short: The subdomain of the domain.
+ type: keyword
+threat.enrichments.indicator.url.top_level_domain:
+ dashed_name: threat-enrichments-indicator-url-top-level-domain
+ description: 'The effective top level domain (eTLD), also known as the domain suffix,
+ is the last part of the domain name. For example, the top level domain for example.com
+ is "com".
+
+ This value can be determined precisely with a list like the public suffix list
+ (http://publicsuffix.org). Trying to approximate this by simply taking the last
+ label will not work well for effective TLDs such as "co.uk".'
+ example: co.uk
+ flat_name: threat.enrichments.indicator.url.top_level_domain
+ ignore_above: 1024
+ level: extended
+ name: top_level_domain
+ normalize: []
+ original_fieldset: url
+ short: The effective top level domain (com, org, net, co.uk).
+ type: keyword
+threat.enrichments.indicator.url.username:
+ dashed_name: threat-enrichments-indicator-url-username
+ description: Username of the request.
+ flat_name: threat.enrichments.indicator.url.username
+ ignore_above: 1024
+ level: extended
+ name: username
+ normalize: []
+ original_fieldset: url
+ short: Username of the request.
+ type: keyword
+threat.enrichments.indicator.x509.alternative_names:
+ dashed_name: threat-enrichments-indicator-x509-alternative-names
+ description: List of subject alternative names (SAN). Name types vary by certificate
+ authority and certificate type but commonly contain IP addresses, DNS names (and
+ wildcards), and email addresses.
+ example: '*.elastic.co'
+ flat_name: threat.enrichments.indicator.x509.alternative_names
+ ignore_above: 1024
+ level: extended
+ name: alternative_names
+ normalize:
+ - array
+ original_fieldset: x509
+ short: List of subject alternative names (SAN).
+ type: keyword
+threat.enrichments.indicator.x509.issuer.common_name:
+ dashed_name: threat-enrichments-indicator-x509-issuer-common-name
+ description: List of common name (CN) of issuing certificate authority.
+ example: Example SHA2 High Assurance Server CA
+ flat_name: threat.enrichments.indicator.x509.issuer.common_name
+ ignore_above: 1024
+ level: extended
+ name: issuer.common_name
+ normalize:
+ - array
+ original_fieldset: x509
+ short: List of common name (CN) of issuing certificate authority.
+ type: keyword
+threat.enrichments.indicator.x509.issuer.country:
+ dashed_name: threat-enrichments-indicator-x509-issuer-country
+ description: List of country (C) codes
+ example: US
+ flat_name: threat.enrichments.indicator.x509.issuer.country
+ ignore_above: 1024
+ level: extended
+ name: issuer.country
+ normalize:
+ - array
+ original_fieldset: x509
+ short: List of country (C) codes
+ type: keyword
+threat.enrichments.indicator.x509.issuer.distinguished_name:
+ dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name
+ description: Distinguished name (DN) of issuing certificate authority.
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance
+ Server CA
+ flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name
+ level: extended
+ name: issuer.distinguished_name
+ normalize: []
+ original_fieldset: x509
+ short: Distinguished name (DN) of issuing certificate authority.
+ type: wildcard
+threat.enrichments.indicator.x509.issuer.locality:
+ dashed_name: threat-enrichments-indicator-x509-issuer-locality
+ description: List of locality names (L)
+ example: Mountain View
+ flat_name: threat.enrichments.indicator.x509.issuer.locality
+ ignore_above: 1024
+ level: extended
+ name: issuer.locality
+ normalize:
+ - array
+ original_fieldset: x509
+ short: List of locality names (L)
+ type: keyword
+threat.enrichments.indicator.x509.issuer.organization:
+ dashed_name: threat-enrichments-indicator-x509-issuer-organization
+ description: List of organizations (O) of issuing certificate authority.
+ example: Example Inc
+ flat_name: threat.enrichments.indicator.x509.issuer.organization
+ ignore_above: 1024
+ level: extended
+ name: issuer.organization
+ normalize:
+ - array
+ original_fieldset: x509
+ short: List of organizations (O) of issuing certificate authority.
+ type: keyword
+threat.enrichments.indicator.x509.issuer.organizational_unit:
+ dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit
+ description: List of organizational units (OU) of issuing certificate authority.
+ example: www.example.com
+ flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit
+ ignore_above: 1024
+ level: extended
+ name: issuer.organizational_unit
+ normalize:
+ - array
+ original_fieldset: x509
+ short: List of organizational units (OU) of issuing certificate authority.
+ type: keyword
+threat.enrichments.indicator.x509.issuer.state_or_province:
+ dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province
+ description: List of state or province names (ST, S, or P)
+ example: California
+ flat_name: threat.enrichments.indicator.x509.issuer.state_or_province
+ ignore_above: 1024
+ level: extended
+ name: issuer.state_or_province
+ normalize:
+ - array
+ original_fieldset: x509
+ short: List of state or province names (ST, S, or P)
+ type: keyword
+threat.enrichments.indicator.x509.not_after:
+ dashed_name: threat-enrichments-indicator-x509-not-after
+ description: Time at which the certificate is no longer considered valid.
+ example: 2020-07-16 03:15:39+00:00
+ flat_name: threat.enrichments.indicator.x509.not_after
+ level: extended
+ name: not_after
+ normalize: []
+ original_fieldset: x509
+ short: Time at which the certificate is no longer considered valid.
+ type: date
+threat.enrichments.indicator.x509.not_before:
+ dashed_name: threat-enrichments-indicator-x509-not-before
+ description: Time at which the certificate is first considered valid.
+ example: 2019-08-16 01:40:25+00:00
+ flat_name: threat.enrichments.indicator.x509.not_before
+ level: extended
+ name: not_before
+ normalize: []
+ original_fieldset: x509
+ short: Time at which the certificate is first considered valid.
+ type: date
+threat.enrichments.indicator.x509.public_key_algorithm:
+ dashed_name: threat-enrichments-indicator-x509-public-key-algorithm
+ description: Algorithm used to generate the public key.
+ example: RSA
+ flat_name: threat.enrichments.indicator.x509.public_key_algorithm
+ ignore_above: 1024
+ level: extended
+ name: public_key_algorithm
+ normalize: []
+ original_fieldset: x509
+ short: Algorithm used to generate the public key.
+ type: keyword
+threat.enrichments.indicator.x509.public_key_curve:
+ dashed_name: threat-enrichments-indicator-x509-public-key-curve
+ description: The curve used by the elliptic curve public key algorithm. This is
+ algorithm specific.
+ example: nistp521
+ flat_name: threat.enrichments.indicator.x509.public_key_curve
+ ignore_above: 1024
+ level: extended
+ name: public_key_curve
+ normalize: []
+ original_fieldset: x509
+ short: The curve used by the elliptic curve public key algorithm. This is algorithm
+ specific.
+ type: keyword
+threat.enrichments.indicator.x509.public_key_exponent:
+ dashed_name: threat-enrichments-indicator-x509-public-key-exponent
+ description: Exponent used to derive the public key. This is algorithm specific.
+ doc_values: false
+ example: 65537
+ flat_name: threat.enrichments.indicator.x509.public_key_exponent
+ index: false
+ level: extended
+ name: public_key_exponent
+ normalize: []
+ original_fieldset: x509
+ short: Exponent used to derive the public key. This is algorithm specific.
+ type: long
+threat.enrichments.indicator.x509.public_key_size:
+ dashed_name: threat-enrichments-indicator-x509-public-key-size
+ description: The size of the public key space in bits.
+ example: 2048
+ flat_name: threat.enrichments.indicator.x509.public_key_size
+ level: extended
+ name: public_key_size
+ normalize: []
+ original_fieldset: x509
+ short: The size of the public key space in bits.
+ type: long
+threat.enrichments.indicator.x509.serial_number:
+ dashed_name: threat-enrichments-indicator-x509-serial-number
+ description: Unique serial number issued by the certificate authority. For consistency,
+ if this value is alphanumeric, it should be formatted without colons and uppercase
+ characters.
+ example: 55FBB9C7DEBF09809D12CCAA
+ flat_name: threat.enrichments.indicator.x509.serial_number
+ ignore_above: 1024
+ level: extended
+ name: serial_number
+ normalize: []
+ original_fieldset: x509
+ short: Unique serial number issued by the certificate authority.
+ type: keyword
+threat.enrichments.indicator.x509.signature_algorithm:
+ dashed_name: threat-enrichments-indicator-x509-signature-algorithm
+ description: Identifier for certificate signature algorithm. We recommend using
+ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
+ example: SHA256-RSA
+ flat_name: threat.enrichments.indicator.x509.signature_algorithm
+ ignore_above: 1024
+ level: extended
+ name: signature_algorithm
+ normalize: []
+ original_fieldset: x509
+ short: Identifier for certificate signature algorithm.
+ type: keyword
+threat.enrichments.indicator.x509.subject.common_name:
+ dashed_name: threat-enrichments-indicator-x509-subject-common-name
+ description: List of common names (CN) of subject.
+ example: shared.global.example.net
+ flat_name: threat.enrichments.indicator.x509.subject.common_name
+ ignore_above: 1024
+ level: extended
+ name: subject.common_name
+ normalize:
+ - array
+ original_fieldset: x509
+ short: List of common names (CN) of subject.
+ type: keyword +threat.enrichments.indicator.x509.subject.country: + dashed_name: threat-enrichments-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.indicator.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +threat.enrichments.indicator.x509.subject.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: wildcard +threat.enrichments.indicator.x509.subject.locality: + dashed_name: threat-enrichments-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.indicator.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.indicator.x509.subject.organization: + dashed_name: threat-enrichments-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.indicator.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. 
+ type: keyword +threat.enrichments.indicator.x509.subject.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.indicator.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +threat.enrichments.indicator.x509.subject.state_or_province: + dashed_name: threat-enrichments-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.indicator.x509.version_number: + dashed_name: threat-enrichments-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.indicator.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword +threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic + normalize: [] + short: Matched indicator value + type: keyword +threat.enrichments.matched.field: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 + level: extended + name: enrichments.matched.field + normalize: [] + short: Matched indicator field + type: keyword +threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 + level: extended + name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier + type: keyword +threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 + level: extended + name: enrichments.matched.index + normalize: [] + short: Matched indicator index + type: keyword +threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 + level: extended + name: enrichments.matched.type + normalize: [] + short: Type of indicator match + type: keyword +threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: threat.enrichments.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword +threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword +threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. 
+ example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword +threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date +threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword +threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long +threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date +threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword +threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword +threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword +threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + type: keyword +threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. 
+ example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword +threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword +threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' 
+ flat_name: threat.enrichments.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword +threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword +threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword +threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword +threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long +threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. 
+ example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float +threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword +threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. + type: keyword +threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long +threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. 
- The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, it - may also help understand whether the data coming in at a regular interval or not.' - example: alert - flat_name: threat.enrichments.event.kind + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes ignore_above: 1024 - level: core - name: kind + level: extended + name: data.bytes normalize: [] - original_fieldset: event - short: The kind of the event. The highest categorization field in the hierarchy. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword -threat.enrichments.event.module: - dashed_name: threat-enrichments-event-module - description: 'Name of the module this data is coming from. +threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain the - name of this module.' - example: apache - flat_name: threat.enrichments.event.module + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' 
+ example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard +threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type ignore_above: 1024 level: core - name: module + name: data.type normalize: [] - original_fieldset: event - short: Name of the module this data is coming from. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword -threat.enrichments.event.original: - dashed_name: threat-enrichments-event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may be - required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and index - this field, please see `Field data types` in the `Elasticsearch Reference`.' - doc_values: false - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - flat_name: threat.enrichments.event.original - index: false +threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.registry.hive + ignore_above: 1024 level: core - name: original + name: hive normalize: [] - original_fieldset: event - short: Raw text message of entire event. + original_fieldset: registry + short: Abbreviated name for the hive. 
type: keyword -threat.enrichments.event.outcome: - allowed_values: - - description: Indicates that this event describes a failed result. A common example - is `event.category:file AND event.type:access AND event.outcome:failure` to - indicate that a file access was attempted, but was not successful. - name: failure - - description: Indicates that this event describes a successful result. A common - example is `event.category:file AND event.type:create AND event.outcome:success` - to indicate that a file was successfully created. - name: success - - description: Indicates that this event describes only an attempt for which the - result is unknown from the perspective of the event producer. For example, if - the event contains information only about the request side of a transaction - that results in a response, populating `event.outcome:unknown` in the request - event is appropriate. The unknown value should not be used when an outcome doesn't - make logical sense for the event. In such cases `event.outcome` should not be - populated. - name: unknown - dashed_name: threat-enrichments-event-outcome - description: 'This is one of four ECS Categorization Fields, and indicates the lowest - level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a failure - from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each event - may populate different values of `event.outcome`, according to their perspective. - - Also note that in the case of a compound event (a single event that contains multiple - logical events), this field should be populated with the value that best captures - the overall success or failure from the perspective of the event producer. - - Further note that not all events will have an associated outcome. 
For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success - flat_name: threat.enrichments.event.outcome +threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard +threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.registry.value ignore_above: 1024 level: core - name: outcome + name: value normalize: [] - original_fieldset: event - short: The outcome of the event. The lowest level categorization field in the hierarchy. + original_fieldset: registry + short: Name of the value written. type: keyword -threat.enrichments.event.provider: - dashed_name: threat-enrichments-event-provider - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention the - source of an event. It can be the name of the software that generated the event - (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' 
- example: kernel - flat_name: threat.enrichments.event.provider +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework ignore_above: 1024 level: extended - name: provider + name: framework normalize: [] - original_fieldset: event - short: Source of the event. + short: Threat classification framework. type: keyword -threat.enrichments.event.reason: - dashed_name: threat-enrichments-event-reason - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` which - denied the request may also populate `event.reason` with the reason why (e.g. - `blocked site`).' - example: Terminated an unexpected process - flat_name: threat.enrichments.event.reason +threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: reason - normalize: [] - original_fieldset: event - short: Reason why this event happened, according to the source + name: group.alias + normalize: + - array + short: Alias of the group. 
type: keyword -threat.enrichments.event.reference: - dashed_name: threat-enrichments-event-reference - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated by - `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - flat_name: threat.enrichments.event.reference +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id ignore_above: 1024 level: extended - name: reference + name: group.id normalize: [] - original_fieldset: event - short: Event reference URL + short: ID of the group. type: keyword -threat.enrichments.event.risk_score: - dashed_name: threat-enrichments-event-risk-score - description: Risk score or priority of the event (e.g. security solutions). Use - your system's original value here. - flat_name: threat.enrichments.event.risk_score - level: core - name: risk_score +threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name normalize: [] - original_fieldset: event - short: Risk score or priority of the event (e.g. security solutions). Use your system's - original value here. 
- type: float -threat.enrichments.event.risk_score_norm: - dashed_name: threat-enrichments-event-risk-score-norm - description: 'Normalized risk score or priority of the event, on a scale of 0 to - 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - flat_name: threat.enrichments.event.risk_score_norm + short: Name of the group. + type: keyword +threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 level: extended - name: risk_score_norm + name: group.reference normalize: [] - original_fieldset: event - short: Normalized risk score or priority of the event (0-100). - type: float -threat.enrichments.event.sequence: - dashed_name: threat-enrichments-event-sequence - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the exact - ordering of events unambiguous, regardless of the timestamp precision.' - flat_name: threat.enrichments.event.sequence - format: string + short: Reference URL of the group. + type: keyword +threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number level: extended - name: sequence - normalize: [] - original_fieldset: event - short: Sequence number of the event. 
- type: long -threat.enrichments.event.severity: - dashed_name: threat-enrichments-event-severity - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and use - cases. It''s up to the implementer to make sure severities are consistent across - events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is - meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 - flat_name: threat.enrichments.event.severity - format: string - level: core - name: severity + name: number normalize: [] - original_fieldset: event - short: Numeric severity of the event. + original_fieldset: as + short: Unique number allocated to the autonomous system. type: long -threat.enrichments.event.start: - dashed_name: threat-enrichments-event-start - description: event.start contains the date when the event started or when the activity - was first observed. - flat_name: threat.enrichments.event.start +threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name level: extended - name: start + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: event - short: event.start contains the date when the event started or when the activity - was first observed. - type: date -threat.enrichments.event.timezone: - dashed_name: threat-enrichments-event-timezone - description: 'This field should be populated when the event''s timestamp does not - include timezone information already (e.g. default Syslog timestamps). 
It''s optional - otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated - (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - flat_name: threat.enrichments.event.timezone + original_fieldset: as + short: Organization name. + type: wildcard +threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: timezone + name: indicator.confidence normalize: [] - original_fieldset: event - short: Event time zone. + short: Indicator confidence rating type: keyword -threat.enrichments.event.type: - allowed_values: - - description: The access event type is used for the subset of events within a category - that indicate that something was accessed. Common examples include `event.category:database - AND event.type:access`, or `event.category:file AND event.type:access`. Note - for file access, both directory listings and file opens should be included in - this subcategory. You can further distinguish access operations using the ECS - `event.action` field. - name: access - - description: 'The admin event type is used for the subset of events within a category - that are related to admin objects. For example, administrative changes within - an IAM framework that do not specifically affect a user or group (e.g., adding - new applications to a federation solution or connecting discrete forests in - Active Directory) would fall into this subcategory. Common example: `event.category:iam - AND event.type:change AND event.type:admin`. 
You can further distinguish admin - operations using the ECS `event.action` field.' - name: admin - - description: The allowed event type is used for the subset of events within a - category that indicate that something was allowed. Common examples include `event.category:network - AND event.type:connection AND event.type:allowed` (to indicate a network firewall - event for which the firewall disposition was to allow the connection to complete) - and `event.category:intrusion_detection AND event.type:allowed` (to indicate - a network intrusion prevention system event for which the IPS disposition was - to allow the connection to complete). You can further distinguish allowed operations - using the ECS `event.action` field, populating with values of your choosing, - such as "allow", "detect", or "pass". - name: allowed - - description: The change event type is used for the subset of events within a category - that indicate that something has changed. If semantics best describe an event - as modified, then include them in this subcategory. Common examples include - `event.category:process AND event.type:change`, and `event.category:file AND - event.type:change`. You can further distinguish change operations using the - ECS `event.action` field. - name: change - - description: Used primarily with `event.category:network` this value is used for - the subset of network traffic that includes sufficient information for the event - to be included in flow or connection analysis. Events in this subcategory will - contain at least source and destination IP addresses, source and destination - TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. - Events in this subcategory may contain unidirectional or bidirectional information, - including summary information. Use this subcategory to visualize and analyze - network connections. Flow analysis, including Netflow, IPFIX, and other flow-related - events fit in this subcategory. 
Note that firewall events from many Next-Generation - Firewall (NGFW) devices will also fit into this subcategory. A common filter - for flow/connection information would be `event.category:network AND event.type:connection - AND event.type:end` (to view or analyze all completed network connections, ignoring - mid-flow reports). You can further distinguish connection events using the ECS - `event.action` field, populating with values of your choosing, such as "timeout", - or "reset". - name: connection - - description: The "creation" event type is used for the subset of events within - a category that indicate that something was created. A common example is `event.category:file - AND event.type:creation`. - name: creation - - description: The deletion event type is used for the subset of events within a - category that indicate that something was deleted. A common example is `event.category:file - AND event.type:deletion` to indicate that a file has been deleted. - name: deletion - - description: The denied event type is used for the subset of events within a category - that indicate that something was denied. Common examples include `event.category:network - AND event.type:denied` (to indicate a network firewall event for which the firewall - disposition was to deny the connection) and `event.category:intrusion_detection - AND event.type:denied` (to indicate a network intrusion prevention system event - for which the IPS disposition was to deny the connection to complete). You can - further distinguish denied operations using the ECS `event.action` field, populating - with values of your choosing, such as "blocked", "dropped", or "quarantined". - name: denied - - description: The end event type is used for the subset of events within a category - that indicate something has ended. A common example is `event.category:process - AND event.type:end`. 
- name: end - - description: The error event type is used for the subset of events within a category - that indicate or describe an error. A common example is `event.category:database - AND event.type:error`. Note that pipeline errors that occur during the event - ingestion process should not use this `event.type` value. Instead, they should - use `event.kind:pipeline_error`. - name: error - - description: 'The group event type is used for the subset of events within a category - that are related to group objects. Common example: `event.category:iam AND event.type:creation - AND event.type:group`. You can further distinguish group operations using the - ECS `event.action` field.' - name: group - - description: The info event type is used for the subset of events within a category - that indicate that they are purely informational, and don't report a state change, - or any type of action. For example, an initial run of a file integrity monitoring - system (FIM), where an agent reports all files under management, would fall - into the "info" subcategory. Similarly, an event containing a dump of all currently - running processes (as opposed to reporting that a process started/ended) would - fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection - AND event.type:info`. - name: info - - description: The installation event type is used for the subset of events within - a category that indicate that something was installed. A common example is `event.category:package` - AND `event.type:installation`. - name: installation - - description: The protocol event type is used for the subset of events within a - category that indicate that they contain protocol details or analysis, beyond - simply identifying the protocol. Generally, network events that contain specific - protocol details will fall into this subcategory. 
A common example is `event.category:network - AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate - that the event is a network connection event sent at the end of a connection - that also includes a protocol detail breakdown). Note that events that only - indicate the name or id of the protocol should not use the protocol value. Further - note that when the protocol subcategory is used, the identified protocol is - populated in the ECS `network.protocol` field. - name: protocol - - description: The start event type is used for the subset of events within a category - that indicate something has started. A common example is `event.category:process - AND event.type:start`. - name: start - - description: 'The user event type is used for the subset of events within a category - that are related to user objects. Common example: `event.category:iam AND event.type:deletion - AND event.type:user`. You can further distinguish user operations using the - ECS `event.action` field.' - name: user - dashed_name: threat-enrichments-event-type - description: 'This is one of four ECS Categorization Fields, and indicates the third - level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along with - the `event.category` field values, enables filtering events down to a level appropriate - for single visualization. - - This field is an array. This will allow proper categorization of some events that - fall in multiple event types.' - flat_name: threat.enrichments.event.type +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: event - short: Event type. 
The third categorization field in the hierarchy. + level: extended + name: indicator.description + normalize: [] + short: Indicator description type: keyword -threat.enrichments.event.url: - dashed_name: threat-enrichments-event-url - description: 'URL linking to an external system to continue investigation of this - event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - flat_name: threat.enrichments.event.url +threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: url + name: indicator.email.address normalize: [] - original_fieldset: event - short: Event investigation URL + short: Indicator email address type: keyword -threat.enrichments.file.accessed: - dashed_name: threat-enrichments-file-accessed +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' - flat_name: threat.enrichments.file.accessed + flat_name: threat.indicator.file.accessed level: extended name: accessed normalize: [] original_fieldset: file short: Last time the file was accessed. type: date -threat.enrichments.file.attributes: - dashed_name: threat-enrichments-file-attributes +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes description: 'Array of file attributes. Attributes names will vary by platform. 
Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' - flat_name: threat.enrichments.file.attributes + flat_name: threat.indicator.file.attributes ignore_above: 1024 level: extended name: attributes @@ -13297,25 +15392,25 @@ threat.enrichments.file.attributes: original_fieldset: file short: Array of file attributes. type: keyword -threat.enrichments.file.code_signature.exists: - dashed_name: threat-enrichments-file-code-signature-exists +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: threat.enrichments.file.code_signature.exists + flat_name: threat.indicator.file.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean -threat.enrichments.file.code_signature.signing_id: - dashed_name: threat-enrichments-file-code-signature-signing-id +threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: threat.enrichments.file.code_signature.signing_id + flat_name: threat.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id 
@@ -13323,15 +15418,15 @@ threat.enrichments.file.code_signature.signing_id: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword -threat.enrichments.file.code_signature.status: - dashed_name: threat-enrichments-file-code-signature-status +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: threat.enrichments.file.code_signature.status + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 level: extended name: status @@ -13339,11 +15434,11 @@ threat.enrichments.file.code_signature.status: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword -threat.enrichments.file.code_signature.subject_name: - dashed_name: threat-enrichments-file-code-signature-subject-name +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: threat.enrichments.file.code_signature.subject_name + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 level: core name: subject_name 
@@ -13351,14 +15446,14 @@ threat.enrichments.file.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword -threat.enrichments.file.code_signature.team_id: - dashed_name: threat-enrichments-file-code-signature-team-id +threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: threat.enrichments.file.code_signature.team_id + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 level: extended name: team_id 
@@ -13366,28 +15461,28 @@ threat.enrichments.file.code_signature.team_id: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword -threat.enrichments.file.code_signature.trusted: - dashed_name: threat-enrichments-file-code-signature-trusted +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: threat.enrichments.file.code_signature.trusted + flat_name: threat.indicator.file.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean -threat.enrichments.file.code_signature.valid: - dashed_name: threat-enrichments-file-code-signature-valid +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: threat.enrichments.file.code_signature.valid + flat_name: threat.indicator.file.code_signature.valid level: extended name: valid normalize: [] 
@@ -13395,36 +15490,36 @@ threat.enrichments.file.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean -threat.enrichments.file.created: - dashed_name: threat-enrichments-file-created +threat.indicator.file.created: + dashed_name: threat-indicator-file-created description: 'File creation time. Note that not all filesystems store the creation time.' - flat_name: threat.enrichments.file.created + flat_name: threat.indicator.file.created level: extended name: created normalize: [] original_fieldset: file short: File creation time. type: date -threat.enrichments.file.ctime: - dashed_name: threat-enrichments-file-ctime +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.enrichments.file.ctime + flat_name: threat.indicator.file.ctime level: extended name: ctime normalize: [] original_fieldset: file short: Last time the file attributes or metadata changed. type: date -threat.enrichments.file.device: - dashed_name: threat-enrichments-file-device +threat.indicator.file.device: + dashed_name: threat-indicator-file-device description: Device that is the source of the file. example: sda - flat_name: threat.enrichments.file.device + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended name: device 
@@ -13432,26 +15527,26 @@ threat.enrichments.file.device: original_fieldset: file short: Device that is the source of the file. type: keyword -threat.enrichments.file.directory: - dashed_name: threat-enrichments-file-directory +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice - flat_name: threat.enrichments.file.directory + flat_name: threat.indicator.file.directory level: extended name: directory normalize: [] original_fieldset: file short: Directory where the file is located. type: wildcard -threat.enrichments.file.drive_letter: - dashed_name: threat-enrichments-file-drive-letter +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C - flat_name: threat.enrichments.file.drive_letter + flat_name: threat.indicator.file.drive_letter ignore_above: 1 level: extended name: drive_letter @@ -13459,11 +15554,11 @@ threat.enrichments.file.drive_letter: original_fieldset: file short: Drive letter where the file is located. type: keyword -threat.enrichments.file.elf.architecture: - dashed_name: threat-enrichments-file-elf-architecture +threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: threat.enrichments.file.elf.architecture + flat_name: threat.indicator.file.elf.architecture ignore_above: 1024 level: extended name: architecture 
@@ -13471,11 +15566,11 @@ threat.enrichments.file.elf.architecture: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword -threat.enrichments.file.elf.byte_order: - dashed_name: threat-enrichments-file-elf-byte-order +threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: threat.enrichments.file.elf.byte_order + flat_name: threat.indicator.file.elf.byte_order ignore_above: 1024 level: extended name: byte_order @@ -13483,11 +15578,11 @@ threat.enrichments.file.elf.byte_order: original_fieldset: elf short: Byte sequence of ELF file. type: keyword -threat.enrichments.file.elf.cpu_type: - dashed_name: threat-enrichments-file-elf-cpu-type +threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: threat.enrichments.file.elf.cpu_type + flat_name: threat.indicator.file.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type 
@@ -13495,21 +15590,21 @@ threat.enrichments.file.elf.cpu_type: original_fieldset: elf short: CPU type of the ELF file. type: keyword -threat.enrichments.file.elf.creation_date: - dashed_name: threat-enrichments-file-elf-creation-date +threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: threat.enrichments.file.elf.creation_date + flat_name: threat.indicator.file.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date -threat.enrichments.file.elf.exports: - dashed_name: threat-enrichments-file-elf-exports +threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports description: List of exported element names and types. - flat_name: threat.enrichments.file.elf.exports + flat_name: threat.indicator.file.elf.exports level: extended name: exports normalize: @@ -13517,10 +15612,10 @@ threat.enrichments.file.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened -threat.enrichments.file.elf.header.abi_version: - dashed_name: threat-enrichments-file-elf-header-abi-version +threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.enrichments.file.elf.header.abi_version + flat_name: threat.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version 
@@ -13528,10 +15623,10 @@ threat.enrichments.file.elf.header.abi_version: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword -threat.enrichments.file.elf.header.class: - dashed_name: threat-enrichments-file-elf-header-class +threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class description: Header class of the ELF file. - flat_name: threat.enrichments.file.elf.header.class + flat_name: threat.indicator.file.elf.header.class ignore_above: 1024 level: extended name: header.class @@ -13539,10 +15634,10 @@ threat.enrichments.file.elf.header.class: original_fieldset: elf short: Header class of the ELF file. type: keyword -threat.enrichments.file.elf.header.data: - dashed_name: threat-enrichments-file-elf-header-data +threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data description: Data table of the ELF header. - flat_name: threat.enrichments.file.elf.header.data + flat_name: threat.indicator.file.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -13550,10 +15645,10 @@ threat.enrichments.file.elf.header.data: original_fieldset: elf short: Data table of the ELF header. type: keyword -threat.enrichments.file.elf.header.entrypoint: - dashed_name: threat-enrichments-file-elf-header-entrypoint +threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: threat.enrichments.file.elf.header.entrypoint + flat_name: threat.indicator.file.elf.header.entrypoint format: string level: extended name: header.entrypoint 
@@ -13561,10 +15656,10 @@ threat.enrichments.file.elf.header.entrypoint: original_fieldset: elf short: Header entrypoint of the ELF file. type: long -threat.enrichments.file.elf.header.object_version: - dashed_name: threat-enrichments-file-elf-header-object-version +threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: threat.enrichments.file.elf.header.object_version + flat_name: threat.indicator.file.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version @@ -13572,10 +15667,10 @@ threat.enrichments.file.elf.header.object_version: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword -threat.enrichments.file.elf.header.os_abi: - dashed_name: threat-enrichments-file-elf-header-os-abi +threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.enrichments.file.elf.header.os_abi + flat_name: threat.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -13583,10 +15678,10 @@ threat.enrichments.file.elf.header.os_abi: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword -threat.enrichments.file.elf.header.type: - dashed_name: threat-enrichments-file-elf-header-type +threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type description: Header type of the ELF file. - flat_name: threat.enrichments.file.elf.header.type + flat_name: threat.indicator.file.elf.header.type ignore_above: 1024 level: extended name: header.type 
@@ -13594,10 +15689,10 @@ threat.enrichments.file.elf.header.type: original_fieldset: elf short: Header type of the ELF file. type: keyword -threat.enrichments.file.elf.header.version: - dashed_name: threat-enrichments-file-elf-header-version +threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version description: Version of the ELF header. - flat_name: threat.enrichments.file.elf.header.version + flat_name: threat.indicator.file.elf.header.version ignore_above: 1024 level: extended name: header.version @@ -13605,10 +15700,10 @@ threat.enrichments.file.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword -threat.enrichments.file.elf.imports: - dashed_name: threat-enrichments-file-elf-imports +threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports description: List of imported element names and types. - flat_name: threat.enrichments.file.elf.imports + flat_name: threat.indicator.file.elf.imports level: extended name: imports normalize: @@ -13616,13 +15711,13 @@ threat.enrichments.file.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened -threat.enrichments.file.elf.sections: - dashed_name: threat-enrichments-file-elf-sections +threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: threat.enrichments.file.elf.sections + flat_name: threat.indicator.file.elf.sections level: extended name: sections normalize: 
@@ -13630,10 +15725,10 @@ threat.enrichments.file.elf.sections: original_fieldset: elf short: Section information of the ELF file. type: nested -threat.enrichments.file.elf.sections.chi2: - dashed_name: threat-enrichments-file-elf-sections-chi2 +threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: threat.enrichments.file.elf.sections.chi2 + flat_name: threat.indicator.file.elf.sections.chi2 format: number level: extended name: sections.chi2 @@ -13641,10 +15736,10 @@ threat.enrichments.file.elf.sections.chi2: original_fieldset: elf short: Chi-square probability distribution of the section. type: long -threat.enrichments.file.elf.sections.entropy: - dashed_name: threat-enrichments-file-elf-sections-entropy +threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: threat.enrichments.file.elf.sections.entropy + flat_name: threat.indicator.file.elf.sections.entropy format: number level: extended name: sections.entropy @@ -13652,10 +15747,10 @@ threat.enrichments.file.elf.sections.entropy: original_fieldset: elf short: Shannon entropy calculation from the section. type: long -threat.enrichments.file.elf.sections.flags: - dashed_name: threat-enrichments-file-elf-sections-flags +threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags description: ELF Section List flags. - flat_name: threat.enrichments.file.elf.sections.flags + flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -13663,10 +15758,10 @@ threat.enrichments.file.elf.sections.flags: original_fieldset: elf short: ELF Section List flags. type: keyword -threat.enrichments.file.elf.sections.name: - dashed_name: threat-enrichments-file-elf-sections-name +threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name description: ELF Section List name. - flat_name: threat.enrichments.file.elf.sections.name + flat_name: threat.indicator.file.elf.sections.name ignore_above: 1024 level: extended name: sections.name @@ -13674,10 +15769,10 @@ threat.enrichments.file.elf.sections.name: original_fieldset: elf short: ELF Section List name. type: keyword -threat.enrichments.file.elf.sections.physical_offset: - dashed_name: threat-enrichments-file-elf-sections-physical-offset +threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset description: ELF Section List offset. - flat_name: threat.enrichments.file.elf.sections.physical_offset + flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -13685,10 +15780,10 @@ threat.enrichments.file.elf.sections.physical_offset: original_fieldset: elf short: ELF Section List offset. type: keyword -threat.enrichments.file.elf.sections.physical_size: - dashed_name: threat-enrichments-file-elf-sections-physical-size +threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size description: ELF Section List physical size. - flat_name: threat.enrichments.file.elf.sections.physical_size + flat_name: threat.indicator.file.elf.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -13696,10 +15791,10 @@ threat.enrichments.file.elf.sections.physical_size: original_fieldset: elf short: ELF Section List physical size. type: long -threat.enrichments.file.elf.sections.type: - dashed_name: threat-enrichments-file-elf-sections-type +threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type description: ELF Section List type. - flat_name: threat.enrichments.file.elf.sections.type + flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended name: sections.type @@ -13707,10 +15802,10 @@ threat.enrichments.file.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword -threat.enrichments.file.elf.sections.virtual_address: - dashed_name: threat-enrichments-file-elf-sections-virtual-address +threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: threat.enrichments.file.elf.sections.virtual_address + flat_name: threat.indicator.file.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -13718,10 +15813,10 @@ threat.enrichments.file.elf.sections.virtual_address: original_fieldset: elf short: ELF Section List virtual address. type: long -threat.enrichments.file.elf.sections.virtual_size: - dashed_name: threat-enrichments-file-elf-sections-virtual-size +threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: threat.enrichments.file.elf.sections.virtual_size + flat_name: threat.indicator.file.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -13729,13 +15824,13 @@ threat.enrichments.file.elf.sections.virtual_size: original_fieldset: elf short: ELF Section List virtual size. type: long -threat.enrichments.file.elf.segments: - dashed_name: threat-enrichments-file-elf-segments +threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: threat.enrichments.file.elf.segments + flat_name: threat.indicator.file.elf.segments level: extended name: segments normalize: @@ -13743,10 +15838,10 @@ threat.enrichments.file.elf.segments: original_fieldset: elf short: ELF object segment list. type: nested -threat.enrichments.file.elf.segments.sections: - dashed_name: threat-enrichments-file-elf-segments-sections +threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections description: ELF object segment sections. - flat_name: threat.enrichments.file.elf.segments.sections + flat_name: threat.indicator.file.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -13754,10 +15849,10 @@ threat.enrichments.file.elf.segments.sections: original_fieldset: elf short: ELF object segment sections. type: keyword -threat.enrichments.file.elf.segments.type: - dashed_name: threat-enrichments-file-elf-segments-type +threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type description: ELF object segment type. - flat_name: threat.enrichments.file.elf.segments.type + flat_name: threat.indicator.file.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -13765,10 +15860,10 @@ threat.enrichments.file.elf.segments.type: original_fieldset: elf short: ELF object segment type. type: keyword -threat.enrichments.file.elf.shared_libraries: - dashed_name: threat-enrichments-file-elf-shared-libraries +threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: threat.enrichments.file.elf.shared_libraries + flat_name: threat.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -13777,10 +15872,10 @@ threat.enrichments.file.elf.shared_libraries: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword -threat.enrichments.file.elf.telfhash: - dashed_name: threat-enrichments-file-elf-telfhash +threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: threat.enrichments.file.elf.telfhash + flat_name: threat.indicator.file.elf.telfhash ignore_above: 1024 level: extended name: telfhash @@ -13788,14 +15883,14 @@ threat.enrichments.file.elf.telfhash: original_fieldset: elf short: telfhash hash for ELF file. type: keyword -threat.enrichments.file.extension: - dashed_name: threat-enrichments-file-extension +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.file.extension + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended name: extension 
@@ -13803,11 +15898,11 @@ threat.enrichments.file.extension: original_fieldset: file short: File extension, excluding the leading dot. type: keyword -threat.enrichments.file.gid: - dashed_name: threat-enrichments-file-gid +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid description: Primary group ID (GID) of the file. example: '1001' - flat_name: threat.enrichments.file.gid + flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended name: gid @@ -13815,11 +15910,11 @@ threat.enrichments.file.gid: original_fieldset: file short: Primary group ID (GID) of the file. type: keyword -threat.enrichments.file.group: - dashed_name: threat-enrichments-file-group +threat.indicator.file.group: + dashed_name: threat-indicator-file-group description: Primary group name of the file. example: alice - flat_name: threat.enrichments.file.group + flat_name: threat.indicator.file.group ignore_above: 1024 level: extended name: group @@ -13827,11 +15922,11 @@ threat.enrichments.file.group: original_fieldset: file short: Primary group name of the file. type: keyword -threat.enrichments.file.inode: - dashed_name: threat-enrichments-file-inode +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode description: Inode representing the file in the filesystem. example: '256383' - flat_name: threat.enrichments.file.inode + flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended name: inode 
@@ -13839,13 +15934,13 @@ threat.enrichments.file.inode: original_fieldset: file short: Inode representing the file in the filesystem. type: keyword -threat.enrichments.file.mime_type: - dashed_name: threat-enrichments-file-mime-type +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - flat_name: threat.enrichments.file.mime_type + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended name: mime_type @@ -13853,11 +15948,11 @@ threat.enrichments.file.mime_type: original_fieldset: file short: Media type of file, document, or arrangement of bytes. type: keyword -threat.enrichments.file.mode: - dashed_name: threat-enrichments-file-mode +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode description: Mode of the file in octal representation. example: '0640' - flat_name: threat.enrichments.file.mode + flat_name: threat.indicator.file.mode ignore_above: 1024 level: extended name: mode 
@@ -13865,21 +15960,21 @@ threat.enrichments.file.mode: original_fieldset: file short: Mode of the file in octal representation. type: keyword -threat.enrichments.file.mtime: - dashed_name: threat-enrichments-file-mtime +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime description: Last time the file content was modified. - flat_name: threat.enrichments.file.mtime + flat_name: threat.indicator.file.mtime level: extended name: mtime normalize: [] original_fieldset: file short: Last time the file content was modified. type: date -threat.enrichments.file.name: - dashed_name: threat-enrichments-file-name +threat.indicator.file.name: + dashed_name: threat-indicator-file-name description: Name of the file including the extension, without the directory. example: example.png - flat_name: threat.enrichments.file.name + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended name: name @@ -13887,11 +15982,11 @@ threat.enrichments.file.name: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword -threat.enrichments.file.owner: - dashed_name: threat-enrichments-file-owner +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner description: File owner's username. example: alice - flat_name: threat.enrichments.file.owner + flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended name: owner 
@@ -13899,15 +15994,15 @@ threat.enrichments.file.owner: original_fieldset: file short: File owner's username. type: keyword -threat.enrichments.file.path: - dashed_name: threat-enrichments-file-path +threat.indicator.file.path: + dashed_name: threat-indicator-file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png - flat_name: threat.enrichments.file.path + flat_name: threat.indicator.file.path level: extended multi_fields: - - flat_name: threat.enrichments.file.path.text + - flat_name: threat.indicator.file.path.text name: text norms: false type: text @@ -13916,26 +16011,26 @@ threat.enrichments.file.path: original_fieldset: file short: Full path to the file, including the file name. type: wildcard -threat.enrichments.file.size: - dashed_name: threat-enrichments-file-size +threat.indicator.file.size: + dashed_name: threat-indicator-file-size description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 - flat_name: threat.enrichments.file.size + flat_name: threat.indicator.file.size level: extended name: size normalize: [] original_fieldset: file short: File size in bytes. type: long -threat.enrichments.file.target_path: - dashed_name: threat-enrichments-file-target-path +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path description: Target path for symlinks. - flat_name: threat.enrichments.file.target_path + flat_name: threat.indicator.file.target_path level: extended multi_fields: - - flat_name: threat.enrichments.file.target_path.text + - flat_name: threat.indicator.file.target_path.text name: text norms: false type: text 
@@ -13944,11 +16039,11 @@ threat.enrichments.file.target_path: original_fieldset: file short: Target path for symlinks. type: wildcard -threat.enrichments.file.type: - dashed_name: threat-enrichments-file-type +threat.indicator.file.type: + dashed_name: threat-indicator-file-type description: File type (file, dir, or symlink). example: file - flat_name: threat.enrichments.file.type + flat_name: threat.indicator.file.type ignore_above: 1024 level: extended name: type @@ -13956,11 +16051,11 @@ threat.enrichments.file.type: original_fieldset: file short: File type (file, dir, or symlink). type: keyword -threat.enrichments.file.uid: - dashed_name: threat-enrichments-file-uid +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' - flat_name: threat.enrichments.file.uid + flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended name: uid @@ -13968,11 +16063,23 @@ threat.enrichments.file.uid: original_fieldset: file short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword -threat.enrichments.geo.city_name: - dashed_name: threat-enrichments-geo-city-name +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name description: City name. example: Montreal - flat_name: threat.enrichments.geo.city_name + flat_name: threat.indicator.geo.city_name ignore_above: 1024 level: core name: city_name 
@@ -13980,11 +16087,11 @@ threat.enrichments.geo.city_name: original_fieldset: geo short: City name. type: keyword -threat.enrichments.geo.continent_code: - dashed_name: threat-enrichments-geo-continent-code +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code description: Two-letter code representing continent's name. example: NA - flat_name: threat.enrichments.geo.continent_code + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 level: core name: continent_code @@ -13992,11 +16099,11 @@ threat.enrichments.geo.continent_code: original_fieldset: geo short: Continent code. type: keyword -threat.enrichments.geo.continent_name: - dashed_name: threat-enrichments-geo-continent-name +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name description: Name of the continent. example: North America - flat_name: threat.enrichments.geo.continent_name + flat_name: threat.indicator.geo.continent_name ignore_above: 1024 level: core name: continent_name @@ -14004,11 +16111,11 @@ threat.enrichments.geo.continent_name: original_fieldset: geo short: Name of the continent. type: keyword -threat.enrichments.geo.country_iso_code: - dashed_name: threat-enrichments-geo-country-iso-code +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code description: Country ISO code. example: CA - flat_name: threat.enrichments.geo.country_iso_code + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code 
@@ -14016,11 +16123,11 @@ threat.enrichments.geo.country_iso_code: original_fieldset: geo short: Country ISO code. type: keyword -threat.enrichments.geo.country_name: - dashed_name: threat-enrichments-geo-country-name +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name description: Country name. example: Canada - flat_name: threat.enrichments.geo.country_name + flat_name: threat.indicator.geo.country_name ignore_above: 1024 level: core name: country_name @@ -14028,19 +16135,19 @@ threat.enrichments.geo.country_name: original_fieldset: geo short: Country name. type: keyword -threat.enrichments.geo.location: - dashed_name: threat-enrichments-geo-location +threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.enrichments.geo.location + flat_name: threat.indicator.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point -threat.enrichments.geo.name: - dashed_name: threat-enrichments-geo-name +threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -14049,21 +16156,21 @@ threat.enrichments.geo.name: Not typically used in automated geolocation.' example: boston-dc - flat_name: threat.enrichments.geo.name + flat_name: threat.indicator.geo.name level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. type: wildcard -threat.enrichments.geo.postal_code: - dashed_name: threat-enrichments-geo-postal-code +threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 - flat_name: threat.enrichments.geo.postal_code + flat_name: threat.indicator.geo.postal_code ignore_above: 1024 level: core name: postal_code @@ -14071,11 +16178,11 @@ threat.enrichments.geo.postal_code: original_fieldset: geo short: Postal code. type: keyword -threat.enrichments.geo.region_iso_code: - dashed_name: threat-enrichments-geo-region-iso-code +threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code description: Region ISO code. example: CA-QC - flat_name: threat.enrichments.geo.region_iso_code + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code @@ -14083,11 +16190,11 @@ threat.enrichments.geo.region_iso_code: original_fieldset: geo short: Region ISO code. type: keyword -threat.enrichments.geo.region_name: - dashed_name: threat-enrichments-geo-region-name +threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name description: Region name. example: Quebec - flat_name: threat.enrichments.geo.region_name + flat_name: threat.indicator.geo.region_name ignore_above: 1024 level: core name: region_name 
@@ -14095,11 +16202,11 @@ threat.enrichments.geo.region_name: original_fieldset: geo short: Region name. type: keyword -threat.enrichments.geo.timezone: - dashed_name: threat-enrichments-geo-timezone +threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires - flat_name: threat.enrichments.geo.timezone + flat_name: threat.indicator.geo.timezone ignore_above: 1024 level: core name: timezone @@ -14107,10 +16214,10 @@ threat.enrichments.geo.timezone: original_fieldset: geo short: Time zone. type: keyword -threat.enrichments.hash.md5: - dashed_name: threat-enrichments-hash-md5 +threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 description: MD5 hash. - flat_name: threat.enrichments.hash.md5 + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -14118,10 +16225,10 @@ threat.enrichments.hash.md5: original_fieldset: hash short: MD5 hash. type: keyword -threat.enrichments.hash.sha1: - dashed_name: threat-enrichments-hash-sha1 +threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 description: SHA1 hash. - flat_name: threat.enrichments.hash.sha1 + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -14129,10 +16236,10 @@ threat.enrichments.hash.sha1: original_fieldset: hash short: SHA1 hash. type: keyword -threat.enrichments.hash.sha256: - dashed_name: threat-enrichments-hash-sha256 +threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 description: SHA256 hash. - flat_name: threat.enrichments.hash.sha256 + flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended name: sha256 
@@ -14140,96 +16247,81 @@ threat.enrichments.hash.sha256: original_fieldset: hash short: SHA256 hash. type: keyword -threat.enrichments.hash.sha512: - dashed_name: threat-enrichments-hash-sha512 +threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 description: SHA512 hash. - flat_name: threat.enrichments.hash.sha512 + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended name: sha512 normalize: [] original_fieldset: hash - short: SHA512 hash. - type: keyword -threat.enrichments.hash.ssdeep: - dashed_name: threat-enrichments-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.enrichments.hash.ssdeep - ignore_above: 1024 - level: extended - name: ssdeep - normalize: [] - original_fieldset: hash - short: SSDEEP hash. - type: keyword -threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic + short: SHA512 hash. + type: keyword +threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep ignore_above: 1024 level: extended - name: enrichments.matched.atomic + name: ssdeep normalize: [] - short: Matched indicator value + original_fieldset: hash + short: SSDEEP hash. type: keyword -threat.enrichments.matched.field: +threat.indicator.ip: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field - ignore_above: 1024 + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). 
+ example: 1.2.3.4 + flat_name: threat.indicator.ip level: extended - name: enrichments.matched.field + name: indicator.ip normalize: [] - short: Matched indicator field - type: keyword -threat.enrichments.matched.id: + short: Indicator IP address + type: ip +threat.indicator.last_seen: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id - ignore_above: 1024 + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen level: extended - name: enrichments.matched.id + name: indicator.last_seen normalize: [] - short: Matched indicator identifier - type: keyword -threat.enrichments.matched.index: + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended - name: enrichments.matched.index + name: indicator.marking.tlp normalize: [] - short: Matched indicator index + short: Indicator TLP marking type: keyword -threat.enrichments.matched.type: +threat.indicator.modified_at: beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched with - the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type - ignore_above: 1024 + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: enrichments.matched.type + name: indicator.modified_at normalize: [] - short: Type of indicator match - type: keyword -threat.enrichments.pe.architecture: - dashed_name: threat-enrichments-pe-architecture + short: Date/time indicator was last updated. + type: date +threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: threat.enrichments.pe.architecture + flat_name: threat.indicator.pe.architecture ignore_above: 1024 level: extended name: architecture @@ -14237,11 +16329,11 @@ threat.enrichments.pe.architecture: original_fieldset: pe short: CPU architecture target for the file. type: keyword -threat.enrichments.pe.authentihash: - dashed_name: threat-enrichments-pe-authentihash +threat.indicator.pe.authentihash: + dashed_name: threat-indicator-pe-authentihash description: Authentihash of the PE file. example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.pe.authentihash + flat_name: threat.indicator.pe.authentihash ignore_above: 1024 level: extended name: authentihash 
@@ -14249,11 +16341,11 @@ threat.enrichments.pe.authentihash: original_fieldset: pe short: Authentihash of the PE file. type: keyword -threat.enrichments.pe.company: - dashed_name: threat-enrichments-pe-company +threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: threat.enrichments.pe.company + flat_name: threat.indicator.pe.company ignore_above: 1024 level: extended name: company @@ -14261,22 +16353,22 @@ threat.enrichments.pe.company: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword -threat.enrichments.pe.compile_timestamp: - dashed_name: threat-enrichments-pe-compile-timestamp +threat.indicator.pe.compile_timestamp: + dashed_name: threat-indicator-pe-compile-timestamp description: Compile timestamp of the PE file. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.compile_timestamp + flat_name: threat.indicator.pe.compile_timestamp level: extended name: compile_timestamp normalize: [] original_fieldset: pe short: Compile timestamp of the PE file. type: date -threat.enrichments.pe.compiler.name: - dashed_name: threat-enrichments-pe-compiler-name +threat.indicator.pe.compiler.name: + dashed_name: threat-indicator-pe-compiler-name description: Name of the compiler example: Clang - flat_name: threat.enrichments.pe.compiler.name + flat_name: threat.indicator.pe.compiler.name ignore_above: 1024 level: extended name: compiler.name 
@@ -14284,11 +16376,11 @@ threat.enrichments.pe.compiler.name: original_fieldset: pe short: Name of the compiler type: keyword -threat.enrichments.pe.compiler.version: - dashed_name: threat-enrichments-pe-compiler-version +threat.indicator.pe.compiler.version: + dashed_name: threat-indicator-pe-compiler-version description: Version of the compiler. example: 11.0.0 - flat_name: threat.enrichments.pe.compiler.version + flat_name: threat.indicator.pe.compiler.version ignore_above: 1024 level: extended name: compiler.version @@ -14296,24 +16388,24 @@ threat.enrichments.pe.compiler.version: original_fieldset: pe short: Version of the compiler. type: keyword -threat.enrichments.pe.creation_date: - dashed_name: threat-enrichments-pe-creation-date +threat.indicator.pe.creation_date: + dashed_name: threat-indicator-pe-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.creation_date + flat_name: threat.indicator.pe.creation_date level: extended name: creation_date normalize: [] original_fieldset: pe short: Build or compile date. type: date -threat.enrichments.pe.debug: - dashed_name: threat-enrichments-pe-debug +threat.indicator.pe.debug: + dashed_name: threat-indicator-pe-debug description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.enrichments.pe.debug + flat_name: threat.indicator.pe.debug level: extended name: debug normalize: 
@@ -14321,11 +16413,11 @@ threat.enrichments.pe.debug: original_fieldset: pe short: Debug information type: nested -threat.enrichments.pe.debug.offset: - dashed_name: threat-enrichments-pe-debug-offset +threat.indicator.pe.debug.offset: + dashed_name: threat-indicator-pe-debug-offset description: Debug offset information. example: 1296336 - flat_name: threat.enrichments.pe.debug.offset + flat_name: threat.indicator.pe.debug.offset ignore_above: 1024 level: extended name: debug.offset @@ -14333,11 +16425,11 @@ threat.enrichments.pe.debug.offset: original_fieldset: pe short: Debug offset information. type: keyword -threat.enrichments.pe.debug.size: - dashed_name: threat-enrichments-pe-debug-size +threat.indicator.pe.debug.size: + dashed_name: threat-indicator-pe-debug-size description: Size of the debug information. example: 816 - flat_name: threat.enrichments.pe.debug.size + flat_name: threat.indicator.pe.debug.size format: bytes level: extended name: debug.size @@ -14345,22 +16437,22 @@ threat.enrichments.pe.debug.size: original_fieldset: pe short: Size of the debug information. type: long -threat.enrichments.pe.debug.timestamp: - dashed_name: threat-enrichments-pe-debug-timestamp +threat.indicator.pe.debug.timestamp: + dashed_name: threat-indicator-pe-debug-timestamp description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.debug.timestamp + flat_name: threat.indicator.pe.debug.timestamp level: extended name: debug.timestamp normalize: [] original_fieldset: pe short: Timestamp of the debug information. type: date -threat.enrichments.pe.debug.type: - dashed_name: threat-enrichments-pe-debug-type +threat.indicator.pe.debug.type: + dashed_name: threat-indicator-pe-debug-type description: Information type generated by the debug options. example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.pe.debug.type + flat_name: threat.indicator.pe.debug.type ignore_above: 1024 level: extended name: debug.type 
@@ -14368,11 +16460,11 @@ threat.enrichments.pe.debug.type: original_fieldset: pe short: Information type generated by the debug options. type: keyword -threat.enrichments.pe.description: - dashed_name: threat-enrichments-pe-description +threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: threat.enrichments.pe.description + flat_name: threat.indicator.pe.description ignore_above: 1024 level: extended name: description @@ -14380,11 +16472,11 @@ threat.enrichments.pe.description: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword -threat.enrichments.pe.entry_point: - dashed_name: threat-enrichments-pe-entry-point +threat.indicator.pe.entry_point: + dashed_name: threat-indicator-pe-entry-point description: Relative byte offset to the base of the PE file. example: 25856 - flat_name: threat.enrichments.pe.entry_point + flat_name: threat.indicator.pe.entry_point ignore_above: 1024 level: extended name: entry_point @@ -14392,11 +16484,11 @@ threat.enrichments.pe.entry_point: original_fieldset: pe short: Relative byte offset to the base of the PE file. type: keyword -threat.enrichments.pe.exports: - dashed_name: threat-enrichments-pe-exports +threat.indicator.pe.exports: + dashed_name: threat-indicator-pe-exports description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.pe.exports + flat_name: threat.indicator.pe.exports ignore_above: 1024 level: extended name: exports 
@@ -14405,11 +16497,11 @@ threat.enrichments.pe.exports: original_fieldset: pe short: List of symbols exported by PE type: keyword -threat.enrichments.pe.file_version: - dashed_name: threat-enrichments-pe-file-version +threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: threat.enrichments.pe.file_version + flat_name: threat.indicator.pe.file_version ignore_above: 1024 level: extended name: file_version @@ -14417,12 +16509,12 @@ threat.enrichments.pe.file_version: original_fieldset: pe short: Process name. type: keyword -threat.enrichments.pe.icon.hash.dhash: - dashed_name: threat-enrichments-pe-icon-hash-dhash +threat.indicator.pe.icon.hash.dhash: + dashed_name: threat-indicator-pe-icon-hash-dhash description: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. example: b806e17c8e330d82 - flat_name: threat.enrichments.pe.icon.hash.dhash + flat_name: threat.indicator.pe.icon.hash.dhash ignore_above: 1024 level: extended name: icon.hash.dhash @@ -14430,15 +16522,15 @@ threat.enrichments.pe.icon.hash.dhash: original_fieldset: pe short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword -threat.enrichments.pe.imphash: - dashed_name: threat-enrichments-pe-imphash +threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.pe.imphash + flat_name: threat.indicator.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -14446,23 +16538,23 @@ threat.enrichments.pe.imphash: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword -threat.enrichments.pe.imports: - dashed_name: threat-enrichments-pe-imports +threat.indicator.pe.imports: + dashed_name: threat-indicator-pe-imports description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' - flat_name: threat.enrichments.pe.imports + flat_name: threat.indicator.pe.imports level: extended name: imports normalize: [] original_fieldset: pe short: List of all imported functions type: flattened -threat.enrichments.pe.machine_type: - dashed_name: threat-enrichments-pe-machine-type +threat.indicator.pe.machine_type: + dashed_name: threat-indicator-pe-machine-type description: Machine type of the PE file. example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.pe.machine_type + flat_name: threat.indicator.pe.machine_type ignore_above: 1024 level: extended name: machine_type 
@@ -14470,22 +16562,22 @@ threat.enrichments.pe.machine_type: original_fieldset: pe short: Machine type of the PE file. type: keyword -threat.enrichments.pe.original_file_name: - dashed_name: threat-enrichments-pe-original-file-name +threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: threat.enrichments.pe.original_file_name + flat_name: threat.indicator.pe.original_file_name level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard -threat.enrichments.pe.packers: - dashed_name: threat-enrichments-pe-packers +threat.indicator.pe.packers: + dashed_name: threat-indicator-pe-packers description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.pe.packers + flat_name: threat.indicator.pe.packers ignore_above: 1024 level: extended name: packers @@ -14494,11 +16586,11 @@ threat.enrichments.pe.packers: original_fieldset: pe short: List of packers and tools used. type: keyword -threat.enrichments.pe.product: - dashed_name: threat-enrichments-pe-product +threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.pe.product + flat_name: threat.indicator.pe.product ignore_above: 1024 level: extended name: product 
@@ -14506,12 +16598,12 @@ threat.enrichments.pe.product: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword -threat.enrichments.pe.resources: - dashed_name: threat-enrichments-pe-resources +threat.indicator.pe.resources: + dashed_name: threat-indicator-pe-resources description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.pe.resources + flat_name: threat.indicator.pe.resources level: extended name: resources normalize: 
@@ -14519,33 +16611,33 @@ threat.enrichments.pe.resources: original_fieldset: pe short: PE resource information type: nested -threat.enrichments.pe.resources.chi2: - dashed_name: threat-enrichments-pe-resources-chi2 +threat.indicator.pe.resources.chi2: + dashed_name: threat-indicator-pe-resources-chi2 description: Chi-square probability distribution. example: -1 - flat_name: threat.enrichments.pe.resources.chi2 + flat_name: threat.indicator.pe.resources.chi2 level: extended name: resources.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long -threat.enrichments.pe.resources.entropy: - dashed_name: threat-enrichments-pe-resources-entropy +threat.indicator.pe.resources.entropy: + dashed_name: threat-indicator-pe-resources-entropy description: Measurement of entropy randomness in the resources section. example: 0, 1 - flat_name: threat.enrichments.pe.resources.entropy + flat_name: threat.indicator.pe.resources.entropy level: extended name: resources.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the resources section. type: long -threat.enrichments.pe.resources.filetype: - dashed_name: threat-enrichments-pe-resources-filetype +threat.indicator.pe.resources.filetype: + dashed_name: threat-indicator-pe-resources-filetype description: File type of the resources section. example: Data - flat_name: threat.enrichments.pe.resources.filetype + flat_name: threat.indicator.pe.resources.filetype ignore_above: 1024 level: extended name: resources.filetype 
@@ -14553,11 +16645,11 @@ threat.enrichments.pe.resources.filetype: original_fieldset: pe short: File type of the resources section. type: keyword -threat.enrichments.pe.resources.language: - dashed_name: threat-enrichments-pe-resources-language +threat.indicator.pe.resources.language: + dashed_name: threat-indicator-pe-resources-language description: Language identification. example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.pe.resources.language + flat_name: threat.indicator.pe.resources.language ignore_above: 1024 level: extended name: resources.language @@ -14565,11 +16657,11 @@ threat.enrichments.pe.resources.language: original_fieldset: pe short: Language identification. type: keyword -threat.enrichments.pe.resources.sha256: - dashed_name: threat-enrichments-pe-resources-sha256 +threat.indicator.pe.resources.sha256: + dashed_name: threat-indicator-pe-resources-sha256 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.pe.resources.sha256 + flat_name: threat.indicator.pe.resources.sha256 ignore_above: 1024 level: extended name: resources.sha256 @@ -14577,11 +16669,11 @@ threat.enrichments.pe.resources.sha256: original_fieldset: pe short: SHA256 hash of resources section. type: keyword -threat.enrichments.pe.resources.type: - dashed_name: threat-enrichments-pe-resources-type +threat.indicator.pe.resources.type: + dashed_name: threat-indicator-pe-resources-type description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.pe.resources.type + flat_name: threat.indicator.pe.resources.type ignore_above: 1024 level: extended name: resources.type 
@@ -14590,11 +16682,11 @@ threat.enrichments.pe.resources.type: original_fieldset: pe short: List of resource types. type: keyword -threat.enrichments.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-pe-rich-header-hash-md5 +threat.indicator.pe.rich_header.hash.md5: + dashed_name: threat-indicator-pe-rich-header-hash-md5 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.pe.rich_header.hash.md5 + flat_name: threat.indicator.pe.rich_header.hash.md5 ignore_above: 1024 level: extended name: rich_header.hash.md5 @@ -14602,10 +16694,10 @@ threat.enrichments.pe.rich_header.hash.md5: original_fieldset: pe short: MD5 hash of the header for the PE file. type: keyword -threat.enrichments.pe.sections: - dashed_name: threat-enrichments-pe-sections +threat.indicator.pe.sections: + dashed_name: threat-indicator-pe-sections description: Data about sections of compiled binary PE - flat_name: threat.enrichments.pe.sections + flat_name: threat.indicator.pe.sections level: extended name: sections normalize: 
@@ -14613,33 +16705,33 @@ threat.enrichments.pe.sections: original_fieldset: pe short: Data about sections of the compiled binary PE type: nested -threat.enrichments.pe.sections.chi2: - dashed_name: threat-enrichments-pe-sections-chi2 +threat.indicator.pe.sections.chi2: + dashed_name: threat-indicator-pe-sections-chi2 description: Chi-square probability distribution. example: 3027194 - flat_name: threat.enrichments.pe.sections.chi2 + flat_name: threat.indicator.pe.sections.chi2 level: extended name: sections.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long -threat.enrichments.pe.sections.entropy: - dashed_name: threat-enrichments-pe-sections-entropy +threat.indicator.pe.sections.entropy: + dashed_name: threat-indicator-pe-sections-entropy description: Measurement of entropy randomness in the file. example: 6.24 - flat_name: threat.enrichments.pe.sections.entropy + flat_name: threat.indicator.pe.sections.entropy level: extended name: sections.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the file. type: float -threat.enrichments.pe.sections.flags: - dashed_name: threat-enrichments-pe-sections-flags +threat.indicator.pe.sections.flags: + dashed_name: threat-indicator-pe-sections-flags description: Section flags of the file. example: rx - flat_name: threat.enrichments.pe.sections.flags + flat_name: threat.indicator.pe.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -14647,11 +16739,11 @@ threat.enrichments.pe.sections.flags: original_fieldset: pe short: Section flags of the file. type: keyword -threat.enrichments.pe.sections.name: - dashed_name: threat-enrichments-pe-sections-name +threat.indicator.pe.sections.name: + dashed_name: threat-indicator-pe-sections-name description: Section names of the file. example: .text, .data - flat_name: threat.enrichments.pe.sections.name + flat_name: threat.indicator.pe.sections.name ignore_above: 1024 level: extended name: sections.name @@ -14659,11 +16751,11 @@ threat.enrichments.pe.sections.name: original_fieldset: pe short: Section names of the file. type: keyword -threat.enrichments.pe.sections.raw_size: - dashed_name: threat-enrichments-pe-sections-raw-size +threat.indicator.pe.sections.raw_size: + dashed_name: threat-indicator-pe-sections-raw-size description: Size of the section or the dize of the initialized data on disk. example: 198144 - flat_name: threat.enrichments.pe.sections.raw_size + flat_name: threat.indicator.pe.sections.raw_size format: bytes level: extended name: sections.raw_size @@ -14671,11 +16763,11 @@ threat.enrichments.pe.sections.raw_size: original_fieldset: pe short: Size of the section or the dize of the initialized data on disk. type: long -threat.enrichments.pe.sections.virtual_address: - dashed_name: threat-enrichments-pe-sections-virtual-address +threat.indicator.pe.sections.virtual_address: + dashed_name: threat-indicator-pe-sections-virtual-address description: Virtual address available to the file. example: 8192 - flat_name: threat.enrichments.pe.sections.virtual_address + flat_name: threat.indicator.pe.sections.virtual_address format: bytes level: extended name: sections.virtual_address 
@@ -14683,15 +16775,50 @@ threat.enrichments.pe.sections.virtual_address: original_fieldset: pe short: Virtual address available to the file. type: long -threat.enrichments.registry.data.bytes: - dashed_name: threat-enrichments-registry-data-bytes +threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long +threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Indicator provider + type: keyword +threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 + level: extended + name: indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword +threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.registry.data.bytes + flat_name: threat.indicator.registry.data.bytes ignore_above: 1024 level: extended name: data.bytes 
@@ -14699,8 +16826,8 @@ threat.enrichments.registry.data.bytes: original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword -threat.enrichments.registry.data.strings: - dashed_name: threat-enrichments-registry-data-strings +threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single string @@ -14709,7 +16836,7 @@ threat.enrichments.registry.data.strings: For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.registry.data.strings + flat_name: threat.indicator.registry.data.strings level: core name: data.strings normalize: @@ -14717,11 +16844,11 @@ threat.enrichments.registry.data.strings: original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard -threat.enrichments.registry.data.type: - dashed_name: threat-enrichments-registry-data-type +threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type description: Standard registry type for encoding contents example: REG_SZ - flat_name: threat.enrichments.registry.data.type + flat_name: threat.indicator.registry.data.type ignore_above: 1024 level: core name: data.type @@ -14729,11 +16856,11 @@ threat.enrichments.registry.data.type: original_fieldset: registry short: Standard registry type for encoding contents type: keyword -threat.enrichments.registry.hive: - dashed_name: threat-enrichments-registry-hive +threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive description: Abbreviated name for the hive. example: HKLM - flat_name: threat.enrichments.registry.hive + flat_name: threat.indicator.registry.hive ignore_above: 1024 level: core name: hive 
@@ -14741,43 +16868,82 @@ threat.enrichments.registry.hive: original_fieldset: registry short: Abbreviated name for the hive. type: keyword -threat.enrichments.registry.key: - dashed_name: threat-enrichments-registry-key +threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.registry.key + flat_name: threat.indicator.registry.key level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: wildcard -threat.enrichments.registry.path: - dashed_name: threat-enrichments-registry-path +threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - flat_name: threat.enrichments.registry.path + flat_name: threat.indicator.registry.path level: core name: path normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: wildcard -threat.enrichments.registry.value: - dashed_name: threat-enrichments-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.enrichments.registry.value + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword +threat.indicator.scanner_stats: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long +threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ + \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type ignore_above: 1024 - level: core - name: value + level: extended + name: indicator.type normalize: [] - original_fieldset: registry - short: Name of the value written. + short: Type of indicator type: keyword -threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain +threat.indicator.url.domain: + dashed_name: threat-indicator-url-domain description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain 
@@ -14786,15 +16952,15 @@ threat.enrichments.url.domain: If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co - flat_name: threat.enrichments.url.domain + flat_name: threat.indicator.url.domain level: extended name: domain normalize: [] original_fieldset: url short: Domain of the url. type: wildcard -threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension +threat.indicator.url.extension: + dashed_name: threat-indicator-url-extension description: 'The field contains the file extension from the original request url, excluding the leading dot. @@ -14806,7 +16972,7 @@ threat.enrichments.url.extension: Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.url.extension + flat_name: threat.indicator.url.extension ignore_above: 1024 level: extended name: extension @@ -14814,12 +16980,12 @@ threat.enrichments.url.extension: original_fieldset: url short: File extension from the request url, excluding the leading dot. type: keyword -threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment +threat.indicator.url.fragment: + dashed_name: threat-indicator-url-fragment description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + flat_name: threat.indicator.url.fragment ignore_above: 1024 level: extended name: fragment 
@@ -14827,15 +16993,15 @@ threat.enrichments.url.fragment: original_fieldset: url short: Portion of the url after the `#`. type: keyword -threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full +threat.indicator.url.full: + dashed_name: threat-indicator-url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + flat_name: threat.indicator.url.full level: extended multi_fields: - - flat_name: threat.enrichments.url.full.text + - flat_name: threat.indicator.url.full.text name: text norms: false type: text @@ -14844,8 +17010,8 @@ threat.enrichments.url.full: original_fieldset: url short: Full unparsed URL. type: wildcard -threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original +threat.indicator.url.original: + dashed_name: threat-indicator-url-original description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in @@ -14853,10 +17019,10 @@ threat.enrichments.url.original: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + flat_name: threat.indicator.url.original level: extended multi_fields: - - flat_name: threat.enrichments.url.original.text + - flat_name: threat.indicator.url.original.text name: text norms: false type: text 
@@ -14865,10 +17031,10 @@ threat.enrichments.url.original: original_fieldset: url short: Unmodified original url as seen in the event source. type: wildcard -threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password +threat.indicator.url.password: + dashed_name: threat-indicator-url-password description: Password of the request. - flat_name: threat.enrichments.url.password + flat_name: threat.indicator.url.password ignore_above: 1024 level: extended name: password @@ -14876,21 +17042,21 @@ threat.enrichments.url.password: original_fieldset: url short: Password of the request. type: keyword -threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path +threat.indicator.url.path: + dashed_name: threat-indicator-url-path description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path + flat_name: threat.indicator.url.path level: extended name: path normalize: [] original_fieldset: url short: Path of the request, such as "/search". type: wildcard -threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port +threat.indicator.url.port: + dashed_name: threat-indicator-url-port description: Port of the request, such as 443. example: 443 - flat_name: threat.enrichments.url.port + flat_name: threat.indicator.url.port format: string level: extended name: port @@ -14898,8 +17064,8 @@ threat.enrichments.url.port: original_fieldset: url short: Port of the request, such as 443. type: long -threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query +threat.indicator.url.query: + dashed_name: threat-indicator-url-query description: 'The query field describes the query string of the request, such as "q=elasticsearch". 
@@ -14907,7 +17073,7 @@ threat.enrichments.url.query: no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - flat_name: threat.enrichments.url.query + flat_name: threat.indicator.url.query ignore_above: 1024 level: extended name: query @@ -14915,8 +17081,8 @@ threat.enrichments.url.query: original_fieldset: url short: Query string of the request. type: keyword -threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain +threat.indicator.url.registered_domain: + dashed_name: threat-indicator-url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -14925,20 +17091,20 @@ threat.enrichments.url.registered_domain: (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - flat_name: threat.enrichments.url.registered_domain + flat_name: threat.indicator.url.registered_domain level: extended name: registered_domain normalize: [] original_fieldset: url short: The highest registered url domain, stripped of the subdomain. type: wildcard -threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme +threat.indicator.url.scheme: + dashed_name: threat-indicator-url-scheme description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - flat_name: threat.enrichments.url.scheme + flat_name: threat.indicator.url.scheme ignore_above: 1024 level: extended name: scheme 
@@ -14946,8 +17112,8 @@ threat.enrichments.url.scheme: original_fieldset: url short: Scheme of the url. type: keyword -threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain +threat.indicator.url.subdomain: + dashed_name: threat-indicator-url-subdomain description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be @@ -14957,7 +17123,7 @@ threat.enrichments.url.subdomain: domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east - flat_name: threat.enrichments.url.subdomain + flat_name: threat.indicator.url.subdomain ignore_above: 1024 level: extended name: subdomain @@ -14965,8 +17131,8 @@ threat.enrichments.url.subdomain: original_fieldset: url short: The subdomain of the domain. type: keyword -threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain +threat.indicator.url.top_level_domain: + dashed_name: threat-indicator-url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -14975,7 +17141,7 @@ threat.enrichments.url.top_level_domain: (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - flat_name: threat.enrichments.url.top_level_domain + flat_name: threat.indicator.url.top_level_domain ignore_above: 1024 level: extended name: top_level_domain 
@@ -14983,10 +17149,10 @@ threat.enrichments.url.top_level_domain: original_fieldset: url short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username +threat.indicator.url.username: + dashed_name: threat-indicator-url-username description: Username of the request. - flat_name: threat.enrichments.url.username + flat_name: threat.indicator.url.username ignore_above: 1024 level: extended name: username @@ -14994,13 +17160,13 @@ threat.enrichments.url.username: original_fieldset: url short: Username of the request. type: keyword -threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names +threat.indicator.x509.alternative_names: + dashed_name: threat-indicator-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + flat_name: threat.indicator.x509.alternative_names ignore_above: 1024 level: extended name: alternative_names @@ -15009,11 +17175,11 @@ threat.enrichments.x509.alternative_names: original_fieldset: x509 short: List of subject alternative names (SAN). type: keyword -threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name +threat.indicator.x509.issuer.common_name: + dashed_name: threat-indicator-x509-issuer-common-name description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + flat_name: threat.indicator.x509.issuer.common_name ignore_above: 1024 level: extended name: issuer.common_name 
@@ -15022,11 +17188,11 @@ threat.enrichments.x509.issuer.common_name: original_fieldset: x509 short: List of common name (CN) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country +threat.indicator.x509.issuer.country: + dashed_name: threat-indicator-x509-issuer-country description: List of country (C) codes example: US - flat_name: threat.enrichments.x509.issuer.country + flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 level: extended name: issuer.country @@ -15035,23 +17201,23 @@ threat.enrichments.x509.issuer.country: original_fieldset: x509 short: List of country (C) codes type: keyword -threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name +threat.indicator.x509.issuer.distinguished_name: + dashed_name: threat-indicator-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + flat_name: threat.indicator.x509.issuer.distinguished_name level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. type: wildcard -threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality +threat.indicator.x509.issuer.locality: + dashed_name: threat-indicator-x509-issuer-locality description: List of locality names (L) example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + flat_name: threat.indicator.x509.issuer.locality ignore_above: 1024 level: extended name: issuer.locality 
@@ -15060,11 +17226,11 @@ threat.enrichments.x509.issuer.locality: original_fieldset: x509 short: List of locality names (L) type: keyword -threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization +threat.indicator.x509.issuer.organization: + dashed_name: threat-indicator-x509-issuer-organization description: List of organizations (O) of issuing certificate authority. example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + flat_name: threat.indicator.x509.issuer.organization ignore_above: 1024 level: extended name: issuer.organization @@ -15073,11 +17239,11 @@ threat.enrichments.x509.issuer.organization: original_fieldset: x509 short: List of organizations (O) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit +threat.indicator.x509.issuer.organizational_unit: + dashed_name: threat-indicator-x509-issuer-organizational-unit description: List of organizational units (OU) of issuing certificate authority. example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + flat_name: threat.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended name: issuer.organizational_unit 
@@ -15086,11 +17252,11 @@ threat.enrichments.x509.issuer.organizational_unit: original_fieldset: x509 short: List of organizational units (OU) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province +threat.indicator.x509.issuer.state_or_province: + dashed_name: threat-indicator-x509-issuer-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + flat_name: threat.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended name: issuer.state_or_province 
@@ -15099,33 +17265,33 @@ threat.enrichments.x509.issuer.state_or_province: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after +threat.indicator.x509.not_after: + dashed_name: threat-indicator-x509-not-after description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + flat_name: threat.indicator.x509.not_after level: extended name: not_after normalize: [] original_fieldset: x509 short: Time at which the certificate is no longer considered valid. type: date -threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before +threat.indicator.x509.not_before: + dashed_name: threat-indicator-x509-not-before description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + flat_name: threat.indicator.x509.not_before level: extended name: not_before normalize: [] original_fieldset: x509 short: Time at which the certificate is first considered valid. type: date -threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm +threat.indicator.x509.public_key_algorithm: + dashed_name: threat-indicator-x509-public-key-algorithm description: Algorithm used to generate the public key. example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + flat_name: threat.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended name: public_key_algorithm 
@@ -15133,12 +17299,12 @@ threat.enrichments.x509.public_key_algorithm: original_fieldset: x509 short: Algorithm used to generate the public key. type: keyword -threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve +threat.indicator.x509.public_key_curve: + dashed_name: threat-indicator-x509-public-key-curve description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + flat_name: threat.indicator.x509.public_key_curve ignore_above: 1024 level: extended name: public_key_curve @@ -15147,12 +17313,12 @@ threat.enrichments.x509.public_key_curve: short: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent +threat.indicator.x509.public_key_exponent: + dashed_name: threat-indicator-x509-public-key-exponent description: Exponent used to derive the public key. This is algorithm specific. doc_values: false example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent + flat_name: threat.indicator.x509.public_key_exponent index: false level: extended name: public_key_exponent 
@@ -15160,24 +17326,24 @@ threat.enrichments.x509.public_key_exponent: original_fieldset: x509 short: Exponent used to derive the public key. This is algorithm specific. type: long -threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size +threat.indicator.x509.public_key_size: + dashed_name: threat-indicator-x509-public-key-size description: The size of the public key space in bits. example: 2048 - flat_name: threat.enrichments.x509.public_key_size + flat_name: threat.indicator.x509.public_key_size level: extended name: public_key_size normalize: [] original_fieldset: x509 short: The size of the public key space in bits. type: long -threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number +threat.indicator.x509.serial_number: + dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + flat_name: threat.indicator.x509.serial_number ignore_above: 1024 level: extended name: serial_number @@ -15185,12 +17351,12 @@ threat.enrichments.x509.serial_number: original_fieldset: x509 short: Unique serial number issued by the certificate authority. type: keyword -threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm +threat.indicator.x509.signature_algorithm: + dashed_name: threat-indicator-x509-signature-algorithm description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + flat_name: threat.indicator.x509.signature_algorithm ignore_above: 1024 level: extended name: signature_algorithm 
@@ -15198,11 +17364,11 @@ threat.enrichments.x509.signature_algorithm: original_fieldset: x509 short: Identifier for certificate signature algorithm. type: keyword -threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name +threat.indicator.x509.subject.common_name: + dashed_name: threat-indicator-x509-subject-common-name description: List of common names (CN) of subject. example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + flat_name: threat.indicator.x509.subject.common_name ignore_above: 1024 level: extended name: subject.common_name @@ -15211,11 +17377,11 @@ threat.enrichments.x509.subject.common_name: original_fieldset: x509 short: List of common names (CN) of subject. type: keyword -threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country +threat.indicator.x509.subject.country: + dashed_name: threat-indicator-x509-subject-country description: List of country (C) code example: US - flat_name: threat.enrichments.x509.subject.country + flat_name: threat.indicator.x509.subject.country ignore_above: 1024 level: extended name: subject.country 
@@ -15224,22 +17390,22 @@ threat.enrichments.x509.subject.country: original_fieldset: x509 short: List of country (C) code type: keyword -threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name +threat.indicator.x509.subject.distinguished_name: + dashed_name: threat-indicator-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + flat_name: threat.indicator.x509.subject.distinguished_name level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. type: wildcard -threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality +threat.indicator.x509.subject.locality: + dashed_name: threat-indicator-x509-subject-locality description: List of locality names (L) example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + flat_name: threat.indicator.x509.subject.locality ignore_above: 1024 level: extended name: subject.locality @@ -15248,11 +17414,11 @@ threat.enrichments.x509.subject.locality: original_fieldset: x509 short: List of locality names (L) type: keyword -threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization +threat.indicator.x509.subject.organization: + dashed_name: threat-indicator-x509-subject-organization description: List of organizations (O) of subject. example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + flat_name: threat.indicator.x509.subject.organization ignore_above: 1024 level: extended name: subject.organization 
@@ -15261,10 +17427,10 @@ threat.enrichments.x509.subject.organization: original_fieldset: x509 short: List of organizations (O) of subject. type: keyword -threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit +threat.indicator.x509.subject.organizational_unit: + dashed_name: threat-indicator-x509-subject-organizational-unit description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit + flat_name: threat.indicator.x509.subject.organizational_unit ignore_above: 1024 level: extended name: subject.organizational_unit @@ -15273,11 +17439,11 @@ threat.enrichments.x509.subject.organizational_unit: original_fieldset: x509 short: List of organizational units (OU) of subject. type: keyword -threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province +threat.indicator.x509.subject.state_or_province: + dashed_name: threat-indicator-x509-subject-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.subject.state_or_province + flat_name: threat.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended name: subject.state_or_province @@ -15286,11 +17452,11 @@ threat.enrichments.x509.subject.state_or_province: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number +threat.indicator.x509.version_number: + dashed_name: threat-indicator-x509-version-number description: Version of x509 format. example: 3 - flat_name: threat.enrichments.x509.version_number + flat_name: threat.indicator.x509.version_number ignore_above: 1024 level: extended name: version_number 
@@ -15298,227 +17464,6 @@ threat.enrichments.x509.version_number: original_fieldset: x509 short: Version of x509 format. type: keyword -threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification can - be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework - ignore_above: 1024 - level: extended - name: framework - normalize: [] - short: Threat classification framework. - type: keyword -threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias - ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. - type: keyword -threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that are\ - \ tracked by a common name in the security community. While not required, you\ - \ can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id - ignore_above: 1024 - level: extended - name: group.id - normalize: [] - short: ID of the group. - type: keyword -threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - flat_name: threat.group.name - ignore_above: 1024 - level: extended - name: group.name - normalize: [] - short: Name of the group. - type: keyword -threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference - ignore_above: 1024 - level: extended - name: group.reference - normalize: [] - short: Reference URL of the group. - type: keyword -threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 - level: extended - name: indicator.confidence - normalize: [] - short: Indicator confidence rating - type: keyword -threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description - ignore_above: 1024 - level: extended - name: indicator.description - normalize: [] - short: Indicator description - type: keyword -threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective of - direction). 
- example: phish@example.com - flat_name: threat.indicator.email.address - ignore_above: 1024 - level: extended - name: indicator.email.address - normalize: [] - short: Indicator email address - type: keyword -threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen - level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date -threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip -threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting this - indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen - level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date -threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp - ignore_above: 1024 - level: extended - name: indicator.marking.tlp - normalize: [] - short: Indicator TLP marking - type: keyword -threat.indicator.modified_at: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at - level: extended - name: indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date -threat.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of direction). - example: 443 - flat_name: threat.indicator.port - level: extended - name: indicator.port - normalize: [] - short: Indicator port - type: long -threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file or - URL. - example: 4 - flat_name: threat.indicator.scanner_stats - level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long -threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings - level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long -threat.indicator.type: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type - ignore_above: 1024 - level: extended - name: indicator.type - normalize: [] - short: Type of indicator - type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0f4513a6e5..c693fd57f4 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -150,9 +150,13 @@ as: at: source full: source.as - as: as - at: threat.enrichments + at: threat.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.indicator.as + - as: as + at: threat.enrichments.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.as + full: threat.enrichments.indicator.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). title: Autonomous System @@ -3422,8 +3426,8 @@ event: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, 
@@ -3773,13 +3777,6 @@ event: group: 2 name: event prefix: event. - reusable: - expected: - - as: event - at: threat.enrichments - beta: Reusing the `event` fields in this location is currently considered beta. - full: threat.enrichments.event - top_level: true short: Fields breaking down the event details. title: Event type: group @@ -5301,9 +5298,13 @@ file: reusable: expected: - as: file - at: threat.enrichments + at: threat.indicator beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.file + full: threat.indicator.file + - as: file + at: threat.enrichments.indicator + beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.indicator.file top_level: true reused_here: - full: file.code_signature @@ -5484,9 +5485,13 @@ geo: at: source full: source.geo - as: geo - at: threat.enrichments + at: threat.indicator + beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.indicator.geo + - as: geo + at: threat.enrichments.indicator beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.geo + full: threat.enrichments.indicator.geo top_level: false short: Fields describing a location. title: Geo @@ -5616,9 +5621,13 @@ hash: at: dll full: dll.hash - as: hash - at: threat.enrichments + at: threat.indicator + beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.indicator.hash + - as: hash + at: threat.enrichments.indicator beta: Reusing the `hash` fields in this location is currently considered beta. - full: threat.enrichments.hash + full: threat.enrichments.indicator.hash top_level: false short: Hashes, usually file hashes. title: Hash 
@@ -8320,6 +8329,14 @@ pe: - as: pe at: process full: process.pe + - as: pe + at: threat.indicator + beta: Reusing the `pe` fields in this location is currently considered beta. + full: threat.indicator.pe + - as: pe + at: threat.enrichments.indicator + beta: Reusing the `pe` fields in this location is currently considered beta. + full: threat.enrichments.indicator.pe - as: pe at: threat.enrichments full: threat.enrichments.pe @@ -13154,6 +13171,16 @@ registry: prefix: registry. reusable: expected: + - as: registry + at: threat.indicator + beta: Reusing the `registry` fields in this location is currently considered + beta. + full: threat.indicator.registry + - as: registry + at: threat.enrichments.indicator + beta: Reusing the `registry` fields in this location is currently considered + beta. + full: threat.enrichments.indicator.registry - as: registry at: threat.enrichments full: threat.enrichments.registry 
@@ -14472,34 +14499,44 @@ threat: threat.enrichments: beta: This field is beta and subject to change. dashed_name: threat-enrichments - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: [] - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. type: nested - threat.enrichments.as.number: - dashed_name: threat-enrichments-as-number + threat.enrichments.indicator: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator + description: Object containing associated indicators enriching the event. + flat_name: threat.enrichments.indicator + level: extended + name: enrichments.indicator + normalize: [] + short: Object containing indicators enriching the event. + type: object + threat.enrichments.indicator.as.number: + dashed_name: threat-enrichments-indicator-as-number description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - flat_name: threat.enrichments.as.number + flat_name: threat.enrichments.indicator.as.number level: extended name: number normalize: [] original_fieldset: as short: Unique number allocated to the autonomous system. type: long - threat.enrichments.as.organization.name: - dashed_name: threat-enrichments-as-organization-name + threat.enrichments.indicator.as.organization.name: + dashed_name: threat-enrichments-indicator-as-organization-name description: Organization name. 
example: Google LLC - flat_name: threat.enrichments.as.organization.name + flat_name: threat.enrichments.indicator.as.organization.name level: extended multi_fields: - - flat_name: threat.enrichments.as.organization.name.text + - flat_name: threat.enrichments.indicator.as.organization.name.text name: text norms: false type: text 
@@ -14508,852 +14545,2927 @@ threat: original_fieldset: as short: Organization name. type: wildcard - threat.enrichments.event.action: - dashed_name: threat-enrichments-event-action - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change - flat_name: threat.enrichments.event.action + threat.enrichments.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.enrichments.indicator.confidence ignore_above: 1024 - level: core - name: action + level: extended + name: enrichments.indicator.confidence normalize: [] - original_fieldset: event - short: The action captured by the event. + short: Indicator confidence rating type: keyword - threat.enrichments.event.agent_id_status: - dashed_name: threat-enrichments-event-agent-id-status - description: 'Agents are normally responsible for populating the `agent.id` - field value. If the system receiving events is capable of validating the value - based on authentication information for the client then this field can be - used to reflect the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the - client cert contains the ID of the agent to which the cert was issued then - the `agent.id` value in events can be checked against the certificate. 
If - the values match then `event.agent_id_status: verified` is added to the event, - otherwise one of the other allowed values should be used. - - If no validation is performed then the field should be omitted. + threat.enrichments.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.enrichments.indicator.description + ignore_above: 1024 + level: extended + name: enrichments.indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.enrichments.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.enrichments.indicator.email.address + ignore_above: 1024 + level: extended + name: enrichments.indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.enrichments.indicator.file.accessed: + dashed_name: threat-enrichments-indicator-file-accessed + description: 'Last time the file was accessed. - The allowed values are: + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.enrichments.indicator.file.attributes: + dashed_name: threat-enrichments-indicator-file-attributes + description: 'Array of file attributes. - `verified` - The `agent.id` field value matches expected value obtained from - auth metadata. + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.enrichments.indicator.file.code_signature.exists: + dashed_name: threat-enrichments-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.enrichments.indicator.file.code_signature.signing_id: + dashed_name: threat-enrichments-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. - `mismatch` - The `agent.id` field value does not match the expected value - obtained from auth metadata. + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + threat.enrichments.indicator.file.code_signature.status: + dashed_name: threat-enrichments-indicator-file-code-signature-status + description: 'Additional information about the certificate status. - `missing` - There was no `agent.id` field in the event to validate. + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + threat.enrichments.indicator.file.code_signature.subject_name: + dashed_name: threat-enrichments-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + threat.enrichments.indicator.file.code_signature.team_id: + dashed_name: threat-enrichments-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - flat_name: threat.enrichments.event.agent_id_status + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: agent_id_status + name: team_id normalize: [] - original_fieldset: event - short: Validation status of the event's agent.id field. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword - threat.enrichments.event.category: - allowed_values: - - description: Events in this category are related to the challenge and response - process in which credentials are supplied and verified to allow the creation - of a session. Common sources for these logs are Windows event logs and ssh - logs. 
Visualize and analyze events in this category to look for failed logins, - and other authentication-related activity. - expected_event_types: - - start - - end - - info - name: authentication - - description: 'Events in the configuration category have to deal with creating, - modifying, or deleting the settings or parameters of an application, process, - or system. + threat.enrichments.indicator.file.code_signature.trusted: + dashed_name: threat-enrichments-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - Example sources include security policy change logs, configuration auditing - logging, and system integrity monitoring.' - expected_event_types: - - access - - change - - creation - - deletion - - info - name: configuration - - description: The database category denotes events and metrics relating to - a data storage and retrieval system. Note that use of this category is not - limited to relational database systems. Examples include event logs from - MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize - and analyze database activity such as accesses and changes. - expected_event_types: - - access - - change - - info - - error - name: database - - description: 'Events in the driver category have to do with operating system - device drivers and similar software entities such as Windows drivers, kernel - extensions, kernel modules, etc. + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean + threat.enrichments.indicator.file.code_signature.valid: + dashed_name: threat-enrichments-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. - Use events and metrics in this category to visualize and analyze driver-related - activity and status on hosts.' - expected_event_types: - - change - - end - - info - - start - name: driver - - description: Relating to a set of information that has been created on, or - has existed on a filesystem. Use this category of events to visualize and - analyze the creation, access, and deletions of files. Events in this category - can come from both host-based and network-based sources. An example source - of a network-based detection of a file transfer would be the Zeek file.log. - expected_event_types: - - change - - creation - - deletion - - info - name: file - - description: 'Use this category to visualize and analyze information such - as host inventory or host lifecycle events. + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.enrichments.indicator.file.created: + dashed_name: threat-enrichments-indicator-file-created + description: 'File creation time. - Most of the events in this category can usually be observed from the outside, - such as from a hypervisor or a control plane''s point of view. Some can - also be seen from within, such as "start" or "end". + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. 
+ type: date + threat.enrichments.indicator.file.ctime: + dashed_name: threat-enrichments-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. - Note that this category is for information about hosts themselves; it is - not meant to capture activity "happening on a host".' - expected_event_types: - - access - - change - - end - - info - - start - name: host - - description: Identity and access management (IAM) events relating to users, - groups, and administration. Use this category to visualize and analyze IAM-related - logs and data from active directory, LDAP, Okta, Duo, and other IAM systems. - expected_event_types: - - admin - - change - - creation - - deletion - - group - - info - - user - name: iam - - description: Relating to intrusion detections from IDS/IPS systems and functions, - both network and host-based. Use this category to visualize and analyze - intrusion detection alerts from systems such as Snort, Suricata, and Palo - Alto threat detections. - expected_event_types: - - allowed - - denied - - info - name: intrusion_detection - - description: Malware detection events and alerts. Use this category to visualize - and analyze malware detections from EDR/EPP systems such as Elastic Endpoint - Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS - systems such as Suricata, or other sources of malware-related events such - as Palo Alto Networks threat logs and Wildfire logs. - expected_event_types: - - info - name: malware - - description: Relating to all network activity, including network connection - lifecycle, network traffic, and essentially any event that includes an IP - address. Many events containing decoded network protocol transactions fit - into this category. Use events in this category to visualize or analyze - counts of network ports, protocols, addresses, geolocation information, - etc. 
- expected_event_types: - - access - - allowed - - connection - - denied - - end - - info - - protocol - - start - name: network - - description: Relating to software packages installed on hosts. Use this category - to visualize and analyze inventory of software installed on various hosts, - or to determine host vulnerability in the absence of vulnerability scan - data. - expected_event_types: - - access - - change - - deletion - - info - - installation - - start - name: package - - description: Use this category of events to visualize and analyze process-specific - information such as lifecycle events or process ancestry. - expected_event_types: - - access - - change - - end - - info - - start - name: process - - description: Having to do with settings and assets stored in the Windows registry. - Use this category to visualize and analyze activity such as registry access - and modifications. - expected_event_types: - - access - - change - - creation - - deletion - name: registry - - description: The session category is applied to events and metrics regarding - logical persistent connections to hosts and services. Use this category - to visualize and analyze interactive or automated persistent connections - between assets. Data for this category may come from Windows Event logs, - SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. - expected_event_types: - - start - - end - - info - name: session - - description: 'Relating to web server access. Use this category to create a - dashboard of web server/proxy activity from apache, IIS, nginx web servers, - etc. Note: events from network observers such as Zeek http log may also - be included in this category.' - expected_event_types: - - access - - error - - info - name: web - dashed_name: threat-enrichments-event-category - description: 'This is one of four ECS Categorization Fields, and indicates the - second level in the ECS category hierarchy. 
+ Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.enrichments.indicator.file.device: + dashed_name: threat-enrichments-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword + threat.enrichments.indicator.file.directory: + dashed_name: threat-enrichments-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.enrichments.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard + threat.enrichments.indicator.file.drive_letter: + dashed_name: threat-enrichments-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.enrichments.indicator.file.elf.architecture: + dashed_name: threat-enrichments-indicator-file-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: threat.enrichments.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + threat.enrichments.indicator.file.elf.byte_order: + dashed_name: threat-enrichments-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + threat.enrichments.indicator.file.elf.cpu_type: + dashed_name: threat-enrichments-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + threat.enrichments.indicator.file.elf.creation_date: + dashed_name: threat-enrichments-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened + threat.enrichments.indicator.file.elf.header.abi_version: + dashed_name: threat-enrichments-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + threat.enrichments.indicator.file.elf.header.class: + dashed_name: threat-enrichments-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + threat.enrichments.indicator.file.elf.header.data: + dashed_name: threat-enrichments-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + threat.enrichments.indicator.file.elf.header.entrypoint: + dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.enrichments.indicator.file.elf.header.object_version: + dashed_name: threat-enrichments-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' 
+ flat_name: threat.enrichments.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + threat.enrichments.indicator.file.elf.header.os_abi: + dashed_name: threat-enrichments-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.enrichments.indicator.file.elf.header.type: + dashed_name: threat-enrichments-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + threat.enrichments.indicator.file.elf.header.version: + dashed_name: threat-enrichments-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + threat.enrichments.indicator.file.elf.imports: + dashed_name: threat-enrichments-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. 
+ type: flattened + threat.enrichments.indicator.file.elf.sections: + dashed_name: threat-enrichments-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.enrichments.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.enrichments.indicator.file.elf.sections.chi2: + dashed_name: threat-enrichments-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.enrichments.indicator.file.elf.sections.entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + threat.enrichments.indicator.file.elf.sections.flags: + dashed_name: threat-enrichments-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + threat.enrichments.indicator.file.elf.sections.name: + dashed_name: threat-enrichments-indicator-file-elf-sections-name + description: ELF Section List name. 
+ flat_name: threat.enrichments.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + threat.enrichments.indicator.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + threat.enrichments.indicator.file.elf.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.enrichments.indicator.file.elf.sections.type: + dashed_name: threat-enrichments-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + threat.enrichments.indicator.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. 
+ type: long + threat.enrichments.indicator.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.enrichments.indicator.file.elf.segments: + dashed_name: threat-enrichments-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.enrichments.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.enrichments.indicator.file.elf.segments.sections: + dashed_name: threat-enrichments-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + threat.enrichments.indicator.file.elf.segments.type: + dashed_name: threat-enrichments-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + threat.enrichments.indicator.file.elf.shared_libraries: + dashed_name: threat-enrichments-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: threat.enrichments.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + threat.enrichments.indicator.file.elf.telfhash: + dashed_name: threat-enrichments-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.enrichments.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + threat.enrichments.indicator.file.extension: + dashed_name: threat-enrichments-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.enrichments.indicator.file.gid: + dashed_name: threat-enrichments-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.enrichments.indicator.file.group: + dashed_name: threat-enrichments-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. 
+ type: keyword + threat.enrichments.indicator.file.inode: + dashed_name: threat-enrichments-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword + threat.enrichments.indicator.file.mime_type: + dashed_name: threat-enrichments-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.enrichments.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword + threat.enrichments.indicator.file.mode: + dashed_name: threat-enrichments-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.enrichments.indicator.file.mtime: + dashed_name: threat-enrichments-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date + threat.enrichments.indicator.file.name: + dashed_name: threat-enrichments-indicator-file-name + description: Name of the file including the extension, without the directory. 
+ example: example.png + flat_name: threat.enrichments.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword + threat.enrichments.indicator.file.owner: + dashed_name: threat-enrichments-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword + threat.enrichments.indicator.file.path: + dashed_name: threat-enrichments-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard + threat.enrichments.indicator.file.size: + dashed_name: threat-enrichments-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long + threat.enrichments.indicator.file.target_path: + dashed_name: threat-enrichments-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.enrichments.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. 
+ type: wildcard + threat.enrichments.indicator.file.type: + dashed_name: threat-enrichments-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword + threat.enrichments.indicator.file.uid: + dashed_name: threat-enrichments-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen + level: extended + name: enrichments.indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.enrichments.indicator.geo.city_name: + dashed_name: threat-enrichments-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + threat.enrichments.indicator.geo.continent_code: + dashed_name: threat-enrichments-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. 
+ type: keyword + threat.enrichments.indicator.geo.continent_name: + dashed_name: threat-enrichments-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.enrichments.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.enrichments.indicator.geo.country_iso_code: + dashed_name: threat-enrichments-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.enrichments.indicator.geo.country_name: + dashed_name: threat-enrichments-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.enrichments.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.enrichments.indicator.geo.location: + dashed_name: threat-enrichments-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.enrichments.indicator.geo.name: + dashed_name: threat-enrichments-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' 
+ example: boston-dc + flat_name: threat.enrichments.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + threat.enrichments.indicator.geo.postal_code: + dashed_name: threat-enrichments-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.enrichments.indicator.geo.region_iso_code: + dashed_name: threat-enrichments-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.enrichments.indicator.geo.region_name: + dashed_name: threat-enrichments-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + threat.enrichments.indicator.geo.timezone: + dashed_name: threat-enrichments-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + threat.enrichments.indicator.hash.md5: + dashed_name: threat-enrichments-indicator-hash-md5 + description: MD5 hash. 
+ flat_name: threat.enrichments.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.enrichments.indicator.hash.sha1: + dashed_name: threat-enrichments-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + threat.enrichments.indicator.hash.sha256: + dashed_name: threat-enrichments-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + threat.enrichments.indicator.hash.sha512: + dashed_name: threat-enrichments-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.enrichments.indicator.hash.ssdeep: + dashed_name: threat-enrichments-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen + level: extended + name: enrichments.indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: enrichments.indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at + level: extended + name: enrichments.indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.enrichments.indicator.pe.authentihash: + dashed_name: threat-enrichments-indicator-pe-authentihash + description: Authentihash of the PE file. 
+ example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.indicator.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword + threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.compile_timestamp: + dashed_name: threat-enrichments-indicator-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + threat.enrichments.indicator.pe.compiler.name: + dashed_name: threat-enrichments-indicator-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.indicator.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + threat.enrichments.indicator.pe.compiler.version: + dashed_name: threat-enrichments-indicator-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.enrichments.indicator.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. 
+ type: keyword + threat.enrichments.indicator.pe.creation_date: + dashed_name: threat-enrichments-indicator-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + threat.enrichments.indicator.pe.debug: + dashed_name: threat-enrichments-indicator-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.indicator.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + threat.enrichments.indicator.pe.debug.offset: + dashed_name: threat-enrichments-indicator-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.indicator.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + threat.enrichments.indicator.pe.debug.size: + dashed_name: threat-enrichments-indicator-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.indicator.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + threat.enrichments.indicator.pe.debug.timestamp: + dashed_name: threat-enrichments-indicator-pe-debug-timestamp + description: Timestamp of the debug information. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + threat.enrichments.indicator.pe.debug.type: + dashed_name: threat-enrichments-indicator-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.indicator.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword + threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.entry_point: + dashed_name: threat-enrichments-indicator-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.indicator.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. 
+ type: keyword + threat.enrichments.indicator.pe.exports: + dashed_name: threat-enrichments-indicator-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.indicator.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword + threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + threat.enrichments.indicator.pe.icon.hash.dhash: + dashed_name: threat-enrichments-indicator-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.indicator.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword + threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + threat.enrichments.indicator.pe.imports: + dashed_name: threat-enrichments-indicator-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.indicator.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + threat.enrichments.indicator.pe.machine_type: + dashed_name: threat-enrichments-indicator-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.indicator.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword + threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.indicator.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.enrichments.indicator.pe.packers: + dashed_name: threat-enrichments-indicator-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.indicator.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. 
+ type: keyword + threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.resources: + dashed_name: threat-enrichments-indicator-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.indicator.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + threat.enrichments.indicator.pe.resources.chi2: + dashed_name: threat-enrichments-indicator-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.indicator.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.enrichments.indicator.pe.resources.entropy: + dashed_name: threat-enrichments-indicator-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.indicator.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + threat.enrichments.indicator.pe.resources.filetype: + dashed_name: threat-enrichments-indicator-pe-resources-filetype + description: File type of the resources section. 
+ example: Data + flat_name: threat.enrichments.indicator.pe.resources.filetype + ignore_above: 1024 + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. + type: keyword + threat.enrichments.indicator.pe.resources.language: + dashed_name: threat-enrichments-indicator-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.indicator.pe.resources.language + ignore_above: 1024 + level: extended + name: resources.language + normalize: [] + original_fieldset: pe + short: Language identification. + type: keyword + threat.enrichments.indicator.pe.resources.sha256: + dashed_name: threat-enrichments-indicator-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.indicator.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 + normalize: [] + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + threat.enrichments.indicator.pe.resources.type: + dashed_name: threat-enrichments-indicator-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.indicator.pe.resources.type + ignore_above: 1024 + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + threat.enrichments.indicator.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-indicator-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.indicator.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. 
+ type: keyword + threat.enrichments.indicator.pe.sections: + dashed_name: threat-enrichments-indicator-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.indicator.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + threat.enrichments.indicator.pe.sections.chi2: + dashed_name: threat-enrichments-indicator-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.indicator.pe.sections.chi2 + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.enrichments.indicator.pe.sections.entropy: + dashed_name: threat-enrichments-indicator-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.indicator.pe.sections.entropy + level: extended + name: sections.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + threat.enrichments.indicator.pe.sections.flags: + dashed_name: threat-enrichments-indicator-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.indicator.pe.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: pe + short: Section flags of the file. + type: keyword + threat.enrichments.indicator.pe.sections.name: + dashed_name: threat-enrichments-indicator-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.indicator.pe.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: pe + short: Section names of the file. 
+ type: keyword + threat.enrichments.indicator.pe.sections.raw_size: + dashed_name: threat-enrichments-indicator-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.enrichments.indicator.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size + normalize: [] + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long + threat.enrichments.indicator.pe.sections.virtual_address: + dashed_name: threat-enrichments-indicator-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.indicator.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long + threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long + threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider + ignore_above: 1024 + level: extended + name: enrichments.indicator.provider + normalize: [] + short: Indicator provider + type: keyword + threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. 
+ example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference + ignore_above: 1024 + level: extended + name: enrichments.indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword + threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. 
+ type: wildcard + threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword + threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard + threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value + description: Name of the value written. 
+ example: Debugger + flat_name: threat.enrichments.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats + level: extended + name: enrichments.indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type + ignore_above: 1024 + level: extended + name: enrichments.indicator.type + normalize: [] + short: Type of indicator + type: keyword + threat.enrichments.indicator.url.domain: + dashed_name: threat-enrichments-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". 
+ + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.enrichments.indicator.url.domain + level: extended + name: domain + normalize: [] + original_fieldset: url + short: Domain of the url. + type: wildcard + threat.enrichments.indicator.url.extension: + dashed_name: threat-enrichments-indicator-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.url.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: url + short: File extension from the request url, excluding the leading dot. + type: keyword + threat.enrichments.indicator.url.fragment: + dashed_name: threat-enrichments-indicator-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.indicator.url.fragment + ignore_above: 1024 + level: extended + name: fragment + normalize: [] + original_fieldset: url + short: Portion of the url after the `#`. + type: keyword + threat.enrichments.indicator.url.full: + dashed_name: threat-enrichments-indicator-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.indicator.url.full + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.url.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: url + short: Full unparsed URL. + type: wildcard + threat.enrichments.indicator.url.original: + dashed_name: threat-enrichments-indicator-url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.indicator.url.original + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: wildcard + threat.enrichments.indicator.url.password: + dashed_name: threat-enrichments-indicator-url-password + description: Password of the request. + flat_name: threat.enrichments.indicator.url.password + ignore_above: 1024 + level: extended + name: password + normalize: [] + original_fieldset: url + short: Password of the request. + type: keyword + threat.enrichments.indicator.url.path: + dashed_name: threat-enrichments-indicator-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.indicator.url.path + level: extended + name: path + normalize: [] + original_fieldset: url + short: Path of the request, such as "/search". + type: wildcard + threat.enrichments.indicator.url.port: + dashed_name: threat-enrichments-indicator-url-port + description: Port of the request, such as 443. 
+ example: 443 + flat_name: threat.enrichments.indicator.url.port + format: string + level: extended + name: port + normalize: [] + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.enrichments.indicator.url.query: + dashed_name: threat-enrichments-indicator-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.enrichments.indicator.url.query + ignore_above: 1024 + level: extended + name: query + normalize: [] + original_fieldset: url + short: Query string of the request. + type: keyword + threat.enrichments.indicator.url.registered_domain: + dashed_name: threat-enrichments-indicator-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.indicator.url.registered_domain + level: extended + name: registered_domain + normalize: [] + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: wildcard + threat.enrichments.indicator.url.scheme: + dashed_name: threat-enrichments-indicator-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' 
+ example: https + flat_name: threat.enrichments.indicator.url.scheme + ignore_above: 1024 + level: extended + name: scheme + normalize: [] + original_fieldset: url + short: Scheme of the url. + type: keyword + threat.enrichments.indicator.url.subdomain: + dashed_name: threat-enrichments-indicator-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.indicator.url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: url + short: The subdomain of the domain. + type: keyword + threat.enrichments.indicator.url.top_level_domain: + dashed_name: threat-enrichments-indicator-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.indicator.url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). 
+ type: keyword + threat.enrichments.indicator.url.username: + dashed_name: threat-enrichments-indicator-url-username + description: Username of the request. + flat_name: threat.enrichments.indicator.url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + original_fieldset: url + short: Username of the request. + type: keyword + threat.enrichments.indicator.x509.alternative_names: + dashed_name: threat-enrichments-indicator-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.indicator.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword + threat.enrichments.indicator.x509.issuer.common_name: + dashed_name: threat-enrichments-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.indicator.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. 
+ type: keyword + threat.enrichments.indicator.x509.issuer.country: + dashed_name: threat-enrichments-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.indicator.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + threat.enrichments.indicator.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard + threat.enrichments.indicator.x509.issuer.locality: + dashed_name: threat-enrichments-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.indicator.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + threat.enrichments.indicator.x509.issuer.organization: + dashed_name: threat-enrichments-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.indicator.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. 
+ type: keyword + threat.enrichments.indicator.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword + threat.enrichments.indicator.x509.issuer.state_or_province: + dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.indicator.x509.not_after: + dashed_name: threat-enrichments-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.indicator.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date + threat.enrichments.indicator.x509.not_before: + dashed_name: threat-enrichments-indicator-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.indicator.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. 
+ type: date + threat.enrichments.indicator.x509.public_key_algorithm: + dashed_name: threat-enrichments-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.indicator.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword + threat.enrichments.indicator.x509.public_key_curve: + dashed_name: threat-enrichments-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.enrichments.indicator.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + threat.enrichments.indicator.x509.public_key_exponent: + dashed_name: threat-enrichments-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.indicator.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long + threat.enrichments.indicator.x509.public_key_size: + dashed_name: threat-enrichments-indicator-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.indicator.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. 
+ type: long + threat.enrichments.indicator.x509.serial_number: + dashed_name: threat-enrichments-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.indicator.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword + threat.enrichments.indicator.x509.signature_algorithm: + dashed_name: threat-enrichments-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.indicator.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword + threat.enrichments.indicator.x509.subject.common_name: + dashed_name: threat-enrichments-indicator-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. 
+ type: keyword + threat.enrichments.indicator.x509.subject.country: + dashed_name: threat-enrichments-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.indicator.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + threat.enrichments.indicator.x509.subject.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.distinguished_name + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: wildcard + threat.enrichments.indicator.x509.subject.locality: + dashed_name: threat-enrichments-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.indicator.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + threat.enrichments.indicator.x509.subject.organization: + dashed_name: threat-enrichments-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.indicator.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. 
+ type: keyword + threat.enrichments.indicator.x509.subject.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.indicator.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword + threat.enrichments.indicator.x509.subject.state_or_province: + dashed_name: threat-enrichments-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.indicator.x509.version_number: + dashed_name: threat-enrichments-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.indicator.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword + threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic + normalize: [] + short: Matched indicator value + type: keyword + threat.enrichments.matched.field: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 + level: extended + name: enrichments.matched.field + normalize: [] + short: Matched indicator field + type: keyword + threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 + level: extended + name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier + type: keyword + threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 + level: extended + name: enrichments.matched.index + normalize: [] + short: Matched indicator index + type: keyword + threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 + level: extended + name: enrichments.matched.type + normalize: [] + short: Type of indicator match + type: keyword + threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: threat.enrichments.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash + ignore_above: 1024 + level: extended + name: authentihash + normalize: [] + original_fieldset: pe + short: Authentihash of the PE file. + type: keyword + threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name + ignore_above: 1024 + level: extended + name: compiler.name + normalize: [] + original_fieldset: pe + short: Name of the compiler + type: keyword + threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. 
+ example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version + ignore_above: 1024 + level: extended + name: compiler.version + normalize: [] + original_fieldset: pe + short: Version of the compiler. + type: keyword + threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: pe + short: Build or compile date. + type: date + threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process - activity. This field is closely related to `event.type`, which is used as - a subcategory. + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. 
+ type: long + threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. + type: date + threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword + threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. 
+ type: keyword + threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports + ignore_above: 1024 + level: extended + name: exports + normalize: + - array + original_fieldset: pe + short: List of symbols exported by PE + type: keyword + threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash + ignore_above: 1024 + level: extended + name: icon.hash.dhash + normalize: [] + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. + type: keyword + threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. - This field is an array. This will allow proper categorization of some events - that fall in multiple categories.' - example: authentication - flat_name: threat.enrichments.event.category + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened + threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword + threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword + threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. + type: long + threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 - level: core - name: category - normalize: - - array - original_fieldset: event - short: Event category. The second categorization field in the hierarchy. + level: extended + name: resources.filetype + normalize: [] + original_fieldset: pe + short: File type of the resources section. 
type: keyword - threat.enrichments.event.code: - dashed_name: threat-enrichments-event-code - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 - flat_name: threat.enrichments.event.code + threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language ignore_above: 1024 level: extended - name: code + name: resources.language normalize: [] - original_fieldset: event - short: Identification code for this event. + original_fieldset: pe + short: Language identification. type: keyword - threat.enrichments.event.created: - dashed_name: threat-enrichments-event-created - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' - flat_name: threat.enrichments.event.created - level: core - name: created + threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 + ignore_above: 1024 + level: extended + name: resources.sha256 normalize: [] - original_fieldset: event - short: Time when the event was first read by an agent or by your pipeline. - type: date - threat.enrichments.event.dataset: - dashed_name: threat-enrichments-event-dataset - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes - from. - - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' - example: apache.access - flat_name: threat.enrichments.event.dataset + original_fieldset: pe + short: SHA256 hash of resources section. + type: keyword + threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type ignore_above: 1024 - level: core - name: dataset + level: extended + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. + type: keyword + threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 normalize: [] - original_fieldset: event - short: Name of the dataset. + original_fieldset: pe + short: MD5 hash of the header for the PE file. type: keyword - threat.enrichments.event.duration: - dashed_name: threat-enrichments-event-duration - description: 'Duration of the event in nanoseconds. 
- - If event.start and event.end are known this value should be the difference - between the end and start time.' - flat_name: threat.enrichments.event.duration - format: duration - input_format: nanoseconds - level: core - name: duration + threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections + level: extended + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested + threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 + level: extended + name: sections.chi2 normalize: [] - original_fieldset: event - output_format: asMilliseconds - output_precision: 1 - short: Duration of the event in nanoseconds. + original_fieldset: pe + short: Chi-square probability distribution. type: long - threat.enrichments.event.end: - dashed_name: threat-enrichments-event-end - description: event.end contains the date when the event ended or when the activity - was last observed. - flat_name: threat.enrichments.event.end + threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy level: extended - name: end + name: sections.entropy normalize: [] - original_fieldset: event - short: event.end contains the date when the event ended or when the activity - was last observed. - type: date - threat.enrichments.event.hash: - dashed_name: threat-enrichments-event-hash - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. 
- example: 123456789012345678901234567890ABCD - flat_name: threat.enrichments.event.hash + original_fieldset: pe + short: Measurement of entropy randomness in the file. + type: float + threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.pe.sections.flags ignore_above: 1024 level: extended - name: hash + name: sections.flags normalize: [] - original_fieldset: event - short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. + original_fieldset: pe + short: Section flags of the file. type: keyword - threat.enrichments.event.id: - dashed_name: threat-enrichments-event-id - description: Unique ID to describe the event. - example: 8a4f500d - flat_name: threat.enrichments.event.id + threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name ignore_above: 1024 - level: core - name: id + level: extended + name: sections.name normalize: [] - original_fieldset: event - short: Unique ID to describe the event. + original_fieldset: pe + short: Section names of the file. type: keyword - threat.enrichments.event.ingested: - dashed_name: threat-enrichments-event-ingested - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' 
- example: '2016-05-23T08:05:35.101Z' - flat_name: threat.enrichments.event.ingested - level: core - name: ingested + threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size + format: bytes + level: extended + name: sections.raw_size normalize: [] - original_fieldset: event - short: Timestamp when an event arrived in the central data store. - type: date - threat.enrichments.event.kind: - allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. - - `event.kind:alert` is often populated for events coming from firewalls, - intrusion detection systems, endpoint detection and response systems, and - so on.' - name: alert - - description: This value is the most general and most common value for this - field. It is used to represent events that indicate that something happened. - name: event - - description: 'This value is used to indicate that this event describes a numeric - measurement taken at given point in time. - - Examples include CPU utilization, memory usage, or device temperature. - - Metric events are often collected on a predictable frequency, such as once - every few seconds, or once a minute, but can also be used to describe ad-hoc - numeric metric queries.' - name: metric - - description: 'The state value is similar to metric, indicating that this event - describes a measurement taken at given point in time, except that the measurement - does not result in a numeric value, but rather one of a fixed set of categorical - values that represent conditions or states. 
- - Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), - the state of a TCP connection (open, closed, fin_wait, etc.), the state - of a host with respect to a software vulnerability (vulnerable, not vulnerable), - and the state of a system regarding compliance with a regulatory standard - (compliant, not compliant). - - Note that an event that describes a change of state would not use `event.kind:state`, - but instead would use ''event.kind:event'' since a state change fits the - more general event definition of something that happened. - - State events are often collected on a predictable frequency, such as once - every few seconds, once a minute, once an hour, or once a day, but can also - be used to describe ad-hoc state queries.' - name: state - - description: This value indicates that an error occurred during the ingestion - of this event, and that event data may be missing, inconsistent, or incorrect. - `event.kind:pipeline_error` is often associated with parsing errors. - name: pipeline_error - - description: 'This value is used by the Elastic Security app to denote an - Elasticsearch document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful - happened and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' - name: signal - dashed_name: threat-enrichments-event-kind - description: 'This is one of four ECS Categorization Fields, and indicates the - highest level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the - event contains, without being specific to the contents of the event. For example, - values of this field distinguish alert events from metric events. + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. 
+ type: long + threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long + threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval - or not.' - example: alert - flat_name: threat.enrichments.event.kind + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes ignore_above: 1024 - level: core - name: kind + level: extended + name: data.bytes normalize: [] - original_fieldset: event - short: The kind of the event. The highest categorization field in the hierarchy. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword - threat.enrichments.event.module: - dashed_name: threat-enrichments-event-module - description: 'Name of the module this data is coming from. + threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. 
Apache logs), `event.module` should contain - the name of this module.' - example: apache - flat_name: threat.enrichments.event.module + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type ignore_above: 1024 level: core - name: module + name: data.type normalize: [] - original_fieldset: event - short: Name of the module this data is coming from. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.enrichments.event.original: - dashed_name: threat-enrichments-event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may - be required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and - index this field, please see `Field data types` in the `Elasticsearch Reference`.' 
- doc_values: false - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - flat_name: threat.enrichments.event.original - index: false + threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.registry.hive + ignore_above: 1024 level: core - name: original + name: hive normalize: [] - original_fieldset: event - short: Raw text message of entire event. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword - threat.enrichments.event.outcome: - allowed_values: - - description: Indicates that this event describes a failed result. A common - example is `event.category:file AND event.type:access AND event.outcome:failure` - to indicate that a file access was attempted, but was not successful. - name: failure - - description: Indicates that this event describes a successful result. A common - example is `event.category:file AND event.type:create AND event.outcome:success` - to indicate that a file was successfully created. - name: success - - description: Indicates that this event describes only an attempt for which - the result is unknown from the perspective of the event producer. For example, - if the event contains information only about the request side of a transaction - that results in a response, populating `event.outcome:unknown` in the request - event is appropriate. The unknown value should not be used when an outcome - doesn't make logical sense for the event. In such cases `event.outcome` - should not be populated. - name: unknown - dashed_name: threat-enrichments-event-outcome - description: 'This is one of four ECS Categorization Fields, and indicates the - lowest level in the ECS category hierarchy. 
- - `event.outcome` simply denotes whether the event represents a success or a - failure from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each - event may populate different values of `event.outcome`, according to their - perspective. - - Also note that in the case of a compound event (a single event that contains - multiple logical events), this field should be populated with the value that - best captures the overall success or failure from the perspective of the event - producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success - flat_name: threat.enrichments.event.outcome + threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard + threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value + description: Name of the value written. 
+ example: Debugger + flat_name: threat.enrichments.registry.value ignore_above: 1024 level: core - name: outcome + name: value normalize: [] - original_fieldset: event - short: The outcome of the event. The lowest level categorization field in the - hierarchy. + original_fieldset: registry + short: Name of the value written. type: keyword - threat.enrichments.event.provider: - dashed_name: threat-enrichments-event-provider - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - flat_name: threat.enrichments.event.provider + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework ignore_above: 1024 level: extended - name: provider + name: framework normalize: [] - original_fieldset: event - short: Source of the event. + short: Threat classification framework. type: keyword - threat.enrichments.event.reason: - dashed_name: threat-enrichments-event-reason - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` - which denied the request may also populate `event.reason` with the reason - why (e.g. `blocked site`).' 
- example: Terminated an unexpected process - flat_name: threat.enrichments.event.reason + threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: reason - normalize: [] - original_fieldset: event - short: Reason why this event happened, according to the source + name: group.alias + normalize: + - array + short: Alias of the group. type: keyword - threat.enrichments.event.reference: - dashed_name: threat-enrichments-event-reference - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - flat_name: threat.enrichments.event.reference + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id ignore_above: 1024 level: extended - name: reference + name: group.id normalize: [] - original_fieldset: event - short: Event reference URL + short: ID of the group. type: keyword - threat.enrichments.event.risk_score: - dashed_name: threat-enrichments-event-risk-score - description: Risk score or priority of the event (e.g. security solutions). - Use your system's original value here. 
- flat_name: threat.enrichments.event.risk_score - level: core - name: risk_score + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name normalize: [] - original_fieldset: event - short: Risk score or priority of the event (e.g. security solutions). Use your - system's original value here. - type: float - threat.enrichments.event.risk_score_norm: - dashed_name: threat-enrichments-event-risk-score-norm - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - flat_name: threat.enrichments.event.risk_score_norm + short: Name of the group. + type: keyword + threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 level: extended - name: risk_score_norm + name: group.reference normalize: [] - original_fieldset: event - short: Normalized risk score or priority of the event (0-100). - type: float - threat.enrichments.event.sequence: - dashed_name: threat-enrichments-event-sequence - description: 'Sequence number of the event. 
- - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regardless of the timestamp precision.' - flat_name: threat.enrichments.event.sequence - format: string + short: Reference URL of the group. + type: keyword + threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number level: extended - name: sequence - normalize: [] - original_fieldset: event - short: Sequence number of the event. - type: long - threat.enrichments.event.severity: - dashed_name: threat-enrichments-event-severity - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and - use cases. It''s up to the implementer to make sure severities are consistent - across events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` - is meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 - flat_name: threat.enrichments.event.severity - format: string - level: core - name: severity + name: number normalize: [] - original_fieldset: event - short: Numeric severity of the event. + original_fieldset: as + short: Unique number allocated to the autonomous system. type: long - threat.enrichments.event.start: - dashed_name: threat-enrichments-event-start - description: event.start contains the date when the event started or when the - activity was first observed. 
- flat_name: threat.enrichments.event.start + threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name level: extended - name: start + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: event - short: event.start contains the date when the event started or when the activity - was first observed. - type: date - threat.enrichments.event.timezone: - dashed_name: threat-enrichments-event-timezone - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - flat_name: threat.enrichments.event.timezone + original_fieldset: as + short: Organization name. + type: wildcard + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: timezone + name: indicator.confidence normalize: [] - original_fieldset: event - short: Event time zone. + short: Indicator confidence rating type: keyword - threat.enrichments.event.type: - allowed_values: - - description: The access event type is used for the subset of events within - a category that indicate that something was accessed. 
Common examples include - `event.category:database AND event.type:access`, or `event.category:file - AND event.type:access`. Note for file access, both directory listings and - file opens should be included in this subcategory. You can further distinguish - access operations using the ECS `event.action` field. - name: access - - description: 'The admin event type is used for the subset of events within - a category that are related to admin objects. For example, administrative - changes within an IAM framework that do not specifically affect a user or - group (e.g., adding new applications to a federation solution or connecting - discrete forests in Active Directory) would fall into this subcategory. - Common example: `event.category:iam AND event.type:change AND event.type:admin`. - You can further distinguish admin operations using the ECS `event.action` - field.' - name: admin - - description: The allowed event type is used for the subset of events within - a category that indicate that something was allowed. Common examples include - `event.category:network AND event.type:connection AND event.type:allowed` - (to indicate a network firewall event for which the firewall disposition - was to allow the connection to complete) and `event.category:intrusion_detection - AND event.type:allowed` (to indicate a network intrusion prevention system - event for which the IPS disposition was to allow the connection to complete). - You can further distinguish allowed operations using the ECS `event.action` - field, populating with values of your choosing, such as "allow", "detect", - or "pass". - name: allowed - - description: The change event type is used for the subset of events within - a category that indicate that something has changed. If semantics best describe - an event as modified, then include them in this subcategory. Common examples - include `event.category:process AND event.type:change`, and `event.category:file - AND event.type:change`. 
You can further distinguish change operations using - the ECS `event.action` field. - name: change - - description: Used primarily with `event.category:network` this value is used - for the subset of network traffic that includes sufficient information for - the event to be included in flow or connection analysis. Events in this - subcategory will contain at least source and destination IP addresses, source - and destination TCP/UDP ports, and will usually contain counts of bytes - and/or packets transferred. Events in this subcategory may contain unidirectional - or bidirectional information, including summary information. Use this subcategory - to visualize and analyze network connections. Flow analysis, including Netflow, - IPFIX, and other flow-related events fit in this subcategory. Note that - firewall events from many Next-Generation Firewall (NGFW) devices will also - fit into this subcategory. A common filter for flow/connection information - would be `event.category:network AND event.type:connection AND event.type:end` - (to view or analyze all completed network connections, ignoring mid-flow - reports). You can further distinguish connection events using the ECS `event.action` - field, populating with values of your choosing, such as "timeout", or "reset". - name: connection - - description: The "creation" event type is used for the subset of events within - a category that indicate that something was created. A common example is - `event.category:file AND event.type:creation`. - name: creation - - description: The deletion event type is used for the subset of events within - a category that indicate that something was deleted. A common example is - `event.category:file AND event.type:deletion` to indicate that a file has - been deleted. - name: deletion - - description: The denied event type is used for the subset of events within - a category that indicate that something was denied. 
Common examples include - `event.category:network AND event.type:denied` (to indicate a network firewall - event for which the firewall disposition was to deny the connection) and - `event.category:intrusion_detection AND event.type:denied` (to indicate - a network intrusion prevention system event for which the IPS disposition - was to deny the connection to complete). You can further distinguish denied - operations using the ECS `event.action` field, populating with values of - your choosing, such as "blocked", "dropped", or "quarantined". - name: denied - - description: The end event type is used for the subset of events within a - category that indicate something has ended. A common example is `event.category:process - AND event.type:end`. - name: end - - description: The error event type is used for the subset of events within - a category that indicate or describe an error. A common example is `event.category:database - AND event.type:error`. Note that pipeline errors that occur during the event - ingestion process should not use this `event.type` value. Instead, they - should use `event.kind:pipeline_error`. - name: error - - description: 'The group event type is used for the subset of events within - a category that are related to group objects. Common example: `event.category:iam - AND event.type:creation AND event.type:group`. You can further distinguish - group operations using the ECS `event.action` field.' - name: group - - description: The info event type is used for the subset of events within a - category that indicate that they are purely informational, and don't report - a state change, or any type of action. For example, an initial run of a - file integrity monitoring system (FIM), where an agent reports all files - under management, would fall into the "info" subcategory. Similarly, an - event containing a dump of all currently running processes (as opposed to - reporting that a process started/ended) would fall into the "info" subcategory. 
- An additional common examples is `event.category:intrusion_detection AND - event.type:info`. - name: info - - description: The installation event type is used for the subset of events - within a category that indicate that something was installed. A common example - is `event.category:package` AND `event.type:installation`. - name: installation - - description: The protocol event type is used for the subset of events within - a category that indicate that they contain protocol details or analysis, - beyond simply identifying the protocol. Generally, network events that contain - specific protocol details will fall into this subcategory. A common example - is `event.category:network AND event.type:protocol AND event.type:connection - AND event.type:end` (to indicate that the event is a network connection - event sent at the end of a connection that also includes a protocol detail - breakdown). Note that events that only indicate the name or id of the protocol - should not use the protocol value. Further note that when the protocol subcategory - is used, the identified protocol is populated in the ECS `network.protocol` - field. - name: protocol - - description: The start event type is used for the subset of events within - a category that indicate something has started. A common example is `event.category:process - AND event.type:start`. - name: start - - description: 'The user event type is used for the subset of events within - a category that are related to user objects. Common example: `event.category:iam - AND event.type:deletion AND event.type:user`. You can further distinguish - user operations using the ECS `event.action` field.' - name: user - dashed_name: threat-enrichments-event-type - description: 'This is one of four ECS Categorization Fields, and indicates the - third level in the ECS category hierarchy. 
- - `event.type` represents a categorization "sub-bucket" that, when used along - with the `event.category` field values, enables filtering events down to a - level appropriate for single visualization. - - This field is an array. This will allow proper categorization of some events - that fall in multiple event types.' - flat_name: threat.enrichments.event.type + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: event - short: Event type. The third categorization field in the hierarchy. + level: extended + name: indicator.description + normalize: [] + short: Indicator description type: keyword - threat.enrichments.event.url: - dashed_name: threat-enrichments-event-url - description: 'URL linking to an external system to continue investigation of - this event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - flat_name: threat.enrichments.event.url + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). 
+ example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: url + name: indicator.email.address normalize: [] - original_fieldset: event - short: Event investigation URL + short: Indicator email address type: keyword - threat.enrichments.file.accessed: - dashed_name: threat-enrichments-file-accessed + threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' - flat_name: threat.enrichments.file.accessed + flat_name: threat.indicator.file.accessed level: extended name: accessed normalize: [] original_fieldset: file short: Last time the file was accessed. type: date - threat.enrichments.file.attributes: - dashed_name: threat-enrichments-file-attributes + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes description: 'Array of file attributes. Attributes names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' - flat_name: threat.enrichments.file.attributes + flat_name: threat.indicator.file.attributes ignore_above: 1024 level: extended name: attributes 
@@ -15362,25 +17474,25 @@ threat: original_fieldset: file short: Array of file attributes. type: keyword - threat.enrichments.file.code_signature.exists: - dashed_name: threat-enrichments-file-code-signature-exists + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: threat.enrichments.file.code_signature.exists + flat_name: threat.indicator.file.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean - threat.enrichments.file.code_signature.signing_id: - dashed_name: threat-enrichments-file-code-signature-signing-id + threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: threat.enrichments.file.code_signature.signing_id + flat_name: threat.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id 
@@ -15388,15 +17500,15 @@ threat: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword - threat.enrichments.file.code_signature.status: - dashed_name: threat-enrichments-file-code-signature-status + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: threat.enrichments.file.code_signature.status + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 level: extended name: status @@ -15404,11 +17516,11 @@ threat: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword - threat.enrichments.file.code_signature.subject_name: - dashed_name: threat-enrichments-file-code-signature-subject-name + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: threat.enrichments.file.code_signature.subject_name + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 level: core name: subject_name 
@@ -15416,14 +17528,14 @@ threat: original_fieldset: code_signature short: Subject name of the code signer type: keyword - threat.enrichments.file.code_signature.team_id: - dashed_name: threat-enrichments-file-code-signature-team-id + threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: threat.enrichments.file.code_signature.team_id + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 level: extended name: team_id 
@@ -15431,28 +17543,28 @@ threat: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword - threat.enrichments.file.code_signature.trusted: - dashed_name: threat-enrichments-file-code-signature-trusted + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: threat.enrichments.file.code_signature.trusted + flat_name: threat.indicator.file.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean - threat.enrichments.file.code_signature.valid: - dashed_name: threat-enrichments-file-code-signature-valid + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: threat.enrichments.file.code_signature.valid + flat_name: threat.indicator.file.code_signature.valid level: extended name: valid normalize: [] 
@@ -15460,36 +17572,36 @@ threat: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean - threat.enrichments.file.created: - dashed_name: threat-enrichments-file-created + threat.indicator.file.created: + dashed_name: threat-indicator-file-created description: 'File creation time. Note that not all filesystems store the creation time.' - flat_name: threat.enrichments.file.created + flat_name: threat.indicator.file.created level: extended name: created normalize: [] original_fieldset: file short: File creation time. type: date - threat.enrichments.file.ctime: - dashed_name: threat-enrichments-file-ctime + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.enrichments.file.ctime + flat_name: threat.indicator.file.ctime level: extended name: ctime normalize: [] original_fieldset: file short: Last time the file attributes or metadata changed. type: date - threat.enrichments.file.device: - dashed_name: threat-enrichments-file-device + threat.indicator.file.device: + dashed_name: threat-indicator-file-device description: Device that is the source of the file. example: sda - flat_name: threat.enrichments.file.device + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended name: device 
@@ -15497,26 +17609,26 @@ threat: original_fieldset: file short: Device that is the source of the file. type: keyword - threat.enrichments.file.directory: - dashed_name: threat-enrichments-file-directory + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice - flat_name: threat.enrichments.file.directory + flat_name: threat.indicator.file.directory level: extended name: directory normalize: [] original_fieldset: file short: Directory where the file is located. type: wildcard - threat.enrichments.file.drive_letter: - dashed_name: threat-enrichments-file-drive-letter + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C - flat_name: threat.enrichments.file.drive_letter + flat_name: threat.indicator.file.drive_letter ignore_above: 1 level: extended name: drive_letter @@ -15524,11 +17636,11 @@ threat: original_fieldset: file short: Drive letter where the file is located. type: keyword - threat.enrichments.file.elf.architecture: - dashed_name: threat-enrichments-file-elf-architecture + threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: threat.enrichments.file.elf.architecture + flat_name: threat.indicator.file.elf.architecture ignore_above: 1024 level: extended name: architecture 
@@ -15536,11 +17648,11 @@ threat: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword - threat.enrichments.file.elf.byte_order: - dashed_name: threat-enrichments-file-elf-byte-order + threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: threat.enrichments.file.elf.byte_order + flat_name: threat.indicator.file.elf.byte_order ignore_above: 1024 level: extended name: byte_order @@ -15548,11 +17660,11 @@ threat: original_fieldset: elf short: Byte sequence of ELF file. type: keyword - threat.enrichments.file.elf.cpu_type: - dashed_name: threat-enrichments-file-elf-cpu-type + threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: threat.enrichments.file.elf.cpu_type + flat_name: threat.indicator.file.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type 
@@ -15560,21 +17672,21 @@ threat: original_fieldset: elf short: CPU type of the ELF file. type: keyword - threat.enrichments.file.elf.creation_date: - dashed_name: threat-enrichments-file-elf-creation-date + threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: threat.enrichments.file.elf.creation_date + flat_name: threat.indicator.file.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date - threat.enrichments.file.elf.exports: - dashed_name: threat-enrichments-file-elf-exports + threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports description: List of exported element names and types. - flat_name: threat.enrichments.file.elf.exports + flat_name: threat.indicator.file.elf.exports level: extended name: exports normalize: @@ -15582,10 +17694,10 @@ threat: original_fieldset: elf short: List of exported element names and types. type: flattened - threat.enrichments.file.elf.header.abi_version: - dashed_name: threat-enrichments-file-elf-header-abi-version + threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.enrichments.file.elf.header.abi_version + flat_name: threat.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version 
@@ -15593,10 +17705,10 @@ threat: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword - threat.enrichments.file.elf.header.class: - dashed_name: threat-enrichments-file-elf-header-class + threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class description: Header class of the ELF file. - flat_name: threat.enrichments.file.elf.header.class + flat_name: threat.indicator.file.elf.header.class ignore_above: 1024 level: extended name: header.class @@ -15604,10 +17716,10 @@ threat: original_fieldset: elf short: Header class of the ELF file. type: keyword - threat.enrichments.file.elf.header.data: - dashed_name: threat-enrichments-file-elf-header-data + threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data description: Data table of the ELF header. - flat_name: threat.enrichments.file.elf.header.data + flat_name: threat.indicator.file.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -15615,10 +17727,10 @@ threat: original_fieldset: elf short: Data table of the ELF header. type: keyword - threat.enrichments.file.elf.header.entrypoint: - dashed_name: threat-enrichments-file-elf-header-entrypoint + threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: threat.enrichments.file.elf.header.entrypoint + flat_name: threat.indicator.file.elf.header.entrypoint format: string level: extended name: header.entrypoint 
@@ -15626,10 +17738,10 @@ threat: original_fieldset: elf short: Header entrypoint of the ELF file. type: long - threat.enrichments.file.elf.header.object_version: - dashed_name: threat-enrichments-file-elf-header-object-version + threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: threat.enrichments.file.elf.header.object_version + flat_name: threat.indicator.file.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version @@ -15637,10 +17749,10 @@ threat: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword - threat.enrichments.file.elf.header.os_abi: - dashed_name: threat-enrichments-file-elf-header-os-abi + threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.enrichments.file.elf.header.os_abi + flat_name: threat.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -15648,10 +17760,10 @@ threat: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword - threat.enrichments.file.elf.header.type: - dashed_name: threat-enrichments-file-elf-header-type + threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type description: Header type of the ELF file. - flat_name: threat.enrichments.file.elf.header.type + flat_name: threat.indicator.file.elf.header.type ignore_above: 1024 level: extended name: header.type 
@@ -15659,10 +17771,10 @@ threat: original_fieldset: elf short: Header type of the ELF file. type: keyword - threat.enrichments.file.elf.header.version: - dashed_name: threat-enrichments-file-elf-header-version + threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version description: Version of the ELF header. - flat_name: threat.enrichments.file.elf.header.version + flat_name: threat.indicator.file.elf.header.version ignore_above: 1024 level: extended name: header.version @@ -15670,10 +17782,10 @@ threat: original_fieldset: elf short: Version of the ELF header. type: keyword - threat.enrichments.file.elf.imports: - dashed_name: threat-enrichments-file-elf-imports + threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports description: List of imported element names and types. - flat_name: threat.enrichments.file.elf.imports + flat_name: threat.indicator.file.elf.imports level: extended name: imports normalize: @@ -15681,13 +17793,13 @@ threat: original_fieldset: elf short: List of imported element names and types. type: flattened - threat.enrichments.file.elf.sections: - dashed_name: threat-enrichments-file-elf-sections + threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: threat.enrichments.file.elf.sections + flat_name: threat.indicator.file.elf.sections level: extended name: sections normalize: 
@@ -15695,10 +17807,10 @@ threat: original_fieldset: elf short: Section information of the ELF file. type: nested - threat.enrichments.file.elf.sections.chi2: - dashed_name: threat-enrichments-file-elf-sections-chi2 + threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: threat.enrichments.file.elf.sections.chi2 + flat_name: threat.indicator.file.elf.sections.chi2 format: number level: extended name: sections.chi2 @@ -15706,10 +17818,10 @@ threat: original_fieldset: elf short: Chi-square probability distribution of the section. type: long - threat.enrichments.file.elf.sections.entropy: - dashed_name: threat-enrichments-file-elf-sections-entropy + threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: threat.enrichments.file.elf.sections.entropy + flat_name: threat.indicator.file.elf.sections.entropy format: number level: extended name: sections.entropy @@ -15717,10 +17829,10 @@ threat: original_fieldset: elf short: Shannon entropy calculation from the section. type: long - threat.enrichments.file.elf.sections.flags: - dashed_name: threat-enrichments-file-elf-sections-flags + threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags description: ELF Section List flags. - flat_name: threat.enrichments.file.elf.sections.flags + flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -15728,10 +17840,10 @@ threat: original_fieldset: elf short: ELF Section List flags. type: keyword - threat.enrichments.file.elf.sections.name: - dashed_name: threat-enrichments-file-elf-sections-name + threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name description: ELF Section List name. - flat_name: threat.enrichments.file.elf.sections.name + flat_name: threat.indicator.file.elf.sections.name ignore_above: 1024 level: extended name: sections.name @@ -15739,10 +17851,10 @@ threat: original_fieldset: elf short: ELF Section List name. type: keyword - threat.enrichments.file.elf.sections.physical_offset: - dashed_name: threat-enrichments-file-elf-sections-physical-offset + threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset description: ELF Section List offset. - flat_name: threat.enrichments.file.elf.sections.physical_offset + flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -15750,10 +17862,10 @@ threat: original_fieldset: elf short: ELF Section List offset. type: keyword - threat.enrichments.file.elf.sections.physical_size: - dashed_name: threat-enrichments-file-elf-sections-physical-size + threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size description: ELF Section List physical size. - flat_name: threat.enrichments.file.elf.sections.physical_size + flat_name: threat.indicator.file.elf.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -15761,10 +17873,10 @@ threat: original_fieldset: elf short: ELF Section List physical size. type: long - threat.enrichments.file.elf.sections.type: - dashed_name: threat-enrichments-file-elf-sections-type + threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type description: ELF Section List type. - flat_name: threat.enrichments.file.elf.sections.type + flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended name: sections.type @@ -15772,10 +17884,10 @@ threat: original_fieldset: elf short: ELF Section List type. type: keyword - threat.enrichments.file.elf.sections.virtual_address: - dashed_name: threat-enrichments-file-elf-sections-virtual-address + threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: threat.enrichments.file.elf.sections.virtual_address + flat_name: threat.indicator.file.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -15783,10 +17895,10 @@ threat: original_fieldset: elf short: ELF Section List virtual address. type: long - threat.enrichments.file.elf.sections.virtual_size: - dashed_name: threat-enrichments-file-elf-sections-virtual-size + threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: threat.enrichments.file.elf.sections.virtual_size + flat_name: threat.indicator.file.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -15794,13 +17906,13 @@ threat: original_fieldset: elf short: ELF Section List virtual size. type: long - threat.enrichments.file.elf.segments: - dashed_name: threat-enrichments-file-elf-segments + threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: threat.enrichments.file.elf.segments + flat_name: threat.indicator.file.elf.segments level: extended name: segments normalize: @@ -15808,10 +17920,10 @@ threat: original_fieldset: elf short: ELF object segment list. type: nested - threat.enrichments.file.elf.segments.sections: - dashed_name: threat-enrichments-file-elf-segments-sections + threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections description: ELF object segment sections. - flat_name: threat.enrichments.file.elf.segments.sections + flat_name: threat.indicator.file.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -15819,10 +17931,10 @@ threat: original_fieldset: elf short: ELF object segment sections. type: keyword - threat.enrichments.file.elf.segments.type: - dashed_name: threat-enrichments-file-elf-segments-type + threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type description: ELF object segment type. - flat_name: threat.enrichments.file.elf.segments.type + flat_name: threat.indicator.file.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -15830,10 +17942,10 @@ threat: original_fieldset: elf short: ELF object segment type. type: keyword - threat.enrichments.file.elf.shared_libraries: - dashed_name: threat-enrichments-file-elf-shared-libraries + threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: threat.enrichments.file.elf.shared_libraries + flat_name: threat.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -15842,10 +17954,10 @@ threat: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword - threat.enrichments.file.elf.telfhash: - dashed_name: threat-enrichments-file-elf-telfhash + threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: threat.enrichments.file.elf.telfhash + flat_name: threat.indicator.file.elf.telfhash ignore_above: 1024 level: extended name: telfhash @@ -15853,14 +17965,14 @@ threat: original_fieldset: elf short: telfhash hash for ELF file. type: keyword - threat.enrichments.file.extension: - dashed_name: threat-enrichments-file-extension + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.file.extension + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended name: extension 
@@ -15868,11 +17980,11 @@ threat: original_fieldset: file short: File extension, excluding the leading dot. type: keyword - threat.enrichments.file.gid: - dashed_name: threat-enrichments-file-gid + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid description: Primary group ID (GID) of the file. example: '1001' - flat_name: threat.enrichments.file.gid + flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended name: gid @@ -15880,11 +17992,11 @@ threat: original_fieldset: file short: Primary group ID (GID) of the file. type: keyword - threat.enrichments.file.group: - dashed_name: threat-enrichments-file-group + threat.indicator.file.group: + dashed_name: threat-indicator-file-group description: Primary group name of the file. example: alice - flat_name: threat.enrichments.file.group + flat_name: threat.indicator.file.group ignore_above: 1024 level: extended name: group @@ -15892,11 +18004,11 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword - threat.enrichments.file.inode: - dashed_name: threat-enrichments-file-inode + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode description: Inode representing the file in the filesystem. example: '256383' - flat_name: threat.enrichments.file.inode + flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended name: inode 
@@ -15904,13 +18016,13 @@ threat: original_fieldset: file short: Inode representing the file in the filesystem. type: keyword - threat.enrichments.file.mime_type: - dashed_name: threat-enrichments-file-mime-type + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - flat_name: threat.enrichments.file.mime_type + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended name: mime_type @@ -15918,11 +18030,11 @@ threat: original_fieldset: file short: Media type of file, document, or arrangement of bytes. type: keyword - threat.enrichments.file.mode: - dashed_name: threat-enrichments-file-mode + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode description: Mode of the file in octal representation. example: '0640' - flat_name: threat.enrichments.file.mode + flat_name: threat.indicator.file.mode ignore_above: 1024 level: extended name: mode 
@@ -15930,21 +18042,21 @@ threat: original_fieldset: file short: Mode of the file in octal representation. type: keyword - threat.enrichments.file.mtime: - dashed_name: threat-enrichments-file-mtime + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime description: Last time the file content was modified. - flat_name: threat.enrichments.file.mtime + flat_name: threat.indicator.file.mtime level: extended name: mtime normalize: [] original_fieldset: file short: Last time the file content was modified. type: date - threat.enrichments.file.name: - dashed_name: threat-enrichments-file-name + threat.indicator.file.name: + dashed_name: threat-indicator-file-name description: Name of the file including the extension, without the directory. example: example.png - flat_name: threat.enrichments.file.name + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended name: name @@ -15952,11 +18064,11 @@ threat: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword - threat.enrichments.file.owner: - dashed_name: threat-enrichments-file-owner + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner description: File owner's username. example: alice - flat_name: threat.enrichments.file.owner + flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended name: owner 
@@ -15964,15 +18076,15 @@ threat: original_fieldset: file short: File owner's username. type: keyword - threat.enrichments.file.path: - dashed_name: threat-enrichments-file-path + threat.indicator.file.path: + dashed_name: threat-indicator-file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png - flat_name: threat.enrichments.file.path + flat_name: threat.indicator.file.path level: extended multi_fields: - - flat_name: threat.enrichments.file.path.text + - flat_name: threat.indicator.file.path.text name: text norms: false type: text @@ -15981,26 +18093,26 @@ threat: original_fieldset: file short: Full path to the file, including the file name. type: wildcard - threat.enrichments.file.size: - dashed_name: threat-enrichments-file-size + threat.indicator.file.size: + dashed_name: threat-indicator-file-size description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 - flat_name: threat.enrichments.file.size + flat_name: threat.indicator.file.size level: extended name: size normalize: [] original_fieldset: file short: File size in bytes. type: long - threat.enrichments.file.target_path: - dashed_name: threat-enrichments-file-target-path + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path description: Target path for symlinks. - flat_name: threat.enrichments.file.target_path + flat_name: threat.indicator.file.target_path level: extended multi_fields: - - flat_name: threat.enrichments.file.target_path.text + - flat_name: threat.indicator.file.target_path.text name: text norms: false type: text 
@@ -16009,11 +18121,11 @@ threat: original_fieldset: file short: Target path for symlinks. type: wildcard - threat.enrichments.file.type: - dashed_name: threat-enrichments-file-type + threat.indicator.file.type: + dashed_name: threat-indicator-file-type description: File type (file, dir, or symlink). example: file - flat_name: threat.enrichments.file.type + flat_name: threat.indicator.file.type ignore_above: 1024 level: extended name: type @@ -16021,11 +18133,11 @@ threat: original_fieldset: file short: File type (file, dir, or symlink). type: keyword - threat.enrichments.file.uid: - dashed_name: threat-enrichments-file-uid + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' - flat_name: threat.enrichments.file.uid + flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended name: uid @@ -16033,11 +18145,23 @@ threat: original_fieldset: file short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword - threat.enrichments.geo.city_name: - dashed_name: threat-enrichments-geo-city-name + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name description: City name. example: Montreal - flat_name: threat.enrichments.geo.city_name + flat_name: threat.indicator.geo.city_name ignore_above: 1024 level: core name: city_name 
@@ -16045,11 +18169,11 @@ threat: original_fieldset: geo short: City name. type: keyword - threat.enrichments.geo.continent_code: - dashed_name: threat-enrichments-geo-continent-code + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code description: Two-letter code representing continent's name. example: NA - flat_name: threat.enrichments.geo.continent_code + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 level: core name: continent_code @@ -16057,11 +18181,11 @@ threat: original_fieldset: geo short: Continent code. type: keyword - threat.enrichments.geo.continent_name: - dashed_name: threat-enrichments-geo-continent-name + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name description: Name of the continent. example: North America - flat_name: threat.enrichments.geo.continent_name + flat_name: threat.indicator.geo.continent_name ignore_above: 1024 level: core name: continent_name @@ -16069,11 +18193,11 @@ threat: original_fieldset: geo short: Name of the continent. type: keyword - threat.enrichments.geo.country_iso_code: - dashed_name: threat-enrichments-geo-country-iso-code + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code description: Country ISO code. example: CA - flat_name: threat.enrichments.geo.country_iso_code + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code @@ -16081,11 +18205,11 @@ threat: original_fieldset: geo short: Country ISO code. type: keyword - threat.enrichments.geo.country_name: - dashed_name: threat-enrichments-geo-country-name + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name description: Country name. example: Canada - flat_name: threat.enrichments.geo.country_name + flat_name: threat.indicator.geo.country_name ignore_above: 1024 level: core name: country_name 
@@ -16093,19 +18217,19 @@ threat: original_fieldset: geo short: Country name. type: keyword - threat.enrichments.geo.location: - dashed_name: threat-enrichments-geo-location + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.enrichments.geo.location + flat_name: threat.indicator.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point - threat.enrichments.geo.name: - dashed_name: threat-enrichments-geo-name + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -16114,21 +18238,21 @@ threat: Not typically used in automated geolocation.' example: boston-dc - flat_name: threat.enrichments.geo.name + flat_name: threat.indicator.geo.name level: extended name: name normalize: [] original_fieldset: geo short: User-defined description of a location. type: wildcard - threat.enrichments.geo.postal_code: - dashed_name: threat-enrichments-geo-postal-code + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 - flat_name: threat.enrichments.geo.postal_code + flat_name: threat.indicator.geo.postal_code ignore_above: 1024 level: core name: postal_code 
@@ -16136,11 +18260,11 @@ threat: original_fieldset: geo short: Postal code. type: keyword - threat.enrichments.geo.region_iso_code: - dashed_name: threat-enrichments-geo-region-iso-code + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code description: Region ISO code. example: CA-QC - flat_name: threat.enrichments.geo.region_iso_code + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code @@ -16148,11 +18272,11 @@ threat: original_fieldset: geo short: Region ISO code. type: keyword - threat.enrichments.geo.region_name: - dashed_name: threat-enrichments-geo-region-name + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name description: Region name. example: Quebec - flat_name: threat.enrichments.geo.region_name + flat_name: threat.indicator.geo.region_name ignore_above: 1024 level: core name: region_name @@ -16160,11 +18284,11 @@ threat: original_fieldset: geo short: Region name. type: keyword - threat.enrichments.geo.timezone: - dashed_name: threat-enrichments-geo-timezone + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires - flat_name: threat.enrichments.geo.timezone + flat_name: threat.indicator.geo.timezone ignore_above: 1024 level: core name: timezone @@ -16172,10 +18296,10 @@ threat: original_fieldset: geo short: Time zone. type: keyword - threat.enrichments.hash.md5: - dashed_name: threat-enrichments-hash-md5 + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 description: MD5 hash. - flat_name: threat.enrichments.hash.md5 + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended name: md5 
@@ -16183,10 +18307,10 @@ threat: original_fieldset: hash short: MD5 hash. type: keyword - threat.enrichments.hash.sha1: - dashed_name: threat-enrichments-hash-sha1 + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 description: SHA1 hash. - flat_name: threat.enrichments.hash.sha1 + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -16194,10 +18318,10 @@ threat: original_fieldset: hash short: SHA1 hash. type: keyword - threat.enrichments.hash.sha256: - dashed_name: threat-enrichments-hash-sha256 + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 description: SHA256 hash. - flat_name: threat.enrichments.hash.sha256 + flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -16205,10 +18329,10 @@ threat: original_fieldset: hash short: SHA256 hash. type: keyword - threat.enrichments.hash.sha512: - dashed_name: threat-enrichments-hash-sha512 + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 description: SHA512 hash. - flat_name: threat.enrichments.hash.sha512 + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -16216,10 +18340,10 @@ threat: original_fieldset: hash short: SHA512 hash. type: keyword - threat.enrichments.hash.ssdeep: - dashed_name: threat-enrichments-hash-ssdeep + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep description: SSDEEP hash. - flat_name: threat.enrichments.hash.ssdeep + flat_name: threat.indicator.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep 
@@ -16227,74 +18351,60 @@ threat: original_fieldset: hash short: SSDEEP hash. type: keyword - threat.enrichments.matched.atomic: - beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic - ignore_above: 1024 - level: extended - name: enrichments.matched.atomic - normalize: [] - short: Matched indicator value - type: keyword - threat.enrichments.matched.field: + threat.indicator.ip: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - flat_name: threat.enrichments.matched.field - ignore_above: 1024 + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip level: extended - name: enrichments.matched.field + name: indicator.ip normalize: [] - short: Matched indicator field - type: keyword - threat.enrichments.matched.id: + short: Indicator IP address + type: ip + threat.indicator.last_seen: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id - ignore_above: 1024 + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen level: extended - name: enrichments.matched.id + name: indicator.last_seen normalize: [] - short: Matched indicator identifier - type: keyword - threat.enrichments.matched.index: + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended - name: enrichments.matched.index + name: indicator.marking.tlp normalize: [] - short: Matched indicator index + short: Indicator TLP marking type: keyword - threat.enrichments.matched.type: + threat.indicator.modified_at: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type - ignore_above: 1024 + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: enrichments.matched.type + name: indicator.modified_at normalize: [] - short: Type of indicator match - type: keyword - threat.enrichments.pe.architecture: - dashed_name: threat-enrichments-pe-architecture + short: Date/time indicator was last updated. 
+ type: date + threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture description: CPU architecture target for the file. example: x64 - flat_name: threat.enrichments.pe.architecture + flat_name: threat.indicator.pe.architecture ignore_above: 1024 level: extended name: architecture @@ -16302,11 +18412,11 @@ threat: original_fieldset: pe short: CPU architecture target for the file. type: keyword - threat.enrichments.pe.authentihash: - dashed_name: threat-enrichments-pe-authentihash + threat.indicator.pe.authentihash: + dashed_name: threat-indicator-pe-authentihash description: Authentihash of the PE file. example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.enrichments.pe.authentihash + flat_name: threat.indicator.pe.authentihash ignore_above: 1024 level: extended name: authentihash @@ -16314,11 +18424,11 @@ threat: original_fieldset: pe short: Authentihash of the PE file. type: keyword - threat.enrichments.pe.company: - dashed_name: threat-enrichments-pe-company + threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company description: Internal company name of the file, provided at compile-time. example: Microsoft Corporation - flat_name: threat.enrichments.pe.company + flat_name: threat.indicator.pe.company ignore_above: 1024 level: extended name: company 
@@ -16326,22 +18436,22 @@ threat: original_fieldset: pe short: Internal company name of the file, provided at compile-time. type: keyword - threat.enrichments.pe.compile_timestamp: - dashed_name: threat-enrichments-pe-compile-timestamp + threat.indicator.pe.compile_timestamp: + dashed_name: threat-indicator-pe-compile-timestamp description: Compile timestamp of the PE file. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.compile_timestamp + flat_name: threat.indicator.pe.compile_timestamp level: extended name: compile_timestamp normalize: [] original_fieldset: pe short: Compile timestamp of the PE file. type: date - threat.enrichments.pe.compiler.name: - dashed_name: threat-enrichments-pe-compiler-name + threat.indicator.pe.compiler.name: + dashed_name: threat-indicator-pe-compiler-name description: Name of the compiler example: Clang - flat_name: threat.enrichments.pe.compiler.name + flat_name: threat.indicator.pe.compiler.name ignore_above: 1024 level: extended name: compiler.name @@ -16349,11 +18459,11 @@ threat: original_fieldset: pe short: Name of the compiler type: keyword - threat.enrichments.pe.compiler.version: - dashed_name: threat-enrichments-pe-compiler-version + threat.indicator.pe.compiler.version: + dashed_name: threat-indicator-pe-compiler-version description: Version of the compiler. example: 11.0.0 - flat_name: threat.enrichments.pe.compiler.version + flat_name: threat.indicator.pe.compiler.version ignore_above: 1024 level: extended name: compiler.version 
@@ -16361,24 +18471,24 @@ threat: original_fieldset: pe short: Version of the compiler. type: keyword - threat.enrichments.pe.creation_date: - dashed_name: threat-enrichments-pe-creation-date + threat.indicator.pe.creation_date: + dashed_name: threat-indicator-pe-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.creation_date + flat_name: threat.indicator.pe.creation_date level: extended name: creation_date normalize: [] original_fieldset: pe short: Build or compile date. type: date - threat.enrichments.pe.debug: - dashed_name: threat-enrichments-pe-debug + threat.indicator.pe.debug: + dashed_name: threat-indicator-pe-debug description: 'An array containing an object for each debug entry, if present. The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.enrichments.pe.debug + flat_name: threat.indicator.pe.debug level: extended name: debug normalize: @@ -16386,11 +18496,11 @@ threat: original_fieldset: pe short: Debug information type: nested - threat.enrichments.pe.debug.offset: - dashed_name: threat-enrichments-pe-debug-offset + threat.indicator.pe.debug.offset: + dashed_name: threat-indicator-pe-debug-offset description: Debug offset information. example: 1296336 - flat_name: threat.enrichments.pe.debug.offset + flat_name: threat.indicator.pe.debug.offset ignore_above: 1024 level: extended name: debug.offset 
@@ -16398,11 +18508,11 @@ threat: original_fieldset: pe short: Debug offset information. type: keyword - threat.enrichments.pe.debug.size: - dashed_name: threat-enrichments-pe-debug-size + threat.indicator.pe.debug.size: + dashed_name: threat-indicator-pe-debug-size description: Size of the debug information. example: 816 - flat_name: threat.enrichments.pe.debug.size + flat_name: threat.indicator.pe.debug.size format: bytes level: extended name: debug.size @@ -16410,22 +18520,22 @@ threat: original_fieldset: pe short: Size of the debug information. type: long - threat.enrichments.pe.debug.timestamp: - dashed_name: threat-enrichments-pe-debug-timestamp + threat.indicator.pe.debug.timestamp: + dashed_name: threat-indicator-pe-debug-timestamp description: Timestamp of the debug information. example: '2020-11-05T17:25:47.000Z' - flat_name: threat.enrichments.pe.debug.timestamp + flat_name: threat.indicator.pe.debug.timestamp level: extended name: debug.timestamp normalize: [] original_fieldset: pe short: Timestamp of the debug information. type: date - threat.enrichments.pe.debug.type: - dashed_name: threat-enrichments-pe-debug-type + threat.indicator.pe.debug.type: + dashed_name: threat-indicator-pe-debug-type description: Information type generated by the debug options. example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.enrichments.pe.debug.type + flat_name: threat.indicator.pe.debug.type ignore_above: 1024 level: extended name: debug.type @@ -16433,11 +18543,11 @@ threat: original_fieldset: pe short: Information type generated by the debug options. type: keyword - threat.enrichments.pe.description: - dashed_name: threat-enrichments-pe-description + threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description description: Internal description of the file, provided at compile-time. example: Paint - flat_name: threat.enrichments.pe.description + flat_name: threat.indicator.pe.description ignore_above: 1024 level: extended name: description 
@@ -16445,11 +18555,11 @@ threat: original_fieldset: pe short: Internal description of the file, provided at compile-time. type: keyword - threat.enrichments.pe.entry_point: - dashed_name: threat-enrichments-pe-entry-point + threat.indicator.pe.entry_point: + dashed_name: threat-indicator-pe-entry-point description: Relative byte offset to the base of the PE file. example: 25856 - flat_name: threat.enrichments.pe.entry_point + flat_name: threat.indicator.pe.entry_point ignore_above: 1024 level: extended name: entry_point @@ -16457,11 +18567,11 @@ threat: original_fieldset: pe short: Relative byte offset to the base of the PE file. type: keyword - threat.enrichments.pe.exports: - dashed_name: threat-enrichments-pe-exports + threat.indicator.pe.exports: + dashed_name: threat-indicator-pe-exports description: List of symbols exported by PE example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.enrichments.pe.exports + flat_name: threat.indicator.pe.exports ignore_above: 1024 level: extended name: exports @@ -16470,11 +18580,11 @@ threat: original_fieldset: pe short: List of symbols exported by PE type: keyword - threat.enrichments.pe.file_version: - dashed_name: threat-enrichments-pe-file-version + threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 - flat_name: threat.enrichments.pe.file_version + flat_name: threat.indicator.pe.file_version ignore_above: 1024 level: extended name: file_version 
@@ -16482,12 +18592,12 @@ threat: original_fieldset: pe short: Process name. type: keyword - threat.enrichments.pe.icon.hash.dhash: - dashed_name: threat-enrichments-pe-icon-hash-dhash + threat.indicator.pe.icon.hash.dhash: + dashed_name: threat-indicator-pe-icon-hash-dhash description: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. example: b806e17c8e330d82 - flat_name: threat.enrichments.pe.icon.hash.dhash + flat_name: threat.indicator.pe.icon.hash.dhash ignore_above: 1024 level: extended name: icon.hash.dhash @@ -16496,15 +18606,15 @@ threat: short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword - threat.enrichments.pe.imphash: - dashed_name: threat-enrichments-pe-imphash + threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash description: 'A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.enrichments.pe.imphash + flat_name: threat.indicator.pe.imphash ignore_above: 1024 level: extended name: imphash 
@@ -16512,23 +18622,23 @@ threat: original_fieldset: pe short: A hash of the imports in a PE file. type: keyword - threat.enrichments.pe.imports: - dashed_name: threat-enrichments-pe-imports + threat.indicator.pe.imports: + dashed_name: threat-indicator-pe-imports description: List of all imported functions example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" }' - flat_name: threat.enrichments.pe.imports + flat_name: threat.indicator.pe.imports level: extended name: imports normalize: [] original_fieldset: pe short: List of all imported functions type: flattened - threat.enrichments.pe.machine_type: - dashed_name: threat-enrichments-pe-machine-type + threat.indicator.pe.machine_type: + dashed_name: threat-indicator-pe-machine-type description: Machine type of the PE file. example: Intel 386 or later, and compatibles - flat_name: threat.enrichments.pe.machine_type + flat_name: threat.indicator.pe.machine_type ignore_above: 1024 level: extended name: machine_type 
@@ -16536,22 +18646,22 @@ threat: original_fieldset: pe short: Machine type of the PE file. type: keyword - threat.enrichments.pe.original_file_name: - dashed_name: threat-enrichments-pe-original-file-name + threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE - flat_name: threat.enrichments.pe.original_file_name + flat_name: threat.indicator.pe.original_file_name level: extended name: original_file_name normalize: [] original_fieldset: pe short: Internal name of the file, provided at compile-time. type: wildcard - threat.enrichments.pe.packers: - dashed_name: threat-enrichments-pe-packers + threat.indicator.pe.packers: + dashed_name: threat-indicator-pe-packers description: List of packers and tools used. example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.enrichments.pe.packers + flat_name: threat.indicator.pe.packers ignore_above: 1024 level: extended name: packers @@ -16560,11 +18670,11 @@ threat: original_fieldset: pe short: List of packers and tools used. type: keyword - threat.enrichments.pe.product: - dashed_name: threat-enrichments-pe-product + threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product description: Internal product name of the file, provided at compile-time. example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.enrichments.pe.product + flat_name: threat.indicator.pe.product ignore_above: 1024 level: extended name: product 
@@ -16572,12 +18682,12 @@ threat: original_fieldset: pe short: Internal product name of the file, provided at compile-time. type: keyword - threat.enrichments.pe.resources: - dashed_name: threat-enrichments-pe-resources + threat.indicator.pe.resources: + dashed_name: threat-indicator-pe-resources description: 'An array containing an object for each PE resource, if present. The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.enrichments.pe.resources + flat_name: threat.indicator.pe.resources level: extended name: resources normalize: 
@@ -16585,33 +18695,33 @@ threat: original_fieldset: pe short: PE resource information type: nested - threat.enrichments.pe.resources.chi2: - dashed_name: threat-enrichments-pe-resources-chi2 + threat.indicator.pe.resources.chi2: + dashed_name: threat-indicator-pe-resources-chi2 description: Chi-square probability distribution. example: -1 - flat_name: threat.enrichments.pe.resources.chi2 + flat_name: threat.indicator.pe.resources.chi2 level: extended name: resources.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long - threat.enrichments.pe.resources.entropy: - dashed_name: threat-enrichments-pe-resources-entropy + threat.indicator.pe.resources.entropy: + dashed_name: threat-indicator-pe-resources-entropy description: Measurement of entropy randomness in the resources section. example: 0, 1 - flat_name: threat.enrichments.pe.resources.entropy + flat_name: threat.indicator.pe.resources.entropy level: extended name: resources.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the resources section. type: long - threat.enrichments.pe.resources.filetype: - dashed_name: threat-enrichments-pe-resources-filetype + threat.indicator.pe.resources.filetype: + dashed_name: threat-indicator-pe-resources-filetype description: File type of the resources section. example: Data - flat_name: threat.enrichments.pe.resources.filetype + flat_name: threat.indicator.pe.resources.filetype ignore_above: 1024 level: extended name: resources.filetype 
@@ -16619,11 +18729,11 @@ threat: original_fieldset: pe short: File type of the resources section. type: keyword - threat.enrichments.pe.resources.language: - dashed_name: threat-enrichments-pe-resources-language + threat.indicator.pe.resources.language: + dashed_name: threat-indicator-pe-resources-language description: Language identification. example: CHINESE SIMPLIFIED - flat_name: threat.enrichments.pe.resources.language + flat_name: threat.indicator.pe.resources.language ignore_above: 1024 level: extended name: resources.language @@ -16631,11 +18741,11 @@ threat: original_fieldset: pe short: Language identification. type: keyword - threat.enrichments.pe.resources.sha256: - dashed_name: threat-enrichments-pe-resources-sha256 + threat.indicator.pe.resources.sha256: + dashed_name: threat-indicator-pe-resources-sha256 description: SHA256 hash of resources section. example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.enrichments.pe.resources.sha256 + flat_name: threat.indicator.pe.resources.sha256 ignore_above: 1024 level: extended name: resources.sha256 @@ -16643,11 +18753,11 @@ threat: original_fieldset: pe short: SHA256 hash of resources section. type: keyword - threat.enrichments.pe.resources.type: - dashed_name: threat-enrichments-pe-resources-type + threat.indicator.pe.resources.type: + dashed_name: threat-indicator-pe-resources-type description: Digest of resource types. example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.enrichments.pe.resources.type + flat_name: threat.indicator.pe.resources.type ignore_above: 1024 level: extended name: resources.type 
@@ -16656,11 +18766,11 @@ threat: original_fieldset: pe short: List of resource types. type: keyword - threat.enrichments.pe.rich_header.hash.md5: - dashed_name: threat-enrichments-pe-rich-header-hash-md5 + threat.indicator.pe.rich_header.hash.md5: + dashed_name: threat-indicator-pe-rich-header-hash-md5 description: MD5 hash of the header for the PE file. example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.enrichments.pe.rich_header.hash.md5 + flat_name: threat.indicator.pe.rich_header.hash.md5 ignore_above: 1024 level: extended name: rich_header.hash.md5 @@ -16668,10 +18778,10 @@ threat: original_fieldset: pe short: MD5 hash of the header for the PE file. type: keyword - threat.enrichments.pe.sections: - dashed_name: threat-enrichments-pe-sections + threat.indicator.pe.sections: + dashed_name: threat-indicator-pe-sections description: Data about sections of compiled binary PE - flat_name: threat.enrichments.pe.sections + flat_name: threat.indicator.pe.sections level: extended name: sections normalize: 
@@ -16679,33 +18789,33 @@ threat: original_fieldset: pe short: Data about sections of the compiled binary PE type: nested - threat.enrichments.pe.sections.chi2: - dashed_name: threat-enrichments-pe-sections-chi2 + threat.indicator.pe.sections.chi2: + dashed_name: threat-indicator-pe-sections-chi2 description: Chi-square probability distribution. example: 3027194 - flat_name: threat.enrichments.pe.sections.chi2 + flat_name: threat.indicator.pe.sections.chi2 level: extended name: sections.chi2 normalize: [] original_fieldset: pe short: Chi-square probability distribution. type: long - threat.enrichments.pe.sections.entropy: - dashed_name: threat-enrichments-pe-sections-entropy + threat.indicator.pe.sections.entropy: + dashed_name: threat-indicator-pe-sections-entropy description: Measurement of entropy randomness in the file. example: 6.24 - flat_name: threat.enrichments.pe.sections.entropy + flat_name: threat.indicator.pe.sections.entropy level: extended name: sections.entropy normalize: [] original_fieldset: pe short: Measurement of entropy randomness in the file. type: float - threat.enrichments.pe.sections.flags: - dashed_name: threat-enrichments-pe-sections-flags + threat.indicator.pe.sections.flags: + dashed_name: threat-indicator-pe-sections-flags description: Section flags of the file. example: rx - flat_name: threat.enrichments.pe.sections.flags + flat_name: threat.indicator.pe.sections.flags ignore_above: 1024 level: extended name: sections.flags @@ -16713,11 +18823,11 @@ threat: original_fieldset: pe short: Section flags of the file. type: keyword - threat.enrichments.pe.sections.name: - dashed_name: threat-enrichments-pe-sections-name + threat.indicator.pe.sections.name: + dashed_name: threat-indicator-pe-sections-name description: Section names of the file. example: .text, .data - flat_name: threat.enrichments.pe.sections.name + flat_name: threat.indicator.pe.sections.name ignore_above: 1024 level: extended name: sections.name 
@@ -16725,11 +18835,11 @@ threat: original_fieldset: pe short: Section names of the file. type: keyword - threat.enrichments.pe.sections.raw_size: - dashed_name: threat-enrichments-pe-sections-raw-size + threat.indicator.pe.sections.raw_size: + dashed_name: threat-indicator-pe-sections-raw-size description: Size of the section or the dize of the initialized data on disk. example: 198144 - flat_name: threat.enrichments.pe.sections.raw_size + flat_name: threat.indicator.pe.sections.raw_size format: bytes level: extended name: sections.raw_size @@ -16737,11 +18847,11 @@ threat: original_fieldset: pe short: Size of the section or the dize of the initialized data on disk. type: long - threat.enrichments.pe.sections.virtual_address: - dashed_name: threat-enrichments-pe-sections-virtual-address + threat.indicator.pe.sections.virtual_address: + dashed_name: threat-indicator-pe-sections-virtual-address description: Virtual address available to the file. example: 8192 - flat_name: threat.enrichments.pe.sections.virtual_address + flat_name: threat.indicator.pe.sections.virtual_address format: bytes level: extended name: sections.virtual_address 
@@ -16749,15 +18859,51 @@ threat: original_fieldset: pe short: Virtual address available to the file. type: long - threat.enrichments.registry.data.bytes: - dashed_name: threat-enrichments-registry-data-bytes + threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Indicator provider + type: keyword + threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 + level: extended + name: indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword + threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes description: 'Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.' example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.enrichments.registry.data.bytes + flat_name: threat.indicator.registry.data.bytes ignore_above: 1024 level: extended name: data.bytes 
@@ -16765,8 +18911,8 @@ threat: original_fieldset: registry short: Original bytes written with base64 encoding. type: keyword - threat.enrichments.registry.data.strings: - dashed_name: threat-enrichments-registry-data-strings + threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single @@ -16775,7 +18921,7 @@ threat: variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`).' example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.enrichments.registry.data.strings + flat_name: threat.indicator.registry.data.strings level: core name: data.strings normalize: @@ -16783,11 +18929,11 @@ threat: original_fieldset: registry short: List of strings representing what was written to the registry. type: wildcard - threat.enrichments.registry.data.type: - dashed_name: threat-enrichments-registry-data-type + threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type description: Standard registry type for encoding contents example: REG_SZ - flat_name: threat.enrichments.registry.data.type + flat_name: threat.indicator.registry.data.type ignore_above: 1024 level: core name: data.type @@ -16795,11 +18941,11 @@ threat: original_fieldset: registry short: Standard registry type for encoding contents type: keyword - threat.enrichments.registry.hive: - dashed_name: threat-enrichments-registry-hive + threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive description: Abbreviated name for the hive. example: HKLM - flat_name: threat.enrichments.registry.hive + flat_name: threat.indicator.registry.hive ignore_above: 1024 level: core name: hive 
@@ -16807,34 +18953,34 @@ threat: original_fieldset: registry short: Abbreviated name for the hive. type: keyword - threat.enrichments.registry.key: - dashed_name: threat-enrichments-registry-key + threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.enrichments.registry.key + flat_name: threat.indicator.registry.key level: core name: key normalize: [] original_fieldset: registry short: Hive-relative path of keys. type: wildcard - threat.enrichments.registry.path: - dashed_name: threat-enrichments-registry-path + threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - flat_name: threat.enrichments.registry.path + flat_name: threat.indicator.registry.path level: core name: path normalize: [] original_fieldset: registry short: Full path, including hive, key and value type: wildcard - threat.enrichments.registry.value: - dashed_name: threat-enrichments-registry-value + threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value description: Name of the value written. example: Debugger - flat_name: threat.enrichments.registry.value + flat_name: threat.indicator.registry.value ignore_above: 1024 level: core name: value 
@@ -16842,8 +18988,47 @@ threat: original_fieldset: registry short: Name of the value written. type: keyword - threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain + threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword + threat.indicator.url.domain: + dashed_name: threat-indicator-url-domain description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain 
@@ -16853,15 +19038,15 @@ threat: 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co - flat_name: threat.enrichments.url.domain + flat_name: threat.indicator.url.domain level: extended name: domain normalize: [] original_fieldset: url short: Domain of the url. type: wildcard - threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension + threat.indicator.url.extension: + dashed_name: threat-indicator-url-extension description: 'The field contains the file extension from the original request url, excluding the leading dot. @@ -16873,7 +19058,7 @@ threat: Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.url.extension + flat_name: threat.indicator.url.extension ignore_above: 1024 level: extended name: extension @@ -16881,12 +19066,12 @@ threat: original_fieldset: url short: File extension from the request url, excluding the leading dot. type: keyword - threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment + threat.indicator.url.fragment: + dashed_name: threat-indicator-url-fragment description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + flat_name: threat.indicator.url.fragment ignore_above: 1024 level: extended name: fragment 
@@ -16894,16 +19079,16 @@ threat: original_fieldset: url short: Portion of the url after the `#`. type: keyword - threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full + threat.indicator.url.full: + dashed_name: threat-indicator-url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + flat_name: threat.indicator.url.full level: extended multi_fields: - - flat_name: threat.enrichments.url.full.text + - flat_name: threat.indicator.url.full.text name: text norms: false type: text @@ -16912,8 +19097,8 @@ threat: original_fieldset: url short: Full unparsed URL. type: wildcard - threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original + threat.indicator.url.original: + dashed_name: threat-indicator-url-original description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas @@ -16921,10 +19106,10 @@ threat: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + flat_name: threat.indicator.url.original level: extended multi_fields: - - flat_name: threat.enrichments.url.original.text + - flat_name: threat.indicator.url.original.text name: text norms: false type: text 
@@ -16933,10 +19118,10 @@ threat: original_fieldset: url short: Unmodified original url as seen in the event source. type: wildcard - threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password + threat.indicator.url.password: + dashed_name: threat-indicator-url-password description: Password of the request. - flat_name: threat.enrichments.url.password + flat_name: threat.indicator.url.password ignore_above: 1024 level: extended name: password @@ -16944,21 +19129,21 @@ threat: original_fieldset: url short: Password of the request. type: keyword - threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path + threat.indicator.url.path: + dashed_name: threat-indicator-url-path description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path + flat_name: threat.indicator.url.path level: extended name: path normalize: [] original_fieldset: url short: Path of the request, such as "/search". type: wildcard - threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port + threat.indicator.url.port: + dashed_name: threat-indicator-url-port description: Port of the request, such as 443. example: 443 - flat_name: threat.enrichments.url.port + flat_name: threat.indicator.url.port format: string level: extended name: port @@ -16966,8 +19151,8 @@ threat: original_fieldset: url short: Port of the request, such as 443. type: long - threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query + threat.indicator.url.query: + dashed_name: threat-indicator-url-query description: 'The query field describes the query string of the request, such as "q=elasticsearch". @@ -16975,7 +19160,7 @@ threat: is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - flat_name: threat.enrichments.url.query + flat_name: threat.indicator.url.query ignore_above: 1024 level: extended name: query 
@@ -16983,8 +19168,8 @@ threat: original_fieldset: url short: Query string of the request. type: keyword - threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain + threat.indicator.url.registered_domain: + dashed_name: threat-indicator-url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -16993,20 +19178,20 @@ threat: list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - flat_name: threat.enrichments.url.registered_domain + flat_name: threat.indicator.url.registered_domain level: extended name: registered_domain normalize: [] original_fieldset: url short: The highest registered url domain, stripped of the subdomain. type: wildcard - threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme + threat.indicator.url.scheme: + dashed_name: threat-indicator-url-scheme description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - flat_name: threat.enrichments.url.scheme + flat_name: threat.indicator.url.scheme ignore_above: 1024 level: extended name: scheme @@ -17014,8 +19199,8 @@ threat: original_fieldset: url short: Scheme of the url. type: keyword - threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain + threat.indicator.url.subdomain: + dashed_name: threat-indicator-url-subdomain description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot 
@@ -17025,7 +19210,7 @@ threat: If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east - flat_name: threat.enrichments.url.subdomain + flat_name: threat.indicator.url.subdomain ignore_above: 1024 level: extended name: subdomain @@ -17033,8 +19218,8 @@ threat: original_fieldset: url short: The subdomain of the domain. type: keyword - threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain + threat.indicator.url.top_level_domain: + dashed_name: threat-indicator-url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -17043,7 +19228,7 @@ threat: list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - flat_name: threat.enrichments.url.top_level_domain + flat_name: threat.indicator.url.top_level_domain ignore_above: 1024 level: extended name: top_level_domain @@ -17051,10 +19236,10 @@ threat: original_fieldset: url short: The effective top level domain (com, org, net, co.uk). type: keyword - threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username + threat.indicator.url.username: + dashed_name: threat-indicator-url-username description: Username of the request. - flat_name: threat.enrichments.url.username + flat_name: threat.indicator.url.username ignore_above: 1024 level: extended name: username 
@@ -17062,13 +19247,13 @@ threat: original_fieldset: url short: Username of the request. type: keyword - threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names + threat.indicator.x509.alternative_names: + dashed_name: threat-indicator-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + flat_name: threat.indicator.x509.alternative_names ignore_above: 1024 level: extended name: alternative_names @@ -17077,11 +19262,11 @@ threat: original_fieldset: x509 short: List of subject alternative names (SAN). type: keyword - threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name + threat.indicator.x509.issuer.common_name: + dashed_name: threat-indicator-x509-issuer-common-name description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + flat_name: threat.indicator.x509.issuer.common_name ignore_above: 1024 level: extended name: issuer.common_name @@ -17090,11 +19275,11 @@ threat: original_fieldset: x509 short: List of common name (CN) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country + threat.indicator.x509.issuer.country: + dashed_name: threat-indicator-x509-issuer-country description: List of country (C) codes example: US - flat_name: threat.enrichments.x509.issuer.country + flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 level: extended name: issuer.country 
@@ -17103,23 +19288,23 @@ threat: original_fieldset: x509 short: List of country (C) codes type: keyword - threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name + threat.indicator.x509.issuer.distinguished_name: + dashed_name: threat-indicator-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + flat_name: threat.indicator.x509.issuer.distinguished_name level: extended name: issuer.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. type: wildcard - threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality + threat.indicator.x509.issuer.locality: + dashed_name: threat-indicator-x509-issuer-locality description: List of locality names (L) example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + flat_name: threat.indicator.x509.issuer.locality ignore_above: 1024 level: extended name: issuer.locality @@ -17128,11 +19313,11 @@ threat: original_fieldset: x509 short: List of locality names (L) type: keyword - threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization + threat.indicator.x509.issuer.organization: + dashed_name: threat-indicator-x509-issuer-organization description: List of organizations (O) of issuing certificate authority. example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + flat_name: threat.indicator.x509.issuer.organization ignore_above: 1024 level: extended name: issuer.organization 
@@ -17141,11 +19326,11 @@ threat: original_fieldset: x509 short: List of organizations (O) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit + threat.indicator.x509.issuer.organizational_unit: + dashed_name: threat-indicator-x509-issuer-organizational-unit description: List of organizational units (OU) of issuing certificate authority. example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + flat_name: threat.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended name: issuer.organizational_unit @@ -17154,11 +19339,11 @@ threat: original_fieldset: x509 short: List of organizational units (OU) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province + threat.indicator.x509.issuer.state_or_province: + dashed_name: threat-indicator-x509-issuer-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + flat_name: threat.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended name: issuer.state_or_province 
@@ -17167,33 +19352,33 @@ threat: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after + threat.indicator.x509.not_after: + dashed_name: threat-indicator-x509-not-after description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + flat_name: threat.indicator.x509.not_after level: extended name: not_after normalize: [] original_fieldset: x509 short: Time at which the certificate is no longer considered valid. type: date - threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before + threat.indicator.x509.not_before: + dashed_name: threat-indicator-x509-not-before description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + flat_name: threat.indicator.x509.not_before level: extended name: not_before normalize: [] original_fieldset: x509 short: Time at which the certificate is first considered valid. type: date - threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm + threat.indicator.x509.public_key_algorithm: + dashed_name: threat-indicator-x509-public-key-algorithm description: Algorithm used to generate the public key. example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + flat_name: threat.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended name: public_key_algorithm 
@@ -17201,12 +19386,12 @@ threat: original_fieldset: x509 short: Algorithm used to generate the public key. type: keyword - threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve + threat.indicator.x509.public_key_curve: + dashed_name: threat-indicator-x509-public-key-curve description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + flat_name: threat.indicator.x509.public_key_curve ignore_above: 1024 level: extended name: public_key_curve @@ -17215,12 +19400,12 @@ threat: short: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword - threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent + threat.indicator.x509.public_key_exponent: + dashed_name: threat-indicator-x509-public-key-exponent description: Exponent used to derive the public key. This is algorithm specific. doc_values: false example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent + flat_name: threat.indicator.x509.public_key_exponent index: false level: extended name: public_key_exponent 
@@ -17228,24 +19413,24 @@ threat: original_fieldset: x509 short: Exponent used to derive the public key. This is algorithm specific. type: long - threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size + threat.indicator.x509.public_key_size: + dashed_name: threat-indicator-x509-public-key-size description: The size of the public key space in bits. example: 2048 - flat_name: threat.enrichments.x509.public_key_size + flat_name: threat.indicator.x509.public_key_size level: extended name: public_key_size normalize: [] original_fieldset: x509 short: The size of the public key space in bits. type: long - threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number + threat.indicator.x509.serial_number: + dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + flat_name: threat.indicator.x509.serial_number ignore_above: 1024 level: extended name: serial_number @@ -17253,12 +19438,12 @@ threat: original_fieldset: x509 short: Unique serial number issued by the certificate authority. type: keyword - threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm + threat.indicator.x509.signature_algorithm: + dashed_name: threat-indicator-x509-signature-algorithm description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + flat_name: threat.indicator.x509.signature_algorithm ignore_above: 1024 level: extended name: signature_algorithm 
@@ -17266,11 +19451,11 @@ threat: original_fieldset: x509 short: Identifier for certificate signature algorithm. type: keyword - threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name + threat.indicator.x509.subject.common_name: + dashed_name: threat-indicator-x509-subject-common-name description: List of common names (CN) of subject. example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + flat_name: threat.indicator.x509.subject.common_name ignore_above: 1024 level: extended name: subject.common_name @@ -17279,11 +19464,11 @@ threat: original_fieldset: x509 short: List of common names (CN) of subject. type: keyword - threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country + threat.indicator.x509.subject.country: + dashed_name: threat-indicator-x509-subject-country description: List of country (C) code example: US - flat_name: threat.enrichments.x509.subject.country + flat_name: threat.indicator.x509.subject.country ignore_above: 1024 level: extended name: subject.country 
@@ -17292,22 +19477,22 @@ threat: original_fieldset: x509 short: List of country (C) code type: keyword - threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name + threat.indicator.x509.subject.distinguished_name: + dashed_name: threat-indicator-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + flat_name: threat.indicator.x509.subject.distinguished_name level: extended name: subject.distinguished_name normalize: [] original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. type: wildcard - threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality + threat.indicator.x509.subject.locality: + dashed_name: threat-indicator-x509-subject-locality description: List of locality names (L) example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + flat_name: threat.indicator.x509.subject.locality ignore_above: 1024 level: extended name: subject.locality @@ -17316,11 +19501,11 @@ threat: original_fieldset: x509 short: List of locality names (L) type: keyword - threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization + threat.indicator.x509.subject.organization: + dashed_name: threat-indicator-x509-subject-organization description: List of organizations (O) of subject. example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + flat_name: threat.indicator.x509.subject.organization ignore_above: 1024 level: extended name: subject.organization 
@@ -17329,10 +19514,10 @@ threat: original_fieldset: x509 short: List of organizations (O) of subject. type: keyword - threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit + threat.indicator.x509.subject.organizational_unit: + dashed_name: threat-indicator-x509-subject-organizational-unit description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit + flat_name: threat.indicator.x509.subject.organizational_unit ignore_above: 1024 level: extended name: subject.organizational_unit @@ -17341,11 +19526,11 @@ threat: original_fieldset: x509 short: List of organizational units (OU) of subject. type: keyword - threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province + threat.indicator.x509.subject.state_or_province: + dashed_name: threat-indicator-x509-subject-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.subject.state_or_province + flat_name: threat.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended name: subject.state_or_province @@ -17354,11 +19539,11 @@ threat: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number + threat.indicator.x509.version_number: + dashed_name: threat-indicator-x509-version-number description: Version of x509 format. example: 3 - flat_name: threat.enrichments.x509.version_number + flat_name: threat.indicator.x509.version_number ignore_above: 1024 level: extended name: version_number 
@@ -17366,229 +19551,6 @@ threat: original_fieldset: x509 short: Version of x509 format. type: keyword - threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework - ignore_above: 1024 - level: extended - name: framework - normalize: [] - short: Threat classification framework. - type: keyword - threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias - ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. - type: keyword - threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id - ignore_above: 1024 - level: extended - name: group.id - normalize: [] - short: ID of the group. - type: keyword - threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - flat_name: threat.group.name - ignore_above: 1024 - level: extended - name: group.name - normalize: [] - short: Name of the group. - type: keyword - threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference - ignore_above: 1024 - level: extended - name: group.reference - normalize: [] - short: Reference URL of the group. - type: keyword - threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 - level: extended - name: indicator.confidence - normalize: [] - short: Indicator confidence rating - type: keyword - threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description - ignore_above: 1024 - level: extended - name: indicator.description - normalize: [] - short: Indicator description - type: keyword - threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). 
- example: phish@example.com - flat_name: threat.indicator.email.address - ignore_above: 1024 - level: extended - name: indicator.email.address - normalize: [] - short: Indicator email address - type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen - level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date - threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip - threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen - level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date - threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp - ignore_above: 1024 - level: extended - name: indicator.marking.tlp - normalize: [] - short: Indicator TLP marking - type: keyword - threat.indicator.modified_at: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at - level: extended - name: indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date - threat.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - flat_name: threat.indicator.port - level: extended - name: indicator.port - normalize: [] - short: Indicator port - type: long - threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - flat_name: threat.indicator.scanner_stats - level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long - threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings - level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long - threat.indicator.type: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type - ignore_above: 1024 - level: extended - name: indicator.type - normalize: [] - short: Type of indicator - type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id 
@@ -17793,49 +19755,94 @@ threat: group: 2 name: threat nestings: - - threat.enrichments.as - - threat.enrichments.event - - threat.enrichments.file - - threat.enrichments.geo - - threat.enrichments.hash + - threat.enrichments.indicator.as + - threat.enrichments.indicator.file + - threat.enrichments.indicator.geo + - threat.enrichments.indicator.hash + - threat.enrichments.indicator.pe + - threat.enrichments.indicator.registry + - threat.enrichments.indicator.url + - threat.enrichments.indicator.x509 - threat.enrichments.pe - threat.enrichments.registry - - threat.enrichments.url - - threat.enrichments.x509 + - threat.indicator.as + - threat.indicator.file + - threat.indicator.geo + - threat.indicator.hash + - threat.indicator.pe + - threat.indicator.registry + - threat.indicator.url + - threat.indicator.x509 prefix: threat. reused_here: - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.as + full: threat.indicator.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - - beta: Reusing the `event` fields in this location is currently considered beta. - full: threat.enrichments.event - schema_name: event - short: Fields breaking down the event details. + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.indicator.file + schema_name: file + short: Fields describing files. - beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.file + full: threat.enrichments.indicator.file schema_name: file short: Fields describing files. - beta: Reusing the `geo` fields in this location is currently considered beta. 
- full: threat.enrichments.geo + full: threat.indicator.geo + schema_name: geo + short: Fields describing a location. + - beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.indicator.geo schema_name: geo short: Fields describing a location. - beta: Reusing the `hash` fields in this location is currently considered beta. - full: threat.enrichments.hash + full: threat.indicator.hash + schema_name: hash + short: Hashes, usually file hashes. + - beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.enrichments.indicator.hash schema_name: hash short: Hashes, usually file hashes. + - beta: Reusing the `pe` fields in this location is currently considered beta. + full: threat.indicator.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - beta: Reusing the `pe` fields in this location is currently considered beta. + full: threat.enrichments.indicator.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. - full: threat.enrichments.pe schema_name: pe short: These fields contain Windows Portable Executable (PE) metadata. + - beta: Reusing the `registry` fields in this location is currently considered beta. + full: threat.indicator.registry + schema_name: registry + short: Fields related to Windows Registry operations. + - beta: Reusing the `registry` fields in this location is currently considered beta. + full: threat.enrichments.indicator.registry + schema_name: registry + short: Fields related to Windows Registry operations. - full: threat.enrichments.registry schema_name: registry short: Fields related to Windows Registry operations. - beta: Reusing the `url` fields in this location is currently considered beta. - full: threat.enrichments.url + full: threat.indicator.url schema_name: url short: Fields that let you store URLs in various forms. 
+ - beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.indicator.url + schema_name: url + short: Fields that let you store URLs in various forms. + - beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.indicator.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. - beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.x509 + full: threat.enrichments.indicator.x509 schema_name: x509 short: These fields contain x509 certificate metadata. short: Fields to classify events and alerts according to a threat taxonomy. @@ -19105,9 +21112,13 @@ url: reusable: expected: - as: url - at: threat.enrichments + at: threat.indicator + beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.indicator.url + - as: url + at: threat.enrichments.indicator beta: Reusing the `url` fields in this location is currently considered beta. - full: threat.enrichments.url + full: threat.enrichments.indicator.url top_level: true short: Fields that let you store URLs in various forms. title: URL @@ -20398,9 +22409,13 @@ x509: at: file full: file.x509 - as: x509 - at: threat.enrichments + at: threat.indicator + beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.indicator.x509 + - as: x509 + at: threat.enrichments.indicator beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.x509 + full: threat.enrichments.indicator.x509 - as: x509 at: tls.client full: tls.client.x509 diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index f48bdb75f2..c6fd98f285 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json 
@@ -4471,6 +4471,1019 @@ "threat": { "properties": { "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": 
{ + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + 
"type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { 
+ "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "wildcard" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "type": "wildcard" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "registry": { + "properties": { + 
"data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { "properties": { "as": { "properties": { 
@@ -4492,101 +5505,17 @@ } } }, - "event": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { + "address": { "ignore_above": 1024, "type": "keyword" } @@ -4830,6 +5759,9 @@ } } }, + "first_seen": { + "type": "date" + }, "geo": { "properties": { "city_name": { 
@@ -4900,30 +5832,23 @@ } } }, - "matched": { + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { + "tlp": { "ignore_above": 1024, "type": "keyword" } } }, + "modified_at": { + "type": "date" + }, "pe": { "properties": { "architecture": { @@ -5091,6 +6016,17 @@ } } }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, "registry": { "properties": { "data": { @@ -5124,6 +6060,16 @@ } } }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "url": { "properties": { "domain": { 
@@ -5294,84 +6240,6 @@ } } } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } } }, "software": { diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index a72dd9595b..e39c80b25d 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json 
@@ -9,6 +9,1019 @@ "threat": { "properties": { "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": 
{ + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + 
"type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { 
+ "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "wildcard" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "type": "wildcard" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentihash": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_timestamp": { + "type": "date" + }, + "compiler": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "creation_date": { + "type": "date" + }, + "debug": { + "properties": { + "offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "exports": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "icon": { + "properties": { + "hash": { + "properties": { + "dhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flattened" + }, + "machine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "packers": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "rich_header": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "float" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_size": { + "type": "long" + }, + "virtual_address": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "registry": { + "properties": { + 
"data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { "properties": { "as": { "properties": { 
@@ -30,101 +1043,17 @@ } } }, - "event": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { + "address": { "ignore_above": 1024, "type": "keyword" } @@ -368,6 +1297,9 @@ } } }, + "first_seen": { + "type": "date" + }, "geo": { "properties": { "city_name": { 
@@ -438,30 +1370,23 @@ } } }, - "matched": { + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { + "tlp": { "ignore_above": 1024, "type": "keyword" } } }, + "modified_at": { + "type": "date" + }, "pe": { "properties": { "architecture": { @@ -629,6 +1554,17 @@ } } }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, "registry": { "properties": { "data": { @@ -662,6 +1598,16 @@ } } }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "url": { "properties": { "domain": { 
@@ -832,84 +1778,6 @@ } } } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } } }, "software": { diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index b6ef8dd3d2..1e19b157c6 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1737,8 +1737,8 @@ - name: original level: core type: keyword - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, 
@@ -5925,17 +5925,22 @@ - name: enrichments level: extended type: nested - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. default_field: false - - name: enrichments.as.number + - name: enrichments.indicator + level: extended + type: object + description: Object containing associated indicators enriching the event. + default_field: false + - name: enrichments.indicator.as.number level: extended type: long description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 default_field: false - - name: enrichments.as.organization.name + - name: enrichments.indicator.as.organization.name level: extended type: keyword ignore_above: 1024 
@@ -5946,345 +5951,1208 @@ description: Organization name. example: Google LLC default_field: false - - name: enrichments.event.action - level: core + - name: enrichments.indicator.confidence + level: extended type: keyword ignore_above: 1024 - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: enrichments.event.agent_id_status + - name: enrichments.indicator.description level: extended type: keyword ignore_above: 1024 - description: 'Agents are normally responsible for populating the `agent.id` - field value. If the system receiving events is capable of validating the value - based on authentication information for the client then this field can be - used to reflect the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the - client cert contains the ID of the agent to which the cert was issued then - the `agent.id` value in events can be checked against the certificate. If - the values match then `event.agent_id_status: verified` is added to the event, - otherwise one of the other allowed values should be used. - - If no validation is performed then the field should be omitted. - - The allowed values are: - - `verified` - The `agent.id` field value matches expected value obtained from - auth metadata. - - `mismatch` - The `agent.id` field value does not match the expected value - obtained from auth metadata. 
- - `missing` - There was no `agent.id` field in the event to validate. - - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: enrichments.event.category - level: core + - name: enrichments.indicator.email.address + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - second level in the ECS category hierarchy. - - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process - activity. This field is closely related to `event.type`, which is used as - a subcategory. + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: enrichments.indicator.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. - This field is an array. This will allow proper categorization of some events - that fall in multiple categories.' - example: authentication + Note that not all filesystems keep track of access time.' default_field: false - - name: enrichments.event.code + - name: enrichments.indicator.file.attributes level: extended type: keyword ignore_above: 1024 - description: 'Identification code for this event, if one exists. + description: 'Array of file attributes. - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' default_field: false - - name: enrichments.event.created + - name: enrichments.indicator.file.code_signature.exists level: core - type: date - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: enrichments.indicator.file.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + default_field: false + - name: enrichments.indicator.file.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.event.dataset + - name: enrichments.indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 - description: 'Name of the dataset. + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: enrichments.indicator.file.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes - from. + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: enrichments.indicator.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' - example: apache.access + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' default_field: false - - name: enrichments.event.duration - level: core - type: long - format: duration - input_format: nanoseconds - output_format: asMilliseconds - output_precision: 1 - description: 'Duration of the event in nanoseconds. + - name: enrichments.indicator.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. - If event.start and event.end are known this value should be the difference - between the end and start time.' + Leave unpopulated if a certificate was unchecked.' 
+ example: 'true' default_field: false - - name: enrichments.event.end + - name: enrichments.indicator.file.created level: extended type: date - description: event.end contains the date when the event ended or when the activity - was last observed. + description: 'File creation time. + + Note that not all filesystems store the creation time.' + default_field: false + - name: enrichments.indicator.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: enrichments.event.hash + - name: enrichments.indicator.file.device level: extended type: keyword ignore_above: 1024 - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. - example: 123456789012345678901234567890ABCD + description: Device that is the source of the file. + example: sda default_field: false - - name: enrichments.event.id - level: core + - name: enrichments.indicator.file.directory + level: extended type: keyword ignore_above: 1024 - description: Unique ID to describe the event. - example: 8a4f500d + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice default_field: false - - name: enrichments.event.ingested - level: core - type: date - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. + - name: enrichments.indicator.file.drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. 
- In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' + The value should be uppercase, and not include the colon.' + example: C default_field: false - - name: enrichments.event.kind - level: core + - name: enrichments.indicator.file.elf.architecture + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - highest level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the - event contains, without being specific to the contents of the event. For example, - values of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval - or not.' - example: alert + description: Machine architecture of the ELF file. + example: x86-64 default_field: false - - name: enrichments.event.module - level: core + - name: enrichments.indicator.file.elf.byte_order + level: extended type: keyword ignore_above: 1024 - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain - the name of this module.' - example: apache + description: Byte sequence of ELF file. + example: Little Endian default_field: false - - name: enrichments.event.original - level: core + - name: enrichments.indicator.file.elf.cpu_type + level: extended type: keyword - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may - be required, e.g. for reindex. 
- - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and - index this field, please see `Field data types` in the `Elasticsearch Reference`.' - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - index: false - doc_values: false + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel default_field: false - - name: enrichments.event.outcome - level: core + - name: enrichments.indicator.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: enrichments.indicator.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. + default_field: false + - name: enrichments.indicator.file.elf.header.abi_version + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - lowest level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a - failure from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each - event may populate different values of `event.outcome`, according to their - perspective. - - Also note that in the case of a compound event (a single event that contains - multiple logical events), this field should be populated with the value that - best captures the overall success or failure from the perspective of the event - producer. - - Further note that not all events will have an associated outcome. 
For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: enrichments.indicator.file.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: enrichments.indicator.file.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: enrichments.indicator.file.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: enrichments.indicator.file.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: enrichments.indicator.file.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: enrichments.indicator.file.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: enrichments.indicator.file.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: enrichments.indicator.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: enrichments.indicator.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
+ default_field: false + - name: enrichments.indicator.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: enrichments.indicator.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: enrichments.indicator.file.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. + default_field: false + - name: enrichments.indicator.file.elf.sections.name + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List name. + default_field: false + - name: enrichments.indicator.file.elf.sections.physical_offset + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List offset. + default_field: false + - name: enrichments.indicator.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: enrichments.indicator.file.elf.sections.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List type. + default_field: false + - name: enrichments.indicator.file.elf.sections.virtual_address + level: extended + type: long + format: string + description: ELF Section List virtual address. + default_field: false + - name: enrichments.indicator.file.elf.sections.virtual_size + level: extended + type: long + format: string + description: ELF Section List virtual size. + default_field: false + - name: enrichments.indicator.file.elf.segments + level: extended + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' 
+ default_field: false + - name: enrichments.indicator.file.elf.segments.sections + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment sections. + default_field: false + - name: enrichments.indicator.file.elf.segments.type + level: extended + type: keyword + ignore_above: 1024 + description: ELF object segment type. + default_field: false + - name: enrichments.indicator.file.elf.shared_libraries + level: extended + type: keyword + ignore_above: 1024 + description: List of shared libraries used by this ELF object. + default_field: false + - name: enrichments.indicator.file.elf.telfhash + level: extended + type: keyword + ignore_above: 1024 + description: telfhash symbol hash for ELF file. + default_field: false + - name: enrichments.indicator.file.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: enrichments.indicator.file.gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + default_field: false + - name: enrichments.indicator.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + default_field: false + - name: enrichments.indicator.file.inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: '256383' + default_field: false + - name: enrichments.indicator.file.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. 
When more than one type is applicable, the + most specific type should be used. + default_field: false + - name: enrichments.indicator.file.mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + default_field: false + - name: enrichments.indicator.file.mtime + level: extended + type: date + description: Last time the file content was modified. + default_field: false + - name: enrichments.indicator.file.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + default_field: false + - name: enrichments.indicator.file.owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + default_field: false + - name: enrichments.indicator.file.path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + default_field: false + - name: enrichments.indicator.file.size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + default_field: false + - name: enrichments.indicator.file.target_path + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. + default_field: false + - name: enrichments.indicator.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + default_field: false + - name: enrichments.indicator.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. 
+ example: '1001' + default_field: false + - name: enrichments.indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: enrichments.indicator.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: enrichments.indicator.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: enrichments.indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: enrichments.indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: enrichments.indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: enrichments.indicator.geo.name + level: extended + type: keyword + ignore_above: 1024 + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: enrichments.indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: enrichments.indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: enrichments.indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: enrichments.indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: enrichments.indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: enrichments.indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: enrichments.indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: enrichments.indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: enrichments.indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: enrichments.indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: enrichments.indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + default_field: false + - name: enrichments.indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: enrichments.indicator.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: enrichments.indicator.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: enrichments.indicator.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: enrichments.indicator.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: enrichments.indicator.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: enrichments.indicator.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: enrichments.indicator.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: enrichments.indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: enrichments.indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: The name of the indicator's provider. + example: lrz_urlhaus + default_field: false + - name: enrichments.indicator.reference + level: extended + type: keyword + ignore_above: 1024 + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + default_field: false + - name: enrichments.indicator.registry.data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: enrichments.indicator.registry.data.strings + level: core + type: keyword + ignore_above: 1024 + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. 
For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: enrichments.indicator.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: enrichments.indicator.registry.hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: enrichments.indicator.registry.key + level: core + type: keyword + ignore_above: 1024 + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: enrichments.indicator.registry.path + level: core + type: keyword + ignore_above: 1024 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: enrichments.indicator.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false + - name: enrichments.indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: enrichments.indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + default_field: false + - name: enrichments.indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + default_field: false + - name: enrichments.indicator.url.domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + default_field: false + - name: enrichments.indicator.url.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: enrichments.indicator.url.fragment + level: extended + type: keyword + ignore_above: 1024 + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' 
+ default_field: false + - name: enrichments.indicator.url.full + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + default_field: false + - name: enrichments.indicator.url.original + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + default_field: false + - name: enrichments.indicator.url.password + level: extended + type: keyword + ignore_above: 1024 + description: Password of the request. + default_field: false + - name: enrichments.indicator.url.path + level: extended + type: keyword + ignore_above: 1024 + description: Path of the request, such as "/search". + default_field: false + - name: enrichments.indicator.url.port + level: extended + type: long + format: string + description: Port of the request, such as 443. + example: 443 + default_field: false + - name: enrichments.indicator.url.query + level: extended + type: keyword + ignore_above: 1024 + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' 
+ default_field: false + - name: enrichments.indicator.url.registered_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: enrichments.indicator.url.scheme + level: extended + type: keyword + ignore_above: 1024 + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + default_field: false + - name: enrichments.indicator.url.subdomain + level: extended + type: keyword + ignore_above: 1024 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + default_field: false + - name: enrichments.indicator.url.top_level_domain + level: extended + type: keyword + ignore_above: 1024 + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). 
Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + default_field: false + - name: enrichments.indicator.url.username + level: extended + type: keyword + ignore_above: 1024 + description: Username of the request. + default_field: false + - name: enrichments.indicator.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: enrichments.indicator.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: enrichments.indicator.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: enrichments.indicator.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: enrichments.indicator.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: enrichments.indicator.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc + default_field: false + - name: enrichments.indicator.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: enrichments.indicator.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.indicator.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: enrichments.indicator.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: enrichments.indicator.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: enrichments.indicator.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: enrichments.indicator.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + doc_values: false + default_field: false + - name: enrichments.indicator.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. 
+ example: 2048 + default_field: false + - name: enrichments.indicator.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: enrichments.indicator.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: enrichments.indicator.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: enrichments.indicator.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: enrichments.indicator.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: enrichments.indicator.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: enrichments.indicator.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. 
+ default_field: false + - name: enrichments.indicator.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: enrichments.indicator.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: enrichments.indicator.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false + - name: enrichments.matched.atomic + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + default_field: false + - name: enrichments.matched.field + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 default_field: false - - name: enrichments.event.provider + - name: enrichments.matched.id level: extended type: keyword ignore_above: 1024 - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 default_field: false - - name: enrichments.event.reason + - name: enrichments.matched.index level: extended type: keyword ignore_above: 1024 - description: 'Reason why this event happened, according to the source. 
- - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` - which denied the request may also populate `event.reason` with the reason - why (e.g. `blocked site`).' - example: Terminated an unexpected process + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 default_field: false - - name: enrichments.event.reference + - name: enrichments.matched.type level: extended type: keyword ignore_above: 1024 - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule default_field: false - - name: enrichments.event.risk_score - level: core - type: float - description: Risk score or priority of the event (e.g. security solutions). - Use your system's original value here. + - name: framework + level: extended + type: keyword + ignore_above: 1024 + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: group.alias + level: extended + type: keyword + ignore_above: 1024 + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." 
+ example: '[ "Magecart Group 6" ]' default_field: false - - name: enrichments.event.risk_score_norm + - name: group.id level: extended - type: float - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' + type: keyword + ignore_above: 1024 + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 default_field: false - - name: enrichments.event.sequence + - name: group.name level: extended - type: long - format: string - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regardless of the timestamp precision.' + type: keyword + ignore_above: 1024 + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 default_field: false - - name: enrichments.event.severity - level: core + - name: group.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + default_field: false + - name: indicator.as.number + level: extended type: long - format: string - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and - use cases. 
It''s up to the implementer to make sure severities are consistent - across events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` - is meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 default_field: false - - name: enrichments.event.start + - name: indicator.as.organization.name level: extended - type: date - description: event.start contains the date when the event started or when the - activity was first observed. + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC default_field: false - - name: enrichments.event.timezone + - name: indicator.confidence level: extended type: keyword ignore_above: 1024 - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' 
+ description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: enrichments.event.type - level: core + - name: indicator.description + level: extended type: keyword ignore_above: 1024 - description: 'This is one of four ECS Categorization Fields, and indicates the - third level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along - with the `event.category` field values, enables filtering events down to a - level appropriate for single visualization. - - This field is an array. This will allow proper categorization of some events - that fall in multiple event types.' + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: enrichments.event.url + - name: indicator.email.address level: extended type: keyword ignore_above: 1024 - description: 'URL linking to an external system to continue investigation of - this event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com default_field: false - - name: enrichments.file.accessed + - name: indicator.file.accessed level: extended type: date description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' 
default_field: false - - name: enrichments.file.attributes + - name: indicator.file.attributes level: extended type: keyword ignore_above: 1024 @@ -6295,13 +7163,13 @@ execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false - - name: enrichments.file.code_signature.exists + - name: indicator.file.code_signature.exists level: core type: boolean description: Boolean to capture if a signature is present. example: 'true' default_field: false - - name: enrichments.file.code_signature.signing_id + - name: indicator.file.code_signature.signing_id level: extended type: keyword ignore_above: 1024 @@ -6311,7 +7179,7 @@ The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy default_field: false - - name: enrichments.file.code_signature.status + - name: indicator.file.code_signature.status level: extended type: keyword ignore_above: 1024 @@ -6322,14 +7190,14 @@ was unchecked.' example: ERROR_UNTRUSTED_ROOT default_field: false - - name: enrichments.file.code_signature.subject_name + - name: indicator.file.code_signature.subject_name level: core type: keyword ignore_above: 1024 description: Subject name of the code signer example: Microsoft Corporation default_field: false - - name: enrichments.file.code_signature.team_id + - name: indicator.file.code_signature.team_id level: extended type: keyword ignore_above: 1024 @@ -6339,7 +7207,7 @@ is relevant to Apple *OS only.' example: EQHXZ8M8AV default_field: false - - name: enrichments.file.code_signature.trusted + - name: indicator.file.code_signature.trusted level: extended type: boolean description: 'Stores the trust status of the certificate chain. 
@@ -6348,7 +7216,7 @@ field should only be populated by tools that actively check the status.' example: 'true' default_field: false - - name: enrichments.file.code_signature.valid + - name: indicator.file.code_signature.valid level: extended type: boolean description: 'Boolean to capture if the digital signature is verified against @@ -6357,14 +7225,14 @@ Leave unpopulated if a certificate was unchecked.' example: 'true' default_field: false - - name: enrichments.file.created + - name: indicator.file.created level: extended type: date description: 'File creation time. Note that not all filesystems store the creation time.' default_field: false - - name: enrichments.file.ctime + - name: indicator.file.ctime level: extended type: date description: 'Last time the file attributes or metadata changed. @@ -6372,14 +7240,14 @@ Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' default_field: false - - name: enrichments.file.device + - name: indicator.file.device level: extended type: keyword ignore_above: 1024 description: Device that is the source of the file. example: sda default_field: false - - name: enrichments.file.directory + - name: indicator.file.directory level: extended type: keyword ignore_above: 1024 @@ -6387,7 +7255,7 @@ letter, when appropriate. example: /home/alice default_field: false - - name: enrichments.file.drive_letter + - name: indicator.file.drive_letter level: extended type: keyword ignore_above: 1 
@@ -6397,92 +7265,92 @@ The value should be uppercase, and not include the colon.' example: C default_field: false - - name: enrichments.file.elf.architecture + - name: indicator.file.elf.architecture level: extended type: keyword ignore_above: 1024 description: Machine architecture of the ELF file. example: x86-64 default_field: false - - name: enrichments.file.elf.byte_order + - name: indicator.file.elf.byte_order level: extended type: keyword ignore_above: 1024 description: Byte sequence of ELF file. example: Little Endian default_field: false - - name: enrichments.file.elf.cpu_type + - name: indicator.file.elf.cpu_type level: extended type: keyword ignore_above: 1024 description: CPU type of the ELF file. example: Intel default_field: false - - name: enrichments.file.elf.creation_date + - name: indicator.file.elf.creation_date level: extended type: date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. default_field: false - - name: enrichments.file.elf.exports + - name: indicator.file.elf.exports level: extended type: flattened description: List of exported element names and types. default_field: false - - name: enrichments.file.elf.header.abi_version + - name: indicator.file.elf.header.abi_version level: extended type: keyword ignore_above: 1024 description: Version of the ELF Application Binary Interface (ABI). default_field: false - - name: enrichments.file.elf.header.class + - name: indicator.file.elf.header.class level: extended type: keyword ignore_above: 1024 description: Header class of the ELF file. default_field: false - - name: enrichments.file.elf.header.data + - name: indicator.file.elf.header.data level: extended type: keyword ignore_above: 1024 description: Data table of the ELF header. 
default_field: false - - name: enrichments.file.elf.header.entrypoint + - name: indicator.file.elf.header.entrypoint level: extended type: long format: string description: Header entrypoint of the ELF file. default_field: false - - name: enrichments.file.elf.header.object_version + - name: indicator.file.elf.header.object_version level: extended type: keyword ignore_above: 1024 description: '"0x1" for original ELF files.' default_field: false - - name: enrichments.file.elf.header.os_abi + - name: indicator.file.elf.header.os_abi level: extended type: keyword ignore_above: 1024 description: Application Binary Interface (ABI) of the Linux OS. default_field: false - - name: enrichments.file.elf.header.type + - name: indicator.file.elf.header.type level: extended type: keyword ignore_above: 1024 description: Header type of the ELF file. default_field: false - - name: enrichments.file.elf.header.version + - name: indicator.file.elf.header.version level: extended type: keyword ignore_above: 1024 description: Version of the ELF header. default_field: false - - name: enrichments.file.elf.imports + - name: indicator.file.elf.imports level: extended type: flattened description: List of imported element names and types. default_field: false - - name: enrichments.file.elf.sections + - name: indicator.file.elf.sections level: extended type: nested description: 'An array containing an object for each section of the ELF file. 
@@ -6490,61 +7358,61 @@ The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' default_field: false - - name: enrichments.file.elf.sections.chi2 + - name: indicator.file.elf.sections.chi2 level: extended type: long format: number description: Chi-square probability distribution of the section. default_field: false - - name: enrichments.file.elf.sections.entropy + - name: indicator.file.elf.sections.entropy level: extended type: long format: number description: Shannon entropy calculation from the section. default_field: false - - name: enrichments.file.elf.sections.flags + - name: indicator.file.elf.sections.flags level: extended type: keyword ignore_above: 1024 description: ELF Section List flags. default_field: false - - name: enrichments.file.elf.sections.name + - name: indicator.file.elf.sections.name level: extended type: keyword ignore_above: 1024 description: ELF Section List name. default_field: false - - name: enrichments.file.elf.sections.physical_offset + - name: indicator.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 description: ELF Section List offset. default_field: false - - name: enrichments.file.elf.sections.physical_size + - name: indicator.file.elf.sections.physical_size level: extended type: long format: bytes description: ELF Section List physical size. default_field: false - - name: enrichments.file.elf.sections.type + - name: indicator.file.elf.sections.type level: extended type: keyword ignore_above: 1024 description: ELF Section List type. default_field: false - - name: enrichments.file.elf.sections.virtual_address + - name: indicator.file.elf.sections.virtual_address level: extended type: long format: string description: ELF Section List virtual address. 
default_field: false - - name: enrichments.file.elf.sections.virtual_size + - name: indicator.file.elf.sections.virtual_size level: extended type: long format: string description: ELF Section List virtual size. default_field: false - - name: enrichments.file.elf.segments + - name: indicator.file.elf.segments level: extended type: nested description: 'An array containing an object for each segment of the ELF file. @@ -6552,31 +7420,31 @@ The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' default_field: false - - name: enrichments.file.elf.segments.sections + - name: indicator.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 description: ELF object segment sections. default_field: false - - name: enrichments.file.elf.segments.type + - name: indicator.file.elf.segments.type level: extended type: keyword ignore_above: 1024 description: ELF object segment type. default_field: false - - name: enrichments.file.elf.shared_libraries + - name: indicator.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 description: List of shared libraries used by this ELF object. default_field: false - - name: enrichments.file.elf.telfhash + - name: indicator.file.elf.telfhash level: extended type: keyword ignore_above: 1024 description: telfhash symbol hash for ELF file. default_field: false - - name: enrichments.file.extension + - name: indicator.file.extension level: extended type: keyword ignore_above: 1024 
@@ -6586,28 +7454,28 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - - name: enrichments.file.gid + - name: indicator.file.gid level: extended type: keyword ignore_above: 1024 description: Primary group ID (GID) of the file. example: '1001' default_field: false - - name: enrichments.file.group + - name: indicator.file.group level: extended type: keyword ignore_above: 1024 description: Primary group name of the file. example: alice default_field: false - - name: enrichments.file.inode + - name: indicator.file.inode level: extended type: keyword ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' default_field: false - - name: enrichments.file.mime_type + - name: indicator.file.mime_type level: extended type: keyword ignore_above: 1024 @@ -6616,33 +7484,33 @@ official types], where possible. When more than one type is applicable, the most specific type should be used. default_field: false - - name: enrichments.file.mode + - name: indicator.file.mode level: extended type: keyword ignore_above: 1024 description: Mode of the file in octal representation. example: '0640' default_field: false - - name: enrichments.file.mtime + - name: indicator.file.mtime level: extended type: date description: Last time the file content was modified. default_field: false - - name: enrichments.file.name + - name: indicator.file.name level: extended type: keyword ignore_above: 1024 description: Name of the file including the extension, without the directory. example: example.png default_field: false - - name: enrichments.file.owner + - name: indicator.file.owner level: extended type: keyword ignore_above: 1024 description: File owner's username. example: alice default_field: false - - name: enrichments.file.path + - name: indicator.file.path level: extended type: keyword ignore_above: 1024 
@@ -6654,7 +7522,7 @@ the drive letter, when appropriate. example: /home/alice/example.png default_field: false - - name: enrichments.file.size + - name: indicator.file.size level: extended type: long description: 'File size in bytes. @@ -6662,7 +7530,7 @@ Only relevant when `file.type` is "file".' example: 16384 default_field: false - - name: enrichments.file.target_path + - name: indicator.file.target_path level: extended type: keyword ignore_above: 1024 
@@ -6672,62 +7540,69 @@ norms: false description: Target path for symlinks. default_field: false - - name: enrichments.file.type + - name: indicator.file.type level: extended type: keyword ignore_above: 1024 description: File type (file, dir, or symlink). example: file default_field: false - - name: enrichments.file.uid + - name: indicator.file.uid level: extended type: keyword ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' default_field: false - - name: enrichments.geo.city_name + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name level: core type: keyword ignore_above: 1024 description: City name. example: Montreal default_field: false - - name: enrichments.geo.continent_code + - name: indicator.geo.continent_code level: core type: keyword ignore_above: 1024 description: Two-letter code representing continent's name. example: NA default_field: false - - name: enrichments.geo.continent_name + - name: indicator.geo.continent_name level: core type: keyword ignore_above: 1024 description: Name of the continent. example: North America default_field: false - - name: enrichments.geo.country_iso_code + - name: indicator.geo.country_iso_code level: core type: keyword ignore_above: 1024 description: Country ISO code. example: CA default_field: false - - name: enrichments.geo.country_name + - name: indicator.geo.country_name level: core type: keyword ignore_above: 1024 description: Country name. example: Canada default_field: false - - name: enrichments.geo.location + - name: indicator.geo.location level: core type: geo_point description: Longitude and latitude. 
example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - - name: enrichments.geo.name + - name: indicator.geo.name level: extended type: keyword ignore_above: 1024 
@@ -6740,106 +7615,255 @@ Not typically used in automated geolocation.' example: boston-dc default_field: false - - name: enrichments.geo.postal_code - level: core + - name: indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). 
+ example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + default_field: false + - name: indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: indicator.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: indicator.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: indicator.pe.file_version + level: extended type: keyword ignore_above: 1024 - description: 'Postal code associated with the location. - - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: enrichments.geo.region_iso_code - level: core + - name: indicator.pe.imphash + level: extended type: keyword ignore_above: 1024 - description: Region ISO code. 
- example: CA-QC + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: enrichments.geo.region_name - level: core + - name: indicator.pe.original_file_name + level: extended type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: enrichments.geo.timezone - level: core + - name: indicator.pe.product + level: extended type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: enrichments.hash.md5 + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.provider level: extended type: keyword ignore_above: 1024 - description: MD5 hash. + description: The name of the indicator's provider. + example: lrz_urlhaus default_field: false - - name: enrichments.hash.sha1 + - name: indicator.reference level: extended type: keyword ignore_above: 1024 - description: SHA1 hash. + description: Reference URL linking to additional information about this indicator. 
+ example: https://system.example.com/indicator/0001234 default_field: false - - name: enrichments.hash.sha256 + - name: indicator.registry.data.bytes level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: enrichments.hash.sha512 - level: extended + - name: indicator.registry.data.strings + level: core type: keyword ignore_above: 1024 - description: SHA512 hash. + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: enrichments.hash.ssdeep - level: extended + - name: indicator.registry.data.type + level: core type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: enrichments.matched.atomic - level: extended + - name: indicator.registry.hive + level: core type: keyword ignore_above: 1024 - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com + description: Abbreviated name for the hive. 
+ example: HKLM default_field: false - - name: enrichments.matched.field - level: extended + - name: indicator.registry.key + level: core type: keyword ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - - name: enrichments.matched.id - level: extended + - name: indicator.registry.path + level: core type: keyword ignore_above: 1024 - description: Identifies the _id of the indicator document enriching the event. - example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: enrichments.matched.index - level: extended + - name: indicator.registry.value + level: core type: keyword ignore_above: 1024 - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 + description: Name of the value written. + example: Debugger default_field: false - - name: enrichments.matched.type + - name: indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + default_field: false + - name: indicator.type level: extended type: keyword ignore_above: 1024 - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr default_field: false - - name: enrichments.url.domain + - name: indicator.url.domain level: extended type: keyword ignore_above: 1024 @@ -6853,7 +7877,7 @@ field.' example: www.elastic.co default_field: false - - name: enrichments.url.extension + - name: indicator.url.extension level: extended type: keyword ignore_above: 1024 @@ -6869,7 +7893,7 @@ the last one should be captured ("gz", not "tar.gz").' example: png default_field: false - - name: enrichments.url.fragment + - name: indicator.url.fragment level: extended type: keyword ignore_above: 1024 @@ -6877,7 +7901,7 @@ The `#` is not part of the fragment.' default_field: false - - name: enrichments.url.full + - name: indicator.url.full level: extended type: keyword ignore_above: 1024 @@ -6890,7 +7914,7 @@ source. example: https://www.elastic.co:443/search?q=elasticsearch#top default_field: false - - name: enrichments.url.original + - name: indicator.url.original level: extended type: keyword ignore_above: 1024 
@@ -6906,26 +7930,26 @@ This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: enrichments.url.password + - name: indicator.url.password level: extended type: keyword ignore_above: 1024 description: Password of the request. default_field: false - - name: enrichments.url.path + - name: indicator.url.path level: extended type: keyword ignore_above: 1024 description: Path of the request, such as "/search". default_field: false - - name: enrichments.url.port + - name: indicator.url.port level: extended type: long format: string description: Port of the request, such as 443. example: 443 default_field: false - - name: enrichments.url.query + - name: indicator.url.query level: extended type: keyword ignore_above: 1024 @@ -6937,7 +7961,7 @@ with an empty string. The `exists` query can be used to differentiate between the two cases.' default_field: false - - name: enrichments.url.registered_domain + - name: indicator.url.registered_domain level: extended type: keyword ignore_above: 1024 @@ -6950,7 +7974,7 @@ the last two labels will not work well for TLDs such as "co.uk".' example: example.com default_field: false - - name: enrichments.url.scheme + - name: indicator.url.scheme level: extended type: keyword ignore_above: 1024 @@ -6959,7 +7983,7 @@ Note: The `:` is not part of the scheme.' example: https default_field: false - - name: enrichments.url.subdomain + - name: indicator.url.subdomain level: extended type: keyword ignore_above: 1024 @@ -6973,7 +7997,7 @@ the subdomain field should contain "sub2.sub1", with no trailing period.' example: east default_field: false - - name: enrichments.url.top_level_domain + - name: indicator.url.top_level_domain level: extended type: keyword ignore_above: 1024 
@@ -6986,13 +8010,13 @@ the last label will not work well for effective TLDs such as "co.uk".' example: co.uk default_field: false - - name: enrichments.url.username + - name: indicator.url.username level: extended type: keyword ignore_above: 1024 description: Username of the request. default_field: false - - name: enrichments.x509.alternative_names + - name: indicator.x509.alternative_names level: extended type: keyword ignore_above: 1024 @@ -7001,21 +8025,21 @@ (and wildcards), and email addresses. example: '*.elastic.co' default_field: false - - name: enrichments.x509.issuer.common_name + - name: indicator.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.x509.issuer.country + - name: indicator.x509.issuer.country level: extended type: keyword ignore_above: 1024 description: List of country (C) codes example: US default_field: false - - name: enrichments.x509.issuer.distinguished_name + - name: indicator.x509.issuer.distinguished_name level: extended type: keyword ignore_above: 1024 
@@ -7023,54 +8047,54 @@ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA default_field: false - - name: enrichments.x509.issuer.locality + - name: indicator.x509.issuer.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: Mountain View default_field: false - - name: enrichments.x509.issuer.organization + - name: indicator.x509.issuer.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of issuing certificate authority. example: Example Inc default_field: false - - name: enrichments.x509.issuer.organizational_unit + - name: indicator.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of issuing certificate authority. example: www.example.com default_field: false - - name: enrichments.x509.issuer.state_or_province + - name: indicator.x509.issuer.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.x509.not_after + - name: indicator.x509.not_after level: extended type: date description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 default_field: false - - name: enrichments.x509.not_before + - name: indicator.x509.not_before level: extended type: date description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 default_field: false - - name: enrichments.x509.public_key_algorithm + - name: indicator.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 description: Algorithm used to generate the public key. example: RSA default_field: false - - name: enrichments.x509.public_key_curve + - name: indicator.x509.public_key_curve level: extended type: keyword ignore_above: 1024 
@@ -7078,7 +8102,7 @@ is algorithm specific. example: nistp521 default_field: false - - name: enrichments.x509.public_key_exponent + - name: indicator.x509.public_key_exponent level: extended type: long description: Exponent used to derive the public key. This is algorithm specific. @@ -7086,13 +8110,13 @@ index: false doc_values: false default_field: false - - name: enrichments.x509.public_key_size + - name: indicator.x509.public_key_size level: extended type: long description: The size of the public key space in bits. example: 2048 default_field: false - - name: enrichments.x509.serial_number + - name: indicator.x509.serial_number level: extended type: keyword ignore_above: 1024 @@ -7101,7 +8125,7 @@ characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: enrichments.x509.signature_algorithm + - name: indicator.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 
@@ -7109,198 +8133,61 @@ names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA default_field: false - - name: enrichments.x509.subject.common_name + - name: indicator.x509.subject.common_name level: extended type: keyword ignore_above: 1024 description: List of common names (CN) of subject. example: shared.global.example.net default_field: false - - name: enrichments.x509.subject.country + - name: indicator.x509.subject.country level: extended type: keyword ignore_above: 1024 description: List of country (C) code example: US default_field: false - - name: enrichments.x509.subject.distinguished_name + - name: indicator.x509.subject.distinguished_name level: extended type: keyword ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: enrichments.x509.subject.locality + - name: indicator.x509.subject.locality level: extended type: keyword ignore_above: 1024 description: List of locality names (L) example: San Francisco default_field: false - - name: enrichments.x509.subject.organization + - name: indicator.x509.subject.organization level: extended type: keyword ignore_above: 1024 description: List of organizations (O) of subject. example: Example, Inc. default_field: false - - name: enrichments.x509.subject.organizational_unit + - name: indicator.x509.subject.organizational_unit level: extended type: keyword ignore_above: 1024 description: List of organizational units (OU) of subject. 
default_field: false - - name: enrichments.x509.subject.state_or_province + - name: indicator.x509.subject.state_or_province level: extended type: keyword ignore_above: 1024 description: List of state or province names (ST, S, or P) example: California default_field: false - - name: enrichments.x509.version_number + - name: indicator.x509.version_number level: extended type: keyword ignore_above: 1024 description: Version of x509 format. example: 3 default_field: false - - name: framework - level: extended - type: keyword - ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias - level: extended - type: keyword - ignore_above: 1024 - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - default_field: false - - name: group.id - level: extended - type: keyword - ignore_above: 1024 - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - default_field: false - - name: group.name - level: extended - type: keyword - ignore_above: 1024 - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - default_field: false - - name: group.reference - level: extended - type: keyword - ignore_above: 1024 - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - default_field: false - - name: indicator.confidence - level: extended - type: keyword - ignore_above: 1024 - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - default_field: false - - name: indicator.description - level: extended - type: keyword - ignore_above: 1024 - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - default_field: false - - name: indicator.email.address - level: extended - type: keyword - ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com - default_field: false - - name: indicator.first_seen - level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.ip - level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - default_field: false - - name: indicator.last_seen - level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. 
- example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.marking.tlp - level: extended - type: keyword - ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - default_field: false - - name: indicator.modified_at - level: extended - type: date - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.port - level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - default_field: false - - name: indicator.scanner_stats - level: extended - type: long - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - default_field: false - - name: indicator.sightings - level: extended - type: long - description: Number of times this indicator was observed conducting threat activity. - example: 20 - default_field: false - - name: indicator.type - level: extended - type: keyword - ignore_above: 1024 - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - default_field: false - name: software.id level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 25fc04d27d..1a56f341f4 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -678,173 +678,310 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.11.0-dev,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. 1.11.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.11.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. -1.11.0-dev,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. -1.11.0-dev,true,threat,threat.enrichments.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -1.11.0-dev,true,threat,threat.enrichments.as.organization.name,keyword,extended,,Google LLC,Organization name. -1.11.0-dev,true,threat,threat.enrichments.as.organization.name.text,text,extended,,Google LLC,Organization name. -1.11.0-dev,true,threat,threat.enrichments.event.action,keyword,core,,user-password-change,The action captured by the event. -1.11.0-dev,true,threat,threat.enrichments.event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. -1.11.0-dev,true,threat,threat.enrichments.event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. -1.11.0-dev,true,threat,threat.enrichments.event.code,keyword,extended,,4648,Identification code for this event. -1.11.0-dev,true,threat,threat.enrichments.event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. -1.11.0-dev,true,threat,threat.enrichments.event.dataset,keyword,core,,apache.access,Name of the dataset. -1.11.0-dev,true,threat,threat.enrichments.event.duration,long,core,,,Duration of the event in nanoseconds. -1.11.0-dev,true,threat,threat.enrichments.event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. 
-1.11.0-dev,true,threat,threat.enrichments.event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. -1.11.0-dev,true,threat,threat.enrichments.event.id,keyword,core,,8a4f500d,Unique ID to describe the event. -1.11.0-dev,true,threat,threat.enrichments.event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. -1.11.0-dev,true,threat,threat.enrichments.event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. -1.11.0-dev,true,threat,threat.enrichments.event.module,keyword,core,,apache,Name of the module this data is coming from. -1.11.0-dev,false,threat,threat.enrichments.event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. -1.11.0-dev,true,threat,threat.enrichments.event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. -1.11.0-dev,true,threat,threat.enrichments.event.provider,keyword,extended,,kernel,Source of the event. -1.11.0-dev,true,threat,threat.enrichments.event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" -1.11.0-dev,true,threat,threat.enrichments.event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL -1.11.0-dev,true,threat,threat.enrichments.event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -1.11.0-dev,true,threat,threat.enrichments.event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). -1.11.0-dev,true,threat,threat.enrichments.event.sequence,long,extended,,,Sequence number of the event. 
-1.11.0-dev,true,threat,threat.enrichments.event.severity,long,core,,7,Numeric severity of the event. -1.11.0-dev,true,threat,threat.enrichments.event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. -1.11.0-dev,true,threat,threat.enrichments.event.timezone,keyword,extended,,,Event time zone. -1.11.0-dev,true,threat,threat.enrichments.event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. -1.11.0-dev,true,threat,threat.enrichments.event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL -1.11.0-dev,true,threat,threat.enrichments.file.accessed,date,extended,,,Last time the file was accessed. -1.11.0-dev,true,threat,threat.enrichments.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -1.11.0-dev,true,threat,threat.enrichments.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -1.11.0-dev,true,threat,threat.enrichments.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -1.11.0-dev,true,threat,threat.enrichments.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. -1.11.0-dev,true,threat,threat.enrichments.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -1.11.0-dev,true,threat,threat.enrichments.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -1.11.0-dev,true,threat,threat.enrichments.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -1.11.0-dev,true,threat,threat.enrichments.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. 
-1.11.0-dev,true,threat,threat.enrichments.file.created,date,extended,,,File creation time. -1.11.0-dev,true,threat,threat.enrichments.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -1.11.0-dev,true,threat,threat.enrichments.file.device,keyword,extended,,sda,Device that is the source of the file. -1.11.0-dev,true,threat,threat.enrichments.file.directory,keyword,extended,,/home/alice,Directory where the file is located. -1.11.0-dev,true,threat,threat.enrichments.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -1.11.0-dev,true,threat,threat.enrichments.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -1.11.0-dev,true,threat,threat.enrichments.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -1.11.0-dev,true,threat,threat.enrichments.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -1.11.0-dev,true,threat,threat.enrichments.file.elf.creation_date,date,extended,,,Build or compile date. -1.11.0-dev,true,threat,threat.enrichments.file.elf.exports,flattened,extended,array,,List of exported element names and types. -1.11.0-dev,true,threat,threat.enrichments.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). -1.11.0-dev,true,threat,threat.enrichments.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -1.11.0-dev,true,threat,threat.enrichments.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -1.11.0-dev,true,threat,threat.enrichments.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -1.11.0-dev,true,threat,threat.enrichments.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -1.11.0-dev,true,threat,threat.enrichments.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. 
-1.11.0-dev,true,threat,threat.enrichments.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -1.11.0-dev,true,threat,threat.enrichments.file.elf.header.version,keyword,extended,,,Version of the ELF header. -1.11.0-dev,true,threat,threat.enrichments.file.elf.imports,flattened,extended,array,,List of imported element names and types. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections,nested,extended,array,,Section information of the ELF file. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.name,keyword,extended,,,ELF Section List name. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.type,keyword,extended,,,ELF Section List type. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -1.11.0-dev,true,threat,threat.enrichments.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -1.11.0-dev,true,threat,threat.enrichments.file.elf.segments,nested,extended,array,,ELF object segment list. -1.11.0-dev,true,threat,threat.enrichments.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -1.11.0-dev,true,threat,threat.enrichments.file.elf.segments.type,keyword,extended,,,ELF object segment type. 
-1.11.0-dev,true,threat,threat.enrichments.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -1.11.0-dev,true,threat,threat.enrichments.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -1.11.0-dev,true,threat,threat.enrichments.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -1.11.0-dev,true,threat,threat.enrichments.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -1.11.0-dev,true,threat,threat.enrichments.file.group,keyword,extended,,alice,Primary group name of the file. -1.11.0-dev,true,threat,threat.enrichments.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -1.11.0-dev,true,threat,threat.enrichments.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -1.11.0-dev,true,threat,threat.enrichments.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -1.11.0-dev,true,threat,threat.enrichments.file.mtime,date,extended,,,Last time the file content was modified. -1.11.0-dev,true,threat,threat.enrichments.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -1.11.0-dev,true,threat,threat.enrichments.file.owner,keyword,extended,,alice,File owner's username. -1.11.0-dev,true,threat,threat.enrichments.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.11.0-dev,true,threat,threat.enrichments.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -1.11.0-dev,true,threat,threat.enrichments.file.size,long,extended,,16384,File size in bytes. -1.11.0-dev,true,threat,threat.enrichments.file.target_path,keyword,extended,,,Target path for symlinks. -1.11.0-dev,true,threat,threat.enrichments.file.target_path.text,text,extended,,,Target path for symlinks. 
-1.11.0-dev,true,threat,threat.enrichments.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -1.11.0-dev,true,threat,threat.enrichments.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. -1.11.0-dev,true,threat,threat.enrichments.geo.city_name,keyword,core,,Montreal,City name. -1.11.0-dev,true,threat,threat.enrichments.geo.continent_code,keyword,core,,NA,Continent code. -1.11.0-dev,true,threat,threat.enrichments.geo.continent_name,keyword,core,,North America,Name of the continent. -1.11.0-dev,true,threat,threat.enrichments.geo.country_iso_code,keyword,core,,CA,Country ISO code. -1.11.0-dev,true,threat,threat.enrichments.geo.country_name,keyword,core,,Canada,Country name. -1.11.0-dev,true,threat,threat.enrichments.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -1.11.0-dev,true,threat,threat.enrichments.geo.name,keyword,extended,,boston-dc,User-defined description of a location. -1.11.0-dev,true,threat,threat.enrichments.geo.postal_code,keyword,core,,94040,Postal code. -1.11.0-dev,true,threat,threat.enrichments.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. -1.11.0-dev,true,threat,threat.enrichments.geo.region_name,keyword,core,,Quebec,Region name. -1.11.0-dev,true,threat,threat.enrichments.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -1.11.0-dev,true,threat,threat.enrichments.hash.md5,keyword,extended,,,MD5 hash. -1.11.0-dev,true,threat,threat.enrichments.hash.sha1,keyword,extended,,,SHA1 hash. -1.11.0-dev,true,threat,threat.enrichments.hash.sha256,keyword,extended,,,SHA256 hash. -1.11.0-dev,true,threat,threat.enrichments.hash.sha512,keyword,extended,,,SHA512 hash. -1.11.0-dev,true,threat,threat.enrichments.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.11.0-dev,true,threat,threat.enrichments,nested,extended,,,List of objects containing indicators enriching the event. 
+1.11.0-dev,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +1.11.0-dev,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.11.0-dev,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.11.0-dev,true,threat,threat.enrichments.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. +1.11.0-dev,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,High,Indicator confidence rating +1.11.0-dev,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +1.11.0-dev,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +1.11.0-dev,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+1.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. 
+1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. 
+1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.11.0-dev,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.11.0-dev,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." 
+1.11.0-dev,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.11.0-dev,true,threat,threat.enrichments.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.11.0-dev,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.target_path.text,text,extended,,,Target path for symlinks. +1.11.0-dev,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.11.0-dev,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +1.11.0-dev,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+1.11.0-dev,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +1.11.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.11.0-dev,true,threat,threat.enrichments.indicator.hash.md5,keyword,extended,,,MD5 hash. +1.11.0-dev,true,threat,threat.enrichments.indicator.hash.sha1,keyword,extended,,,SHA1 hash. +1.11.0-dev,true,threat,threat.enrichments.indicator.hash.sha256,keyword,extended,,,SHA256 hash. +1.11.0-dev,true,threat,threat.enrichments.indicator.hash.sha512,keyword,extended,,,SHA512 hash. +1.11.0-dev,true,threat,threat.enrichments.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. +1.11.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +1.11.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +1.11.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking +1.11.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +1.11.0-dev,true,threat,threat.enrichments.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.11.0-dev,true,threat,threat.enrichments.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.11.0-dev,true,threat,threat.enrichments.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." 
+1.11.0-dev,true,threat,threat.enrichments.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.11.0-dev,true,threat,threat.enrichments.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.11.0-dev,true,threat,threat.enrichments.indicator.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.11.0-dev,true,threat,threat.enrichments.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +1.11.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +1.11.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +1.11.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +1.11.0-dev,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.11.0-dev,true,threat,threat.enrichments.indicator.registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.11.0-dev,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.11.0-dev,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.11.0-dev,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. 
+1.11.0-dev,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.11.0-dev,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +1.11.0-dev,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +1.11.0-dev,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +1.11.0-dev,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +1.11.0-dev,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +1.11.0-dev,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. 
+1.11.0-dev,true,threat,threat.enrichments.indicator.url.path,keyword,extended,,,"Path of the request, such as ""/search""." +1.11.0-dev,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +1.11.0-dev,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.11.0-dev,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.11.0-dev,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.11.0-dev,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+1.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.11.0-dev,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. 
+1.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.11.0-dev,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 1.11.0-dev,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value 1.11.0-dev,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field 1.11.0-dev,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier 1.11.0-dev,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index 1.11.0-dev,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match -1.11.0-dev,true,threat,threat.enrichments.url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
-1.11.0-dev,true,threat,threat.enrichments.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." -1.11.0-dev,true,threat,threat.enrichments.url.fragment,keyword,extended,,,Portion of the url after the `#`. -1.11.0-dev,true,threat,threat.enrichments.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.11.0-dev,true,threat,threat.enrichments.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. -1.11.0-dev,true,threat,threat.enrichments.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.11.0-dev,true,threat,threat.enrichments.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. -1.11.0-dev,true,threat,threat.enrichments.url.password,keyword,extended,,,Password of the request. -1.11.0-dev,true,threat,threat.enrichments.url.path,keyword,extended,,,"Path of the request, such as ""/search""." -1.11.0-dev,true,threat,threat.enrichments.url.port,long,extended,,443,"Port of the request, such as 443." -1.11.0-dev,true,threat,threat.enrichments.url.query,keyword,extended,,,Query string of the request. -1.11.0-dev,true,threat,threat.enrichments.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." -1.11.0-dev,true,threat,threat.enrichments.url.scheme,keyword,extended,,https,Scheme of the url. -1.11.0-dev,true,threat,threat.enrichments.url.subdomain,keyword,extended,,east,The subdomain of the domain. -1.11.0-dev,true,threat,threat.enrichments.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." -1.11.0-dev,true,threat,threat.enrichments.url.username,keyword,extended,,,Username of the request. 
-1.11.0-dev,true,threat,threat.enrichments.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). -1.11.0-dev,true,threat,threat.enrichments.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. -1.11.0-dev,true,threat,threat.enrichments.x509.issuer.country,keyword,extended,array,US,List of country (C) codes -1.11.0-dev,true,threat,threat.enrichments.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. -1.11.0-dev,true,threat,threat.enrichments.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) -1.11.0-dev,true,threat,threat.enrichments.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. -1.11.0-dev,true,threat,threat.enrichments.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. -1.11.0-dev,true,threat,threat.enrichments.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.11.0-dev,true,threat,threat.enrichments.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. -1.11.0-dev,true,threat,threat.enrichments.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. -1.11.0-dev,true,threat,threat.enrichments.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. -1.11.0-dev,true,threat,threat.enrichments.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. 
-1.11.0-dev,false,threat,threat.enrichments.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. -1.11.0-dev,true,threat,threat.enrichments.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. -1.11.0-dev,true,threat,threat.enrichments.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. -1.11.0-dev,true,threat,threat.enrichments.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. -1.11.0-dev,true,threat,threat.enrichments.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. -1.11.0-dev,true,threat,threat.enrichments.x509.subject.country,keyword,extended,array,US,List of country (C) code -1.11.0-dev,true,threat,threat.enrichments.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. -1.11.0-dev,true,threat,threat.enrichments.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) -1.11.0-dev,true,threat,threat.enrichments.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. -1.11.0-dev,true,threat,threat.enrichments.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. -1.11.0-dev,true,threat,threat.enrichments.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" -1.11.0-dev,true,threat,threat.enrichments.x509.version_number,keyword,extended,,3,Version of x509 format. 1.11.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. 1.11.0-dev,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. 
1.11.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. 1.11.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 1.11.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +1.11.0-dev,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +1.11.0-dev,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +1.11.0-dev,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. 1.11.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating 1.11.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 1.11.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +1.11.0-dev,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +1.11.0-dev,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +1.11.0-dev,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +1.11.0-dev,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +1.11.0-dev,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +1.11.0-dev,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +1.11.0-dev,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+1.11.0-dev,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +1.11.0-dev,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +1.11.0-dev,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +1.11.0-dev,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +1.11.0-dev,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +1.11.0-dev,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +1.11.0-dev,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +1.11.0-dev,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +1.11.0-dev,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +1.11.0-dev,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +1.11.0-dev,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +1.11.0-dev,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. +1.11.0-dev,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +1.11.0-dev,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +1.11.0-dev,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +1.11.0-dev,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. 
+1.11.0-dev,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +1.11.0-dev,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +1.11.0-dev,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +1.11.0-dev,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +1.11.0-dev,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +1.11.0-dev,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +1.11.0-dev,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. 
+1.11.0-dev,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +1.11.0-dev,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +1.11.0-dev,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +1.11.0-dev,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +1.11.0-dev,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +1.11.0-dev,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +1.11.0-dev,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +1.11.0-dev,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +1.11.0-dev,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +1.11.0-dev,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +1.11.0-dev,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +1.11.0-dev,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +1.11.0-dev,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +1.11.0-dev,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.11.0-dev,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +1.11.0-dev,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. 
+1.11.0-dev,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +1.11.0-dev,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks. +1.11.0-dev,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +1.11.0-dev,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 1.11.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +1.11.0-dev,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +1.11.0-dev,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +1.11.0-dev,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +1.11.0-dev,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +1.11.0-dev,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +1.11.0-dev,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +1.11.0-dev,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +1.11.0-dev,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +1.11.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +1.11.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +1.11.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +1.11.0-dev,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash. +1.11.0-dev,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash. +1.11.0-dev,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash. 
+1.11.0-dev,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash. +1.11.0-dev,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. 1.11.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 1.11.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 1.11.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking 1.11.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +1.11.0-dev,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +1.11.0-dev,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +1.11.0-dev,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +1.11.0-dev,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +1.11.0-dev,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +1.11.0-dev,true,threat,threat.indicator.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +1.11.0-dev,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
1.11.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +1.11.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +1.11.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +1.11.0-dev,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +1.11.0-dev,true,threat,threat.indicator.registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +1.11.0-dev,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +1.11.0-dev,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +1.11.0-dev,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +1.11.0-dev,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +1.11.0-dev,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 1.11.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics 1.11.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed 1.11.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +1.11.0-dev,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +1.11.0-dev,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." 
+1.11.0-dev,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +1.11.0-dev,true,threat,threat.indicator.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.11.0-dev,true,threat,threat.indicator.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +1.11.0-dev,true,threat,threat.indicator.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.11.0-dev,true,threat,threat.indicator.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +1.11.0-dev,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +1.11.0-dev,true,threat,threat.indicator.url.path,keyword,extended,,,"Path of the request, such as ""/search""." +1.11.0-dev,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +1.11.0-dev,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +1.11.0-dev,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +1.11.0-dev,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +1.11.0-dev,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +1.11.0-dev,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +1.11.0-dev,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +1.11.0-dev,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+1.11.0-dev,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +1.11.0-dev,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +1.11.0-dev,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +1.11.0-dev,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +1.11.0-dev,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +1.11.0-dev,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +1.11.0-dev,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.11.0-dev,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +1.11.0-dev,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +1.11.0-dev,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +1.11.0-dev,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +1.11.0-dev,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+1.11.0-dev,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +1.11.0-dev,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +1.11.0-dev,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +1.11.0-dev,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +1.11.0-dev,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country (C) code +1.11.0-dev,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +1.11.0-dev,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +1.11.0-dev,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +1.11.0-dev,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +1.11.0-dev,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +1.11.0-dev,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. 1.11.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software 1.11.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. 1.11.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 7b76c45932..53fbd0472e 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2294,8 +2294,8 @@ event.module: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may be + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, 
@@ -8669,35 +8669,45 @@ tags: threat.enrichments: beta: This field is beta and subject to change. dashed_name: threat-enrichments - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and the + context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: [] - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. type: nested -threat.enrichments.as.number: - dashed_name: threat-enrichments-as-number +threat.enrichments.indicator: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator + description: Object containing associated indicators enriching the event. + flat_name: threat.enrichments.indicator + level: extended + name: enrichments.indicator + normalize: [] + short: Object containing indicators enriching the event. + type: object +threat.enrichments.indicator.as.number: + dashed_name: threat-enrichments-indicator-as-number description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - flat_name: threat.enrichments.as.number + flat_name: threat.enrichments.indicator.as.number level: extended name: number normalize: [] original_fieldset: as short: Unique number allocated to the autonomous system. type: long -threat.enrichments.as.organization.name: - dashed_name: threat-enrichments-as-organization-name +threat.enrichments.indicator.as.organization.name: + dashed_name: threat-enrichments-indicator-as-organization-name description: Organization name. 
example: Google LLC - flat_name: threat.enrichments.as.organization.name + flat_name: threat.enrichments.indicator.as.organization.name ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.as.organization.name.text + - flat_name: threat.enrichments.indicator.as.organization.name.text name: text norms: false type: text 
@@ -8706,836 +8716,2015 @@ threat.enrichments.as.organization.name: original_fieldset: as short: Organization name. type: keyword -threat.enrichments.event.action: - dashed_name: threat-enrichments-event-action - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is normally - defined by the implementer.' - example: user-password-change - flat_name: threat.enrichments.event.action +threat.enrichments.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n \ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.enrichments.indicator.confidence ignore_above: 1024 - level: core - name: action + level: extended + name: enrichments.indicator.confidence normalize: [] - original_fieldset: event - short: The action captured by the event. + short: Indicator confidence rating type: keyword -threat.enrichments.event.agent_id_status: - dashed_name: threat-enrichments-event-agent-id-status - description: 'Agents are normally responsible for populating the `agent.id` field - value. If the system receiving events is capable of validating the value based - on authentication information for the client then this field can be used to reflect - the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the client - cert contains the ID of the agent to which the cert was issued then the `agent.id` - value in events can be checked against the certificate. 
If the values match then - `event.agent_id_status: verified` is added to the event, otherwise one of the - other allowed values should be used. - - If no validation is performed then the field should be omitted. +threat.enrichments.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.enrichments.indicator.description + ignore_above: 1024 + level: extended + name: enrichments.indicator.description + normalize: [] + short: Indicator description + type: keyword +threat.enrichments.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.enrichments.indicator.email.address + ignore_above: 1024 + level: extended + name: enrichments.indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.enrichments.indicator.file.accessed: + dashed_name: threat-enrichments-indicator-file-accessed + description: 'Last time the file was accessed. - The allowed values are: + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.enrichments.indicator.file.attributes: + dashed_name: threat-enrichments-indicator-file-attributes + description: 'Array of file attributes. - `verified` - The `agent.id` field value matches expected value obtained from auth - metadata. + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.enrichments.indicator.file.code_signature.exists: + dashed_name: threat-enrichments-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.enrichments.indicator.file.code_signature.signing_id: + dashed_name: threat-enrichments-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. - `mismatch` - The `agent.id` field value does not match the expected value obtained - from auth metadata. + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +threat.enrichments.indicator.file.code_signature.status: + dashed_name: threat-enrichments-indicator-file-code-signature-status + description: 'Additional information about the certificate status. - `missing` - There was no `agent.id` field in the event to validate. + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' 
+ example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +threat.enrichments.indicator.file.code_signature.subject_name: + dashed_name: threat-enrichments-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +threat.enrichments.indicator.file.code_signature.team_id: + dashed_name: threat-enrichments-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - flat_name: threat.enrichments.event.agent_id_status + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: agent_id_status + name: team_id normalize: [] - original_fieldset: event - short: Validation status of the event's agent.id field. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword -threat.enrichments.event.category: - allowed_values: - - description: Events in this category are related to the challenge and response - process in which credentials are supplied and verified to allow the creation - of a session. Common sources for these logs are Windows event logs and ssh logs. 
- Visualize and analyze events in this category to look for failed logins, and - other authentication-related activity. - expected_event_types: - - start - - end - - info - name: authentication - - description: 'Events in the configuration category have to deal with creating, - modifying, or deleting the settings or parameters of an application, process, - or system. +threat.enrichments.indicator.file.code_signature.trusted: + dashed_name: threat-enrichments-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - Example sources include security policy change logs, configuration auditing - logging, and system integrity monitoring.' - expected_event_types: - - access - - change - - creation - - deletion - - info - name: configuration - - description: The database category denotes events and metrics relating to a data - storage and retrieval system. Note that use of this category is not limited - to relational database systems. Examples include event logs from MS SQL, MySQL, - Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database - activity such as accesses and changes. - expected_event_types: - - access - - change - - info - - error - name: database - - description: 'Events in the driver category have to do with operating system device - drivers and similar software entities such as Windows drivers, kernel extensions, - kernel modules, etc. + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean +threat.enrichments.indicator.file.code_signature.valid: + dashed_name: threat-enrichments-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. - Use events and metrics in this category to visualize and analyze driver-related - activity and status on hosts.' - expected_event_types: - - change - - end - - info - - start - name: driver - - description: Relating to a set of information that has been created on, or has - existed on a filesystem. Use this category of events to visualize and analyze - the creation, access, and deletions of files. Events in this category can come - from both host-based and network-based sources. An example source of a network-based - detection of a file transfer would be the Zeek file.log. - expected_event_types: - - change - - creation - - deletion - - info - name: file - - description: 'Use this category to visualize and analyze information such as host - inventory or host lifecycle events. + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.enrichments.indicator.file.created: + dashed_name: threat-enrichments-indicator-file-created + description: 'File creation time. - Most of the events in this category can usually be observed from the outside, - such as from a hypervisor or a control plane''s point of view. Some can also - be seen from within, such as "start" or "end". + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. 
+ type: date +threat.enrichments.indicator.file.ctime: + dashed_name: threat-enrichments-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. - Note that this category is for information about hosts themselves; it is not - meant to capture activity "happening on a host".' - expected_event_types: - - access - - change - - end - - info - - start - name: host - - description: Identity and access management (IAM) events relating to users, groups, - and administration. Use this category to visualize and analyze IAM-related logs - and data from active directory, LDAP, Okta, Duo, and other IAM systems. - expected_event_types: - - admin - - change - - creation - - deletion - - group - - info - - user - name: iam - - description: Relating to intrusion detections from IDS/IPS systems and functions, - both network and host-based. Use this category to visualize and analyze intrusion - detection alerts from systems such as Snort, Suricata, and Palo Alto threat - detections. - expected_event_types: - - allowed - - denied - - info - name: intrusion_detection - - description: Malware detection events and alerts. Use this category to visualize - and analyze malware detections from EDR/EPP systems such as Elastic Endpoint - Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems - such as Suricata, or other sources of malware-related events such as Palo Alto - Networks threat logs and Wildfire logs. - expected_event_types: - - info - name: malware - - description: Relating to all network activity, including network connection lifecycle, - network traffic, and essentially any event that includes an IP address. Many - events containing decoded network protocol transactions fit into this category. - Use events in this category to visualize or analyze counts of network ports, - protocols, addresses, geolocation information, etc. 
- expected_event_types: - - access - - allowed - - connection - - denied - - end - - info - - protocol - - start - name: network - - description: Relating to software packages installed on hosts. Use this category - to visualize and analyze inventory of software installed on various hosts, or - to determine host vulnerability in the absence of vulnerability scan data. - expected_event_types: - - access - - change - - deletion - - info - - installation - - start - name: package - - description: Use this category of events to visualize and analyze process-specific - information such as lifecycle events or process ancestry. - expected_event_types: - - access - - change - - end - - info - - start - name: process - - description: Having to do with settings and assets stored in the Windows registry. - Use this category to visualize and analyze activity such as registry access - and modifications. - expected_event_types: - - access - - change - - creation - - deletion - name: registry - - description: The session category is applied to events and metrics regarding logical - persistent connections to hosts and services. Use this category to visualize - and analyze interactive or automated persistent connections between assets. - Data for this category may come from Windows Event logs, SSH logs, or stateless - sessions such as HTTP cookie-based sessions, etc. - expected_event_types: - - start - - end - - info - name: session - - description: 'Relating to web server access. Use this category to create a dashboard - of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: - events from network observers such as Zeek http log may also be included in - this category.' - expected_event_types: - - access - - error - - info - name: web - dashed_name: threat-enrichments-event-category - description: 'This is one of four ECS Categorization Fields, and indicates the second - level in the ECS category hierarchy. 
- - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process activity. - This field is closely related to `event.type`, which is used as a subcategory. - - This field is an array. This will allow proper categorization of some events that - fall in multiple categories.' - example: authentication - flat_name: threat.enrichments.event.category + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.enrichments.indicator.file.device: + dashed_name: threat-enrichments-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.indicator.file.device ignore_above: 1024 - level: core - name: category - normalize: - - array - original_fieldset: event - short: Event category. The second categorization field in the hierarchy. + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. type: keyword -threat.enrichments.event.code: - dashed_name: threat-enrichments-event-code - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is the - Windows Event ID.' - example: 4648 - flat_name: threat.enrichments.event.code +threat.enrichments.indicator.file.directory: + dashed_name: threat-enrichments-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. 
+ example: /home/alice + flat_name: threat.enrichments.indicator.file.directory ignore_above: 1024 level: extended - name: code + name: directory normalize: [] - original_fieldset: event - short: Identification code for this event. + original_fieldset: file + short: Directory where the file is located. type: keyword -threat.enrichments.event.created: - dashed_name: threat-enrichments-event-created - description: 'event.created contains the date/time when the event was first read - by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain the - time extracted from the original event. - - In most situations, these two timestamps will be slightly different. The difference - can be used to calculate the delay between your source generating an event, and - the time when your agent first processed it. This can be used to monitor your - agent''s or pipeline''s ability to keep up with your event source. +threat.enrichments.indicator.file.drive_letter: + dashed_name: threat-enrichments-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' - flat_name: threat.enrichments.event.created - level: core - name: created + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter normalize: [] - original_fieldset: event - short: Time when the event was first read by an agent or by your pipeline. - type: date -threat.enrichments.event.dataset: - dashed_name: threat-enrichments-event-dataset - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes from. 
- - It''s recommended but not required to start the dataset name with the module name, - followed by a dot, then the dataset name.' - example: apache.access - flat_name: threat.enrichments.event.dataset + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.enrichments.indicator.file.elf.architecture: + dashed_name: threat-enrichments-indicator-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.indicator.file.elf.architecture ignore_above: 1024 - level: core - name: dataset + level: extended + name: architecture normalize: [] - original_fieldset: event - short: Name of the dataset. + original_fieldset: elf + short: Machine architecture of the ELF file. type: keyword -threat.enrichments.event.duration: - dashed_name: threat-enrichments-event-duration - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference between - the end and start time.' - flat_name: threat.enrichments.event.duration - format: duration - input_format: nanoseconds - level: core - name: duration +threat.enrichments.indicator.file.elf.byte_order: + dashed_name: threat-enrichments-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order normalize: [] - original_fieldset: event - output_format: asMilliseconds - output_precision: 1 - short: Duration of the event in nanoseconds. - type: long -threat.enrichments.event.end: - dashed_name: threat-enrichments-event-end - description: event.end contains the date when the event ended or when the activity - was last observed. - flat_name: threat.enrichments.event.end + original_fieldset: elf + short: Byte sequence of ELF file. 
+ type: keyword +threat.enrichments.indicator.file.elf.cpu_type: + dashed_name: threat-enrichments-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.indicator.file.elf.cpu_type + ignore_above: 1024 level: extended - name: end + name: cpu_type normalize: [] - original_fieldset: event - short: event.end contains the date when the event ended or when the activity was - last observed. + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +threat.enrichments.indicator.file.elf.creation_date: + dashed_name: threat-enrichments-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. type: date -threat.enrichments.event.hash: - dashed_name: threat-enrichments-event-hash - description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. - example: 123456789012345678901234567890ABCD - flat_name: threat.enrichments.event.hash +threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.header.abi_version: + dashed_name: threat-enrichments-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). 
+ flat_name: threat.enrichments.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended - name: hash + name: header.abi_version normalize: [] - original_fieldset: event - short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). type: keyword -threat.enrichments.event.id: - dashed_name: threat-enrichments-event-id - description: Unique ID to describe the event. - example: 8a4f500d - flat_name: threat.enrichments.event.id +threat.enrichments.indicator.file.elf.header.class: + dashed_name: threat-enrichments-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.class ignore_above: 1024 - level: core - name: id + level: extended + name: header.class normalize: [] - original_fieldset: event - short: Unique ID to describe the event. + original_fieldset: elf + short: Header class of the ELF file. type: keyword -threat.enrichments.event.ingested: - dashed_name: threat-enrichments-event-ingested - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' - flat_name: threat.enrichments.event.ingested - level: core - name: ingested +threat.enrichments.indicator.file.elf.header.data: + dashed_name: threat-enrichments-indicator-file-elf-header-data + description: Data table of the ELF header. 
+ flat_name: threat.enrichments.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data normalize: [] - original_fieldset: event - short: Timestamp when an event arrived in the central data store. - type: date -threat.enrichments.event.kind: - allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. - - `event.kind:alert` is often populated for events coming from firewalls, intrusion - detection systems, endpoint detection and response systems, and so on.' - name: alert - - description: This value is the most general and most common value for this field. - It is used to represent events that indicate that something happened. - name: event - - description: 'This value is used to indicate that this event describes a numeric - measurement taken at given point in time. - - Examples include CPU utilization, memory usage, or device temperature. - - Metric events are often collected on a predictable frequency, such as once every - few seconds, or once a minute, but can also be used to describe ad-hoc numeric - metric queries.' - name: metric - - description: 'The state value is similar to metric, indicating that this event - describes a measurement taken at given point in time, except that the measurement - does not result in a numeric value, but rather one of a fixed set of categorical - values that represent conditions or states. - - Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), - the state of a TCP connection (open, closed, fin_wait, etc.), the state of a - host with respect to a software vulnerability (vulnerable, not vulnerable), - and the state of a system regarding compliance with a regulatory standard (compliant, - not compliant). 
- - Note that an event that describes a change of state would not use `event.kind:state`, - but instead would use ''event.kind:event'' since a state change fits the more - general event definition of something that happened. - - State events are often collected on a predictable frequency, such as once every - few seconds, once a minute, once an hour, or once a day, but can also be used - to describe ad-hoc state queries.' - name: state - - description: This value indicates that an error occurred during the ingestion - of this event, and that event data may be missing, inconsistent, or incorrect. - `event.kind:pipeline_error` is often associated with parsing errors. - name: pipeline_error - - description: 'This value is used by the Elastic Security app to denote an Elasticsearch - document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful happened - and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' - name: signal - dashed_name: threat-enrichments-event-kind - description: 'This is one of four ECS Categorization Fields, and indicates the highest - level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the event - contains, without being specific to the contents of the event. For example, values - of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. They may warrant different retention, different access control, it - may also help understand whether the data coming in at a regular interval or not.' - example: alert - flat_name: threat.enrichments.event.kind + original_fieldset: elf + short: Data table of the ELF header. 
+ type: keyword +threat.enrichments.indicator.file.elf.header.entrypoint: + dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +threat.enrichments.indicator.file.elf.header.object_version: + dashed_name: threat-enrichments-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.enrichments.indicator.file.elf.header.object_version ignore_above: 1024 - level: core - name: kind + level: extended + name: header.object_version normalize: [] - original_fieldset: event - short: The kind of the event. The highest categorization field in the hierarchy. + original_fieldset: elf + short: '"0x1" for original ELF files.' type: keyword -threat.enrichments.event.module: - dashed_name: threat-enrichments-event-module - description: 'Name of the module this data is coming from. - - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain the - name of this module.' - example: apache - flat_name: threat.enrichments.event.module +threat.enrichments.indicator.file.elf.header.os_abi: + dashed_name: threat-enrichments-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.indicator.file.elf.header.os_abi ignore_above: 1024 - level: core - name: module + level: extended + name: header.os_abi normalize: [] - original_fieldset: event - short: Name of the module this data is coming from. + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. 
type: keyword -threat.enrichments.event.original: - dashed_name: threat-enrichments-event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may be - required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and index - this field, please see `Field data types` in the `Elasticsearch Reference`.' - doc_values: false - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - flat_name: threat.enrichments.event.original - index: false - level: core - name: original +threat.enrichments.indicator.file.elf.header.type: + dashed_name: threat-enrichments-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type normalize: [] - original_fieldset: event - short: Raw text message of entire event. + original_fieldset: elf + short: Header type of the ELF file. type: keyword -threat.enrichments.event.outcome: - allowed_values: - - description: Indicates that this event describes a failed result. A common example - is `event.category:file AND event.type:access AND event.outcome:failure` to - indicate that a file access was attempted, but was not successful. - name: failure - - description: Indicates that this event describes a successful result. A common - example is `event.category:file AND event.type:create AND event.outcome:success` - to indicate that a file was successfully created. - name: success - - description: Indicates that this event describes only an attempt for which the - result is unknown from the perspective of the event producer. 
For example, if - the event contains information only about the request side of a transaction - that results in a response, populating `event.outcome:unknown` in the request - event is appropriate. The unknown value should not be used when an outcome doesn't - make logical sense for the event. In such cases `event.outcome` should not be - populated. - name: unknown - dashed_name: threat-enrichments-event-outcome - description: 'This is one of four ECS Categorization Fields, and indicates the lowest - level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a failure - from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each event - may populate different values of `event.outcome`, according to their perspective. - - Also note that in the case of a compound event (a single event that contains multiple - logical events), this field should be populated with the value that best captures - the overall success or failure from the perspective of the event producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success - flat_name: threat.enrichments.event.outcome +threat.enrichments.indicator.file.elf.header.version: + dashed_name: threat-enrichments-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.version ignore_above: 1024 - level: core - name: outcome + level: extended + name: header.version normalize: [] - original_fieldset: event - short: The outcome of the event. The lowest level categorization field in the hierarchy. + original_fieldset: elf + short: Version of the ELF header. 
type: keyword -threat.enrichments.event.provider: - dashed_name: threat-enrichments-event-provider - description: 'Source of the event. +threat.enrichments.indicator.file.elf.imports: + dashed_name: threat-enrichments-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.enrichments.indicator.file.elf.sections: + dashed_name: threat-enrichments-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. - Event transports such as Syslog or the Windows Event Log typically mention the - source of an event. It can be the name of the software that generated the event - (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - flat_name: threat.enrichments.event.provider + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.enrichments.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested +threat.enrichments.indicator.file.elf.sections.chi2: + dashed_name: threat-enrichments-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.enrichments.indicator.file.elf.sections.entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. 
+ flat_name: threat.enrichments.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.enrichments.indicator.file.elf.sections.flags: + dashed_name: threat-enrichments-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.indicator.file.elf.sections.flags ignore_above: 1024 level: extended - name: provider + name: sections.flags normalize: [] - original_fieldset: event - short: Source of the event. + original_fieldset: elf + short: ELF Section List flags. type: keyword -threat.enrichments.event.reason: - dashed_name: threat-enrichments-event-reason - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` which - denied the request may also populate `event.reason` with the reason why (e.g. - `blocked site`).' - example: Terminated an unexpected process - flat_name: threat.enrichments.event.reason +threat.enrichments.indicator.file.elf.sections.name: + dashed_name: threat-enrichments-indicator-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.enrichments.indicator.file.elf.sections.name ignore_above: 1024 level: extended - name: reason + name: sections.name normalize: [] - original_fieldset: event - short: Reason why this event happened, according to the source + original_fieldset: elf + short: ELF Section List name. type: keyword -threat.enrichments.event.reference: - dashed_name: threat-enrichments-event-reference - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. 
Alert events, indicated by - `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - flat_name: threat.enrichments.event.reference +threat.enrichments.indicator.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended - name: reference + name: sections.physical_offset normalize: [] - original_fieldset: event - short: Event reference URL + original_fieldset: elf + short: ELF Section List offset. type: keyword -threat.enrichments.event.risk_score: - dashed_name: threat-enrichments-event-risk-score - description: Risk score or priority of the event (e.g. security solutions). Use - your system's original value here. - flat_name: threat.enrichments.event.risk_score - level: core - name: risk_score +threat.enrichments.indicator.file.elf.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size normalize: [] - original_fieldset: event - short: Risk score or priority of the event (e.g. security solutions). Use your system's - original value here. - type: float -threat.enrichments.event.risk_score_norm: - dashed_name: threat-enrichments-event-risk-score-norm - description: 'Normalized risk score or priority of the event, on a scale of 0 to - 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - flat_name: threat.enrichments.event.risk_score_norm + original_fieldset: elf + short: ELF Section List physical size. 
+ type: long +threat.enrichments.indicator.file.elf.sections.type: + dashed_name: threat-enrichments-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.indicator.file.elf.sections.type + ignore_above: 1024 level: extended - name: risk_score_norm + name: sections.type normalize: [] - original_fieldset: event - short: Normalized risk score or priority of the event (0-100). - type: float -threat.enrichments.event.sequence: - dashed_name: threat-enrichments-event-sequence - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the exact - ordering of events unambiguous, regardless of the timestamp precision.' - flat_name: threat.enrichments.event.sequence + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.enrichments.indicator.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address format: string level: extended - name: sequence + name: sections.virtual_address normalize: [] - original_fieldset: event - short: Sequence number of the event. + original_fieldset: elf + short: ELF Section List virtual address. type: long -threat.enrichments.event.severity: - dashed_name: threat-enrichments-event-severity - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and use - cases. It''s up to the implementer to make sure severities are consistent across - events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is - meant to represent the severity according to the event source (e.g. firewall, - IDS). 
If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 - flat_name: threat.enrichments.event.severity +threat.enrichments.indicator.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size format: string - level: core - name: severity + level: extended + name: sections.virtual_size normalize: [] - original_fieldset: event - short: Numeric severity of the event. + original_fieldset: elf + short: ELF Section List virtual size. type: long -threat.enrichments.event.start: - dashed_name: threat-enrichments-event-start - description: event.start contains the date when the event started or when the activity - was first observed. - flat_name: threat.enrichments.event.start +threat.enrichments.indicator.file.elf.segments: + dashed_name: threat-enrichments-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.enrichments.indicator.file.elf.segments level: extended - name: start + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested +threat.enrichments.indicator.file.elf.segments.sections: + dashed_name: threat-enrichments-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections normalize: [] - original_fieldset: event - short: event.start contains the date when the event started or when the activity - was first observed. 
- type: date -threat.enrichments.event.timezone: - dashed_name: threat-enrichments-event-timezone - description: 'This field should be populated when the event''s timestamp does not - include timezone information already (e.g. default Syslog timestamps). It''s optional - otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated - (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - flat_name: threat.enrichments.event.timezone + original_fieldset: elf + short: ELF object segment sections. + type: keyword +threat.enrichments.indicator.file.elf.segments.type: + dashed_name: threat-enrichments-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.indicator.file.elf.segments.type ignore_above: 1024 level: extended - name: timezone + name: segments.type normalize: [] - original_fieldset: event - short: Event time zone. + original_fieldset: elf + short: ELF object segment type. type: keyword -threat.enrichments.event.type: - allowed_values: - - description: The access event type is used for the subset of events within a category - that indicate that something was accessed. Common examples include `event.category:database - AND event.type:access`, or `event.category:file AND event.type:access`. Note - for file access, both directory listings and file opens should be included in - this subcategory. You can further distinguish access operations using the ECS - `event.action` field. - name: access - - description: 'The admin event type is used for the subset of events within a category - that are related to admin objects. For example, administrative changes within - an IAM framework that do not specifically affect a user or group (e.g., adding - new applications to a federation solution or connecting discrete forests in - Active Directory) would fall into this subcategory. Common example: `event.category:iam - AND event.type:change AND event.type:admin`. 
You can further distinguish admin - operations using the ECS `event.action` field.' - name: admin - - description: The allowed event type is used for the subset of events within a - category that indicate that something was allowed. Common examples include `event.category:network - AND event.type:connection AND event.type:allowed` (to indicate a network firewall - event for which the firewall disposition was to allow the connection to complete) - and `event.category:intrusion_detection AND event.type:allowed` (to indicate - a network intrusion prevention system event for which the IPS disposition was - to allow the connection to complete). You can further distinguish allowed operations - using the ECS `event.action` field, populating with values of your choosing, - such as "allow", "detect", or "pass". - name: allowed - - description: The change event type is used for the subset of events within a category - that indicate that something has changed. If semantics best describe an event - as modified, then include them in this subcategory. Common examples include - `event.category:process AND event.type:change`, and `event.category:file AND - event.type:change`. You can further distinguish change operations using the - ECS `event.action` field. - name: change - - description: Used primarily with `event.category:network` this value is used for - the subset of network traffic that includes sufficient information for the event - to be included in flow or connection analysis. Events in this subcategory will - contain at least source and destination IP addresses, source and destination - TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. - Events in this subcategory may contain unidirectional or bidirectional information, - including summary information. Use this subcategory to visualize and analyze - network connections. Flow analysis, including Netflow, IPFIX, and other flow-related - events fit in this subcategory. 
Note that firewall events from many Next-Generation - Firewall (NGFW) devices will also fit into this subcategory. A common filter - for flow/connection information would be `event.category:network AND event.type:connection - AND event.type:end` (to view or analyze all completed network connections, ignoring - mid-flow reports). You can further distinguish connection events using the ECS - `event.action` field, populating with values of your choosing, such as "timeout", - or "reset". - name: connection - - description: The "creation" event type is used for the subset of events within - a category that indicate that something was created. A common example is `event.category:file - AND event.type:creation`. - name: creation - - description: The deletion event type is used for the subset of events within a - category that indicate that something was deleted. A common example is `event.category:file - AND event.type:deletion` to indicate that a file has been deleted. - name: deletion - - description: The denied event type is used for the subset of events within a category - that indicate that something was denied. Common examples include `event.category:network - AND event.type:denied` (to indicate a network firewall event for which the firewall - disposition was to deny the connection) and `event.category:intrusion_detection - AND event.type:denied` (to indicate a network intrusion prevention system event - for which the IPS disposition was to deny the connection to complete). You can - further distinguish denied operations using the ECS `event.action` field, populating - with values of your choosing, such as "blocked", "dropped", or "quarantined". - name: denied - - description: The end event type is used for the subset of events within a category - that indicate something has ended. A common example is `event.category:process - AND event.type:end`. 
- name: end - - description: The error event type is used for the subset of events within a category - that indicate or describe an error. A common example is `event.category:database - AND event.type:error`. Note that pipeline errors that occur during the event - ingestion process should not use this `event.type` value. Instead, they should - use `event.kind:pipeline_error`. - name: error - - description: 'The group event type is used for the subset of events within a category - that are related to group objects. Common example: `event.category:iam AND event.type:creation - AND event.type:group`. You can further distinguish group operations using the - ECS `event.action` field.' - name: group - - description: The info event type is used for the subset of events within a category - that indicate that they are purely informational, and don't report a state change, - or any type of action. For example, an initial run of a file integrity monitoring - system (FIM), where an agent reports all files under management, would fall - into the "info" subcategory. Similarly, an event containing a dump of all currently - running processes (as opposed to reporting that a process started/ended) would - fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection - AND event.type:info`. - name: info - - description: The installation event type is used for the subset of events within - a category that indicate that something was installed. A common example is `event.category:package` - AND `event.type:installation`. - name: installation - - description: The protocol event type is used for the subset of events within a - category that indicate that they contain protocol details or analysis, beyond - simply identifying the protocol. Generally, network events that contain specific - protocol details will fall into this subcategory. 
A common example is `event.category:network - AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate - that the event is a network connection event sent at the end of a connection - that also includes a protocol detail breakdown). Note that events that only - indicate the name or id of the protocol should not use the protocol value. Further - note that when the protocol subcategory is used, the identified protocol is - populated in the ECS `network.protocol` field. - name: protocol - - description: The start event type is used for the subset of events within a category - that indicate something has started. A common example is `event.category:process - AND event.type:start`. - name: start - - description: 'The user event type is used for the subset of events within a category - that are related to user objects. Common example: `event.category:iam AND event.type:deletion - AND event.type:user`. You can further distinguish user operations using the - ECS `event.action` field.' - name: user - dashed_name: threat-enrichments-event-type - description: 'This is one of four ECS Categorization Fields, and indicates the third - level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along with - the `event.category` field values, enables filtering events down to a level appropriate - for single visualization. - - This field is an array. This will allow proper categorization of some events that - fall in multiple event types.' - flat_name: threat.enrichments.event.type +threat.enrichments.indicator.file.elf.shared_libraries: + dashed_name: threat-enrichments-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.indicator.file.elf.shared_libraries ignore_above: 1024 - level: core - name: type + level: extended + name: shared_libraries normalize: - array - original_fieldset: event - short: Event type. 
The third categorization field in the hierarchy.
+ original_fieldset: elf
+ short: List of shared libraries used by this ELF object.
+ type: keyword
+threat.enrichments.indicator.file.elf.telfhash:
+ dashed_name: threat-enrichments-indicator-file-elf-telfhash
+ description: telfhash symbol hash for ELF file.
+ flat_name: threat.enrichments.indicator.file.elf.telfhash
+ ignore_above: 1024
+ level: extended
+ name: telfhash
+ normalize: []
+ original_fieldset: elf
+ short: telfhash hash for ELF file.
+ type: keyword
+threat.enrichments.indicator.file.extension:
+ dashed_name: threat-enrichments-indicator-file-extension
+ description: 'File extension, excluding the leading dot.
+
+ Note that when the file name has multiple extensions (example.tar.gz), only the
+ last one should be captured ("gz", not "tar.gz").'
+ example: png
+ flat_name: threat.enrichments.indicator.file.extension
+ ignore_above: 1024
+ level: extended
+ name: extension
+ normalize: []
+ original_fieldset: file
+ short: File extension, excluding the leading dot.
+ type: keyword
+threat.enrichments.indicator.file.gid:
+ dashed_name: threat-enrichments-indicator-file-gid
+ description: Primary group ID (GID) of the file.
+ example: '1001'
+ flat_name: threat.enrichments.indicator.file.gid
+ ignore_above: 1024
+ level: extended
+ name: gid
+ normalize: []
+ original_fieldset: file
+ short: Primary group ID (GID) of the file.
+ type: keyword
+threat.enrichments.indicator.file.group:
+ dashed_name: threat-enrichments-indicator-file-group
+ description: Primary group name of the file.
+ example: alice
+ flat_name: threat.enrichments.indicator.file.group
+ ignore_above: 1024
+ level: extended
+ name: group
+ normalize: []
+ original_fieldset: file
+ short: Primary group name of the file.
+ type: keyword
+threat.enrichments.indicator.file.inode:
+ dashed_name: threat-enrichments-indicator-file-inode
+ description: Inode representing the file in the filesystem.
+ example: '256383'
+ flat_name: threat.enrichments.indicator.file.inode
+ ignore_above: 1024
+ level: extended
+ name: inode
+ normalize: []
+ original_fieldset: file
+ short: Inode representing the file in the filesystem.
+ type: keyword
+threat.enrichments.indicator.file.mime_type:
+ dashed_name: threat-enrichments-indicator-file-mime-type
+ description: MIME type should identify the format of the file or stream of bytes
+ using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official
+ types], where possible. When more than one type is applicable, the most specific
+ type should be used.
+ flat_name: threat.enrichments.indicator.file.mime_type
+ ignore_above: 1024
+ level: extended
+ name: mime_type
+ normalize: []
+ original_fieldset: file
+ short: Media type of file, document, or arrangement of bytes.
+ type: keyword
+threat.enrichments.indicator.file.mode:
+ dashed_name: threat-enrichments-indicator-file-mode
+ description: Mode of the file in octal representation.
+ example: '0640'
+ flat_name: threat.enrichments.indicator.file.mode
+ ignore_above: 1024
+ level: extended
+ name: mode
+ normalize: []
+ original_fieldset: file
+ short: Mode of the file in octal representation.
+ type: keyword
+threat.enrichments.indicator.file.mtime:
+ dashed_name: threat-enrichments-indicator-file-mtime
+ description: Last time the file content was modified.
+ flat_name: threat.enrichments.indicator.file.mtime
+ level: extended
+ name: mtime
+ normalize: []
+ original_fieldset: file
+ short: Last time the file content was modified.
+ type: date
+threat.enrichments.indicator.file.name:
+ dashed_name: threat-enrichments-indicator-file-name
+ description: Name of the file including the extension, without the directory.
+ example: example.png
+ flat_name: threat.enrichments.indicator.file.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: file
+ short: Name of the file including the extension, without the directory.
+ type: keyword
+threat.enrichments.indicator.file.owner:
+ dashed_name: threat-enrichments-indicator-file-owner
+ description: File owner's username.
+ example: alice
+ flat_name: threat.enrichments.indicator.file.owner
+ ignore_above: 1024
+ level: extended
+ name: owner
+ normalize: []
+ original_fieldset: file
+ short: File owner's username.
+ type: keyword
+threat.enrichments.indicator.file.path:
+ dashed_name: threat-enrichments-indicator-file-path
+ description: Full path to the file, including the file name. It should include the
+ drive letter, when appropriate.
+ example: /home/alice/example.png
+ flat_name: threat.enrichments.indicator.file.path
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: threat.enrichments.indicator.file.path.text
+ name: text
+ norms: false
+ type: text
+ name: path
+ normalize: []
+ original_fieldset: file
+ short: Full path to the file, including the file name.
+ type: keyword
+threat.enrichments.indicator.file.size:
+ dashed_name: threat-enrichments-indicator-file-size
+ description: 'File size in bytes.
+
+ Only relevant when `file.type` is "file".'
+ example: 16384
+ flat_name: threat.enrichments.indicator.file.size
+ level: extended
+ name: size
+ normalize: []
+ original_fieldset: file
+ short: File size in bytes.
+ type: long
+threat.enrichments.indicator.file.target_path:
+ dashed_name: threat-enrichments-indicator-file-target-path
+ description: Target path for symlinks.
+ flat_name: threat.enrichments.indicator.file.target_path
+ ignore_above: 1024
+ level: extended
+ multi_fields:
+ - flat_name: threat.enrichments.indicator.file.target_path.text
+ name: text
+ norms: false
+ type: text
+ name: target_path
+ normalize: []
+ original_fieldset: file
+ short: Target path for symlinks.
+ type: keyword
+threat.enrichments.indicator.file.type:
+ dashed_name: threat-enrichments-indicator-file-type
+ description: File type (file, dir, or symlink).
+ example: file
+ flat_name: threat.enrichments.indicator.file.type
+ ignore_above: 1024
+ level: extended
+ name: type
+ normalize: []
+ original_fieldset: file
+ short: File type (file, dir, or symlink).
+ type: keyword
+threat.enrichments.indicator.file.uid:
+ dashed_name: threat-enrichments-indicator-file-uid
+ description: The user ID (UID) or security identifier (SID) of the file owner.
+ example: '1001'
+ flat_name: threat.enrichments.indicator.file.uid
+ ignore_above: 1024
+ level: extended
+ name: uid
+ normalize: []
+ original_fieldset: file
+ short: The user ID (UID) or security identifier (SID) of the file owner.
+ type: keyword
+threat.enrichments.indicator.first_seen:
+ beta: This field is beta and subject to change.
+ dashed_name: threat-enrichments-indicator-first-seen
+ description: The date and time when intelligence source first reported sighting
+ this indicator.
+ example: '2020-11-05T17:25:47.000Z'
+ flat_name: threat.enrichments.indicator.first_seen
+ level: extended
+ name: enrichments.indicator.first_seen
+ normalize: []
+ short: Date/time indicator was first reported.
+ type: date
+threat.enrichments.indicator.geo.city_name:
+ dashed_name: threat-enrichments-indicator-geo-city-name
+ description: City name.
+ example: Montreal
+ flat_name: threat.enrichments.indicator.geo.city_name
+ ignore_above: 1024
+ level: core
+ name: city_name
+ normalize: []
+ original_fieldset: geo
+ short: City name.
+ type: keyword
+threat.enrichments.indicator.geo.continent_code:
+ dashed_name: threat-enrichments-indicator-geo-continent-code
+ description: Two-letter code representing continent's name.
+ example: NA
+ flat_name: threat.enrichments.indicator.geo.continent_code
+ ignore_above: 1024
+ level: core
+ name: continent_code
+ normalize: []
+ original_fieldset: geo
+ short: Continent code.
+ type: keyword
+threat.enrichments.indicator.geo.continent_name:
+ dashed_name: threat-enrichments-indicator-geo-continent-name
+ description: Name of the continent.
+ example: North America
+ flat_name: threat.enrichments.indicator.geo.continent_name
+ ignore_above: 1024
+ level: core
+ name: continent_name
+ normalize: []
+ original_fieldset: geo
+ short: Name of the continent.
+ type: keyword
+threat.enrichments.indicator.geo.country_iso_code:
+ dashed_name: threat-enrichments-indicator-geo-country-iso-code
+ description: Country ISO code.
+ example: CA
+ flat_name: threat.enrichments.indicator.geo.country_iso_code
+ ignore_above: 1024
+ level: core
+ name: country_iso_code
+ normalize: []
+ original_fieldset: geo
+ short: Country ISO code.
+ type: keyword
+threat.enrichments.indicator.geo.country_name:
+ dashed_name: threat-enrichments-indicator-geo-country-name
+ description: Country name.
+ example: Canada
+ flat_name: threat.enrichments.indicator.geo.country_name
+ ignore_above: 1024
+ level: core
+ name: country_name
+ normalize: []
+ original_fieldset: geo
+ short: Country name.
+ type: keyword
+threat.enrichments.indicator.geo.location:
+ dashed_name: threat-enrichments-indicator-geo-location
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ flat_name: threat.enrichments.indicator.geo.location
+ level: core
+ name: location
+ normalize: []
+ original_fieldset: geo
+ short: Longitude and latitude.
+ type: geo_point
+threat.enrichments.indicator.geo.name:
+ dashed_name: threat-enrichments-indicator-geo-name
+ description: 'User-defined description of a location, at the level of granularity
+ they care about.
+
+ Could be the name of their data centers, the floor number, if this describes a
+ local physical entity, city names.
+
+ Not typically used in automated geolocation.'
+ example: boston-dc
+ flat_name: threat.enrichments.indicator.geo.name
+ ignore_above: 1024
+ level: extended
+ name: name
+ normalize: []
+ original_fieldset: geo
+ short: User-defined description of a location.
+ type: keyword
+threat.enrichments.indicator.geo.postal_code:
+ dashed_name: threat-enrichments-indicator-geo-postal-code
+ description: 'Postal code associated with the location.
+
+ Values appropriate for this field may also be known as a postcode or ZIP code
+ and will vary widely from country to country.'
+ example: 94040
+ flat_name: threat.enrichments.indicator.geo.postal_code
+ ignore_above: 1024
+ level: core
+ name: postal_code
+ normalize: []
+ original_fieldset: geo
+ short: Postal code.
+ type: keyword
+threat.enrichments.indicator.geo.region_iso_code:
+ dashed_name: threat-enrichments-indicator-geo-region-iso-code
+ description: Region ISO code.
+ example: CA-QC
+ flat_name: threat.enrichments.indicator.geo.region_iso_code
+ ignore_above: 1024
+ level: core
+ name: region_iso_code
+ normalize: []
+ original_fieldset: geo
+ short: Region ISO code.
+ type: keyword
+threat.enrichments.indicator.geo.region_name:
+ dashed_name: threat-enrichments-indicator-geo-region-name
+ description: Region name.
+ example: Quebec
+ flat_name: threat.enrichments.indicator.geo.region_name
+ ignore_above: 1024
+ level: core
+ name: region_name
+ normalize: []
+ original_fieldset: geo
+ short: Region name.
+ type: keyword
+threat.enrichments.indicator.geo.timezone:
+ dashed_name: threat-enrichments-indicator-geo-timezone
+ description: The time zone of the location, such as IANA time zone name.
+ example: America/Argentina/Buenos_Aires
+ flat_name: threat.enrichments.indicator.geo.timezone
+ ignore_above: 1024
+ level: core
+ name: timezone
+ normalize: []
+ original_fieldset: geo
+ short: Time zone.
+ type: keyword
+threat.enrichments.indicator.hash.md5:
+ dashed_name: threat-enrichments-indicator-hash-md5
+ description: MD5 hash.
+ flat_name: threat.enrichments.indicator.hash.md5
+ ignore_above: 1024
+ level: extended
+ name: md5
+ normalize: []
+ original_fieldset: hash
+ short: MD5 hash.
+ type: keyword +threat.enrichments.indicator.hash.sha1: + dashed_name: threat-enrichments-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +threat.enrichments.indicator.hash.sha256: + dashed_name: threat-enrichments-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +threat.enrichments.indicator.hash.sha512: + dashed_name: threat-enrichments-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +threat.enrichments.indicator.hash.ssdeep: + dashed_name: threat-enrichments-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen + level: extended + name: enrichments.indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: enrichments.indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword +threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at + level: extended + name: enrichments.indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date +threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + flat_name: threat.enrichments.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. 
+ type: keyword +threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.indicator.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long +threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider + ignore_above: 1024 + level: extended + name: enrichments.indicator.provider + normalize: [] + short: Indicator provider + type: keyword +threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. 
+ example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference + ignore_above: 1024 + level: extended + name: enrichments.indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword +threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword +threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. 
+ type: keyword +threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.registry.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: keyword +threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.registry.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword +threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value + description: Name of the value written. 
+ example: Debugger + flat_name: threat.enrichments.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword +threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats + level: extended + name: enrichments.indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long +threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.enrichments.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n *\ + \ domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n\ + \ * mutex\n * port\n * process\n * software\n * url\n * user-account\n \ + \ * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type + ignore_above: 1024 + level: extended + name: enrichments.indicator.type + normalize: [] + short: Type of indicator + type: keyword +threat.enrichments.indicator.url.domain: + dashed_name: threat-enrichments-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". 
+ + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.enrichments.indicator.url.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: url + short: Domain of the url. + type: keyword +threat.enrichments.indicator.url.extension: + dashed_name: threat-enrichments-indicator-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.url.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: url + short: File extension from the request url, excluding the leading dot. + type: keyword +threat.enrichments.indicator.url.fragment: + dashed_name: threat-enrichments-indicator-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.indicator.url.fragment + ignore_above: 1024 + level: extended + name: fragment + normalize: [] + original_fieldset: url + short: Portion of the url after the `#`. 
+ type: keyword +threat.enrichments.indicator.url.full: + dashed_name: threat-enrichments-indicator-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.indicator.url.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.url.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: url + short: Full unparsed URL. + type: keyword +threat.enrichments.indicator.url.original: + dashed_name: threat-enrichments-indicator-url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.indicator.url.original + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: keyword +threat.enrichments.indicator.url.password: + dashed_name: threat-enrichments-indicator-url-password + description: Password of the request. + flat_name: threat.enrichments.indicator.url.password + ignore_above: 1024 + level: extended + name: password + normalize: [] + original_fieldset: url + short: Password of the request. + type: keyword +threat.enrichments.indicator.url.path: + dashed_name: threat-enrichments-indicator-url-path + description: Path of the request, such as "/search". 
+ flat_name: threat.enrichments.indicator.url.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + original_fieldset: url + short: Path of the request, such as "/search". + type: keyword +threat.enrichments.indicator.url.port: + dashed_name: threat-enrichments-indicator-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.indicator.url.port + format: string + level: extended + name: port + normalize: [] + original_fieldset: url + short: Port of the request, such as 443. + type: long +threat.enrichments.indicator.url.query: + dashed_name: threat-enrichments-indicator-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. The `exists` query can be used to differentiate between the two + cases.' + flat_name: threat.enrichments.indicator.url.query + ignore_above: 1024 + level: extended + name: query + normalize: [] + original_fieldset: url + short: Query string of the request. + type: keyword +threat.enrichments.indicator.url.registered_domain: + dashed_name: threat-enrichments-indicator-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.indicator.url.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. 
+ type: keyword +threat.enrichments.indicator.url.scheme: + dashed_name: threat-enrichments-indicator-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.indicator.url.scheme + ignore_above: 1024 + level: extended + name: scheme + normalize: [] + original_fieldset: url + short: Scheme of the url. + type: keyword +threat.enrichments.indicator.url.subdomain: + dashed_name: threat-enrichments-indicator-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.indicator.url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: url + short: The subdomain of the domain. + type: keyword +threat.enrichments.indicator.url.top_level_domain: + dashed_name: threat-enrichments-indicator-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' 
+ example: co.uk + flat_name: threat.enrichments.indicator.url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). + type: keyword +threat.enrichments.indicator.url.username: + dashed_name: threat-enrichments-indicator-url-username + description: Username of the request. + flat_name: threat.enrichments.indicator.url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + original_fieldset: url + short: Username of the request. + type: keyword +threat.enrichments.indicator.x509.alternative_names: + dashed_name: threat-enrichments-indicator-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.indicator.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword +threat.enrichments.indicator.x509.issuer.common_name: + dashed_name: threat-enrichments-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.indicator.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. 
+ type: keyword +threat.enrichments.indicator.x509.issuer.country: + dashed_name: threat-enrichments-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.indicator.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +threat.enrichments.indicator.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: keyword +threat.enrichments.indicator.x509.issuer.locality: + dashed_name: threat-enrichments-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.indicator.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.indicator.x509.issuer.organization: + dashed_name: threat-enrichments-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.indicator.x509.issuer.organization + ignore_above: 1024 + level: extended + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. 
+ type: keyword +threat.enrichments.indicator.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword +threat.enrichments.indicator.x509.issuer.state_or_province: + dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.indicator.x509.not_after: + dashed_name: threat-enrichments-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.indicator.x509.not_after + level: extended + name: not_after + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. + type: date +threat.enrichments.indicator.x509.not_before: + dashed_name: threat-enrichments-indicator-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.indicator.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. 
+ type: date +threat.enrichments.indicator.x509.public_key_algorithm: + dashed_name: threat-enrichments-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.indicator.x509.public_key_algorithm + ignore_above: 1024 + level: extended + name: public_key_algorithm + normalize: [] + original_fieldset: x509 + short: Algorithm used to generate the public key. + type: keyword +threat.enrichments.indicator.x509.public_key_curve: + dashed_name: threat-enrichments-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.enrichments.indicator.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve + normalize: [] + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword +threat.enrichments.indicator.x509.public_key_exponent: + dashed_name: threat-enrichments-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.indicator.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. + type: long +threat.enrichments.indicator.x509.public_key_size: + dashed_name: threat-enrichments-indicator-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.indicator.x509.public_key_size + level: extended + name: public_key_size + normalize: [] + original_fieldset: x509 + short: The size of the public key space in bits. 
+ type: long +threat.enrichments.indicator.x509.serial_number: + dashed_name: threat-enrichments-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.indicator.x509.serial_number + ignore_above: 1024 + level: extended + name: serial_number + normalize: [] + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. + type: keyword +threat.enrichments.indicator.x509.signature_algorithm: + dashed_name: threat-enrichments-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.indicator.x509.signature_algorithm + ignore_above: 1024 + level: extended + name: signature_algorithm + normalize: [] + original_fieldset: x509 + short: Identifier for certificate signature algorithm. + type: keyword +threat.enrichments.indicator.x509.subject.common_name: + dashed_name: threat-enrichments-indicator-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. 
+ type: keyword +threat.enrichments.indicator.x509.subject.country: + dashed_name: threat-enrichments-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.indicator.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword +threat.enrichments.indicator.x509.subject.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.distinguished_name + ignore_above: 1024 + level: extended + name: subject.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. + type: keyword +threat.enrichments.indicator.x509.subject.locality: + dashed_name: threat-enrichments-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.indicator.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword +threat.enrichments.indicator.x509.subject.organization: + dashed_name: threat-enrichments-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.indicator.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. 
+ type: keyword +threat.enrichments.indicator.x509.subject.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.indicator.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. + type: keyword +threat.enrichments.indicator.x509.subject.state_or_province: + dashed_name: threat-enrichments-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.indicator.x509.version_number: + dashed_name: threat-enrichments-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.indicator.x509.version_number + ignore_above: 1024 + level: extended + name: version_number + normalize: [] + original_fieldset: x509 + short: Version of x509 format. + type: keyword +threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic + normalize: [] + short: Matched indicator value + type: keyword +threat.enrichments.matched.field: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 + level: extended + name: enrichments.matched.field + normalize: [] + short: Matched indicator field + type: keyword +threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 + level: extended + name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier + type: keyword +threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 + level: extended + name: enrichments.matched.index + normalize: [] + short: Matched indicator index + type: keyword +threat.enrichments.matched.type: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type + ignore_above: 1024 + level: extended + name: enrichments.matched.type + normalize: [] + short: Type of indicator match + type: keyword +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. 
Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 + level: extended + name: framework + normalize: [] + short: Threat classification framework. + type: keyword +threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 + level: extended + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id + normalize: [] + short: ID of the group. + type: keyword +threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name + normalize: [] + short: Name of the group. + type: keyword +threat.group.reference: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 + level: extended + name: group.reference + normalize: [] + short: Reference URL of the group. + type: keyword +threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: keyword +threat.indicator.confidence: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description type: keyword -threat.enrichments.event.url: - dashed_name: threat-enrichments-event-url - description: 'URL linking to an external system to continue investigation of this - event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - flat_name: threat.enrichments.event.url +threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). 
+ example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: url + name: indicator.email.address normalize: [] - original_fieldset: event - short: Event investigation URL + short: Indicator email address type: keyword -threat.enrichments.file.accessed: - dashed_name: threat-enrichments-file-accessed +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' - flat_name: threat.enrichments.file.accessed + flat_name: threat.indicator.file.accessed level: extended name: accessed normalize: [] original_fieldset: file short: Last time the file was accessed. type: date -threat.enrichments.file.attributes: - dashed_name: threat-enrichments-file-attributes +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes description: 'Array of file attributes. Attributes names will vary by platform. Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' - flat_name: threat.enrichments.file.attributes + flat_name: threat.indicator.file.attributes ignore_above: 1024 level: extended name: attributes 
@@ -9544,25 +10733,25 @@ threat.enrichments.file.attributes: original_fieldset: file short: Array of file attributes. type: keyword -threat.enrichments.file.code_signature.exists: - dashed_name: threat-enrichments-file-code-signature-exists +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: threat.enrichments.file.code_signature.exists + flat_name: threat.indicator.file.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean -threat.enrichments.file.code_signature.signing_id: - dashed_name: threat-enrichments-file-code-signature-signing-id +threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: threat.enrichments.file.code_signature.signing_id + flat_name: threat.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id 
@@ -9570,15 +10759,15 @@ threat.enrichments.file.code_signature.signing_id: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword -threat.enrichments.file.code_signature.status: - dashed_name: threat-enrichments-file-code-signature-status +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: threat.enrichments.file.code_signature.status + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 level: extended name: status @@ -9586,11 +10775,11 @@ threat.enrichments.file.code_signature.status: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword -threat.enrichments.file.code_signature.subject_name: - dashed_name: threat-enrichments-file-code-signature-subject-name +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: threat.enrichments.file.code_signature.subject_name + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 level: core name: subject_name 
@@ -9598,14 +10787,14 @@ threat.enrichments.file.code_signature.subject_name: original_fieldset: code_signature short: Subject name of the code signer type: keyword -threat.enrichments.file.code_signature.team_id: - dashed_name: threat-enrichments-file-code-signature-team-id +threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: threat.enrichments.file.code_signature.team_id + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 level: extended name: team_id 
@@ -9613,28 +10802,28 @@ threat.enrichments.file.code_signature.team_id: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword -threat.enrichments.file.code_signature.trusted: - dashed_name: threat-enrichments-file-code-signature-trusted +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: threat.enrichments.file.code_signature.trusted + flat_name: threat.indicator.file.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean -threat.enrichments.file.code_signature.valid: - dashed_name: threat-enrichments-file-code-signature-valid +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: threat.enrichments.file.code_signature.valid + flat_name: threat.indicator.file.code_signature.valid level: extended name: valid normalize: [] 
@@ -9642,36 +10831,36 @@ threat.enrichments.file.code_signature.valid: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean -threat.enrichments.file.created: - dashed_name: threat-enrichments-file-created +threat.indicator.file.created: + dashed_name: threat-indicator-file-created description: 'File creation time. Note that not all filesystems store the creation time.' - flat_name: threat.enrichments.file.created + flat_name: threat.indicator.file.created level: extended name: created normalize: [] original_fieldset: file short: File creation time. type: date -threat.enrichments.file.ctime: - dashed_name: threat-enrichments-file-ctime +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.enrichments.file.ctime + flat_name: threat.indicator.file.ctime level: extended name: ctime normalize: [] original_fieldset: file short: Last time the file attributes or metadata changed. type: date -threat.enrichments.file.device: - dashed_name: threat-enrichments-file-device +threat.indicator.file.device: + dashed_name: threat-indicator-file-device description: Device that is the source of the file. example: sda - flat_name: threat.enrichments.file.device + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended name: device 
@@ -9679,12 +10868,12 @@ threat.enrichments.file.device: original_fieldset: file short: Device that is the source of the file. type: keyword -threat.enrichments.file.directory: - dashed_name: threat-enrichments-file-directory +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice - flat_name: threat.enrichments.file.directory + flat_name: threat.indicator.file.directory ignore_above: 1024 level: extended name: directory @@ -9692,14 +10881,14 @@ threat.enrichments.file.directory: original_fieldset: file short: Directory where the file is located. type: keyword -threat.enrichments.file.drive_letter: - dashed_name: threat-enrichments-file-drive-letter +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C - flat_name: threat.enrichments.file.drive_letter + flat_name: threat.indicator.file.drive_letter ignore_above: 1 level: extended name: drive_letter @@ -9707,11 +10896,11 @@ threat.enrichments.file.drive_letter: original_fieldset: file short: Drive letter where the file is located. type: keyword -threat.enrichments.file.elf.architecture: - dashed_name: threat-enrichments-file-elf-architecture +threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: threat.enrichments.file.elf.architecture + flat_name: threat.indicator.file.elf.architecture ignore_above: 1024 level: extended name: architecture 
@@ -9719,11 +10908,11 @@ threat.enrichments.file.elf.architecture: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword -threat.enrichments.file.elf.byte_order: - dashed_name: threat-enrichments-file-elf-byte-order +threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: threat.enrichments.file.elf.byte_order + flat_name: threat.indicator.file.elf.byte_order ignore_above: 1024 level: extended name: byte_order @@ -9731,11 +10920,11 @@ threat.enrichments.file.elf.byte_order: original_fieldset: elf short: Byte sequence of ELF file. type: keyword -threat.enrichments.file.elf.cpu_type: - dashed_name: threat-enrichments-file-elf-cpu-type +threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: threat.enrichments.file.elf.cpu_type + flat_name: threat.indicator.file.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type 
@@ -9743,21 +10932,21 @@ threat.enrichments.file.elf.cpu_type: original_fieldset: elf short: CPU type of the ELF file. type: keyword -threat.enrichments.file.elf.creation_date: - dashed_name: threat-enrichments-file-elf-creation-date +threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: threat.enrichments.file.elf.creation_date + flat_name: threat.indicator.file.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date -threat.enrichments.file.elf.exports: - dashed_name: threat-enrichments-file-elf-exports +threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports description: List of exported element names and types. - flat_name: threat.enrichments.file.elf.exports + flat_name: threat.indicator.file.elf.exports level: extended name: exports normalize: @@ -9765,10 +10954,10 @@ threat.enrichments.file.elf.exports: original_fieldset: elf short: List of exported element names and types. type: flattened -threat.enrichments.file.elf.header.abi_version: - dashed_name: threat-enrichments-file-elf-header-abi-version +threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.enrichments.file.elf.header.abi_version + flat_name: threat.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version 
@@ -9776,10 +10965,10 @@ threat.enrichments.file.elf.header.abi_version: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword -threat.enrichments.file.elf.header.class: - dashed_name: threat-enrichments-file-elf-header-class +threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class description: Header class of the ELF file. - flat_name: threat.enrichments.file.elf.header.class + flat_name: threat.indicator.file.elf.header.class ignore_above: 1024 level: extended name: header.class @@ -9787,10 +10976,10 @@ threat.enrichments.file.elf.header.class: original_fieldset: elf short: Header class of the ELF file. type: keyword -threat.enrichments.file.elf.header.data: - dashed_name: threat-enrichments-file-elf-header-data +threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data description: Data table of the ELF header. - flat_name: threat.enrichments.file.elf.header.data + flat_name: threat.indicator.file.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -9798,10 +10987,10 @@ threat.enrichments.file.elf.header.data: original_fieldset: elf short: Data table of the ELF header. type: keyword -threat.enrichments.file.elf.header.entrypoint: - dashed_name: threat-enrichments-file-elf-header-entrypoint +threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: threat.enrichments.file.elf.header.entrypoint + flat_name: threat.indicator.file.elf.header.entrypoint format: string level: extended name: header.entrypoint 
@@ -9809,10 +10998,10 @@ threat.enrichments.file.elf.header.entrypoint: original_fieldset: elf short: Header entrypoint of the ELF file. type: long -threat.enrichments.file.elf.header.object_version: - dashed_name: threat-enrichments-file-elf-header-object-version +threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: threat.enrichments.file.elf.header.object_version + flat_name: threat.indicator.file.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version @@ -9820,10 +11009,10 @@ threat.enrichments.file.elf.header.object_version: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword -threat.enrichments.file.elf.header.os_abi: - dashed_name: threat-enrichments-file-elf-header-os-abi +threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.enrichments.file.elf.header.os_abi + flat_name: threat.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -9831,10 +11020,10 @@ threat.enrichments.file.elf.header.os_abi: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword -threat.enrichments.file.elf.header.type: - dashed_name: threat-enrichments-file-elf-header-type +threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type description: Header type of the ELF file. - flat_name: threat.enrichments.file.elf.header.type + flat_name: threat.indicator.file.elf.header.type ignore_above: 1024 level: extended name: header.type 
@@ -9842,10 +11031,10 @@ threat.enrichments.file.elf.header.type: original_fieldset: elf short: Header type of the ELF file. type: keyword -threat.enrichments.file.elf.header.version: - dashed_name: threat-enrichments-file-elf-header-version +threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version description: Version of the ELF header. - flat_name: threat.enrichments.file.elf.header.version + flat_name: threat.indicator.file.elf.header.version ignore_above: 1024 level: extended name: header.version @@ -9853,10 +11042,10 @@ threat.enrichments.file.elf.header.version: original_fieldset: elf short: Version of the ELF header. type: keyword -threat.enrichments.file.elf.imports: - dashed_name: threat-enrichments-file-elf-imports +threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports description: List of imported element names and types. - flat_name: threat.enrichments.file.elf.imports + flat_name: threat.indicator.file.elf.imports level: extended name: imports normalize: @@ -9864,13 +11053,13 @@ threat.enrichments.file.elf.imports: original_fieldset: elf short: List of imported element names and types. type: flattened -threat.enrichments.file.elf.sections: - dashed_name: threat-enrichments-file-elf-sections +threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: threat.enrichments.file.elf.sections + flat_name: threat.indicator.file.elf.sections level: extended name: sections normalize: 
@@ -9878,10 +11067,10 @@ threat.enrichments.file.elf.sections: original_fieldset: elf short: Section information of the ELF file. type: nested -threat.enrichments.file.elf.sections.chi2: - dashed_name: threat-enrichments-file-elf-sections-chi2 +threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: threat.enrichments.file.elf.sections.chi2 + flat_name: threat.indicator.file.elf.sections.chi2 format: number level: extended name: sections.chi2 @@ -9889,10 +11078,10 @@ threat.enrichments.file.elf.sections.chi2: original_fieldset: elf short: Chi-square probability distribution of the section. type: long -threat.enrichments.file.elf.sections.entropy: - dashed_name: threat-enrichments-file-elf-sections-entropy +threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: threat.enrichments.file.elf.sections.entropy + flat_name: threat.indicator.file.elf.sections.entropy format: number level: extended name: sections.entropy @@ -9900,10 +11089,10 @@ threat.enrichments.file.elf.sections.entropy: original_fieldset: elf short: Shannon entropy calculation from the section. type: long -threat.enrichments.file.elf.sections.flags: - dashed_name: threat-enrichments-file-elf-sections-flags +threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags description: ELF Section List flags. - flat_name: threat.enrichments.file.elf.sections.flags + flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -9911,10 +11100,10 @@ threat.enrichments.file.elf.sections.flags: original_fieldset: elf short: ELF Section List flags. type: keyword -threat.enrichments.file.elf.sections.name: - dashed_name: threat-enrichments-file-elf-sections-name +threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name description: ELF Section List name. - flat_name: threat.enrichments.file.elf.sections.name + flat_name: threat.indicator.file.elf.sections.name ignore_above: 1024 level: extended name: sections.name @@ -9922,10 +11111,10 @@ threat.enrichments.file.elf.sections.name: original_fieldset: elf short: ELF Section List name. type: keyword -threat.enrichments.file.elf.sections.physical_offset: - dashed_name: threat-enrichments-file-elf-sections-physical-offset +threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset description: ELF Section List offset. - flat_name: threat.enrichments.file.elf.sections.physical_offset + flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -9933,10 +11122,10 @@ threat.enrichments.file.elf.sections.physical_offset: original_fieldset: elf short: ELF Section List offset. type: keyword -threat.enrichments.file.elf.sections.physical_size: - dashed_name: threat-enrichments-file-elf-sections-physical-size +threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size description: ELF Section List physical size. - flat_name: threat.enrichments.file.elf.sections.physical_size + flat_name: threat.indicator.file.elf.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -9944,10 +11133,10 @@ threat.enrichments.file.elf.sections.physical_size: original_fieldset: elf short: ELF Section List physical size. type: long -threat.enrichments.file.elf.sections.type: - dashed_name: threat-enrichments-file-elf-sections-type +threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type description: ELF Section List type. - flat_name: threat.enrichments.file.elf.sections.type + flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended name: sections.type @@ -9955,10 +11144,10 @@ threat.enrichments.file.elf.sections.type: original_fieldset: elf short: ELF Section List type. type: keyword -threat.enrichments.file.elf.sections.virtual_address: - dashed_name: threat-enrichments-file-elf-sections-virtual-address +threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: threat.enrichments.file.elf.sections.virtual_address + flat_name: threat.indicator.file.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -9966,10 +11155,10 @@ threat.enrichments.file.elf.sections.virtual_address: original_fieldset: elf short: ELF Section List virtual address. type: long -threat.enrichments.file.elf.sections.virtual_size: - dashed_name: threat-enrichments-file-elf-sections-virtual-size +threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: threat.enrichments.file.elf.sections.virtual_size + flat_name: threat.indicator.file.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -9977,13 +11166,13 @@ threat.enrichments.file.elf.sections.virtual_size: original_fieldset: elf short: ELF Section List virtual size. type: long -threat.enrichments.file.elf.segments: - dashed_name: threat-enrichments-file-elf-segments +threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: threat.enrichments.file.elf.segments + flat_name: threat.indicator.file.elf.segments level: extended name: segments normalize: @@ -9991,10 +11180,10 @@ threat.enrichments.file.elf.segments: original_fieldset: elf short: ELF object segment list. type: nested -threat.enrichments.file.elf.segments.sections: - dashed_name: threat-enrichments-file-elf-segments-sections +threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections description: ELF object segment sections. - flat_name: threat.enrichments.file.elf.segments.sections + flat_name: threat.indicator.file.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -10002,10 +11191,10 @@ threat.enrichments.file.elf.segments.sections: original_fieldset: elf short: ELF object segment sections. type: keyword -threat.enrichments.file.elf.segments.type: - dashed_name: threat-enrichments-file-elf-segments-type +threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type description: ELF object segment type. - flat_name: threat.enrichments.file.elf.segments.type + flat_name: threat.indicator.file.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -10013,10 +11202,10 @@ threat.enrichments.file.elf.segments.type: original_fieldset: elf short: ELF object segment type. type: keyword -threat.enrichments.file.elf.shared_libraries: - dashed_name: threat-enrichments-file-elf-shared-libraries +threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: threat.enrichments.file.elf.shared_libraries + flat_name: threat.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -10025,10 +11214,10 @@ threat.enrichments.file.elf.shared_libraries: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword -threat.enrichments.file.elf.telfhash: - dashed_name: threat-enrichments-file-elf-telfhash +threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: threat.enrichments.file.elf.telfhash + flat_name: threat.indicator.file.elf.telfhash ignore_above: 1024 level: extended name: telfhash @@ -10036,14 +11225,14 @@ threat.enrichments.file.elf.telfhash: original_fieldset: elf short: telfhash hash for ELF file. type: keyword -threat.enrichments.file.extension: - dashed_name: threat-enrichments-file-extension +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.file.extension + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended name: extension 
@@ -10051,11 +11240,11 @@ threat.enrichments.file.extension: original_fieldset: file short: File extension, excluding the leading dot. type: keyword -threat.enrichments.file.gid: - dashed_name: threat-enrichments-file-gid +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid description: Primary group ID (GID) of the file. example: '1001' - flat_name: threat.enrichments.file.gid + flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended name: gid @@ -10063,11 +11252,11 @@ threat.enrichments.file.gid: original_fieldset: file short: Primary group ID (GID) of the file. type: keyword -threat.enrichments.file.group: - dashed_name: threat-enrichments-file-group +threat.indicator.file.group: + dashed_name: threat-indicator-file-group description: Primary group name of the file. example: alice - flat_name: threat.enrichments.file.group + flat_name: threat.indicator.file.group ignore_above: 1024 level: extended name: group @@ -10075,11 +11264,11 @@ threat.enrichments.file.group: original_fieldset: file short: Primary group name of the file. type: keyword -threat.enrichments.file.inode: - dashed_name: threat-enrichments-file-inode +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode description: Inode representing the file in the filesystem. example: '256383' - flat_name: threat.enrichments.file.inode + flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended name: inode 
@@ -10087,13 +11276,13 @@ threat.enrichments.file.inode: original_fieldset: file short: Inode representing the file in the filesystem. type: keyword -threat.enrichments.file.mime_type: - dashed_name: threat-enrichments-file-mime-type +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - flat_name: threat.enrichments.file.mime_type + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended name: mime_type @@ -10101,11 +11290,11 @@ threat.enrichments.file.mime_type: original_fieldset: file short: Media type of file, document, or arrangement of bytes. type: keyword -threat.enrichments.file.mode: - dashed_name: threat-enrichments-file-mode +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode description: Mode of the file in octal representation. example: '0640' - flat_name: threat.enrichments.file.mode + flat_name: threat.indicator.file.mode ignore_above: 1024 level: extended name: mode 
@@ -10113,21 +11302,21 @@ threat.enrichments.file.mode: original_fieldset: file short: Mode of the file in octal representation. type: keyword -threat.enrichments.file.mtime: - dashed_name: threat-enrichments-file-mtime +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime description: Last time the file content was modified. - flat_name: threat.enrichments.file.mtime + flat_name: threat.indicator.file.mtime level: extended name: mtime normalize: [] original_fieldset: file short: Last time the file content was modified. type: date -threat.enrichments.file.name: - dashed_name: threat-enrichments-file-name +threat.indicator.file.name: + dashed_name: threat-indicator-file-name description: Name of the file including the extension, without the directory. example: example.png - flat_name: threat.enrichments.file.name + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended name: name @@ -10135,11 +11324,11 @@ threat.enrichments.file.name: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword -threat.enrichments.file.owner: - dashed_name: threat-enrichments-file-owner +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner description: File owner's username. example: alice - flat_name: threat.enrichments.file.owner + flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended name: owner 
@@ -10147,16 +11336,16 @@ threat.enrichments.file.owner: original_fieldset: file short: File owner's username. type: keyword -threat.enrichments.file.path: - dashed_name: threat-enrichments-file-path +threat.indicator.file.path: + dashed_name: threat-indicator-file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png - flat_name: threat.enrichments.file.path + flat_name: threat.indicator.file.path ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.file.path.text + - flat_name: threat.indicator.file.path.text name: text norms: false type: text @@ -10165,27 +11354,27 @@ threat.enrichments.file.path: original_fieldset: file short: Full path to the file, including the file name. type: keyword -threat.enrichments.file.size: - dashed_name: threat-enrichments-file-size +threat.indicator.file.size: + dashed_name: threat-indicator-file-size description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 - flat_name: threat.enrichments.file.size + flat_name: threat.indicator.file.size level: extended name: size normalize: [] original_fieldset: file short: File size in bytes. type: long -threat.enrichments.file.target_path: - dashed_name: threat-enrichments-file-target-path +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path description: Target path for symlinks. - flat_name: threat.enrichments.file.target_path + flat_name: threat.indicator.file.target_path ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.file.target_path.text + - flat_name: threat.indicator.file.target_path.text name: text norms: false type: text 
@@ -10194,11 +11383,11 @@ threat.enrichments.file.target_path: original_fieldset: file short: Target path for symlinks. type: keyword -threat.enrichments.file.type: - dashed_name: threat-enrichments-file-type +threat.indicator.file.type: + dashed_name: threat-indicator-file-type description: File type (file, dir, or symlink). example: file - flat_name: threat.enrichments.file.type + flat_name: threat.indicator.file.type ignore_above: 1024 level: extended name: type @@ -10206,11 +11395,11 @@ threat.enrichments.file.type: original_fieldset: file short: File type (file, dir, or symlink). type: keyword -threat.enrichments.file.uid: - dashed_name: threat-enrichments-file-uid +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' - flat_name: threat.enrichments.file.uid + flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended name: uid @@ -10218,11 +11407,23 @@ threat.enrichments.file.uid: original_fieldset: file short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword -threat.enrichments.geo.city_name: - dashed_name: threat-enrichments-geo-city-name +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name description: City name. example: Montreal - flat_name: threat.enrichments.geo.city_name + flat_name: threat.indicator.geo.city_name ignore_above: 1024 level: core name: city_name 
@@ -10230,11 +11431,11 @@ threat.enrichments.geo.city_name: original_fieldset: geo short: City name. type: keyword -threat.enrichments.geo.continent_code: - dashed_name: threat-enrichments-geo-continent-code +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code description: Two-letter code representing continent's name. example: NA - flat_name: threat.enrichments.geo.continent_code + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 level: core name: continent_code @@ -10242,11 +11443,11 @@ threat.enrichments.geo.continent_code: original_fieldset: geo short: Continent code. type: keyword -threat.enrichments.geo.continent_name: - dashed_name: threat-enrichments-geo-continent-name +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name description: Name of the continent. example: North America - flat_name: threat.enrichments.geo.continent_name + flat_name: threat.indicator.geo.continent_name ignore_above: 1024 level: core name: continent_name @@ -10254,11 +11455,11 @@ threat.enrichments.geo.continent_name: original_fieldset: geo short: Name of the continent. type: keyword -threat.enrichments.geo.country_iso_code: - dashed_name: threat-enrichments-geo-country-iso-code +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code description: Country ISO code. example: CA - flat_name: threat.enrichments.geo.country_iso_code + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code 
@@ -10266,11 +11467,11 @@ threat.enrichments.geo.country_iso_code: original_fieldset: geo short: Country ISO code. type: keyword -threat.enrichments.geo.country_name: - dashed_name: threat-enrichments-geo-country-name +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name description: Country name. example: Canada - flat_name: threat.enrichments.geo.country_name + flat_name: threat.indicator.geo.country_name ignore_above: 1024 level: core name: country_name @@ -10278,19 +11479,19 @@ threat.enrichments.geo.country_name: original_fieldset: geo short: Country name. type: keyword -threat.enrichments.geo.location: - dashed_name: threat-enrichments-geo-location +threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.enrichments.geo.location + flat_name: threat.indicator.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point -threat.enrichments.geo.name: - dashed_name: threat-enrichments-geo-name +threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -10299,7 +11500,7 @@ threat.enrichments.geo.name: Not typically used in automated geolocation.' example: boston-dc - flat_name: threat.enrichments.geo.name + flat_name: threat.indicator.geo.name ignore_above: 1024 level: extended name: name 
@@ -10307,14 +11508,14 @@ threat.enrichments.geo.name: original_fieldset: geo short: User-defined description of a location. type: keyword -threat.enrichments.geo.postal_code: - dashed_name: threat-enrichments-geo-postal-code +threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 - flat_name: threat.enrichments.geo.postal_code + flat_name: threat.indicator.geo.postal_code ignore_above: 1024 level: core name: postal_code @@ -10322,11 +11523,11 @@ threat.enrichments.geo.postal_code: original_fieldset: geo short: Postal code. type: keyword -threat.enrichments.geo.region_iso_code: - dashed_name: threat-enrichments-geo-region-iso-code +threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code description: Region ISO code. example: CA-QC - flat_name: threat.enrichments.geo.region_iso_code + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code @@ -10334,11 +11535,11 @@ threat.enrichments.geo.region_iso_code: original_fieldset: geo short: Region ISO code. type: keyword -threat.enrichments.geo.region_name: - dashed_name: threat-enrichments-geo-region-name +threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name description: Region name. example: Quebec - flat_name: threat.enrichments.geo.region_name + flat_name: threat.indicator.geo.region_name ignore_above: 1024 level: core name: region_name 
@@ -10346,11 +11547,11 @@ threat.enrichments.geo.region_name: original_fieldset: geo short: Region name. type: keyword -threat.enrichments.geo.timezone: - dashed_name: threat-enrichments-geo-timezone +threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires - flat_name: threat.enrichments.geo.timezone + flat_name: threat.indicator.geo.timezone ignore_above: 1024 level: core name: timezone @@ -10358,10 +11559,10 @@ threat.enrichments.geo.timezone: original_fieldset: geo short: Time zone. type: keyword -threat.enrichments.hash.md5: - dashed_name: threat-enrichments-hash-md5 +threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 description: MD5 hash. - flat_name: threat.enrichments.hash.md5 + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended name: md5 @@ -10369,10 +11570,10 @@ threat.enrichments.hash.md5: original_fieldset: hash short: MD5 hash. type: keyword -threat.enrichments.hash.sha1: - dashed_name: threat-enrichments-hash-sha1 +threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 description: SHA1 hash. - flat_name: threat.enrichments.hash.sha1 + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -10380,10 +11581,10 @@ threat.enrichments.hash.sha1: original_fieldset: hash short: SHA1 hash. type: keyword -threat.enrichments.hash.sha256: - dashed_name: threat-enrichments-hash-sha256 +threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 description: SHA256 hash. - flat_name: threat.enrichments.hash.sha256 + flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended name: sha256 
@@ -10391,10 +11592,10 @@ threat.enrichments.hash.sha256: original_fieldset: hash short: SHA256 hash. type: keyword -threat.enrichments.hash.sha512: - dashed_name: threat-enrichments-hash-sha512 +threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 description: SHA512 hash. - flat_name: threat.enrichments.hash.sha512 + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -10402,10 +11603,10 @@ threat.enrichments.hash.sha512: original_fieldset: hash short: SHA512 hash. type: keyword -threat.enrichments.hash.ssdeep: - dashed_name: threat-enrichments-hash-ssdeep +threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep description: SSDEEP hash. - flat_name: threat.enrichments.hash.ssdeep + flat_name: threat.indicator.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep 
@@ -10413,71 +11614,314 @@ threat.enrichments.hash.ssdeep: original_fieldset: hash short: SSDEEP hash. type: keyword -threat.enrichments.matched.atomic: +threat.indicator.ip: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended - name: enrichments.matched.atomic + name: indicator.marking.tlp normalize: [] - short: Matched indicator value + short: Indicator TLP marking type: keyword -threat.enrichments.matched.field: +threat.indicator.modified_at: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. 
- example: file.hash.sha256 - flat_name: threat.enrichments.matched.field + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date +threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture ignore_above: 1024 level: extended - name: enrichments.matched.field + name: architecture normalize: [] - short: Matched indicator field + original_fieldset: pe + short: CPU architecture target for the file. type: keyword -threat.enrichments.matched.id: +threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword +threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +threat.indicator.port: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. 
- example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long +threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider ignore_above: 1024 level: extended - name: enrichments.matched.id + name: indicator.provider normalize: [] - short: Matched indicator identifier + short: Indicator provider type: keyword -threat.enrichments.matched.index: +threat.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference + ignore_above: 1024 + level: extended + name: indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword +threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. 
+ type: keyword +threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: keyword +threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. 
+ type: keyword +threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword +threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword +threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long +threat.indicator.sightings: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index - ignore_above: 1024 + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings level: extended - name: enrichments.matched.index + name: indicator.sightings normalize: [] - short: Matched indicator index - type: keyword -threat.enrichments.matched.type: + short: Number of times indicator observed + type: long +threat.indicator.type: beta: This field is beta and subject to change. 
- dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched with - the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ + \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type ignore_above: 1024 level: extended - name: enrichments.matched.type + name: indicator.type normalize: [] - short: Type of indicator match + short: Type of indicator type: keyword -threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain +threat.indicator.url.domain: + dashed_name: threat-indicator-url-domain description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain @@ -10486,7 +11930,7 @@ threat.enrichments.url.domain: If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co - flat_name: threat.enrichments.url.domain + flat_name: threat.indicator.url.domain ignore_above: 1024 level: extended name: domain @@ -10494,8 +11938,8 @@ threat.enrichments.url.domain: original_fieldset: url short: Domain of the url. type: keyword -threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension +threat.indicator.url.extension: + dashed_name: threat-indicator-url-extension description: 'The field contains the file extension from the original request url, excluding the leading dot. 
@@ -10507,7 +11951,7 @@ threat.enrichments.url.extension: Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.url.extension + flat_name: threat.indicator.url.extension ignore_above: 1024 level: extended name: extension @@ -10515,12 +11959,12 @@ threat.enrichments.url.extension: original_fieldset: url short: File extension from the request url, excluding the leading dot. type: keyword -threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment +threat.indicator.url.fragment: + dashed_name: threat-indicator-url-fragment description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + flat_name: threat.indicator.url.fragment ignore_above: 1024 level: extended name: fragment @@ -10528,16 +11972,16 @@ threat.enrichments.url.fragment: original_fieldset: url short: Portion of the url after the `#`. type: keyword -threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full +threat.indicator.url.full: + dashed_name: threat-indicator-url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + flat_name: threat.indicator.url.full ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.url.full.text + - flat_name: threat.indicator.url.full.text name: text norms: false type: text 
@@ -10546,8 +11990,8 @@ threat.enrichments.url.full: original_fieldset: url short: Full unparsed URL. type: keyword -threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original +threat.indicator.url.original: + dashed_name: threat-indicator-url-original description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in @@ -10555,11 +11999,11 @@ threat.enrichments.url.original: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + flat_name: threat.indicator.url.original ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.url.original.text + - flat_name: threat.indicator.url.original.text name: text norms: false type: text @@ -10568,10 +12012,10 @@ threat.enrichments.url.original: original_fieldset: url short: Unmodified original url as seen in the event source. type: keyword -threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password +threat.indicator.url.password: + dashed_name: threat-indicator-url-password description: Password of the request. - flat_name: threat.enrichments.url.password + flat_name: threat.indicator.url.password ignore_above: 1024 level: extended name: password @@ -10579,10 +12023,10 @@ threat.enrichments.url.password: original_fieldset: url short: Password of the request. type: keyword -threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path +threat.indicator.url.path: + dashed_name: threat-indicator-url-path description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path + flat_name: threat.indicator.url.path ignore_above: 1024 level: extended name: path 
@@ -10590,11 +12034,11 @@ threat.enrichments.url.path: original_fieldset: url short: Path of the request, such as "/search". type: keyword -threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port +threat.indicator.url.port: + dashed_name: threat-indicator-url-port description: Port of the request, such as 443. example: 443 - flat_name: threat.enrichments.url.port + flat_name: threat.indicator.url.port format: string level: extended name: port @@ -10602,8 +12046,8 @@ threat.enrichments.url.port: original_fieldset: url short: Port of the request, such as 443. type: long -threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query +threat.indicator.url.query: + dashed_name: threat-indicator-url-query description: 'The query field describes the query string of the request, such as "q=elasticsearch". @@ -10611,7 +12055,7 @@ threat.enrichments.url.query: no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - flat_name: threat.enrichments.url.query + flat_name: threat.indicator.url.query ignore_above: 1024 level: extended name: query @@ -10619,8 +12063,8 @@ threat.enrichments.url.query: original_fieldset: url short: Query string of the request. type: keyword -threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain +threat.indicator.url.registered_domain: + dashed_name: threat-indicator-url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -10629,7 +12073,7 @@ threat.enrichments.url.registered_domain: (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - flat_name: threat.enrichments.url.registered_domain + flat_name: threat.indicator.url.registered_domain ignore_above: 1024 level: extended name: registered_domain @@ -10637,13 +12081,13 @@ threat.enrichments.url.registered_domain: original_fieldset: url short: The highest registered url domain, stripped of the subdomain. type: keyword -threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme +threat.indicator.url.scheme: + dashed_name: threat-indicator-url-scheme description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - flat_name: threat.enrichments.url.scheme + flat_name: threat.indicator.url.scheme ignore_above: 1024 level: extended name: scheme @@ -10651,8 +12095,8 @@ threat.enrichments.url.scheme: original_fieldset: url short: Scheme of the url. type: keyword -threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain +threat.indicator.url.subdomain: + dashed_name: threat-indicator-url-subdomain description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be @@ -10662,7 +12106,7 @@ threat.enrichments.url.subdomain: domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east - flat_name: threat.enrichments.url.subdomain + flat_name: threat.indicator.url.subdomain ignore_above: 1024 level: extended name: subdomain 
@@ -10670,8 +12114,8 @@ threat.enrichments.url.subdomain: original_fieldset: url short: The subdomain of the domain. type: keyword -threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain +threat.indicator.url.top_level_domain: + dashed_name: threat-indicator-url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". @@ -10680,7 +12124,7 @@ threat.enrichments.url.top_level_domain: (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - flat_name: threat.enrichments.url.top_level_domain + flat_name: threat.indicator.url.top_level_domain ignore_above: 1024 level: extended name: top_level_domain @@ -10688,10 +12132,10 @@ threat.enrichments.url.top_level_domain: original_fieldset: url short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username +threat.indicator.url.username: + dashed_name: threat-indicator-url-username description: Username of the request. - flat_name: threat.enrichments.url.username + flat_name: threat.indicator.url.username ignore_above: 1024 level: extended name: username 
@@ -10699,13 +12143,13 @@ threat.enrichments.url.username: original_fieldset: url short: Username of the request. type: keyword -threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names +threat.indicator.x509.alternative_names: + dashed_name: threat-indicator-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + flat_name: threat.indicator.x509.alternative_names ignore_above: 1024 level: extended name: alternative_names @@ -10714,11 +12158,11 @@ threat.enrichments.x509.alternative_names: original_fieldset: x509 short: List of subject alternative names (SAN). type: keyword -threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name +threat.indicator.x509.issuer.common_name: + dashed_name: threat-indicator-x509-issuer-common-name description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + flat_name: threat.indicator.x509.issuer.common_name ignore_above: 1024 level: extended name: issuer.common_name @@ -10727,11 +12171,11 @@ threat.enrichments.x509.issuer.common_name: original_fieldset: x509 short: List of common name (CN) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country +threat.indicator.x509.issuer.country: + dashed_name: threat-indicator-x509-issuer-country description: List of country (C) codes example: US - flat_name: threat.enrichments.x509.issuer.country + flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 level: extended name: issuer.country 
@@ -10740,12 +12184,12 @@ threat.enrichments.x509.issuer.country: original_fieldset: x509 short: List of country (C) codes type: keyword -threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name +threat.indicator.x509.issuer.distinguished_name: + dashed_name: threat-indicator-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + flat_name: threat.indicator.x509.issuer.distinguished_name ignore_above: 1024 level: extended name: issuer.distinguished_name @@ -10753,11 +12197,11 @@ threat.enrichments.x509.issuer.distinguished_name: original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality +threat.indicator.x509.issuer.locality: + dashed_name: threat-indicator-x509-issuer-locality description: List of locality names (L) example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + flat_name: threat.indicator.x509.issuer.locality ignore_above: 1024 level: extended name: issuer.locality @@ -10766,11 +12210,11 @@ threat.enrichments.x509.issuer.locality: original_fieldset: x509 short: List of locality names (L) type: keyword -threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization +threat.indicator.x509.issuer.organization: + dashed_name: threat-indicator-x509-issuer-organization description: List of organizations (O) of issuing certificate authority. example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + flat_name: threat.indicator.x509.issuer.organization ignore_above: 1024 level: extended name: issuer.organization 
@@ -10779,11 +12223,11 @@ threat.enrichments.x509.issuer.organization: original_fieldset: x509 short: List of organizations (O) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit +threat.indicator.x509.issuer.organizational_unit: + dashed_name: threat-indicator-x509-issuer-organizational-unit description: List of organizational units (OU) of issuing certificate authority. example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + flat_name: threat.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended name: issuer.organizational_unit @@ -10792,11 +12236,11 @@ threat.enrichments.x509.issuer.organizational_unit: original_fieldset: x509 short: List of organizational units (OU) of issuing certificate authority. type: keyword -threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province +threat.indicator.x509.issuer.state_or_province: + dashed_name: threat-indicator-x509-issuer-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + flat_name: threat.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended name: issuer.state_or_province 
@@ -10805,33 +12249,33 @@ threat.enrichments.x509.issuer.state_or_province: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after +threat.indicator.x509.not_after: + dashed_name: threat-indicator-x509-not-after description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + flat_name: threat.indicator.x509.not_after level: extended name: not_after normalize: [] original_fieldset: x509 short: Time at which the certificate is no longer considered valid. type: date -threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before +threat.indicator.x509.not_before: + dashed_name: threat-indicator-x509-not-before description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + flat_name: threat.indicator.x509.not_before level: extended name: not_before normalize: [] original_fieldset: x509 short: Time at which the certificate is first considered valid. type: date -threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm +threat.indicator.x509.public_key_algorithm: + dashed_name: threat-indicator-x509-public-key-algorithm description: Algorithm used to generate the public key. example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + flat_name: threat.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended name: public_key_algorithm 
@@ -10839,12 +12283,12 @@ threat.enrichments.x509.public_key_algorithm: original_fieldset: x509 short: Algorithm used to generate the public key. type: keyword -threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve +threat.indicator.x509.public_key_curve: + dashed_name: threat-indicator-x509-public-key-curve description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + flat_name: threat.indicator.x509.public_key_curve ignore_above: 1024 level: extended name: public_key_curve @@ -10853,12 +12297,12 @@ threat.enrichments.x509.public_key_curve: short: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent +threat.indicator.x509.public_key_exponent: + dashed_name: threat-indicator-x509-public-key-exponent description: Exponent used to derive the public key. This is algorithm specific. doc_values: false example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent + flat_name: threat.indicator.x509.public_key_exponent index: false level: extended name: public_key_exponent 
@@ -10866,24 +12310,24 @@ threat.enrichments.x509.public_key_exponent: original_fieldset: x509 short: Exponent used to derive the public key. This is algorithm specific. type: long -threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size +threat.indicator.x509.public_key_size: + dashed_name: threat-indicator-x509-public-key-size description: The size of the public key space in bits. example: 2048 - flat_name: threat.enrichments.x509.public_key_size + flat_name: threat.indicator.x509.public_key_size level: extended name: public_key_size normalize: [] original_fieldset: x509 short: The size of the public key space in bits. type: long -threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number +threat.indicator.x509.serial_number: + dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + flat_name: threat.indicator.x509.serial_number ignore_above: 1024 level: extended name: serial_number @@ -10891,12 +12335,12 @@ threat.enrichments.x509.serial_number: original_fieldset: x509 short: Unique serial number issued by the certificate authority. type: keyword -threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm +threat.indicator.x509.signature_algorithm: + dashed_name: threat-indicator-x509-signature-algorithm description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + flat_name: threat.indicator.x509.signature_algorithm ignore_above: 1024 level: extended name: signature_algorithm 
@@ -10904,11 +12348,11 @@ threat.enrichments.x509.signature_algorithm: original_fieldset: x509 short: Identifier for certificate signature algorithm. type: keyword -threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name +threat.indicator.x509.subject.common_name: + dashed_name: threat-indicator-x509-subject-common-name description: List of common names (CN) of subject. example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + flat_name: threat.indicator.x509.subject.common_name ignore_above: 1024 level: extended name: subject.common_name @@ -10917,11 +12361,11 @@ threat.enrichments.x509.subject.common_name: original_fieldset: x509 short: List of common names (CN) of subject. type: keyword -threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country +threat.indicator.x509.subject.country: + dashed_name: threat-indicator-x509-subject-country description: List of country (C) code example: US - flat_name: threat.enrichments.x509.subject.country + flat_name: threat.indicator.x509.subject.country ignore_above: 1024 level: extended name: subject.country @@ -10930,11 +12374,11 @@ threat.enrichments.x509.subject.country: original_fieldset: x509 short: List of country (C) code type: keyword -threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name +threat.indicator.x509.subject.distinguished_name: + dashed_name: threat-indicator-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + flat_name: threat.indicator.x509.subject.distinguished_name ignore_above: 1024 level: extended name: subject.distinguished_name 
@@ -10942,11 +12386,11 @@ threat.enrichments.x509.subject.distinguished_name: original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. type: keyword -threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality +threat.indicator.x509.subject.locality: + dashed_name: threat-indicator-x509-subject-locality description: List of locality names (L) example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + flat_name: threat.indicator.x509.subject.locality ignore_above: 1024 level: extended name: subject.locality @@ -10955,11 +12399,11 @@ threat.enrichments.x509.subject.locality: original_fieldset: x509 short: List of locality names (L) type: keyword -threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization +threat.indicator.x509.subject.organization: + dashed_name: threat-indicator-x509-subject-organization description: List of organizations (O) of subject. example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + flat_name: threat.indicator.x509.subject.organization ignore_above: 1024 level: extended name: subject.organization @@ -10968,10 +12412,10 @@ threat.enrichments.x509.subject.organization: original_fieldset: x509 short: List of organizations (O) of subject. type: keyword -threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit +threat.indicator.x509.subject.organizational_unit: + dashed_name: threat-indicator-x509-subject-organizational-unit description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit + flat_name: threat.indicator.x509.subject.organizational_unit ignore_above: 1024 level: extended name: subject.organizational_unit 
@@ -10980,11 +12424,11 @@ threat.enrichments.x509.subject.organizational_unit: original_fieldset: x509 short: List of organizational units (OU) of subject. type: keyword -threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province +threat.indicator.x509.subject.state_or_province: + dashed_name: threat-indicator-x509-subject-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.subject.state_or_province + flat_name: threat.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended name: subject.state_or_province @@ -10993,11 +12437,11 @@ threat.enrichments.x509.subject.state_or_province: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword -threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number +threat.indicator.x509.version_number: + dashed_name: threat-indicator-x509-version-number description: Version of x509 format. example: 3 - flat_name: threat.enrichments.x509.version_number + flat_name: threat.indicator.x509.version_number ignore_above: 1024 level: extended name: version_number 
@@ -11005,227 +12449,6 @@ threat.enrichments.x509.version_number: original_fieldset: x509 short: Version of x509 format. type: keyword -threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification can - be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework - ignore_above: 1024 - level: extended - name: framework - normalize: [] - short: Threat classification framework. - type: keyword -threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias - ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. - type: keyword -threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that are\ - \ tracked by a common name in the security community. While not required, you\ - \ can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id - ignore_above: 1024 - level: extended - name: group.id - normalize: [] - short: ID of the group. - type: keyword -threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - flat_name: threat.group.name - ignore_above: 1024 - level: extended - name: group.name - normalize: [] - short: Name of the group. - type: keyword -threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference - ignore_above: 1024 - level: extended - name: group.reference - normalize: [] - short: Reference URL of the group. - type: keyword -threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 - level: extended - name: indicator.confidence - normalize: [] - short: Indicator confidence rating - type: keyword -threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description - ignore_above: 1024 - level: extended - name: indicator.description - normalize: [] - short: Indicator description - type: keyword -threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective of - direction). 
- example: phish@example.com - flat_name: threat.indicator.email.address - ignore_above: 1024 - level: extended - name: indicator.email.address - normalize: [] - short: Indicator email address - type: keyword -threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen - level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date -threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip -threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting this - indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen - level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date -threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp - ignore_above: 1024 - level: extended - name: indicator.marking.tlp - normalize: [] - short: Indicator TLP marking - type: keyword -threat.indicator.modified_at: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at - level: extended - name: indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date -threat.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of direction). - example: 443 - flat_name: threat.indicator.port - level: extended - name: indicator.port - normalize: [] - short: Indicator port - type: long -threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file or - URL. - example: 4 - flat_name: threat.indicator.scanner_stats - level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long -threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings - level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long -threat.indicator.type: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type - ignore_above: 1024 - level: extended - name: indicator.type - normalize: [] - short: Type of indicator - type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 51c2904fd9..7fc71db9d2 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -152,9 +152,13 @@ as: at: source full: source.as - as: as - at: threat.enrichments + at: threat.indicator beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.as + full: threat.indicator.as + - as: as + at: threat.enrichments.indicator + beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). title: Autonomous System @@ -3072,8 +3076,8 @@ event: type: keyword event.original: dashed_name: event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may + description: 'Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, 
@@ -3423,13 +3427,6 @@ event: group: 2 name: event prefix: event. - reusable: - expected: - - as: event - at: threat.enrichments - beta: Reusing the `event` fields in this location is currently considered beta. - full: threat.enrichments.event - top_level: true short: Fields breaking down the event details. title: Event type: group @@ -4585,9 +4582,13 @@ file: reusable: expected: - as: file - at: threat.enrichments + at: threat.indicator + beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.indicator.file + - as: file + at: threat.enrichments.indicator beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.file + full: threat.enrichments.indicator.file top_level: true reused_here: - full: file.code_signature @@ -4769,9 +4770,13 @@ geo: at: source full: source.geo - as: geo - at: threat.enrichments + at: threat.indicator + beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.indicator.geo + - as: geo + at: threat.enrichments.indicator beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.geo + full: threat.enrichments.indicator.geo top_level: false short: Fields describing a location. title: Geo @@ -4901,9 +4906,13 @@ hash: at: dll full: dll.hash - as: hash - at: threat.enrichments + at: threat.indicator + beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.indicator.hash + - as: hash + at: threat.enrichments.indicator beta: Reusing the `hash` fields in this location is currently considered beta. - full: threat.enrichments.hash + full: threat.enrichments.indicator.hash top_level: false short: Hashes, usually file hashes. title: Hash 
@@ -7283,6 +7292,14 @@ pe: - as: pe at: process full: process.pe + - as: pe + at: threat.indicator + beta: Reusing the `pe` fields in this location is currently considered beta. + full: threat.indicator.pe + - as: pe + at: threat.enrichments.indicator + beta: Reusing the `pe` fields in this location is currently considered beta. + full: threat.enrichments.indicator.pe top_level: false short: These fields contain Windows Portable Executable (PE) metadata. title: PE Header @@ -9025,6 +9042,19 @@ registry: group: 2 name: registry prefix: registry. + reusable: + expected: + - as: registry + at: threat.indicator + beta: Reusing the `registry` fields in this location is currently considered + beta. + full: threat.indicator.registry + - as: registry + at: threat.enrichments.indicator + beta: Reusing the `registry` fields in this location is currently considered + beta. + full: threat.enrichments.indicator.registry + top_level: true short: Fields related to Windows Registry operations. title: Registry type: group 
@@ -10353,35 +10383,45 @@ threat: threat.enrichments: beta: This field is beta and subject to change. dashed_name: threat-enrichments - description: A list of associated indicators enriching the event, and the context - of that association/enrichment. + description: A list of associated indicators objects enriching the event, and + the context of that association/enrichment. flat_name: threat.enrichments level: extended name: enrichments normalize: [] - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. type: nested - threat.enrichments.as.number: - dashed_name: threat-enrichments-as-number + threat.enrichments.indicator: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator + description: Object containing associated indicators enriching the event. + flat_name: threat.enrichments.indicator + level: extended + name: enrichments.indicator + normalize: [] + short: Object containing indicators enriching the event. + type: object + threat.enrichments.indicator.as.number: + dashed_name: threat-enrichments-indicator-as-number description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - flat_name: threat.enrichments.as.number + flat_name: threat.enrichments.indicator.as.number level: extended name: number normalize: [] original_fieldset: as short: Unique number allocated to the autonomous system. type: long - threat.enrichments.as.organization.name: - dashed_name: threat-enrichments-as-organization-name + threat.enrichments.indicator.as.organization.name: + dashed_name: threat-enrichments-indicator-as-organization-name description: Organization name. 
example: Google LLC - flat_name: threat.enrichments.as.organization.name + flat_name: threat.enrichments.indicator.as.organization.name ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.as.organization.name.text + - flat_name: threat.enrichments.indicator.as.organization.name.text name: text norms: false type: text 
@@ -10390,852 +10430,2019 @@ threat: original_fieldset: as short: Organization name. type: keyword - threat.enrichments.event.action: - dashed_name: threat-enrichments-event-action - description: 'The action captured by the event. - - This describes the information in the event. It is more specific than `event.category`. - Examples are `group-add`, `process-started`, `file-created`. The value is - normally defined by the implementer.' - example: user-password-change - flat_name: threat.enrichments.event.action + threat.enrichments.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales. Expected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.enrichments.indicator.confidence ignore_above: 1024 - level: core - name: action + level: extended + name: enrichments.indicator.confidence normalize: [] - original_fieldset: event - short: The action captured by the event. + short: Indicator confidence rating type: keyword - threat.enrichments.event.agent_id_status: - dashed_name: threat-enrichments-event-agent-id-status - description: 'Agents are normally responsible for populating the `agent.id` - field value. If the system receiving events is capable of validating the value - based on authentication information for the client then this field can be - used to reflect the outcome of that validation. - - For example if the agent''s connection is authenticated with mTLS and the - client cert contains the ID of the agent to which the cert was issued then - the `agent.id` value in events can be checked against the certificate. 
If - the values match then `event.agent_id_status: verified` is added to the event, - otherwise one of the other allowed values should be used. - - If no validation is performed then the field should be omitted. + threat.enrichments.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.enrichments.indicator.description + ignore_above: 1024 + level: extended + name: enrichments.indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.enrichments.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.enrichments.indicator.email.address + ignore_above: 1024 + level: extended + name: enrichments.indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.enrichments.indicator.file.accessed: + dashed_name: threat-enrichments-indicator-file-accessed + description: 'Last time the file was accessed. - The allowed values are: + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.enrichments.indicator.file.attributes: + dashed_name: threat-enrichments-indicator-file-attributes + description: 'Array of file attributes. - `verified` - The `agent.id` field value matches expected value obtained from - auth metadata. + Attributes names will vary by platform. 
Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.enrichments.indicator.file.code_signature.exists: + dashed_name: threat-enrichments-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.enrichments.indicator.file.code_signature.signing_id: + dashed_name: threat-enrichments-indicator-file-code-signature-signing-id + description: 'The identifier used to sign the process. - `mismatch` - The `agent.id` field value does not match the expected value - obtained from auth metadata. + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.indicator.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + threat.enrichments.indicator.file.code_signature.status: + dashed_name: threat-enrichments-indicator-file-code-signature-status + description: 'Additional information about the certificate status. - `missing` - There was no `agent.id` field in the event to validate. + This is useful for logging cryptographic errors with the certificate validity + or trust status. 
Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword + threat.enrichments.indicator.file.code_signature.subject_name: + dashed_name: threat-enrichments-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + threat.enrichments.indicator.file.code_signature.team_id: + dashed_name: threat-enrichments-indicator-file-code-signature-team-id + description: 'The team identifier used to sign the process. - `auth_metadata_missing` - There was no auth metadata or it was missing information - about the agent ID.' - example: verified - flat_name: threat.enrichments.event.agent_id_status + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.indicator.file.code_signature.team_id ignore_above: 1024 level: extended - name: agent_id_status + name: team_id normalize: [] - original_fieldset: event - short: Validation status of the event's agent.id field. + original_fieldset: code_signature + short: The team identifier used to sign the process. type: keyword - threat.enrichments.event.category: - allowed_values: - - description: Events in this category are related to the challenge and response - process in which credentials are supplied and verified to allow the creation - of a session. Common sources for these logs are Windows event logs and ssh - logs. 
Visualize and analyze events in this category to look for failed logins, - and other authentication-related activity. - expected_event_types: - - start - - end - - info - name: authentication - - description: 'Events in the configuration category have to deal with creating, - modifying, or deleting the settings or parameters of an application, process, - or system. + threat.enrichments.indicator.file.code_signature.trusted: + dashed_name: threat-enrichments-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. - Example sources include security policy change logs, configuration auditing - logging, and system integrity monitoring.' - expected_event_types: - - access - - change - - creation - - deletion - - info - name: configuration - - description: The database category denotes events and metrics relating to - a data storage and retrieval system. Note that use of this category is not - limited to relational database systems. Examples include event logs from - MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize - and analyze database activity such as accesses and changes. - expected_event_types: - - access - - change - - info - - error - name: database - - description: 'Events in the driver category have to do with operating system - device drivers and similar software entities such as Windows drivers, kernel - extensions, kernel modules, etc. + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. 
+ type: boolean + threat.enrichments.indicator.file.code_signature.valid: + dashed_name: threat-enrichments-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. - Use events and metrics in this category to visualize and analyze driver-related - activity and status on hosts.' - expected_event_types: - - change - - end - - info - - start - name: driver - - description: Relating to a set of information that has been created on, or - has existed on a filesystem. Use this category of events to visualize and - analyze the creation, access, and deletions of files. Events in this category - can come from both host-based and network-based sources. An example source - of a network-based detection of a file transfer would be the Zeek file.log. - expected_event_types: - - change - - creation - - deletion - - info - name: file - - description: 'Use this category to visualize and analyze information such - as host inventory or host lifecycle events. + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.enrichments.indicator.file.created: + dashed_name: threat-enrichments-indicator-file-created + description: 'File creation time. - Most of the events in this category can usually be observed from the outside, - such as from a hypervisor or a control plane''s point of view. Some can - also be seen from within, such as "start" or "end". + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. 
+ type: date + threat.enrichments.indicator.file.ctime: + dashed_name: threat-enrichments-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. - Note that this category is for information about hosts themselves; it is - not meant to capture activity "happening on a host".' - expected_event_types: - - access - - change - - end - - info - - start - name: host - - description: Identity and access management (IAM) events relating to users, - groups, and administration. Use this category to visualize and analyze IAM-related - logs and data from active directory, LDAP, Okta, Duo, and other IAM systems. - expected_event_types: - - admin - - change - - creation - - deletion - - group - - info - - user - name: iam - - description: Relating to intrusion detections from IDS/IPS systems and functions, - both network and host-based. Use this category to visualize and analyze - intrusion detection alerts from systems such as Snort, Suricata, and Palo - Alto threat detections. - expected_event_types: - - allowed - - denied - - info - name: intrusion_detection - - description: Malware detection events and alerts. Use this category to visualize - and analyze malware detections from EDR/EPP systems such as Elastic Endpoint - Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS - systems such as Suricata, or other sources of malware-related events such - as Palo Alto Networks threat logs and Wildfire logs. - expected_event_types: - - info - name: malware - - description: Relating to all network activity, including network connection - lifecycle, network traffic, and essentially any event that includes an IP - address. Many events containing decoded network protocol transactions fit - into this category. Use events in this category to visualize or analyze - counts of network ports, protocols, addresses, geolocation information, - etc. 
- expected_event_types: - - access - - allowed - - connection - - denied - - end - - info - - protocol - - start - name: network - - description: Relating to software packages installed on hosts. Use this category - to visualize and analyze inventory of software installed on various hosts, - or to determine host vulnerability in the absence of vulnerability scan - data. - expected_event_types: - - access - - change - - deletion - - info - - installation - - start - name: package - - description: Use this category of events to visualize and analyze process-specific - information such as lifecycle events or process ancestry. - expected_event_types: - - access - - change - - end - - info - - start - name: process - - description: Having to do with settings and assets stored in the Windows registry. - Use this category to visualize and analyze activity such as registry access - and modifications. - expected_event_types: - - access - - change - - creation - - deletion - name: registry - - description: The session category is applied to events and metrics regarding - logical persistent connections to hosts and services. Use this category - to visualize and analyze interactive or automated persistent connections - between assets. Data for this category may come from Windows Event logs, - SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. - expected_event_types: - - start - - end - - info - name: session - - description: 'Relating to web server access. Use this category to create a - dashboard of web server/proxy activity from apache, IIS, nginx web servers, - etc. Note: events from network observers such as Zeek http log may also - be included in this category.' - expected_event_types: - - access - - error - - info - name: web - dashed_name: threat-enrichments-event-category - description: 'This is one of four ECS Categorization Fields, and indicates the - second level in the ECS category hierarchy. 
+ Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.enrichments.indicator.file.device: + dashed_name: threat-enrichments-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword + threat.enrichments.indicator.file.directory: + dashed_name: threat-enrichments-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.enrichments.indicator.file.directory + ignore_above: 1024 + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: keyword + threat.enrichments.indicator.file.drive_letter: + dashed_name: threat-enrichments-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.enrichments.indicator.file.elf.architecture: + dashed_name: threat-enrichments-indicator-file-elf-architecture + description: Machine architecture of the ELF file. 
+ example: x86-64 + flat_name: threat.enrichments.indicator.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + threat.enrichments.indicator.file.elf.byte_order: + dashed_name: threat-enrichments-indicator-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.indicator.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + threat.enrichments.indicator.file.elf.cpu_type: + dashed_name: threat-enrichments-indicator-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.indicator.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + threat.enrichments.indicator.file.elf.creation_date: + dashed_name: threat-enrichments-indicator-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.indicator.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.enrichments.indicator.file.elf.exports: + dashed_name: threat-enrichments-indicator-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.indicator.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. 
+ type: flattened + threat.enrichments.indicator.file.elf.header.abi_version: + dashed_name: threat-enrichments-indicator-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.indicator.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + threat.enrichments.indicator.file.elf.header.class: + dashed_name: threat-enrichments-indicator-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + threat.enrichments.indicator.file.elf.header.data: + dashed_name: threat-enrichments-indicator-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + threat.enrichments.indicator.file.elf.header.entrypoint: + dashed_name: threat-enrichments-indicator-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.enrichments.indicator.file.elf.header.object_version: + dashed_name: threat-enrichments-indicator-file-elf-header-object-version + description: '"0x1" for original ELF files.' 
+ flat_name: threat.enrichments.indicator.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + threat.enrichments.indicator.file.elf.header.os_abi: + dashed_name: threat-enrichments-indicator-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.indicator.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.enrichments.indicator.file.elf.header.type: + dashed_name: threat-enrichments-indicator-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.indicator.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + threat.enrichments.indicator.file.elf.header.version: + dashed_name: threat-enrichments-indicator-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.indicator.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + threat.enrichments.indicator.file.elf.imports: + dashed_name: threat-enrichments-indicator-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.indicator.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. 
+ type: flattened + threat.enrichments.indicator.file.elf.sections: + dashed_name: threat-enrichments-indicator-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.enrichments.indicator.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.enrichments.indicator.file.elf.sections.chi2: + dashed_name: threat-enrichments-indicator-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.indicator.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.enrichments.indicator.file.elf.sections.entropy: + dashed_name: threat-enrichments-indicator-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.indicator.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + threat.enrichments.indicator.file.elf.sections.flags: + dashed_name: threat-enrichments-indicator-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.indicator.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + threat.enrichments.indicator.file.elf.sections.name: + dashed_name: threat-enrichments-indicator-file-elf-sections-name + description: ELF Section List name. 
+ flat_name: threat.enrichments.indicator.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + threat.enrichments.indicator.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + threat.enrichments.indicator.file.elf.sections.physical_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.indicator.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.enrichments.indicator.file.elf.sections.type: + dashed_name: threat-enrichments-indicator-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.indicator.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + threat.enrichments.indicator.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. 
+ type: long + threat.enrichments.indicator.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-indicator-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.indicator.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.enrichments.indicator.file.elf.segments: + dashed_name: threat-enrichments-indicator-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.enrichments.indicator.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.enrichments.indicator.file.elf.segments.sections: + dashed_name: threat-enrichments-indicator-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.indicator.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + threat.enrichments.indicator.file.elf.segments.type: + dashed_name: threat-enrichments-indicator-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.indicator.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + threat.enrichments.indicator.file.elf.shared_libraries: + dashed_name: threat-enrichments-indicator-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. 
+ flat_name: threat.enrichments.indicator.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + threat.enrichments.indicator.file.elf.telfhash: + dashed_name: threat-enrichments-indicator-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.enrichments.indicator.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + threat.enrichments.indicator.file.extension: + dashed_name: threat-enrichments-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.enrichments.indicator.file.gid: + dashed_name: threat-enrichments-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.enrichments.indicator.file.group: + dashed_name: threat-enrichments-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. 
+ type: keyword + threat.enrichments.indicator.file.inode: + dashed_name: threat-enrichments-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword + threat.enrichments.indicator.file.mime_type: + dashed_name: threat-enrichments-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.enrichments.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword + threat.enrichments.indicator.file.mode: + dashed_name: threat-enrichments-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.enrichments.indicator.file.mtime: + dashed_name: threat-enrichments-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date + threat.enrichments.indicator.file.name: + dashed_name: threat-enrichments-indicator-file-name + description: Name of the file including the extension, without the directory. 
+ example: example.png + flat_name: threat.enrichments.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword + threat.enrichments.indicator.file.owner: + dashed_name: threat-enrichments-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword + threat.enrichments.indicator.file.path: + dashed_name: threat-enrichments-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.indicator.file.path + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: keyword + threat.enrichments.indicator.file.size: + dashed_name: threat-enrichments-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long + threat.enrichments.indicator.file.target_path: + dashed_name: threat-enrichments-indicator-file-target-path + description: Target path for symlinks. 
+ flat_name: threat.enrichments.indicator.file.target_path + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: keyword + threat.enrichments.indicator.file.type: + dashed_name: threat-enrichments-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword + threat.enrichments.indicator.file.uid: + dashed_name: threat-enrichments-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.enrichments.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.first_seen + level: extended + name: enrichments.indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.enrichments.indicator.geo.city_name: + dashed_name: threat-enrichments-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. 
+ type: keyword + threat.enrichments.indicator.geo.continent_code: + dashed_name: threat-enrichments-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + threat.enrichments.indicator.geo.continent_name: + dashed_name: threat-enrichments-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.enrichments.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.enrichments.indicator.geo.country_iso_code: + dashed_name: threat-enrichments-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.enrichments.indicator.geo.country_name: + dashed_name: threat-enrichments-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.enrichments.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.enrichments.indicator.geo.location: + dashed_name: threat-enrichments-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. 
+ type: geo_point + threat.enrichments.indicator.geo.name: + dashed_name: threat-enrichments-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.indicator.geo.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: keyword + threat.enrichments.indicator.geo.postal_code: + dashed_name: threat-enrichments-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.enrichments.indicator.geo.region_iso_code: + dashed_name: threat-enrichments-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.enrichments.indicator.geo.region_name: + dashed_name: threat-enrichments-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. 
+ type: keyword + threat.enrichments.indicator.geo.timezone: + dashed_name: threat-enrichments-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + threat.enrichments.indicator.hash.md5: + dashed_name: threat-enrichments-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.enrichments.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.enrichments.indicator.hash.sha1: + dashed_name: threat-enrichments-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + threat.enrichments.indicator.hash.sha256: + dashed_name: threat-enrichments-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + threat.enrichments.indicator.hash.sha512: + dashed_name: threat-enrichments-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.enrichments.indicator.hash.ssdeep: + dashed_name: threat-enrichments-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. 
+ type: keyword + threat.enrichments.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.enrichments.indicator.ip + level: extended + name: enrichments.indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.enrichments.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.last_seen + level: extended + name: enrichments.indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.enrichments.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings. Recommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: White + flat_name: threat.enrichments.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: enrichments.indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.enrichments.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.indicator.modified_at + level: extended + name: enrichments.indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. 
+ type: date + threat.enrichments.indicator.pe.architecture: + dashed_name: threat-enrichments-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.enrichments.indicator.pe.company: + dashed_name: threat-enrichments-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.description: + dashed_name: threat-enrichments-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.file_version: + dashed_name: threat-enrichments-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + threat.enrichments.indicator.pe.imphash: + dashed_name: threat-enrichments-indicator-pe-imphash + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + threat.enrichments.indicator.pe.original_file_name: + dashed_name: threat-enrichments-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.indicator.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.pe.product: + dashed_name: threat-enrichments-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + threat.enrichments.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.enrichments.indicator.port + level: extended + name: enrichments.indicator.port + normalize: [] + short: Indicator port + type: long + threat.enrichments.indicator.provider: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.enrichments.indicator.provider + ignore_above: 1024 + level: extended + name: enrichments.indicator.provider + normalize: [] + short: Indicator provider + type: keyword + threat.enrichments.indicator.reference: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.enrichments.indicator.reference + ignore_above: 1024 + level: extended + name: enrichments.indicator.reference + normalize: [] + short: Indicator reference URL + type: keyword + threat.enrichments.indicator.registry.data.bytes: + dashed_name: threat-enrichments-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.enrichments.indicator.registry.data.strings: + dashed_name: threat-enrichments-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. 
For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: keyword + threat.enrichments.indicator.registry.data.type: + dashed_name: threat-enrichments-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword + threat.enrichments.indicator.registry.hive: + dashed_name: threat-enrichments-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.enrichments.indicator.registry.key: + dashed_name: threat-enrichments-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.indicator.registry.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. 
+ type: keyword + threat.enrichments.indicator.registry.path: + dashed_name: threat-enrichments-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.indicator.registry.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword + threat.enrichments.indicator.registry.value: + dashed_name: threat-enrichments-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.enrichments.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.enrichments.indicator.scanner_stats + level: extended + name: enrichments.indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.enrichments.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.enrichments.indicator.sightings + level: extended + name: enrichments.indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.enrichments.indicator.type: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\ + \ Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.enrichments.indicator.type + ignore_above: 1024 + level: extended + name: enrichments.indicator.type + normalize: [] + short: Type of indicator + type: keyword + threat.enrichments.indicator.url.domain: + dashed_name: threat-enrichments-indicator-url-domain + description: 'Domain of the url, such as "www.elastic.co". - `event.category` represents the "big buckets" of ECS categories. For example, - filtering on `event.category:process` yields all events relating to process - activity. This field is closely related to `event.type`, which is used as - a subcategory. + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. - This field is an array. This will allow proper categorization of some events - that fall in multiple categories.' - example: authentication - flat_name: threat.enrichments.event.category + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.enrichments.indicator.url.domain + ignore_above: 1024 + level: extended + name: domain + normalize: [] + original_fieldset: url + short: Domain of the url. + type: keyword + threat.enrichments.indicator.url.extension: + dashed_name: threat-enrichments-indicator-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. 
+ + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.indicator.url.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: url + short: File extension from the request url, excluding the leading dot. + type: keyword + threat.enrichments.indicator.url.fragment: + dashed_name: threat-enrichments-indicator-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.indicator.url.fragment + ignore_above: 1024 + level: extended + name: fragment + normalize: [] + original_fieldset: url + short: Portion of the url after the `#`. + type: keyword + threat.enrichments.indicator.url.full: + dashed_name: threat-enrichments-indicator-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.indicator.url.full + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.url.full.text + name: text + norms: false + type: text + name: full + normalize: [] + original_fieldset: url + short: Full unparsed URL. + type: keyword + threat.enrichments.indicator.url.original: + dashed_name: threat-enrichments-indicator-url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. 
+ + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.indicator.url.original + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.enrichments.indicator.url.original.text + name: text + norms: false + type: text + name: original + normalize: [] + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: keyword + threat.enrichments.indicator.url.password: + dashed_name: threat-enrichments-indicator-url-password + description: Password of the request. + flat_name: threat.enrichments.indicator.url.password + ignore_above: 1024 + level: extended + name: password + normalize: [] + original_fieldset: url + short: Password of the request. + type: keyword + threat.enrichments.indicator.url.path: + dashed_name: threat-enrichments-indicator-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.indicator.url.path + ignore_above: 1024 + level: extended + name: path + normalize: [] + original_fieldset: url + short: Path of the request, such as "/search". + type: keyword + threat.enrichments.indicator.url.port: + dashed_name: threat-enrichments-indicator-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.indicator.url.port + format: string + level: extended + name: port + normalize: [] + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.enrichments.indicator.url.query: + dashed_name: threat-enrichments-indicator-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. 
The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.enrichments.indicator.url.query + ignore_above: 1024 + level: extended + name: query + normalize: [] + original_fieldset: url + short: Query string of the request. + type: keyword + threat.enrichments.indicator.url.registered_domain: + dashed_name: threat-enrichments-indicator-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.indicator.url.registered_domain + ignore_above: 1024 + level: extended + name: registered_domain + normalize: [] + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: keyword + threat.enrichments.indicator.url.scheme: + dashed_name: threat-enrichments-indicator-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.indicator.url.scheme + ignore_above: 1024 + level: extended + name: scheme + normalize: [] + original_fieldset: url + short: Scheme of the url. + type: keyword + threat.enrichments.indicator.url.subdomain: + dashed_name: threat-enrichments-indicator-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.indicator.url.subdomain + ignore_above: 1024 + level: extended + name: subdomain + normalize: [] + original_fieldset: url + short: The subdomain of the domain. + type: keyword + threat.enrichments.indicator.url.top_level_domain: + dashed_name: threat-enrichments-indicator-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.indicator.url.top_level_domain + ignore_above: 1024 + level: extended + name: top_level_domain + normalize: [] + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). + type: keyword + threat.enrichments.indicator.url.username: + dashed_name: threat-enrichments-indicator-url-username + description: Username of the request. + flat_name: threat.enrichments.indicator.url.username + ignore_above: 1024 + level: extended + name: username + normalize: [] + original_fieldset: url + short: Username of the request. + type: keyword + threat.enrichments.indicator.x509.alternative_names: + dashed_name: threat-enrichments-indicator-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. 
+ example: '*.elastic.co' + flat_name: threat.enrichments.indicator.x509.alternative_names + ignore_above: 1024 + level: extended + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). + type: keyword + threat.enrichments.indicator.x509.issuer.common_name: + dashed_name: threat-enrichments-indicator-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.indicator.x509.issuer.common_name + ignore_above: 1024 + level: extended + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. + type: keyword + threat.enrichments.indicator.x509.issuer.country: + dashed_name: threat-enrichments-indicator-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.indicator.x509.issuer.country + ignore_above: 1024 + level: extended + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword + threat.enrichments.indicator.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.indicator.x509.issuer.distinguished_name + ignore_above: 1024 + level: extended + name: issuer.distinguished_name + normalize: [] + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. 
+ type: keyword + threat.enrichments.indicator.x509.issuer.locality: + dashed_name: threat-enrichments-indicator-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.indicator.x509.issuer.locality ignore_above: 1024 - level: core - name: category + level: extended + name: issuer.locality normalize: - array - original_fieldset: event - short: Event category. The second categorization field in the hierarchy. + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.enrichments.event.code: - dashed_name: threat-enrichments-event-code - description: 'Identification code for this event, if one exists. - - Some event sources use event codes to identify messages unambiguously, regardless - of message language or wording adjustments over time. An example of this is - the Windows Event ID.' - example: 4648 - flat_name: threat.enrichments.event.code + threat.enrichments.indicator.x509.issuer.organization: + dashed_name: threat-enrichments-indicator-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.indicator.x509.issuer.organization ignore_above: 1024 level: extended - name: code - normalize: [] - original_fieldset: event - short: Identification code for this event. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword - threat.enrichments.event.created: - dashed_name: threat-enrichments-event-created - description: 'event.created contains the date/time when the event was first - read by an agent, or by your pipeline. - - This field is distinct from @timestamp in that @timestamp typically contain - the time extracted from the original event. - - In most situations, these two timestamps will be slightly different. 
The difference - can be used to calculate the delay between your source generating an event, - and the time when your agent first processed it. This can be used to monitor - your agent''s or pipeline''s ability to keep up with your event source. - - In case the two timestamps are identical, @timestamp should be used.' - example: '2016-05-23T08:05:34.857Z' - flat_name: threat.enrichments.event.created - level: core - name: created + threat.enrichments.indicator.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.indicator.x509.issuer.organizational_unit + ignore_above: 1024 + level: extended + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. + type: keyword + threat.enrichments.indicator.x509.issuer.state_or_province: + dashed_name: threat-enrichments-indicator-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.issuer.state_or_province + ignore_above: 1024 + level: extended + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.indicator.x509.not_after: + dashed_name: threat-enrichments-indicator-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.indicator.x509.not_after + level: extended + name: not_after normalize: [] - original_fieldset: event - short: Time when the event was first read by an agent or by your pipeline. + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. 
type: date - threat.enrichments.event.dataset: - dashed_name: threat-enrichments-event-dataset - description: 'Name of the dataset. - - If an event source publishes more than one type of log or events (e.g. access - log, error log), the dataset is used to specify which one the event comes - from. - - It''s recommended but not required to start the dataset name with the module - name, followed by a dot, then the dataset name.' - example: apache.access - flat_name: threat.enrichments.event.dataset + threat.enrichments.indicator.x509.not_before: + dashed_name: threat-enrichments-indicator-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.indicator.x509.not_before + level: extended + name: not_before + normalize: [] + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + threat.enrichments.indicator.x509.public_key_algorithm: + dashed_name: threat-enrichments-indicator-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.indicator.x509.public_key_algorithm ignore_above: 1024 - level: core - name: dataset + level: extended + name: public_key_algorithm normalize: [] - original_fieldset: event - short: Name of the dataset. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword - threat.enrichments.event.duration: - dashed_name: threat-enrichments-event-duration - description: 'Duration of the event in nanoseconds. - - If event.start and event.end are known this value should be the difference - between the end and start time.' 
- flat_name: threat.enrichments.event.duration - format: duration - input_format: nanoseconds - level: core - name: duration + threat.enrichments.indicator.x509.public_key_curve: + dashed_name: threat-enrichments-indicator-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.enrichments.indicator.x509.public_key_curve + ignore_above: 1024 + level: extended + name: public_key_curve normalize: [] - original_fieldset: event - output_format: asMilliseconds - output_precision: 1 - short: Duration of the event in nanoseconds. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. + type: keyword + threat.enrichments.indicator.x509.public_key_exponent: + dashed_name: threat-enrichments-indicator-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.indicator.x509.public_key_exponent + index: false + level: extended + name: public_key_exponent + normalize: [] + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long - threat.enrichments.event.end: - dashed_name: threat-enrichments-event-end - description: event.end contains the date when the event ended or when the activity - was last observed. - flat_name: threat.enrichments.event.end + threat.enrichments.indicator.x509.public_key_size: + dashed_name: threat-enrichments-indicator-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.indicator.x509.public_key_size level: extended - name: end + name: public_key_size normalize: [] - original_fieldset: event - short: event.end contains the date when the event ended or when the activity - was last observed. 
- type: date - threat.enrichments.event.hash: - dashed_name: threat-enrichments-event-hash - description: Hash (perhaps logstash fingerprint) of raw field to be able to - demonstrate log integrity. - example: 123456789012345678901234567890ABCD - flat_name: threat.enrichments.event.hash + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + threat.enrichments.indicator.x509.serial_number: + dashed_name: threat-enrichments-indicator-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 level: extended - name: hash + name: serial_number normalize: [] - original_fieldset: event - short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate - log integrity. + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword - threat.enrichments.event.id: - dashed_name: threat-enrichments-event-id - description: Unique ID to describe the event. - example: 8a4f500d - flat_name: threat.enrichments.event.id + threat.enrichments.indicator.x509.signature_algorithm: + dashed_name: threat-enrichments-indicator-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.indicator.x509.signature_algorithm ignore_above: 1024 - level: core - name: id + level: extended + name: signature_algorithm normalize: [] - original_fieldset: event - short: Unique ID to describe the event. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. 
type: keyword - threat.enrichments.event.ingested: - dashed_name: threat-enrichments-event-ingested - description: 'Timestamp when an event arrived in the central data store. - - This is different from `@timestamp`, which is when the event originally occurred. It''s - also different from `event.created`, which is meant to capture the first time - an agent saw the event. - - In normal conditions, assuming no tampering, the timestamps should chronologically - look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: '2016-05-23T08:05:35.101Z' - flat_name: threat.enrichments.event.ingested - level: core - name: ingested - normalize: [] - original_fieldset: event - short: Timestamp when an event arrived in the central data store. - type: date - threat.enrichments.event.kind: - allowed_values: - - description: 'This value indicates an event that describes an alert or notable - event, triggered by a detection rule. - - `event.kind:alert` is often populated for events coming from firewalls, - intrusion detection systems, endpoint detection and response systems, and - so on.' - name: alert - - description: This value is the most general and most common value for this - field. It is used to represent events that indicate that something happened. - name: event - - description: 'This value is used to indicate that this event describes a numeric - measurement taken at given point in time. - - Examples include CPU utilization, memory usage, or device temperature. - - Metric events are often collected on a predictable frequency, such as once - every few seconds, or once a minute, but can also be used to describe ad-hoc - numeric metric queries.' - name: metric - - description: 'The state value is similar to metric, indicating that this event - describes a measurement taken at given point in time, except that the measurement - does not result in a numeric value, but rather one of a fixed set of categorical - values that represent conditions or states. 
- - Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), - the state of a TCP connection (open, closed, fin_wait, etc.), the state - of a host with respect to a software vulnerability (vulnerable, not vulnerable), - and the state of a system regarding compliance with a regulatory standard - (compliant, not compliant). - - Note that an event that describes a change of state would not use `event.kind:state`, - but instead would use ''event.kind:event'' since a state change fits the - more general event definition of something that happened. - - State events are often collected on a predictable frequency, such as once - every few seconds, once a minute, once an hour, or once a day, but can also - be used to describe ad-hoc state queries.' - name: state - - description: This value indicates that an error occurred during the ingestion - of this event, and that event data may be missing, inconsistent, or incorrect. - `event.kind:pipeline_error` is often associated with parsing errors. - name: pipeline_error - - description: 'This value is used by the Elastic Security app to denote an - Elasticsearch document that was created by a SIEM detection engine rule. - - A signal will typically trigger a notification that something meaningful - happened and should be investigated. - - Usage of this value is reserved, and pipelines should not populate `event.kind` - with the value "signal".' - name: signal - dashed_name: threat-enrichments-event-kind - description: 'This is one of four ECS Categorization Fields, and indicates the - highest level in the ECS category hierarchy. - - `event.kind` gives high-level information about what type of information the - event contains, without being specific to the contents of the event. For example, - values of this field distinguish alert events from metric events. - - The value of this field can be used to inform how these kinds of events should - be handled. 
They may warrant different retention, different access control, - it may also help understand whether the data coming in at a regular interval - or not.' - example: alert - flat_name: threat.enrichments.event.kind + threat.enrichments.indicator.x509.subject.common_name: + dashed_name: threat-enrichments-indicator-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.common_name + ignore_above: 1024 + level: extended + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. + type: keyword + threat.enrichments.indicator.x509.subject.country: + dashed_name: threat-enrichments-indicator-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.indicator.x509.subject.country + ignore_above: 1024 + level: extended + name: subject.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) code + type: keyword + threat.enrichments.indicator.x509.subject.distinguished_name: + dashed_name: threat-enrichments-indicator-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.indicator.x509.subject.distinguished_name ignore_above: 1024 - level: core - name: kind + level: extended + name: subject.distinguished_name normalize: [] - original_fieldset: event - short: The kind of the event. The highest categorization field in the hierarchy. + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. type: keyword - threat.enrichments.event.module: - dashed_name: threat-enrichments-event-module - description: 'Name of the module this data is coming from. 
- - If your monitoring agent supports the concept of modules or plugins to process - events of a given source (e.g. Apache logs), `event.module` should contain - the name of this module.' - example: apache - flat_name: threat.enrichments.event.module + threat.enrichments.indicator.x509.subject.locality: + dashed_name: threat-enrichments-indicator-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.indicator.x509.subject.locality ignore_above: 1024 - level: core - name: module + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) + type: keyword + threat.enrichments.indicator.x509.subject.organization: + dashed_name: threat-enrichments-indicator-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.indicator.x509.subject.organization + ignore_above: 1024 + level: extended + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. + type: keyword + threat.enrichments.indicator.x509.subject.organizational_unit: + dashed_name: threat-enrichments-indicator-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. + flat_name: threat.enrichments.indicator.x509.subject.organizational_unit + ignore_above: 1024 + level: extended + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. 
+ type: keyword + threat.enrichments.indicator.x509.subject.state_or_province: + dashed_name: threat-enrichments-indicator-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.indicator.x509.subject.state_or_province + ignore_above: 1024 + level: extended + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.indicator.x509.version_number: + dashed_name: threat-enrichments-indicator-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.indicator.x509.version_number + ignore_above: 1024 + level: extended + name: version_number normalize: [] - original_fieldset: event - short: Name of the module this data is coming from. + original_fieldset: x509 + short: Version of x509 format. type: keyword - threat.enrichments.event.original: - dashed_name: threat-enrichments-event-original - description: 'Raw text message of entire event. Used to demonstrate log integrity or - where the full log message (before splitting it up in multiple parts) may - be required, e.g. for reindex. - - This field is not indexed and doc_values are disabled. It cannot be searched, - but it can be retrieved from `_source`. If users wish to override this and - index this field, please see `Field data types` in the `Elasticsearch Reference`.' - doc_values: false - example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| - worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 - flat_name: threat.enrichments.event.original - index: false - level: core - name: original + threat.enrichments.matched.atomic: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. 
+ example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic normalize: [] - original_fieldset: event - short: Raw text message of entire event. + short: Matched indicator value type: keyword - threat.enrichments.event.outcome: - allowed_values: - - description: Indicates that this event describes a failed result. A common - example is `event.category:file AND event.type:access AND event.outcome:failure` - to indicate that a file access was attempted, but was not successful. - name: failure - - description: Indicates that this event describes a successful result. A common - example is `event.category:file AND event.type:create AND event.outcome:success` - to indicate that a file was successfully created. - name: success - - description: Indicates that this event describes only an attempt for which - the result is unknown from the perspective of the event producer. For example, - if the event contains information only about the request side of a transaction - that results in a response, populating `event.outcome:unknown` in the request - event is appropriate. The unknown value should not be used when an outcome - doesn't make logical sense for the event. In such cases `event.outcome` - should not be populated. - name: unknown - dashed_name: threat-enrichments-event-outcome - description: 'This is one of four ECS Categorization Fields, and indicates the - lowest level in the ECS category hierarchy. - - `event.outcome` simply denotes whether the event represents a success or a - failure from the perspective of the entity that produced the event. - - Note that when a single transaction is described in multiple events, each - event may populate different values of `event.outcome`, according to their - perspective. 
- - Also note that in the case of a compound event (a single event that contains - multiple logical events), this field should be populated with the value that - best captures the overall success or failure from the perspective of the event - producer. - - Further note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events, events with `event.type:info`, - or any events for which an outcome does not make logical sense.' - example: success - flat_name: threat.enrichments.event.outcome + threat.enrichments.matched.field: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field ignore_above: 1024 - level: core - name: outcome + level: extended + name: enrichments.matched.field normalize: [] - original_fieldset: event - short: The outcome of the event. The lowest level categorization field in the - hierarchy. + short: Matched indicator field type: keyword - threat.enrichments.event.provider: - dashed_name: threat-enrichments-event-provider - description: 'Source of the event. - - Event transports such as Syslog or the Windows Event Log typically mention - the source of an event. It can be the name of the software that generated - the event (e.g. Sysmon, httpd), or of a subsystem of the operating system - (kernel, Microsoft-Windows-Security-Auditing).' - example: kernel - flat_name: threat.enrichments.event.provider + threat.enrichments.matched.id: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. 
+ example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id ignore_above: 1024 level: extended - name: provider + name: enrichments.matched.id normalize: [] - original_fieldset: event - short: Source of the event. + short: Matched indicator identifier type: keyword - threat.enrichments.event.reason: - dashed_name: threat-enrichments-event-reason - description: 'Reason why this event happened, according to the source. - - This describes the why of a particular action or outcome captured in the event. - Where `event.action` captures the action from the event, `event.reason` describes - why that action was taken. For example, a web proxy with an `event.action` - which denied the request may also populate `event.reason` with the reason - why (e.g. `blocked site`).' - example: Terminated an unexpected process - flat_name: threat.enrichments.event.reason + threat.enrichments.matched.index: + beta: This field is beta and subject to change. + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: reason + name: enrichments.matched.index normalize: [] - original_fieldset: event - short: Reason why this event happened, according to the source + short: Matched indicator index type: keyword - threat.enrichments.event.reference: - dashed_name: threat-enrichments-event-reference - description: 'Reference URL linking to additional information about this event. - - This URL links to a static definition of this event. Alert events, indicated - by `event.kind:alert`, are a common use case for this field.' - example: https://system.example.com/event/#0001234 - flat_name: threat.enrichments.event.reference + threat.enrichments.matched.type: + beta: This field is beta and subject to change. 
+ dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type ignore_above: 1024 level: extended - name: reference + name: enrichments.matched.type normalize: [] - original_fieldset: event - short: Event reference URL + short: Type of indicator match type: keyword - threat.enrichments.event.risk_score: - dashed_name: threat-enrichments-event-risk-score - description: Risk score or priority of the event (e.g. security solutions). - Use your system's original value here. - flat_name: threat.enrichments.event.risk_score - level: core - name: risk_score + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 + level: extended + name: framework normalize: [] - original_fieldset: event - short: Risk score or priority of the event (e.g. security solutions). Use your - system's original value here. - type: float - threat.enrichments.event.risk_score_norm: - dashed_name: threat-enrichments-event-risk-score-norm - description: 'Normalized risk score or priority of the event, on a scale of - 0 to 100. - - This is mainly useful if you use more than one system that assigns risk scores, - and you want to see a normalized value across all systems.' - flat_name: threat.enrichments.event.risk_score_norm + short: Threat classification framework. + type: keyword + threat.group.alias: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias + ignore_above: 1024 + level: extended + name: group.alias + normalize: + - array + short: Alias of the group. + type: keyword + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id + ignore_above: 1024 + level: extended + name: group.id + normalize: [] + short: ID of the group. + type: keyword + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 + level: extended + name: group.name + normalize: [] + short: Name of the group. + type: keyword + threat.group.reference: + beta: This field is beta and subject to change. + dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." 
+ example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 level: extended - name: risk_score_norm + name: group.reference normalize: [] - original_fieldset: event - short: Normalized risk score or priority of the event (0-100). - type: float - threat.enrichments.event.sequence: - dashed_name: threat-enrichments-event-sequence - description: 'Sequence number of the event. - - The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regardless of the timestamp precision.' - flat_name: threat.enrichments.event.sequence - format: string + short: Reference URL of the group. + type: keyword + threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number level: extended - name: sequence - normalize: [] - original_fieldset: event - short: Sequence number of the event. - type: long - threat.enrichments.event.severity: - dashed_name: threat-enrichments-event-severity - description: 'The numeric severity of the event according to your event source. - - What the different severity values mean can be different between sources and - use cases. It''s up to the implementer to make sure severities are consistent - across events from the same source. - - The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` - is meant to represent the severity according to the event source (e.g. firewall, - IDS). If the event source does not publish its own severity, you may optionally - copy the `log.syslog.severity.code` to `event.severity`.' - example: 7 - flat_name: threat.enrichments.event.severity - format: string - level: core - name: severity + name: number normalize: [] - original_fieldset: event - short: Numeric severity of the event. 
+ original_fieldset: as + short: Unique number allocated to the autonomous system. type: long - threat.enrichments.event.start: - dashed_name: threat-enrichments-event-start - description: event.start contains the date when the event started or when the - activity was first observed. - flat_name: threat.enrichments.event.start + threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + ignore_above: 1024 level: extended - name: start + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name normalize: [] - original_fieldset: event - short: event.start contains the date when the event started or when the activity - was first observed. - type: date - threat.enrichments.event.timezone: - dashed_name: threat-enrichments-event-timezone - description: 'This field should be populated when the event''s timestamp does - not include timezone information already (e.g. default Syslog timestamps). - It''s optional otherwise. - - Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), - abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' - flat_name: threat.enrichments.event.timezone + original_fieldset: as + short: Organization name. + type: keyword + threat.indicator.confidence: + beta: This field is beta and subject to change. 
+ dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: timezone + name: indicator.confidence normalize: [] - original_fieldset: event - short: Event time zone. + short: Indicator confidence rating type: keyword - threat.enrichments.event.type: - allowed_values: - - description: The access event type is used for the subset of events within - a category that indicate that something was accessed. Common examples include - `event.category:database AND event.type:access`, or `event.category:file - AND event.type:access`. Note for file access, both directory listings and - file opens should be included in this subcategory. You can further distinguish - access operations using the ECS `event.action` field. - name: access - - description: 'The admin event type is used for the subset of events within - a category that are related to admin objects. For example, administrative - changes within an IAM framework that do not specifically affect a user or - group (e.g., adding new applications to a federation solution or connecting - discrete forests in Active Directory) would fall into this subcategory. - Common example: `event.category:iam AND event.type:change AND event.type:admin`. - You can further distinguish admin operations using the ECS `event.action` - field.' - name: admin - - description: The allowed event type is used for the subset of events within - a category that indicate that something was allowed. 
Common examples include - `event.category:network AND event.type:connection AND event.type:allowed` - (to indicate a network firewall event for which the firewall disposition - was to allow the connection to complete) and `event.category:intrusion_detection - AND event.type:allowed` (to indicate a network intrusion prevention system - event for which the IPS disposition was to allow the connection to complete). - You can further distinguish allowed operations using the ECS `event.action` - field, populating with values of your choosing, such as "allow", "detect", - or "pass". - name: allowed - - description: The change event type is used for the subset of events within - a category that indicate that something has changed. If semantics best describe - an event as modified, then include them in this subcategory. Common examples - include `event.category:process AND event.type:change`, and `event.category:file - AND event.type:change`. You can further distinguish change operations using - the ECS `event.action` field. - name: change - - description: Used primarily with `event.category:network` this value is used - for the subset of network traffic that includes sufficient information for - the event to be included in flow or connection analysis. Events in this - subcategory will contain at least source and destination IP addresses, source - and destination TCP/UDP ports, and will usually contain counts of bytes - and/or packets transferred. Events in this subcategory may contain unidirectional - or bidirectional information, including summary information. Use this subcategory - to visualize and analyze network connections. Flow analysis, including Netflow, - IPFIX, and other flow-related events fit in this subcategory. Note that - firewall events from many Next-Generation Firewall (NGFW) devices will also - fit into this subcategory. 
A common filter for flow/connection information - would be `event.category:network AND event.type:connection AND event.type:end` - (to view or analyze all completed network connections, ignoring mid-flow - reports). You can further distinguish connection events using the ECS `event.action` - field, populating with values of your choosing, such as "timeout", or "reset". - name: connection - - description: The "creation" event type is used for the subset of events within - a category that indicate that something was created. A common example is - `event.category:file AND event.type:creation`. - name: creation - - description: The deletion event type is used for the subset of events within - a category that indicate that something was deleted. A common example is - `event.category:file AND event.type:deletion` to indicate that a file has - been deleted. - name: deletion - - description: The denied event type is used for the subset of events within - a category that indicate that something was denied. Common examples include - `event.category:network AND event.type:denied` (to indicate a network firewall - event for which the firewall disposition was to deny the connection) and - `event.category:intrusion_detection AND event.type:denied` (to indicate - a network intrusion prevention system event for which the IPS disposition - was to deny the connection to complete). You can further distinguish denied - operations using the ECS `event.action` field, populating with values of - your choosing, such as "blocked", "dropped", or "quarantined". - name: denied - - description: The end event type is used for the subset of events within a - category that indicate something has ended. A common example is `event.category:process - AND event.type:end`. - name: end - - description: The error event type is used for the subset of events within - a category that indicate or describe an error. A common example is `event.category:database - AND event.type:error`. 
Note that pipeline errors that occur during the event - ingestion process should not use this `event.type` value. Instead, they - should use `event.kind:pipeline_error`. - name: error - - description: 'The group event type is used for the subset of events within - a category that are related to group objects. Common example: `event.category:iam - AND event.type:creation AND event.type:group`. You can further distinguish - group operations using the ECS `event.action` field.' - name: group - - description: The info event type is used for the subset of events within a - category that indicate that they are purely informational, and don't report - a state change, or any type of action. For example, an initial run of a - file integrity monitoring system (FIM), where an agent reports all files - under management, would fall into the "info" subcategory. Similarly, an - event containing a dump of all currently running processes (as opposed to - reporting that a process started/ended) would fall into the "info" subcategory. - An additional common examples is `event.category:intrusion_detection AND - event.type:info`. - name: info - - description: The installation event type is used for the subset of events - within a category that indicate that something was installed. A common example - is `event.category:package` AND `event.type:installation`. - name: installation - - description: The protocol event type is used for the subset of events within - a category that indicate that they contain protocol details or analysis, - beyond simply identifying the protocol. Generally, network events that contain - specific protocol details will fall into this subcategory. A common example - is `event.category:network AND event.type:protocol AND event.type:connection - AND event.type:end` (to indicate that the event is a network connection - event sent at the end of a connection that also includes a protocol detail - breakdown). 
Note that events that only indicate the name or id of the protocol - should not use the protocol value. Further note that when the protocol subcategory - is used, the identified protocol is populated in the ECS `network.protocol` - field. - name: protocol - - description: The start event type is used for the subset of events within - a category that indicate something has started. A common example is `event.category:process - AND event.type:start`. - name: start - - description: 'The user event type is used for the subset of events within - a category that are related to user objects. Common example: `event.category:iam - AND event.type:deletion AND event.type:user`. You can further distinguish - user operations using the ECS `event.action` field.' - name: user - dashed_name: threat-enrichments-event-type - description: 'This is one of four ECS Categorization Fields, and indicates the - third level in the ECS category hierarchy. - - `event.type` represents a categorization "sub-bucket" that, when used along - with the `event.category` field values, enables filtering events down to a - level appropriate for single visualization. - - This field is an array. This will allow proper categorization of some events - that fall in multiple event types.' - flat_name: threat.enrichments.event.type + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description ignore_above: 1024 - level: core - name: type - normalize: - - array - original_fieldset: event - short: Event type. The third categorization field in the hierarchy. 
+ level: extended + name: indicator.description + normalize: [] + short: Indicator description type: keyword - threat.enrichments.event.url: - dashed_name: threat-enrichments-event-url - description: 'URL linking to an external system to continue investigation of - this event. - - This URL links to another system where in-depth investigation of the specific - occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, - are a common use case for this field.' - example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - flat_name: threat.enrichments.event.url + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: url + name: indicator.email.address normalize: [] - original_fieldset: event - short: Event investigation URL + short: Indicator email address type: keyword - threat.enrichments.file.accessed: - dashed_name: threat-enrichments-file-accessed + threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed description: 'Last time the file was accessed. Note that not all filesystems keep track of access time.' - flat_name: threat.enrichments.file.accessed + flat_name: threat.indicator.file.accessed level: extended name: accessed normalize: [] original_fieldset: file short: Last time the file was accessed. type: date - threat.enrichments.file.attributes: - dashed_name: threat-enrichments-file-attributes + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes description: 'Array of file attributes. Attributes names will vary by platform. 
Here''s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' - flat_name: threat.enrichments.file.attributes + flat_name: threat.indicator.file.attributes ignore_above: 1024 level: extended name: attributes @@ -11244,25 +12451,25 @@ threat: original_fieldset: file short: Array of file attributes. type: keyword - threat.enrichments.file.code_signature.exists: - dashed_name: threat-enrichments-file-code-signature-exists + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists description: Boolean to capture if a signature is present. example: 'true' - flat_name: threat.enrichments.file.code_signature.exists + flat_name: threat.indicator.file.code_signature.exists level: core name: exists normalize: [] original_fieldset: code_signature short: Boolean to capture if a signature is present. type: boolean - threat.enrichments.file.code_signature.signing_id: - dashed_name: threat-enrichments-file-code-signature-signing-id + threat.indicator.file.code_signature.signing_id: + dashed_name: threat-indicator-file-code-signature-signing-id description: 'The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.' example: com.apple.xpc.proxy - flat_name: threat.enrichments.file.code_signature.signing_id + flat_name: threat.indicator.file.code_signature.signing_id ignore_above: 1024 level: extended name: signing_id 
@@ -11270,15 +12477,15 @@ threat: original_fieldset: code_signature short: The identifier used to sign the process. type: keyword - threat.enrichments.file.code_signature.status: - dashed_name: threat-enrichments-file-code-signature-status + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status description: 'Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.' example: ERROR_UNTRUSTED_ROOT - flat_name: threat.enrichments.file.code_signature.status + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 level: extended name: status @@ -11286,11 +12493,11 @@ threat: original_fieldset: code_signature short: Additional information about the certificate status. type: keyword - threat.enrichments.file.code_signature.subject_name: - dashed_name: threat-enrichments-file-code-signature-subject-name + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name description: Subject name of the code signer example: Microsoft Corporation - flat_name: threat.enrichments.file.code_signature.subject_name + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 level: core name: subject_name 
@@ -11298,14 +12505,14 @@ threat: original_fieldset: code_signature short: Subject name of the code signer type: keyword - threat.enrichments.file.code_signature.team_id: - dashed_name: threat-enrichments-file-code-signature-team-id + threat.indicator.file.code_signature.team_id: + dashed_name: threat-indicator-file-code-signature-team-id description: 'The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV - flat_name: threat.enrichments.file.code_signature.team_id + flat_name: threat.indicator.file.code_signature.team_id ignore_above: 1024 level: extended name: team_id 
@@ -11313,28 +12520,28 @@ threat: original_fieldset: code_signature short: The team identifier used to sign the process. type: keyword - threat.enrichments.file.code_signature.trusted: - dashed_name: threat-enrichments-file-code-signature-trusted + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted description: 'Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.' example: 'true' - flat_name: threat.enrichments.file.code_signature.trusted + flat_name: threat.indicator.file.code_signature.trusted level: extended name: trusted normalize: [] original_fieldset: code_signature short: Stores the trust status of the certificate chain. type: boolean - threat.enrichments.file.code_signature.valid: - dashed_name: threat-enrichments-file-code-signature-valid + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid description: 'Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.' example: 'true' - flat_name: threat.enrichments.file.code_signature.valid + flat_name: threat.indicator.file.code_signature.valid level: extended name: valid normalize: [] 
@@ -11342,36 +12549,36 @@ threat: short: Boolean to capture if the digital signature is verified against the binary content. type: boolean - threat.enrichments.file.created: - dashed_name: threat-enrichments-file-created + threat.indicator.file.created: + dashed_name: threat-indicator-file-created description: 'File creation time. Note that not all filesystems store the creation time.' - flat_name: threat.enrichments.file.created + flat_name: threat.indicator.file.created level: extended name: created normalize: [] original_fieldset: file short: File creation time. type: date - threat.enrichments.file.ctime: - dashed_name: threat-enrichments-file-ctime + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime description: 'Last time the file attributes or metadata changed. Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.enrichments.file.ctime + flat_name: threat.indicator.file.ctime level: extended name: ctime normalize: [] original_fieldset: file short: Last time the file attributes or metadata changed. type: date - threat.enrichments.file.device: - dashed_name: threat-enrichments-file-device + threat.indicator.file.device: + dashed_name: threat-indicator-file-device description: Device that is the source of the file. example: sda - flat_name: threat.enrichments.file.device + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended name: device 
@@ -11379,12 +12586,12 @@ threat: original_fieldset: file short: Device that is the source of the file. type: keyword - threat.enrichments.file.directory: - dashed_name: threat-enrichments-file-directory + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice - flat_name: threat.enrichments.file.directory + flat_name: threat.indicator.file.directory ignore_above: 1024 level: extended name: directory @@ -11392,14 +12599,14 @@ threat: original_fieldset: file short: Directory where the file is located. type: keyword - threat.enrichments.file.drive_letter: - dashed_name: threat-enrichments-file-drive-letter + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter description: 'Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.' example: C - flat_name: threat.enrichments.file.drive_letter + flat_name: threat.indicator.file.drive_letter ignore_above: 1 level: extended name: drive_letter @@ -11407,11 +12614,11 @@ threat: original_fieldset: file short: Drive letter where the file is located. type: keyword - threat.enrichments.file.elf.architecture: - dashed_name: threat-enrichments-file-elf-architecture + threat.indicator.file.elf.architecture: + dashed_name: threat-indicator-file-elf-architecture description: Machine architecture of the ELF file. example: x86-64 - flat_name: threat.enrichments.file.elf.architecture + flat_name: threat.indicator.file.elf.architecture ignore_above: 1024 level: extended name: architecture 
@@ -11419,11 +12626,11 @@ threat: original_fieldset: elf short: Machine architecture of the ELF file. type: keyword - threat.enrichments.file.elf.byte_order: - dashed_name: threat-enrichments-file-elf-byte-order + threat.indicator.file.elf.byte_order: + dashed_name: threat-indicator-file-elf-byte-order description: Byte sequence of ELF file. example: Little Endian - flat_name: threat.enrichments.file.elf.byte_order + flat_name: threat.indicator.file.elf.byte_order ignore_above: 1024 level: extended name: byte_order @@ -11431,11 +12638,11 @@ threat: original_fieldset: elf short: Byte sequence of ELF file. type: keyword - threat.enrichments.file.elf.cpu_type: - dashed_name: threat-enrichments-file-elf-cpu-type + threat.indicator.file.elf.cpu_type: + dashed_name: threat-indicator-file-elf-cpu-type description: CPU type of the ELF file. example: Intel - flat_name: threat.enrichments.file.elf.cpu_type + flat_name: threat.indicator.file.elf.cpu_type ignore_above: 1024 level: extended name: cpu_type 
@@ -11443,21 +12650,21 @@ threat: original_fieldset: elf short: CPU type of the ELF file. type: keyword - threat.enrichments.file.elf.creation_date: - dashed_name: threat-enrichments-file-elf-creation-date + threat.indicator.file.elf.creation_date: + dashed_name: threat-indicator-file-elf-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. - flat_name: threat.enrichments.file.elf.creation_date + flat_name: threat.indicator.file.elf.creation_date level: extended name: creation_date normalize: [] original_fieldset: elf short: Build or compile date. type: date - threat.enrichments.file.elf.exports: - dashed_name: threat-enrichments-file-elf-exports + threat.indicator.file.elf.exports: + dashed_name: threat-indicator-file-elf-exports description: List of exported element names and types. - flat_name: threat.enrichments.file.elf.exports + flat_name: threat.indicator.file.elf.exports level: extended name: exports normalize: @@ -11465,10 +12672,10 @@ threat: original_fieldset: elf short: List of exported element names and types. type: flattened - threat.enrichments.file.elf.header.abi_version: - dashed_name: threat-enrichments-file-elf-header-abi-version + threat.indicator.file.elf.header.abi_version: + dashed_name: threat-indicator-file-elf-header-abi-version description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.enrichments.file.elf.header.abi_version + flat_name: threat.indicator.file.elf.header.abi_version ignore_above: 1024 level: extended name: header.abi_version 
@@ -11476,10 +12683,10 @@ threat: original_fieldset: elf short: Version of the ELF Application Binary Interface (ABI). type: keyword - threat.enrichments.file.elf.header.class: - dashed_name: threat-enrichments-file-elf-header-class + threat.indicator.file.elf.header.class: + dashed_name: threat-indicator-file-elf-header-class description: Header class of the ELF file. - flat_name: threat.enrichments.file.elf.header.class + flat_name: threat.indicator.file.elf.header.class ignore_above: 1024 level: extended name: header.class @@ -11487,10 +12694,10 @@ threat: original_fieldset: elf short: Header class of the ELF file. type: keyword - threat.enrichments.file.elf.header.data: - dashed_name: threat-enrichments-file-elf-header-data + threat.indicator.file.elf.header.data: + dashed_name: threat-indicator-file-elf-header-data description: Data table of the ELF header. - flat_name: threat.enrichments.file.elf.header.data + flat_name: threat.indicator.file.elf.header.data ignore_above: 1024 level: extended name: header.data @@ -11498,10 +12705,10 @@ threat: original_fieldset: elf short: Data table of the ELF header. type: keyword - threat.enrichments.file.elf.header.entrypoint: - dashed_name: threat-enrichments-file-elf-header-entrypoint + threat.indicator.file.elf.header.entrypoint: + dashed_name: threat-indicator-file-elf-header-entrypoint description: Header entrypoint of the ELF file. - flat_name: threat.enrichments.file.elf.header.entrypoint + flat_name: threat.indicator.file.elf.header.entrypoint format: string level: extended name: header.entrypoint 
@@ -11509,10 +12716,10 @@ threat: original_fieldset: elf short: Header entrypoint of the ELF file. type: long - threat.enrichments.file.elf.header.object_version: - dashed_name: threat-enrichments-file-elf-header-object-version + threat.indicator.file.elf.header.object_version: + dashed_name: threat-indicator-file-elf-header-object-version description: '"0x1" for original ELF files.' - flat_name: threat.enrichments.file.elf.header.object_version + flat_name: threat.indicator.file.elf.header.object_version ignore_above: 1024 level: extended name: header.object_version @@ -11520,10 +12727,10 @@ threat: original_fieldset: elf short: '"0x1" for original ELF files.' type: keyword - threat.enrichments.file.elf.header.os_abi: - dashed_name: threat-enrichments-file-elf-header-os-abi + threat.indicator.file.elf.header.os_abi: + dashed_name: threat-indicator-file-elf-header-os-abi description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.enrichments.file.elf.header.os_abi + flat_name: threat.indicator.file.elf.header.os_abi ignore_above: 1024 level: extended name: header.os_abi @@ -11531,10 +12738,10 @@ threat: original_fieldset: elf short: Application Binary Interface (ABI) of the Linux OS. type: keyword - threat.enrichments.file.elf.header.type: - dashed_name: threat-enrichments-file-elf-header-type + threat.indicator.file.elf.header.type: + dashed_name: threat-indicator-file-elf-header-type description: Header type of the ELF file. - flat_name: threat.enrichments.file.elf.header.type + flat_name: threat.indicator.file.elf.header.type ignore_above: 1024 level: extended name: header.type 
@@ -11542,10 +12749,10 @@ threat: original_fieldset: elf short: Header type of the ELF file. type: keyword - threat.enrichments.file.elf.header.version: - dashed_name: threat-enrichments-file-elf-header-version + threat.indicator.file.elf.header.version: + dashed_name: threat-indicator-file-elf-header-version description: Version of the ELF header. - flat_name: threat.enrichments.file.elf.header.version + flat_name: threat.indicator.file.elf.header.version ignore_above: 1024 level: extended name: header.version @@ -11553,10 +12760,10 @@ threat: original_fieldset: elf short: Version of the ELF header. type: keyword - threat.enrichments.file.elf.imports: - dashed_name: threat-enrichments-file-elf-imports + threat.indicator.file.elf.imports: + dashed_name: threat-indicator-file-elf-imports description: List of imported element names and types. - flat_name: threat.enrichments.file.elf.imports + flat_name: threat.indicator.file.elf.imports level: extended name: imports normalize: @@ -11564,13 +12771,13 @@ threat: original_fieldset: elf short: List of imported element names and types. type: flattened - threat.enrichments.file.elf.sections: - dashed_name: threat-enrichments-file-elf-sections + threat.indicator.file.elf.sections: + dashed_name: threat-indicator-file-elf-sections description: 'An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.*`.' - flat_name: threat.enrichments.file.elf.sections + flat_name: threat.indicator.file.elf.sections level: extended name: sections normalize: 
@@ -11578,10 +12785,10 @@ threat: original_fieldset: elf short: Section information of the ELF file. type: nested - threat.enrichments.file.elf.sections.chi2: - dashed_name: threat-enrichments-file-elf-sections-chi2 + threat.indicator.file.elf.sections.chi2: + dashed_name: threat-indicator-file-elf-sections-chi2 description: Chi-square probability distribution of the section. - flat_name: threat.enrichments.file.elf.sections.chi2 + flat_name: threat.indicator.file.elf.sections.chi2 format: number level: extended name: sections.chi2 @@ -11589,10 +12796,10 @@ threat: original_fieldset: elf short: Chi-square probability distribution of the section. type: long - threat.enrichments.file.elf.sections.entropy: - dashed_name: threat-enrichments-file-elf-sections-entropy + threat.indicator.file.elf.sections.entropy: + dashed_name: threat-indicator-file-elf-sections-entropy description: Shannon entropy calculation from the section. - flat_name: threat.enrichments.file.elf.sections.entropy + flat_name: threat.indicator.file.elf.sections.entropy format: number level: extended name: sections.entropy @@ -11600,10 +12807,10 @@ threat: original_fieldset: elf short: Shannon entropy calculation from the section. type: long - threat.enrichments.file.elf.sections.flags: - dashed_name: threat-enrichments-file-elf-sections-flags + threat.indicator.file.elf.sections.flags: + dashed_name: threat-indicator-file-elf-sections-flags description: ELF Section List flags. - flat_name: threat.enrichments.file.elf.sections.flags + flat_name: threat.indicator.file.elf.sections.flags ignore_above: 1024 level: extended name: sections.flags 
@@ -11611,10 +12818,10 @@ threat: original_fieldset: elf short: ELF Section List flags. type: keyword - threat.enrichments.file.elf.sections.name: - dashed_name: threat-enrichments-file-elf-sections-name + threat.indicator.file.elf.sections.name: + dashed_name: threat-indicator-file-elf-sections-name description: ELF Section List name. - flat_name: threat.enrichments.file.elf.sections.name + flat_name: threat.indicator.file.elf.sections.name ignore_above: 1024 level: extended name: sections.name @@ -11622,10 +12829,10 @@ threat: original_fieldset: elf short: ELF Section List name. type: keyword - threat.enrichments.file.elf.sections.physical_offset: - dashed_name: threat-enrichments-file-elf-sections-physical-offset + threat.indicator.file.elf.sections.physical_offset: + dashed_name: threat-indicator-file-elf-sections-physical-offset description: ELF Section List offset. - flat_name: threat.enrichments.file.elf.sections.physical_offset + flat_name: threat.indicator.file.elf.sections.physical_offset ignore_above: 1024 level: extended name: sections.physical_offset @@ -11633,10 +12840,10 @@ threat: original_fieldset: elf short: ELF Section List offset. type: keyword - threat.enrichments.file.elf.sections.physical_size: - dashed_name: threat-enrichments-file-elf-sections-physical-size + threat.indicator.file.elf.sections.physical_size: + dashed_name: threat-indicator-file-elf-sections-physical-size description: ELF Section List physical size. - flat_name: threat.enrichments.file.elf.sections.physical_size + flat_name: threat.indicator.file.elf.sections.physical_size format: bytes level: extended name: sections.physical_size 
@@ -11644,10 +12851,10 @@ threat: original_fieldset: elf short: ELF Section List physical size. type: long - threat.enrichments.file.elf.sections.type: - dashed_name: threat-enrichments-file-elf-sections-type + threat.indicator.file.elf.sections.type: + dashed_name: threat-indicator-file-elf-sections-type description: ELF Section List type. - flat_name: threat.enrichments.file.elf.sections.type + flat_name: threat.indicator.file.elf.sections.type ignore_above: 1024 level: extended name: sections.type @@ -11655,10 +12862,10 @@ threat: original_fieldset: elf short: ELF Section List type. type: keyword - threat.enrichments.file.elf.sections.virtual_address: - dashed_name: threat-enrichments-file-elf-sections-virtual-address + threat.indicator.file.elf.sections.virtual_address: + dashed_name: threat-indicator-file-elf-sections-virtual-address description: ELF Section List virtual address. - flat_name: threat.enrichments.file.elf.sections.virtual_address + flat_name: threat.indicator.file.elf.sections.virtual_address format: string level: extended name: sections.virtual_address @@ -11666,10 +12873,10 @@ threat: original_fieldset: elf short: ELF Section List virtual address. type: long - threat.enrichments.file.elf.sections.virtual_size: - dashed_name: threat-enrichments-file-elf-sections-virtual-size + threat.indicator.file.elf.sections.virtual_size: + dashed_name: threat-indicator-file-elf-sections-virtual-size description: ELF Section List virtual size. - flat_name: threat.enrichments.file.elf.sections.virtual_size + flat_name: threat.indicator.file.elf.sections.virtual_size format: string level: extended name: sections.virtual_size 
@@ -11677,13 +12884,13 @@ threat: original_fieldset: elf short: ELF Section List virtual size. type: long - threat.enrichments.file.elf.segments: - dashed_name: threat-enrichments-file-elf-segments + threat.indicator.file.elf.segments: + dashed_name: threat-indicator-file-elf-segments description: 'An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.*`.' - flat_name: threat.enrichments.file.elf.segments + flat_name: threat.indicator.file.elf.segments level: extended name: segments normalize: @@ -11691,10 +12898,10 @@ threat: original_fieldset: elf short: ELF object segment list. type: nested - threat.enrichments.file.elf.segments.sections: - dashed_name: threat-enrichments-file-elf-segments-sections + threat.indicator.file.elf.segments.sections: + dashed_name: threat-indicator-file-elf-segments-sections description: ELF object segment sections. - flat_name: threat.enrichments.file.elf.segments.sections + flat_name: threat.indicator.file.elf.segments.sections ignore_above: 1024 level: extended name: segments.sections @@ -11702,10 +12909,10 @@ threat: original_fieldset: elf short: ELF object segment sections. type: keyword - threat.enrichments.file.elf.segments.type: - dashed_name: threat-enrichments-file-elf-segments-type + threat.indicator.file.elf.segments.type: + dashed_name: threat-indicator-file-elf-segments-type description: ELF object segment type. - flat_name: threat.enrichments.file.elf.segments.type + flat_name: threat.indicator.file.elf.segments.type ignore_above: 1024 level: extended name: segments.type 
@@ -11713,10 +12920,10 @@ threat: original_fieldset: elf short: ELF object segment type. type: keyword - threat.enrichments.file.elf.shared_libraries: - dashed_name: threat-enrichments-file-elf-shared-libraries + threat.indicator.file.elf.shared_libraries: + dashed_name: threat-indicator-file-elf-shared-libraries description: List of shared libraries used by this ELF object. - flat_name: threat.enrichments.file.elf.shared_libraries + flat_name: threat.indicator.file.elf.shared_libraries ignore_above: 1024 level: extended name: shared_libraries @@ -11725,10 +12932,10 @@ threat: original_fieldset: elf short: List of shared libraries used by this ELF object. type: keyword - threat.enrichments.file.elf.telfhash: - dashed_name: threat-enrichments-file-elf-telfhash + threat.indicator.file.elf.telfhash: + dashed_name: threat-indicator-file-elf-telfhash description: telfhash symbol hash for ELF file. - flat_name: threat.enrichments.file.elf.telfhash + flat_name: threat.indicator.file.elf.telfhash ignore_above: 1024 level: extended name: telfhash @@ -11736,14 +12943,14 @@ threat: original_fieldset: elf short: telfhash hash for ELF file. type: keyword - threat.enrichments.file.extension: - dashed_name: threat-enrichments-file-extension + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension description: 'File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.file.extension + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended name: extension 
@@ -11751,11 +12958,11 @@ threat: original_fieldset: file short: File extension, excluding the leading dot. type: keyword - threat.enrichments.file.gid: - dashed_name: threat-enrichments-file-gid + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid description: Primary group ID (GID) of the file. example: '1001' - flat_name: threat.enrichments.file.gid + flat_name: threat.indicator.file.gid ignore_above: 1024 level: extended name: gid @@ -11763,11 +12970,11 @@ threat: original_fieldset: file short: Primary group ID (GID) of the file. type: keyword - threat.enrichments.file.group: - dashed_name: threat-enrichments-file-group + threat.indicator.file.group: + dashed_name: threat-indicator-file-group description: Primary group name of the file. example: alice - flat_name: threat.enrichments.file.group + flat_name: threat.indicator.file.group ignore_above: 1024 level: extended name: group @@ -11775,11 +12982,11 @@ threat: original_fieldset: file short: Primary group name of the file. type: keyword - threat.enrichments.file.inode: - dashed_name: threat-enrichments-file-inode + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode description: Inode representing the file in the filesystem. example: '256383' - flat_name: threat.enrichments.file.inode + flat_name: threat.indicator.file.inode ignore_above: 1024 level: extended name: inode 
@@ -11787,13 +12994,13 @@ threat: original_fieldset: file short: Inode representing the file in the filesystem. type: keyword - threat.enrichments.file.mime_type: - dashed_name: threat-enrichments-file-mime-type + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type description: MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. - flat_name: threat.enrichments.file.mime_type + flat_name: threat.indicator.file.mime_type ignore_above: 1024 level: extended name: mime_type @@ -11801,11 +13008,11 @@ threat: original_fieldset: file short: Media type of file, document, or arrangement of bytes. type: keyword - threat.enrichments.file.mode: - dashed_name: threat-enrichments-file-mode + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode description: Mode of the file in octal representation. example: '0640' - flat_name: threat.enrichments.file.mode + flat_name: threat.indicator.file.mode ignore_above: 1024 level: extended name: mode 
@@ -11813,21 +13020,21 @@ threat: original_fieldset: file short: Mode of the file in octal representation. type: keyword - threat.enrichments.file.mtime: - dashed_name: threat-enrichments-file-mtime + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime description: Last time the file content was modified. - flat_name: threat.enrichments.file.mtime + flat_name: threat.indicator.file.mtime level: extended name: mtime normalize: [] original_fieldset: file short: Last time the file content was modified. type: date - threat.enrichments.file.name: - dashed_name: threat-enrichments-file-name + threat.indicator.file.name: + dashed_name: threat-indicator-file-name description: Name of the file including the extension, without the directory. example: example.png - flat_name: threat.enrichments.file.name + flat_name: threat.indicator.file.name ignore_above: 1024 level: extended name: name @@ -11835,11 +13042,11 @@ threat: original_fieldset: file short: Name of the file including the extension, without the directory. type: keyword - threat.enrichments.file.owner: - dashed_name: threat-enrichments-file-owner + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner description: File owner's username. example: alice - flat_name: threat.enrichments.file.owner + flat_name: threat.indicator.file.owner ignore_above: 1024 level: extended name: owner 
@@ -11847,16 +13054,16 @@ threat: original_fieldset: file short: File owner's username. type: keyword - threat.enrichments.file.path: - dashed_name: threat-enrichments-file-path + threat.indicator.file.path: + dashed_name: threat-indicator-file-path description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png - flat_name: threat.enrichments.file.path + flat_name: threat.indicator.file.path ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.file.path.text + - flat_name: threat.indicator.file.path.text name: text norms: false type: text @@ -11865,27 +13072,27 @@ threat: original_fieldset: file short: Full path to the file, including the file name. type: keyword - threat.enrichments.file.size: - dashed_name: threat-enrichments-file-size + threat.indicator.file.size: + dashed_name: threat-indicator-file-size description: 'File size in bytes. Only relevant when `file.type` is "file".' example: 16384 - flat_name: threat.enrichments.file.size + flat_name: threat.indicator.file.size level: extended name: size normalize: [] original_fieldset: file short: File size in bytes. type: long - threat.enrichments.file.target_path: - dashed_name: threat-enrichments-file-target-path + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path description: Target path for symlinks. - flat_name: threat.enrichments.file.target_path + flat_name: threat.indicator.file.target_path ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.file.target_path.text + - flat_name: threat.indicator.file.target_path.text name: text norms: false type: text 
@@ -11894,11 +13101,11 @@ threat: original_fieldset: file short: Target path for symlinks. type: keyword - threat.enrichments.file.type: - dashed_name: threat-enrichments-file-type + threat.indicator.file.type: + dashed_name: threat-indicator-file-type description: File type (file, dir, or symlink). example: file - flat_name: threat.enrichments.file.type + flat_name: threat.indicator.file.type ignore_above: 1024 level: extended name: type @@ -11906,23 +13113,35 @@ threat: original_fieldset: file short: File type (file, dir, or symlink). type: keyword - threat.enrichments.file.uid: - dashed_name: threat-enrichments-file-uid + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' - flat_name: threat.enrichments.file.uid + flat_name: threat.indicator.file.uid ignore_above: 1024 level: extended name: uid normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. - type: keyword - threat.enrichments.geo.city_name: - dashed_name: threat-enrichments-geo-city-name + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name description: City name. example: Montreal - flat_name: threat.enrichments.geo.city_name + flat_name: threat.indicator.geo.city_name ignore_above: 1024 level: core name: city_name 
@@ -11930,11 +13149,11 @@ threat: original_fieldset: geo short: City name. type: keyword - threat.enrichments.geo.continent_code: - dashed_name: threat-enrichments-geo-continent-code + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code description: Two-letter code representing continent's name. example: NA - flat_name: threat.enrichments.geo.continent_code + flat_name: threat.indicator.geo.continent_code ignore_above: 1024 level: core name: continent_code @@ -11942,11 +13161,11 @@ threat: original_fieldset: geo short: Continent code. type: keyword - threat.enrichments.geo.continent_name: - dashed_name: threat-enrichments-geo-continent-name + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name description: Name of the continent. example: North America - flat_name: threat.enrichments.geo.continent_name + flat_name: threat.indicator.geo.continent_name ignore_above: 1024 level: core name: continent_name @@ -11954,11 +13173,11 @@ threat: original_fieldset: geo short: Name of the continent. type: keyword - threat.enrichments.geo.country_iso_code: - dashed_name: threat-enrichments-geo-country-iso-code + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code description: Country ISO code. example: CA - flat_name: threat.enrichments.geo.country_iso_code + flat_name: threat.indicator.geo.country_iso_code ignore_above: 1024 level: core name: country_iso_code @@ -11966,11 +13185,11 @@ threat: original_fieldset: geo short: Country ISO code. type: keyword - threat.enrichments.geo.country_name: - dashed_name: threat-enrichments-geo-country-name + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name description: Country name. example: Canada - flat_name: threat.enrichments.geo.country_name + flat_name: threat.indicator.geo.country_name ignore_above: 1024 level: core name: country_name 
@@ -11978,19 +13197,19 @@ threat: original_fieldset: geo short: Country name. type: keyword - threat.enrichments.geo.location: - dashed_name: threat-enrichments-geo-location + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location description: Longitude and latitude. example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.enrichments.geo.location + flat_name: threat.indicator.geo.location level: core name: location normalize: [] original_fieldset: geo short: Longitude and latitude. type: geo_point - threat.enrichments.geo.name: - dashed_name: threat-enrichments-geo-name + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name description: 'User-defined description of a location, at the level of granularity they care about. @@ -11999,7 +13218,7 @@ threat: Not typically used in automated geolocation.' example: boston-dc - flat_name: threat.enrichments.geo.name + flat_name: threat.indicator.geo.name ignore_above: 1024 level: extended name: name @@ -12007,14 +13226,14 @@ threat: original_fieldset: geo short: User-defined description of a location. type: keyword - threat.enrichments.geo.postal_code: - dashed_name: threat-enrichments-geo-postal-code + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code description: 'Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.' example: 94040 - flat_name: threat.enrichments.geo.postal_code + flat_name: threat.indicator.geo.postal_code ignore_above: 1024 level: core name: postal_code 
@@ -12022,11 +13241,11 @@ threat: original_fieldset: geo short: Postal code. type: keyword - threat.enrichments.geo.region_iso_code: - dashed_name: threat-enrichments-geo-region-iso-code + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code description: Region ISO code. example: CA-QC - flat_name: threat.enrichments.geo.region_iso_code + flat_name: threat.indicator.geo.region_iso_code ignore_above: 1024 level: core name: region_iso_code @@ -12034,11 +13253,11 @@ threat: original_fieldset: geo short: Region ISO code. type: keyword - threat.enrichments.geo.region_name: - dashed_name: threat-enrichments-geo-region-name + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name description: Region name. example: Quebec - flat_name: threat.enrichments.geo.region_name + flat_name: threat.indicator.geo.region_name ignore_above: 1024 level: core name: region_name @@ -12046,11 +13265,11 @@ threat: original_fieldset: geo short: Region name. type: keyword - threat.enrichments.geo.timezone: - dashed_name: threat-enrichments-geo-timezone + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires - flat_name: threat.enrichments.geo.timezone + flat_name: threat.indicator.geo.timezone ignore_above: 1024 level: core name: timezone @@ -12058,10 +13277,10 @@ threat: original_fieldset: geo short: Time zone. type: keyword - threat.enrichments.hash.md5: - dashed_name: threat-enrichments-hash-md5 + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 description: MD5 hash. - flat_name: threat.enrichments.hash.md5 + flat_name: threat.indicator.hash.md5 ignore_above: 1024 level: extended name: md5 
@@ -12069,10 +13288,10 @@ threat: original_fieldset: hash short: MD5 hash. type: keyword - threat.enrichments.hash.sha1: - dashed_name: threat-enrichments-hash-sha1 + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 description: SHA1 hash. - flat_name: threat.enrichments.hash.sha1 + flat_name: threat.indicator.hash.sha1 ignore_above: 1024 level: extended name: sha1 @@ -12080,10 +13299,10 @@ threat: original_fieldset: hash short: SHA1 hash. type: keyword - threat.enrichments.hash.sha256: - dashed_name: threat-enrichments-hash-sha256 + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 description: SHA256 hash. - flat_name: threat.enrichments.hash.sha256 + flat_name: threat.indicator.hash.sha256 ignore_above: 1024 level: extended name: sha256 @@ -12091,10 +13310,10 @@ threat: original_fieldset: hash short: SHA256 hash. type: keyword - threat.enrichments.hash.sha512: - dashed_name: threat-enrichments-hash-sha512 + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 description: SHA512 hash. - flat_name: threat.enrichments.hash.sha512 + flat_name: threat.indicator.hash.sha512 ignore_above: 1024 level: extended name: sha512 @@ -12102,10 +13321,10 @@ threat: original_fieldset: hash short: SHA512 hash. type: keyword - threat.enrichments.hash.ssdeep: - dashed_name: threat-enrichments-hash-ssdeep + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep description: SSDEEP hash. - flat_name: threat.enrichments.hash.ssdeep + flat_name: threat.indicator.hash.ssdeep ignore_above: 1024 level: extended name: ssdeep 
@@ -12113,71 +13332,316 @@ threat: original_fieldset: hash short: SSDEEP hash. type: keyword - threat.enrichments.matched.atomic: + threat.indicator.ip: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-atomic - description: Identifies the atomic indicator value that matched a local environment - endpoint or network event. - example: bad-domain.com - flat_name: threat.enrichments.matched.atomic + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended - name: enrichments.matched.atomic + name: indicator.marking.tlp normalize: [] - short: Matched indicator value + short: Indicator TLP marking type: keyword - threat.enrichments.matched.field: + threat.indicator.modified_at: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. 
- example: file.hash.sha256 - flat_name: threat.enrichments.matched.field + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture ignore_above: 1024 level: extended - name: enrichments.matched.field + name: architecture normalize: [] - short: Matched indicator field + original_fieldset: pe + short: CPU architecture target for the file. type: keyword - threat.enrichments.matched.id: + threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. 
+ example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + ignore_above: 1024 + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: keyword + threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + threat.indicator.port: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-id - description: Identifies the _id of the indicator document enriching the event. 
- example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 - flat_name: threat.enrichments.matched.id + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.provider: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-provider + description: The name of the indicator's provider. + example: lrz_urlhaus + flat_name: threat.indicator.provider ignore_above: 1024 level: extended - name: enrichments.matched.id + name: indicator.provider normalize: [] - short: Matched indicator identifier + short: Indicator provider type: keyword - threat.enrichments.matched.index: + threat.indicator.reference: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-index - description: Identifies the _index of the indicator document enriching the event. - example: filebeat-8.0.0-2021.05.23-000011 - flat_name: threat.enrichments.matched.index + dashed_name: threat-indicator-reference + description: Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + flat_name: threat.indicator.reference ignore_above: 1024 level: extended - name: enrichments.matched.index + name: indicator.reference normalize: [] - short: Matched indicator index + short: Indicator reference URL type: keyword - threat.enrichments.matched.type: + threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' 
+ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + ignore_above: 1024 + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: keyword + threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword + threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + ignore_above: 1024 + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: keyword + threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + ignore_above: 1024 + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: keyword + threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.indicator.scanner_stats: beta: This field is beta and subject to change. - dashed_name: threat-enrichments-matched-type - description: Identifies the type of match that caused the event to be enriched - with the given indicator - example: indicator_match_rule - flat_name: threat.enrichments.matched.type + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. 
+ example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type ignore_above: 1024 level: extended - name: enrichments.matched.type + name: indicator.type normalize: [] - short: Type of indicator match + short: Type of indicator type: keyword - threat.enrichments.url.domain: - dashed_name: threat-enrichments-url-domain + threat.indicator.url.domain: + dashed_name: threat-indicator-url-domain description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain @@ -12187,7 +13651,7 @@ threat: 2732), the `[` and `]` characters should also be captured in the `domain` field.' example: www.elastic.co - flat_name: threat.enrichments.url.domain + flat_name: threat.indicator.url.domain ignore_above: 1024 level: extended name: domain @@ -12195,8 +13659,8 @@ threat: original_fieldset: url short: Domain of the url. type: keyword - threat.enrichments.url.extension: - dashed_name: threat-enrichments-url-extension + threat.indicator.url.extension: + dashed_name: threat-indicator-url-extension description: 'The field contains the file extension from the original request url, excluding the leading dot. 
@@ -12208,7 +13672,7 @@ threat: Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").' example: png - flat_name: threat.enrichments.url.extension + flat_name: threat.indicator.url.extension ignore_above: 1024 level: extended name: extension @@ -12216,12 +13680,12 @@ threat: original_fieldset: url short: File extension from the request url, excluding the leading dot. type: keyword - threat.enrichments.url.fragment: - dashed_name: threat-enrichments-url-fragment + threat.indicator.url.fragment: + dashed_name: threat-indicator-url-fragment description: 'Portion of the url after the `#`, such as "top". The `#` is not part of the fragment.' - flat_name: threat.enrichments.url.fragment + flat_name: threat.indicator.url.fragment ignore_above: 1024 level: extended name: fragment @@ -12229,17 +13693,17 @@ threat: original_fieldset: url short: Portion of the url after the `#`. type: keyword - threat.enrichments.url.full: - dashed_name: threat-enrichments-url-full + threat.indicator.url.full: + dashed_name: threat-indicator-url-full description: If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. example: https://www.elastic.co:443/search?q=elasticsearch#top - flat_name: threat.enrichments.url.full + flat_name: threat.indicator.url.full ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.url.full.text + - flat_name: threat.indicator.url.full.text name: text norms: false type: text @@ -12248,8 +13712,8 @@ threat: original_fieldset: url short: Full unparsed URL. type: keyword - threat.enrichments.url.original: - dashed_name: threat-enrichments-url-original + threat.indicator.url.original: + dashed_name: threat-indicator-url-original description: 'Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas 
@@ -12257,11 +13721,11 @@ threat: This field is meant to represent the URL as it was observed, complete or not.' example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - flat_name: threat.enrichments.url.original + flat_name: threat.indicator.url.original ignore_above: 1024 level: extended multi_fields: - - flat_name: threat.enrichments.url.original.text + - flat_name: threat.indicator.url.original.text name: text norms: false type: text @@ -12270,10 +13734,10 @@ threat: original_fieldset: url short: Unmodified original url as seen in the event source. type: keyword - threat.enrichments.url.password: - dashed_name: threat-enrichments-url-password + threat.indicator.url.password: + dashed_name: threat-indicator-url-password description: Password of the request. - flat_name: threat.enrichments.url.password + flat_name: threat.indicator.url.password ignore_above: 1024 level: extended name: password @@ -12281,10 +13745,10 @@ threat: original_fieldset: url short: Password of the request. type: keyword - threat.enrichments.url.path: - dashed_name: threat-enrichments-url-path + threat.indicator.url.path: + dashed_name: threat-indicator-url-path description: Path of the request, such as "/search". - flat_name: threat.enrichments.url.path + flat_name: threat.indicator.url.path ignore_above: 1024 level: extended name: path @@ -12292,11 +13756,11 @@ threat: original_fieldset: url short: Path of the request, such as "/search". type: keyword - threat.enrichments.url.port: - dashed_name: threat-enrichments-url-port + threat.indicator.url.port: + dashed_name: threat-indicator-url-port description: Port of the request, such as 443. example: 443 - flat_name: threat.enrichments.url.port + flat_name: threat.indicator.url.port format: string level: extended name: port 
@@ -12304,8 +13768,8 @@ threat: original_fieldset: url short: Port of the request, such as 443. type: long - threat.enrichments.url.query: - dashed_name: threat-enrichments-url-query + threat.indicator.url.query: + dashed_name: threat-indicator-url-query description: 'The query field describes the query string of the request, such as "q=elasticsearch". @@ -12313,7 +13777,7 @@ threat: is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.' - flat_name: threat.enrichments.url.query + flat_name: threat.indicator.url.query ignore_above: 1024 level: extended name: query @@ -12321,8 +13785,8 @@ threat: original_fieldset: url short: Query string of the request. type: keyword - threat.enrichments.url.registered_domain: - dashed_name: threat-enrichments-url-registered-domain + threat.indicator.url.registered_domain: + dashed_name: threat-indicator-url-registered-domain description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -12331,7 +13795,7 @@ threat: list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' example: example.com - flat_name: threat.enrichments.url.registered_domain + flat_name: threat.indicator.url.registered_domain ignore_above: 1024 level: extended name: registered_domain 
@@ -12339,13 +13803,13 @@ threat: original_fieldset: url short: The highest registered url domain, stripped of the subdomain. type: keyword - threat.enrichments.url.scheme: - dashed_name: threat-enrichments-url-scheme + threat.indicator.url.scheme: + dashed_name: threat-indicator-url-scheme description: 'Scheme of the request, such as "https". Note: The `:` is not part of the scheme.' example: https - flat_name: threat.enrichments.url.scheme + flat_name: threat.indicator.url.scheme ignore_above: 1024 level: extended name: scheme @@ -12353,8 +13817,8 @@ threat: original_fieldset: url short: Scheme of the url. type: keyword - threat.enrichments.url.subdomain: - dashed_name: threat-enrichments-url-subdomain + threat.indicator.url.subdomain: + dashed_name: threat-indicator-url-subdomain description: 'The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot @@ -12364,7 +13828,7 @@ threat: If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.' example: east - flat_name: threat.enrichments.url.subdomain + flat_name: threat.indicator.url.subdomain ignore_above: 1024 level: extended name: subdomain @@ -12372,8 +13836,8 @@ threat: original_fieldset: url short: The subdomain of the domain. type: keyword - threat.enrichments.url.top_level_domain: - dashed_name: threat-enrichments-url-top-level-domain + threat.indicator.url.top_level_domain: + dashed_name: threat-indicator-url-top-level-domain description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
@@ -12382,7 +13846,7 @@ threat: list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".' example: co.uk - flat_name: threat.enrichments.url.top_level_domain + flat_name: threat.indicator.url.top_level_domain ignore_above: 1024 level: extended name: top_level_domain @@ -12390,10 +13854,10 @@ threat: original_fieldset: url short: The effective top level domain (com, org, net, co.uk). type: keyword - threat.enrichments.url.username: - dashed_name: threat-enrichments-url-username + threat.indicator.url.username: + dashed_name: threat-indicator-url-username description: Username of the request. - flat_name: threat.enrichments.url.username + flat_name: threat.indicator.url.username ignore_above: 1024 level: extended name: username @@ -12401,13 +13865,13 @@ threat: original_fieldset: url short: Username of the request. type: keyword - threat.enrichments.x509.alternative_names: - dashed_name: threat-enrichments-x509-alternative-names + threat.indicator.x509.alternative_names: + dashed_name: threat-indicator-x509-alternative-names description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. example: '*.elastic.co' - flat_name: threat.enrichments.x509.alternative_names + flat_name: threat.indicator.x509.alternative_names ignore_above: 1024 level: extended name: alternative_names 
@@ -12416,11 +13880,11 @@ threat: original_fieldset: x509 short: List of subject alternative names (SAN). type: keyword - threat.enrichments.x509.issuer.common_name: - dashed_name: threat-enrichments-x509-issuer-common-name + threat.indicator.x509.issuer.common_name: + dashed_name: threat-indicator-x509-issuer-common-name description: List of common name (CN) of issuing certificate authority. example: Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.common_name + flat_name: threat.indicator.x509.issuer.common_name ignore_above: 1024 level: extended name: issuer.common_name @@ -12429,11 +13893,11 @@ threat: original_fieldset: x509 short: List of common name (CN) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.country: - dashed_name: threat-enrichments-x509-issuer-country + threat.indicator.x509.issuer.country: + dashed_name: threat-indicator-x509-issuer-country description: List of country (C) codes example: US - flat_name: threat.enrichments.x509.issuer.country + flat_name: threat.indicator.x509.issuer.country ignore_above: 1024 level: extended name: issuer.country @@ -12442,12 +13906,12 @@ threat: original_fieldset: x509 short: List of country (C) codes type: keyword - threat.enrichments.x509.issuer.distinguished_name: - dashed_name: threat-enrichments-x509-issuer-distinguished-name + threat.indicator.x509.issuer.distinguished_name: + dashed_name: threat-indicator-x509-issuer-distinguished-name description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA - flat_name: threat.enrichments.x509.issuer.distinguished_name + flat_name: threat.indicator.x509.issuer.distinguished_name ignore_above: 1024 level: extended name: issuer.distinguished_name 
@@ -12455,11 +13919,11 @@ threat: original_fieldset: x509 short: Distinguished name (DN) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.locality: - dashed_name: threat-enrichments-x509-issuer-locality + threat.indicator.x509.issuer.locality: + dashed_name: threat-indicator-x509-issuer-locality description: List of locality names (L) example: Mountain View - flat_name: threat.enrichments.x509.issuer.locality + flat_name: threat.indicator.x509.issuer.locality ignore_above: 1024 level: extended name: issuer.locality @@ -12468,11 +13932,11 @@ threat: original_fieldset: x509 short: List of locality names (L) type: keyword - threat.enrichments.x509.issuer.organization: - dashed_name: threat-enrichments-x509-issuer-organization + threat.indicator.x509.issuer.organization: + dashed_name: threat-indicator-x509-issuer-organization description: List of organizations (O) of issuing certificate authority. example: Example Inc - flat_name: threat.enrichments.x509.issuer.organization + flat_name: threat.indicator.x509.issuer.organization ignore_above: 1024 level: extended name: issuer.organization @@ -12481,11 +13945,11 @@ threat: original_fieldset: x509 short: List of organizations (O) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.organizational_unit: - dashed_name: threat-enrichments-x509-issuer-organizational-unit + threat.indicator.x509.issuer.organizational_unit: + dashed_name: threat-indicator-x509-issuer-organizational-unit description: List of organizational units (OU) of issuing certificate authority. example: www.example.com - flat_name: threat.enrichments.x509.issuer.organizational_unit + flat_name: threat.indicator.x509.issuer.organizational_unit ignore_above: 1024 level: extended name: issuer.organizational_unit 
@@ -12494,11 +13958,11 @@ threat: original_fieldset: x509 short: List of organizational units (OU) of issuing certificate authority. type: keyword - threat.enrichments.x509.issuer.state_or_province: - dashed_name: threat-enrichments-x509-issuer-state-or-province + threat.indicator.x509.issuer.state_or_province: + dashed_name: threat-indicator-x509-issuer-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.issuer.state_or_province + flat_name: threat.indicator.x509.issuer.state_or_province ignore_above: 1024 level: extended name: issuer.state_or_province 
@@ -12507,33 +13971,33 @@ threat: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.x509.not_after: - dashed_name: threat-enrichments-x509-not-after + threat.indicator.x509.not_after: + dashed_name: threat-indicator-x509-not-after description: Time at which the certificate is no longer considered valid. example: 2020-07-16 03:15:39+00:00 - flat_name: threat.enrichments.x509.not_after + flat_name: threat.indicator.x509.not_after level: extended name: not_after normalize: [] original_fieldset: x509 short: Time at which the certificate is no longer considered valid. type: date - threat.enrichments.x509.not_before: - dashed_name: threat-enrichments-x509-not-before + threat.indicator.x509.not_before: + dashed_name: threat-indicator-x509-not-before description: Time at which the certificate is first considered valid. example: 2019-08-16 01:40:25+00:00 - flat_name: threat.enrichments.x509.not_before + flat_name: threat.indicator.x509.not_before level: extended name: not_before normalize: [] original_fieldset: x509 short: Time at which the certificate is first considered valid. type: date - threat.enrichments.x509.public_key_algorithm: - dashed_name: threat-enrichments-x509-public-key-algorithm + threat.indicator.x509.public_key_algorithm: + dashed_name: threat-indicator-x509-public-key-algorithm description: Algorithm used to generate the public key. example: RSA - flat_name: threat.enrichments.x509.public_key_algorithm + flat_name: threat.indicator.x509.public_key_algorithm ignore_above: 1024 level: extended name: public_key_algorithm 
@@ -12541,12 +14005,12 @@ threat: original_fieldset: x509 short: Algorithm used to generate the public key. type: keyword - threat.enrichments.x509.public_key_curve: - dashed_name: threat-enrichments-x509-public-key-curve + threat.indicator.x509.public_key_curve: + dashed_name: threat-indicator-x509-public-key-curve description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 - flat_name: threat.enrichments.x509.public_key_curve + flat_name: threat.indicator.x509.public_key_curve ignore_above: 1024 level: extended name: public_key_curve @@ -12555,12 +14019,12 @@ threat: short: The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword - threat.enrichments.x509.public_key_exponent: - dashed_name: threat-enrichments-x509-public-key-exponent + threat.indicator.x509.public_key_exponent: + dashed_name: threat-indicator-x509-public-key-exponent description: Exponent used to derive the public key. This is algorithm specific. doc_values: false example: 65537 - flat_name: threat.enrichments.x509.public_key_exponent + flat_name: threat.indicator.x509.public_key_exponent index: false level: extended name: public_key_exponent 
@@ -12568,24 +14032,24 @@ threat: original_fieldset: x509 short: Exponent used to derive the public key. This is algorithm specific. type: long - threat.enrichments.x509.public_key_size: - dashed_name: threat-enrichments-x509-public-key-size + threat.indicator.x509.public_key_size: + dashed_name: threat-indicator-x509-public-key-size description: The size of the public key space in bits. example: 2048 - flat_name: threat.enrichments.x509.public_key_size + flat_name: threat.indicator.x509.public_key_size level: extended name: public_key_size normalize: [] original_fieldset: x509 short: The size of the public key space in bits. type: long - threat.enrichments.x509.serial_number: - dashed_name: threat-enrichments-x509-serial-number + threat.indicator.x509.serial_number: + dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - flat_name: threat.enrichments.x509.serial_number + flat_name: threat.indicator.x509.serial_number ignore_above: 1024 level: extended name: serial_number @@ -12593,12 +14057,12 @@ threat: original_fieldset: x509 short: Unique serial number issued by the certificate authority. type: keyword - threat.enrichments.x509.signature_algorithm: - dashed_name: threat-enrichments-x509-signature-algorithm + threat.indicator.x509.signature_algorithm: + dashed_name: threat-indicator-x509-signature-algorithm description: Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. example: SHA256-RSA - flat_name: threat.enrichments.x509.signature_algorithm + flat_name: threat.indicator.x509.signature_algorithm ignore_above: 1024 level: extended name: signature_algorithm 
@@ -12606,11 +14070,11 @@ threat: original_fieldset: x509 short: Identifier for certificate signature algorithm. type: keyword - threat.enrichments.x509.subject.common_name: - dashed_name: threat-enrichments-x509-subject-common-name + threat.indicator.x509.subject.common_name: + dashed_name: threat-indicator-x509-subject-common-name description: List of common names (CN) of subject. example: shared.global.example.net - flat_name: threat.enrichments.x509.subject.common_name + flat_name: threat.indicator.x509.subject.common_name ignore_above: 1024 level: extended name: subject.common_name @@ -12619,11 +14083,11 @@ threat: original_fieldset: x509 short: List of common names (CN) of subject. type: keyword - threat.enrichments.x509.subject.country: - dashed_name: threat-enrichments-x509-subject-country + threat.indicator.x509.subject.country: + dashed_name: threat-indicator-x509-subject-country description: List of country (C) code example: US - flat_name: threat.enrichments.x509.subject.country + flat_name: threat.indicator.x509.subject.country ignore_above: 1024 level: extended name: subject.country @@ -12632,11 +14096,11 @@ threat: original_fieldset: x509 short: List of country (C) code type: keyword - threat.enrichments.x509.subject.distinguished_name: - dashed_name: threat-enrichments-x509-subject-distinguished-name + threat.indicator.x509.subject.distinguished_name: + dashed_name: threat-indicator-x509-subject-distinguished-name description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net - flat_name: threat.enrichments.x509.subject.distinguished_name + flat_name: threat.indicator.x509.subject.distinguished_name ignore_above: 1024 level: extended name: subject.distinguished_name 
@@ -12644,11 +14108,11 @@ threat: original_fieldset: x509 short: Distinguished name (DN) of the certificate subject entity. type: keyword - threat.enrichments.x509.subject.locality: - dashed_name: threat-enrichments-x509-subject-locality + threat.indicator.x509.subject.locality: + dashed_name: threat-indicator-x509-subject-locality description: List of locality names (L) example: San Francisco - flat_name: threat.enrichments.x509.subject.locality + flat_name: threat.indicator.x509.subject.locality ignore_above: 1024 level: extended name: subject.locality @@ -12657,11 +14121,11 @@ threat: original_fieldset: x509 short: List of locality names (L) type: keyword - threat.enrichments.x509.subject.organization: - dashed_name: threat-enrichments-x509-subject-organization + threat.indicator.x509.subject.organization: + dashed_name: threat-indicator-x509-subject-organization description: List of organizations (O) of subject. example: Example, Inc. - flat_name: threat.enrichments.x509.subject.organization + flat_name: threat.indicator.x509.subject.organization ignore_above: 1024 level: extended name: subject.organization @@ -12670,10 +14134,10 @@ threat: original_fieldset: x509 short: List of organizations (O) of subject. type: keyword - threat.enrichments.x509.subject.organizational_unit: - dashed_name: threat-enrichments-x509-subject-organizational-unit + threat.indicator.x509.subject.organizational_unit: + dashed_name: threat-indicator-x509-subject-organizational-unit description: List of organizational units (OU) of subject. - flat_name: threat.enrichments.x509.subject.organizational_unit + flat_name: threat.indicator.x509.subject.organizational_unit ignore_above: 1024 level: extended name: subject.organizational_unit 
@@ -12682,11 +14146,11 @@ threat: original_fieldset: x509 short: List of organizational units (OU) of subject. type: keyword - threat.enrichments.x509.subject.state_or_province: - dashed_name: threat-enrichments-x509-subject-state-or-province + threat.indicator.x509.subject.state_or_province: + dashed_name: threat-indicator-x509-subject-state-or-province description: List of state or province names (ST, S, or P) example: California - flat_name: threat.enrichments.x509.subject.state_or_province + flat_name: threat.indicator.x509.subject.state_or_province ignore_above: 1024 level: extended name: subject.state_or_province @@ -12695,11 +14159,11 @@ threat: original_fieldset: x509 short: List of state or province names (ST, S, or P) type: keyword - threat.enrichments.x509.version_number: - dashed_name: threat-enrichments-x509-version-number + threat.indicator.x509.version_number: + dashed_name: threat-indicator-x509-version-number description: Version of x509 format. example: 3 - flat_name: threat.enrichments.x509.version_number + flat_name: threat.indicator.x509.version_number ignore_above: 1024 level: extended name: version_number 
@@ -12707,229 +14171,6 @@ threat: original_fieldset: x509 short: Version of x509 format. type: keyword - threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework - ignore_above: 1024 - level: extended - name: framework - normalize: [] - short: Threat classification framework. - type: keyword - threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias - ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. - type: keyword - threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id - ignore_above: 1024 - level: extended - name: group.id - normalize: [] - short: ID of the group. - type: keyword - threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - flat_name: threat.group.name - ignore_above: 1024 - level: extended - name: group.name - normalize: [] - short: Name of the group. - type: keyword - threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference - ignore_above: 1024 - level: extended - name: group.reference - normalize: [] - short: Reference URL of the group. - type: keyword - threat.indicator.confidence: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 - level: extended - name: indicator.confidence - normalize: [] - short: Indicator confidence rating - type: keyword - threat.indicator.description: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description - ignore_above: 1024 - level: extended - name: indicator.description - normalize: [] - short: Indicator description - type: keyword - threat.indicator.email.address: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). 
- example: phish@example.com - flat_name: threat.indicator.email.address - ignore_above: 1024 - level: extended - name: indicator.email.address - normalize: [] - short: Indicator email address - type: keyword - threat.indicator.first_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen - level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date - threat.indicator.ip: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip - threat.indicator.last_seen: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen - level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date - threat.indicator.marking.tlp: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ - \ * WHITE\n * GREEN\n * AMBER\n * RED" - example: WHITE - flat_name: threat.indicator.marking.tlp - ignore_above: 1024 - level: extended - name: indicator.marking.tlp - normalize: [] - short: Indicator TLP marking - type: keyword - threat.indicator.modified_at: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-modified-at - description: The date and time when intelligence source last modified information - for this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.modified_at - level: extended - name: indicator.modified_at - normalize: [] - short: Date/time indicator was last updated. - type: date - threat.indicator.port: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-port - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 - flat_name: threat.indicator.port - level: extended - name: indicator.port - normalize: [] - short: Indicator port - type: long - threat.indicator.scanner_stats: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-scanner-stats - description: Count of AV/EDR vendors that successfully detected malicious file - or URL. - example: 4 - flat_name: threat.indicator.scanner_stats - level: extended - name: indicator.scanner_stats - normalize: [] - short: Scanner statistics - type: long - threat.indicator.sightings: - beta: This field is beta and subject to change. - dashed_name: threat-indicator-sightings - description: Number of times this indicator was observed conducting threat activity. - example: 20 - flat_name: threat.indicator.sightings - level: extended - name: indicator.sightings - normalize: [] - short: Number of times indicator observed - type: long - threat.indicator.type: - beta: This field is beta and subject to change. 
- dashed_name: threat-indicator-type - description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ - \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ - \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ - \ * user-account\n * windows-registry-key\n * x509-certificate" - example: ipv4-addr - flat_name: threat.indicator.type - ignore_above: 1024 - level: extended - name: indicator.type - normalize: [] - short: Type of indicator - type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id 
@@ -13134,41 +14375,86 @@ threat: group: 2 name: threat nestings: - - threat.enrichments.as - - threat.enrichments.event - - threat.enrichments.file - - threat.enrichments.geo - - threat.enrichments.hash - - threat.enrichments.url - - threat.enrichments.x509 + - threat.enrichments.indicator.as + - threat.enrichments.indicator.file + - threat.enrichments.indicator.geo + - threat.enrichments.indicator.hash + - threat.enrichments.indicator.pe + - threat.enrichments.indicator.registry + - threat.enrichments.indicator.url + - threat.enrichments.indicator.x509 + - threat.indicator.as + - threat.indicator.file + - threat.indicator.geo + - threat.indicator.hash + - threat.indicator.pe + - threat.indicator.registry + - threat.indicator.url + - threat.indicator.x509 prefix: threat. reused_here: - beta: Reusing the `as` fields in this location is currently considered beta. - full: threat.enrichments.as + full: threat.indicator.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - beta: Reusing the `as` fields in this location is currently considered beta. + full: threat.enrichments.indicator.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - - beta: Reusing the `event` fields in this location is currently considered beta. - full: threat.enrichments.event - schema_name: event - short: Fields breaking down the event details. - beta: Reusing the `file` fields in this location is currently considered beta. - full: threat.enrichments.file + full: threat.indicator.file + schema_name: file + short: Fields describing files. + - beta: Reusing the `file` fields in this location is currently considered beta. + full: threat.enrichments.indicator.file schema_name: file short: Fields describing files. - beta: Reusing the `geo` fields in this location is currently considered beta. - full: threat.enrichments.geo + full: threat.indicator.geo schema_name: geo short: Fields describing a location. 
+ - beta: Reusing the `geo` fields in this location is currently considered beta. + full: threat.enrichments.indicator.geo + schema_name: geo + short: Fields describing a location. + - beta: Reusing the `hash` fields in this location is currently considered beta. + full: threat.indicator.hash + schema_name: hash + short: Hashes, usually file hashes. - beta: Reusing the `hash` fields in this location is currently considered beta. - full: threat.enrichments.hash + full: threat.enrichments.indicator.hash schema_name: hash short: Hashes, usually file hashes. + - beta: Reusing the `pe` fields in this location is currently considered beta. + full: threat.indicator.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - beta: Reusing the `pe` fields in this location is currently considered beta. + full: threat.enrichments.indicator.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - beta: Reusing the `registry` fields in this location is currently considered beta. + full: threat.indicator.registry + schema_name: registry + short: Fields related to Windows Registry operations. + - beta: Reusing the `registry` fields in this location is currently considered beta. + full: threat.enrichments.indicator.registry + schema_name: registry + short: Fields related to Windows Registry operations. + - beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.indicator.url + schema_name: url + short: Fields that let you store URLs in various forms. - beta: Reusing the `url` fields in this location is currently considered beta. - full: threat.enrichments.url + full: threat.enrichments.indicator.url schema_name: url short: Fields that let you store URLs in various forms. - beta: Reusing the `x509` fields in this location is currently considered beta. 
- full: threat.enrichments.x509 + full: threat.indicator.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. + - beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.enrichments.indicator.x509 schema_name: x509 short: These fields contain x509 certificate metadata. short: Fields to classify events and alerts according to a threat taxonomy. @@ -14451,9 +15737,13 @@ url: reusable: expected: - as: url - at: threat.enrichments + at: threat.indicator beta: Reusing the `url` fields in this location is currently considered beta. - full: threat.enrichments.url + full: threat.indicator.url + - as: url + at: threat.enrichments.indicator + beta: Reusing the `url` fields in this location is currently considered beta. + full: threat.enrichments.indicator.url top_level: true short: Fields that let you store URLs in various forms. title: URL @@ -15761,9 +17051,13 @@ x509: at: file full: file.x509 - as: x509 - at: threat.enrichments + at: threat.indicator + beta: Reusing the `x509` fields in this location is currently considered beta. + full: threat.indicator.x509 + - as: x509 + at: threat.enrichments.indicator beta: Reusing the `x509` fields in this location is currently considered beta. - full: threat.enrichments.x509 + full: threat.enrichments.indicator.x509 - as: x509 at: tls.client full: tls.client.x509 diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index a75aebd248..cfc7df9502 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -3155,6 +3155,699 @@ "threat": { "properties": { "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + 
"type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { "properties": { "as": { "properties": { 
@@ -3177,101 +3870,17 @@ } } }, - "event": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { + "address": { "ignore_above": 1024, "type": "keyword" } @@ -3518,6 +4127,9 @@ } } }, + "first_seen": { + "type": "date" + }, "geo": { "properties": { "city_name": { 
@@ -3589,30 +4201,112 @@ } } }, - "matched": { + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { "properties": { - "atomic": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - "field": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "index": { + "file_version": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { "ignore_above": 1024, "type": "keyword" } } }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "url": { "properties": { "domain": { 
@@ -3790,84 +4484,6 @@ } } } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } } }, "software": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 5d3bd6105e..e7879e0def 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json 
@@ -3151,6 +3151,699 @@ "threat": { "properties": { "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + 
"type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + 
"type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { "properties": { "as": { "properties": { 
@@ -3173,101 +3866,17 @@ } } }, - "event": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { + "address": { "ignore_above": 1024, "type": "keyword" } @@ -3514,6 +4123,9 @@ } } }, + "first_seen": { + "type": "date" + }, "geo": { "properties": { "city_name": { 
@@ -3585,30 +4197,112 @@ } } }, - "matched": { + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { "properties": { - "atomic": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - "field": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "index": { + "file_version": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { "ignore_above": 1024, "type": "keyword" } } }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "url": { "properties": { "domain": { 
@@ -3786,84 +4480,6 @@ } } } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } } }, "software": { diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index c0d439cb35..f816ec597b 100644 --- a/generated/elasticsearch/component/threat.json +++ b/generated/elasticsearch/component/threat.json 
@@ -9,6 +9,699 @@ "threat": { "properties": { "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": 
"long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": 
"keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { "properties": { "as": { "properties": { 
@@ -31,101 +724,17 @@ } } }, - "event": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { + "address": { "ignore_above": 1024, "type": "keyword" } @@ -372,6 +981,9 @@ } } }, + "first_seen": { + "type": "date" + }, "geo": { "properties": { "city_name": { 
@@ -443,30 +1055,112 @@ } } }, - "matched": { + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { "properties": { - "atomic": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { "ignore_above": 1024, "type": "keyword" }, - "field": { + "company": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "index": { + "file_version": { "ignore_above": 1024, "type": "keyword" }, - "type": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { "ignore_above": 1024, "type": "keyword" } } }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "url": { "properties": { "domain": { 
@@ -644,84 +1338,6 @@ } } } - }, - "type": "nested" - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } } }, "software": { diff --git a/schemas/as.yml b/schemas/as.yml index d75d4edaee..be0ac01547 100644 --- a/schemas/as.yml +++ b/schemas/as.yml @@ -15,7 +15,10 @@ - destination - server - source - - at: threat.enrichments + - at: threat.indicator + as: as + beta: Reusing the `as` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: as beta: Reusing the `as` fields in this location is currently considered beta. type: group diff --git a/schemas/event.yml b/schemas/event.yml index 7d4033398c..e20722df7e 100644 --- a/schemas/event.yml +++ b/schemas/event.yml 
@@ -17,12 +17,7 @@ See the `event.kind` definition in this section for additional details about metric and state events. type: group - reusable: - top_level: true - expected: - - at: threat.enrichments - as: event - beta: Reusing the `event` fields in this location is currently considered beta. + fields: - name: id @@ -593,8 +588,8 @@ dst=2.1.2.2spt=1232" short: Raw text message of entire event. description: > - Raw text message of entire event. Used to demonstrate log integrity - or where the full log message (before splitting it up in multiple + Raw text message of entire event. Used to demonstrate log integrity + or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be diff --git a/schemas/file.yml b/schemas/file.yml index c42559d156..9b52b2520e 100644 --- a/schemas/file.yml +++ b/schemas/file.yml @@ -13,7 +13,10 @@ reusable: top_level: true expected: - - at: threat.enrichments + - at: threat.indicator + as: file + beta: Reusing the `file` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: file beta: Reusing the `file` fields in this location is currently considered beta. fields: diff --git a/schemas/geo.yml b/schemas/geo.yml index ddc6b0bccb..aef1a86f30 100644 --- a/schemas/geo.yml +++ b/schemas/geo.yml @@ -17,7 +17,10 @@ - host - server - source - - at: threat.enrichments + - at: threat.indicator + as: geo + beta: Reusing the `geo` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: geo beta: Reusing the `geo` fields in this location is currently considered beta. type: group diff --git a/schemas/hash.yml b/schemas/hash.yml index 17b0d008c2..33cb0f556b 100644 --- a/schemas/hash.yml +++ b/schemas/hash.yml 
@@ -21,7 +21,10 @@ - file - process - dll - - at: threat.enrichments + - at: threat.indicator + as: hash + beta: Reusing the `hash` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: hash beta: Reusing the `hash` fields in this location is currently considered beta. diff --git a/schemas/pe.yml b/schemas/pe.yml index 126fb16136..937412256e 100644 --- a/schemas/pe.yml +++ b/schemas/pe.yml @@ -10,6 +10,12 @@ - file - dll - process + - at: threat.indicator + as: pe + beta: Reusing the `pe` fields in this location is currently considered beta. + - at: threat.enrichments.indicator + as: pe + beta: Reusing the `pe` fields in this location is currently considered beta. fields: - name: original_file_name level: extended diff --git a/schemas/registry.yml b/schemas/registry.yml index bf8670d84e..72bba7d1ff 100644 --- a/schemas/registry.yml +++ b/schemas/registry.yml @@ -4,6 +4,15 @@ group: 2 description: Fields related to Windows Registry operations. type: group + reusable: + top_level: true + expected: + - at: threat.indicator + as: registry + beta: Reusing the `registry` fields in this location is currently considered beta. + - at: threat.enrichments.indicator + as: registry + beta: Reusing the `registry` fields in this location is currently considered beta. fields: - name: hive diff --git a/schemas/threat.yml b/schemas/threat.yml index 0e20fe332a..87287b7eb5 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
@@ -17,10 +17,174 @@ - name: enrichments level: extended type: nested - short: List of indicators enriching the event. + short: List of objects containing indicators enriching the event. beta: This field is beta and subject to change. description: > - A list of associated indicators enriching the event, and the context of that association/enrichment. + A list of associated indicators objects enriching the event, and the context of + that association/enrichment. + + - name: enrichments.indicator + level: extended + type: object + short: Object containing indicators enriching the event. + beta: This field is beta and subject to change. + description: > + Object containing associated indicators enriching the event. + + - name: enrichments.indicator.first_seen + level: extended + type: date + short: Date/time indicator was first reported. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source first reported sighting this indicator. + example: "2020-11-05T17:25:47.000Z" + + - name: enrichments.indicator.last_seen + level: extended + type: date + short: Date/time indicator was last reported. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source last reported sighting this indicator. + example: "2020-11-05T17:25:47.000Z" + + - name: enrichments.indicator.modified_at + level: extended + type: date + short: Date/time indicator was last updated. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source last modified information for this indicator. + example: "2020-11-05T17:25:47.000Z" + + - name: enrichments.indicator.sightings + level: extended + type: long + short: Number of times indicator observed + beta: This field is beta and subject to change. + description: > + Number of times this indicator was observed conducting threat activity. 
+ example: 20 + + - name: enrichments.indicator.type + level: extended + type: keyword + short: Type of indicator + beta: This field is beta and subject to change. + description: > + Type of indicator as represented by Cyber Observable in STIX 2.0. + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + example: ipv4-addr + + - name: enrichments.indicator.description + level: extended + type: keyword + short: Indicator description + beta: This field is beta and subject to change. + description: > + Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + + - name: enrichments.indicator.scanner_stats + level: extended + type: long + short: Scanner statistics + beta: This field is beta and subject to change. + description: > + Count of AV/EDR vendors that successfully detected malicious file or URL. + example: 4 + + - name: enrichments.indicator.confidence + level: extended + type: keyword + short: Indicator confidence rating + beta: This field is beta and subject to change. + description: > + Identifies the confidence rating assigned by the provider using STIX confidence scales. + Expected values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) + example: High + + - name: enrichments.indicator.ip + level: extended + type: ip + short: Indicator IP address + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + + - name: enrichments.indicator.port + level: extended + type: long + short: Indicator port + beta: This field is beta and subject to change. 
+ description: > + Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + + - name: enrichments.indicator.email.address + level: extended + type: keyword + short: Indicator email address + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as an email address (irrespective of direction). + example: phish@example.com + + - name: enrichments.indicator.marking.tlp + level: extended + type: keyword + short: Indicator TLP marking + beta: This field is beta and subject to change. + description: > + Traffic Light Protocol sharing markings. + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + example: White + + - name: enrichments.indicator.reference + level: extended + type: keyword + short: Indicator reference URL + beta: This field is beta and subject to change. + description: > + Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + + - name: enrichments.indicator.provider + level: extended + type: keyword + short: Indicator provider + beta: This field is beta and subject to change. + description: > + The name of the indicator's provider. + example: lrz_urlhaus - name: enrichments.matched.atomic level: extended @@ -271,6 +435,24 @@ example: WHITE + - name: indicator.reference + level: extended + type: keyword + short: Indicator reference URL + beta: This field is beta and subject to change. + description: > + Reference URL linking to additional information about this indicator. + example: https://system.example.com/indicator/0001234 + + - name: indicator.provider + level: extended + type: keyword + short: Indicator provider + beta: This field is beta and subject to change. + description: > + The name of the indicator's provider. + example: lrz_urlhaus + - name: software.id level: extended type: keyword diff --git a/schemas/url.yml b/schemas/url.yml index 1d68bc55e8..5fc48c54f6 100644 
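Review bot: The example for `enrichments.indicator.marking.tlp` is `White`, while the recommended values listed directly above it are `WHITE`, `GREEN`, `AMBER`, `RED`, and the sibling `indicator.marking.tlp` field (visible as the `example: WHITE` context line of the next hunk) already uses upper case; because the field is a `keyword`, a mixed-case example invites producers to emit values that will not match term queries or detection rules written against the documented constants, so it should read `example: WHITE`. The confidence scale text under `enrichments.indicator.confidence` spells `Admirality Scale (1-6)`; the established name is `Admiralty Scale (1-6)`. The new `enrichments` description reads `A list of associated indicators objects enriching the event`; `indicator objects` is the grammatical form and matches the updated `short` text. These are documentation-only fixes to the schema YAML; the enclosing `threat` field set definition begins before this hunk.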
--- a/schemas/url.yml +++ b/schemas/url.yml @@ -9,7 +9,10 @@ reusable: top_level: true expected: - - at: threat.enrichments + - at: threat.indicator + as: url + beta: Reusing the `url` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: url beta: Reusing the `url` fields in this location is currently considered beta. fields: diff --git a/schemas/x509.yml b/schemas/x509.yml index d37db9807a..f60f65099d 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml @@ -17,7 +17,10 @@ top_level: false expected: - file - - at: threat.enrichments + - at: threat.indicator + as: x509 + beta: Reusing the `x509` fields in this location is currently considered beta. + - at: threat.enrichments.indicator as: x509 beta: Reusing the `x509` fields in this location is currently considered beta. - tls.client