[1.x] Add threat.technique.subtechnique (#951) (#956)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
ebeahan and rw-access authored Aug 31, 2020
1 parent 4b6742b commit 357ce24
Showing 10 changed files with 367 additions and 94 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.md
Expand Up @@ -10,6 +10,8 @@ Thanks, you're awesome :-) -->

### Schema Changes

* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtecqhniques. #951

#### Breaking changes

#### Bugfixes
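Review bot: the changelog entry has a typo, "subtecqhniques"; it should read "subtechniques" before this lands, since CHANGELOG.next.md is copied verbatim into the release notes.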
39 changes: 27 additions & 12 deletions code/go/ecs/threat.go


78 changes: 66 additions & 12 deletions docs/field-details.asciidoc
Expand Up @@ -5418,7 +5418,7 @@ example: `MITRE ATT&CK`
// ===============================================================

| threat.tactic.id
| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

Expand All @@ -5427,14 +5427,14 @@ Note: this field should contain an array of values.



example: `TA0040`
example: `TA0002`

| extended

// ===============================================================

| threat.tactic.name
| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)
| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)

type: keyword

Expand All @@ -5443,14 +5443,14 @@ Note: this field should contain an array of values.



example: `impact`
example: `Execution`

| extended

// ===============================================================

| threat.tactic.reference
| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

Expand All @@ -5459,14 +5459,14 @@ Note: this field should contain an array of values.



example: `https://attack.mitre.org/tactics/TA0040/`
example: `https://attack.mitre.org/tactics/TA0002/`

| extended

// ===============================================================

| threat.technique.id
| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Expand All @@ -5475,14 +5475,14 @@ Note: this field should contain an array of values.



example: `T1499`
example: `T1059`

| extended

// ===============================================================

| threat.technique.name
| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Expand All @@ -5497,14 +5497,14 @@ Note: this field should contain an array of values.



example: `Endpoint Denial of Service`
example: `Command and Scripting Interpreter`

| extended

// ===============================================================

| threat.technique.reference
| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Expand All @@ -5513,7 +5513,61 @@ Note: this field should contain an array of values.



example: `https://attack.mitre.org/techniques/T1499/`
example: `https://attack.mitre.org/techniques/T1059/`

| extended

// ===============================================================

| threat.technique.subtechnique.id
| The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword


Note: this field should contain an array of values.



example: `T1059.001`

| extended

// ===============================================================

| threat.technique.subtechnique.name
| The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

Multi-fields:

* threat.technique.subtechnique.name.text (type: text)




Note: this field should contain an array of values.



example: `PowerShell`

| extended

// ===============================================================

| threat.technique.subtechnique.reference
| The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword


Note: this field should contain an array of values.



example: `https://attack.mitre.org/techniques/T1059/001/`

| extended
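Review bot: the "full id" wording for `threat.technique.subtechnique.id` is the right call, but the description should say why, since every field in this set is an array: with both `threat.technique.id` and `threat.technique.subtechnique.id` holding arrays, the `T1059` prefix in `T1059.001` is the only thing tying a subtechnique back to its parent technique. A short clause such as "(the full id, including the parent technique, e.g. T1059.001)" would stop producers from storing just `001`.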

53 changes: 40 additions & 13 deletions generated/beats/fields.ecs.yml
Expand Up @@ -4538,30 +4538,30 @@
type: keyword
ignore_above: 1024
description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
\ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )"
example: TA0040
\ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
example: TA0002
- name: tactic.name
level: extended
type: keyword
ignore_above: 1024
description: "Name of the type of tactic used by this threat. You can use a\
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)"
example: impact
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
example: Execution
- name: tactic.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of tactic used by this threat. You can use a\
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
\ )"
example: https://attack.mitre.org/tactics/TA0040/
example: https://attack.mitre.org/tactics/TA0002/
- name: technique.id
level: extended
type: keyword
ignore_above: 1024
description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
\ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
example: T1499
\ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: T1059
- name: technique.name
level: extended
type: keyword
Expand All @@ -4572,16 +4572,43 @@
norms: false
default_field: false
description: "The name of technique used by this threat. You can use a MITRE\
\ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
example: Endpoint Denial of Service
\ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: Command and Scripting Interpreter
- name: technique.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of technique used by this threat. You can use\
\ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\
\ )"
example: https://attack.mitre.org/techniques/T1499/
\ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: https://attack.mitre.org/techniques/T1059/
- name: technique.subtechnique.id
level: extended
type: keyword
ignore_above: 1024
description: "The full id of subtechnique used by this threat. You can use a\
\ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: T1059.001
default_field: false
- name: technique.subtechnique.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: text
norms: false
description: "The name of subtechnique used by this threat. You can use a MITRE\
\ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: PowerShell
default_field: false
- name: technique.subtechnique.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of subtechnique used by this threat. You can\
\ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: https://attack.mitre.org/techniques/T1059/001/
default_field: false
- name: tls
title: TLS
group: 2
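Review bot: the `text` multi-field under `technique.subtechnique.name` is declared with only `norms: false`, whereas the existing `technique.name` multi-field in the context just above carries `norms: false` followed by `default_field: false`. If the omission is not deliberate, add `default_field: false` to the new multi-field as well so the `.text` field is kept out of the Beats default_field list like its parent, which already has it.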
18 changes: 11 additions & 7 deletions generated/csv/fields.csv
Expand Up @@ -534,13 +534,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id.
1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic.
1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference.
1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id.
1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name.
1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name.
1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference.
1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
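Review bot: the short description for `threat.technique.subtechnique.id` reads "Threat subtechnique id." while the long description elsewhere in this commit stresses that the value is the full id; since the CSV is what many consumers read first, consider "Threat subtechnique id (full id, e.g. T1059.001)." so the two descriptions do not diverge on the one point that matters.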