From 357ce2431baf9acbafaf670c98312b0b33bad8fd Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 31 Aug 2020 17:12:58 -0500 Subject: [PATCH] [1.x] Add threat.technique.subtechnique (#951) (#956) Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> --- CHANGELOG.next.md | 2 + code/go/ecs/threat.go | 39 +++++++---- docs/field-details.asciidoc | 78 ++++++++++++++++++---- generated/beats/fields.ecs.yml | 53 +++++++++++---- generated/csv/fields.csv | 18 +++-- generated/ecs/ecs_flat.yml | 69 +++++++++++++++---- generated/ecs/ecs_nested.yml | 69 +++++++++++++++---- generated/elasticsearch/6/template.json | 22 ++++++ generated/elasticsearch/7/template.json | 22 ++++++ schemas/threat.yml | 89 ++++++++++++++++++------- 10 files changed, 367 insertions(+), 94 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index be22c73fed..cadc21ef98 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -10,6 +10,8 @@ Thanks, you're awesome :-) --> ### Schema Changes +* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtecqhniques. #951 + #### Breaking changes #### Bugfixes diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go index a77aa888e1..0df5e08049 100644 --- a/code/go/ecs/threat.go +++ b/code/go/ecs/threat.go @@ -34,30 +34,45 @@ type Threat struct { // retrospectively tagged to events. Framework string `ecs:"framework"` + // The id of tactic used by this threat. You can use a MITRE ATT&CK® + // tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) + TacticID string `ecs:"tactic.id"` + // Name of the type of tactic used by this threat. You can use a MITRE // ATT&CK® tactic, for example. (ex. - // https://attack.mitre.org/tactics/TA0040/) + // https://attack.mitre.org/tactics/TA0002/) TacticName string `ecs:"tactic.name"` - // The id of tactic used by this threat. You can use a MITRE ATT&CK® - // tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) - TacticID string `ecs:"tactic.id"` - // The reference url of tactic used by this threat. You can use a MITRE // ATT&CK® tactic, for example. (ex. - // https://attack.mitre.org/tactics/TA0040/ ) + // https://attack.mitre.org/tactics/TA0002/ ) TacticReference string `ecs:"tactic.reference"` - // The name of technique used by this threat. You can use a MITRE ATT&CK® - // technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) - TechniqueName string `ecs:"technique.name"` - // The id of technique used by this threat. You can use a MITRE ATT&CK® - // technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) + // technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) TechniqueID string `ecs:"technique.id"` + // The name of technique used by this threat. You can use a MITRE ATT&CK® + // technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) + TechniqueName string `ecs:"technique.name"` + // The reference url of technique used by this threat. You can use a MITRE // ATT&CK® technique, for example. (ex. - // https://attack.mitre.org/techniques/T1499/ ) + // https://attack.mitre.org/techniques/T1059/) TechniqueReference string `ecs:"technique.reference"` + + // The full id of subtechnique used by this threat. You can use a MITRE + // ATT&CK® subtechnique, for example. (ex. + // https://attack.mitre.org/techniques/T1059/001/) + TechniqueSubtechniqueID string `ecs:"technique.subtechnique.id"` + + // The name of subtechnique used by this threat. You can use a MITRE + // ATT&CK® subtechnique, for example. (ex. + // https://attack.mitre.org/techniques/T1059/001/) + TechniqueSubtechniqueName string `ecs:"technique.subtechnique.name"` + + // The reference url of subtechnique used by this threat. You can use a + // MITRE ATT&CK® subtechnique, for example. (ex. + // https://attack.mitre.org/techniques/T1059/001/) + TechniqueSubtechniqueReference string `ecs:"technique.subtechnique.reference"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 3e38c16c45..b39f2c2949 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -5418,7 +5418,7 @@ example: `MITRE ATT&CK` // =============================================================== | threat.tactic.id -| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -5427,14 +5427,14 @@ Note: this field should contain an array of values. -example: `TA0040` +example: `TA0002` | extended // =============================================================== | threat.tactic.name -| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) +| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword @@ -5443,14 +5443,14 @@ Note: this field should contain an array of values. -example: `impact` +example: `Execution` | extended // =============================================================== | threat.tactic.reference -| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword @@ -5459,14 +5459,14 @@ Note: this field should contain an array of values. -example: `https://attack.mitre.org/tactics/TA0040/` +example: `https://attack.mitre.org/tactics/TA0002/` | extended // =============================================================== | threat.technique.id -| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) +| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -5475,14 +5475,14 @@ Note: this field should contain an array of values. -example: `T1499` +example: `T1059` | extended // =============================================================== | threat.technique.name -| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) +| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -5497,14 +5497,14 @@ Note: this field should contain an array of values. -example: `Endpoint Denial of Service` +example: `Command and Scripting Interpreter` | extended // =============================================================== | threat.technique.reference -| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword @@ -5513,7 +5513,61 @@ Note: this field should contain an array of values. -example: `https://attack.mitre.org/techniques/T1499/` +example: `https://attack.mitre.org/techniques/T1059/` + +| extended + +// =============================================================== + +| threat.technique.subtechnique.id +| The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `T1059.001` + +| extended + +// =============================================================== + +| threat.technique.subtechnique.name +| The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + +Multi-fields: + +* threat.technique.subtechnique.name.text (type: text) + + + + +Note: this field should contain an array of values. + + + +example: `PowerShell` + +| extended + +// =============================================================== + +| threat.technique.subtechnique.reference +| The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `https://attack.mitre.org/techniques/T1059/001/` | extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 28c195fff2..782d1fdd50 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -4538,30 +4538,30 @@ type: keyword ignore_above: 1024 description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ - \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )" - example: TA0040 + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 - name: tactic.name level: extended type: keyword ignore_above: 1024 description: "Name of the type of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)" - example: impact + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution - name: tactic.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ \ )" - example: https://attack.mitre.org/tactics/TA0040/ + example: https://attack.mitre.org/tactics/TA0002/ - name: technique.id level: extended type: keyword ignore_above: 1024 description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: T1499 + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 - name: technique.name level: extended type: keyword @@ -4572,16 +4572,43 @@ norms: false default_field: false description: "The name of technique used by this threat. You can use a MITRE\ - \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: Endpoint Denial of Service + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter - name: technique.reference level: extended type: keyword ignore_above: 1024 description: "The reference url of technique used by this threat. You can use\ - \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\ - \ )" - example: https://attack.mitre.org/techniques/T1499/ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ + - name: technique.subtechnique.id + level: extended + type: keyword + ignore_above: 1024 + description: "The full id of subtechnique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + default_field: false + - name: technique.subtechnique.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + default_field: false + - name: technique.subtechnique.reference + level: extended + type: keyword + ignore_above: 1024 + description: "The reference url of subtechnique used by this threat. You can\ + \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + default_field: false - name: tls title: TLS group: 2 diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 9487929101..593be1ee68 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -534,13 +534,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. -1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id. -1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic. -1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference. -1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id. -1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name. -1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name. -1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference. +1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. +1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name. +1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name. +1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. 1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. 1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. 1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index f8110a362b..08a1c79cb4 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -6850,8 +6850,8 @@ threat.framework: threat.tactic.id: dashed_name: threat-tactic-id description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ - \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )" - example: TA0040 + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 flat_name: threat.tactic.id ignore_above: 1024 level: extended @@ -6863,8 +6863,8 @@ threat.tactic.id: threat.tactic.name: dashed_name: threat-tactic-name description: "Name of the type of tactic used by this threat. You can use a MITRE\ - \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)" - example: impact + \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution flat_name: threat.tactic.name ignore_above: 1024 level: extended @@ -6876,9 +6876,9 @@ threat.tactic.name: threat.tactic.reference: dashed_name: threat-tactic-reference description: "The reference url of tactic used by this threat. You can use a MITRE\ - \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\ + \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ \ )" - example: https://attack.mitre.org/tactics/TA0040/ + example: https://attack.mitre.org/tactics/TA0002/ flat_name: threat.tactic.reference ignore_above: 1024 level: extended @@ -6890,8 +6890,8 @@ threat.tactic.reference: threat.technique.id: dashed_name: threat-technique-id description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: T1499 + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 flat_name: threat.technique.id ignore_above: 1024 level: extended @@ -6903,8 +6903,8 @@ threat.technique.id: threat.technique.name: dashed_name: threat-technique-name description: "The name of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: Endpoint Denial of Service + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter flat_name: threat.technique.name ignore_above: 1024 level: extended @@ -6921,9 +6921,8 @@ threat.technique.name: threat.technique.reference: dashed_name: threat-technique-reference description: "The reference url of technique used by this threat. You can use a\ - \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\ - \ )" - example: https://attack.mitre.org/techniques/T1499/ + \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ flat_name: threat.technique.reference ignore_above: 1024 level: extended @@ -6932,6 +6931,50 @@ threat.technique.reference: - array short: Threat technique URL reference. type: keyword +threat.technique.subtechnique.id: + dashed_name: threat-technique-subtechnique-id + description: "The full id of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + flat_name: threat.technique.subtechnique.id + ignore_above: 1024 + level: extended + name: technique.subtechnique.id + normalize: + - array + short: Threat subtechnique id. + type: keyword +threat.technique.subtechnique.name: + dashed_name: threat-technique-subtechnique-name + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + flat_name: threat.technique.subtechnique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.subtechnique.name.text + name: text + norms: false + type: text + name: technique.subtechnique.name + normalize: + - array + short: Threat subtechnique name. + type: keyword +threat.technique.subtechnique.reference: + dashed_name: threat-technique-subtechnique-reference + description: "The reference url of subtechnique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + flat_name: threat.technique.subtechnique.reference + ignore_above: 1024 + level: extended + name: technique.subtechnique.reference + normalize: + - array + short: Threat subtechnique URL reference. + type: keyword tls.cipher: dashed_name: tls-cipher description: String indicating the cipher used during the current connection. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 13b273fcfb..926f834242 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -8022,8 +8022,8 @@ threat: threat.tactic.id: dashed_name: threat-tactic-id description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ - \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )" - example: TA0040 + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 flat_name: threat.tactic.id ignore_above: 1024 level: extended @@ -8035,8 +8035,8 @@ threat: threat.tactic.name: dashed_name: threat-tactic-name description: "Name of the type of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)" - example: impact + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution flat_name: threat.tactic.name ignore_above: 1024 level: extended @@ -8048,9 +8048,9 @@ threat: threat.tactic.reference: dashed_name: threat-tactic-reference description: "The reference url of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ \ )" - example: https://attack.mitre.org/tactics/TA0040/ + example: https://attack.mitre.org/tactics/TA0002/ flat_name: threat.tactic.reference ignore_above: 1024 level: extended @@ -8062,8 +8062,8 @@ threat: threat.technique.id: dashed_name: threat-technique-id description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: T1499 + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 flat_name: threat.technique.id ignore_above: 1024 level: extended @@ -8075,8 +8075,8 @@ threat: threat.technique.name: dashed_name: threat-technique-name description: "The name of technique used by this threat. You can use a MITRE\ - \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" - example: Endpoint Denial of Service + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter flat_name: threat.technique.name ignore_above: 1024 level: extended @@ -8093,9 +8093,8 @@ threat: threat.technique.reference: dashed_name: threat-technique-reference description: "The reference url of technique used by this threat. You can use\ - \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\ - \ )" - example: https://attack.mitre.org/techniques/T1499/ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ flat_name: threat.technique.reference ignore_above: 1024 level: extended @@ -8104,6 +8103,50 @@ threat: - array short: Threat technique URL reference. type: keyword + threat.technique.subtechnique.id: + dashed_name: threat-technique-subtechnique-id + description: "The full id of subtechnique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + flat_name: threat.technique.subtechnique.id + ignore_above: 1024 + level: extended + name: technique.subtechnique.id + normalize: + - array + short: Threat subtechnique id. + type: keyword + threat.technique.subtechnique.name: + dashed_name: threat-technique-subtechnique-name + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + flat_name: threat.technique.subtechnique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.subtechnique.name.text + name: text + norms: false + type: text + name: technique.subtechnique.name + normalize: + - array + short: Threat subtechnique name. + type: keyword + threat.technique.subtechnique.reference: + dashed_name: threat-technique-subtechnique-reference + description: "The reference url of subtechnique used by this threat. You can\ + \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + flat_name: threat.technique.subtechnique.reference + ignore_above: 1024 + level: extended + name: technique.subtechnique.reference + normalize: + - array + short: Threat subtechnique URL reference. + type: keyword group: 2 name: threat prefix: threat. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 6f98745d9b..b16d3576ce 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -2571,6 +2571,28 @@ "reference": { "ignore_above": 1024, "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 177889f92d..08071d1b91 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -2570,6 +2570,28 @@ "reference": { "ignore_above": 1024, "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } diff --git a/schemas/threat.yml b/schemas/threat.yml index d24fa0fc75..62477b28a1 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -24,39 +24,53 @@ example: MITRE ATT&CK - - name: tactic.name + - name: tactic.id level: extended type: keyword - short: Threat tactic. + short: Threat tactic id. description: > - Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. - (ex. https://attack.mitre.org/tactics/TA0040/) + The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. + (ex. https://attack.mitre.org/tactics/TA0002/ ) - example: impact + example: TA0002 normalize: - array - - name: tactic.id + - name: tactic.name level: extended type: keyword - short: Threat tactic id. + short: Threat tactic. description: > - The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. - (ex. https://attack.mitre.org/tactics/TA0040/ ) + Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. + (ex. https://attack.mitre.org/tactics/TA0002/) - example: TA0040 + example: Execution normalize: - array + - name: tactic.reference level: extended type: keyword short: Threat tactic URL reference. description: > The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. - (ex. https://attack.mitre.org/tactics/TA0040/ ) + (ex. https://attack.mitre.org/tactics/TA0002/ ) - example: https://attack.mitre.org/tactics/TA0040/ + example: https://attack.mitre.org/tactics/TA0002/ + normalize: + - array + + + - name: technique.id + level: extended + type: keyword + short: Threat technique id. + description: > + The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. + (ex. https://attack.mitre.org/techniques/T1059/) + + example: T1059 normalize: - array @@ -69,32 +83,59 @@ short: Threat technique name. description: > The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. - (ex. https://attack.mitre.org/techniques/T1499/) + (ex. https://attack.mitre.org/techniques/T1059/) - example: Endpoint Denial of Service + example: Command and Scripting Interpreter normalize: - array - - name: technique.id + - name: technique.reference level: extended type: keyword - short: Threat technique id. + short: Threat technique URL reference. description: > - The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. - (ex. https://attack.mitre.org/techniques/T1499/) + The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. + (ex. https://attack.mitre.org/techniques/T1059/) - example: T1499 + example: https://attack.mitre.org/techniques/T1059/ normalize: - array - - name: technique.reference + - name: technique.subtechnique.id level: extended type: keyword - short: Threat technique URL reference. + short: Threat subtechnique id. description: > - The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. - (ex. https://attack.mitre.org/techniques/T1499/ ) + The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. + (ex. https://attack.mitre.org/techniques/T1059/001/) + + example: T1059.001 + normalize: + - array + + - name: technique.subtechnique.name + level: extended + type: keyword + multi_fields: + - type: text + name: text + short: Threat subtechnique name. + description: > + The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. + (ex. https://attack.mitre.org/techniques/T1059/001/) + + example: PowerShell + normalize: + - array + + - name: technique.subtechnique.reference + level: extended + type: keyword + short: Threat subtechnique URL reference. + description: > + The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. + (ex. https://attack.mitre.org/techniques/T1059/001/) - example: https://attack.mitre.org/techniques/T1499/ + example: https://attack.mitre.org/techniques/T1059/001/ normalize: - array