diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index ad713b3658..85038f1cf8 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -4925,6 +4925,589 @@ can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. example: MITRE ATT&CK + - name: indicator.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: indicator.as.organization.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC + default_field: false + - name: indicator.confidence + level: extended + type: keyword + ignore_above: 1024 + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + default_field: false + - name: indicator.dataset + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the name of specific dataset from the intelligence source. + example: threatintel.abusemalware + default_field: false + - name: indicator.description + level: extended + type: wildcard + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + default_field: false + - name: indicator.domain + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com + default_field: false + - name: indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: indicator.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + default_field: false + - name: indicator.file.attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: indicator.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: indicator.file.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: indicator.file.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: indicator.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: indicator.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: indicator.file.created + level: extended + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' + default_field: false + - name: indicator.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + default_field: false + - name: indicator.file.device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. + example: sda + default_field: false + - name: indicator.file.directory + level: extended + type: wildcard + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: indicator.file.drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + default_field: false + - name: indicator.file.extension + level: extended + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + default_field: false + - name: indicator.file.gid + level: extended + type: keyword + ignore_above: 1024 + description: Primary group ID (GID) of the file. + example: '1001' + default_field: false + - name: indicator.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. + example: alice + default_field: false + - name: indicator.file.inode + level: extended + type: keyword + ignore_above: 1024 + description: Inode representing the file in the filesystem. + example: '256383' + default_field: false + - name: indicator.file.mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + default_field: false + - name: indicator.file.mode + level: extended + type: keyword + ignore_above: 1024 + description: Mode of the file in octal representation. + example: '0640' + default_field: false + - name: indicator.file.mtime + level: extended + type: date + description: Last time the file content was modified. + default_field: false + - name: indicator.file.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the file including the extension, without the directory. + example: example.png + default_field: false + - name: indicator.file.owner + level: extended + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice + default_field: false + - name: indicator.file.path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + default_field: false + - name: indicator.file.size + level: extended + type: long + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + default_field: false + - name: indicator.file.target_path + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. + default_field: false + - name: indicator.file.type + level: extended + type: keyword + ignore_above: 1024 + description: File type (file, dir, or symlink). + example: file + default_field: false + - name: indicator.file.uid + level: extended + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + default_field: false + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.geo.city_name + level: core + type: keyword + ignore_above: 1024 + description: City name. + example: Montreal + default_field: false + - name: indicator.geo.continent_code + level: core + type: keyword + ignore_above: 1024 + description: Two-letter code representing continent's name. + example: NA + default_field: false + - name: indicator.geo.continent_name + level: core + type: keyword + ignore_above: 1024 + description: Name of the continent. + example: North America + default_field: false + - name: indicator.geo.country_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Country ISO code. + example: CA + default_field: false + - name: indicator.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada + default_field: false + - name: indicator.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + default_field: false + - name: indicator.geo.name + level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: indicator.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: indicator.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: indicator.geo.region_name + level: core + type: keyword + ignore_above: 1024 + description: Region name. + example: Quebec + default_field: false + - name: indicator.geo.timezone + level: core + type: keyword + ignore_above: 1024 + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + default_field: false + - name: indicator.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: indicator.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: indicator.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: indicator.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: indicator.hash.ssdeep + level: extended + type: keyword + ignore_above: 1024 + description: SSDEEP hash. + default_field: false + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ + \ * White\n * Green\n * Amber\n * Red" + example: White + default_field: false + - name: indicator.matched.atomic + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the atomic indicator that matched a local environment + endpoint or network event. + example: example.com + default_field: false + - name: indicator.matched.field + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + default_field: false + - name: indicator.matched.type + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the type of the atomic indicator that matched a local + environment endpoint or network event. + example: domain-name + default_field: false + - name: indicator.module + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the name of specific module this data is coming from. + example: threatintel + default_field: false + - name: indicator.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: indicator.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: indicator.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: indicator.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: indicator.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: indicator.pe.original_file_name + level: extended + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: indicator.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.provider + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the name of the intelligence provider. + example: VirusTotal + default_field: false + - name: indicator.registry.data.bytes + level: extended + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + default_field: false + - name: indicator.registry.data.strings + level: core + type: wildcard + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + default_field: false + - name: indicator.registry.data.type + level: core + type: keyword + ignore_above: 1024 + description: Standard registry type for encoding contents + example: REG_SZ + default_field: false + - name: indicator.registry.hive + level: core + type: keyword + ignore_above: 1024 + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: indicator.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: indicator.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + default_field: false + - name: indicator.registry.value + level: core + type: keyword + ignore_above: 1024 + description: Name of the value written. + example: Debugger + default_field: false + - name: indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 + default_field: false + - name: indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n *\ + \ mutex\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x-509-certificate" + example: ipv4-addr + default_field: false - name: tactic.id level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 6c9e5db81c..e54c814afa 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -574,6 +574,85 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. 2.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +2.0.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating +2.0.0-dev+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset +2.0.0-dev+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +2.0.0-dev+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name +2.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +2.0.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +2.0.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +2.0.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +2.0.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +2.0.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +2.0.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +2.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +2.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +2.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +2.0.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +2.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +2.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +2.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +2.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +2.0.0-dev+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +2.0.0-dev+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +2.0.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +2.0.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +2.0.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. +2.0.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +2.0.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +2.0.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash. +2.0.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. +2.0.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +2.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +2.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking +2.0.0-dev+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match +2.0.0-dev+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match +2.0.0-dev+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match +2.0.0-dev+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module +2.0.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port +2.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider. +2.0.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +2.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator 2.0.0-dev+exp,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. 2.0.0-dev+exp,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. 2.0.0-dev+exp,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 54583bb5ad..3d18d0f8d6 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -7371,6 +7371,955 @@ threat.framework: normalize: [] short: Threat classification framework. type: keyword +threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard +threat.indicator.confidence: + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nExpected values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword +threat.indicator.dataset: + dashed_name: threat-indicator-dataset + description: Identifies the name of specific dataset from the intelligence source. + example: threatintel.abusemalware + flat_name: threat.indicator.dataset + ignore_above: 1024 + level: extended + name: indicator.dataset + normalize: [] + short: Indicator dataset + type: keyword +threat.indicator.description: + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: wildcard +threat.indicator.domain: + dashed_name: threat-indicator-domain + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com + flat_name: threat.indicator.domain + ignore_above: 1024 + level: extended + name: indicator.domain + normalize: [] + short: Indicator domain name + type: keyword +threat.indicator.email.address: + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean +threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword +threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard +threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword +threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword +threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword +threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword +threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword +threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date +threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword +threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword +threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard +threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long +threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard +threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword +threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword +threat.indicator.first_seen: + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword +threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword +threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword +threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword +threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword +threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard +threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword +threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword +threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword +threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword +threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword +threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword +threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword +threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword +threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword +threat.indicator.ip: + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.indicator.last_seen: + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nExpected values are:\n \ + \ * White\n * Green\n * Amber\n * Red" + example: White + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword +threat.indicator.matched.atomic: + dashed_name: threat-indicator-matched-atomic + description: Identifies the atomic indicator that matched a local environment endpoint + or network event. + example: example.com + flat_name: threat.indicator.matched.atomic + ignore_above: 1024 + level: extended + name: indicator.matched.atomic + normalize: [] + short: Indicator atomic match + type: keyword +threat.indicator.matched.field: + dashed_name: threat-indicator-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.indicator.matched.field + ignore_above: 1024 + level: extended + name: indicator.matched.field + normalize: [] + short: Indicator field match + type: keyword +threat.indicator.matched.type: + dashed_name: threat-indicator-matched-type + description: Identifies the type of the atomic indicator that matched a local environment + endpoint or network event. + example: domain-name + flat_name: threat.indicator.matched.type + ignore_above: 1024 + level: extended + name: indicator.matched.type + normalize: [] + short: Indicator type match + type: keyword +threat.indicator.module: + dashed_name: threat-indicator-module + description: Identifies the name of specific module this data is coming from. + example: threatintel + flat_name: threat.indicator.module + ignore_above: 1024 + level: extended + name: indicator.module + normalize: [] + short: Indicator module + type: keyword +threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword +threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword +threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword +threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword +threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword +threat.indicator.port: + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). + example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long +threat.indicator.provider: + dashed_name: threat-indicator-provider + description: Identifies the name of the intelligence provider. + example: VirusTotal + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Identifies the name of the intelligence provider. + type: keyword +threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword +threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. + For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard +threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword +threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword +threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard +threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword +threat.indicator.scanner_stats: + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long +threat.indicator.sightings: + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.indicator.type: + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ + \ * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x-509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword threat.tactic.id: dashed_name: threat-tactic-id description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index a0bb8d6a76..e4c4e996b9 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -149,6 +149,9 @@ as: - as: as at: source full: source.as + - as: as + at: threat.indicator + full: threat.indicator.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). title: Autonomous System @@ -3767,6 +3770,12 @@ file: - file.pe - file.x509 prefix: file. + reusable: + expected: + - as: file + at: threat.indicator + full: threat.indicator.file + top_level: true reused_here: - full: file.code_signature schema_name: code_signature @@ -3941,6 +3950,9 @@ geo: - as: geo at: source full: source.geo + - as: geo + at: threat.indicator + full: threat.indicator.geo top_level: false short: Fields describing a location. title: Geo @@ -4069,6 +4081,9 @@ hash: - as: hash at: dll full: dll.hash + - as: hash + at: threat.indicator + full: threat.indicator.hash top_level: false short: Hashes, usually file hashes. title: Hash @@ -6326,6 +6341,9 @@ pe: - as: pe at: process full: process.pe + - as: pe + at: threat.indicator + full: threat.indicator.pe top_level: false short: These fields contain Windows Portable Executable (PE) metadata. title: PE Header @@ -7327,6 +7345,12 @@ registry: group: 2 name: registry prefix: registry. + reusable: + expected: + - as: registry + at: threat.indicator + full: threat.indicator.registry + top_level: true short: Fields related to Windows Registry operations. title: Registry type: group @@ -8652,137 +8676,1114 @@ threat: normalize: [] short: Threat classification framework. type: keyword - threat.tactic.id: - dashed_name: threat-tactic-id - description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ - \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" - example: TA0002 - flat_name: threat.tactic.id + threat.indicator.as.number: + dashed_name: threat-indicator-as-number + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.indicator.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long + threat.indicator.as.organization.name: + dashed_name: threat-indicator-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.indicator.as.organization.name + level: extended + multi_fields: + - flat_name: threat.indicator.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard + threat.indicator.confidence: + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: tactic.id - normalize: - - array - short: Threat tactic id. + name: indicator.confidence + normalize: [] + short: Indicator confidence rating type: keyword - threat.tactic.name: - dashed_name: threat-tactic-name - description: "Name of the type of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" - example: Execution - flat_name: threat.tactic.name + threat.indicator.dataset: + dashed_name: threat-indicator-dataset + description: Identifies the name of specific dataset from the intelligence source. + example: threatintel.abusemalware + flat_name: threat.indicator.dataset ignore_above: 1024 level: extended - name: tactic.name - normalize: - - array - short: Threat tactic. + name: indicator.dataset + normalize: [] + short: Indicator dataset type: keyword - threat.tactic.reference: - dashed_name: threat-tactic-reference - description: "The reference url of tactic used by this threat. You can use a\ - \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ - \ )" - example: https://attack.mitre.org/tactics/TA0002/ - flat_name: threat.tactic.reference + threat.indicator.description: + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: wildcard + threat.indicator.domain: + dashed_name: threat-indicator-domain + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com + flat_name: threat.indicator.domain ignore_above: 1024 level: extended - name: tactic.reference - normalize: - - array - short: Threat tactic URL reference. + name: indicator.domain + normalize: [] + short: Indicator domain name type: keyword - threat.technique.id: - dashed_name: threat-technique-id - description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ - \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" - example: T1059 - flat_name: threat.technique.id + threat.indicator.email.address: + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: technique.id - normalize: - - array - short: Threat technique id. + name: indicator.email.address + normalize: [] + short: Indicator email address type: keyword - threat.technique.name: - dashed_name: threat-technique-name - description: "The name of technique used by this threat. You can use a MITRE\ - \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" - example: Command and Scripting Interpreter - flat_name: threat.technique.name + threat.indicator.file.accessed: + dashed_name: threat-indicator-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.indicator.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.indicator.file.attributes: + dashed_name: threat-indicator-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.indicator.file.attributes ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.technique.name.text - name: text - norms: false - type: text - name: technique.name + name: attributes normalize: - array - short: Threat technique name. + original_fieldset: file + short: Array of file attributes. type: keyword - threat.technique.reference: - dashed_name: threat-technique-reference - description: "The reference url of technique used by this threat. You can use\ - \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" - example: https://attack.mitre.org/techniques/T1059/ - flat_name: threat.technique.reference + threat.indicator.file.code_signature.exists: + dashed_name: threat-indicator-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.indicator.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.indicator.file.code_signature.status: + dashed_name: threat-indicator-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.indicator.file.code_signature.status ignore_above: 1024 level: extended - name: technique.reference - normalize: - - array - short: Threat technique URL reference. + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. type: keyword - threat.technique.subtechnique.id: - dashed_name: threat-technique-subtechnique-id - description: "The full id of subtechnique used by this threat. You can use a\ - \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" - example: T1059.001 - flat_name: threat.technique.subtechnique.id + threat.indicator.file.code_signature.subject_name: + dashed_name: threat-indicator-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.indicator.file.code_signature.subject_name ignore_above: 1024 - level: extended - name: technique.subtechnique.id - normalize: - - array - short: Threat subtechnique id. + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer type: keyword - threat.technique.subtechnique.name: - dashed_name: threat-technique-subtechnique-name - description: "The name of subtechnique used by this threat. You can use a MITRE\ - \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" - example: PowerShell - flat_name: threat.technique.subtechnique.name + threat.indicator.file.code_signature.trusted: + dashed_name: threat-indicator-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.indicator.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.indicator.file.code_signature.valid: + dashed_name: threat-indicator-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.indicator.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.indicator.file.created: + dashed_name: threat-indicator-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.indicator.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date + threat.indicator.file.ctime: + dashed_name: threat-indicator-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.indicator.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.indicator.file.device: + dashed_name: threat-indicator-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.indicator.file.device ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.technique.subtechnique.name.text - name: text - norms: false - type: text - name: technique.subtechnique.name - normalize: - - array - short: Threat subtechnique name. + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. type: keyword - threat.technique.subtechnique.reference: - dashed_name: threat-technique-subtechnique-reference - description: "The reference url of subtechnique used by this threat. You can\ - \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" - example: https://attack.mitre.org/techniques/T1059/001/ - flat_name: threat.technique.subtechnique.reference + threat.indicator.file.directory: + dashed_name: threat-indicator-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.indicator.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard + threat.indicator.file.drive_letter: + dashed_name: threat-indicator-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.indicator.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.indicator.file.extension: + dashed_name: threat-indicator-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.indicator.file.extension ignore_above: 1024 level: extended - name: technique.subtechnique.reference - normalize: - - array - short: Threat subtechnique URL reference. + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. type: keyword - group: 2 - name: threat - prefix: threat. + threat.indicator.file.gid: + dashed_name: threat-indicator-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.indicator.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.indicator.file.group: + dashed_name: threat-indicator-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.indicator.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword + threat.indicator.file.inode: + dashed_name: threat-indicator-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.indicator.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword + threat.indicator.file.mime_type: + dashed_name: threat-indicator-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.indicator.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword + threat.indicator.file.mode: + dashed_name: threat-indicator-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.indicator.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.indicator.file.mtime: + dashed_name: threat-indicator-file-mtime + description: Last time the file content was modified. + flat_name: threat.indicator.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date + threat.indicator.file.name: + dashed_name: threat-indicator-file-name + description: Name of the file including the extension, without the directory. + example: example.png + flat_name: threat.indicator.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword + threat.indicator.file.owner: + dashed_name: threat-indicator-file-owner + description: File owner's username. + example: alice + flat_name: threat.indicator.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword + threat.indicator.file.path: + dashed_name: threat-indicator-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.indicator.file.path + level: extended + multi_fields: + - flat_name: threat.indicator.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard + threat.indicator.file.size: + dashed_name: threat-indicator-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.indicator.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long + threat.indicator.file.target_path: + dashed_name: threat-indicator-file-target-path + description: Target path for symlinks. + flat_name: threat.indicator.file.target_path + level: extended + multi_fields: + - flat_name: threat.indicator.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard + threat.indicator.file.type: + dashed_name: threat-indicator-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.indicator.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword + threat.indicator.file.uid: + dashed_name: threat-indicator-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.indicator.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.indicator.first_seen: + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.indicator.geo.city_name: + dashed_name: threat-indicator-geo-city-name + description: City name. + example: Montreal + flat_name: threat.indicator.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + threat.indicator.geo.continent_code: + dashed_name: threat-indicator-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.indicator.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + threat.indicator.geo.continent_name: + dashed_name: threat-indicator-geo-continent-name + description: Name of the continent. + example: North America + flat_name: threat.indicator.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.indicator.geo.country_iso_code: + dashed_name: threat-indicator-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.indicator.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.indicator.geo.country_name: + dashed_name: threat-indicator-geo-country-name + description: Country name. + example: Canada + flat_name: threat.indicator.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.indicator.geo.location: + dashed_name: threat-indicator-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.indicator.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.indicator.geo.name: + dashed_name: threat-indicator-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.indicator.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + threat.indicator.geo.postal_code: + dashed_name: threat-indicator-geo-postal-code + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.indicator.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.indicator.geo.region_iso_code: + dashed_name: threat-indicator-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.indicator.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.indicator.geo.region_name: + dashed_name: threat-indicator-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.indicator.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + threat.indicator.geo.timezone: + dashed_name: threat-indicator-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.indicator.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + threat.indicator.hash.md5: + dashed_name: threat-indicator-hash-md5 + description: MD5 hash. + flat_name: threat.indicator.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.indicator.hash.sha1: + dashed_name: threat-indicator-hash-sha1 + description: SHA1 hash. + flat_name: threat.indicator.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. + type: keyword + threat.indicator.hash.sha256: + dashed_name: threat-indicator-hash-sha256 + description: SHA256 hash. + flat_name: threat.indicator.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + threat.indicator.hash.sha512: + dashed_name: threat-indicator-hash-sha512 + description: SHA512 hash. + flat_name: threat.indicator.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.indicator.hash.ssdeep: + dashed_name: threat-indicator-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.indicator.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + threat.indicator.ip: + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ + \ * White\n * Green\n * Amber\n * Red" + example: White + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.indicator.matched.atomic: + dashed_name: threat-indicator-matched-atomic + description: Identifies the atomic indicator that matched a local environment + endpoint or network event. + example: example.com + flat_name: threat.indicator.matched.atomic + ignore_above: 1024 + level: extended + name: indicator.matched.atomic + normalize: [] + short: Indicator atomic match + type: keyword + threat.indicator.matched.field: + dashed_name: threat-indicator-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.indicator.matched.field + ignore_above: 1024 + level: extended + name: indicator.matched.field + normalize: [] + short: Indicator field match + type: keyword + threat.indicator.matched.type: + dashed_name: threat-indicator-matched-type + description: Identifies the type of the atomic indicator that matched a local + environment endpoint or network event. + example: domain-name + flat_name: threat.indicator.matched.type + ignore_above: 1024 + level: extended + name: indicator.matched.type + normalize: [] + short: Indicator type match + type: keyword + threat.indicator.module: + dashed_name: threat-indicator-module + description: Identifies the name of specific module this data is coming from. + example: threatintel + flat_name: threat.indicator.module + ignore_above: 1024 + level: extended + name: indicator.module + normalize: [] + short: Indicator module + type: keyword + threat.indicator.pe.architecture: + dashed_name: threat-indicator-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.indicator.pe.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.indicator.pe.company: + dashed_name: threat-indicator-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.indicator.pe.company + ignore_above: 1024 + level: extended + name: company + normalize: [] + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword + threat.indicator.pe.description: + dashed_name: threat-indicator-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.indicator.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.indicator.pe.file_version: + dashed_name: threat-indicator-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.indicator.pe.file_version + ignore_above: 1024 + level: extended + name: file_version + normalize: [] + original_fieldset: pe + short: Process name. + type: keyword + threat.indicator.pe.imphash: + dashed_name: threat-indicator-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.indicator.pe.imphash + ignore_above: 1024 + level: extended + name: imphash + normalize: [] + original_fieldset: pe + short: A hash of the imports in a PE file. + type: keyword + threat.indicator.pe.original_file_name: + dashed_name: threat-indicator-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.indicator.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.indicator.pe.product: + dashed_name: threat-indicator-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.indicator.pe.product + ignore_above: 1024 + level: extended + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + threat.indicator.port: + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.provider: + dashed_name: threat-indicator-provider + description: Identifies the name of the intelligence provider. + example: VirusTotal + flat_name: threat.indicator.provider + ignore_above: 1024 + level: extended + name: indicator.provider + normalize: [] + short: Identifies the name of the intelligence provider. + type: keyword + threat.indicator.registry.data.bytes: + dashed_name: threat-indicator-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.indicator.registry.data.bytes + ignore_above: 1024 + level: extended + name: data.bytes + normalize: [] + original_fieldset: registry + short: Original bytes written with base64 encoding. + type: keyword + threat.indicator.registry.data.strings: + dashed_name: threat-indicator-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.indicator.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.indicator.registry.data.type: + dashed_name: threat-indicator-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.indicator.registry.data.type + ignore_above: 1024 + level: core + name: data.type + normalize: [] + original_fieldset: registry + short: Standard registry type for encoding contents + type: keyword + threat.indicator.registry.hive: + dashed_name: threat-indicator-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.indicator.registry.hive + ignore_above: 1024 + level: core + name: hive + normalize: [] + original_fieldset: registry + short: Abbreviated name for the hive. + type: keyword + threat.indicator.registry.key: + dashed_name: threat-indicator-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.indicator.registry.key + level: core + name: key + normalize: [] + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard + threat.indicator.registry.path: + dashed_name: threat-indicator-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.indicator.registry.path + level: core + name: path + normalize: [] + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.indicator.registry.value: + dashed_name: threat-indicator-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.indicator.registry.value + ignore_above: 1024 + level: core + name: value + normalize: [] + original_fieldset: registry + short: Name of the value written. + type: keyword + threat.indicator.scanner_stats: + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.indicator.sightings: + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n *\ + \ mutex\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x-509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword + threat.tactic.id: + dashed_name: threat-tactic-id + description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )" + example: TA0002 + flat_name: threat.tactic.id + ignore_above: 1024 + level: extended + name: tactic.id + normalize: + - array + short: Threat tactic id. + type: keyword + threat.tactic.name: + dashed_name: threat-tactic-name + description: "Name of the type of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)" + example: Execution + flat_name: threat.tactic.name + ignore_above: 1024 + level: extended + name: tactic.name + normalize: + - array + short: Threat tactic. + type: keyword + threat.tactic.reference: + dashed_name: threat-tactic-reference + description: "The reference url of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\ + \ )" + example: https://attack.mitre.org/tactics/TA0002/ + flat_name: threat.tactic.reference + ignore_above: 1024 + level: extended + name: tactic.reference + normalize: + - array + short: Threat tactic URL reference. + type: keyword + threat.technique.id: + dashed_name: threat-technique-id + description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: T1059 + flat_name: threat.technique.id + ignore_above: 1024 + level: extended + name: technique.id + normalize: + - array + short: Threat technique id. + type: keyword + threat.technique.name: + dashed_name: threat-technique-name + description: "The name of technique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: Command and Scripting Interpreter + flat_name: threat.technique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.name.text + name: text + norms: false + type: text + name: technique.name + normalize: + - array + short: Threat technique name. + type: keyword + threat.technique.reference: + dashed_name: threat-technique-reference + description: "The reference url of technique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)" + example: https://attack.mitre.org/techniques/T1059/ + flat_name: threat.technique.reference + ignore_above: 1024 + level: extended + name: technique.reference + normalize: + - array + short: Threat technique URL reference. + type: keyword + threat.technique.subtechnique.id: + dashed_name: threat-technique-subtechnique-id + description: "The full id of subtechnique used by this threat. You can use a\ + \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: T1059.001 + flat_name: threat.technique.subtechnique.id + ignore_above: 1024 + level: extended + name: technique.subtechnique.id + normalize: + - array + short: Threat subtechnique id. + type: keyword + threat.technique.subtechnique.name: + dashed_name: threat-technique-subtechnique-name + description: "The name of subtechnique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: PowerShell + flat_name: threat.technique.subtechnique.name + ignore_above: 1024 + level: extended + multi_fields: + - flat_name: threat.technique.subtechnique.name.text + name: text + norms: false + type: text + name: technique.subtechnique.name + normalize: + - array + short: Threat subtechnique name. + type: keyword + threat.technique.subtechnique.reference: + dashed_name: threat-technique-subtechnique-reference + description: "The reference url of subtechnique used by this threat. You can\ + \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)" + example: https://attack.mitre.org/techniques/T1059/001/ + flat_name: threat.technique.subtechnique.reference + ignore_above: 1024 + level: extended + name: technique.subtechnique.reference + normalize: + - array + short: Threat subtechnique URL reference. + type: keyword + group: 2 + name: threat + nestings: + - threat.indicator.as + - threat.indicator.file + - threat.indicator.geo + - threat.indicator.hash + - threat.indicator.pe + - threat.indicator.registry + prefix: threat. + reused_here: + - full: threat.indicator.as + schema_name: as + short: Fields describing an Autonomous System (Internet routing prefix). + - full: threat.indicator.file + schema_name: file + short: Fields describing files. + - full: threat.indicator.geo + schema_name: geo + short: Fields describing a location. + - full: threat.indicator.hash + schema_name: hash + short: Hashes, usually file hashes. + - full: threat.indicator.pe + schema_name: pe + short: These fields contain Windows Portable Executable (PE) metadata. + - full: threat.indicator.registry + schema_name: registry + short: Fields related to Windows Registry operations. short: Fields to classify events and alerts according to a threat taxonomy. title: Threat type: group diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 0eabce58f9..c8eaed99f8 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -2647,6 +2647,354 @@ "ignore_above": 1024, "type": "keyword" }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "tactic": { "properties": { "id": { diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index 9d7cd6d7fe..7bd22127dc 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json @@ -12,6 +12,354 @@ "ignore_above": 1024, "type": "keyword" }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "type": "wildcard" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "wildcard" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "type": "wildcard" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "type": "wildcard" + }, + "path": { + "type": "wildcard" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "tactic": { "properties": { "id": {