Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add threat.technique.subtechnique #951

Merged
merged 5 commits into from
Aug 26, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.next.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@ Thanks, you're awesome :-) -->

### Schema Changes

* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtecqhniques. #951

#### Breaking changes

#### Bugfixes
Expand Down
39 changes: 27 additions & 12 deletions code/go/ecs/threat.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

78 changes: 66 additions & 12 deletions docs/field-details.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -5418,7 +5418,7 @@ example: `MITRE ATT&CK`
// ===============================================================

| threat.tactic.id
| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

Expand All @@ -5427,14 +5427,14 @@ Note: this field should contain an array of values.



example: `TA0040`
example: `TA0002`

| extended

// ===============================================================

| threat.tactic.name
| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)
| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)

type: keyword

Expand All @@ -5443,14 +5443,14 @@ Note: this field should contain an array of values.



example: `impact`
example: `Execution`

| extended

// ===============================================================

| threat.tactic.reference
| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

Expand All @@ -5459,14 +5459,14 @@ Note: this field should contain an array of values.



example: `https://attack.mitre.org/tactics/TA0040/`
example: `https://attack.mitre.org/tactics/TA0002/`

| extended

// ===============================================================

| threat.technique.id
| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Expand All @@ -5475,14 +5475,14 @@ Note: this field should contain an array of values.



example: `T1499`
example: `T1059`

| extended

// ===============================================================

| threat.technique.name
| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Expand All @@ -5497,14 +5497,14 @@ Note: this field should contain an array of values.



example: `Endpoint Denial of Service`
example: `Command and Scripting Interpreter`

| extended

// ===============================================================

| threat.technique.reference
| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Expand All @@ -5513,7 +5513,61 @@ Note: this field should contain an array of values.



example: `https://attack.mitre.org/techniques/T1499/`
example: `https://attack.mitre.org/techniques/T1059/`

| extended

// ===============================================================

| threat.technique.subtechnique.id
| The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword


Note: this field should contain an array of values.



example: `T1059.001`

| extended

// ===============================================================

| threat.technique.subtechnique.name
| The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

Multi-fields:

* threat.technique.subtechnique.name.text (type: text)




Note: this field should contain an array of values.



example: `PowerShell`

| extended

// ===============================================================

| threat.technique.subtechnique.reference
| The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword


Note: this field should contain an array of values.



example: `https://attack.mitre.org/techniques/T1059/001/`

| extended

Expand Down
53 changes: 40 additions & 13 deletions generated/beats/fields.ecs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4538,30 +4538,30 @@
type: keyword
ignore_above: 1024
description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
\ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )"
example: TA0040
\ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
example: TA0002
- name: tactic.name
level: extended
type: keyword
ignore_above: 1024
description: "Name of the type of tactic used by this threat. You can use a\
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)"
example: impact
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
example: Execution
- name: tactic.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of tactic used by this threat. You can use a\
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\
\ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
\ )"
example: https://attack.mitre.org/tactics/TA0040/
example: https://attack.mitre.org/tactics/TA0002/
- name: technique.id
level: extended
type: keyword
ignore_above: 1024
description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
\ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
example: T1499
\ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: T1059
- name: technique.name
level: extended
type: keyword
Expand All @@ -4572,16 +4572,43 @@
norms: false
default_field: false
description: "The name of technique used by this threat. You can use a MITRE\
\ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
example: Endpoint Denial of Service
\ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: Command and Scripting Interpreter
- name: technique.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of technique used by this threat. You can use\
\ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\
\ )"
example: https://attack.mitre.org/techniques/T1499/
\ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
example: https://attack.mitre.org/techniques/T1059/
- name: technique.subtechnique.id
level: extended
type: keyword
ignore_above: 1024
description: "The full id of subtechnique used by this threat. You can use a\
\ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: T1059.001
default_field: false
- name: technique.subtechnique.name
level: extended
type: keyword
ignore_above: 1024
multi_fields:
- name: text
type: text
norms: false
description: "The name of subtechnique used by this threat. You can use a MITRE\
\ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: PowerShell
default_field: false
- name: technique.subtechnique.reference
level: extended
type: keyword
ignore_above: 1024
description: "The reference url of subtechnique used by this threat. You can\
\ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
example: https://attack.mitre.org/techniques/T1059/001/
default_field: false
- name: tls
title: TLS
group: 2
Expand Down
18 changes: 11 additions & 7 deletions generated/csv/fields.csv
Original file line number Diff line number Diff line change
Expand Up @@ -534,13 +534,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
2.0.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
2.0.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
2.0.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
2.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id.
2.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic.
2.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference.
2.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id.
2.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name.
2.0.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name.
2.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference.
2.0.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
2.0.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
2.0.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
2.0.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
2.0.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
2.0.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
2.0.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
2.0.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
2.0.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
2.0.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
2.0.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
2.0.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
2.0.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
2.0.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client.
Expand Down
Loading