9 changes: 6 additions & 3 deletions rfcs/text/0018-extend-threat-group-software.md
@@ -1,8 +1,8 @@
# 0018: Extend Threat Fieldset
<!-- Leave this ID at 0000. The ECS team will assign a unique, contiguous RFC number upon merging the initial stage of this RFC. -->

- Stage: **1 (draft)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
- Date: **2021-04-06** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->
- Stage: **2 (candidate)** <!-- Update to reflect target stage. See https://elastic.github.io/ecs/stages.html -->
- Date: **2021-00-00** <!-- The ECS team sets this date at merge time. This is the date of the latest stage advancement. -->

<!--
As you work on your RFC, use the "Stage N" comments to guide you in what you should focus on, for the stage you're targeting.
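Review bot: Replacing the stage-1 date with the `2021-00-00` placeholder is consistent with the inline comment (the ECS team sets it at merge time), but the comment on the line under the title still says "Leave this ID at 0000" while the title already carries `0018`; drop that stale comment in the same change so the header does not contradict itself.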
Expand Down Expand Up @@ -31,7 +31,7 @@ Field | Type | Example | Description
--- | --- | --- | ---
threat.software.id | keyword | S0552 | The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
threat.software.name | keyword | AdFind | The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
threat.software.platforms | keyword | Windows | The platform of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platform.
threat.software.platforms | keyword | Windows | The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms.
threat.software.reference | keyword | https://attack.mitre.org/software/S0552/ | The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
threat.software.type | keyword | Tool | The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type.
threat.group.alias | keyword | FIN6, ITG08, Magecart Group 6, etc | The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
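Review bot: The rewritten `threat.software.platforms` description ends with "you can use a MITRE ATT&CK® software platforms", pairing a singular article with a plural noun; suggest "you can use MITRE ATT&CK® software platforms" (or "the MITRE ATT&CK® software platform values"). Since the switch to the plural signals that one software entry can carry several platforms, the row or the surrounding text should also say the field is expected to hold an array of values.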
Expand Down Expand Up @@ -103,6 +103,7 @@ Stage 2: Included a real world example source document. Ideally this example com
Examples are from MITRE's [enterprise matrix](https://github.com/mitre/cti/blob/master/enterprise-attack/enterprise-attack.json).

```yml
// Software Source Data
{
"external_references": [
{
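Review bot: `// Software Source Data` is not a comment in YAML (which uses `#`) and not valid JSON either, and the body it labels is JSON, so a ```yml fence with a `//` line will neither render nor validate cleanly. Suggest moving the label into a prose line above the fence and tagging the fence `json`.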
Expand All @@ -118,6 +119,7 @@ Examples are from MITRE's [enterprise matrix](https://github.com/mitre/cti/blob/
}
```
```yml
// Group Source Data
{
"name": "FIN6",
"external_references": [
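Review bot: Same problem as the software block: `// Group Source Data` inside a ```yml fence is not a valid comment in YAML or JSON. Put the label in prose above the fence and tag the fence `json`.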
Expand Down Expand Up @@ -203,6 +205,7 @@ e.g.:

* Stage 0: https://github.com/elastic/ecs/pull/1300
* Stage 1: https://github.com/elastic/ecs/pull/1335
* Stage 2: https://github.com/elastic/ecs/pull/1395

<!--
* Stage 1: https://github.com/elastic/ecs/pull/NNN
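Review bot: The added Stage 2 link is fine, but the commented template directly below still lists `Stage 1: https://github.com/elastic/ecs/pull/NNN` even though stages 0 through 2 now have real links; trim the commented block to the stages that remain so the template does not repeat entries already filled in above.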
9 changes: 4 additions & 5 deletions rfcs/text/0018/threat.yml
Expand Up @@ -24,11 +24,11 @@
- name: software.platforms
level: extended
type: keyword
short: Platform of the software.
short: platforms of the software.
description: >
The platform of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platform.
The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms.

Expected values
Recommended Values:
* AWS
* Azure
* Azure AD
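Review bot: The new `short` value "platforms of the software." starts in lowercase, unlike the `Platform of the software.` it replaces and the other short descriptions in this file; capitalize it. The description repeats the "a MITRE ATT&CK® software platforms" article mismatch from the RFC table (suggest "MITRE ATT&CK® software platforms"), and the heading "Recommended Values:" uses a capital V and a trailing colon while the same heading in the `software.type` field later in this file is "Recommended values" with neither; pick one form for both.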
Expand All @@ -37,7 +37,6 @@
* macOS
* Network
* Office 365
* PRE
* SaaS
* Windows

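Review bot: Removing `PRE` from the recommended platform values is not explained anywhere in the visible change; if this list is meant to mirror the MITRE ATT&CK® platform list, state in the RFC text (or the commit message) why PRE is dropped so reviewers can check the reasoning rather than infer it.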
Expand All @@ -59,7 +58,7 @@
description: >
The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type.

Expected values
Recommended values
* Malware
* Tool

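Review bot: "Recommended values" here and "Recommended Values:" in the `software.platforms` field above are two spellings of the same heading; use one form (spelling, capitalization and punctuation) in both fields so generated docs stay consistent.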