diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 1cdd94d0ae..113b16e8e6 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -24,7 +24,8 @@ Thanks, you're awesome :-) --> * `elf.*` field set added as beta. #1410 * Remove `beta` from `orchestrator` field set. #1417 * Extend `threat.*` field set beta. #1438 -* Added `event.agent_id_status` field. #1454 +* Added `event.agent_id_status` field. #1454 +* `threat.enrichments` added to the experimental schema. #1457 #### Improvements diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 44df213ac8..6585d231df 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
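Review bot: the `* Added \`event.agent_id_status\` field. #1454` entry is removed and re-added with identical visible text, which normally means a trailing-whitespace or line-ending change on that line rather than a content change; drop that churn so the CHANGELOG hunk only adds `* \`threat.enrichments\` added to the experimental schema. #1457`. The new entry is placed in the same list as the other `threat.*` items, which is the right section for it.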
@@ -6813,1018 +6813,1708 @@ \ \"endpoint denial of service\")." type: group fields: - - name: framework + - name: enrichments + level: extended + type: nested + description: A list of associated indicators enriching the event, and the context + of that association/enrichment. + default_field: false + - name: enrichments.as.number + level: extended + type: long + description: Unique number allocated to the autonomous system. The autonomous + system number (ASN) uniquely identifies each network on the Internet. + example: 15169 + default_field: false + - name: enrichments.as.organization.name + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Organization name. + example: Google LLC + default_field: false + - name: enrichments.event.action + level: core + type: keyword + ignore_above: 1024 + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + default_field: false + - name: enrichments.event.agent_id_status + level: extended + type: keyword + ignore_above: 1024 + description: 'Agents are normally responsible for populating the `agent.id` + field value. If the system receiving events is capable of validating the value + based on authentication information for the client then this field can be + used to reflect the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the + client cert contains the ID of the agent to which the cert was issued then + the `agent.id` value in events can be checked against the certificate. If + the values match then `event.agent_id_status: verified` is added to the event, + otherwise one of the other allowed values should be used. + + If no validation is performed then the field should be omitted. 
+ + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from + auth metadata. + + `mismatch` - The `agent.id` field value does not match the expected value + obtained from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + default_field: false + - name: enrichments.event.category + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + default_field: false + - name: enrichments.event.code + level: extended + type: keyword + ignore_above: 1024 + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is + the Windows Event ID.' + example: 4648 + default_field: false + - name: enrichments.event.created + level: core + type: date + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. 
The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + default_field: false + - name: enrichments.event.dataset + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + default_field: false + - name: enrichments.event.duration + level: core + type: long + format: duration + input_format: nanoseconds + output_format: asMilliseconds + output_precision: 1 + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference + between the end and start time.' + default_field: false + - name: enrichments.event.end + level: extended + type: date + description: event.end contains the date when the event ended or when the activity + was last observed. + default_field: false + - name: enrichments.event.hash + level: extended + type: keyword + ignore_above: 1024 + description: Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. + example: 123456789012345678901234567890ABCD + default_field: false + - name: enrichments.event.id + level: core + type: keyword + ignore_above: 1024 + description: Unique ID to describe the event. + example: 8a4f500d + default_field: false + - name: enrichments.event.ingested + level: core + type: date + description: 'Timestamp when an event arrived in the central data store. 
+ + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + default_field: false + - name: enrichments.event.kind + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + default_field: false + - name: enrichments.event.module + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + default_field: false + - name: enrichments.event.original + level: core + type: keyword + ignore_above: 1024 + description: 'Raw text message of entire event. Used to demonstrate log integrity. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' 
+ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + index: false + default_field: false + - name: enrichments.event.outcome + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + default_field: false + - name: enrichments.event.provider + level: extended + type: keyword + ignore_above: 1024 + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + default_field: false + - name: enrichments.event.reason + level: extended + type: keyword + ignore_above: 1024 + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. 
+ Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` + which denied the request may also populate `event.reason` with the reason + why (e.g. `blocked site`).' + example: Terminated an unexpected process + default_field: false + - name: enrichments.event.reference + level: extended + type: keyword + ignore_above: 1024 + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' + example: https://system.example.com/event/#0001234 + default_field: false + - name: enrichments.event.risk_score + level: core + type: float + description: Risk score or priority of the event (e.g. security solutions). + Use your system's original value here. + default_field: false + - name: enrichments.event.risk_score_norm + level: extended + type: float + description: 'Normalized risk score or priority of the event, on a scale of + 0 to 100. + + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + default_field: false + - name: enrichments.event.sequence + level: extended + type: long + format: string + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' + default_field: false + - name: enrichments.event.severity + level: core + type: long + format: string + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and + use cases. It''s up to the implementer to make sure severities are consistent + across events from the same source. 
+ + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` + is meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + default_field: false + - name: enrichments.event.start + level: extended + type: date + description: event.start contains the date when the event started or when the + activity was first observed. + default_field: false + - name: enrichments.event.timezone level: extended type: keyword ignore_above: 1024 - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - - name: group.alias + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). + It''s optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), + abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + default_field: false + - name: enrichments.event.type + level: core + type: keyword + ignore_above: 1024 + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' 
+ default_field: false + - name: enrichments.event.url level: extended type: keyword ignore_above: 1024 - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' + description: 'URL linking to an external system to continue investigation of + this event. + + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + default_field: false + - name: enrichments.file.accessed + level: extended + type: date + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + default_field: false + - name: enrichments.file.attributes + level: extended + type: keyword + ignore_above: 1024 + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + default_field: false + - name: enrichments.file.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: enrichments.file.code_signature.signing_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' 
+ example: com.apple.xpc.proxy + default_field: false + - name: enrichments.file.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: enrichments.file.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: enrichments.file.code_signature.team_id + level: extended + type: keyword + ignore_above: 1024 + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + default_field: false + - name: enrichments.file.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: enrichments.file.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: enrichments.file.created + level: extended + type: date + description: 'File creation time. + + Note that not all filesystems store the creation time.' + default_field: false + - name: enrichments.file.ctime + level: extended + type: date + description: 'Last time the file attributes or metadata changed. 
+ + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + default_field: false + - name: enrichments.file.device + level: extended + type: keyword + ignore_above: 1024 + description: Device that is the source of the file. + example: sda + default_field: false + - name: enrichments.file.directory + level: extended + type: wildcard + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + default_field: false + - name: enrichments.file.drive_letter + level: extended + type: keyword + ignore_above: 1 + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + default_field: false + - name: enrichments.file.elf.architecture + level: extended + type: keyword + ignore_above: 1024 + description: Machine architecture of the ELF file. + example: x86-64 + default_field: false + - name: enrichments.file.elf.byte_order + level: extended + type: keyword + ignore_above: 1024 + description: Byte sequence of ELF file. + example: Little Endian + default_field: false + - name: enrichments.file.elf.cpu_type + level: extended + type: keyword + ignore_above: 1024 + description: CPU type of the ELF file. + example: Intel + default_field: false + - name: enrichments.file.elf.creation_date + level: extended + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. + default_field: false + - name: enrichments.file.elf.exports + level: extended + type: flattened + description: List of exported element names and types. 
+ default_field: false + - name: enrichments.file.elf.header.abi_version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF Application Binary Interface (ABI). + default_field: false + - name: enrichments.file.elf.header.class + level: extended + type: keyword + ignore_above: 1024 + description: Header class of the ELF file. + default_field: false + - name: enrichments.file.elf.header.data + level: extended + type: keyword + ignore_above: 1024 + description: Data table of the ELF header. + default_field: false + - name: enrichments.file.elf.header.entrypoint + level: extended + type: long + format: string + description: Header entrypoint of the ELF file. + default_field: false + - name: enrichments.file.elf.header.object_version + level: extended + type: keyword + ignore_above: 1024 + description: '"0x1" for original ELF files.' + default_field: false + - name: enrichments.file.elf.header.os_abi + level: extended + type: keyword + ignore_above: 1024 + description: Application Binary Interface (ABI) of the Linux OS. + default_field: false + - name: enrichments.file.elf.header.type + level: extended + type: keyword + ignore_above: 1024 + description: Header type of the ELF file. + default_field: false + - name: enrichments.file.elf.header.version + level: extended + type: keyword + ignore_above: 1024 + description: Version of the ELF header. + default_field: false + - name: enrichments.file.elf.imports + level: extended + type: flattened + description: List of imported element names and types. + default_field: false + - name: enrichments.file.elf.sections + level: extended + type: nested + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' 
+ default_field: false + - name: enrichments.file.elf.sections.chi2 + level: extended + type: long + format: number + description: Chi-square probability distribution of the section. + default_field: false + - name: enrichments.file.elf.sections.entropy + level: extended + type: long + format: number + description: Shannon entropy calculation from the section. + default_field: false + - name: enrichments.file.elf.sections.flags + level: extended + type: keyword + ignore_above: 1024 + description: ELF Section List flags. default_field: false - - name: group.id + - name: enrichments.file.elf.sections.name level: extended type: keyword ignore_above: 1024 - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 + description: ELF Section List name. default_field: false - - name: group.name + - name: enrichments.file.elf.sections.physical_offset level: extended type: keyword ignore_above: 1024 - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 + description: ELF Section List offset. default_field: false - - name: group.reference + - name: enrichments.file.elf.sections.physical_size + level: extended + type: long + format: bytes + description: ELF Section List physical size. + default_field: false + - name: enrichments.file.elf.sections.type level: extended type: keyword ignore_above: 1024 - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ + description: ELF Section List type. 
default_field: false - - name: indicator.as.number + - name: enrichments.file.elf.sections.virtual_address level: extended type: long - description: Unique number allocated to the autonomous system. The autonomous - system number (ASN) uniquely identifies each network on the Internet. - example: 15169 + format: string + description: ELF Section List virtual address. default_field: false - - name: indicator.as.organization.name + - name: enrichments.file.elf.sections.virtual_size level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Organization name. - example: Google LLC + type: long + format: string + description: ELF Section List virtual size. default_field: false - - name: indicator.confidence + - name: enrichments.file.elf.segments level: extended - type: keyword - ignore_above: 1024 - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High + type: nested + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' default_field: false - - name: indicator.dataset + - name: enrichments.file.elf.segments.sections level: extended type: keyword ignore_above: 1024 - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware + description: ELF object segment sections. default_field: false - - name: indicator.description + - name: enrichments.file.elf.segments.type level: extended - type: wildcard - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. + type: keyword + ignore_above: 1024 + description: ELF object segment type. 
default_field: false - - name: indicator.domain + - name: enrichments.file.elf.shared_libraries level: extended type: keyword ignore_above: 1024 - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com + description: List of shared libraries used by this ELF object. default_field: false - - name: indicator.email.address + - name: enrichments.file.elf.telfhash level: extended type: keyword ignore_above: 1024 - description: Identifies a threat indicator as an email address (irrespective - of direction). - example: phish@example.com + description: telfhash symbol hash for ELF file. default_field: false - - name: indicator.file.accessed + - name: enrichments.file.extension level: extended - type: date - description: 'Last time the file was accessed. + type: keyword + ignore_above: 1024 + description: 'File extension, excluding the leading dot. - Note that not all filesystems keep track of access time.' + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: indicator.file.attributes + - name: enrichments.file.gid level: extended type: keyword ignore_above: 1024 - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' + description: Primary group ID (GID) of the file. + example: '1001' default_field: false - - name: indicator.file.code_signature.exists - level: core - type: boolean - description: Boolean to capture if a signature is present. - example: 'true' + - name: enrichments.file.group + level: extended + type: keyword + ignore_above: 1024 + description: Primary group name of the file. 
+ example: alice default_field: false - - name: indicator.file.code_signature.signing_id + - name: enrichments.file.inode level: extended type: keyword ignore_above: 1024 - description: 'The identifier used to sign the process. - - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy + description: Inode representing the file in the filesystem. + example: '256383' default_field: false - - name: indicator.file.code_signature.status + - name: enrichments.file.mime_type level: extended type: keyword ignore_above: 1024 - description: 'Additional information about the certificate status. - - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. default_field: false - - name: indicator.file.code_signature.subject_name - level: core + - name: enrichments.file.mode + level: extended type: keyword ignore_above: 1024 - description: Subject name of the code signer - example: Microsoft Corporation + description: Mode of the file in octal representation. + example: '0640' default_field: false - - name: indicator.file.code_signature.team_id + - name: enrichments.file.mtime + level: extended + type: date + description: Last time the file content was modified. + default_field: false + - name: enrichments.file.name level: extended type: keyword ignore_above: 1024 - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' 
- example: EQHXZ8M8AV + description: Name of the file including the extension, without the directory. + example: example.png default_field: false - - name: indicator.file.code_signature.trusted + - name: enrichments.file.owner level: extended - type: boolean - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' + type: keyword + ignore_above: 1024 + description: File owner's username. + example: alice default_field: false - - name: indicator.file.code_signature.valid + - name: enrichments.file.path level: extended - type: boolean - description: 'Boolean to capture if the digital signature is verified against - the binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png default_field: false - - name: indicator.file.created + - name: enrichments.file.size level: extended - type: date - description: 'File creation time. + type: long + description: 'File size in bytes. - Note that not all filesystems store the creation time.' + Only relevant when `file.type` is "file".' + example: 16384 default_field: false - - name: indicator.file.ctime + - name: enrichments.file.target_path level: extended - type: date - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: Target path for symlinks. 
default_field: false - - name: indicator.file.device + - name: enrichments.file.type level: extended type: keyword ignore_above: 1024 - description: Device that is the source of the file. - example: sda + description: File type (file, dir, or symlink). + example: file default_field: false - - name: indicator.file.directory + - name: enrichments.file.uid level: extended - type: wildcard - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice + type: keyword + ignore_above: 1024 + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' default_field: false - - name: indicator.file.drive_letter - level: extended + - name: enrichments.geo.city_name + level: core type: keyword - ignore_above: 1 - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C + ignore_above: 1024 + description: City name. + example: Montreal default_field: false - - name: indicator.file.elf.architecture - level: extended + - name: enrichments.geo.continent_code + level: core type: keyword ignore_above: 1024 - description: Machine architecture of the ELF file. - example: x86-64 + description: Two-letter code representing continent's name. + example: NA default_field: false - - name: indicator.file.elf.byte_order - level: extended + - name: enrichments.geo.continent_name + level: core type: keyword ignore_above: 1024 - description: Byte sequence of ELF file. - example: Little Endian + description: Name of the continent. + example: North America default_field: false - - name: indicator.file.elf.cpu_type - level: extended + - name: enrichments.geo.country_iso_code + level: core type: keyword ignore_above: 1024 - description: CPU type of the ELF file. - example: Intel + description: Country ISO code. 
+ example: CA default_field: false - - name: indicator.file.elf.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. + - name: enrichments.geo.country_name + level: core + type: keyword + ignore_above: 1024 + description: Country name. + example: Canada default_field: false - - name: indicator.file.elf.exports - level: extended - type: flattened - description: List of exported element names and types. + - name: enrichments.geo.location + level: core + type: geo_point + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' default_field: false - - name: indicator.file.elf.header.abi_version + - name: enrichments.geo.name level: extended + type: wildcard + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + default_field: false + - name: enrichments.geo.postal_code + level: core + type: keyword + ignore_above: 1024 + description: 'Postal code associated with the location. + + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + default_field: false + - name: enrichments.geo.region_iso_code + level: core + type: keyword + ignore_above: 1024 + description: Region ISO code. + example: CA-QC + default_field: false + - name: enrichments.geo.region_name + level: core type: keyword ignore_above: 1024 - description: Version of the ELF Application Binary Interface (ABI). + description: Region name. 
+ example: Quebec default_field: false - - name: indicator.file.elf.header.class - level: extended + - name: enrichments.geo.timezone + level: core type: keyword ignore_above: 1024 - description: Header class of the ELF file. + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires default_field: false - - name: indicator.file.elf.header.data + - name: enrichments.hash.md5 level: extended type: keyword ignore_above: 1024 - description: Data table of the ELF header. + description: MD5 hash. default_field: false - - name: indicator.file.elf.header.entrypoint + - name: enrichments.hash.sha1 level: extended - type: long - format: string - description: Header entrypoint of the ELF file. + type: keyword + ignore_above: 1024 + description: SHA1 hash. default_field: false - - name: indicator.file.elf.header.object_version + - name: enrichments.hash.sha256 level: extended type: keyword ignore_above: 1024 - description: '"0x1" for original ELF files.' + description: SHA256 hash. default_field: false - - name: indicator.file.elf.header.os_abi + - name: enrichments.hash.sha512 level: extended type: keyword ignore_above: 1024 - description: Application Binary Interface (ABI) of the Linux OS. + description: SHA512 hash. default_field: false - - name: indicator.file.elf.header.type + - name: enrichments.hash.ssdeep level: extended type: keyword ignore_above: 1024 - description: Header type of the ELF file. + description: SSDEEP hash. default_field: false - - name: indicator.file.elf.header.version + - name: enrichments.matched.atomic level: extended type: keyword ignore_above: 1024 - description: Version of the ELF header. + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. 
+ example: bad-domain.com default_field: false - - name: indicator.file.elf.imports + - name: enrichments.matched.field level: extended - type: flattened - description: List of imported element names and types. + type: keyword + ignore_above: 1024 + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 default_field: false - - name: indicator.file.elf.sections + - name: enrichments.matched.id level: extended - type: nested - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' + type: keyword + ignore_above: 1024 + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 default_field: false - - name: indicator.file.elf.sections.chi2 + - name: enrichments.matched.index level: extended - type: long - format: number - description: Chi-square probability distribution of the section. + type: keyword + ignore_above: 1024 + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 default_field: false - - name: indicator.file.elf.sections.entropy + - name: enrichments.matched.type level: extended - type: long - format: number - description: Shannon entropy calculation from the section. + type: keyword + ignore_above: 1024 + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule default_field: false - - name: indicator.file.elf.sections.flags + - name: enrichments.pe.architecture level: extended type: keyword ignore_above: 1024 - description: ELF Section List flags. + description: CPU architecture target for the file. 
+ example: x64 default_field: false - - name: indicator.file.elf.sections.name + - name: enrichments.pe.authentihash level: extended type: keyword ignore_above: 1024 - description: ELF Section List name. + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 default_field: false - - name: indicator.file.elf.sections.physical_offset + - name: enrichments.pe.company level: extended type: keyword ignore_above: 1024 - description: ELF Section List offset. + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation default_field: false - - name: indicator.file.elf.sections.physical_size + - name: enrichments.pe.compile_timestamp level: extended - type: long - format: bytes - description: ELF Section List physical size. + type: date + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.elf.sections.type + - name: enrichments.pe.compiler.name level: extended type: keyword ignore_above: 1024 - description: ELF Section List type. + description: Name of the compiler + example: Clang default_field: false - - name: indicator.file.elf.sections.virtual_address + - name: enrichments.pe.compiler.version level: extended - type: long - format: string - description: ELF Section List virtual address. + type: keyword + ignore_above: 1024 + description: Version of the compiler. + example: 11.0.0 default_field: false - - name: indicator.file.elf.sections.virtual_size + - name: enrichments.pe.creation_date level: extended - type: long - format: string - description: ELF Section List virtual size. + type: date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.elf.segments + - name: enrichments.pe.debug level: extended type: nested - description: 'An array containing an object for each segment of the ELF file. + description: 'An array containing an object for each debug entry, if present. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' + The expected fields for this nested object fall under the `debug.` prefix.' default_field: false - - name: indicator.file.elf.segments.sections + - name: enrichments.pe.debug.offset level: extended type: keyword ignore_above: 1024 - description: ELF object segment sections. + description: Debug offset information. + example: 1296336 default_field: false - - name: indicator.file.elf.segments.type + - name: enrichments.pe.debug.size level: extended - type: keyword - ignore_above: 1024 - description: ELF object segment type. + type: long + format: bytes + description: Size of the debug information. + example: 816 + default_field: false + - name: enrichments.pe.debug.timestamp + level: extended + type: date + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.file.elf.shared_libraries + - name: enrichments.pe.debug.type level: extended type: keyword ignore_above: 1024 - description: List of shared libraries used by this ELF object. + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO default_field: false - - name: indicator.file.elf.telfhash + - name: enrichments.pe.description level: extended type: keyword ignore_above: 1024 - description: telfhash symbol hash for ELF file. + description: Internal description of the file, provided at compile-time. 
+ example: Paint default_field: false - - name: indicator.file.extension + - name: enrichments.pe.entry_point level: extended type: keyword ignore_above: 1024 - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png + description: Relative byte offset to the base of the PE file. + example: 25856 default_field: false - - name: indicator.file.gid + - name: enrichments.pe.exports level: extended type: keyword ignore_above: 1024 - description: Primary group ID (GID) of the file. - example: '1001' + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' default_field: false - - name: indicator.file.group + - name: enrichments.pe.file_version level: extended type: keyword ignore_above: 1024 - description: Primary group name of the file. - example: alice + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 default_field: false - - name: indicator.file.inode + - name: enrichments.pe.icon.hash.dhash level: extended type: keyword ignore_above: 1024 - description: Inode representing the file in the filesystem. - example: '256383' + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 default_field: false - - name: indicator.file.mime_type + - name: enrichments.pe.imphash level: extended type: keyword ignore_above: 1024 - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. + description: 'A hash of the imports in a PE file. 
An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf default_field: false - - name: indicator.file.mode + - name: enrichments.pe.imports + level: extended + type: flattened + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + default_field: false + - name: enrichments.pe.machine_type level: extended type: keyword ignore_above: 1024 - description: Mode of the file in octal representation. - example: '0640' + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles default_field: false - - name: indicator.file.mtime + - name: enrichments.pe.original_file_name level: extended - type: date - description: Last time the file content was modified. + type: wildcard + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE default_field: false - - name: indicator.file.name + - name: enrichments.pe.packers level: extended type: keyword ignore_above: 1024 - description: Name of the file including the extension, without the directory. - example: example.png + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' default_field: false - - name: indicator.file.owner + - name: enrichments.pe.product level: extended type: keyword ignore_above: 1024 - description: File owner's username. - example: alice + description: Internal product name of the file, provided at compile-time. 
+ example: "Microsoft\xAE Windows\xAE Operating System" default_field: false - - name: indicator.file.path + - name: enrichments.pe.resources level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png + type: nested + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' default_field: false - - name: indicator.file.size + - name: enrichments.pe.resources.chi2 level: extended type: long - description: 'File size in bytes. - - Only relevant when `file.type` is "file".' - example: 16384 + description: Chi-square probability distribution. + example: -1 default_field: false - - name: indicator.file.target_path + - name: enrichments.pe.resources.entropy level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Target path for symlinks. + type: long + description: Measurement of entropy randomness in the resources section. + example: 0, 1 default_field: false - - name: indicator.file.type + - name: enrichments.pe.resources.filetype level: extended type: keyword ignore_above: 1024 - description: File type (file, dir, or symlink). - example: file + description: File type of the resources section. + example: Data default_field: false - - name: indicator.file.uid + - name: enrichments.pe.resources.language level: extended type: keyword ignore_above: 1024 - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' + description: Language identification. 
+ example: CHINESE SIMPLIFIED default_field: false - - name: indicator.first_seen + - name: enrichments.pe.resources.sha256 level: extended - type: date - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.geo.city_name - level: core type: keyword ignore_above: 1024 - description: City name. - example: Montreal + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 default_field: false - - name: indicator.geo.continent_code - level: core + - name: enrichments.pe.resources.type + level: extended type: keyword ignore_above: 1024 - description: Two-letter code representing continent's name. - example: NA + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' default_field: false - - name: indicator.geo.continent_name - level: core + - name: enrichments.pe.rich_header.hash.md5 + level: extended type: keyword ignore_above: 1024 - description: Name of the continent. - example: North America + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd default_field: false - - name: indicator.geo.country_iso_code - level: core + - name: enrichments.pe.sections + level: extended + type: nested + description: Data about sections of compiled binary PE + default_field: false + - name: enrichments.pe.sections.chi2 + level: extended + type: long + description: Chi-square probability distribution. + example: 3027194 + default_field: false + - name: enrichments.pe.sections.entropy + level: extended + type: float + description: Measurement of entropy randomness in the file. + example: 6.24 + default_field: false + - name: enrichments.pe.sections.flags + level: extended type: keyword ignore_above: 1024 - description: Country ISO code. - example: CA + description: Section flags of the file. 
+ example: rx default_field: false - - name: indicator.geo.country_name - level: core + - name: enrichments.pe.sections.name + level: extended type: keyword ignore_above: 1024 - description: Country name. - example: Canada + description: Section names of the file. + example: .text, .data default_field: false - - name: indicator.geo.location - level: core - type: geo_point - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' + - name: enrichments.pe.sections.raw_size + level: extended + type: long + format: bytes + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + default_field: false + - name: enrichments.pe.sections.virtual_address + level: extended + type: long + format: bytes + description: Virtual address available to the file. + example: 8192 default_field: false - - name: indicator.geo.name + - name: enrichments.registry.data.bytes level: extended - type: wildcard - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. + type: keyword + ignore_above: 1024 + description: 'Original bytes written with base64 encoding. - Not typically used in automated geolocation.' - example: boston-dc + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= default_field: false - - name: indicator.geo.postal_code + - name: enrichments.registry.data.strings level: core - type: keyword - ignore_above: 1024 - description: 'Postal code associated with the location. + type: wildcard + description: 'Content when writing string types. 
- Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' default_field: false - - name: indicator.geo.region_iso_code + - name: enrichments.registry.data.type level: core type: keyword ignore_above: 1024 - description: Region ISO code. - example: CA-QC + description: Standard registry type for encoding contents + example: REG_SZ default_field: false - - name: indicator.geo.region_name + - name: enrichments.registry.hive level: core type: keyword ignore_above: 1024 - description: Region name. - example: Quebec + description: Abbreviated name for the hive. + example: HKLM + default_field: false + - name: enrichments.registry.key + level: core + type: wildcard + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + default_field: false + - name: enrichments.registry.path + level: core + type: wildcard + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger default_field: false - - name: indicator.geo.timezone + - name: enrichments.registry.value level: core type: keyword ignore_above: 1024 - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires + description: Name of the value written. 
+ example: Debugger default_field: false - - name: indicator.hash.md5 + - name: enrichments.url.domain level: extended - type: keyword - ignore_above: 1024 - description: MD5 hash. + type: wildcard + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co default_field: false - - name: indicator.hash.sha1 + - name: enrichments.url.extension level: extended type: keyword ignore_above: 1024 - description: SHA1 hash. + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png default_field: false - - name: indicator.hash.sha256 + - name: enrichments.url.fragment level: extended type: keyword ignore_above: 1024 - description: SHA256 hash. + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' default_field: false - - name: indicator.hash.sha512 + - name: enrichments.url.full level: extended - type: keyword - ignore_above: 1024 - description: SHA512 hash. + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. 
+ example: https://www.elastic.co:443/search?q=elasticsearch#top + default_field: false + - name: enrichments.url.original + level: extended + type: wildcard + multi_fields: + - name: text + type: text + norms: false + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch default_field: false - - name: indicator.hash.ssdeep + - name: enrichments.url.password level: extended type: keyword ignore_above: 1024 - description: SSDEEP hash. + description: Password of the request. default_field: false - - name: indicator.ip + - name: enrichments.url.path level: extended - type: ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 + type: wildcard + description: Path of the request, such as "/search". default_field: false - - name: indicator.last_seen + - name: enrichments.url.port level: extended - type: date - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' + type: long + format: string + description: Port of the request, such as 443. + example: 443 default_field: false - - name: indicator.marking.tlp + - name: enrichments.url.query level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ - \ * White\n * Green\n * Amber\n * Red" - example: White + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. 
The `exists` query can be used to differentiate between + the two cases.' default_field: false - - name: indicator.matched.atomic + - name: enrichments.url.registered_domain + level: extended + type: wildcard + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + default_field: false + - name: enrichments.url.scheme level: extended type: keyword ignore_above: 1024 - description: Identifies the atomic indicator that matched a local environment - endpoint or network event. - example: example.com + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https default_field: false - - name: indicator.matched.field + - name: enrichments.url.subdomain level: extended type: keyword ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". + If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' 
+ example: east default_field: false - - name: indicator.matched.type + - name: enrichments.url.top_level_domain level: extended type: keyword ignore_above: 1024 - description: Identifies the type of the atomic indicator that matched a local - environment endpoint or network event. - example: domain-name + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk default_field: false - - name: indicator.module + - name: enrichments.url.username level: extended type: keyword ignore_above: 1024 - description: Identifies the name of specific module this data is coming from. - example: threatintel + description: Username of the request. default_field: false - - name: indicator.pe.architecture + - name: enrichments.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: CPU architecture target for the file. - example: x64 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: indicator.pe.authentihash + - name: enrichments.x509.issuer.common_name level: extended type: keyword ignore_above: 1024 - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + description: List of common name (CN) of issuing certificate authority. 
+ example: Example SHA2 High Assurance Server CA default_field: false - - name: indicator.pe.company + - name: enrichments.x509.issuer.country level: extended type: keyword ignore_above: 1024 - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation + description: List of country (C) codes + example: US default_field: false - - name: indicator.pe.compile_timestamp + - name: enrichments.x509.issuer.distinguished_name level: extended - type: date - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' + type: wildcard + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA default_field: false - - name: indicator.pe.compiler.name + - name: enrichments.x509.issuer.locality level: extended type: keyword ignore_above: 1024 - description: Name of the compiler - example: Clang + description: List of locality names (L) + example: Mountain View default_field: false - - name: indicator.pe.compiler.version + - name: enrichments.x509.issuer.organization level: extended type: keyword ignore_above: 1024 - description: Version of the compiler. - example: 11.0.0 - default_field: false - - name: indicator.pe.creation_date - level: extended - type: date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.pe.debug - level: extended - type: nested - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc default_field: false - - name: indicator.pe.debug.offset + - name: enrichments.x509.issuer.organizational_unit level: extended type: keyword ignore_above: 1024 - description: Debug offset information. - example: 1296336 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com default_field: false - - name: indicator.pe.debug.size + - name: enrichments.x509.issuer.state_or_province level: extended - type: long - format: bytes - description: Size of the debug information. - example: 816 + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.pe.debug.timestamp + - name: enrichments.x509.not_after level: extended type: date - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - default_field: false - - name: indicator.pe.debug.type - level: extended - type: keyword - ignore_above: 1024 - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 default_field: false - - name: indicator.pe.description + - name: enrichments.x509.not_before level: extended - type: keyword - ignore_above: 1024 - description: Internal description of the file, provided at compile-time. - example: Paint + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 default_field: false - - name: indicator.pe.entry_point + - name: enrichments.x509.public_key_algorithm level: extended type: keyword ignore_above: 1024 - description: Relative byte offset to the base of the PE file. - example: 25856 + description: Algorithm used to generate the public key. 
+ example: RSA default_field: false - - name: indicator.pe.exports + - name: enrichments.x509.public_key_curve level: extended type: keyword ignore_above: 1024 - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 default_field: false - - name: indicator.pe.file_version + - name: enrichments.x509.public_key_exponent level: extended - type: keyword - ignore_above: 1024 - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: enrichments.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 default_field: false - - name: indicator.pe.icon.hash.dhash + - name: enrichments.x509.serial_number level: extended type: keyword ignore_above: 1024 - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA default_field: false - - name: indicator.pe.imphash + - name: enrichments.x509.signature_algorithm level: extended type: keyword ignore_above: 1024 - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
- example: 0c6803c4e922103c4dca5963aad36ddf + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA default_field: false - - name: indicator.pe.imports + - name: enrichments.x509.subject.common_name level: extended - type: flattened - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net default_field: false - - name: indicator.pe.machine_type + - name: enrichments.x509.subject.country level: extended type: keyword ignore_above: 1024 - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles + description: List of country (C) code + example: US default_field: false - - name: indicator.pe.original_file_name + - name: enrichments.x509.subject.distinguished_name level: extended type: wildcard - description: Internal name of the file, provided at compile-time. - example: MSPAINT.EXE + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false - - name: indicator.pe.packers + - name: enrichments.x509.subject.locality level: extended type: keyword ignore_above: 1024 - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' + description: List of locality names (L) + example: San Francisco default_field: false - - name: indicator.pe.product + - name: enrichments.x509.subject.organization level: extended type: keyword ignore_above: 1024 - description: Internal product name of the file, provided at compile-time. 
- example: "Microsoft\xAE Windows\xAE Operating System" + description: List of organizations (O) of subject. + example: Example, Inc. default_field: false - - name: indicator.pe.resources + - name: enrichments.x509.subject.organizational_unit level: extended - type: nested - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. default_field: false - - name: indicator.pe.resources.chi2 + - name: enrichments.x509.subject.state_or_province level: extended - type: long - description: Chi-square probability distribution. - example: -1 + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California default_field: false - - name: indicator.pe.resources.entropy + - name: enrichments.x509.version_number level: extended - type: long - description: Measurement of entropy randomness in the resources section. - example: 0, 1 + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 default_field: false - - name: indicator.pe.resources.filetype + - name: framework level: extended type: keyword ignore_above: 1024 - description: File type of the resources section. - example: Data - default_field: false - - name: indicator.pe.resources.language + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + - name: group.alias level: extended type: keyword ignore_above: 1024 - description: Language identification. 
- example: CHINESE SIMPLIFIED + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' default_field: false - - name: indicator.pe.resources.sha256 + - name: group.id level: extended type: keyword ignore_above: 1024 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 default_field: false - - name: indicator.pe.resources.type + - name: group.name level: extended type: keyword ignore_above: 1024 - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 default_field: false - - name: indicator.pe.rich_header.hash.md5 + - name: group.reference level: extended type: keyword ignore_above: 1024 - description: MD5 hash of the header for the PE file. - example: 5aa1aa0f2b4be70397a1e9e2b87627cd + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." 
+ example: https://attack.mitre.org/groups/G0037/ default_field: false - - name: indicator.pe.sections + - name: indicator.confidence level: extended - type: nested - description: Data about sections of compiled binary PE + type: keyword + ignore_above: 1024 + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High default_field: false - - name: indicator.pe.sections.chi2 + - name: indicator.dataset level: extended - type: long - description: Chi-square probability distribution. - example: 3027194 + type: keyword + ignore_above: 1024 + description: Identifies the name of specific dataset from the intelligence source. + example: threatintel.abusemalware default_field: false - - name: indicator.pe.sections.entropy + - name: indicator.description level: extended - type: float - description: Measurement of entropy randomness in the file. - example: 6.24 + type: wildcard + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: indicator.pe.sections.flags + - name: indicator.domain level: extended type: keyword ignore_above: 1024 - description: Section flags of the file. - example: rx + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com default_field: false - - name: indicator.pe.sections.name + - name: indicator.email.address level: extended type: keyword ignore_above: 1024 - description: Section names of the file. - example: .text, .data + description: Identifies a threat indicator as an email address (irrespective + of direction). 
+ example: phish@example.com default_field: false - - name: indicator.pe.sections.raw_size + - name: indicator.first_seen level: extended - type: long - format: bytes - description: Size of the section or the dize of the initialized data on disk. - example: 198144 + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.pe.sections.virtual_address + - name: indicator.ip level: extended - type: long - format: bytes - description: Virtual address available to the file. - example: 8192 + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 default_field: false - - name: indicator.port + - name: indicator.last_seen level: extended - type: long - description: Identifies a threat indicator as a port number (irrespective of - direction). - example: 443 + type: date + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - - name: indicator.provider + - name: indicator.marking.tlp level: extended type: keyword ignore_above: 1024 - description: Identifies the name of the intelligence provider. - example: VirusTotal + description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ + \ * White\n * Green\n * Amber\n * Red" + example: White default_field: false - - name: indicator.registry.data.bytes + - name: indicator.matched.atomic level: extended type: keyword ignore_above: 1024 - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' 
- example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - default_field: false - - name: indicator.registry.data.strings - level: core - type: wildcard - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' + description: Identifies the atomic indicator that matched a local environment + endpoint or network event. + example: example.com default_field: false - - name: indicator.registry.data.type - level: core + - name: indicator.matched.field + level: extended type: keyword ignore_above: 1024 - description: Standard registry type for encoding contents - example: REG_SZ + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 default_field: false - - name: indicator.registry.hive - level: core + - name: indicator.matched.type + level: extended type: keyword ignore_above: 1024 - description: Abbreviated name for the hive. - example: HKLM + description: Identifies the type of the atomic indicator that matched a local + environment endpoint or network event. + example: domain-name default_field: false - - name: indicator.registry.key - level: core - type: wildcard - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + - name: indicator.module + level: extended + type: keyword + ignore_above: 1024 + description: Identifies the name of specific module this data is coming from. 
+ example: threatintel default_field: false - - name: indicator.registry.path - level: core - type: wildcard - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 default_field: false - - name: indicator.registry.value - level: core + - name: indicator.provider + level: extended type: keyword ignore_above: 1024 - description: Name of the value written. - example: Debugger + description: Identifies the name of the intelligence provider. + example: VirusTotal default_field: false - name: indicator.scanner_stats level: extended diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index ca8216c555..287ac08d20 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -790,95 +790,212 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,source,source.user.name.text,text,core,,albert,Short name or login of the user. 2.0.0-dev+exp,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 2.0.0-dev+exp,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +2.0.0-dev+exp,true,threat,threat.enrichments,nested,extended,,,List of indicators enriching the event. +2.0.0-dev+exp,true,threat,threat.enrichments.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +2.0.0-dev+exp,true,threat,threat.enrichments.as.organization.name,wildcard,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,threat,threat.enrichments.as.organization.name.text,text,extended,,Google LLC,Organization name. +2.0.0-dev+exp,true,threat,threat.enrichments.event.action,keyword,core,,user-password-change,The action captured by the event. +2.0.0-dev+exp,true,threat,threat.enrichments.event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +2.0.0-dev+exp,true,threat,threat.enrichments.event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +2.0.0-dev+exp,true,threat,threat.enrichments.event.code,keyword,extended,,4648,Identification code for this event. +2.0.0-dev+exp,true,threat,threat.enrichments.event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +2.0.0-dev+exp,true,threat,threat.enrichments.event.dataset,keyword,core,,apache.access,Name of the dataset. +2.0.0-dev+exp,true,threat,threat.enrichments.event.duration,long,core,,,Duration of the event in nanoseconds. 
+2.0.0-dev+exp,true,threat,threat.enrichments.event.end,date,extended,,,event.end contains the date when the event ended or when the activity was last observed. +2.0.0-dev+exp,true,threat,threat.enrichments.event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +2.0.0-dev+exp,true,threat,threat.enrichments.event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +2.0.0-dev+exp,true,threat,threat.enrichments.event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +2.0.0-dev+exp,true,threat,threat.enrichments.event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +2.0.0-dev+exp,true,threat,threat.enrichments.event.module,keyword,core,,apache,Name of the module this data is coming from. +2.0.0-dev+exp,false,threat,threat.enrichments.event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +2.0.0-dev+exp,true,threat,threat.enrichments.event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. +2.0.0-dev+exp,true,threat,threat.enrichments.event.provider,keyword,extended,,kernel,Source of the event. +2.0.0-dev+exp,true,threat,threat.enrichments.event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +2.0.0-dev+exp,true,threat,threat.enrichments.event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +2.0.0-dev+exp,true,threat,threat.enrichments.event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. 
+2.0.0-dev+exp,true,threat,threat.enrichments.event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +2.0.0-dev+exp,true,threat,threat.enrichments.event.sequence,long,extended,,,Sequence number of the event. +2.0.0-dev+exp,true,threat,threat.enrichments.event.severity,long,core,,7,Numeric severity of the event. +2.0.0-dev+exp,true,threat,threat.enrichments.event.start,date,extended,,,event.start contains the date when the event started or when the activity was first observed. +2.0.0-dev+exp,true,threat,threat.enrichments.event.timezone,keyword,extended,,,Event time zone. +2.0.0-dev+exp,true,threat,threat.enrichments.event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +2.0.0-dev+exp,true,threat,threat.enrichments.event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +2.0.0-dev+exp,true,threat,threat.enrichments.file.accessed,date,extended,,,Last time the file was accessed. +2.0.0-dev+exp,true,threat,threat.enrichments.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. 
+2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +2.0.0-dev+exp,true,threat,threat.enrichments.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +2.0.0-dev+exp,true,threat,threat.enrichments.file.created,date,extended,,,File creation time. +2.0.0-dev+exp,true,threat,threat.enrichments.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +2.0.0-dev+exp,true,threat,threat.enrichments.file.device,keyword,extended,,sda,Device that is the source of the file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. +2.0.0-dev+exp,true,threat,threat.enrichments.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.creation_date,date,extended,,,Build or compile date. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.exports,flattened,extended,array,,List of exported element names and types. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.data,keyword,extended,,,Data table of the ELF header. 
+2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.header.version,keyword,extended,,,Version of the ELF header. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.imports,flattened,extended,array,,List of imported element names and types. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections,nested,extended,array,,Section information of the ELF file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.name,keyword,extended,,,ELF Section List name. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.type,keyword,extended,,,ELF Section List type. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. 
+2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.segments,nested,extended,array,,ELF object segment list. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.segments.type,keyword,extended,,,ELF object segment type. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +2.0.0-dev+exp,true,threat,threat.enrichments.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +2.0.0-dev+exp,true,threat,threat.enrichments.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.group,keyword,extended,,alice,Primary group name of the file. +2.0.0-dev+exp,true,threat,threat.enrichments.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +2.0.0-dev+exp,true,threat,threat.enrichments.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +2.0.0-dev+exp,true,threat,threat.enrichments.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +2.0.0-dev+exp,true,threat,threat.enrichments.file.mtime,date,extended,,,Last time the file content was modified. +2.0.0-dev+exp,true,threat,threat.enrichments.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +2.0.0-dev+exp,true,threat,threat.enrichments.file.owner,keyword,extended,,alice,File owner's username. +2.0.0-dev+exp,true,threat,threat.enrichments.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." 
+2.0.0-dev+exp,true,threat,threat.enrichments.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." +2.0.0-dev+exp,true,threat,threat.enrichments.file.size,long,extended,,16384,File size in bytes. +2.0.0-dev+exp,true,threat,threat.enrichments.file.target_path,wildcard,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,threat,threat.enrichments.file.target_path.text,text,extended,,,Target path for symlinks. +2.0.0-dev+exp,true,threat,threat.enrichments.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +2.0.0-dev+exp,true,threat,threat.enrichments.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.city_name,keyword,core,,Montreal,City name. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.continent_code,keyword,core,,NA,Continent code. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.continent_name,keyword,core,,North America,Name of the continent. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.country_iso_code,keyword,core,,CA,Country ISO code. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.country_name,keyword,core,,Canada,Country name. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.postal_code,keyword,core,,94040,Postal code. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.region_name,keyword,core,,Quebec,Region name. +2.0.0-dev+exp,true,threat,threat.enrichments.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +2.0.0-dev+exp,true,threat,threat.enrichments.hash.md5,keyword,extended,,,MD5 hash. 
+2.0.0-dev+exp,true,threat,threat.enrichments.hash.sha1,keyword,extended,,,SHA1 hash. +2.0.0-dev+exp,true,threat,threat.enrichments.hash.sha256,keyword,extended,,,SHA256 hash. +2.0.0-dev+exp,true,threat,threat.enrichments.hash.sha512,keyword,extended,,,SHA512 hash. +2.0.0-dev+exp,true,threat,threat.enrichments.hash.ssdeep,keyword,extended,,,SSDEEP hash. +2.0.0-dev+exp,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +2.0.0-dev+exp,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +2.0.0-dev+exp,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +2.0.0-dev+exp,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +2.0.0-dev+exp,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +2.0.0-dev+exp,true,threat,threat.enrichments.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.enrichments.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.compiler.name,keyword,extended,,Clang,Name of the compiler +2.0.0-dev+exp,true,threat,threat.enrichments.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. 
+2.0.0-dev+exp,true,threat,threat.enrichments.pe.debug,nested,extended,array,,Debug information +2.0.0-dev+exp,true,threat,threat.enrichments.pe.debug.offset,keyword,extended,,1296336,Debug offset information. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.debug.size,long,extended,,816,Size of the debug information. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.enrichments.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE +2.0.0-dev+exp,true,threat,threat.enrichments.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions +2.0.0-dev+exp,true,threat,threat.enrichments.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. 
+2.0.0-dev+exp,true,threat,threat.enrichments.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.enrichments.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +2.0.0-dev+exp,true,threat,threat.enrichments.pe.resources,nested,extended,array,,PE resource information +2.0.0-dev+exp,true,threat,threat.enrichments.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE +2.0.0-dev+exp,true,threat,threat.enrichments.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. 
+2.0.0-dev+exp,true,threat,threat.enrichments.pe.sections.flags,keyword,extended,,rx,Section flags of the file. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. +2.0.0-dev+exp,true,threat,threat.enrichments.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. +2.0.0-dev+exp,true,threat,threat.enrichments.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +2.0.0-dev+exp,true,threat,threat.enrichments.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +2.0.0-dev+exp,true,threat,threat.enrichments.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +2.0.0-dev+exp,true,threat,threat.enrichments.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +2.0.0-dev+exp,true,threat,threat.enrichments.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +2.0.0-dev+exp,true,threat,threat.enrichments.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +2.0.0-dev+exp,true,threat,threat.enrichments.registry.value,keyword,core,,Debugger,Name of the value written. +2.0.0-dev+exp,true,threat,threat.enrichments.url.domain,wildcard,extended,,www.elastic.co,Domain of the url. +2.0.0-dev+exp,true,threat,threat.enrichments.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +2.0.0-dev+exp,true,threat,threat.enrichments.url.fragment,keyword,extended,,,Portion of the url after the `#`. 
+2.0.0-dev+exp,true,threat,threat.enrichments.url.full,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev+exp,true,threat,threat.enrichments.url.full.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +2.0.0-dev+exp,true,threat,threat.enrichments.url.original,wildcard,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev+exp,true,threat,threat.enrichments.url.original.text,text,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +2.0.0-dev+exp,true,threat,threat.enrichments.url.password,keyword,extended,,,Password of the request. +2.0.0-dev+exp,true,threat,threat.enrichments.url.path,wildcard,extended,,,"Path of the request, such as ""/search""." +2.0.0-dev+exp,true,threat,threat.enrichments.url.port,long,extended,,443,"Port of the request, such as 443." +2.0.0-dev+exp,true,threat,threat.enrichments.url.query,keyword,extended,,,Query string of the request. +2.0.0-dev+exp,true,threat,threat.enrichments.url.registered_domain,wildcard,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +2.0.0-dev+exp,true,threat,threat.enrichments.url.scheme,keyword,extended,,https,Scheme of the url. +2.0.0-dev+exp,true,threat,threat.enrichments.url.subdomain,keyword,extended,,east,The subdomain of the domain. +2.0.0-dev+exp,true,threat,threat.enrichments.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +2.0.0-dev+exp,true,threat,threat.enrichments.url.username,keyword,extended,,,Username of the request. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.country,keyword,extended,array,US,List of country (C) codes +2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.distinguished_name,wildcard,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,threat,threat.enrichments.x509.not_after,date,extended,,2020-07-16 03:15:39+00:00,Time at which the certificate is no longer considered valid. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.not_before,date,extended,,2019-08-16 01:40:25+00:00,Time at which the certificate is first considered valid. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +2.0.0-dev+exp,false,threat,threat.enrichments.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+2.0.0-dev+exp,true,threat,threat.enrichments.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.country,keyword,extended,array,US,List of country (C) code +2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.distinguished_name,wildcard,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +2.0.0-dev+exp,true,threat,threat.enrichments.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +2.0.0-dev+exp,true,threat,threat.enrichments.x509.version_number,keyword,extended,,3,Version of x509 format. 2.0.0-dev+exp,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. 2.0.0-dev+exp,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. 2.0.0-dev+exp,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. 
2.0.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 2.0.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. -2.0.0-dev+exp,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. -2.0.0-dev+exp,true,threat,threat.indicator.as.organization.name,wildcard,extended,,Google LLC,Organization name. -2.0.0-dev+exp,true,threat,threat.indicator.as.organization.name.text,text,extended,,Google LLC,Organization name. 2.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating 2.0.0-dev+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset 2.0.0-dev+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 2.0.0-dev+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name 2.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address -2.0.0-dev+exp,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. -2.0.0-dev+exp,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. -2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. -2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. -2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
-2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer -2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. -2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. -2.0.0-dev+exp,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. -2.0.0-dev+exp,true,threat,threat.indicator.file.created,date,extended,,,File creation time. -2.0.0-dev+exp,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. -2.0.0-dev+exp,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. -2.0.0-dev+exp,true,threat,threat.indicator.file.directory,wildcard,extended,,/home/alice,Directory where the file is located. -2.0.0-dev+exp,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.exports,flattened,extended,array,,List of exported element names and types. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). 
-2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.imports,flattened,extended,array,,List of imported element names and types. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. 
-2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. -2.0.0-dev+exp,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. -2.0.0-dev+exp,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." -2.0.0-dev+exp,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. -2.0.0-dev+exp,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. -2.0.0-dev+exp,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. -2.0.0-dev+exp,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." -2.0.0-dev+exp,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. -2.0.0-dev+exp,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. -2.0.0-dev+exp,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." -2.0.0-dev+exp,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. 
-2.0.0-dev+exp,true,threat,threat.indicator.file.path,wildcard,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev+exp,true,threat,threat.indicator.file.path.text,text,extended,,/home/alice/example.png,"Full path to the file, including the file name." -2.0.0-dev+exp,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. -2.0.0-dev+exp,true,threat,threat.indicator.file.target_path,wildcard,extended,,,Target path for symlinks. -2.0.0-dev+exp,true,threat,threat.indicator.file.target_path.text,text,extended,,,Target path for symlinks. -2.0.0-dev+exp,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." -2.0.0-dev+exp,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. 2.0.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. -2.0.0-dev+exp,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. -2.0.0-dev+exp,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. -2.0.0-dev+exp,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. -2.0.0-dev+exp,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. -2.0.0-dev+exp,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. -2.0.0-dev+exp,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. -2.0.0-dev+exp,true,threat,threat.indicator.geo.name,wildcard,extended,,boston-dc,User-defined description of a location. -2.0.0-dev+exp,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. -2.0.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 
-2.0.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. -2.0.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. -2.0.0-dev+exp,true,threat,threat.indicator.hash.md5,keyword,extended,,,MD5 hash. -2.0.0-dev+exp,true,threat,threat.indicator.hash.sha1,keyword,extended,,,SHA1 hash. -2.0.0-dev+exp,true,threat,threat.indicator.hash.sha256,keyword,extended,,,SHA256 hash. -2.0.0-dev+exp,true,threat,threat.indicator.hash.sha512,keyword,extended,,,SHA512 hash. -2.0.0-dev+exp,true,threat,threat.indicator.hash.ssdeep,keyword,extended,,,SSDEEP hash. 2.0.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 2.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 2.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking 
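Review bot: this hunk removes the `threat.indicator.as.*`, `threat.indicator.file.*`, `threat.indicator.geo.*` and `threat.indicator.hash.*` rows while adding the equivalent rows under `threat.enrichments.*`; if the reused field sets are meant to move from the indicator to the enrichment rather than exist on both, that is a breaking change to the existing experimental `threat.indicator` schema and should be stated explicitly in the changelog and PR description, otherwise the reuse list on `threat.indicator` needs restoring. Two smaller things, both inherited from the reused `pe` field set and best fixed in its source schema rather than in this generated file: the `threat.enrichments.pe.sections.raw_size` description reads "the dize of the initialized data on disk" (should be "size"), and `threat.enrichments.pe.resources.entropy` is typed `long` with example `0, 1` while `threat.enrichments.pe.sections.entropy` is `float` with example `6.24`; entropy is a fractional measure, so both should be `float` with a single numeric example.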
@@ -886,53 +1003,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match 2.0.0-dev+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match 2.0.0-dev+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module -2.0.0-dev+exp,true,threat,threat.indicator.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.authentihash,keyword,extended,,ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78,Authentihash of the PE file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." -2.0.0-dev+exp,true,threat,threat.indicator.pe.compile_timestamp,date,extended,,2020-11-05T17:25:47.000Z,Compile timestamp of the PE file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.compiler.name,keyword,extended,,Clang,Name of the compiler -2.0.0-dev+exp,true,threat,threat.indicator.pe.compiler.version,keyword,extended,,11.0.0,Version of the compiler. -2.0.0-dev+exp,true,threat,threat.indicator.pe.creation_date,date,extended,,2020-11-05T17:25:47.000Z,Build or compile date. -2.0.0-dev+exp,true,threat,threat.indicator.pe.debug,nested,extended,array,,Debug information -2.0.0-dev+exp,true,threat,threat.indicator.pe.debug.offset,keyword,extended,,1296336,Debug offset information. -2.0.0-dev+exp,true,threat,threat.indicator.pe.debug.size,long,extended,,816,Size of the debug information. -2.0.0-dev+exp,true,threat,threat.indicator.pe.debug.timestamp,date,extended,,2020-11-05T17:25:47.000Z,Timestamp of the debug information. -2.0.0-dev+exp,true,threat,threat.indicator.pe.debug.type,keyword,extended,,IMAGE_DEBUG_TYPE_POGO,Information type generated by the debug options. 
-2.0.0-dev+exp,true,threat,threat.indicator.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." -2.0.0-dev+exp,true,threat,threat.indicator.pe.entry_point,keyword,extended,,25856,Relative byte offset to the base of the PE file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.exports,keyword,extended,array,"[""DllInstall"", ""DllRegisterServer"", ""DllUnregisterServer""]",List of symbols exported by PE -2.0.0-dev+exp,true,threat,threat.indicator.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. -2.0.0-dev+exp,true,threat,threat.indicator.pe.icon.hash.dhash,keyword,extended,,b806e17c8e330d82,Difference Hash (dhash) to find files with a visually similar icon or thumbnail. -2.0.0-dev+exp,true,threat,threat.indicator.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.imports,flattened,extended,,"{ ""library_name"" : ""mscoree.dll"", ""imported_functions"" : ""GetFileVersionInfoSizeA"" }",List of all imported functions -2.0.0-dev+exp,true,threat,threat.indicator.pe.machine_type,keyword,extended,,"Intel 386 or later, and compatibles",Machine type of the PE file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.original_file_name,wildcard,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." -2.0.0-dev+exp,true,threat,threat.indicator.pe.packers,keyword,extended,array,"[""ASPack v2.12"", "".NET executable""]",List of packers and tools used. -2.0.0-dev+exp,true,threat,threat.indicator.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." -2.0.0-dev+exp,true,threat,threat.indicator.pe.resources,nested,extended,array,,PE resource information -2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.chi2,long,extended,,-1,Chi-square probability distribution. 
-2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.entropy,long,extended,,"0, 1",Measurement of entropy randomness in the resources section. -2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.filetype,keyword,extended,,Data,File type of the resources section. -2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.language,keyword,extended,,CHINESE SIMPLIFIED,Language identification. -2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.sha256,keyword,extended,,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,SHA256 hash of resources section. -2.0.0-dev+exp,true,threat,threat.indicator.pe.resources.type,keyword,extended,array,"[""RT_VERSION"", ""RT_MANIFEST""]",List of resource types. -2.0.0-dev+exp,true,threat,threat.indicator.pe.rich_header.hash.md5,keyword,extended,,5aa1aa0f2b4be70397a1e9e2b87627cd,MD5 hash of the header for the PE file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.sections,nested,extended,array,,Data about sections of the compiled binary PE -2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.chi2,long,extended,,3027194,Chi-square probability distribution. -2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.entropy,float,extended,,6.24,Measurement of entropy randomness in the file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.flags,keyword,extended,,rx,Section flags of the file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.name,keyword,extended,,".text, .data",Section names of the file. -2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.raw_size,long,extended,,198144,Size of the section or the dize of the initialized data on disk. -2.0.0-dev+exp,true,threat,threat.indicator.pe.sections.virtual_address,long,extended,,8192,Virtual address available to the file. 2.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port 2.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider. 
-2.0.0-dev+exp,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. -2.0.0-dev+exp,true,threat,threat.indicator.registry.data.strings,wildcard,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. -2.0.0-dev+exp,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents -2.0.0-dev+exp,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. -2.0.0-dev+exp,true,threat,threat.indicator.registry.key,wildcard,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. -2.0.0-dev+exp,true,threat,threat.indicator.registry.path,wildcard,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" -2.0.0-dev+exp,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. 2.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 30b39960eb..6944ab3d44 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
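Review bot: same concern on removals as the previous hunk: this one drops every `threat.indicator.pe.*` and `threat.indicator.registry.*` row (the header shows 53 lines shrinking to 8), leaving `threat.indicator` with only its own scalar fields such as `port`, `provider`, `scanner_stats`, `sightings` and `type`; confirm this is intended and, if so, document it as a breaking change, since consumers already indexing `threat.indicator.pe.imphash` or `threat.indicator.registry.path` will lose those mappings.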
@@ -9939,1606 +9939,3097 @@ tags: - array short: List of keywords used to tag each event. type: keyword -threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification can - be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework +threat.enrichments: + dashed_name: threat-enrichments + description: A list of associated indicators enriching the event, and the context + of that association/enrichment. + flat_name: threat.enrichments + level: extended + name: enrichments + normalize: [] + short: List of indicators enriching the event. + type: nested +threat.enrichments.as.number: + dashed_name: threat-enrichments-as-number + description: Unique number allocated to the autonomous system. The autonomous system + number (ASN) uniquely identifies each network on the Internet. + example: 15169 + flat_name: threat.enrichments.as.number + level: extended + name: number + normalize: [] + original_fieldset: as + short: Unique number allocated to the autonomous system. + type: long +threat.enrichments.as.organization.name: + dashed_name: threat-enrichments-as-organization-name + description: Organization name. + example: Google LLC + flat_name: threat.enrichments.as.organization.name + level: extended + multi_fields: + - flat_name: threat.enrichments.as.organization.name.text + name: text + norms: false + type: text + name: organization.name + normalize: [] + original_fieldset: as + short: Organization name. + type: wildcard +threat.enrichments.event.action: + dashed_name: threat-enrichments-event-action + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. 
The value is normally + defined by the implementer.' + example: user-password-change + flat_name: threat.enrichments.event.action + ignore_above: 1024 + level: core + name: action + normalize: [] + original_fieldset: event + short: The action captured by the event. + type: keyword +threat.enrichments.event.agent_id_status: + dashed_name: threat-enrichments-event-agent-id-status + description: 'Agents are normally responsible for populating the `agent.id` field + value. If the system receiving events is capable of validating the value based + on authentication information for the client then this field can be used to reflect + the outcome of that validation. + + For example if the agent''s connection is authenticated with mTLS and the client + cert contains the ID of the agent to which the cert was issued then the `agent.id` + value in events can be checked against the certificate. If the values match then + `event.agent_id_status: verified` is added to the event, otherwise one of the + other allowed values should be used. + + If no validation is performed then the field should be omitted. + + The allowed values are: + + `verified` - The `agent.id` field value matches expected value obtained from auth + metadata. + + `mismatch` - The `agent.id` field value does not match the expected value obtained + from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + flat_name: threat.enrichments.event.agent_id_status + ignore_above: 1024 + level: extended + name: agent_id_status + normalize: [] + original_fieldset: event + short: Validation status of the event's agent.id field. 
+ type: keyword +threat.enrichments.event.category: + allowed_values: + - description: Events in this category are related to the challenge and response + process in which credentials are supplied and verified to allow the creation + of a session. Common sources for these logs are Windows event logs and ssh logs. + Visualize and analyze events in this category to look for failed logins, and + other authentication-related activity. + expected_event_types: + - start + - end + - info + name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. + + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration + - description: The database category denotes events and metrics relating to a data + storage and retrieval system. Note that use of this category is not limited + to relational database systems. Examples include event logs from MS SQL, MySQL, + Elasticsearch, MongoDB, etc. Use this category to visualize and analyze database + activity such as accesses and changes. + expected_event_types: + - access + - change + - info + - error + name: database + - description: 'Events in the driver category have to do with operating system device + drivers and similar software entities such as Windows drivers, kernel extensions, + kernel modules, etc. + + Use events and metrics in this category to visualize and analyze driver-related + activity and status on hosts.' + expected_event_types: + - change + - end + - info + - start + name: driver + - description: Relating to a set of information that has been created on, or has + existed on a filesystem. Use this category of events to visualize and analyze + the creation, access, and deletions of files. 
Events in this category can come + from both host-based and network-based sources. An example source of a network-based + detection of a file transfer would be the Zeek file.log. + expected_event_types: + - change + - creation + - deletion + - info + name: file + - description: 'Use this category to visualize and analyze information such as host + inventory or host lifecycle events. + + Most of the events in this category can usually be observed from the outside, + such as from a hypervisor or a control plane''s point of view. Some can also + be seen from within, such as "start" or "end". + + Note that this category is for information about hosts themselves; it is not + meant to capture activity "happening on a host".' + expected_event_types: + - access + - change + - end + - info + - start + name: host + - description: Identity and access management (IAM) events relating to users, groups, + and administration. Use this category to visualize and analyze IAM-related logs + and data from active directory, LDAP, Okta, Duo, and other IAM systems. + expected_event_types: + - admin + - change + - creation + - deletion + - group + - info + - user + name: iam + - description: Relating to intrusion detections from IDS/IPS systems and functions, + both network and host-based. Use this category to visualize and analyze intrusion + detection alerts from systems such as Snort, Suricata, and Palo Alto threat + detections. + expected_event_types: + - allowed + - denied + - info + name: intrusion_detection + - description: Malware detection events and alerts. Use this category to visualize + and analyze malware detections from EDR/EPP systems such as Elastic Endpoint + Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS systems + such as Suricata, or other sources of malware-related events such as Palo Alto + Networks threat logs and Wildfire logs. 
+ expected_event_types: + - info + name: malware + - description: Relating to all network activity, including network connection lifecycle, + network traffic, and essentially any event that includes an IP address. Many + events containing decoded network protocol transactions fit into this category. + Use events in this category to visualize or analyze counts of network ports, + protocols, addresses, geolocation information, etc. + expected_event_types: + - access + - allowed + - connection + - denied + - end + - info + - protocol + - start + name: network + - description: Relating to software packages installed on hosts. Use this category + to visualize and analyze inventory of software installed on various hosts, or + to determine host vulnerability in the absence of vulnerability scan data. + expected_event_types: + - access + - change + - deletion + - info + - installation + - start + name: package + - description: Use this category of events to visualize and analyze process-specific + information such as lifecycle events or process ancestry. + expected_event_types: + - access + - change + - end + - info + - start + name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. + expected_event_types: + - access + - change + - creation + - deletion + name: registry + - description: The session category is applied to events and metrics regarding logical + persistent connections to hosts and services. Use this category to visualize + and analyze interactive or automated persistent connections between assets. + Data for this category may come from Windows Event logs, SSH logs, or stateless + sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session + - description: 'Relating to web server access. 
Use this category to create a dashboard + of web server/proxy activity from apache, IIS, nginx web servers, etc. Note: + events from network observers such as Zeek http log may also be included in + this category.' + expected_event_types: + - access + - error + - info + name: web + dashed_name: threat-enrichments-event-category + description: 'This is one of four ECS Categorization Fields, and indicates the second + level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process activity. + This field is closely related to `event.type`, which is used as a subcategory. + + This field is an array. This will allow proper categorization of some events that + fall in multiple categories.' + example: authentication + flat_name: threat.enrichments.event.category + ignore_above: 1024 + level: core + name: category + normalize: + - array + original_fieldset: event + short: Event category. The second categorization field in the hierarchy. + type: keyword +threat.enrichments.event.code: + dashed_name: threat-enrichments-event-code + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. An example of this is the + Windows Event ID.' + example: 4648 + flat_name: threat.enrichments.event.code + ignore_above: 1024 + level: extended + name: code + normalize: [] + original_fieldset: event + short: Identification code for this event. + type: keyword +threat.enrichments.event.created: + dashed_name: threat-enrichments-event-created + description: 'event.created contains the date/time when the event was first read + by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain the + time extracted from the original event. 
+ + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, and + the time when your agent first processed it. This can be used to monitor your + agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + flat_name: threat.enrichments.event.created + level: core + name: created + normalize: [] + original_fieldset: event + short: Time when the event was first read by an agent or by your pipeline. + type: date +threat.enrichments.event.dataset: + dashed_name: threat-enrichments-event-dataset + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes from. + + It''s recommended but not required to start the dataset name with the module name, + followed by a dot, then the dataset name.' + example: apache.access + flat_name: threat.enrichments.event.dataset + ignore_above: 1024 + level: core + name: dataset + normalize: [] + original_fieldset: event + short: Name of the dataset. + type: keyword +threat.enrichments.event.duration: + dashed_name: threat-enrichments-event-duration + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference between + the end and start time.' + flat_name: threat.enrichments.event.duration + format: duration + input_format: nanoseconds + level: core + name: duration + normalize: [] + original_fieldset: event + output_format: asMilliseconds + output_precision: 1 + short: Duration of the event in nanoseconds. + type: long +threat.enrichments.event.end: + dashed_name: threat-enrichments-event-end + description: event.end contains the date when the event ended or when the activity + was last observed. 
+ flat_name: threat.enrichments.event.end + level: extended + name: end + normalize: [] + original_fieldset: event + short: event.end contains the date when the event ended or when the activity was + last observed. + type: date +threat.enrichments.event.hash: + dashed_name: threat-enrichments-event-hash + description: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + example: 123456789012345678901234567890ABCD + flat_name: threat.enrichments.event.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: event + short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + type: keyword +threat.enrichments.event.id: + dashed_name: threat-enrichments-event-id + description: Unique ID to describe the event. + example: 8a4f500d + flat_name: threat.enrichments.event.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: event + short: Unique ID to describe the event. + type: keyword +threat.enrichments.event.ingested: + dashed_name: threat-enrichments-event-ingested + description: 'Timestamp when an event arrived in the central data store. + + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + flat_name: threat.enrichments.event.ingested + level: core + name: ingested + normalize: [] + original_fieldset: event + short: Timestamp when an event arrived in the central data store. + type: date +threat.enrichments.event.kind: + allowed_values: + - description: 'This value indicates an event that describes an alert or notable + event, triggered by a detection rule. 
+ + `event.kind:alert` is often populated for events coming from firewalls, intrusion + detection systems, endpoint detection and response systems, and so on.' + name: alert + - description: This value is the most general and most common value for this field. + It is used to represent events that indicate that something happened. + name: event + - description: 'This value is used to indicate that this event describes a numeric + measurement taken at given point in time. + + Examples include CPU utilization, memory usage, or device temperature. + + Metric events are often collected on a predictable frequency, such as once every + few seconds, or once a minute, but can also be used to describe ad-hoc numeric + metric queries.' + name: metric + - description: 'The state value is similar to metric, indicating that this event + describes a measurement taken at given point in time, except that the measurement + does not result in a numeric value, but rather one of a fixed set of categorical + values that represent conditions or states. + + Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), + the state of a TCP connection (open, closed, fin_wait, etc.), the state of a + host with respect to a software vulnerability (vulnerable, not vulnerable), + and the state of a system regarding compliance with a regulatory standard (compliant, + not compliant). + + Note that an event that describes a change of state would not use `event.kind:state`, + but instead would use ''event.kind:event'' since a state change fits the more + general event definition of something that happened. + + State events are often collected on a predictable frequency, such as once every + few seconds, once a minute, once an hour, or once a day, but can also be used + to describe ad-hoc state queries.' 
+ name: state + - description: This value indicates that an error occurred during the ingestion + of this event, and that event data may be missing, inconsistent, or incorrect. + `event.kind:pipeline_error` is often associated with parsing errors. + name: pipeline_error + - description: 'This value is used by the Elastic Security app to denote an Elasticsearch + document that was created by a SIEM detection engine rule. + + A signal will typically trigger a notification that something meaningful happened + and should be investigated. + + Usage of this value is reserved, and pipelines should not populate `event.kind` + with the value "signal".' + name: signal + dashed_name: threat-enrichments-event-kind + description: 'This is one of four ECS Categorization Fields, and indicates the highest + level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the event + contains, without being specific to the contents of the event. For example, values + of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. They may warrant different retention, different access control, it + may also help understand whether the data coming in at a regular interval or not.' + example: alert + flat_name: threat.enrichments.event.kind + ignore_above: 1024 + level: core + name: kind + normalize: [] + original_fieldset: event + short: The kind of the event. The highest categorization field in the hierarchy. + type: keyword +threat.enrichments.event.module: + dashed_name: threat-enrichments-event-module + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain the + name of this module.' 
+ example: apache + flat_name: threat.enrichments.event.module + ignore_above: 1024 + level: core + name: module + normalize: [] + original_fieldset: event + short: Name of the module this data is coming from. + type: keyword +threat.enrichments.event.original: + dashed_name: threat-enrichments-event-original + description: 'Raw text message of entire event. Used to demonstrate log integrity. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`. If users wish to override this and index + this field, consider using the wildcard data type.' + doc_values: false + example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + flat_name: threat.enrichments.event.original + ignore_above: 1024 + index: false + level: core + name: original + normalize: [] + original_fieldset: event + short: Raw text message of entire event. + type: keyword +threat.enrichments.event.outcome: + allowed_values: + - description: Indicates that this event describes a failed result. A common example + is `event.category:file AND event.type:access AND event.outcome:failure` to + indicate that a file access was attempted, but was not successful. + name: failure + - description: Indicates that this event describes a successful result. A common + example is `event.category:file AND event.type:create AND event.outcome:success` + to indicate that a file was successfully created. + name: success + - description: Indicates that this event describes only an attempt for which the + result is unknown from the perspective of the event producer. For example, if + the event contains information only about the request side of a transaction + that results in a response, populating `event.outcome:unknown` in the request + event is appropriate. The unknown value should not be used when an outcome doesn't + make logical sense for the event. 
In such cases `event.outcome` should not be + populated. + name: unknown + dashed_name: threat-enrichments-event-outcome + description: 'This is one of four ECS Categorization Fields, and indicates the lowest + level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a failure + from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each event + may populate different values of `event.outcome`, according to their perspective. + + Also note that in the case of a compound event (a single event that contains multiple + logical events), this field should be populated with the value that best captures + the overall success or failure from the perspective of the event producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' + example: success + flat_name: threat.enrichments.event.outcome + ignore_above: 1024 + level: core + name: outcome + normalize: [] + original_fieldset: event + short: The outcome of the event. The lowest level categorization field in the hierarchy. + type: keyword +threat.enrichments.event.provider: + dashed_name: threat-enrichments-event-provider + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention the + source of an event. It can be the name of the software that generated the event + (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + flat_name: threat.enrichments.event.provider + ignore_above: 1024 + level: extended + name: provider + normalize: [] + original_fieldset: event + short: Source of the event. 
+ type: keyword +threat.enrichments.event.reason: + dashed_name: threat-enrichments-event-reason + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` which + denied the request may also populate `event.reason` with the reason why (e.g. + `blocked site`).' + example: Terminated an unexpected process + flat_name: threat.enrichments.event.reason + ignore_above: 1024 + level: extended + name: reason + normalize: [] + original_fieldset: event + short: Reason why this event happened, according to the source + type: keyword +threat.enrichments.event.reference: + dashed_name: threat-enrichments-event-reference + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of this event. Alert events, indicated by + `event.kind:alert`, are a common use case for this field.' + example: https://system.example.com/event/#0001234 + flat_name: threat.enrichments.event.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: event + short: Event reference URL + type: keyword +threat.enrichments.event.risk_score: + dashed_name: threat-enrichments-event-risk-score + description: Risk score or priority of the event (e.g. security solutions). Use + your system's original value here. + flat_name: threat.enrichments.event.risk_score + level: core + name: risk_score + normalize: [] + original_fieldset: event + short: Risk score or priority of the event (e.g. security solutions). Use your system's + original value here. + type: float +threat.enrichments.event.risk_score_norm: + dashed_name: threat-enrichments-event-risk-score-norm + description: 'Normalized risk score or priority of the event, on a scale of 0 to + 100. 
+ + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + flat_name: threat.enrichments.event.risk_score_norm + level: extended + name: risk_score_norm + normalize: [] + original_fieldset: event + short: Normalized risk score or priority of the event (0-100). + type: float +threat.enrichments.event.sequence: + dashed_name: threat-enrichments-event-sequence + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the exact + ordering of events unambiguous, regardless of the timestamp precision.' + flat_name: threat.enrichments.event.sequence + format: string + level: extended + name: sequence + normalize: [] + original_fieldset: event + short: Sequence number of the event. + type: long +threat.enrichments.event.severity: + dashed_name: threat-enrichments-event-severity + description: 'The numeric severity of the event according to your event source. + + What the different severity values mean can be different between sources and use + cases. It''s up to the implementer to make sure severities are consistent across + events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is + meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + flat_name: threat.enrichments.event.severity + format: string + level: core + name: severity + normalize: [] + original_fieldset: event + short: Numeric severity of the event. + type: long +threat.enrichments.event.start: + dashed_name: threat-enrichments-event-start + description: event.start contains the date when the event started or when the activity + was first observed. 
+ flat_name: threat.enrichments.event.start + level: extended + name: start + normalize: [] + original_fieldset: event + short: event.start contains the date when the event started or when the activity + was first observed. + type: date +threat.enrichments.event.timezone: + dashed_name: threat-enrichments-event-timezone + description: 'This field should be populated when the event''s timestamp does not + include timezone information already (e.g. default Syslog timestamps). It''s optional + otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated + (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + flat_name: threat.enrichments.event.timezone + ignore_above: 1024 + level: extended + name: timezone + normalize: [] + original_fieldset: event + short: Event time zone. + type: keyword +threat.enrichments.event.type: + allowed_values: + - description: The access event type is used for the subset of events within a category + that indicate that something was accessed. Common examples include `event.category:database + AND event.type:access`, or `event.category:file AND event.type:access`. Note + for file access, both directory listings and file opens should be included in + this subcategory. You can further distinguish access operations using the ECS + `event.action` field. + name: access + - description: 'The admin event type is used for the subset of events within a category + that are related to admin objects. For example, administrative changes within + an IAM framework that do not specifically affect a user or group (e.g., adding + new applications to a federation solution or connecting discrete forests in + Active Directory) would fall into this subcategory. Common example: `event.category:iam + AND event.type:change AND event.type:admin`. You can further distinguish admin + operations using the ECS `event.action` field.' 
+ name: admin + - description: The allowed event type is used for the subset of events within a + category that indicate that something was allowed. Common examples include `event.category:network + AND event.type:connection AND event.type:allowed` (to indicate a network firewall + event for which the firewall disposition was to allow the connection to complete) + and `event.category:intrusion_detection AND event.type:allowed` (to indicate + a network intrusion prevention system event for which the IPS disposition was + to allow the connection to complete). You can further distinguish allowed operations + using the ECS `event.action` field, populating with values of your choosing, + such as "allow", "detect", or "pass". + name: allowed + - description: The change event type is used for the subset of events within a category + that indicate that something has changed. If semantics best describe an event + as modified, then include them in this subcategory. Common examples include + `event.category:process AND event.type:change`, and `event.category:file AND + event.type:change`. You can further distinguish change operations using the + ECS `event.action` field. + name: change + - description: Used primarily with `event.category:network` this value is used for + the subset of network traffic that includes sufficient information for the event + to be included in flow or connection analysis. Events in this subcategory will + contain at least source and destination IP addresses, source and destination + TCP/UDP ports, and will usually contain counts of bytes and/or packets transferred. + Events in this subcategory may contain unidirectional or bidirectional information, + including summary information. Use this subcategory to visualize and analyze + network connections. Flow analysis, including Netflow, IPFIX, and other flow-related + events fit in this subcategory. 
Note that firewall events from many Next-Generation + Firewall (NGFW) devices will also fit into this subcategory. A common filter + for flow/connection information would be `event.category:network AND event.type:connection + AND event.type:end` (to view or analyze all completed network connections, ignoring + mid-flow reports). You can further distinguish connection events using the ECS + `event.action` field, populating with values of your choosing, such as "timeout", + or "reset". + name: connection + - description: The "creation" event type is used for the subset of events within + a category that indicate that something was created. A common example is `event.category:file + AND event.type:creation`. + name: creation + - description: The deletion event type is used for the subset of events within a + category that indicate that something was deleted. A common example is `event.category:file + AND event.type:deletion` to indicate that a file has been deleted. + name: deletion + - description: The denied event type is used for the subset of events within a category + that indicate that something was denied. Common examples include `event.category:network + AND event.type:denied` (to indicate a network firewall event for which the firewall + disposition was to deny the connection) and `event.category:intrusion_detection + AND event.type:denied` (to indicate a network intrusion prevention system event + for which the IPS disposition was to deny the connection to complete). You can + further distinguish denied operations using the ECS `event.action` field, populating + with values of your choosing, such as "blocked", "dropped", or "quarantined". + name: denied + - description: The end event type is used for the subset of events within a category + that indicate something has ended. A common example is `event.category:process + AND event.type:end`. 
+ name: end + - description: The error event type is used for the subset of events within a category + that indicate or describe an error. A common example is `event.category:database + AND event.type:error`. Note that pipeline errors that occur during the event + ingestion process should not use this `event.type` value. Instead, they should + use `event.kind:pipeline_error`. + name: error + - description: 'The group event type is used for the subset of events within a category + that are related to group objects. Common example: `event.category:iam AND event.type:creation + AND event.type:group`. You can further distinguish group operations using the + ECS `event.action` field.' + name: group + - description: The info event type is used for the subset of events within a category + that indicate that they are purely informational, and don't report a state change, + or any type of action. For example, an initial run of a file integrity monitoring + system (FIM), where an agent reports all files under management, would fall + into the "info" subcategory. Similarly, an event containing a dump of all currently + running processes (as opposed to reporting that a process started/ended) would + fall into the "info" subcategory. An additional common examples is `event.category:intrusion_detection + AND event.type:info`. + name: info + - description: The installation event type is used for the subset of events within + a category that indicate that something was installed. A common example is `event.category:package` + AND `event.type:installation`. + name: installation + - description: The protocol event type is used for the subset of events within a + category that indicate that they contain protocol details or analysis, beyond + simply identifying the protocol. Generally, network events that contain specific + protocol details will fall into this subcategory. 
A common example is `event.category:network + AND event.type:protocol AND event.type:connection AND event.type:end` (to indicate + that the event is a network connection event sent at the end of a connection + that also includes a protocol detail breakdown). Note that events that only + indicate the name or id of the protocol should not use the protocol value. Further + note that when the protocol subcategory is used, the identified protocol is + populated in the ECS `network.protocol` field. + name: protocol + - description: The start event type is used for the subset of events within a category + that indicate something has started. A common example is `event.category:process + AND event.type:start`. + name: start + - description: 'The user event type is used for the subset of events within a category + that are related to user objects. Common example: `event.category:iam AND event.type:deletion + AND event.type:user`. You can further distinguish user operations using the + ECS `event.action` field.' + name: user + dashed_name: threat-enrichments-event-type + description: 'This is one of four ECS Categorization Fields, and indicates the third + level in the ECS category hierarchy. + + `event.type` represents a categorization "sub-bucket" that, when used along with + the `event.category` field values, enables filtering events down to a level appropriate + for single visualization. + + This field is an array. This will allow proper categorization of some events that + fall in multiple event types.' + flat_name: threat.enrichments.event.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: event + short: Event type. The third categorization field in the hierarchy. + type: keyword +threat.enrichments.event.url: + dashed_name: threat-enrichments-event-url + description: 'URL linking to an external system to continue investigation of this + event. 
+ + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + flat_name: threat.enrichments.event.url + ignore_above: 1024 + level: extended + name: url + normalize: [] + original_fieldset: event + short: Event investigation URL + type: keyword +threat.enrichments.file.accessed: + dashed_name: threat-enrichments-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date +threat.enrichments.file.attributes: + dashed_name: threat-enrichments-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, execute, + hidden, read, readonly, system, write.' + example: '["readonly", "system"]' + flat_name: threat.enrichments.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword +threat.enrichments.file.code_signature.exists: + dashed_name: threat-enrichments-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. 
+ type: boolean +threat.enrichments.file.code_signature.signing_id: + dashed_name: threat-enrichments-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. The + field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword +threat.enrichments.file.code_signature.status: + dashed_name: threat-enrichments-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. + type: keyword +threat.enrichments.file.code_signature.subject_name: + dashed_name: threat-enrichments-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.enrichments.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword +threat.enrichments.file.code_signature.team_id: + dashed_name: threat-enrichments-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field is + relevant to Apple *OS only.' 
+ example: EQHXZ8M8AV + flat_name: threat.enrichments.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword +threat.enrichments.file.code_signature.trusted: + dashed_name: threat-enrichments-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this field + should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean +threat.enrichments.file.code_signature.valid: + dashed_name: threat-enrichments-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against the + binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + flat_name: threat.enrichments.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean +threat.enrichments.file.created: + dashed_name: threat-enrichments-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date +threat.enrichments.file.ctime: + dashed_name: threat-enrichments-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. 
This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date +threat.enrichments.file.device: + dashed_name: threat-enrichments-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword +threat.enrichments.file.directory: + dashed_name: threat-enrichments-file-directory + description: Directory where the file is located. It should include the drive letter, + when appropriate. + example: /home/alice + flat_name: threat.enrichments.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. + type: wildcard +threat.enrichments.file.drive_letter: + dashed_name: threat-enrichments-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword +threat.enrichments.file.elf.architecture: + dashed_name: threat-enrichments-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. 
+ type: keyword +threat.enrichments.file.elf.byte_order: + dashed_name: threat-enrichments-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword +threat.enrichments.file.elf.cpu_type: + dashed_name: threat-enrichments-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword +threat.enrichments.file.elf.creation_date: + dashed_name: threat-enrichments-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + flat_name: threat.enrichments.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date +threat.enrichments.file.elf.exports: + dashed_name: threat-enrichments-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened +threat.enrichments.file.elf.header.abi_version: + dashed_name: threat-enrichments-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). 
+ type: keyword +threat.enrichments.file.elf.header.class: + dashed_name: threat-enrichments-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword +threat.enrichments.file.elf.header.data: + dashed_name: threat-enrichments-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword +threat.enrichments.file.elf.header.entrypoint: + dashed_name: threat-enrichments-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. + flat_name: threat.enrichments.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long +threat.enrichments.file.elf.header.object_version: + dashed_name: threat-enrichments-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.enrichments.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword +threat.enrichments.file.elf.header.os_abi: + dashed_name: threat-enrichments-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. 
+ type: keyword +threat.enrichments.file.elf.header.type: + dashed_name: threat-enrichments-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword +threat.enrichments.file.elf.header.version: + dashed_name: threat-enrichments-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.file.elf.header.version ignore_above: 1024 level: extended - name: framework + name: header.version normalize: [] - short: Threat classification framework. + original_fieldset: elf + short: Version of the ELF header. type: keyword -threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias +threat.enrichments.file.elf.imports: + dashed_name: threat-enrichments-file-elf-imports + description: List of imported element names and types. + flat_name: threat.enrichments.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened +threat.enrichments.file.elf.sections: + dashed_name: threat-enrichments-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.sections.*`.' + flat_name: threat.enrichments.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. 
+ type: nested +threat.enrichments.file.elf.sections.chi2: + dashed_name: threat-enrichments-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long +threat.enrichments.file.elf.sections.entropy: + dashed_name: threat-enrichments-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long +threat.enrichments.file.elf.sections.flags: + dashed_name: threat-enrichments-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.file.elf.sections.flags ignore_above: 1024 level: extended - name: group.alias + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword +threat.enrichments.file.elf.sections.name: + dashed_name: threat-enrichments-file-elf-sections-name + description: ELF Section List name. + flat_name: threat.enrichments.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword +threat.enrichments.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. 
+ type: keyword +threat.enrichments.file.elf.sections.physical_size: + dashed_name: threat-enrichments-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long +threat.enrichments.file.elf.sections.type: + dashed_name: threat-enrichments-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword +threat.enrichments.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long +threat.enrichments.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-file-elf-sections-virtual-size + description: ELF Section List virtual size. + flat_name: threat.enrichments.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long +threat.enrichments.file.elf.segments: + dashed_name: threat-enrichments-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields underneath + `elf.segments.*`.' + flat_name: threat.enrichments.file.elf.segments + level: extended + name: segments normalize: - array - short: Alias of the group. 
+ original_fieldset: elf + short: ELF object segment list. + type: nested +threat.enrichments.file.elf.segments.sections: + dashed_name: threat-enrichments-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. type: keyword -threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that are\ - \ tracked by a common name in the security community. While not required, you\ - \ can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id +threat.enrichments.file.elf.segments.type: + dashed_name: threat-enrichments-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.file.elf.segments.type ignore_above: 1024 level: extended - name: group.id + name: segments.type normalize: [] - short: ID of the group. + original_fieldset: elf + short: ELF object segment type. type: keyword -threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." - example: FIN6 - flat_name: threat.group.name +threat.enrichments.file.elf.shared_libraries: + dashed_name: threat-enrichments-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.file.elf.shared_libraries ignore_above: 1024 level: extended - name: group.name + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. 
+ type: keyword +threat.enrichments.file.elf.telfhash: + dashed_name: threat-enrichments-file-elf-telfhash + description: telfhash symbol hash for ELF file. + flat_name: threat.enrichments.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash normalize: [] - short: Name of the group. + original_fieldset: elf + short: telfhash hash for ELF file. type: keyword -threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference +threat.enrichments.file.extension: + dashed_name: threat-enrichments-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.file.extension ignore_above: 1024 level: extended - name: group.reference + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword +threat.enrichments.file.gid: + dashed_name: threat-enrichments-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword +threat.enrichments.file.group: + dashed_name: threat-enrichments-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. 
+ type: keyword +threat.enrichments.file.inode: + dashed_name: threat-enrichments-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. + type: keyword +threat.enrichments.file.mime_type: + dashed_name: threat-enrichments-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official + types], where possible. When more than one type is applicable, the most specific + type should be used. + flat_name: threat.enrichments.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword +threat.enrichments.file.mode: + dashed_name: threat-enrichments-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.file.mode + ignore_above: 1024 + level: extended + name: mode + normalize: [] + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword +threat.enrichments.file.mtime: + dashed_name: threat-enrichments-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.file.mtime + level: extended + name: mtime + normalize: [] + original_fieldset: file + short: Last time the file content was modified. + type: date +threat.enrichments.file.name: + dashed_name: threat-enrichments-file-name + description: Name of the file including the extension, without the directory. 
+ example: example.png + flat_name: threat.enrichments.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword +threat.enrichments.file.owner: + dashed_name: threat-enrichments-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword +threat.enrichments.file.path: + dashed_name: threat-enrichments-file-path + description: Full path to the file, including the file name. It should include the + drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.file.path + level: extended + multi_fields: + - flat_name: threat.enrichments.file.path.text + name: text + norms: false + type: text + name: path normalize: [] - short: Reference URL of the group. - type: keyword -threat.indicator.as.number: - dashed_name: threat-indicator-as-number - description: Unique number allocated to the autonomous system. The autonomous system - number (ASN) uniquely identifies each network on the Internet. - example: 15169 - flat_name: threat.indicator.as.number + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard +threat.enrichments.file.size: + dashed_name: threat-enrichments-file-size + description: 'File size in bytes. + + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.file.size level: extended - name: number + name: size normalize: [] - original_fieldset: as - short: Unique number allocated to the autonomous system. + original_fieldset: file + short: File size in bytes. type: long -threat.indicator.as.organization.name: - dashed_name: threat-indicator-as-organization-name - description: Organization name. 
- example: Google LLC - flat_name: threat.indicator.as.organization.name +threat.enrichments.file.target_path: + dashed_name: threat-enrichments-file-target-path + description: Target path for symlinks. + flat_name: threat.enrichments.file.target_path level: extended multi_fields: - - flat_name: threat.indicator.as.organization.name.text + - flat_name: threat.enrichments.file.target_path.text name: text norms: false type: text - name: organization.name + name: target_path normalize: [] - original_fieldset: as - short: Organization name. + original_fieldset: file + short: Target path for symlinks. type: wildcard -threat.indicator.confidence: - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nExpected values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence +threat.enrichments.file.type: + dashed_name: threat-enrichments-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.file.type ignore_above: 1024 level: extended - name: indicator.confidence + name: type normalize: [] - short: Indicator confidence rating + original_fieldset: file + short: File type (file, dir, or symlink). type: keyword -threat.indicator.dataset: - dashed_name: threat-indicator-dataset - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware - flat_name: threat.indicator.dataset +threat.enrichments.file.uid: + dashed_name: threat-enrichments-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. 
+ example: '1001' + flat_name: threat.enrichments.file.uid ignore_above: 1024 level: extended - name: indicator.dataset + name: uid normalize: [] - short: Indicator dataset + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. type: keyword -threat.indicator.description: - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description - level: extended - name: indicator.description +threat.enrichments.geo.city_name: + dashed_name: threat-enrichments-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.geo.city_name + ignore_above: 1024 + level: core + name: city_name normalize: [] - short: Indicator description - type: wildcard -threat.indicator.domain: - dashed_name: threat-indicator-domain - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com - flat_name: threat.indicator.domain + original_fieldset: geo + short: City name. + type: keyword +threat.enrichments.geo.continent_code: + dashed_name: threat-enrichments-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.geo.continent_code ignore_above: 1024 - level: extended - name: indicator.domain + level: core + name: continent_code normalize: [] - short: Indicator domain name + original_fieldset: geo + short: Continent code. type: keyword -threat.indicator.email.address: - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective of - direction). - example: phish@example.com - flat_name: threat.indicator.email.address +threat.enrichments.geo.continent_name: + dashed_name: threat-enrichments-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: threat.enrichments.geo.continent_name ignore_above: 1024 - level: extended - name: indicator.email.address + level: core + name: continent_name normalize: [] - short: Indicator email address + original_fieldset: geo + short: Name of the continent. type: keyword -threat.indicator.file.accessed: - dashed_name: threat-indicator-file-accessed - description: 'Last time the file was accessed. - - Note that not all filesystems keep track of access time.' - flat_name: threat.indicator.file.accessed - level: extended - name: accessed +threat.enrichments.geo.country_iso_code: + dashed_name: threat-enrichments-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code normalize: [] - original_fieldset: file - short: Last time the file was accessed. - type: date -threat.indicator.file.attributes: - dashed_name: threat-indicator-file-attributes - description: 'Array of file attributes. - - Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, execute, - hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.indicator.file.attributes + original_fieldset: geo + short: Country ISO code. + type: keyword +threat.enrichments.geo.country_name: + dashed_name: threat-enrichments-geo-country-name + description: Country name. + example: Canada + flat_name: threat.enrichments.geo.country_name ignore_above: 1024 - level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. 
type: keyword -threat.indicator.file.code_signature.exists: - dashed_name: threat-indicator-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.indicator.file.code_signature.exists +threat.enrichments.geo.location: + dashed_name: threat-enrichments-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.geo.location level: core - name: exists + name: location normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean -threat.indicator.file.code_signature.signing_id: - dashed_name: threat-indicator-file-code-signature-signing-id - description: 'The identifier used to sign the process. + original_fieldset: geo + short: Longitude and latitude. + type: geo_point +threat.enrichments.geo.name: + dashed_name: threat-enrichments-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. - This is used to identify the application manufactured by a software vendor. The - field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.indicator.file.code_signature.signing_id - ignore_above: 1024 + Could be the name of their data centers, the floor number, if this describes a + local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.geo.name level: extended - name: signing_id + name: name normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword -threat.indicator.file.code_signature.status: - dashed_name: threat-indicator-file-code-signature-status - description: 'Additional information about the certificate status. + original_fieldset: geo + short: User-defined description of a location. 
+ type: wildcard +threat.enrichments.geo.postal_code: + dashed_name: threat-enrichments-geo-postal-code + description: 'Postal code associated with the location. - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' - example: ERROR_UNTRUSTED_ROOT - flat_name: threat.indicator.file.code_signature.status + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.geo.postal_code ignore_above: 1024 - level: extended - name: status + level: core + name: postal_code normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. + original_fieldset: geo + short: Postal code. type: keyword -threat.indicator.file.code_signature.subject_name: - dashed_name: threat-indicator-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.indicator.file.code_signature.subject_name +threat.enrichments.geo.region_iso_code: + dashed_name: threat-enrichments-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.geo.region_iso_code ignore_above: 1024 level: core - name: subject_name + name: region_iso_code normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer + original_fieldset: geo + short: Region ISO code. type: keyword -threat.indicator.file.code_signature.team_id: - dashed_name: threat-indicator-file-code-signature-team-id - description: 'The team identifier used to sign the process. - - This is used to identify the team or vendor of a software product. The field is - relevant to Apple *OS only.' 
- example: EQHXZ8M8AV - flat_name: threat.indicator.file.code_signature.team_id +threat.enrichments.geo.region_name: + dashed_name: threat-enrichments-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.geo.region_name ignore_above: 1024 - level: extended - name: team_id + level: core + name: region_name normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: geo + short: Region name. type: keyword -threat.indicator.file.code_signature.trusted: - dashed_name: threat-indicator-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. - - Validating the trust of the certificate chain may be complicated, and this field - should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.indicator.file.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean -threat.indicator.file.code_signature.valid: - dashed_name: threat-indicator-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against the - binary content. - - Leave unpopulated if a certificate was unchecked.' - example: 'true' - flat_name: threat.indicator.file.code_signature.valid - level: extended - name: valid - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean -threat.indicator.file.created: - dashed_name: threat-indicator-file-created - description: 'File creation time. - - Note that not all filesystems store the creation time.' - flat_name: threat.indicator.file.created - level: extended - name: created - normalize: [] - original_fieldset: file - short: File creation time. 
- type: date -threat.indicator.file.ctime: - dashed_name: threat-indicator-file-ctime - description: 'Last time the file attributes or metadata changed. - - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.indicator.file.ctime - level: extended - name: ctime - normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date -threat.indicator.file.device: - dashed_name: threat-indicator-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.indicator.file.device +threat.enrichments.geo.timezone: + dashed_name: threat-enrichments-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.geo.timezone ignore_above: 1024 - level: extended - name: device + level: core + name: timezone normalize: [] - original_fieldset: file - short: Device that is the source of the file. + original_fieldset: geo + short: Time zone. type: keyword -threat.indicator.file.directory: - dashed_name: threat-indicator-file-directory - description: Directory where the file is located. It should include the drive letter, - when appropriate. - example: /home/alice - flat_name: threat.indicator.file.directory - level: extended - name: directory - normalize: [] - original_fieldset: file - short: Directory where the file is located. - type: wildcard -threat.indicator.file.drive_letter: - dashed_name: threat-indicator-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C - flat_name: threat.indicator.file.drive_letter - ignore_above: 1 +threat.enrichments.hash.md5: + dashed_name: threat-enrichments-hash-md5 + description: MD5 hash. 
+ flat_name: threat.enrichments.hash.md5 + ignore_above: 1024 level: extended - name: drive_letter + name: md5 normalize: [] - original_fieldset: file - short: Drive letter where the file is located. + original_fieldset: hash + short: MD5 hash. type: keyword -threat.indicator.file.elf.architecture: - dashed_name: threat-indicator-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.indicator.file.elf.architecture +threat.enrichments.hash.sha1: + dashed_name: threat-enrichments-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.hash.sha1 ignore_above: 1024 level: extended - name: architecture + name: sha1 normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: hash + short: SHA1 hash. type: keyword -threat.indicator.file.elf.byte_order: - dashed_name: threat-indicator-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.indicator.file.elf.byte_order +threat.enrichments.hash.sha256: + dashed_name: threat-enrichments-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.hash.sha256 ignore_above: 1024 level: extended - name: byte_order + name: sha256 normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: hash + short: SHA256 hash. type: keyword -threat.indicator.file.elf.cpu_type: - dashed_name: threat-indicator-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.indicator.file.elf.cpu_type +threat.enrichments.hash.sha512: + dashed_name: threat-enrichments-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.hash.sha512 ignore_above: 1024 level: extended - name: cpu_type + name: sha512 normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: hash + short: SHA512 hash. 
type: keyword -threat.indicator.file.elf.creation_date: - dashed_name: threat-indicator-file-elf-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - flat_name: threat.indicator.file.elf.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: elf - short: Build or compile date. - type: date -threat.indicator.file.elf.exports: - dashed_name: threat-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.indicator.file.elf.exports - level: extended - name: exports - normalize: - - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened -threat.indicator.file.elf.header.abi_version: - dashed_name: threat-indicator-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). - flat_name: threat.indicator.file.elf.header.abi_version +threat.enrichments.hash.ssdeep: + dashed_name: threat-enrichments-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.hash.ssdeep ignore_above: 1024 level: extended - name: header.abi_version + name: ssdeep normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: hash + short: SSDEEP hash. type: keyword -threat.indicator.file.elf.header.class: - dashed_name: threat-indicator-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.indicator.file.elf.header.class +threat.enrichments.matched.atomic: + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. 
+ example: bad-domain.com + flat_name: threat.enrichments.matched.atomic ignore_above: 1024 level: extended - name: header.class + name: enrichments.matched.atomic normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + short: Matched indicator value type: keyword -threat.indicator.file.elf.header.data: - dashed_name: threat-indicator-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.indicator.file.elf.header.data +threat.enrichments.matched.field: + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field ignore_above: 1024 level: extended - name: header.data + name: enrichments.matched.field normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + short: Matched indicator field type: keyword -threat.indicator.file.elf.header.entrypoint: - dashed_name: threat-indicator-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.indicator.file.elf.header.entrypoint - format: string +threat.enrichments.matched.id: + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 level: extended - name: header.entrypoint + name: enrichments.matched.id normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long -threat.indicator.file.elf.header.object_version: - dashed_name: threat-indicator-file-elf-header-object-version - description: '"0x1" for original ELF files.' 
- flat_name: threat.indicator.file.elf.header.object_version + short: Matched indicator identifier + type: keyword +threat.enrichments.matched.index: + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index ignore_above: 1024 level: extended - name: header.object_version + name: enrichments.matched.index normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' + short: Matched indicator index type: keyword -threat.indicator.file.elf.header.os_abi: - dashed_name: threat-indicator-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.indicator.file.elf.header.os_abi +threat.enrichments.matched.type: + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched with + the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type ignore_above: 1024 level: extended - name: header.os_abi + name: enrichments.matched.type normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + short: Type of indicator match type: keyword -threat.indicator.file.elf.header.type: - dashed_name: threat-indicator-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.indicator.file.elf.header.type +threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. + example: x64 + flat_name: threat.enrichments.pe.architecture ignore_above: 1024 level: extended - name: header.type + name: architecture normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: pe + short: CPU architecture target for the file. 
type: keyword -threat.indicator.file.elf.header.version: - dashed_name: threat-indicator-file-elf-header-version - description: Version of the ELF header. - flat_name: threat.indicator.file.elf.header.version +threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash ignore_above: 1024 level: extended - name: header.version + name: authentihash normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: pe + short: Authentihash of the PE file. type: keyword -threat.indicator.file.elf.imports: - dashed_name: threat-indicator-file-elf-imports - description: List of imported element names and types. - flat_name: threat.indicator.file.elf.imports - level: extended - name: imports - normalize: - - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened -threat.indicator.file.elf.sections: - dashed_name: threat-indicator-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.sections.*`.' - flat_name: threat.indicator.file.elf.sections - level: extended - name: sections - normalize: - - array - original_fieldset: elf - short: Section information of the ELF file. - type: nested -threat.indicator.file.elf.sections.chi2: - dashed_name: threat-indicator-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.indicator.file.elf.sections.chi2 - format: number +threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. 
+ example: Microsoft Corporation + flat_name: threat.enrichments.pe.company + ignore_above: 1024 level: extended - name: sections.chi2 + name: company normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. - type: long -threat.indicator.file.elf.sections.entropy: - dashed_name: threat-indicator-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.indicator.file.elf.sections.entropy - format: number + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. + type: keyword +threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp level: extended - name: sections.entropy + name: compile_timestamp normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long -threat.indicator.file.elf.sections.flags: - dashed_name: threat-indicator-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.indicator.file.elf.sections.flags + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date +threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name ignore_above: 1024 level: extended - name: sections.flags + name: compiler.name normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: pe + short: Name of the compiler type: keyword -threat.indicator.file.elf.sections.name: - dashed_name: threat-indicator-file-elf-sections-name - description: ELF Section List name. 
- flat_name: threat.indicator.file.elf.sections.name +threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version ignore_above: 1024 level: extended - name: sections.name + name: compiler.version normalize: [] - original_fieldset: elf - short: ELF Section List name. + original_fieldset: pe + short: Version of the compiler. type: keyword -threat.indicator.file.elf.sections.physical_offset: - dashed_name: threat-indicator-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.indicator.file.elf.sections.physical_offset - ignore_above: 1024 +threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date + description: Extracted when possible from the file's metadata. Indicates when it + was built or compiled. It can also be faked by malware creators. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date level: extended - name: sections.physical_offset + name: creation_date normalize: [] - original_fieldset: elf - short: ELF Section List offset. - type: keyword -threat.indicator.file.elf.sections.physical_size: - dashed_name: threat-indicator-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.indicator.file.elf.sections.physical_size - format: bytes + original_fieldset: pe + short: Build or compile date. + type: date +threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug level: extended - name: sections.physical_size - normalize: [] - original_fieldset: elf - short: ELF Section List physical size. 
- type: long -threat.indicator.file.elf.sections.type: - dashed_name: threat-indicator-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.indicator.file.elf.sections.type + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested +threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset ignore_above: 1024 level: extended - name: sections.type + name: debug.offset normalize: [] - original_fieldset: elf - short: ELF Section List type. + original_fieldset: pe + short: Debug offset information. type: keyword -threat.indicator.file.elf.sections.virtual_address: - dashed_name: threat-indicator-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.indicator.file.elf.sections.virtual_address - format: string +threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes level: extended - name: sections.virtual_address + name: debug.size normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. + original_fieldset: pe + short: Size of the debug information. type: long -threat.indicator.file.elf.sections.virtual_size: - dashed_name: threat-indicator-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.indicator.file.elf.sections.virtual_size - format: string +threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp level: extended - name: sections.virtual_size + name: debug.timestamp normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. - type: long -threat.indicator.file.elf.segments: - dashed_name: threat-indicator-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. - - The keys that should be present in these objects are defined by sub-fields underneath - `elf.segments.*`.' - flat_name: threat.indicator.file.elf.segments + original_fieldset: pe + short: Timestamp of the debug information. + type: date +threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type + ignore_above: 1024 level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested -threat.indicator.file.elf.segments.sections: - dashed_name: threat-indicator-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.indicator.file.elf.segments.sections + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword +threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description ignore_above: 1024 level: extended - name: segments.sections + name: description normalize: [] - original_fieldset: elf - short: ELF object segment sections. + original_fieldset: pe + short: Internal description of the file, provided at compile-time. 
type: keyword -threat.indicator.file.elf.segments.type: - dashed_name: threat-indicator-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.indicator.file.elf.segments.type +threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point ignore_above: 1024 level: extended - name: segments.type + name: entry_point normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: pe + short: Relative byte offset to the base of the PE file. type: keyword -threat.indicator.file.elf.shared_libraries: - dashed_name: threat-indicator-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. - flat_name: threat.indicator.file.elf.shared_libraries +threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports ignore_above: 1024 level: extended - name: shared_libraries + name: exports normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. + original_fieldset: pe + short: List of symbols exported by PE type: keyword -threat.indicator.file.elf.telfhash: - dashed_name: threat-indicator-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.indicator.file.elf.telfhash +threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version ignore_above: 1024 level: extended - name: telfhash + name: file_version normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. + original_fieldset: pe + short: Process name. 
type: keyword -threat.indicator.file.extension: - dashed_name: threat-indicator-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only the - last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.indicator.file.extension +threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: extension + name: icon.hash.dhash normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. type: keyword -threat.indicator.file.gid: - dashed_name: threat-indicator-file-gid - description: Primary group ID (GID) of the file. - example: '1001' - flat_name: threat.indicator.file.gid +threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash -- + can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash ignore_above: 1024 level: extended - name: gid + name: imphash normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword -threat.indicator.file.group: - dashed_name: threat-indicator-file-group - description: Primary group name of the file. 
- example: alice - flat_name: threat.indicator.file.group +threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports + level: extended + name: imports + normalize: [] + original_fieldset: pe + short: List of all imported functions + type: flattened +threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type ignore_above: 1024 level: extended - name: group + name: machine_type normalize: [] - original_fieldset: file - short: Primary group name of the file. + original_fieldset: pe + short: Machine type of the PE file. type: keyword -threat.indicator.file.inode: - dashed_name: threat-indicator-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.indicator.file.inode - ignore_above: 1024 +threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name level: extended - name: inode + name: original_file_name normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard +threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. 
type: keyword -threat.indicator.file.mime_type: - dashed_name: threat-indicator-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official - types], where possible. When more than one type is applicable, the most specific - type should be used. - flat_name: threat.indicator.file.mime_type +threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product ignore_above: 1024 level: extended - name: mime_type + name: product normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. type: keyword -threat.indicator.file.mode: - dashed_name: threat-indicator-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.indicator.file.mode +threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested +threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. 
+ type: long +threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy + level: extended + name: resources.entropy + normalize: [] + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long +threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 level: extended - name: mode + name: resources.filetype normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: pe + short: File type of the resources section. type: keyword -threat.indicator.file.mtime: - dashed_name: threat-indicator-file-mtime - description: Last time the file content was modified. - flat_name: threat.indicator.file.mtime +threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language + ignore_above: 1024 level: extended - name: mtime + name: resources.language normalize: [] - original_fieldset: file - short: Last time the file content was modified. - type: date -threat.indicator.file.name: - dashed_name: threat-indicator-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.indicator.file.name + original_fieldset: pe + short: Language identification. + type: keyword +threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. 
+ example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 ignore_above: 1024 level: extended - name: name + name: resources.sha256 normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword -threat.indicator.file.owner: - dashed_name: threat-indicator-file-owner - description: File owner's username. - example: alice - flat_name: threat.indicator.file.owner +threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type ignore_above: 1024 level: extended - name: owner - normalize: [] - original_fieldset: file - short: File owner's username. + name: resources.type + normalize: + - array + original_fieldset: pe + short: List of resource types. type: keyword -threat.indicator.file.path: - dashed_name: threat-indicator-file-path - description: Full path to the file, including the file name. It should include the - drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.indicator.file.path +threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 + ignore_above: 1024 level: extended - multi_fields: - - flat_name: threat.indicator.file.path.text - name: text - norms: false - type: text - name: path + name: rich_header.hash.md5 normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. - type: wildcard -threat.indicator.file.size: - dashed_name: threat-indicator-file-size - description: 'File size in bytes. 
- - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.indicator.file.size + original_fieldset: pe + short: MD5 hash of the header for the PE file. + type: keyword +threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections level: extended - name: size + name: sections + normalize: + - array + original_fieldset: pe + short: Data about sections of the compiled binary PE + type: nested +threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 + level: extended + name: sections.chi2 normalize: [] - original_fieldset: file - short: File size in bytes. + original_fieldset: pe + short: Chi-square probability distribution. type: long -threat.indicator.file.target_path: - dashed_name: threat-indicator-file-target-path - description: Target path for symlinks. - flat_name: threat.indicator.file.target_path +threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy level: extended - multi_fields: - - flat_name: threat.indicator.file.target_path.text - name: text - norms: false - type: text - name: target_path + name: sections.entropy normalize: [] - original_fieldset: file - short: Target path for symlinks. - type: wildcard -threat.indicator.file.type: - dashed_name: threat-indicator-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.indicator.file.type + original_fieldset: pe + short: Measurement of entropy randomness in the file. 
+ type: float +threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.pe.sections.flags ignore_above: 1024 level: extended - name: type + name: sections.flags normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + original_fieldset: pe + short: Section flags of the file. type: keyword -threat.indicator.file.uid: - dashed_name: threat-indicator-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.indicator.file.uid +threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name ignore_above: 1024 level: extended - name: uid + name: sections.name normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. + original_fieldset: pe + short: Section names of the file. type: keyword -threat.indicator.first_seen: - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen +threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. + example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size + format: bytes level: extended - name: indicator.first_seen + name: sections.raw_size normalize: [] - short: Date/time indicator was first reported. - type: date -threat.indicator.geo.city_name: - dashed_name: threat-indicator-geo-city-name - description: City name. 
- example: Montreal - flat_name: threat.indicator.geo.city_name + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. + type: long +threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: pe + short: Virtual address available to the file. + type: long +threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. + + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides better + recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes ignore_above: 1024 - level: core - name: city_name + level: extended + name: data.bytes normalize: [] - original_fieldset: geo - short: City name. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword -threat.indicator.geo.continent_code: - dashed_name: threat-indicator-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.indicator.geo.continent_code +threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single string + registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. + For sequences of string with REG_MULTI_SZ, this array will be variable length. 
+ For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with + the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings + normalize: + - array + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard +threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type ignore_above: 1024 level: core - name: continent_code + name: data.type normalize: [] - original_fieldset: geo - short: Continent code. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword -threat.indicator.geo.continent_name: - dashed_name: threat-indicator-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.indicator.geo.continent_name +threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.registry.hive ignore_above: 1024 level: core - name: continent_name + name: hive normalize: [] - original_fieldset: geo - short: Name of the continent. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword -threat.indicator.geo.country_iso_code: - dashed_name: threat-indicator-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.indicator.geo.country_iso_code - ignore_above: 1024 +threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key + description: Hive-relative path of keys. 
+ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.registry.key level: core - name: country_iso_code + name: key normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword -threat.indicator.geo.country_name: - dashed_name: threat-indicator-geo-country-name - description: Country name. - example: Canada - flat_name: threat.indicator.geo.country_name - ignore_above: 1024 + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard +threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.registry.path level: core - name: country_name + name: path normalize: [] - original_fieldset: geo - short: Country name. - type: keyword -threat.indicator.geo.location: - dashed_name: threat-indicator-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.indicator.geo.location + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard +threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.registry.value + ignore_above: 1024 level: core - name: location + name: value normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point -threat.indicator.geo.name: - dashed_name: threat-indicator-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. + original_fieldset: registry + short: Name of the value written. 
+ type: keyword +threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". - Could be the name of their data centers, the floor number, if this describes a - local physical entity, city names. + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.indicator.geo.name + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), + the `[` and `]` characters should also be captured in the `domain` field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain level: extended - name: name + name: domain normalize: [] - original_fieldset: geo - short: User-defined description of a location. + original_fieldset: url + short: Domain of the url. type: wildcard -threat.indicator.geo.postal_code: - dashed_name: threat-indicator-geo-postal-code - description: 'Postal code associated with the location. +threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request url, + excluding the leading dot. - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.indicator.geo.postal_code + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only the + last one should be captured ("gz", not "tar.gz").' 
+ example: png + flat_name: threat.enrichments.url.extension ignore_above: 1024 - level: core - name: postal_code + level: extended + name: extension normalize: [] - original_fieldset: geo - short: Postal code. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword -threat.indicator.geo.region_iso_code: - dashed_name: threat-indicator-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.indicator.geo.region_iso_code +threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.url.fragment ignore_above: 1024 - level: core - name: region_iso_code + level: extended + name: fragment normalize: [] - original_fieldset: geo - short: Region ISO code. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword -threat.indicator.geo.region_name: - dashed_name: threat-indicator-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.indicator.geo.region_name - ignore_above: 1024 - level: core - name: region_name +threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full + level: extended + multi_fields: + - flat_name: threat.enrichments.url.full.text + name: text + norms: false + type: text + name: full normalize: [] - original_fieldset: geo - short: Region name. - type: keyword -threat.indicator.geo.timezone: - dashed_name: threat-indicator-geo-timezone - description: The time zone of the location, such as IANA time zone name. 
- example: America/Argentina/Buenos_Aires - flat_name: threat.indicator.geo.timezone - ignore_above: 1024 - level: core - name: timezone + original_fieldset: url + short: Full unparsed URL. + type: wildcard +threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. + + Note that in network monitoring, the observed URL may be a full URL, whereas in + access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original + level: extended + multi_fields: + - flat_name: threat.enrichments.url.original.text + name: text + norms: false + type: text + name: original normalize: [] - original_fieldset: geo - short: Time zone. - type: keyword -threat.indicator.hash.md5: - dashed_name: threat-indicator-hash-md5 - description: MD5 hash. - flat_name: threat.indicator.hash.md5 + original_fieldset: url + short: Unmodified original url as seen in the event source. + type: wildcard +threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password ignore_above: 1024 level: extended - name: md5 + name: password normalize: [] - original_fieldset: hash - short: MD5 hash. + original_fieldset: url + short: Password of the request. type: keyword -threat.indicator.hash.sha1: - dashed_name: threat-indicator-hash-sha1 - description: SHA1 hash. - flat_name: threat.indicator.hash.sha1 +threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". + flat_name: threat.enrichments.url.path + level: extended + name: path + normalize: [] + original_fieldset: url + short: Path of the request, such as "/search". 
+ type: wildcard +threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string + level: extended + name: port + normalize: [] + original_fieldset: url + short: Port of the request, such as 443. + type: long +threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such as + "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there is + no query field. If there is a `?` but no query, the query field exists with an + empty string. The `exists` query can be used to differentiate between the two + cases.' + flat_name: threat.enrichments.url.query ignore_above: 1024 level: extended - name: sha1 + name: query normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: url + short: Query string of the request. type: keyword -threat.indicator.hash.sha256: - dashed_name: threat-indicator-hash-sha256 - description: SHA256 hash. - flat_name: threat.indicator.hash.sha256 - ignore_above: 1024 +threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. + + For example, the registered domain for "foo.example.com" is "example.com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain level: extended - name: sha256 + name: registered_domain normalize: [] - original_fieldset: hash - short: SHA256 hash. - type: keyword -threat.indicator.hash.sha512: - dashed_name: threat-indicator-hash-sha512 - description: SHA512 hash. 
- flat_name: threat.indicator.hash.sha512 + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: wildcard +threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme ignore_above: 1024 level: extended - name: sha512 + name: scheme normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: url + short: Scheme of the url. type: keyword -threat.indicator.hash.ssdeep: - dashed_name: threat-indicator-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.indicator.hash.ssdeep +threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes all + of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot be + determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the + domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the + subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain ignore_above: 1024 level: extended - name: ssdeep + name: subdomain normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: url + short: The subdomain of the domain. type: keyword -threat.indicator.ip: - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of direction). 
- example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip -threat.indicator.last_seen: - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting this - indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen - level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date -threat.indicator.marking.tlp: - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n \ - \ * White\n * Green\n * Amber\n * Red" - example: White - flat_name: threat.indicator.marking.tlp +threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain suffix, + is the last part of the domain name. For example, the top level domain for example.com + is "com". + + This value can be determined precisely with a list like the public suffix list + (http://publicsuffix.org). Trying to approximate this by simply taking the last + label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain ignore_above: 1024 level: extended - name: indicator.marking.tlp + name: top_level_domain normalize: [] - short: Indicator TLP marking + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword -threat.indicator.matched.atomic: - dashed_name: threat-indicator-matched-atomic - description: Identifies the atomic indicator that matched a local environment endpoint - or network event. - example: example.com - flat_name: threat.indicator.matched.atomic +threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. 
+ flat_name: threat.enrichments.url.username ignore_above: 1024 level: extended - name: indicator.matched.atomic + name: username normalize: [] - short: Indicator atomic match + original_fieldset: url + short: Username of the request. type: keyword -threat.indicator.matched.field: - dashed_name: threat-indicator-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. - example: file.hash.sha256 - flat_name: threat.indicator.matched.field +threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names (and + wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names ignore_above: 1024 level: extended - name: indicator.matched.field - normalize: [] - short: Indicator field match + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword -threat.indicator.matched.type: - dashed_name: threat-indicator-matched-type - description: Identifies the type of the atomic indicator that matched a local environment - endpoint or network event. - example: domain-name - flat_name: threat.indicator.matched.type +threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name ignore_above: 1024 level: extended - name: indicator.matched.type - normalize: [] - short: Indicator type match + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. 
type: keyword -threat.indicator.module: - dashed_name: threat-indicator-module - description: Identifies the name of specific module this data is coming from. - example: threatintel - flat_name: threat.indicator.module +threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country ignore_above: 1024 level: extended - name: indicator.module + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes + type: keyword +threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name + level: extended + name: issuer.distinguished_name normalize: [] - short: Indicator module + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard +threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality + ignore_above: 1024 + level: extended + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.indicator.pe.architecture: - dashed_name: threat-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.indicator.pe.architecture +threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. 
+ example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization ignore_above: 1024 level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword -threat.indicator.pe.authentihash: - dashed_name: threat-indicator-pe-authentihash - description: Authentihash of the PE file. - example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.indicator.pe.authentihash +threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword -threat.indicator.pe.company: - dashed_name: threat-indicator-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.indicator.pe.company +threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province ignore_above: 1024 level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. 
+ name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword -threat.indicator.pe.compile_timestamp: - dashed_name: threat-indicator-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.compile_timestamp +threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after level: extended - name: compile_timestamp + name: not_after normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. type: date -threat.indicator.pe.compiler.name: - dashed_name: threat-indicator-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.indicator.pe.compiler.name - ignore_above: 1024 +threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before level: extended - name: compiler.name + name: not_before normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword -threat.indicator.pe.compiler.version: - dashed_name: threat-indicator-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.indicator.pe.compiler.version + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date +threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. 
+ example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm ignore_above: 1024 level: extended - name: compiler.version + name: public_key_algorithm normalize: [] - original_fieldset: pe - short: Version of the compiler. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword -threat.indicator.pe.creation_date: - dashed_name: threat-indicator-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when it - was built or compiled. It can also be faked by malware creators. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date -threat.indicator.pe.debug: - dashed_name: threat-indicator-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.indicator.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested -threat.indicator.pe.debug.offset: - dashed_name: threat-indicator-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.indicator.pe.debug.offset +threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This is + algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve ignore_above: 1024 level: extended - name: debug.offset + name: public_key_curve normalize: [] - original_fieldset: pe - short: Debug offset information. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. 
type: keyword -threat.indicator.pe.debug.size: - dashed_name: threat-indicator-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.indicator.pe.debug.size - format: bytes +threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false level: extended - name: debug.size + name: public_key_exponent normalize: [] - original_fieldset: pe - short: Size of the debug information. + original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long -threat.indicator.pe.debug.timestamp: - dashed_name: threat-indicator-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.debug.timestamp +threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size level: extended - name: debug.timestamp + name: public_key_size normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date -threat.indicator.pe.debug.type: - dashed_name: threat-indicator-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.indicator.pe.debug.type + original_fieldset: x509 + short: The size of the public key space in bits. + type: long +threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. 
+ example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number ignore_above: 1024 level: extended - name: debug.type + name: serial_number normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword -threat.indicator.pe.description: - dashed_name: threat-indicator-pe-description - description: Internal description of the file, provided at compile-time. - example: Paint - flat_name: threat.indicator.pe.description +threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm ignore_above: 1024 level: extended - name: description + name: signature_algorithm normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword -threat.indicator.pe.entry_point: - dashed_name: threat-indicator-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.indicator.pe.entry_point +threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name ignore_above: 1024 level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. 
type: keyword -threat.indicator.pe.exports: - dashed_name: threat-indicator-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.indicator.pe.exports +threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country ignore_above: 1024 level: extended - name: exports + name: subject.country normalize: - array - original_fieldset: pe - short: List of symbols exported by PE + original_fieldset: x509 + short: List of country (C) code type: keyword -threat.indicator.pe.file_version: - dashed_name: threat-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.indicator.pe.file_version - ignore_above: 1024 +threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name level: extended - name: file_version + name: subject.distinguished_name normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: wildcard +threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword -threat.indicator.pe.icon.hash.dhash: - dashed_name: threat-indicator-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.indicator.pe.icon.hash.dhash +threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization ignore_above: 1024 level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or thumbnail. + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. type: keyword -threat.indicator.pe.imphash: - dashed_name: threat-indicator-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash -- - can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.indicator.pe.imphash +threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: threat.enrichments.x509.subject.organizational_unit ignore_above: 1024 level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. type: keyword -threat.indicator.pe.imports: - dashed_name: threat-indicator-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.indicator.pe.imports +threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province + ignore_above: 1024 level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened -threat.indicator.pe.machine_type: - dashed_name: threat-indicator-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.indicator.pe.machine_type + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword +threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number ignore_above: 1024 level: extended - name: machine_type + name: version_number normalize: [] - original_fieldset: pe - short: Machine type of the PE file. + original_fieldset: x509 + short: Version of x509 format. type: keyword -threat.indicator.pe.original_file_name: - dashed_name: threat-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: threat.indicator.pe.original_file_name +threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification can + be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 level: extended - name: original_file_name + name: framework normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: wildcard -threat.indicator.pe.packers: - dashed_name: threat-indicator-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.indicator.pe.packers + short: Threat classification framework. + type: keyword +threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: packers + name: group.alias normalize: - array - original_fieldset: pe - short: List of packers and tools used. + short: Alias of the group. type: keyword -threat.indicator.pe.product: - dashed_name: threat-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.indicator.pe.product +threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that are\ + \ tracked by a common name in the security community. 
While not required, you\ + \ can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id ignore_above: 1024 level: extended - name: product + name: group.id normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + short: ID of the group. type: keyword -threat.indicator.pe.resources: - dashed_name: threat-indicator-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.indicator.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested -threat.indicator.pe.resources.chi2: - dashed_name: threat-indicator-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.indicator.pe.resources.chi2 +threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 level: extended - name: resources.chi2 + name: group.name normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -threat.indicator.pe.resources.entropy: - dashed_name: threat-indicator-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.indicator.pe.resources.entropy + short: Name of the group. + type: keyword +threat.group.reference: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 level: extended - name: resources.entropy + name: group.reference normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long -threat.indicator.pe.resources.filetype: - dashed_name: threat-indicator-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.indicator.pe.resources.filetype + short: Reference URL of the group. + type: keyword +threat.indicator.confidence: + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nExpected values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: resources.filetype + name: indicator.confidence normalize: [] - original_fieldset: pe - short: File type of the resources section. + short: Indicator confidence rating type: keyword -threat.indicator.pe.resources.language: - dashed_name: threat-indicator-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: threat.indicator.pe.resources.language +threat.indicator.dataset: + dashed_name: threat-indicator-dataset + description: Identifies the name of specific dataset from the intelligence source. 
+ example: threatintel.abusemalware + flat_name: threat.indicator.dataset ignore_above: 1024 level: extended - name: resources.language + name: indicator.dataset normalize: [] - original_fieldset: pe - short: Language identification. + short: Indicator dataset type: keyword -threat.indicator.pe.resources.sha256: - dashed_name: threat-indicator-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.indicator.pe.resources.sha256 - ignore_above: 1024 +threat.indicator.description: + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description level: extended - name: resources.sha256 + name: indicator.description normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword -threat.indicator.pe.resources.type: - dashed_name: threat-indicator-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.indicator.pe.resources.type + short: Indicator description + type: wildcard +threat.indicator.domain: + dashed_name: threat-indicator-domain + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com + flat_name: threat.indicator.domain ignore_above: 1024 level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. + name: indicator.domain + normalize: [] + short: Indicator domain name type: keyword -threat.indicator.pe.rich_header.hash.md5: - dashed_name: threat-indicator-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. 
- example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.indicator.pe.rich_header.hash.md5 +threat.indicator.email.address: + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: rich_header.hash.md5 + name: indicator.email.address normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. + short: Indicator email address type: keyword -threat.indicator.pe.sections: - dashed_name: threat-indicator-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.indicator.pe.sections +threat.indicator.first_seen: + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested -threat.indicator.pe.sections.chi2: - dashed_name: threat-indicator-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.indicator.pe.sections.chi2 + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date +threat.indicator.ip: + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip level: extended - name: sections.chi2 + name: indicator.ip normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long -threat.indicator.pe.sections.entropy: - dashed_name: threat-indicator-pe-sections-entropy - description: Measurement of entropy randomness in the file. 
- example: 6.24 - flat_name: threat.indicator.pe.sections.entropy + short: Indicator IP address + type: ip +threat.indicator.last_seen: + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen level: extended - name: sections.entropy + name: indicator.last_seen normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float -threat.indicator.pe.sections.flags: - dashed_name: threat-indicator-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.indicator.pe.sections.flags + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nExpected values are:\n \ + \ * White\n * Green\n * Amber\n * Red" + example: White + flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended - name: sections.flags + name: indicator.marking.tlp normalize: [] - original_fieldset: pe - short: Section flags of the file. + short: Indicator TLP marking type: keyword -threat.indicator.pe.sections.name: - dashed_name: threat-indicator-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.indicator.pe.sections.name +threat.indicator.matched.atomic: + dashed_name: threat-indicator-matched-atomic + description: Identifies the atomic indicator that matched a local environment endpoint + or network event. + example: example.com + flat_name: threat.indicator.matched.atomic ignore_above: 1024 level: extended - name: sections.name + name: indicator.matched.atomic normalize: [] - original_fieldset: pe - short: Section names of the file. 
+ short: Indicator atomic match type: keyword -threat.indicator.pe.sections.raw_size: - dashed_name: threat-indicator-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.indicator.pe.sections.raw_size - format: bytes +threat.indicator.matched.field: + dashed_name: threat-indicator-matched-field + description: Identifies the field of the atomic indicator that matched a local environment + endpoint or network event. + example: file.hash.sha256 + flat_name: threat.indicator.matched.field + ignore_above: 1024 level: extended - name: sections.raw_size + name: indicator.matched.field normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long -threat.indicator.pe.sections.virtual_address: - dashed_name: threat-indicator-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.indicator.pe.sections.virtual_address - format: bytes + short: Indicator field match + type: keyword +threat.indicator.matched.type: + dashed_name: threat-indicator-matched-type + description: Identifies the type of the atomic indicator that matched a local environment + endpoint or network event. + example: domain-name + flat_name: threat.indicator.matched.type + ignore_above: 1024 level: extended - name: sections.virtual_address + name: indicator.matched.type normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long + short: Indicator type match + type: keyword +threat.indicator.module: + dashed_name: threat-indicator-module + description: Identifies the name of specific module this data is coming from. 
+ example: threatintel + flat_name: threat.indicator.module + ignore_above: 1024 + level: extended + name: indicator.module + normalize: [] + short: Indicator module + type: keyword threat.indicator.port: dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). 
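Review bot: the description added for `threat.indicator.confidence` in this hunk misspells the Admiralty scale (`* Admirality Scale (1-6)`); since this is a generated file, the fix belongs in the source schema so regeneration does not reintroduce it. Separately, the new `threat.indicator.matched.atomic`, `.field` and `.type` fields describe the link between an indicator and the local event ("Identifies the atomic indicator that matched a local environment endpoint or network event"), which is the association context that `threat.enrichments` is documented to carry ("the context of that association/enrichment"); either move the match metadata under `threat.enrichments` or document why it stays on `threat.indicator`.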
@@ -11560,99 +13051,6 @@ threat.indicator.provider: normalize: [] short: Identifies the name of the intelligence provider. type: keyword -threat.indicator.registry.data.bytes: - dashed_name: threat-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides better - recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.registry.data.bytes - ignore_above: 1024 - level: extended - name: data.bytes - normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword -threat.indicator.registry.data.strings: - dashed_name: threat-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single string - registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. - For sequences of string with REG_MULTI_SZ, this array will be variable length. - For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with - the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.registry.data.strings - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: wildcard -threat.indicator.registry.data.type: - dashed_name: threat-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.registry.data.type - ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents - type: keyword -threat.indicator.registry.hive: - dashed_name: threat-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.indicator.registry.hive - ignore_above: 1024 - level: core - name: hive - normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. - type: keyword -threat.indicator.registry.key: - dashed_name: threat-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.registry.key - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. - type: wildcard -threat.indicator.registry.path: - dashed_name: threat-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.indicator.registry.path - level: core - name: path - normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: wildcard -threat.indicator.registry.value: - dashed_name: threat-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.indicator.registry.value - ignore_above: 1024 - level: core - name: value - normalize: [] - original_fieldset: registry - short: Name of the value written. 
- type: keyword threat.indicator.scanner_stats: dashed_name: threat-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 20d58629f8..7fc6b056b3 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -150,8 +150,8 @@ as: at: source full: source.as - as: as - at: threat.indicator - full: threat.indicator.as + at: threat.enrichments + full: threat.enrichments.as top_level: false short: Fields describing an Autonomous System (Internet routing prefix). title: Autonomous System @@ -3771,6 +3771,12 @@ event: group: 2 name: event prefix: event. + reusable: + expected: + - as: event + at: threat.enrichments + full: threat.enrichments.event + top_level: true short: Fields breaking down the event details. title: Event type: group @@ -5292,8 +5298,8 @@ file: reusable: expected: - as: file - at: threat.indicator - full: threat.indicator.file + at: threat.enrichments + full: threat.enrichments.file top_level: true reused_here: - full: file.code_signature @@ -5474,8 +5480,8 @@ geo: at: source full: source.geo - as: geo - at: threat.indicator - full: threat.indicator.geo + at: threat.enrichments + full: threat.enrichments.geo top_level: false short: Fields describing a location. title: Geo @@ -5605,8 +5611,8 @@ hash: at: dll full: dll.hash - as: hash - at: threat.indicator - full: threat.indicator.hash + at: threat.enrichments + full: threat.enrichments.hash top_level: false short: Hashes, usually file hashes. title: Hash @@ -8168,8 +8174,8 @@ pe: at: process full: process.pe - as: pe - at: threat.indicator - full: threat.indicator.pe + at: threat.enrichments + full: threat.enrichments.pe top_level: false short: These fields contain Windows Portable Executable (PE) metadata. title: PE Header 
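Review bot: reusing the entire `event.*` field set under `threat.enrichments.event` (the new `reusable` block on `event`, `at: threat.enrichments` with `top_level: true`) pulls in fields that only make sense on the enclosing event; `threat.enrichments.event.agent_id_status`, for example, is documented further down as the validation status of the event's own `agent.id`, which has no meaning for an associated indicator. Either restrict the reuse to the event fields an enrichment actually needs, or state in the `threat.enrichments` description which `event.*` fields are expected to be populated there.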
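Review bot: in the `as`, `file`, `geo`, `hash` and `pe` hunks the expected reuse location is replaced (`- at: threat.indicator` / `+ at: threat.enrichments`) rather than listed a second time, so `threat.indicator.file.*`, `threat.indicator.hash.*` and the other nested objects cease to exist in the schema. If a stand-alone indicator that is not carried as an enrichment still needs file, hash or PE metadata, both locations should appear under `expected:`; if the removal is deliberate, it is a breaking change to the experimental `threat.indicator` namespace and should be called out in the change note.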
@@ -10642,8 +10648,8 @@ registry: reusable: expected: - as: registry - at: threat.indicator - full: threat.indicator.registry + at: threat.enrichments + full: threat.enrichments.registry top_level: true short: Fields related to Windows Registry operations. title: Registry 
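Review bot: same pattern as the other reuse hunks, `at: threat.indicator` is swapped for `at: threat.enrichments` instead of being kept alongside it, and the ecs_flat.yml hunk above already drops every `threat.indicator.registry.*` entry. Please confirm that the matching `threat.enrichments.registry.*` entries are present in the generated flat and beats files, since only the removal side is visible in this diff.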
@@ -11956,97 +11962,36 @@ threat: \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ \ \"endpoint denial of service\")." fields: - threat.framework: - dashed_name: threat-framework - description: Name of the threat framework used to further categorize and classify - the tactic and technique of the reported threat. Framework classification - can be provided by detecting systems, evaluated at ingest time, or retrospectively - tagged to events. - example: MITRE ATT&CK - flat_name: threat.framework - ignore_above: 1024 - level: extended - name: framework - normalize: [] - short: Threat classification framework. - type: keyword - threat.group.alias: - beta: This field is beta and subject to change. - dashed_name: threat-group-alias - description: "The alias(es) of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group alias(es)." - example: '[ "Magecart Group 6" ]' - flat_name: threat.group.alias - ignore_above: 1024 - level: extended - name: group.alias - normalize: - - array - short: Alias of the group. - type: keyword - threat.group.id: - beta: This field is beta and subject to change. - dashed_name: threat-group-id - description: "The id of the group for a set of related intrusion activity that\ - \ are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group id." - example: G0037 - flat_name: threat.group.id - ignore_above: 1024 - level: extended - name: group.id - normalize: [] - short: ID of the group. - type: keyword - threat.group.name: - beta: This field is beta and subject to change. - dashed_name: threat-group-name - description: "The name of the group for a set of related intrusion activity\ - \ that are tracked by a common name in the security community. While not required,\ - \ you can use a MITRE ATT&CK\xAE group name." 
- example: FIN6 - flat_name: threat.group.name - ignore_above: 1024 - level: extended - name: group.name - normalize: [] - short: Name of the group. - type: keyword - threat.group.reference: - beta: This field is beta and subject to change. - dashed_name: threat-group-reference - description: "The reference URL of the group for a set of related intrusion\ - \ activity that are tracked by a common name in the security community. While\ - \ not required, you can use a MITRE ATT&CK\xAE group reference URL." - example: https://attack.mitre.org/groups/G0037/ - flat_name: threat.group.reference - ignore_above: 1024 + threat.enrichments: + dashed_name: threat-enrichments + description: A list of associated indicators enriching the event, and the context + of that association/enrichment. + flat_name: threat.enrichments level: extended - name: group.reference + name: enrichments normalize: [] - short: Reference URL of the group. - type: keyword - threat.indicator.as.number: - dashed_name: threat-indicator-as-number + short: List of indicators enriching the event. + type: nested + threat.enrichments.as.number: + dashed_name: threat-enrichments-as-number description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. example: 15169 - flat_name: threat.indicator.as.number + flat_name: threat.enrichments.as.number level: extended name: number normalize: [] original_fieldset: as short: Unique number allocated to the autonomous system. type: long - threat.indicator.as.organization.name: - dashed_name: threat-indicator-as-organization-name + threat.enrichments.as.organization.name: + dashed_name: threat-enrichments-as-organization-name description: Organization name. 
example: Google LLC - flat_name: threat.indicator.as.organization.name + flat_name: threat.enrichments.as.organization.name level: extended multi_fields: - - flat_name: threat.indicator.as.organization.name.text + - flat_name: threat.enrichments.as.organization.name.text name: text norms: false type: text 
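Review bot: `threat.enrichments` is added with `type: nested` but `normalize: []`, although its description calls it "A list of associated indicators" and the nested array field removed elsewhere in this change (`threat.indicator.pe.resources`) pairs `type: nested` with `normalize:` / `- array`. Declare `normalize: [array]` in the source definition so the generated documentation presents the field as an array, consistent with the other list fields in this diff such as `threat.group.alias`. The removal of `threat.framework` and `threat.group.*` from the top of `fields:` in this hunk looks like a re-sort caused by inserting `threat.enrichments` rather than a deletion; please confirm those entries reappear unchanged later in the generated file.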
@@ -12055,1509 +12000,3079 @@ threat: original_fieldset: as short: Organization name. type: wildcard - threat.indicator.confidence: - dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" - example: High - flat_name: threat.indicator.confidence - ignore_above: 1024 - level: extended - name: indicator.confidence - normalize: [] - short: Indicator confidence rating - type: keyword - threat.indicator.dataset: - dashed_name: threat-indicator-dataset - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware - flat_name: threat.indicator.dataset - ignore_above: 1024 - level: extended - name: indicator.dataset - normalize: [] - short: Indicator dataset - type: keyword - threat.indicator.description: - dashed_name: threat-indicator-description - description: Describes the type of action conducted by the threat. - example: IP x.x.x.x was observed delivering the Angler EK. - flat_name: threat.indicator.description - level: extended - name: indicator.description - normalize: [] - short: Indicator description - type: wildcard - threat.indicator.domain: - dashed_name: threat-indicator-domain - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com - flat_name: threat.indicator.domain - ignore_above: 1024 - level: extended - name: indicator.domain - normalize: [] - short: Indicator domain name - type: keyword - threat.indicator.email.address: - dashed_name: threat-indicator-email-address - description: Identifies a threat indicator as an email address (irrespective - of direction). 
- example: phish@example.com - flat_name: threat.indicator.email.address + threat.enrichments.event.action: + dashed_name: threat-enrichments-event-action + description: 'The action captured by the event. + + This describes the information in the event. It is more specific than `event.category`. + Examples are `group-add`, `process-started`, `file-created`. The value is + normally defined by the implementer.' + example: user-password-change + flat_name: threat.enrichments.event.action ignore_above: 1024 - level: extended - name: indicator.email.address + level: core + name: action normalize: [] - short: Indicator email address + original_fieldset: event + short: The action captured by the event. type: keyword - threat.indicator.file.accessed: - dashed_name: threat-indicator-file-accessed - description: 'Last time the file was accessed. + threat.enrichments.event.agent_id_status: + dashed_name: threat-enrichments-event-agent-id-status + description: 'Agents are normally responsible for populating the `agent.id` + field value. If the system receiving events is capable of validating the value + based on authentication information for the client then this field can be + used to reflect the outcome of that validation. - Note that not all filesystems keep track of access time.' - flat_name: threat.indicator.file.accessed - level: extended - name: accessed - normalize: [] - original_fieldset: file - short: Last time the file was accessed. - type: date - threat.indicator.file.attributes: - dashed_name: threat-indicator-file-attributes - description: 'Array of file attributes. + For example if the agent''s connection is authenticated with mTLS and the + client cert contains the ID of the agent to which the cert was issued then + the `agent.id` value in events can be checked against the certificate. If + the values match then `event.agent_id_status: verified` is added to the event, + otherwise one of the other allowed values should be used. 
- Attributes names will vary by platform. Here''s a non-exhaustive list of values - that are expected in this field: archive, compressed, directory, encrypted, - execute, hidden, read, readonly, system, write.' - example: '["readonly", "system"]' - flat_name: threat.indicator.file.attributes - ignore_above: 1024 - level: extended - name: attributes - normalize: - - array - original_fieldset: file - short: Array of file attributes. - type: keyword - threat.indicator.file.code_signature.exists: - dashed_name: threat-indicator-file-code-signature-exists - description: Boolean to capture if a signature is present. - example: 'true' - flat_name: threat.indicator.file.code_signature.exists - level: core - name: exists - normalize: [] - original_fieldset: code_signature - short: Boolean to capture if a signature is present. - type: boolean - threat.indicator.file.code_signature.signing_id: - dashed_name: threat-indicator-file-code-signature-signing-id - description: 'The identifier used to sign the process. + If no validation is performed then the field should be omitted. - This is used to identify the application manufactured by a software vendor. - The field is relevant to Apple *OS only.' - example: com.apple.xpc.proxy - flat_name: threat.indicator.file.code_signature.signing_id - ignore_above: 1024 - level: extended - name: signing_id - normalize: [] - original_fieldset: code_signature - short: The identifier used to sign the process. - type: keyword - threat.indicator.file.code_signature.status: - dashed_name: threat-indicator-file-code-signature-status - description: 'Additional information about the certificate status. + The allowed values are: - This is useful for logging cryptographic errors with the certificate validity - or trust status. Leave unpopulated if the validity or trust of the certificate - was unchecked.' 
- example: ERROR_UNTRUSTED_ROOT - flat_name: threat.indicator.file.code_signature.status - ignore_above: 1024 - level: extended - name: status - normalize: [] - original_fieldset: code_signature - short: Additional information about the certificate status. - type: keyword - threat.indicator.file.code_signature.subject_name: - dashed_name: threat-indicator-file-code-signature-subject-name - description: Subject name of the code signer - example: Microsoft Corporation - flat_name: threat.indicator.file.code_signature.subject_name - ignore_above: 1024 - level: core - name: subject_name - normalize: [] - original_fieldset: code_signature - short: Subject name of the code signer - type: keyword - threat.indicator.file.code_signature.team_id: - dashed_name: threat-indicator-file-code-signature-team-id - description: 'The team identifier used to sign the process. + `verified` - The `agent.id` field value matches expected value obtained from + auth metadata. - This is used to identify the team or vendor of a software product. The field - is relevant to Apple *OS only.' - example: EQHXZ8M8AV - flat_name: threat.indicator.file.code_signature.team_id + `mismatch` - The `agent.id` field value does not match the expected value + obtained from auth metadata. + + `missing` - There was no `agent.id` field in the event to validate. + + `auth_metadata_missing` - There was no auth metadata or it was missing information + about the agent ID.' + example: verified + flat_name: threat.enrichments.event.agent_id_status ignore_above: 1024 level: extended - name: team_id + name: agent_id_status normalize: [] - original_fieldset: code_signature - short: The team identifier used to sign the process. + original_fieldset: event + short: Validation status of the event's agent.id field. type: keyword - threat.indicator.file.code_signature.trusted: - dashed_name: threat-indicator-file-code-signature-trusted - description: 'Stores the trust status of the certificate chain. 
- - Validating the trust of the certificate chain may be complicated, and this - field should only be populated by tools that actively check the status.' - example: 'true' - flat_name: threat.indicator.file.code_signature.trusted - level: extended - name: trusted - normalize: [] - original_fieldset: code_signature - short: Stores the trust status of the certificate chain. - type: boolean - threat.indicator.file.code_signature.valid: - dashed_name: threat-indicator-file-code-signature-valid - description: 'Boolean to capture if the digital signature is verified against - the binary content. + threat.enrichments.event.category: + allowed_values: + - description: Events in this category are related to the challenge and response + process in which credentials are supplied and verified to allow the creation + of a session. Common sources for these logs are Windows event logs and ssh + logs. Visualize and analyze events in this category to look for failed logins, + and other authentication-related activity. + expected_event_types: + - start + - end + - info + name: authentication + - description: 'Events in the configuration category have to deal with creating, + modifying, or deleting the settings or parameters of an application, process, + or system. - Leave unpopulated if a certificate was unchecked.' + Example sources include security policy change logs, configuration auditing + logging, and system integrity monitoring.' + expected_event_types: + - access + - change + - creation + - deletion + - info + name: configuration + - description: The database category denotes events and metrics relating to + a data storage and retrieval system. Note that use of this category is not + limited to relational database systems. Examples include event logs from + MS SQL, MySQL, Elasticsearch, MongoDB, etc. Use this category to visualize + and analyze database activity such as accesses and changes. 
+ expected_event_types: + - access + - change + - info + - error + name: database + - description: 'Events in the driver category have to do with operating system + device drivers and similar software entities such as Windows drivers, kernel + extensions, kernel modules, etc. + + Use events and metrics in this category to visualize and analyze driver-related + activity and status on hosts.' + expected_event_types: + - change + - end + - info + - start + name: driver + - description: Relating to a set of information that has been created on, or + has existed on a filesystem. Use this category of events to visualize and + analyze the creation, access, and deletions of files. Events in this category + can come from both host-based and network-based sources. An example source + of a network-based detection of a file transfer would be the Zeek file.log. + expected_event_types: + - change + - creation + - deletion + - info + name: file + - description: 'Use this category to visualize and analyze information such + as host inventory or host lifecycle events. + + Most of the events in this category can usually be observed from the outside, + such as from a hypervisor or a control plane''s point of view. Some can + also be seen from within, such as "start" or "end". + + Note that this category is for information about hosts themselves; it is + not meant to capture activity "happening on a host".' + expected_event_types: + - access + - change + - end + - info + - start + name: host + - description: Identity and access management (IAM) events relating to users, + groups, and administration. Use this category to visualize and analyze IAM-related + logs and data from active directory, LDAP, Okta, Duo, and other IAM systems. + expected_event_types: + - admin + - change + - creation + - deletion + - group + - info + - user + name: iam + - description: Relating to intrusion detections from IDS/IPS systems and functions, + both network and host-based. 
Use this category to visualize and analyze + intrusion detection alerts from systems such as Snort, Suricata, and Palo + Alto threat detections. + expected_event_types: + - allowed + - denied + - info + name: intrusion_detection + - description: Malware detection events and alerts. Use this category to visualize + and analyze malware detections from EDR/EPP systems such as Elastic Endpoint + Security, Symantec Endpoint Protection, Crowdstrike, and network IDS/IPS + systems such as Suricata, or other sources of malware-related events such + as Palo Alto Networks threat logs and Wildfire logs. + expected_event_types: + - info + name: malware + - description: Relating to all network activity, including network connection + lifecycle, network traffic, and essentially any event that includes an IP + address. Many events containing decoded network protocol transactions fit + into this category. Use events in this category to visualize or analyze + counts of network ports, protocols, addresses, geolocation information, + etc. + expected_event_types: + - access + - allowed + - connection + - denied + - end + - info + - protocol + - start + name: network + - description: Relating to software packages installed on hosts. Use this category + to visualize and analyze inventory of software installed on various hosts, + or to determine host vulnerability in the absence of vulnerability scan + data. + expected_event_types: + - access + - change + - deletion + - info + - installation + - start + name: package + - description: Use this category of events to visualize and analyze process-specific + information such as lifecycle events or process ancestry. + expected_event_types: + - access + - change + - end + - info + - start + name: process + - description: Having to do with settings and assets stored in the Windows registry. + Use this category to visualize and analyze activity such as registry access + and modifications. 
+ expected_event_types: + - access + - change + - creation + - deletion + name: registry + - description: The session category is applied to events and metrics regarding + logical persistent connections to hosts and services. Use this category + to visualize and analyze interactive or automated persistent connections + between assets. Data for this category may come from Windows Event logs, + SSH logs, or stateless sessions such as HTTP cookie-based sessions, etc. + expected_event_types: + - start + - end + - info + name: session + - description: 'Relating to web server access. Use this category to create a + dashboard of web server/proxy activity from apache, IIS, nginx web servers, + etc. Note: events from network observers such as Zeek http log may also + be included in this category.' + expected_event_types: + - access + - error + - info + name: web + dashed_name: threat-enrichments-event-category + description: 'This is one of four ECS Categorization Fields, and indicates the + second level in the ECS category hierarchy. + + `event.category` represents the "big buckets" of ECS categories. For example, + filtering on `event.category:process` yields all events relating to process + activity. This field is closely related to `event.type`, which is used as + a subcategory. + + This field is an array. This will allow proper categorization of some events + that fall in multiple categories.' + example: authentication + flat_name: threat.enrichments.event.category + ignore_above: 1024 + level: core + name: category + normalize: + - array + original_fieldset: event + short: Event category. The second categorization field in the hierarchy. + type: keyword + threat.enrichments.event.code: + dashed_name: threat-enrichments-event-code + description: 'Identification code for this event, if one exists. + + Some event sources use event codes to identify messages unambiguously, regardless + of message language or wording adjustments over time. 
An example of this is + the Windows Event ID.' + example: 4648 + flat_name: threat.enrichments.event.code + ignore_above: 1024 + level: extended + name: code + normalize: [] + original_fieldset: event + short: Identification code for this event. + type: keyword + threat.enrichments.event.created: + dashed_name: threat-enrichments-event-created + description: 'event.created contains the date/time when the event was first + read by an agent, or by your pipeline. + + This field is distinct from @timestamp in that @timestamp typically contain + the time extracted from the original event. + + In most situations, these two timestamps will be slightly different. The difference + can be used to calculate the delay between your source generating an event, + and the time when your agent first processed it. This can be used to monitor + your agent''s or pipeline''s ability to keep up with your event source. + + In case the two timestamps are identical, @timestamp should be used.' + example: '2016-05-23T08:05:34.857Z' + flat_name: threat.enrichments.event.created + level: core + name: created + normalize: [] + original_fieldset: event + short: Time when the event was first read by an agent or by your pipeline. + type: date + threat.enrichments.event.dataset: + dashed_name: threat-enrichments-event-dataset + description: 'Name of the dataset. + + If an event source publishes more than one type of log or events (e.g. access + log, error log), the dataset is used to specify which one the event comes + from. + + It''s recommended but not required to start the dataset name with the module + name, followed by a dot, then the dataset name.' + example: apache.access + flat_name: threat.enrichments.event.dataset + ignore_above: 1024 + level: core + name: dataset + normalize: [] + original_fieldset: event + short: Name of the dataset. 
+ type: keyword + threat.enrichments.event.duration: + dashed_name: threat-enrichments-event-duration + description: 'Duration of the event in nanoseconds. + + If event.start and event.end are known this value should be the difference + between the end and start time.' + flat_name: threat.enrichments.event.duration + format: duration + input_format: nanoseconds + level: core + name: duration + normalize: [] + original_fieldset: event + output_format: asMilliseconds + output_precision: 1 + short: Duration of the event in nanoseconds. + type: long + threat.enrichments.event.end: + dashed_name: threat-enrichments-event-end + description: event.end contains the date when the event ended or when the activity + was last observed. + flat_name: threat.enrichments.event.end + level: extended + name: end + normalize: [] + original_fieldset: event + short: event.end contains the date when the event ended or when the activity + was last observed. + type: date + threat.enrichments.event.hash: + dashed_name: threat-enrichments-event-hash + description: Hash (perhaps logstash fingerprint) of raw field to be able to + demonstrate log integrity. + example: 123456789012345678901234567890ABCD + flat_name: threat.enrichments.event.hash + ignore_above: 1024 + level: extended + name: hash + normalize: [] + original_fieldset: event + short: Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate + log integrity. + type: keyword + threat.enrichments.event.id: + dashed_name: threat-enrichments-event-id + description: Unique ID to describe the event. + example: 8a4f500d + flat_name: threat.enrichments.event.id + ignore_above: 1024 + level: core + name: id + normalize: [] + original_fieldset: event + short: Unique ID to describe the event. + type: keyword + threat.enrichments.event.ingested: + dashed_name: threat-enrichments-event-ingested + description: 'Timestamp when an event arrived in the central data store. 
+ + This is different from `@timestamp`, which is when the event originally occurred. It''s + also different from `event.created`, which is meant to capture the first time + an agent saw the event. + + In normal conditions, assuming no tampering, the timestamps should chronologically + look like this: `@timestamp` < `event.created` < `event.ingested`.' + example: '2016-05-23T08:05:35.101Z' + flat_name: threat.enrichments.event.ingested + level: core + name: ingested + normalize: [] + original_fieldset: event + short: Timestamp when an event arrived in the central data store. + type: date + threat.enrichments.event.kind: + allowed_values: + - description: 'This value indicates an event that describes an alert or notable + event, triggered by a detection rule. + + `event.kind:alert` is often populated for events coming from firewalls, + intrusion detection systems, endpoint detection and response systems, and + so on.' + name: alert + - description: This value is the most general and most common value for this + field. It is used to represent events that indicate that something happened. + name: event + - description: 'This value is used to indicate that this event describes a numeric + measurement taken at given point in time. + + Examples include CPU utilization, memory usage, or device temperature. + + Metric events are often collected on a predictable frequency, such as once + every few seconds, or once a minute, but can also be used to describe ad-hoc + numeric metric queries.' + name: metric + - description: 'The state value is similar to metric, indicating that this event + describes a measurement taken at given point in time, except that the measurement + does not result in a numeric value, but rather one of a fixed set of categorical + values that represent conditions or states. 
+ + Examples include periodic events reporting Elasticsearch cluster state (green/yellow/red), + the state of a TCP connection (open, closed, fin_wait, etc.), the state + of a host with respect to a software vulnerability (vulnerable, not vulnerable), + and the state of a system regarding compliance with a regulatory standard + (compliant, not compliant). + + Note that an event that describes a change of state would not use `event.kind:state`, + but instead would use ''event.kind:event'' since a state change fits the + more general event definition of something that happened. + + State events are often collected on a predictable frequency, such as once + every few seconds, once a minute, once an hour, or once a day, but can also + be used to describe ad-hoc state queries.' + name: state + - description: This value indicates that an error occurred during the ingestion + of this event, and that event data may be missing, inconsistent, or incorrect. + `event.kind:pipeline_error` is often associated with parsing errors. + name: pipeline_error + - description: 'This value is used by the Elastic Security app to denote an + Elasticsearch document that was created by a SIEM detection engine rule. + + A signal will typically trigger a notification that something meaningful + happened and should be investigated. + + Usage of this value is reserved, and pipelines should not populate `event.kind` + with the value "signal".' + name: signal + dashed_name: threat-enrichments-event-kind + description: 'This is one of four ECS Categorization Fields, and indicates the + highest level in the ECS category hierarchy. + + `event.kind` gives high-level information about what type of information the + event contains, without being specific to the contents of the event. For example, + values of this field distinguish alert events from metric events. + + The value of this field can be used to inform how these kinds of events should + be handled. 
They may warrant different retention, different access control, + it may also help understand whether the data coming in at a regular interval + or not.' + example: alert + flat_name: threat.enrichments.event.kind + ignore_above: 1024 + level: core + name: kind + normalize: [] + original_fieldset: event + short: The kind of the event. The highest categorization field in the hierarchy. + type: keyword + threat.enrichments.event.module: + dashed_name: threat-enrichments-event-module + description: 'Name of the module this data is coming from. + + If your monitoring agent supports the concept of modules or plugins to process + events of a given source (e.g. Apache logs), `event.module` should contain + the name of this module.' + example: apache + flat_name: threat.enrichments.event.module + ignore_above: 1024 + level: core + name: module + normalize: [] + original_fieldset: event + short: Name of the module this data is coming from. + type: keyword + threat.enrichments.event.original: + dashed_name: threat-enrichments-event-original + description: 'Raw text message of entire event. Used to demonstrate log integrity. + + This field is not indexed and doc_values are disabled. It cannot be searched, + but it can be retrieved from `_source`. If users wish to override this and + index this field, consider using the wildcard data type.' + doc_values: false + example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| + worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + flat_name: threat.enrichments.event.original + ignore_above: 1024 + index: false + level: core + name: original + normalize: [] + original_fieldset: event + short: Raw text message of entire event. + type: keyword + threat.enrichments.event.outcome: + allowed_values: + - description: Indicates that this event describes a failed result. 
A common + example is `event.category:file AND event.type:access AND event.outcome:failure` + to indicate that a file access was attempted, but was not successful. + name: failure + - description: Indicates that this event describes a successful result. A common + example is `event.category:file AND event.type:create AND event.outcome:success` + to indicate that a file was successfully created. + name: success + - description: Indicates that this event describes only an attempt for which + the result is unknown from the perspective of the event producer. For example, + if the event contains information only about the request side of a transaction + that results in a response, populating `event.outcome:unknown` in the request + event is appropriate. The unknown value should not be used when an outcome + doesn't make logical sense for the event. In such cases `event.outcome` + should not be populated. + name: unknown + dashed_name: threat-enrichments-event-outcome + description: 'This is one of four ECS Categorization Fields, and indicates the + lowest level in the ECS category hierarchy. + + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' 
+ example: success + flat_name: threat.enrichments.event.outcome + ignore_above: 1024 + level: core + name: outcome + normalize: [] + original_fieldset: event + short: The outcome of the event. The lowest level categorization field in the + hierarchy. + type: keyword + threat.enrichments.event.provider: + dashed_name: threat-enrichments-event-provider + description: 'Source of the event. + + Event transports such as Syslog or the Windows Event Log typically mention + the source of an event. It can be the name of the software that generated + the event (e.g. Sysmon, httpd), or of a subsystem of the operating system + (kernel, Microsoft-Windows-Security-Auditing).' + example: kernel + flat_name: threat.enrichments.event.provider + ignore_above: 1024 + level: extended + name: provider + normalize: [] + original_fieldset: event + short: Source of the event. + type: keyword + threat.enrichments.event.reason: + dashed_name: threat-enrichments-event-reason + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` + which denied the request may also populate `event.reason` with the reason + why (e.g. `blocked site`).' + example: Terminated an unexpected process + flat_name: threat.enrichments.event.reason + ignore_above: 1024 + level: extended + name: reason + normalize: [] + original_fieldset: event + short: Reason why this event happened, according to the source + type: keyword + threat.enrichments.event.reference: + dashed_name: threat-enrichments-event-reference + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' 
+ example: https://system.example.com/event/#0001234 + flat_name: threat.enrichments.event.reference + ignore_above: 1024 + level: extended + name: reference + normalize: [] + original_fieldset: event + short: Event reference URL + type: keyword + threat.enrichments.event.risk_score: + dashed_name: threat-enrichments-event-risk-score + description: Risk score or priority of the event (e.g. security solutions). + Use your system's original value here. + flat_name: threat.enrichments.event.risk_score + level: core + name: risk_score + normalize: [] + original_fieldset: event + short: Risk score or priority of the event (e.g. security solutions). Use your + system's original value here. + type: float + threat.enrichments.event.risk_score_norm: + dashed_name: threat-enrichments-event-risk-score-norm + description: 'Normalized risk score or priority of the event, on a scale of + 0 to 100. + + This is mainly useful if you use more than one system that assigns risk scores, + and you want to see a normalized value across all systems.' + flat_name: threat.enrichments.event.risk_score_norm + level: extended + name: risk_score_norm + normalize: [] + original_fieldset: event + short: Normalized risk score or priority of the event (0-100). + type: float + threat.enrichments.event.sequence: + dashed_name: threat-enrichments-event-sequence + description: 'Sequence number of the event. + + The sequence number is a value published by some event sources, to make the + exact ordering of events unambiguous, regardless of the timestamp precision.' + flat_name: threat.enrichments.event.sequence + format: string + level: extended + name: sequence + normalize: [] + original_fieldset: event + short: Sequence number of the event. + type: long + threat.enrichments.event.severity: + dashed_name: threat-enrichments-event-severity + description: 'The numeric severity of the event according to your event source. 
+ + What the different severity values mean can be different between sources and + use cases. It''s up to the implementer to make sure severities are consistent + across events from the same source. + + The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` + is meant to represent the severity according to the event source (e.g. firewall, + IDS). If the event source does not publish its own severity, you may optionally + copy the `log.syslog.severity.code` to `event.severity`.' + example: 7 + flat_name: threat.enrichments.event.severity + format: string + level: core + name: severity + normalize: [] + original_fieldset: event + short: Numeric severity of the event. + type: long + threat.enrichments.event.start: + dashed_name: threat-enrichments-event-start + description: event.start contains the date when the event started or when the + activity was first observed. + flat_name: threat.enrichments.event.start + level: extended + name: start + normalize: [] + original_fieldset: event + short: event.start contains the date when the event started or when the activity + was first observed. + type: date + threat.enrichments.event.timezone: + dashed_name: threat-enrichments-event-timezone + description: 'This field should be populated when the event''s timestamp does + not include timezone information already (e.g. default Syslog timestamps). + It''s optional otherwise. + + Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), + abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").' + flat_name: threat.enrichments.event.timezone + ignore_above: 1024 + level: extended + name: timezone + normalize: [] + original_fieldset: event + short: Event time zone. + type: keyword + threat.enrichments.event.type: + allowed_values: + - description: The access event type is used for the subset of events within + a category that indicate that something was accessed. 
Common examples include + `event.category:database AND event.type:access`, or `event.category:file + AND event.type:access`. Note for file access, both directory listings and + file opens should be included in this subcategory. You can further distinguish + access operations using the ECS `event.action` field. + name: access + - description: 'The admin event type is used for the subset of events within + a category that are related to admin objects. For example, administrative + changes within an IAM framework that do not specifically affect a user or + group (e.g., adding new applications to a federation solution or connecting + discrete forests in Active Directory) would fall into this subcategory. + Common example: `event.category:iam AND event.type:change AND event.type:admin`. + You can further distinguish admin operations using the ECS `event.action` + field.' + name: admin + - description: The allowed event type is used for the subset of events within + a category that indicate that something was allowed. Common examples include + `event.category:network AND event.type:connection AND event.type:allowed` + (to indicate a network firewall event for which the firewall disposition + was to allow the connection to complete) and `event.category:intrusion_detection + AND event.type:allowed` (to indicate a network intrusion prevention system + event for which the IPS disposition was to allow the connection to complete). + You can further distinguish allowed operations using the ECS `event.action` + field, populating with values of your choosing, such as "allow", "detect", + or "pass". + name: allowed + - description: The change event type is used for the subset of events within + a category that indicate that something has changed. If semantics best describe + an event as modified, then include them in this subcategory. Common examples + include `event.category:process AND event.type:change`, and `event.category:file + AND event.type:change`. 
You can further distinguish change operations using + the ECS `event.action` field. + name: change + - description: Used primarily with `event.category:network` this value is used + for the subset of network traffic that includes sufficient information for + the event to be included in flow or connection analysis. Events in this + subcategory will contain at least source and destination IP addresses, source + and destination TCP/UDP ports, and will usually contain counts of bytes + and/or packets transferred. Events in this subcategory may contain unidirectional + or bidirectional information, including summary information. Use this subcategory + to visualize and analyze network connections. Flow analysis, including Netflow, + IPFIX, and other flow-related events fit in this subcategory. Note that + firewall events from many Next-Generation Firewall (NGFW) devices will also + fit into this subcategory. A common filter for flow/connection information + would be `event.category:network AND event.type:connection AND event.type:end` + (to view or analyze all completed network connections, ignoring mid-flow + reports). You can further distinguish connection events using the ECS `event.action` + field, populating with values of your choosing, such as "timeout", or "reset". + name: connection + - description: The "creation" event type is used for the subset of events within + a category that indicate that something was created. A common example is + `event.category:file AND event.type:creation`. + name: creation + - description: The deletion event type is used for the subset of events within + a category that indicate that something was deleted. A common example is + `event.category:file AND event.type:deletion` to indicate that a file has + been deleted. + name: deletion + - description: The denied event type is used for the subset of events within + a category that indicate that something was denied. 
Common examples include + `event.category:network AND event.type:denied` (to indicate a network firewall + event for which the firewall disposition was to deny the connection) and + `event.category:intrusion_detection AND event.type:denied` (to indicate + a network intrusion prevention system event for which the IPS disposition + was to deny the connection to complete). You can further distinguish denied + operations using the ECS `event.action` field, populating with values of + your choosing, such as "blocked", "dropped", or "quarantined". + name: denied + - description: The end event type is used for the subset of events within a + category that indicate something has ended. A common example is `event.category:process + AND event.type:end`. + name: end + - description: The error event type is used for the subset of events within + a category that indicate or describe an error. A common example is `event.category:database + AND event.type:error`. Note that pipeline errors that occur during the event + ingestion process should not use this `event.type` value. Instead, they + should use `event.kind:pipeline_error`. + name: error + - description: 'The group event type is used for the subset of events within + a category that are related to group objects. Common example: `event.category:iam + AND event.type:creation AND event.type:group`. You can further distinguish + group operations using the ECS `event.action` field.' + name: group + - description: The info event type is used for the subset of events within a + category that indicate that they are purely informational, and don't report + a state change, or any type of action. For example, an initial run of a + file integrity monitoring system (FIM), where an agent reports all files + under management, would fall into the "info" subcategory. Similarly, an + event containing a dump of all currently running processes (as opposed to + reporting that a process started/ended) would fall into the "info" subcategory. 
+ An additional common examples is `event.category:intrusion_detection AND + event.type:info`. + name: info + - description: The installation event type is used for the subset of events + within a category that indicate that something was installed. A common example + is `event.category:package` AND `event.type:installation`. + name: installation + - description: The protocol event type is used for the subset of events within + a category that indicate that they contain protocol details or analysis, + beyond simply identifying the protocol. Generally, network events that contain + specific protocol details will fall into this subcategory. A common example + is `event.category:network AND event.type:protocol AND event.type:connection + AND event.type:end` (to indicate that the event is a network connection + event sent at the end of a connection that also includes a protocol detail + breakdown). Note that events that only indicate the name or id of the protocol + should not use the protocol value. Further note that when the protocol subcategory + is used, the identified protocol is populated in the ECS `network.protocol` + field. + name: protocol + - description: The start event type is used for the subset of events within + a category that indicate something has started. A common example is `event.category:process + AND event.type:start`. + name: start + - description: 'The user event type is used for the subset of events within + a category that are related to user objects. Common example: `event.category:iam + AND event.type:deletion AND event.type:user`. You can further distinguish + user operations using the ECS `event.action` field.' + name: user + dashed_name: threat-enrichments-event-type + description: 'This is one of four ECS Categorization Fields, and indicates the + third level in the ECS category hierarchy. 
+ + `event.type` represents a categorization "sub-bucket" that, when used along + with the `event.category` field values, enables filtering events down to a + level appropriate for single visualization. + + This field is an array. This will allow proper categorization of some events + that fall in multiple event types.' + flat_name: threat.enrichments.event.type + ignore_above: 1024 + level: core + name: type + normalize: + - array + original_fieldset: event + short: Event type. The third categorization field in the hierarchy. + type: keyword + threat.enrichments.event.url: + dashed_name: threat-enrichments-event-url + description: 'URL linking to an external system to continue investigation of + this event. + + This URL links to another system where in-depth investigation of the specific + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + flat_name: threat.enrichments.event.url + ignore_above: 1024 + level: extended + name: url + normalize: [] + original_fieldset: event + short: Event investigation URL + type: keyword + threat.enrichments.file.accessed: + dashed_name: threat-enrichments-file-accessed + description: 'Last time the file was accessed. + + Note that not all filesystems keep track of access time.' + flat_name: threat.enrichments.file.accessed + level: extended + name: accessed + normalize: [] + original_fieldset: file + short: Last time the file was accessed. + type: date + threat.enrichments.file.attributes: + dashed_name: threat-enrichments-file-attributes + description: 'Array of file attributes. + + Attributes names will vary by platform. Here''s a non-exhaustive list of values + that are expected in this field: archive, compressed, directory, encrypted, + execute, hidden, read, readonly, system, write.' 
+ example: '["readonly", "system"]' + flat_name: threat.enrichments.file.attributes + ignore_above: 1024 + level: extended + name: attributes + normalize: + - array + original_fieldset: file + short: Array of file attributes. + type: keyword + threat.enrichments.file.code_signature.exists: + dashed_name: threat-enrichments-file-code-signature-exists + description: Boolean to capture if a signature is present. + example: 'true' + flat_name: threat.enrichments.file.code_signature.exists + level: core + name: exists + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if a signature is present. + type: boolean + threat.enrichments.file.code_signature.signing_id: + dashed_name: threat-enrichments-file-code-signature-signing-id + description: 'The identifier used to sign the process. + + This is used to identify the application manufactured by a software vendor. + The field is relevant to Apple *OS only.' + example: com.apple.xpc.proxy + flat_name: threat.enrichments.file.code_signature.signing_id + ignore_above: 1024 + level: extended + name: signing_id + normalize: [] + original_fieldset: code_signature + short: The identifier used to sign the process. + type: keyword + threat.enrichments.file.code_signature.status: + dashed_name: threat-enrichments-file-code-signature-status + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + flat_name: threat.enrichments.file.code_signature.status + ignore_above: 1024 + level: extended + name: status + normalize: [] + original_fieldset: code_signature + short: Additional information about the certificate status. 
+ type: keyword + threat.enrichments.file.code_signature.subject_name: + dashed_name: threat-enrichments-file-code-signature-subject-name + description: Subject name of the code signer + example: Microsoft Corporation + flat_name: threat.enrichments.file.code_signature.subject_name + ignore_above: 1024 + level: core + name: subject_name + normalize: [] + original_fieldset: code_signature + short: Subject name of the code signer + type: keyword + threat.enrichments.file.code_signature.team_id: + dashed_name: threat-enrichments-file-code-signature-team-id + description: 'The team identifier used to sign the process. + + This is used to identify the team or vendor of a software product. The field + is relevant to Apple *OS only.' + example: EQHXZ8M8AV + flat_name: threat.enrichments.file.code_signature.team_id + ignore_above: 1024 + level: extended + name: team_id + normalize: [] + original_fieldset: code_signature + short: The team identifier used to sign the process. + type: keyword + threat.enrichments.file.code_signature.trusted: + dashed_name: threat-enrichments-file-code-signature-trusted + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + flat_name: threat.enrichments.file.code_signature.trusted + level: extended + name: trusted + normalize: [] + original_fieldset: code_signature + short: Stores the trust status of the certificate chain. + type: boolean + threat.enrichments.file.code_signature.valid: + dashed_name: threat-enrichments-file-code-signature-valid + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' 
example: 'true' - flat_name: threat.indicator.file.code_signature.valid + flat_name: threat.enrichments.file.code_signature.valid + level: extended + name: valid + normalize: [] + original_fieldset: code_signature + short: Boolean to capture if the digital signature is verified against the binary + content. + type: boolean + threat.enrichments.file.created: + dashed_name: threat-enrichments-file-created + description: 'File creation time. + + Note that not all filesystems store the creation time.' + flat_name: threat.enrichments.file.created + level: extended + name: created + normalize: [] + original_fieldset: file + short: File creation time. + type: date + threat.enrichments.file.ctime: + dashed_name: threat-enrichments-file-ctime + description: 'Last time the file attributes or metadata changed. + + Note that changes to the file content will update `mtime`. This implies `ctime` + will be adjusted at the same time, since `mtime` is an attribute of the file.' + flat_name: threat.enrichments.file.ctime + level: extended + name: ctime + normalize: [] + original_fieldset: file + short: Last time the file attributes or metadata changed. + type: date + threat.enrichments.file.device: + dashed_name: threat-enrichments-file-device + description: Device that is the source of the file. + example: sda + flat_name: threat.enrichments.file.device + ignore_above: 1024 + level: extended + name: device + normalize: [] + original_fieldset: file + short: Device that is the source of the file. + type: keyword + threat.enrichments.file.directory: + dashed_name: threat-enrichments-file-directory + description: Directory where the file is located. It should include the drive + letter, when appropriate. + example: /home/alice + flat_name: threat.enrichments.file.directory + level: extended + name: directory + normalize: [] + original_fieldset: file + short: Directory where the file is located. 
+ type: wildcard + threat.enrichments.file.drive_letter: + dashed_name: threat-enrichments-file-drive-letter + description: 'Drive letter where the file is located. This field is only relevant + on Windows. + + The value should be uppercase, and not include the colon.' + example: C + flat_name: threat.enrichments.file.drive_letter + ignore_above: 1 + level: extended + name: drive_letter + normalize: [] + original_fieldset: file + short: Drive letter where the file is located. + type: keyword + threat.enrichments.file.elf.architecture: + dashed_name: threat-enrichments-file-elf-architecture + description: Machine architecture of the ELF file. + example: x86-64 + flat_name: threat.enrichments.file.elf.architecture + ignore_above: 1024 + level: extended + name: architecture + normalize: [] + original_fieldset: elf + short: Machine architecture of the ELF file. + type: keyword + threat.enrichments.file.elf.byte_order: + dashed_name: threat-enrichments-file-elf-byte-order + description: Byte sequence of ELF file. + example: Little Endian + flat_name: threat.enrichments.file.elf.byte_order + ignore_above: 1024 + level: extended + name: byte_order + normalize: [] + original_fieldset: elf + short: Byte sequence of ELF file. + type: keyword + threat.enrichments.file.elf.cpu_type: + dashed_name: threat-enrichments-file-elf-cpu-type + description: CPU type of the ELF file. + example: Intel + flat_name: threat.enrichments.file.elf.cpu_type + ignore_above: 1024 + level: extended + name: cpu_type + normalize: [] + original_fieldset: elf + short: CPU type of the ELF file. + type: keyword + threat.enrichments.file.elf.creation_date: + dashed_name: threat-enrichments-file-elf-creation-date + description: Extracted when possible from the file's metadata. Indicates when + it was built or compiled. It can also be faked by malware creators. 
+ flat_name: threat.enrichments.file.elf.creation_date + level: extended + name: creation_date + normalize: [] + original_fieldset: elf + short: Build or compile date. + type: date + threat.enrichments.file.elf.exports: + dashed_name: threat-enrichments-file-elf-exports + description: List of exported element names and types. + flat_name: threat.enrichments.file.elf.exports + level: extended + name: exports + normalize: + - array + original_fieldset: elf + short: List of exported element names and types. + type: flattened + threat.enrichments.file.elf.header.abi_version: + dashed_name: threat-enrichments-file-elf-header-abi-version + description: Version of the ELF Application Binary Interface (ABI). + flat_name: threat.enrichments.file.elf.header.abi_version + ignore_above: 1024 + level: extended + name: header.abi_version + normalize: [] + original_fieldset: elf + short: Version of the ELF Application Binary Interface (ABI). + type: keyword + threat.enrichments.file.elf.header.class: + dashed_name: threat-enrichments-file-elf-header-class + description: Header class of the ELF file. + flat_name: threat.enrichments.file.elf.header.class + ignore_above: 1024 + level: extended + name: header.class + normalize: [] + original_fieldset: elf + short: Header class of the ELF file. + type: keyword + threat.enrichments.file.elf.header.data: + dashed_name: threat-enrichments-file-elf-header-data + description: Data table of the ELF header. + flat_name: threat.enrichments.file.elf.header.data + ignore_above: 1024 + level: extended + name: header.data + normalize: [] + original_fieldset: elf + short: Data table of the ELF header. + type: keyword + threat.enrichments.file.elf.header.entrypoint: + dashed_name: threat-enrichments-file-elf-header-entrypoint + description: Header entrypoint of the ELF file. 
+ flat_name: threat.enrichments.file.elf.header.entrypoint + format: string + level: extended + name: header.entrypoint + normalize: [] + original_fieldset: elf + short: Header entrypoint of the ELF file. + type: long + threat.enrichments.file.elf.header.object_version: + dashed_name: threat-enrichments-file-elf-header-object-version + description: '"0x1" for original ELF files.' + flat_name: threat.enrichments.file.elf.header.object_version + ignore_above: 1024 + level: extended + name: header.object_version + normalize: [] + original_fieldset: elf + short: '"0x1" for original ELF files.' + type: keyword + threat.enrichments.file.elf.header.os_abi: + dashed_name: threat-enrichments-file-elf-header-os-abi + description: Application Binary Interface (ABI) of the Linux OS. + flat_name: threat.enrichments.file.elf.header.os_abi + ignore_above: 1024 + level: extended + name: header.os_abi + normalize: [] + original_fieldset: elf + short: Application Binary Interface (ABI) of the Linux OS. + type: keyword + threat.enrichments.file.elf.header.type: + dashed_name: threat-enrichments-file-elf-header-type + description: Header type of the ELF file. + flat_name: threat.enrichments.file.elf.header.type + ignore_above: 1024 + level: extended + name: header.type + normalize: [] + original_fieldset: elf + short: Header type of the ELF file. + type: keyword + threat.enrichments.file.elf.header.version: + dashed_name: threat-enrichments-file-elf-header-version + description: Version of the ELF header. + flat_name: threat.enrichments.file.elf.header.version + ignore_above: 1024 + level: extended + name: header.version + normalize: [] + original_fieldset: elf + short: Version of the ELF header. + type: keyword + threat.enrichments.file.elf.imports: + dashed_name: threat-enrichments-file-elf-imports + description: List of imported element names and types. 
+ flat_name: threat.enrichments.file.elf.imports + level: extended + name: imports + normalize: + - array + original_fieldset: elf + short: List of imported element names and types. + type: flattened + threat.enrichments.file.elf.sections: + dashed_name: threat-enrichments-file-elf-sections + description: 'An array containing an object for each section of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.sections.*`.' + flat_name: threat.enrichments.file.elf.sections + level: extended + name: sections + normalize: + - array + original_fieldset: elf + short: Section information of the ELF file. + type: nested + threat.enrichments.file.elf.sections.chi2: + dashed_name: threat-enrichments-file-elf-sections-chi2 + description: Chi-square probability distribution of the section. + flat_name: threat.enrichments.file.elf.sections.chi2 + format: number + level: extended + name: sections.chi2 + normalize: [] + original_fieldset: elf + short: Chi-square probability distribution of the section. + type: long + threat.enrichments.file.elf.sections.entropy: + dashed_name: threat-enrichments-file-elf-sections-entropy + description: Shannon entropy calculation from the section. + flat_name: threat.enrichments.file.elf.sections.entropy + format: number + level: extended + name: sections.entropy + normalize: [] + original_fieldset: elf + short: Shannon entropy calculation from the section. + type: long + threat.enrichments.file.elf.sections.flags: + dashed_name: threat-enrichments-file-elf-sections-flags + description: ELF Section List flags. + flat_name: threat.enrichments.file.elf.sections.flags + ignore_above: 1024 + level: extended + name: sections.flags + normalize: [] + original_fieldset: elf + short: ELF Section List flags. + type: keyword + threat.enrichments.file.elf.sections.name: + dashed_name: threat-enrichments-file-elf-sections-name + description: ELF Section List name. 
+ flat_name: threat.enrichments.file.elf.sections.name + ignore_above: 1024 + level: extended + name: sections.name + normalize: [] + original_fieldset: elf + short: ELF Section List name. + type: keyword + threat.enrichments.file.elf.sections.physical_offset: + dashed_name: threat-enrichments-file-elf-sections-physical-offset + description: ELF Section List offset. + flat_name: threat.enrichments.file.elf.sections.physical_offset + ignore_above: 1024 + level: extended + name: sections.physical_offset + normalize: [] + original_fieldset: elf + short: ELF Section List offset. + type: keyword + threat.enrichments.file.elf.sections.physical_size: + dashed_name: threat-enrichments-file-elf-sections-physical-size + description: ELF Section List physical size. + flat_name: threat.enrichments.file.elf.sections.physical_size + format: bytes + level: extended + name: sections.physical_size + normalize: [] + original_fieldset: elf + short: ELF Section List physical size. + type: long + threat.enrichments.file.elf.sections.type: + dashed_name: threat-enrichments-file-elf-sections-type + description: ELF Section List type. + flat_name: threat.enrichments.file.elf.sections.type + ignore_above: 1024 + level: extended + name: sections.type + normalize: [] + original_fieldset: elf + short: ELF Section List type. + type: keyword + threat.enrichments.file.elf.sections.virtual_address: + dashed_name: threat-enrichments-file-elf-sections-virtual-address + description: ELF Section List virtual address. + flat_name: threat.enrichments.file.elf.sections.virtual_address + format: string + level: extended + name: sections.virtual_address + normalize: [] + original_fieldset: elf + short: ELF Section List virtual address. + type: long + threat.enrichments.file.elf.sections.virtual_size: + dashed_name: threat-enrichments-file-elf-sections-virtual-size + description: ELF Section List virtual size. 
+ flat_name: threat.enrichments.file.elf.sections.virtual_size + format: string + level: extended + name: sections.virtual_size + normalize: [] + original_fieldset: elf + short: ELF Section List virtual size. + type: long + threat.enrichments.file.elf.segments: + dashed_name: threat-enrichments-file-elf-segments + description: 'An array containing an object for each segment of the ELF file. + + The keys that should be present in these objects are defined by sub-fields + underneath `elf.segments.*`.' + flat_name: threat.enrichments.file.elf.segments + level: extended + name: segments + normalize: + - array + original_fieldset: elf + short: ELF object segment list. + type: nested + threat.enrichments.file.elf.segments.sections: + dashed_name: threat-enrichments-file-elf-segments-sections + description: ELF object segment sections. + flat_name: threat.enrichments.file.elf.segments.sections + ignore_above: 1024 + level: extended + name: segments.sections + normalize: [] + original_fieldset: elf + short: ELF object segment sections. + type: keyword + threat.enrichments.file.elf.segments.type: + dashed_name: threat-enrichments-file-elf-segments-type + description: ELF object segment type. + flat_name: threat.enrichments.file.elf.segments.type + ignore_above: 1024 + level: extended + name: segments.type + normalize: [] + original_fieldset: elf + short: ELF object segment type. + type: keyword + threat.enrichments.file.elf.shared_libraries: + dashed_name: threat-enrichments-file-elf-shared-libraries + description: List of shared libraries used by this ELF object. + flat_name: threat.enrichments.file.elf.shared_libraries + ignore_above: 1024 + level: extended + name: shared_libraries + normalize: + - array + original_fieldset: elf + short: List of shared libraries used by this ELF object. + type: keyword + threat.enrichments.file.elf.telfhash: + dashed_name: threat-enrichments-file-elf-telfhash + description: telfhash symbol hash for ELF file. 
+ flat_name: threat.enrichments.file.elf.telfhash + ignore_above: 1024 + level: extended + name: telfhash + normalize: [] + original_fieldset: elf + short: telfhash hash for ELF file. + type: keyword + threat.enrichments.file.extension: + dashed_name: threat-enrichments-file-extension + description: 'File extension, excluding the leading dot. + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.file.extension + ignore_above: 1024 + level: extended + name: extension + normalize: [] + original_fieldset: file + short: File extension, excluding the leading dot. + type: keyword + threat.enrichments.file.gid: + dashed_name: threat-enrichments-file-gid + description: Primary group ID (GID) of the file. + example: '1001' + flat_name: threat.enrichments.file.gid + ignore_above: 1024 + level: extended + name: gid + normalize: [] + original_fieldset: file + short: Primary group ID (GID) of the file. + type: keyword + threat.enrichments.file.group: + dashed_name: threat-enrichments-file-group + description: Primary group name of the file. + example: alice + flat_name: threat.enrichments.file.group + ignore_above: 1024 + level: extended + name: group + normalize: [] + original_fieldset: file + short: Primary group name of the file. + type: keyword + threat.enrichments.file.inode: + dashed_name: threat-enrichments-file-inode + description: Inode representing the file in the filesystem. + example: '256383' + flat_name: threat.enrichments.file.inode + ignore_above: 1024 + level: extended + name: inode + normalize: [] + original_fieldset: file + short: Inode representing the file in the filesystem. 
+ type: keyword + threat.enrichments.file.mime_type: + dashed_name: threat-enrichments-file-mime-type + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + flat_name: threat.enrichments.file.mime_type + ignore_above: 1024 + level: extended + name: mime_type + normalize: [] + original_fieldset: file + short: Media type of file, document, or arrangement of bytes. + type: keyword + threat.enrichments.file.mode: + dashed_name: threat-enrichments-file-mode + description: Mode of the file in octal representation. + example: '0640' + flat_name: threat.enrichments.file.mode + ignore_above: 1024 level: extended - name: valid + name: mode normalize: [] - original_fieldset: code_signature - short: Boolean to capture if the digital signature is verified against the binary - content. - type: boolean - threat.indicator.file.created: - dashed_name: threat-indicator-file-created - description: 'File creation time. - - Note that not all filesystems store the creation time.' - flat_name: threat.indicator.file.created + original_fieldset: file + short: Mode of the file in octal representation. + type: keyword + threat.enrichments.file.mtime: + dashed_name: threat-enrichments-file-mtime + description: Last time the file content was modified. + flat_name: threat.enrichments.file.mtime level: extended - name: created + name: mtime normalize: [] original_fieldset: file - short: File creation time. + short: Last time the file content was modified. type: date - threat.indicator.file.ctime: - dashed_name: threat-indicator-file-ctime - description: 'Last time the file attributes or metadata changed. + threat.enrichments.file.name: + dashed_name: threat-enrichments-file-name + description: Name of the file including the extension, without the directory. 
+ example: example.png + flat_name: threat.enrichments.file.name + ignore_above: 1024 + level: extended + name: name + normalize: [] + original_fieldset: file + short: Name of the file including the extension, without the directory. + type: keyword + threat.enrichments.file.owner: + dashed_name: threat-enrichments-file-owner + description: File owner's username. + example: alice + flat_name: threat.enrichments.file.owner + ignore_above: 1024 + level: extended + name: owner + normalize: [] + original_fieldset: file + short: File owner's username. + type: keyword + threat.enrichments.file.path: + dashed_name: threat-enrichments-file-path + description: Full path to the file, including the file name. It should include + the drive letter, when appropriate. + example: /home/alice/example.png + flat_name: threat.enrichments.file.path + level: extended + multi_fields: + - flat_name: threat.enrichments.file.path.text + name: text + norms: false + type: text + name: path + normalize: [] + original_fieldset: file + short: Full path to the file, including the file name. + type: wildcard + threat.enrichments.file.size: + dashed_name: threat-enrichments-file-size + description: 'File size in bytes. - Note that changes to the file content will update `mtime`. This implies `ctime` - will be adjusted at the same time, since `mtime` is an attribute of the file.' - flat_name: threat.indicator.file.ctime + Only relevant when `file.type` is "file".' + example: 16384 + flat_name: threat.enrichments.file.size + level: extended + name: size + normalize: [] + original_fieldset: file + short: File size in bytes. + type: long + threat.enrichments.file.target_path: + dashed_name: threat-enrichments-file-target-path + description: Target path for symlinks. 
+ flat_name: threat.enrichments.file.target_path + level: extended + multi_fields: + - flat_name: threat.enrichments.file.target_path.text + name: text + norms: false + type: text + name: target_path + normalize: [] + original_fieldset: file + short: Target path for symlinks. + type: wildcard + threat.enrichments.file.type: + dashed_name: threat-enrichments-file-type + description: File type (file, dir, or symlink). + example: file + flat_name: threat.enrichments.file.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: file + short: File type (file, dir, or symlink). + type: keyword + threat.enrichments.file.uid: + dashed_name: threat-enrichments-file-uid + description: The user ID (UID) or security identifier (SID) of the file owner. + example: '1001' + flat_name: threat.enrichments.file.uid + ignore_above: 1024 + level: extended + name: uid + normalize: [] + original_fieldset: file + short: The user ID (UID) or security identifier (SID) of the file owner. + type: keyword + threat.enrichments.geo.city_name: + dashed_name: threat-enrichments-geo-city-name + description: City name. + example: Montreal + flat_name: threat.enrichments.geo.city_name + ignore_above: 1024 + level: core + name: city_name + normalize: [] + original_fieldset: geo + short: City name. + type: keyword + threat.enrichments.geo.continent_code: + dashed_name: threat-enrichments-geo-continent-code + description: Two-letter code representing continent's name. + example: NA + flat_name: threat.enrichments.geo.continent_code + ignore_above: 1024 + level: core + name: continent_code + normalize: [] + original_fieldset: geo + short: Continent code. + type: keyword + threat.enrichments.geo.continent_name: + dashed_name: threat-enrichments-geo-continent-name + description: Name of the continent. 
+ example: North America + flat_name: threat.enrichments.geo.continent_name + ignore_above: 1024 + level: core + name: continent_name + normalize: [] + original_fieldset: geo + short: Name of the continent. + type: keyword + threat.enrichments.geo.country_iso_code: + dashed_name: threat-enrichments-geo-country-iso-code + description: Country ISO code. + example: CA + flat_name: threat.enrichments.geo.country_iso_code + ignore_above: 1024 + level: core + name: country_iso_code + normalize: [] + original_fieldset: geo + short: Country ISO code. + type: keyword + threat.enrichments.geo.country_name: + dashed_name: threat-enrichments-geo-country-name + description: Country name. + example: Canada + flat_name: threat.enrichments.geo.country_name + ignore_above: 1024 + level: core + name: country_name + normalize: [] + original_fieldset: geo + short: Country name. + type: keyword + threat.enrichments.geo.location: + dashed_name: threat-enrichments-geo-location + description: Longitude and latitude. + example: '{ "lon": -73.614830, "lat": 45.505918 }' + flat_name: threat.enrichments.geo.location + level: core + name: location + normalize: [] + original_fieldset: geo + short: Longitude and latitude. + type: geo_point + threat.enrichments.geo.name: + dashed_name: threat-enrichments-geo-name + description: 'User-defined description of a location, at the level of granularity + they care about. + + Could be the name of their data centers, the floor number, if this describes + a local physical entity, city names. + + Not typically used in automated geolocation.' + example: boston-dc + flat_name: threat.enrichments.geo.name + level: extended + name: name + normalize: [] + original_fieldset: geo + short: User-defined description of a location. + type: wildcard + threat.enrichments.geo.postal_code: + dashed_name: threat-enrichments-geo-postal-code + description: 'Postal code associated with the location. 
+ + Values appropriate for this field may also be known as a postcode or ZIP code + and will vary widely from country to country.' + example: 94040 + flat_name: threat.enrichments.geo.postal_code + ignore_above: 1024 + level: core + name: postal_code + normalize: [] + original_fieldset: geo + short: Postal code. + type: keyword + threat.enrichments.geo.region_iso_code: + dashed_name: threat-enrichments-geo-region-iso-code + description: Region ISO code. + example: CA-QC + flat_name: threat.enrichments.geo.region_iso_code + ignore_above: 1024 + level: core + name: region_iso_code + normalize: [] + original_fieldset: geo + short: Region ISO code. + type: keyword + threat.enrichments.geo.region_name: + dashed_name: threat-enrichments-geo-region-name + description: Region name. + example: Quebec + flat_name: threat.enrichments.geo.region_name + ignore_above: 1024 + level: core + name: region_name + normalize: [] + original_fieldset: geo + short: Region name. + type: keyword + threat.enrichments.geo.timezone: + dashed_name: threat-enrichments-geo-timezone + description: The time zone of the location, such as IANA time zone name. + example: America/Argentina/Buenos_Aires + flat_name: threat.enrichments.geo.timezone + ignore_above: 1024 + level: core + name: timezone + normalize: [] + original_fieldset: geo + short: Time zone. + type: keyword + threat.enrichments.hash.md5: + dashed_name: threat-enrichments-hash-md5 + description: MD5 hash. + flat_name: threat.enrichments.hash.md5 + ignore_above: 1024 + level: extended + name: md5 + normalize: [] + original_fieldset: hash + short: MD5 hash. + type: keyword + threat.enrichments.hash.sha1: + dashed_name: threat-enrichments-hash-sha1 + description: SHA1 hash. + flat_name: threat.enrichments.hash.sha1 + ignore_above: 1024 + level: extended + name: sha1 + normalize: [] + original_fieldset: hash + short: SHA1 hash. 
+ type: keyword + threat.enrichments.hash.sha256: + dashed_name: threat-enrichments-hash-sha256 + description: SHA256 hash. + flat_name: threat.enrichments.hash.sha256 + ignore_above: 1024 + level: extended + name: sha256 + normalize: [] + original_fieldset: hash + short: SHA256 hash. + type: keyword + threat.enrichments.hash.sha512: + dashed_name: threat-enrichments-hash-sha512 + description: SHA512 hash. + flat_name: threat.enrichments.hash.sha512 + ignore_above: 1024 + level: extended + name: sha512 + normalize: [] + original_fieldset: hash + short: SHA512 hash. + type: keyword + threat.enrichments.hash.ssdeep: + dashed_name: threat-enrichments-hash-ssdeep + description: SSDEEP hash. + flat_name: threat.enrichments.hash.ssdeep + ignore_above: 1024 + level: extended + name: ssdeep + normalize: [] + original_fieldset: hash + short: SSDEEP hash. + type: keyword + threat.enrichments.matched.atomic: + dashed_name: threat-enrichments-matched-atomic + description: Identifies the atomic indicator value that matched a local environment + endpoint or network event. + example: bad-domain.com + flat_name: threat.enrichments.matched.atomic + ignore_above: 1024 + level: extended + name: enrichments.matched.atomic + normalize: [] + short: Matched indicator value + type: keyword + threat.enrichments.matched.field: + dashed_name: threat-enrichments-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.enrichments.matched.field + ignore_above: 1024 + level: extended + name: enrichments.matched.field + normalize: [] + short: Matched indicator field + type: keyword + threat.enrichments.matched.id: + dashed_name: threat-enrichments-matched-id + description: Identifies the _id of the indicator document enriching the event. 
+ example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + flat_name: threat.enrichments.matched.id + ignore_above: 1024 + level: extended + name: enrichments.matched.id + normalize: [] + short: Matched indicator identifier + type: keyword + threat.enrichments.matched.index: + dashed_name: threat-enrichments-matched-index + description: Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + flat_name: threat.enrichments.matched.index + ignore_above: 1024 level: extended - name: ctime + name: enrichments.matched.index normalize: [] - original_fieldset: file - short: Last time the file attributes or metadata changed. - type: date - threat.indicator.file.device: - dashed_name: threat-indicator-file-device - description: Device that is the source of the file. - example: sda - flat_name: threat.indicator.file.device + short: Matched indicator index + type: keyword + threat.enrichments.matched.type: + dashed_name: threat-enrichments-matched-type + description: Identifies the type of match that caused the event to be enriched + with the given indicator + example: indicator_match_rule + flat_name: threat.enrichments.matched.type ignore_above: 1024 level: extended - name: device + name: enrichments.matched.type normalize: [] - original_fieldset: file - short: Device that is the source of the file. + short: Type of indicator match type: keyword - threat.indicator.file.directory: - dashed_name: threat-indicator-file-directory - description: Directory where the file is located. It should include the drive - letter, when appropriate. - example: /home/alice - flat_name: threat.indicator.file.directory + threat.enrichments.pe.architecture: + dashed_name: threat-enrichments-pe-architecture + description: CPU architecture target for the file. 
+ example: x64 + flat_name: threat.enrichments.pe.architecture + ignore_above: 1024 level: extended - name: directory + name: architecture normalize: [] - original_fieldset: file - short: Directory where the file is located. - type: wildcard - threat.indicator.file.drive_letter: - dashed_name: threat-indicator-file-drive-letter - description: 'Drive letter where the file is located. This field is only relevant - on Windows. - - The value should be uppercase, and not include the colon.' - example: C - flat_name: threat.indicator.file.drive_letter - ignore_above: 1 + original_fieldset: pe + short: CPU architecture target for the file. + type: keyword + threat.enrichments.pe.authentihash: + dashed_name: threat-enrichments-pe-authentihash + description: Authentihash of the PE file. + example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 + flat_name: threat.enrichments.pe.authentihash + ignore_above: 1024 level: extended - name: drive_letter + name: authentihash normalize: [] - original_fieldset: file - short: Drive letter where the file is located. + original_fieldset: pe + short: Authentihash of the PE file. type: keyword - threat.indicator.file.elf.architecture: - dashed_name: threat-indicator-file-elf-architecture - description: Machine architecture of the ELF file. - example: x86-64 - flat_name: threat.indicator.file.elf.architecture + threat.enrichments.pe.company: + dashed_name: threat-enrichments-pe-company + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + flat_name: threat.enrichments.pe.company ignore_above: 1024 level: extended - name: architecture + name: company normalize: [] - original_fieldset: elf - short: Machine architecture of the ELF file. + original_fieldset: pe + short: Internal company name of the file, provided at compile-time. 
type: keyword - threat.indicator.file.elf.byte_order: - dashed_name: threat-indicator-file-elf-byte-order - description: Byte sequence of ELF file. - example: Little Endian - flat_name: threat.indicator.file.elf.byte_order + threat.enrichments.pe.compile_timestamp: + dashed_name: threat-enrichments-pe-compile-timestamp + description: Compile timestamp of the PE file. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.compile_timestamp + level: extended + name: compile_timestamp + normalize: [] + original_fieldset: pe + short: Compile timestamp of the PE file. + type: date + threat.enrichments.pe.compiler.name: + dashed_name: threat-enrichments-pe-compiler-name + description: Name of the compiler + example: Clang + flat_name: threat.enrichments.pe.compiler.name ignore_above: 1024 level: extended - name: byte_order + name: compiler.name normalize: [] - original_fieldset: elf - short: Byte sequence of ELF file. + original_fieldset: pe + short: Name of the compiler type: keyword - threat.indicator.file.elf.cpu_type: - dashed_name: threat-indicator-file-elf-cpu-type - description: CPU type of the ELF file. - example: Intel - flat_name: threat.indicator.file.elf.cpu_type + threat.enrichments.pe.compiler.version: + dashed_name: threat-enrichments-pe-compiler-version + description: Version of the compiler. + example: 11.0.0 + flat_name: threat.enrichments.pe.compiler.version ignore_above: 1024 level: extended - name: cpu_type + name: compiler.version normalize: [] - original_fieldset: elf - short: CPU type of the ELF file. + original_fieldset: pe + short: Version of the compiler. type: keyword - threat.indicator.file.elf.creation_date: - dashed_name: threat-indicator-file-elf-creation-date + threat.enrichments.pe.creation_date: + dashed_name: threat-enrichments-pe-creation-date description: Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. 
- flat_name: threat.indicator.file.elf.creation_date + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.creation_date level: extended name: creation_date normalize: [] - original_fieldset: elf + original_fieldset: pe short: Build or compile date. type: date - threat.indicator.file.elf.exports: - dashed_name: threat-indicator-file-elf-exports - description: List of exported element names and types. - flat_name: threat.indicator.file.elf.exports + threat.enrichments.pe.debug: + dashed_name: threat-enrichments-pe-debug + description: 'An array containing an object for each debug entry, if present. + + The expected fields for this nested object fall under the `debug.` prefix.' + flat_name: threat.enrichments.pe.debug + level: extended + name: debug + normalize: + - array + original_fieldset: pe + short: Debug information + type: nested + threat.enrichments.pe.debug.offset: + dashed_name: threat-enrichments-pe-debug-offset + description: Debug offset information. + example: 1296336 + flat_name: threat.enrichments.pe.debug.offset + ignore_above: 1024 + level: extended + name: debug.offset + normalize: [] + original_fieldset: pe + short: Debug offset information. + type: keyword + threat.enrichments.pe.debug.size: + dashed_name: threat-enrichments-pe-debug-size + description: Size of the debug information. + example: 816 + flat_name: threat.enrichments.pe.debug.size + format: bytes + level: extended + name: debug.size + normalize: [] + original_fieldset: pe + short: Size of the debug information. + type: long + threat.enrichments.pe.debug.timestamp: + dashed_name: threat-enrichments-pe-debug-timestamp + description: Timestamp of the debug information. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.enrichments.pe.debug.timestamp + level: extended + name: debug.timestamp + normalize: [] + original_fieldset: pe + short: Timestamp of the debug information. 
+ type: date + threat.enrichments.pe.debug.type: + dashed_name: threat-enrichments-pe-debug-type + description: Information type generated by the debug options. + example: IMAGE_DEBUG_TYPE_POGO + flat_name: threat.enrichments.pe.debug.type + ignore_above: 1024 + level: extended + name: debug.type + normalize: [] + original_fieldset: pe + short: Information type generated by the debug options. + type: keyword + threat.enrichments.pe.description: + dashed_name: threat-enrichments-pe-description + description: Internal description of the file, provided at compile-time. + example: Paint + flat_name: threat.enrichments.pe.description + ignore_above: 1024 + level: extended + name: description + normalize: [] + original_fieldset: pe + short: Internal description of the file, provided at compile-time. + type: keyword + threat.enrichments.pe.entry_point: + dashed_name: threat-enrichments-pe-entry-point + description: Relative byte offset to the base of the PE file. + example: 25856 + flat_name: threat.enrichments.pe.entry_point + ignore_above: 1024 + level: extended + name: entry_point + normalize: [] + original_fieldset: pe + short: Relative byte offset to the base of the PE file. + type: keyword + threat.enrichments.pe.exports: + dashed_name: threat-enrichments-pe-exports + description: List of symbols exported by PE + example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' + flat_name: threat.enrichments.pe.exports + ignore_above: 1024 level: extended name: exports normalize: - array - original_fieldset: elf - short: List of exported element names and types. - type: flattened - threat.indicator.file.elf.header.abi_version: - dashed_name: threat-indicator-file-elf-header-abi-version - description: Version of the ELF Application Binary Interface (ABI). 
- flat_name: threat.indicator.file.elf.header.abi_version + original_fieldset: pe + short: List of symbols exported by PE + type: keyword + threat.enrichments.pe.file_version: + dashed_name: threat-enrichments-pe-file-version + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + flat_name: threat.enrichments.pe.file_version ignore_above: 1024 level: extended - name: header.abi_version + name: file_version normalize: [] - original_fieldset: elf - short: Version of the ELF Application Binary Interface (ABI). + original_fieldset: pe + short: Process name. type: keyword - threat.indicator.file.elf.header.class: - dashed_name: threat-indicator-file-elf-header-class - description: Header class of the ELF file. - flat_name: threat.indicator.file.elf.header.class + threat.enrichments.pe.icon.hash.dhash: + dashed_name: threat-enrichments-pe-icon-hash-dhash + description: Difference Hash (dhash) to find files with a visually similar icon + or thumbnail. + example: b806e17c8e330d82 + flat_name: threat.enrichments.pe.icon.hash.dhash ignore_above: 1024 level: extended - name: header.class + name: icon.hash.dhash normalize: [] - original_fieldset: elf - short: Header class of the ELF file. + original_fieldset: pe + short: Difference Hash (dhash) to find files with a visually similar icon or + thumbnail. type: keyword - threat.indicator.file.elf.header.data: - dashed_name: threat-indicator-file-elf-header-data - description: Data table of the ELF header. - flat_name: threat.indicator.file.elf.header.data + threat.enrichments.pe.imphash: + dashed_name: threat-enrichments-pe-imphash + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' 
+ example: 0c6803c4e922103c4dca5963aad36ddf + flat_name: threat.enrichments.pe.imphash ignore_above: 1024 level: extended - name: header.data + name: imphash normalize: [] - original_fieldset: elf - short: Data table of the ELF header. + original_fieldset: pe + short: A hash of the imports in a PE file. type: keyword - threat.indicator.file.elf.header.entrypoint: - dashed_name: threat-indicator-file-elf-header-entrypoint - description: Header entrypoint of the ELF file. - flat_name: threat.indicator.file.elf.header.entrypoint - format: string + threat.enrichments.pe.imports: + dashed_name: threat-enrichments-pe-imports + description: List of all imported functions + example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" + }' + flat_name: threat.enrichments.pe.imports level: extended - name: header.entrypoint + name: imports normalize: [] - original_fieldset: elf - short: Header entrypoint of the ELF file. - type: long - threat.indicator.file.elf.header.object_version: - dashed_name: threat-indicator-file-elf-header-object-version - description: '"0x1" for original ELF files.' - flat_name: threat.indicator.file.elf.header.object_version + original_fieldset: pe + short: List of all imported functions + type: flattened + threat.enrichments.pe.machine_type: + dashed_name: threat-enrichments-pe-machine-type + description: Machine type of the PE file. + example: Intel 386 or later, and compatibles + flat_name: threat.enrichments.pe.machine_type + ignore_above: 1024 + level: extended + name: machine_type + normalize: [] + original_fieldset: pe + short: Machine type of the PE file. + type: keyword + threat.enrichments.pe.original_file_name: + dashed_name: threat-enrichments-pe-original-file-name + description: Internal name of the file, provided at compile-time. 
+ example: MSPAINT.EXE + flat_name: threat.enrichments.pe.original_file_name + level: extended + name: original_file_name + normalize: [] + original_fieldset: pe + short: Internal name of the file, provided at compile-time. + type: wildcard + threat.enrichments.pe.packers: + dashed_name: threat-enrichments-pe-packers + description: List of packers and tools used. + example: '["ASPack v2.12", ".NET executable"]' + flat_name: threat.enrichments.pe.packers + ignore_above: 1024 + level: extended + name: packers + normalize: + - array + original_fieldset: pe + short: List of packers and tools used. + type: keyword + threat.enrichments.pe.product: + dashed_name: threat-enrichments-pe-product + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + flat_name: threat.enrichments.pe.product ignore_above: 1024 level: extended - name: header.object_version + name: product + normalize: [] + original_fieldset: pe + short: Internal product name of the file, provided at compile-time. + type: keyword + threat.enrichments.pe.resources: + dashed_name: threat-enrichments-pe-resources + description: 'An array containing an object for each PE resource, if present. + + The expected fields for this nested object fall under the `resources.` prefix.' + flat_name: threat.enrichments.pe.resources + level: extended + name: resources + normalize: + - array + original_fieldset: pe + short: PE resource information + type: nested + threat.enrichments.pe.resources.chi2: + dashed_name: threat-enrichments-pe-resources-chi2 + description: Chi-square probability distribution. + example: -1 + flat_name: threat.enrichments.pe.resources.chi2 + level: extended + name: resources.chi2 + normalize: [] + original_fieldset: pe + short: Chi-square probability distribution. 
+ type: long + threat.enrichments.pe.resources.entropy: + dashed_name: threat-enrichments-pe-resources-entropy + description: Measurement of entropy randomness in the resources section. + example: 0, 1 + flat_name: threat.enrichments.pe.resources.entropy + level: extended + name: resources.entropy normalize: [] - original_fieldset: elf - short: '"0x1" for original ELF files.' - type: keyword - threat.indicator.file.elf.header.os_abi: - dashed_name: threat-indicator-file-elf-header-os-abi - description: Application Binary Interface (ABI) of the Linux OS. - flat_name: threat.indicator.file.elf.header.os_abi + original_fieldset: pe + short: Measurement of entropy randomness in the resources section. + type: long + threat.enrichments.pe.resources.filetype: + dashed_name: threat-enrichments-pe-resources-filetype + description: File type of the resources section. + example: Data + flat_name: threat.enrichments.pe.resources.filetype ignore_above: 1024 level: extended - name: header.os_abi + name: resources.filetype normalize: [] - original_fieldset: elf - short: Application Binary Interface (ABI) of the Linux OS. + original_fieldset: pe + short: File type of the resources section. type: keyword - threat.indicator.file.elf.header.type: - dashed_name: threat-indicator-file-elf-header-type - description: Header type of the ELF file. - flat_name: threat.indicator.file.elf.header.type + threat.enrichments.pe.resources.language: + dashed_name: threat-enrichments-pe-resources-language + description: Language identification. + example: CHINESE SIMPLIFIED + flat_name: threat.enrichments.pe.resources.language ignore_above: 1024 level: extended - name: header.type + name: resources.language normalize: [] - original_fieldset: elf - short: Header type of the ELF file. + original_fieldset: pe + short: Language identification. type: keyword - threat.indicator.file.elf.header.version: - dashed_name: threat-indicator-file-elf-header-version - description: Version of the ELF header. 
- flat_name: threat.indicator.file.elf.header.version + threat.enrichments.pe.resources.sha256: + dashed_name: threat-enrichments-pe-resources-sha256 + description: SHA256 hash of resources section. + example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 + flat_name: threat.enrichments.pe.resources.sha256 ignore_above: 1024 level: extended - name: header.version + name: resources.sha256 normalize: [] - original_fieldset: elf - short: Version of the ELF header. + original_fieldset: pe + short: SHA256 hash of resources section. type: keyword - threat.indicator.file.elf.imports: - dashed_name: threat-indicator-file-elf-imports - description: List of imported element names and types. - flat_name: threat.indicator.file.elf.imports + threat.enrichments.pe.resources.type: + dashed_name: threat-enrichments-pe-resources-type + description: Digest of resource types. + example: '["RT_VERSION", "RT_MANIFEST"]' + flat_name: threat.enrichments.pe.resources.type + ignore_above: 1024 level: extended - name: imports + name: resources.type normalize: - array - original_fieldset: elf - short: List of imported element names and types. - type: flattened - threat.indicator.file.elf.sections: - dashed_name: threat-indicator-file-elf-sections - description: 'An array containing an object for each section of the ELF file. - - The keys that should be present in these objects are defined by sub-fields - underneath `elf.sections.*`.' - flat_name: threat.indicator.file.elf.sections + original_fieldset: pe + short: List of resource types. + type: keyword + threat.enrichments.pe.rich_header.hash.md5: + dashed_name: threat-enrichments-pe-rich-header-hash-md5 + description: MD5 hash of the header for the PE file. + example: 5aa1aa0f2b4be70397a1e9e2b87627cd + flat_name: threat.enrichments.pe.rich_header.hash.md5 + ignore_above: 1024 + level: extended + name: rich_header.hash.md5 + normalize: [] + original_fieldset: pe + short: MD5 hash of the header for the PE file. 
+ type: keyword + threat.enrichments.pe.sections: + dashed_name: threat-enrichments-pe-sections + description: Data about sections of compiled binary PE + flat_name: threat.enrichments.pe.sections level: extended name: sections normalize: - array - original_fieldset: elf - short: Section information of the ELF file. + original_fieldset: pe + short: Data about sections of the compiled binary PE type: nested - threat.indicator.file.elf.sections.chi2: - dashed_name: threat-indicator-file-elf-sections-chi2 - description: Chi-square probability distribution of the section. - flat_name: threat.indicator.file.elf.sections.chi2 - format: number + threat.enrichments.pe.sections.chi2: + dashed_name: threat-enrichments-pe-sections-chi2 + description: Chi-square probability distribution. + example: 3027194 + flat_name: threat.enrichments.pe.sections.chi2 level: extended name: sections.chi2 normalize: [] - original_fieldset: elf - short: Chi-square probability distribution of the section. + original_fieldset: pe + short: Chi-square probability distribution. type: long - threat.indicator.file.elf.sections.entropy: - dashed_name: threat-indicator-file-elf-sections-entropy - description: Shannon entropy calculation from the section. - flat_name: threat.indicator.file.elf.sections.entropy - format: number + threat.enrichments.pe.sections.entropy: + dashed_name: threat-enrichments-pe-sections-entropy + description: Measurement of entropy randomness in the file. + example: 6.24 + flat_name: threat.enrichments.pe.sections.entropy level: extended name: sections.entropy normalize: [] - original_fieldset: elf - short: Shannon entropy calculation from the section. - type: long - threat.indicator.file.elf.sections.flags: - dashed_name: threat-indicator-file-elf-sections-flags - description: ELF Section List flags. - flat_name: threat.indicator.file.elf.sections.flags + original_fieldset: pe + short: Measurement of entropy randomness in the file. 
+ type: float + threat.enrichments.pe.sections.flags: + dashed_name: threat-enrichments-pe-sections-flags + description: Section flags of the file. + example: rx + flat_name: threat.enrichments.pe.sections.flags ignore_above: 1024 level: extended name: sections.flags normalize: [] - original_fieldset: elf - short: ELF Section List flags. + original_fieldset: pe + short: Section flags of the file. type: keyword - threat.indicator.file.elf.sections.name: - dashed_name: threat-indicator-file-elf-sections-name - description: ELF Section List name. - flat_name: threat.indicator.file.elf.sections.name + threat.enrichments.pe.sections.name: + dashed_name: threat-enrichments-pe-sections-name + description: Section names of the file. + example: .text, .data + flat_name: threat.enrichments.pe.sections.name ignore_above: 1024 level: extended name: sections.name normalize: [] - original_fieldset: elf - short: ELF Section List name. - type: keyword - threat.indicator.file.elf.sections.physical_offset: - dashed_name: threat-indicator-file-elf-sections-physical-offset - description: ELF Section List offset. - flat_name: threat.indicator.file.elf.sections.physical_offset - ignore_above: 1024 - level: extended - name: sections.physical_offset - normalize: [] - original_fieldset: elf - short: ELF Section List offset. + original_fieldset: pe + short: Section names of the file. type: keyword - threat.indicator.file.elf.sections.physical_size: - dashed_name: threat-indicator-file-elf-sections-physical-size - description: ELF Section List physical size. - flat_name: threat.indicator.file.elf.sections.physical_size + threat.enrichments.pe.sections.raw_size: + dashed_name: threat-enrichments-pe-sections-raw-size + description: Size of the section or the dize of the initialized data on disk. 
+ example: 198144 + flat_name: threat.enrichments.pe.sections.raw_size format: bytes level: extended - name: sections.physical_size + name: sections.raw_size normalize: [] - original_fieldset: elf - short: ELF Section List physical size. + original_fieldset: pe + short: Size of the section or the dize of the initialized data on disk. type: long - threat.indicator.file.elf.sections.type: - dashed_name: threat-indicator-file-elf-sections-type - description: ELF Section List type. - flat_name: threat.indicator.file.elf.sections.type - ignore_above: 1024 - level: extended - name: sections.type - normalize: [] - original_fieldset: elf - short: ELF Section List type. - type: keyword - threat.indicator.file.elf.sections.virtual_address: - dashed_name: threat-indicator-file-elf-sections-virtual-address - description: ELF Section List virtual address. - flat_name: threat.indicator.file.elf.sections.virtual_address - format: string + threat.enrichments.pe.sections.virtual_address: + dashed_name: threat-enrichments-pe-sections-virtual-address + description: Virtual address available to the file. + example: 8192 + flat_name: threat.enrichments.pe.sections.virtual_address + format: bytes level: extended name: sections.virtual_address normalize: [] - original_fieldset: elf - short: ELF Section List virtual address. - type: long - threat.indicator.file.elf.sections.virtual_size: - dashed_name: threat-indicator-file-elf-sections-virtual-size - description: ELF Section List virtual size. - flat_name: threat.indicator.file.elf.sections.virtual_size - format: string - level: extended - name: sections.virtual_size - normalize: [] - original_fieldset: elf - short: ELF Section List virtual size. + original_fieldset: pe + short: Virtual address available to the file. type: long - threat.indicator.file.elf.segments: - dashed_name: threat-indicator-file-elf-segments - description: 'An array containing an object for each segment of the ELF file. 
+ threat.enrichments.registry.data.bytes: + dashed_name: threat-enrichments-registry-data-bytes + description: 'Original bytes written with base64 encoding. - The keys that should be present in these objects are defined by sub-fields - underneath `elf.segments.*`.' - flat_name: threat.indicator.file.elf.segments - level: extended - name: segments - normalize: - - array - original_fieldset: elf - short: ELF object segment list. - type: nested - threat.indicator.file.elf.segments.sections: - dashed_name: threat-indicator-file-elf-segments-sections - description: ELF object segment sections. - flat_name: threat.indicator.file.elf.segments.sections - ignore_above: 1024 - level: extended - name: segments.sections - normalize: [] - original_fieldset: elf - short: ELF object segment sections. - type: keyword - threat.indicator.file.elf.segments.type: - dashed_name: threat-indicator-file-elf-segments-type - description: ELF object segment type. - flat_name: threat.indicator.file.elf.segments.type + For Windows registry operations, such as SetValueEx and RegQueryValueEx, this + corresponds to the data pointed by `lp_data`. This is optional but provides + better recoverability and should be populated for REG_BINARY encoded values.' + example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + flat_name: threat.enrichments.registry.data.bytes ignore_above: 1024 level: extended - name: segments.type + name: data.bytes normalize: [] - original_fieldset: elf - short: ELF object segment type. + original_fieldset: registry + short: Original bytes written with base64 encoding. type: keyword - threat.indicator.file.elf.shared_libraries: - dashed_name: threat-indicator-file-elf-shared-libraries - description: List of shared libraries used by this ELF object. 
- flat_name: threat.indicator.file.elf.shared_libraries - ignore_above: 1024 - level: extended - name: shared_libraries + threat.enrichments.registry.data.strings: + dashed_name: threat-enrichments-registry-data-strings + description: 'Content when writing string types. + + Populated as an array when writing string data to the registry. For single + string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with + one string. For sequences of string with REG_MULTI_SZ, this array will be + variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should + be populated with the decimal representation (e.g `"1"`).' + example: '["C:\rta\red_ttp\bin\myapp.exe"]' + flat_name: threat.enrichments.registry.data.strings + level: core + name: data.strings normalize: - array - original_fieldset: elf - short: List of shared libraries used by this ELF object. - type: keyword - threat.indicator.file.elf.telfhash: - dashed_name: threat-indicator-file-elf-telfhash - description: telfhash symbol hash for ELF file. - flat_name: threat.indicator.file.elf.telfhash - ignore_above: 1024 - level: extended - name: telfhash - normalize: [] - original_fieldset: elf - short: telfhash hash for ELF file. - type: keyword - threat.indicator.file.extension: - dashed_name: threat-indicator-file-extension - description: 'File extension, excluding the leading dot. - - Note that when the file name has multiple extensions (example.tar.gz), only - the last one should be captured ("gz", not "tar.gz").' - example: png - flat_name: threat.indicator.file.extension - ignore_above: 1024 - level: extended - name: extension - normalize: [] - original_fieldset: file - short: File extension, excluding the leading dot. - type: keyword - threat.indicator.file.gid: - dashed_name: threat-indicator-file-gid - description: Primary group ID (GID) of the file. 
- example: '1001' - flat_name: threat.indicator.file.gid + original_fieldset: registry + short: List of strings representing what was written to the registry. + type: wildcard + threat.enrichments.registry.data.type: + dashed_name: threat-enrichments-registry-data-type + description: Standard registry type for encoding contents + example: REG_SZ + flat_name: threat.enrichments.registry.data.type ignore_above: 1024 - level: extended - name: gid + level: core + name: data.type normalize: [] - original_fieldset: file - short: Primary group ID (GID) of the file. + original_fieldset: registry + short: Standard registry type for encoding contents type: keyword - threat.indicator.file.group: - dashed_name: threat-indicator-file-group - description: Primary group name of the file. - example: alice - flat_name: threat.indicator.file.group + threat.enrichments.registry.hive: + dashed_name: threat-enrichments-registry-hive + description: Abbreviated name for the hive. + example: HKLM + flat_name: threat.enrichments.registry.hive ignore_above: 1024 - level: extended - name: group + level: core + name: hive normalize: [] - original_fieldset: file - short: Primary group name of the file. + original_fieldset: registry + short: Abbreviated name for the hive. type: keyword - threat.indicator.file.inode: - dashed_name: threat-indicator-file-inode - description: Inode representing the file in the filesystem. - example: '256383' - flat_name: threat.indicator.file.inode - ignore_above: 1024 - level: extended - name: inode + threat.enrichments.registry.key: + dashed_name: threat-enrichments-registry-key + description: Hive-relative path of keys. + example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + flat_name: threat.enrichments.registry.key + level: core + name: key normalize: [] - original_fieldset: file - short: Inode representing the file in the filesystem. 
- type: keyword - threat.indicator.file.mime_type: - dashed_name: threat-indicator-file-mime-type - description: MIME type should identify the format of the file or stream of bytes - using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA - official types], where possible. When more than one type is applicable, the - most specific type should be used. - flat_name: threat.indicator.file.mime_type - ignore_above: 1024 - level: extended - name: mime_type + original_fieldset: registry + short: Hive-relative path of keys. + type: wildcard + threat.enrichments.registry.path: + dashed_name: threat-enrichments-registry-path + description: Full path, including hive, key and value + example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution + Options\winword.exe\Debugger + flat_name: threat.enrichments.registry.path + level: core + name: path normalize: [] - original_fieldset: file - short: Media type of file, document, or arrangement of bytes. - type: keyword - threat.indicator.file.mode: - dashed_name: threat-indicator-file-mode - description: Mode of the file in octal representation. - example: '0640' - flat_name: threat.indicator.file.mode + original_fieldset: registry + short: Full path, including hive, key and value + type: wildcard + threat.enrichments.registry.value: + dashed_name: threat-enrichments-registry-value + description: Name of the value written. + example: Debugger + flat_name: threat.enrichments.registry.value ignore_above: 1024 - level: extended - name: mode + level: core + name: value normalize: [] - original_fieldset: file - short: Mode of the file in octal representation. + original_fieldset: registry + short: Name of the value written. type: keyword - threat.indicator.file.mtime: - dashed_name: threat-indicator-file-mtime - description: Last time the file content was modified. 
- flat_name: threat.indicator.file.mtime + threat.enrichments.url.domain: + dashed_name: threat-enrichments-url-domain + description: 'Domain of the url, such as "www.elastic.co". + + In some cases a URL may refer to an IP and/or port directly, without a domain + name. In this case, the IP address would go to the `domain` field. + + If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC + 2732), the `[` and `]` characters should also be captured in the `domain` + field.' + example: www.elastic.co + flat_name: threat.enrichments.url.domain level: extended - name: mtime + name: domain normalize: [] - original_fieldset: file - short: Last time the file content was modified. - type: date - threat.indicator.file.name: - dashed_name: threat-indicator-file-name - description: Name of the file including the extension, without the directory. - example: example.png - flat_name: threat.indicator.file.name + original_fieldset: url + short: Domain of the url. + type: wildcard + threat.enrichments.url.extension: + dashed_name: threat-enrichments-url-extension + description: 'The field contains the file extension from the original request + url, excluding the leading dot. + + The file extension is only set if it exists, as not every url has a file extension. + + The leading period must not be included. For example, the value must be "png", + not ".png". + + Note that when the file name has multiple extensions (example.tar.gz), only + the last one should be captured ("gz", not "tar.gz").' + example: png + flat_name: threat.enrichments.url.extension ignore_above: 1024 level: extended - name: name + name: extension normalize: [] - original_fieldset: file - short: Name of the file including the extension, without the directory. + original_fieldset: url + short: File extension from the request url, excluding the leading dot. type: keyword - threat.indicator.file.owner: - dashed_name: threat-indicator-file-owner - description: File owner's username. 
- example: alice - flat_name: threat.indicator.file.owner + threat.enrichments.url.fragment: + dashed_name: threat-enrichments-url-fragment + description: 'Portion of the url after the `#`, such as "top". + + The `#` is not part of the fragment.' + flat_name: threat.enrichments.url.fragment ignore_above: 1024 level: extended - name: owner + name: fragment normalize: [] - original_fieldset: file - short: File owner's username. + original_fieldset: url + short: Portion of the url after the `#`. type: keyword - threat.indicator.file.path: - dashed_name: threat-indicator-file-path - description: Full path to the file, including the file name. It should include - the drive letter, when appropriate. - example: /home/alice/example.png - flat_name: threat.indicator.file.path + threat.enrichments.url.full: + dashed_name: threat-enrichments-url-full + description: If full URLs are important to your use case, they should be stored + in `url.full`, whether this field is reconstructed or present in the event + source. + example: https://www.elastic.co:443/search?q=elasticsearch#top + flat_name: threat.enrichments.url.full level: extended multi_fields: - - flat_name: threat.indicator.file.path.text + - flat_name: threat.enrichments.url.full.text name: text norms: false type: text - name: path + name: full normalize: [] - original_fieldset: file - short: Full path to the file, including the file name. + original_fieldset: url + short: Full unparsed URL. type: wildcard - threat.indicator.file.size: - dashed_name: threat-indicator-file-size - description: 'File size in bytes. + threat.enrichments.url.original: + dashed_name: threat-enrichments-url-original + description: 'Unmodified original url as seen in the event source. - Only relevant when `file.type` is "file".' - example: 16384 - flat_name: threat.indicator.file.size - level: extended - name: size - normalize: [] - original_fieldset: file - short: File size in bytes. 
- type: long - threat.indicator.file.target_path: - dashed_name: threat-indicator-file-target-path - description: Target path for symlinks. - flat_name: threat.indicator.file.target_path + Note that in network monitoring, the observed URL may be a full URL, whereas + in access logs, the URL is often just represented as a path. + + This field is meant to represent the URL as it was observed, complete or not.' + example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + flat_name: threat.enrichments.url.original level: extended multi_fields: - - flat_name: threat.indicator.file.target_path.text + - flat_name: threat.enrichments.url.original.text name: text norms: false type: text - name: target_path + name: original normalize: [] - original_fieldset: file - short: Target path for symlinks. + original_fieldset: url + short: Unmodified original url as seen in the event source. type: wildcard - threat.indicator.file.type: - dashed_name: threat-indicator-file-type - description: File type (file, dir, or symlink). - example: file - flat_name: threat.indicator.file.type + threat.enrichments.url.password: + dashed_name: threat-enrichments-url-password + description: Password of the request. + flat_name: threat.enrichments.url.password ignore_above: 1024 level: extended - name: type + name: password normalize: [] - original_fieldset: file - short: File type (file, dir, or symlink). + original_fieldset: url + short: Password of the request. type: keyword - threat.indicator.file.uid: - dashed_name: threat-indicator-file-uid - description: The user ID (UID) or security identifier (SID) of the file owner. - example: '1001' - flat_name: threat.indicator.file.uid - ignore_above: 1024 + threat.enrichments.url.path: + dashed_name: threat-enrichments-url-path + description: Path of the request, such as "/search". 
+ flat_name: threat.enrichments.url.path level: extended - name: uid + name: path normalize: [] - original_fieldset: file - short: The user ID (UID) or security identifier (SID) of the file owner. - type: keyword - threat.indicator.first_seen: - dashed_name: threat-indicator-first-seen - description: The date and time when intelligence source first reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.first_seen + original_fieldset: url + short: Path of the request, such as "/search". + type: wildcard + threat.enrichments.url.port: + dashed_name: threat-enrichments-url-port + description: Port of the request, such as 443. + example: 443 + flat_name: threat.enrichments.url.port + format: string level: extended - name: indicator.first_seen - normalize: [] - short: Date/time indicator was first reported. - type: date - threat.indicator.geo.city_name: - dashed_name: threat-indicator-geo-city-name - description: City name. - example: Montreal - flat_name: threat.indicator.geo.city_name - ignore_above: 1024 - level: core - name: city_name - normalize: [] - original_fieldset: geo - short: City name. - type: keyword - threat.indicator.geo.continent_code: - dashed_name: threat-indicator-geo-continent-code - description: Two-letter code representing continent's name. - example: NA - flat_name: threat.indicator.geo.continent_code - ignore_above: 1024 - level: core - name: continent_code - normalize: [] - original_fieldset: geo - short: Continent code. - type: keyword - threat.indicator.geo.continent_name: - dashed_name: threat-indicator-geo-continent-name - description: Name of the continent. - example: North America - flat_name: threat.indicator.geo.continent_name - ignore_above: 1024 - level: core - name: continent_name - normalize: [] - original_fieldset: geo - short: Name of the continent. 
- type: keyword - threat.indicator.geo.country_iso_code: - dashed_name: threat-indicator-geo-country-iso-code - description: Country ISO code. - example: CA - flat_name: threat.indicator.geo.country_iso_code - ignore_above: 1024 - level: core - name: country_iso_code + name: port normalize: [] - original_fieldset: geo - short: Country ISO code. - type: keyword - threat.indicator.geo.country_name: - dashed_name: threat-indicator-geo-country-name - description: Country name. - example: Canada - flat_name: threat.indicator.geo.country_name + original_fieldset: url + short: Port of the request, such as 443. + type: long + threat.enrichments.url.query: + dashed_name: threat-enrichments-url-query + description: 'The query field describes the query string of the request, such + as "q=elasticsearch". + + The `?` is excluded from the query string. If a URL contains no `?`, there + is no query field. If there is a `?` but no query, the query field exists + with an empty string. The `exists` query can be used to differentiate between + the two cases.' + flat_name: threat.enrichments.url.query ignore_above: 1024 - level: core - name: country_name + level: extended + name: query normalize: [] - original_fieldset: geo - short: Country name. + original_fieldset: url + short: Query string of the request. type: keyword - threat.indicator.geo.location: - dashed_name: threat-indicator-geo-location - description: Longitude and latitude. - example: '{ "lon": -73.614830, "lat": 45.505918 }' - flat_name: threat.indicator.geo.location - level: core - name: location - normalize: [] - original_fieldset: geo - short: Longitude and latitude. - type: geo_point - threat.indicator.geo.name: - dashed_name: threat-indicator-geo-name - description: 'User-defined description of a location, at the level of granularity - they care about. - - Could be the name of their data centers, the floor number, if this describes - a local physical entity, city names. 
+ threat.enrichments.url.registered_domain: + dashed_name: threat-enrichments-url-registered-domain + description: 'The highest registered url domain, stripped of the subdomain. - Not typically used in automated geolocation.' - example: boston-dc - flat_name: threat.indicator.geo.name - level: extended - name: name - normalize: [] - original_fieldset: geo - short: User-defined description of a location. - type: wildcard - threat.indicator.geo.postal_code: - dashed_name: threat-indicator-geo-postal-code - description: 'Postal code associated with the location. + For example, the registered domain for "foo.example.com" is "example.com". - Values appropriate for this field may also be known as a postcode or ZIP code - and will vary widely from country to country.' - example: 94040 - flat_name: threat.indicator.geo.postal_code - ignore_above: 1024 - level: core - name: postal_code - normalize: [] - original_fieldset: geo - short: Postal code. - type: keyword - threat.indicator.geo.region_iso_code: - dashed_name: threat-indicator-geo-region-iso-code - description: Region ISO code. - example: CA-QC - flat_name: threat.indicator.geo.region_iso_code - ignore_above: 1024 - level: core - name: region_iso_code - normalize: [] - original_fieldset: geo - short: Region ISO code. - type: keyword - threat.indicator.geo.region_name: - dashed_name: threat-indicator-geo-region-name - description: Region name. - example: Quebec - flat_name: threat.indicator.geo.region_name - ignore_above: 1024 - level: core - name: region_name - normalize: [] - original_fieldset: geo - short: Region name. - type: keyword - threat.indicator.geo.timezone: - dashed_name: threat-indicator-geo-timezone - description: The time zone of the location, such as IANA time zone name. - example: America/Argentina/Buenos_Aires - flat_name: threat.indicator.geo.timezone - ignore_above: 1024 - level: core - name: timezone - normalize: [] - original_fieldset: geo - short: Time zone. 
- type: keyword - threat.indicator.hash.md5: - dashed_name: threat-indicator-hash-md5 - description: MD5 hash. - flat_name: threat.indicator.hash.md5 - ignore_above: 1024 + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last two labels will not work well for TLDs such as "co.uk".' + example: example.com + flat_name: threat.enrichments.url.registered_domain level: extended - name: md5 + name: registered_domain normalize: [] - original_fieldset: hash - short: MD5 hash. - type: keyword - threat.indicator.hash.sha1: - dashed_name: threat-indicator-hash-sha1 - description: SHA1 hash. - flat_name: threat.indicator.hash.sha1 + original_fieldset: url + short: The highest registered url domain, stripped of the subdomain. + type: wildcard + threat.enrichments.url.scheme: + dashed_name: threat-enrichments-url-scheme + description: 'Scheme of the request, such as "https". + + Note: The `:` is not part of the scheme.' + example: https + flat_name: threat.enrichments.url.scheme ignore_above: 1024 level: extended - name: sha1 + name: scheme normalize: [] - original_fieldset: hash - short: SHA1 hash. + original_fieldset: url + short: Scheme of the url. type: keyword - threat.indicator.hash.sha256: - dashed_name: threat-indicator-hash-sha256 - description: SHA256 hash. - flat_name: threat.indicator.hash.sha256 + threat.enrichments.url.subdomain: + dashed_name: threat-enrichments-url-subdomain + description: 'The subdomain portion of a fully qualified domain name includes + all of the names except the host name under the registered_domain. In a partially + qualified domain, or if the the qualification level of the full name cannot + be determined, subdomain contains all of the names below the registered domain. + + For example the subdomain portion of "www.east.mydomain.co.uk" is "east". 
+ If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", + the subdomain field should contain "sub2.sub1", with no trailing period.' + example: east + flat_name: threat.enrichments.url.subdomain ignore_above: 1024 level: extended - name: sha256 + name: subdomain normalize: [] - original_fieldset: hash - short: SHA256 hash. + original_fieldset: url + short: The subdomain of the domain. type: keyword - threat.indicator.hash.sha512: - dashed_name: threat-indicator-hash-sha512 - description: SHA512 hash. - flat_name: threat.indicator.hash.sha512 + threat.enrichments.url.top_level_domain: + dashed_name: threat-enrichments-url-top-level-domain + description: 'The effective top level domain (eTLD), also known as the domain + suffix, is the last part of the domain name. For example, the top level domain + for example.com is "com". + + This value can be determined precisely with a list like the public suffix + list (http://publicsuffix.org). Trying to approximate this by simply taking + the last label will not work well for effective TLDs such as "co.uk".' + example: co.uk + flat_name: threat.enrichments.url.top_level_domain ignore_above: 1024 level: extended - name: sha512 + name: top_level_domain normalize: [] - original_fieldset: hash - short: SHA512 hash. + original_fieldset: url + short: The effective top level domain (com, org, net, co.uk). type: keyword - threat.indicator.hash.ssdeep: - dashed_name: threat-indicator-hash-ssdeep - description: SSDEEP hash. - flat_name: threat.indicator.hash.ssdeep + threat.enrichments.url.username: + dashed_name: threat-enrichments-url-username + description: Username of the request. + flat_name: threat.enrichments.url.username ignore_above: 1024 level: extended - name: ssdeep + name: username normalize: [] - original_fieldset: hash - short: SSDEEP hash. + original_fieldset: url + short: Username of the request. 
type: keyword - threat.indicator.ip: - dashed_name: threat-indicator-ip - description: Identifies a threat indicator as an IP address (irrespective of - direction). - example: 1.2.3.4 - flat_name: threat.indicator.ip - level: extended - name: indicator.ip - normalize: [] - short: Indicator IP address - type: ip - threat.indicator.last_seen: - dashed_name: threat-indicator-last-seen - description: The date and time when intelligence source last reported sighting - this indicator. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.last_seen - level: extended - name: indicator.last_seen - normalize: [] - short: Date/time indicator was last reported. - type: date - threat.indicator.marking.tlp: - dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ - \ * White\n * Green\n * Amber\n * Red" - example: White - flat_name: threat.indicator.marking.tlp + threat.enrichments.x509.alternative_names: + dashed_name: threat-enrichments-x509-alternative-names + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + flat_name: threat.enrichments.x509.alternative_names ignore_above: 1024 level: extended - name: indicator.marking.tlp - normalize: [] - short: Indicator TLP marking + name: alternative_names + normalize: + - array + original_fieldset: x509 + short: List of subject alternative names (SAN). type: keyword - threat.indicator.matched.atomic: - dashed_name: threat-indicator-matched-atomic - description: Identifies the atomic indicator that matched a local environment - endpoint or network event. 
- example: example.com - flat_name: threat.indicator.matched.atomic + threat.enrichments.x509.issuer.common_name: + dashed_name: threat-enrichments-x509-issuer-common-name + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + flat_name: threat.enrichments.x509.issuer.common_name ignore_above: 1024 level: extended - name: indicator.matched.atomic - normalize: [] - short: Indicator atomic match + name: issuer.common_name + normalize: + - array + original_fieldset: x509 + short: List of common name (CN) of issuing certificate authority. type: keyword - threat.indicator.matched.field: - dashed_name: threat-indicator-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - flat_name: threat.indicator.matched.field + threat.enrichments.x509.issuer.country: + dashed_name: threat-enrichments-x509-issuer-country + description: List of country (C) codes + example: US + flat_name: threat.enrichments.x509.issuer.country ignore_above: 1024 level: extended - name: indicator.matched.field - normalize: [] - short: Indicator field match + name: issuer.country + normalize: + - array + original_fieldset: x509 + short: List of country (C) codes type: keyword - threat.indicator.matched.type: - dashed_name: threat-indicator-matched-type - description: Identifies the type of the atomic indicator that matched a local - environment endpoint or network event. - example: domain-name - flat_name: threat.indicator.matched.type - ignore_above: 1024 + threat.enrichments.x509.issuer.distinguished_name: + dashed_name: threat-enrichments-x509-issuer-distinguished-name + description: Distinguished name (DN) of issuing certificate authority. 
+ example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + flat_name: threat.enrichments.x509.issuer.distinguished_name level: extended - name: indicator.matched.type + name: issuer.distinguished_name normalize: [] - short: Indicator type match - type: keyword - threat.indicator.module: - dashed_name: threat-indicator-module - description: Identifies the name of specific module this data is coming from. - example: threatintel - flat_name: threat.indicator.module + original_fieldset: x509 + short: Distinguished name (DN) of issuing certificate authority. + type: wildcard + threat.enrichments.x509.issuer.locality: + dashed_name: threat-enrichments-x509-issuer-locality + description: List of locality names (L) + example: Mountain View + flat_name: threat.enrichments.x509.issuer.locality ignore_above: 1024 level: extended - name: indicator.module - normalize: [] - short: Indicator module + name: issuer.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.indicator.pe.architecture: - dashed_name: threat-indicator-pe-architecture - description: CPU architecture target for the file. - example: x64 - flat_name: threat.indicator.pe.architecture + threat.enrichments.x509.issuer.organization: + dashed_name: threat-enrichments-x509-issuer-organization + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + flat_name: threat.enrichments.x509.issuer.organization ignore_above: 1024 level: extended - name: architecture - normalize: [] - original_fieldset: pe - short: CPU architecture target for the file. + name: issuer.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of issuing certificate authority. type: keyword - threat.indicator.pe.authentihash: - dashed_name: threat-indicator-pe-authentihash - description: Authentihash of the PE file. 
- example: ac9555d914bbb112ecc5f15bb9887ca8371f493ab0941344e976bb8410c8aa78 - flat_name: threat.indicator.pe.authentihash + threat.enrichments.x509.issuer.organizational_unit: + dashed_name: threat-enrichments-x509-issuer-organizational-unit + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + flat_name: threat.enrichments.x509.issuer.organizational_unit ignore_above: 1024 level: extended - name: authentihash - normalize: [] - original_fieldset: pe - short: Authentihash of the PE file. + name: issuer.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of issuing certificate authority. type: keyword - threat.indicator.pe.company: - dashed_name: threat-indicator-pe-company - description: Internal company name of the file, provided at compile-time. - example: Microsoft Corporation - flat_name: threat.indicator.pe.company + threat.enrichments.x509.issuer.state_or_province: + dashed_name: threat-enrichments-x509-issuer-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.issuer.state_or_province ignore_above: 1024 level: extended - name: company - normalize: [] - original_fieldset: pe - short: Internal company name of the file, provided at compile-time. + name: issuer.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) type: keyword - threat.indicator.pe.compile_timestamp: - dashed_name: threat-indicator-pe-compile-timestamp - description: Compile timestamp of the PE file. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.compile_timestamp + threat.enrichments.x509.not_after: + dashed_name: threat-enrichments-x509-not-after + description: Time at which the certificate is no longer considered valid. 
+ example: 2020-07-16 03:15:39+00:00 + flat_name: threat.enrichments.x509.not_after level: extended - name: compile_timestamp + name: not_after normalize: [] - original_fieldset: pe - short: Compile timestamp of the PE file. + original_fieldset: x509 + short: Time at which the certificate is no longer considered valid. type: date - threat.indicator.pe.compiler.name: - dashed_name: threat-indicator-pe-compiler-name - description: Name of the compiler - example: Clang - flat_name: threat.indicator.pe.compiler.name - ignore_above: 1024 + threat.enrichments.x509.not_before: + dashed_name: threat-enrichments-x509-not-before + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + flat_name: threat.enrichments.x509.not_before level: extended - name: compiler.name + name: not_before normalize: [] - original_fieldset: pe - short: Name of the compiler - type: keyword - threat.indicator.pe.compiler.version: - dashed_name: threat-indicator-pe-compiler-version - description: Version of the compiler. - example: 11.0.0 - flat_name: threat.indicator.pe.compiler.version + original_fieldset: x509 + short: Time at which the certificate is first considered valid. + type: date + threat.enrichments.x509.public_key_algorithm: + dashed_name: threat-enrichments-x509-public-key-algorithm + description: Algorithm used to generate the public key. + example: RSA + flat_name: threat.enrichments.x509.public_key_algorithm ignore_above: 1024 level: extended - name: compiler.version + name: public_key_algorithm normalize: [] - original_fieldset: pe - short: Version of the compiler. + original_fieldset: x509 + short: Algorithm used to generate the public key. type: keyword - threat.indicator.pe.creation_date: - dashed_name: threat-indicator-pe-creation-date - description: Extracted when possible from the file's metadata. Indicates when - it was built or compiled. It can also be faked by malware creators. 
- example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.creation_date - level: extended - name: creation_date - normalize: [] - original_fieldset: pe - short: Build or compile date. - type: date - threat.indicator.pe.debug: - dashed_name: threat-indicator-pe-debug - description: 'An array containing an object for each debug entry, if present. - - The expected fields for this nested object fall under the `debug.` prefix.' - flat_name: threat.indicator.pe.debug - level: extended - name: debug - normalize: - - array - original_fieldset: pe - short: Debug information - type: nested - threat.indicator.pe.debug.offset: - dashed_name: threat-indicator-pe-debug-offset - description: Debug offset information. - example: 1296336 - flat_name: threat.indicator.pe.debug.offset + threat.enrichments.x509.public_key_curve: + dashed_name: threat-enrichments-x509-public-key-curve + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + flat_name: threat.enrichments.x509.public_key_curve ignore_above: 1024 level: extended - name: debug.offset + name: public_key_curve normalize: [] - original_fieldset: pe - short: Debug offset information. + original_fieldset: x509 + short: The curve used by the elliptic curve public key algorithm. This is algorithm + specific. type: keyword - threat.indicator.pe.debug.size: - dashed_name: threat-indicator-pe-debug-size - description: Size of the debug information. - example: 816 - flat_name: threat.indicator.pe.debug.size - format: bytes + threat.enrichments.x509.public_key_exponent: + dashed_name: threat-enrichments-x509-public-key-exponent + description: Exponent used to derive the public key. This is algorithm specific. + doc_values: false + example: 65537 + flat_name: threat.enrichments.x509.public_key_exponent + index: false level: extended - name: debug.size + name: public_key_exponent normalize: [] - original_fieldset: pe - short: Size of the debug information. 
+ original_fieldset: x509 + short: Exponent used to derive the public key. This is algorithm specific. type: long - threat.indicator.pe.debug.timestamp: - dashed_name: threat-indicator-pe-debug-timestamp - description: Timestamp of the debug information. - example: '2020-11-05T17:25:47.000Z' - flat_name: threat.indicator.pe.debug.timestamp + threat.enrichments.x509.public_key_size: + dashed_name: threat-enrichments-x509-public-key-size + description: The size of the public key space in bits. + example: 2048 + flat_name: threat.enrichments.x509.public_key_size level: extended - name: debug.timestamp + name: public_key_size normalize: [] - original_fieldset: pe - short: Timestamp of the debug information. - type: date - threat.indicator.pe.debug.type: - dashed_name: threat-indicator-pe-debug-type - description: Information type generated by the debug options. - example: IMAGE_DEBUG_TYPE_POGO - flat_name: threat.indicator.pe.debug.type + original_fieldset: x509 + short: The size of the public key space in bits. + type: long + threat.enrichments.x509.serial_number: + dashed_name: threat-enrichments-x509-serial-number + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + flat_name: threat.enrichments.x509.serial_number ignore_above: 1024 level: extended - name: debug.type + name: serial_number normalize: [] - original_fieldset: pe - short: Information type generated by the debug options. + original_fieldset: x509 + short: Unique serial number issued by the certificate authority. type: keyword - threat.indicator.pe.description: - dashed_name: threat-indicator-pe-description - description: Internal description of the file, provided at compile-time. 
- example: Paint - flat_name: threat.indicator.pe.description + threat.enrichments.x509.signature_algorithm: + dashed_name: threat-enrichments-x509-signature-algorithm + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + flat_name: threat.enrichments.x509.signature_algorithm ignore_above: 1024 level: extended - name: description + name: signature_algorithm normalize: [] - original_fieldset: pe - short: Internal description of the file, provided at compile-time. + original_fieldset: x509 + short: Identifier for certificate signature algorithm. type: keyword - threat.indicator.pe.entry_point: - dashed_name: threat-indicator-pe-entry-point - description: Relative byte offset to the base of the PE file. - example: 25856 - flat_name: threat.indicator.pe.entry_point + threat.enrichments.x509.subject.common_name: + dashed_name: threat-enrichments-x509-subject-common-name + description: List of common names (CN) of subject. + example: shared.global.example.net + flat_name: threat.enrichments.x509.subject.common_name ignore_above: 1024 level: extended - name: entry_point - normalize: [] - original_fieldset: pe - short: Relative byte offset to the base of the PE file. + name: subject.common_name + normalize: + - array + original_fieldset: x509 + short: List of common names (CN) of subject. 
type: keyword - threat.indicator.pe.exports: - dashed_name: threat-indicator-pe-exports - description: List of symbols exported by PE - example: '["DllInstall", "DllRegisterServer", "DllUnregisterServer"]' - flat_name: threat.indicator.pe.exports + threat.enrichments.x509.subject.country: + dashed_name: threat-enrichments-x509-subject-country + description: List of country (C) code + example: US + flat_name: threat.enrichments.x509.subject.country ignore_above: 1024 level: extended - name: exports + name: subject.country normalize: - array - original_fieldset: pe - short: List of symbols exported by PE + original_fieldset: x509 + short: List of country (C) code type: keyword - threat.indicator.pe.file_version: - dashed_name: threat-indicator-pe-file-version - description: Internal version of the file, provided at compile-time. - example: 6.3.9600.17415 - flat_name: threat.indicator.pe.file_version - ignore_above: 1024 + threat.enrichments.x509.subject.distinguished_name: + dashed_name: threat-enrichments-x509-subject-distinguished-name + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + flat_name: threat.enrichments.x509.subject.distinguished_name level: extended - name: file_version + name: subject.distinguished_name normalize: [] - original_fieldset: pe - short: Process name. + original_fieldset: x509 + short: Distinguished name (DN) of the certificate subject entity. 
+ type: wildcard + threat.enrichments.x509.subject.locality: + dashed_name: threat-enrichments-x509-subject-locality + description: List of locality names (L) + example: San Francisco + flat_name: threat.enrichments.x509.subject.locality + ignore_above: 1024 + level: extended + name: subject.locality + normalize: + - array + original_fieldset: x509 + short: List of locality names (L) type: keyword - threat.indicator.pe.icon.hash.dhash: - dashed_name: threat-indicator-pe-icon-hash-dhash - description: Difference Hash (dhash) to find files with a visually similar icon - or thumbnail. - example: b806e17c8e330d82 - flat_name: threat.indicator.pe.icon.hash.dhash + threat.enrichments.x509.subject.organization: + dashed_name: threat-enrichments-x509-subject-organization + description: List of organizations (O) of subject. + example: Example, Inc. + flat_name: threat.enrichments.x509.subject.organization ignore_above: 1024 level: extended - name: icon.hash.dhash - normalize: [] - original_fieldset: pe - short: Difference Hash (dhash) to find files with a visually similar icon or - thumbnail. + name: subject.organization + normalize: + - array + original_fieldset: x509 + short: List of organizations (O) of subject. type: keyword - threat.indicator.pe.imphash: - dashed_name: threat-indicator-pe-imphash - description: 'A hash of the imports in a PE file. An imphash -- or import hash - -- can be used to fingerprint binaries even after recompilation or other code-level - transformations have occurred, which would change more traditional hash values. - - Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' - example: 0c6803c4e922103c4dca5963aad36ddf - flat_name: threat.indicator.pe.imphash + threat.enrichments.x509.subject.organizational_unit: + dashed_name: threat-enrichments-x509-subject-organizational-unit + description: List of organizational units (OU) of subject. 
+ flat_name: threat.enrichments.x509.subject.organizational_unit ignore_above: 1024 level: extended - name: imphash - normalize: [] - original_fieldset: pe - short: A hash of the imports in a PE file. + name: subject.organizational_unit + normalize: + - array + original_fieldset: x509 + short: List of organizational units (OU) of subject. type: keyword - threat.indicator.pe.imports: - dashed_name: threat-indicator-pe-imports - description: List of all imported functions - example: '{ "library_name" : "mscoree.dll", "imported_functions" : "GetFileVersionInfoSizeA" - }' - flat_name: threat.indicator.pe.imports + threat.enrichments.x509.subject.state_or_province: + dashed_name: threat-enrichments-x509-subject-state-or-province + description: List of state or province names (ST, S, or P) + example: California + flat_name: threat.enrichments.x509.subject.state_or_province + ignore_above: 1024 level: extended - name: imports - normalize: [] - original_fieldset: pe - short: List of all imported functions - type: flattened - threat.indicator.pe.machine_type: - dashed_name: threat-indicator-pe-machine-type - description: Machine type of the PE file. - example: Intel 386 or later, and compatibles - flat_name: threat.indicator.pe.machine_type + name: subject.state_or_province + normalize: + - array + original_fieldset: x509 + short: List of state or province names (ST, S, or P) + type: keyword + threat.enrichments.x509.version_number: + dashed_name: threat-enrichments-x509-version-number + description: Version of x509 format. + example: 3 + flat_name: threat.enrichments.x509.version_number ignore_above: 1024 level: extended - name: machine_type + name: version_number normalize: [] - original_fieldset: pe - short: Machine type of the PE file. + original_fieldset: x509 + short: Version of x509 format. type: keyword - threat.indicator.pe.original_file_name: - dashed_name: threat-indicator-pe-original-file-name - description: Internal name of the file, provided at compile-time. 
- example: MSPAINT.EXE - flat_name: threat.indicator.pe.original_file_name + threat.framework: + dashed_name: threat-framework + description: Name of the threat framework used to further categorize and classify + the tactic and technique of the reported threat. Framework classification + can be provided by detecting systems, evaluated at ingest time, or retrospectively + tagged to events. + example: MITRE ATT&CK + flat_name: threat.framework + ignore_above: 1024 level: extended - name: original_file_name + name: framework normalize: [] - original_fieldset: pe - short: Internal name of the file, provided at compile-time. - type: wildcard - threat.indicator.pe.packers: - dashed_name: threat-indicator-pe-packers - description: List of packers and tools used. - example: '["ASPack v2.12", ".NET executable"]' - flat_name: threat.indicator.pe.packers + short: Threat classification framework. + type: keyword + threat.group.alias: + beta: This field is beta and subject to change. + dashed_name: threat-group-alias + description: "The alias(es) of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group alias(es)." + example: '[ "Magecart Group 6" ]' + flat_name: threat.group.alias ignore_above: 1024 level: extended - name: packers + name: group.alias normalize: - array - original_fieldset: pe - short: List of packers and tools used. + short: Alias of the group. type: keyword - threat.indicator.pe.product: - dashed_name: threat-indicator-pe-product - description: Internal product name of the file, provided at compile-time. - example: "Microsoft\xAE Windows\xAE Operating System" - flat_name: threat.indicator.pe.product + threat.group.id: + beta: This field is beta and subject to change. + dashed_name: threat-group-id + description: "The id of the group for a set of related intrusion activity that\ + \ are tracked by a common name in the security community. 
While not required,\ + \ you can use a MITRE ATT&CK\xAE group id." + example: G0037 + flat_name: threat.group.id ignore_above: 1024 level: extended - name: product + name: group.id normalize: [] - original_fieldset: pe - short: Internal product name of the file, provided at compile-time. + short: ID of the group. type: keyword - threat.indicator.pe.resources: - dashed_name: threat-indicator-pe-resources - description: 'An array containing an object for each PE resource, if present. - - The expected fields for this nested object fall under the `resources.` prefix.' - flat_name: threat.indicator.pe.resources - level: extended - name: resources - normalize: - - array - original_fieldset: pe - short: PE resource information - type: nested - threat.indicator.pe.resources.chi2: - dashed_name: threat-indicator-pe-resources-chi2 - description: Chi-square probability distribution. - example: -1 - flat_name: threat.indicator.pe.resources.chi2 + threat.group.name: + beta: This field is beta and subject to change. + dashed_name: threat-group-name + description: "The name of the group for a set of related intrusion activity\ + \ that are tracked by a common name in the security community. While not required,\ + \ you can use a MITRE ATT&CK\xAE group name." + example: FIN6 + flat_name: threat.group.name + ignore_above: 1024 level: extended - name: resources.chi2 + name: group.name normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - threat.indicator.pe.resources.entropy: - dashed_name: threat-indicator-pe-resources-entropy - description: Measurement of entropy randomness in the resources section. - example: 0, 1 - flat_name: threat.indicator.pe.resources.entropy + short: Name of the group. + type: keyword + threat.group.reference: + beta: This field is beta and subject to change. 
+ dashed_name: threat-group-reference + description: "The reference URL of the group for a set of related intrusion\ + \ activity that are tracked by a common name in the security community. While\ + \ not required, you can use a MITRE ATT&CK\xAE group reference URL." + example: https://attack.mitre.org/groups/G0037/ + flat_name: threat.group.reference + ignore_above: 1024 level: extended - name: resources.entropy + name: group.reference normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the resources section. - type: long - threat.indicator.pe.resources.filetype: - dashed_name: threat-indicator-pe-resources-filetype - description: File type of the resources section. - example: Data - flat_name: threat.indicator.pe.resources.filetype + short: Reference URL of the group. + type: keyword + threat.indicator.confidence: + dashed_name: threat-indicator-confidence + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence ignore_above: 1024 level: extended - name: resources.filetype + name: indicator.confidence normalize: [] - original_fieldset: pe - short: File type of the resources section. + short: Indicator confidence rating type: keyword - threat.indicator.pe.resources.language: - dashed_name: threat-indicator-pe-resources-language - description: Language identification. - example: CHINESE SIMPLIFIED - flat_name: threat.indicator.pe.resources.language + threat.indicator.dataset: + dashed_name: threat-indicator-dataset + description: Identifies the name of specific dataset from the intelligence source. 
+ example: threatintel.abusemalware + flat_name: threat.indicator.dataset ignore_above: 1024 level: extended - name: resources.language + name: indicator.dataset normalize: [] - original_fieldset: pe - short: Language identification. + short: Indicator dataset type: keyword - threat.indicator.pe.resources.sha256: - dashed_name: threat-indicator-pe-resources-sha256 - description: SHA256 hash of resources section. - example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - flat_name: threat.indicator.pe.resources.sha256 - ignore_above: 1024 + threat.indicator.description: + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description level: extended - name: resources.sha256 + name: indicator.description normalize: [] - original_fieldset: pe - short: SHA256 hash of resources section. - type: keyword - threat.indicator.pe.resources.type: - dashed_name: threat-indicator-pe-resources-type - description: Digest of resource types. - example: '["RT_VERSION", "RT_MANIFEST"]' - flat_name: threat.indicator.pe.resources.type + short: Indicator description + type: wildcard + threat.indicator.domain: + dashed_name: threat-indicator-domain + description: Identifies a threat indicator as a domain (irrespective of direction). + example: example.com + flat_name: threat.indicator.domain ignore_above: 1024 level: extended - name: resources.type - normalize: - - array - original_fieldset: pe - short: List of resource types. + name: indicator.domain + normalize: [] + short: Indicator domain name type: keyword - threat.indicator.pe.rich_header.hash.md5: - dashed_name: threat-indicator-pe-rich-header-hash-md5 - description: MD5 hash of the header for the PE file. 
- example: 5aa1aa0f2b4be70397a1e9e2b87627cd - flat_name: threat.indicator.pe.rich_header.hash.md5 + threat.indicator.email.address: + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address ignore_above: 1024 level: extended - name: rich_header.hash.md5 + name: indicator.email.address normalize: [] - original_fieldset: pe - short: MD5 hash of the header for the PE file. + short: Indicator email address type: keyword - threat.indicator.pe.sections: - dashed_name: threat-indicator-pe-sections - description: Data about sections of compiled binary PE - flat_name: threat.indicator.pe.sections + threat.indicator.first_seen: + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen level: extended - name: sections - normalize: - - array - original_fieldset: pe - short: Data about sections of the compiled binary PE - type: nested - threat.indicator.pe.sections.chi2: - dashed_name: threat-indicator-pe-sections-chi2 - description: Chi-square probability distribution. - example: 3027194 - flat_name: threat.indicator.pe.sections.chi2 + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. + type: date + threat.indicator.ip: + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip level: extended - name: sections.chi2 + name: indicator.ip normalize: [] - original_fieldset: pe - short: Chi-square probability distribution. - type: long - threat.indicator.pe.sections.entropy: - dashed_name: threat-indicator-pe-sections-entropy - description: Measurement of entropy randomness in the file. 
- example: 6.24 - flat_name: threat.indicator.pe.sections.entropy + short: Indicator IP address + type: ip + threat.indicator.last_seen: + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen level: extended - name: sections.entropy + name: indicator.last_seen normalize: [] - original_fieldset: pe - short: Measurement of entropy randomness in the file. - type: float - threat.indicator.pe.sections.flags: - dashed_name: threat-indicator-pe-sections-flags - description: Section flags of the file. - example: rx - flat_name: threat.indicator.pe.sections.flags + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ + \ * White\n * Green\n * Amber\n * Red" + example: White + flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended - name: sections.flags + name: indicator.marking.tlp normalize: [] - original_fieldset: pe - short: Section flags of the file. + short: Indicator TLP marking type: keyword - threat.indicator.pe.sections.name: - dashed_name: threat-indicator-pe-sections-name - description: Section names of the file. - example: .text, .data - flat_name: threat.indicator.pe.sections.name + threat.indicator.matched.atomic: + dashed_name: threat-indicator-matched-atomic + description: Identifies the atomic indicator that matched a local environment + endpoint or network event. + example: example.com + flat_name: threat.indicator.matched.atomic ignore_above: 1024 level: extended - name: sections.name + name: indicator.matched.atomic normalize: [] - original_fieldset: pe - short: Section names of the file. 
+ short: Indicator atomic match type: keyword - threat.indicator.pe.sections.raw_size: - dashed_name: threat-indicator-pe-sections-raw-size - description: Size of the section or the dize of the initialized data on disk. - example: 198144 - flat_name: threat.indicator.pe.sections.raw_size - format: bytes + threat.indicator.matched.field: + dashed_name: threat-indicator-matched-field + description: Identifies the field of the atomic indicator that matched a local + environment endpoint or network event. + example: file.hash.sha256 + flat_name: threat.indicator.matched.field + ignore_above: 1024 level: extended - name: sections.raw_size + name: indicator.matched.field normalize: [] - original_fieldset: pe - short: Size of the section or the dize of the initialized data on disk. - type: long - threat.indicator.pe.sections.virtual_address: - dashed_name: threat-indicator-pe-sections-virtual-address - description: Virtual address available to the file. - example: 8192 - flat_name: threat.indicator.pe.sections.virtual_address - format: bytes + short: Indicator field match + type: keyword + threat.indicator.matched.type: + dashed_name: threat-indicator-matched-type + description: Identifies the type of the atomic indicator that matched a local + environment endpoint or network event. + example: domain-name + flat_name: threat.indicator.matched.type + ignore_above: 1024 level: extended - name: sections.virtual_address + name: indicator.matched.type normalize: [] - original_fieldset: pe - short: Virtual address available to the file. - type: long + short: Indicator type match + type: keyword + threat.indicator.module: + dashed_name: threat-indicator-module + description: Identifies the name of specific module this data is coming from. 
+ example: threatintel + flat_name: threat.indicator.module + ignore_above: 1024 + level: extended + name: indicator.module + normalize: [] + short: Indicator module + type: keyword threat.indicator.port: dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of 
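Review bot: two description strings in this hunk carry wording errors that originate in the hand-written source schemas and will come back on every regeneration, so they should be fixed there and the output regenerated rather than patched here. `threat.indicator.confidence` lists `* Admirality Scale (1-6)` (the Admiralty scale), and `threat.enrichments.x509.subject.country` reads `description: List of country (C) code` / `short: List of country (C) code` for a field normalized as an array (should be "codes"). The same pass could tidy `threat.indicator.dataset`, which reads "Identifies the name of specific dataset from the intelligence source" (missing "the").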
@@ -13580,99 +15095,6 @@ threat: normalize: [] short: Identifies the name of the intelligence provider. type: keyword - threat.indicator.registry.data.bytes: - dashed_name: threat-indicator-registry-data-bytes - description: 'Original bytes written with base64 encoding. - - For Windows registry operations, such as SetValueEx and RegQueryValueEx, this - corresponds to the data pointed by `lp_data`. This is optional but provides - better recoverability and should be populated for REG_BINARY encoded values.' - example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - flat_name: threat.indicator.registry.data.bytes - ignore_above: 1024 - level: extended - name: data.bytes - normalize: [] - original_fieldset: registry - short: Original bytes written with base64 encoding. - type: keyword - threat.indicator.registry.data.strings: - dashed_name: threat-indicator-registry-data-strings - description: 'Content when writing string types. - - Populated as an array when writing string data to the registry. For single - string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with - one string. For sequences of string with REG_MULTI_SZ, this array will be - variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should - be populated with the decimal representation (e.g `"1"`).' - example: '["C:\rta\red_ttp\bin\myapp.exe"]' - flat_name: threat.indicator.registry.data.strings - level: core - name: data.strings - normalize: - - array - original_fieldset: registry - short: List of strings representing what was written to the registry. 
- type: wildcard - threat.indicator.registry.data.type: - dashed_name: threat-indicator-registry-data-type - description: Standard registry type for encoding contents - example: REG_SZ - flat_name: threat.indicator.registry.data.type - ignore_above: 1024 - level: core - name: data.type - normalize: [] - original_fieldset: registry - short: Standard registry type for encoding contents - type: keyword - threat.indicator.registry.hive: - dashed_name: threat-indicator-registry-hive - description: Abbreviated name for the hive. - example: HKLM - flat_name: threat.indicator.registry.hive - ignore_above: 1024 - level: core - name: hive - normalize: [] - original_fieldset: registry - short: Abbreviated name for the hive. - type: keyword - threat.indicator.registry.key: - dashed_name: threat-indicator-registry-key - description: Hive-relative path of keys. - example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - flat_name: threat.indicator.registry.key - level: core - name: key - normalize: [] - original_fieldset: registry - short: Hive-relative path of keys. - type: wildcard - threat.indicator.registry.path: - dashed_name: threat-indicator-registry-path - description: Full path, including hive, key and value - example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution - Options\winword.exe\Debugger - flat_name: threat.indicator.registry.path - level: core - name: path - normalize: [] - original_fieldset: registry - short: Full path, including hive, key and value - type: wildcard - threat.indicator.registry.value: - dashed_name: threat-indicator-registry-value - description: Name of the value written. - example: Debugger - flat_name: threat.indicator.registry.value - ignore_above: 1024 - level: core - name: value - normalize: [] - original_fieldset: registry - short: Name of the value written. 
- type: keyword threat.indicator.scanner_stats: dashed_name: threat-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file @@ -13913,32 +15335,44 @@ threat: group: 2 name: threat nestings: - - threat.indicator.as - - threat.indicator.file - - threat.indicator.geo - - threat.indicator.hash - - threat.indicator.pe - - threat.indicator.registry + - threat.enrichments.as + - threat.enrichments.event + - threat.enrichments.file + - threat.enrichments.geo + - threat.enrichments.hash + - threat.enrichments.pe + - threat.enrichments.registry + - threat.enrichments.url + - threat.enrichments.x509 prefix: threat. reused_here: - - full: threat.indicator.as + - full: threat.enrichments.as schema_name: as short: Fields describing an Autonomous System (Internet routing prefix). - - full: threat.indicator.file + - full: threat.enrichments.event + schema_name: event + short: Fields breaking down the event details. + - full: threat.enrichments.file schema_name: file short: Fields describing files. - - full: threat.indicator.geo + - full: threat.enrichments.geo schema_name: geo short: Fields describing a location. - - full: threat.indicator.hash + - full: threat.enrichments.hash schema_name: hash short: Hashes, usually file hashes. - - full: threat.indicator.pe + - full: threat.enrichments.pe schema_name: pe short: These fields contain Windows Portable Executable (PE) metadata. - - full: threat.indicator.registry + - full: threat.enrichments.registry schema_name: registry short: Fields related to Windows Registry operations. + - full: threat.enrichments.url + schema_name: url + short: Fields that let you store URLs in various forms. + - full: threat.enrichments.x509 + schema_name: x509 + short: These fields contain x509 certificate metadata. short: Fields to classify events and alerts according to a threat taxonomy. title: Threat type: group 
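Review bot: the `nestings` and `reused_here` edits in the last hunk replace the `threat.indicator.*` reuses rather than adding `threat.enrichments.*` next to them: `- threat.indicator.as`, `- threat.indicator.file`, `- threat.indicator.geo` (and hash, pe, registry) are dropped and only enrichments entries remain. The hunk just above shows the consequence, removing `threat.indicator.registry.*` (and `threat.indicator.pe.*` earlier) with no `threat.indicator` replacement, so a pipeline or detection rule keyed on `threat.indicator.registry.path` loses its mapping. If moving the reused field sets out of `threat.indicator` is intended, state it as a removal in the changelog entry and in the threat field set description rather than describing the change only as an addition; if it is not intended, keep the `threat.indicator` reuses and add the `threat.enrichments` ones alongside.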
@@ -15203,6 +16637,12 @@ url: group: 2 name: url prefix: url. + reusable: + expected: + - as: url + at: threat.enrichments + full: threat.enrichments.url + top_level: true short: Fields that let you store URLs in various forms. title: URL type: group @@ -16492,6 +17932,9 @@ x509: - as: x509 at: tls.server full: tls.server.x509 + - as: x509 + at: threat.enrichments + full: threat.enrichments.x509 top_level: false short: These fields contain x509 certificate metadata. title: x509 Certificate diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 60c5f99962..88f49a5494 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -3565,31 +3565,7 @@ }, "threat": { "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { + "enrichments": { "properties": { "as": { "properties": { 
@@ -3611,24 +3587,102 @@ } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "type": "wildcard" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { + "event": { "properties": { - "address": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { "ignore_above": 1024, "type": "keyword" } @@ -3872,9 +3926,6 @@ } } }, - "first_seen": { - "type": "date" - }, "geo": { "properties": { "city_name": { 
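Review bot: the `event` block added under `threat.enrichments` in this hunk reuses the whole event field set, which pulls in fields that describe the receiving pipeline's handling of the observed event rather than the indicator source event: `agent_id_status`, `ingested`, `sequence`, `timezone`, and the non-searchable `original` (`"index": false`, `"doc_values": false`). Per enrichment, these are unlikely to be meaningful, and a consumer has no guidance on what to put in them. Either restrict the reuse to the subset an indicator event needs (for example `kind`, `category`, `type`, `dataset`, `module`, `provider`, `reference`, `created`) or say in the `threat.enrichments` description which of the reused event fields are expected to be populated and by whom.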
@@ -3945,20 +3996,6 @@ } } }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "matched": { "properties": { "atomic": { @@ -3969,16 +4006,20 @@ "ignore_above": 1024, "type": "keyword" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, "type": { "ignore_above": 1024, "type": "keyword" } } }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, "pe": { "properties": { "architecture": { @@ -4146,13 +4187,6 @@ } } }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, "registry": { "properties": { "data": { 
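Review bot: the `@@ -3969` hunk adds `"id"` and `"index"` to `matched` inside the `enrichments` object, while the `matched` object re-added later under `indicator` in this file keeps only `atomic`, `field` and `type`. Nothing in this diff explains what `id` and `index` identify (presumably the matched indicator document and the index it was read from), or why the two `matched` objects differ, so a consumer cannot tell whether `threat.indicator.matched` is still the place to record a match once an enrichment exists. Add descriptions for `matched.id` and `matched.index` that say what they reference, and either make the two `matched` objects consistent or document that `threat.indicator.matched` is superseded by `threat.enrichments.matched`.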
@@ -4186,6 +4220,272 @@ } } }, + "url": { + "properties": { + "domain": { + "type": "wildcard" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "type": "wildcard" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + 
"ignore_above": 1024, + "type": "keyword" + }, "scanner_stats": { "type": "long" }, diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index 123ee68bdc..1051a7fe38 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json @@ -8,31 +8,7 @@ "properties": { "threat": { "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { + "enrichments": { "properties": { "as": { "properties": { 
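Review bot: the `"type": "nested"` that closes the `enrichments` object (just before `"framework"` is re-added in the template.json hunk) changes how every field under `threat.enrichments.*` must be queried, and none of that is stated in the field's description. Subfields of a nested object are not hit by a plain term or match query; callers need an Elasticsearch `nested` query (KQL supports the `threat.enrichments:{ ... }` form), Kibana visualizations largely cannot aggregate on nested fields, each enrichment is stored as a separate hidden Lucene document, and `index.mapping.nested_objects.limit` (default 10000) caps the number of enrichments one event can carry. Worth a sentence in the `threat.enrichments` description or the usage docs so detection-rule authors do not write filters on `threat.enrichments.indicator.ip` that silently match nothing.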
@@ -54,24 +30,102 @@ } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "type": "wildcard" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { + "event": { "properties": { - "address": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { "ignore_above": 1024, "type": "keyword" } @@ -315,9 +369,6 @@ } } }, - "first_seen": { - "type": "date" - }, "geo": { "properties": { "city_name": { 
@@ -388,20 +439,6 @@ } } }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "matched": { "properties": { "atomic": { @@ -412,16 +449,20 @@ "ignore_above": 1024, "type": "keyword" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, "type": { "ignore_above": 1024, "type": "keyword" } } }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, "pe": { "properties": { "architecture": { @@ -589,13 +630,6 @@ } } }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, "registry": { "properties": { "data": { 
@@ -629,6 +663,272 @@ } } }, + "url": { + "properties": { + "domain": { + "type": "wildcard" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "type": "wildcard" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "type": "wildcard" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "type": "wildcard" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + 
"ignore_above": 1024, + "type": "keyword" + }, "scanner_stats": { "type": "long" }, diff --git a/experimental/schemas/as.yml b/experimental/schemas/as.yml index 8971f535d9..550b5d3d6f 100644 --- a/experimental/schemas/as.yml +++ b/experimental/schemas/as.yml @@ -2,7 +2,7 @@ - name: as reusable: expected: - - threat.indicator + - threat.enrichments fields: - name: organization.name diff --git a/experimental/schemas/event.yml b/experimental/schemas/event.yml new file mode 100644 index 0000000000..7157d5e7d4 --- /dev/null +++ b/experimental/schemas/event.yml @@ -0,0 +1,5 @@ +--- +- name: event + reusable: + expected: + - threat.enrichments diff --git a/experimental/schemas/file.yml b/experimental/schemas/file.yml index a53f9ea3ff..779fbc948a 100644 --- a/experimental/schemas/file.yml +++ b/experimental/schemas/file.yml @@ -2,7 +2,7 @@ - name: file reusable: expected: - - threat.indicator + - threat.enrichments fields: - name: directory diff --git a/experimental/schemas/geo.yml b/experimental/schemas/geo.yml index cbacd44b6e..9bc1393b25 100644 --- a/experimental/schemas/geo.yml +++ b/experimental/schemas/geo.yml @@ -2,7 +2,7 @@ - name: geo reusable: expected: - - threat.indicator + - threat.enrichments fields: - name: name diff --git a/experimental/schemas/hash.yml b/experimental/schemas/hash.yml index 957ad48503..51394d118d 100644 --- a/experimental/schemas/hash.yml +++ b/experimental/schemas/hash.yml @@ -2,4 +2,4 @@ - name: hash reusable: expected: - - threat.indicator + - threat.enrichments diff --git a/experimental/schemas/pe.yml b/experimental/schemas/pe.yml index c5ef5c8349..3d1e577fc1 100644 --- a/experimental/schemas/pe.yml +++ b/experimental/schemas/pe.yml @@ -2,7 +2,7 @@ - name: pe reusable: expected: - - threat.indicator + - threat.enrichments fields: - name: original_file_name diff --git a/experimental/schemas/registry.yml b/experimental/schemas/registry.yml index ac9ac7e66c..74d007f633 100644 --- a/experimental/schemas/registry.yml 
+++ b/experimental/schemas/registry.yml @@ -2,7 +2,7 @@ - name: registry reusable: expected: - - threat.indicator + - threat.enrichments fields: - name: key diff --git a/experimental/schemas/threat.yml b/experimental/schemas/threat.yml index 523f909f06..ab47291ecf 100644 --- a/experimental/schemas/threat.yml +++ b/experimental/schemas/threat.yml @@ -3,6 +3,53 @@ fields: + - name: enrichments + level: extended + type: nested + short: List of indicators enriching the event. + description: > + A list of associated indicators enriching the event, and the context of that association/enrichment. + + - name: enrichments.matched.atomic + level: extended + type: keyword + short: Matched indicator value + description: > + Identifies the atomic indicator value that matched a local environment endpoint or network event. + example: bad-domain.com + + - name: enrichments.matched.field + level: extended + type: keyword + short: Matched indicator field + description: > + Identifies the field of the atomic indicator that matched a local environment endpoint or network event. + example: file.hash.sha256 + + - name: enrichments.matched.id + level: extended + type: keyword + short: Matched indicator identifier + description: > + Identifies the _id of the indicator document enriching the event. + example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5 + + - name: enrichments.matched.index + level: extended + type: keyword + short: Matched indicator index + description: > + Identifies the _index of the indicator document enriching the event. + example: filebeat-8.0.0-2021.05.23-000011 + + - name: enrichments.matched.type + level: extended + type: keyword + short: Type of indicator match + description: > + Identifies the type of match that caused the event to be enriched with the given indicator + example: indicator_match_rule + - name: indicator.first_seen level: extended type: date diff --git a/experimental/schemas/url.yml b/experimental/schemas/url.yml index 0d5f66c36a..90a6162c7d 100644 
--- a/experimental/schemas/url.yml +++ b/experimental/schemas/url.yml @@ -1,5 +1,9 @@ --- - name: url + reusable: + expected: + - threat.enrichments + fields: - name: original type: wildcard diff --git a/experimental/schemas/x509.yml b/experimental/schemas/x509.yml index d1c7d8af6b..2184c74271 100644 --- a/experimental/schemas/x509.yml +++ b/experimental/schemas/x509.yml @@ -1,5 +1,9 @@ --- - name: x509 + reusable: + expected: + - threat.enrichments + fields: - name: issuer.distinguished_name type: wildcard
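Review bot: the `reusable.expected` hunks in as.yml, file.yml, geo.yml, hash.yml, pe.yml and registry.yml replace `- threat.indicator` with `- threat.enrichments` instead of adding a second entry, so `threat.indicator.as.*`, `threat.indicator.file.*`, `threat.indicator.geo.*`, `threat.indicator.hash.*`, `threat.indicator.pe.*` and `threat.indicator.registry.*` drop out of the experimental schema. The regenerated Elasticsearch mapping confirms this: the re-added `indicator` block in the `@@ -629,6 +663,272 @@` hunk lists only `confidence` through `scanner_stats` with no `as`, `file`, `geo`, `hash`, `pe` or `registry` child. If the indicator is still meant to carry these objects, list both targets, e.g. `expected:` / `- threat.indicator` / `- threat.enrichments`; otherwise this is a breaking change to the experimental `threat.indicator.*` fields and should be documented as such rather than only as an addition.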
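Review bot: in the threat.yml hunk the `enrichments.matched.type` description is the only one of the five without a terminating period ("...enriched with the given indicator"), and `enrichments.matched.id` / `enrichments.matched.index` have no counterpart in the existing `indicator.matched.*` set, which the regenerated mapping still emits with only `atomic`, `field` and `type`. Say in the `enrichments` description whether `threat.indicator.matched.*` is superseded by `threat.enrichments.matched.*`, so producers know which of the two parallel `matched` objects to populate and consumers know which one detection rules should read.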
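Review bot: the new experimental/schemas/event.yml reuses the whole `event` field set under `threat.enrichments` without narrowing it, so the first hunk of the regenerated Elasticsearch mapping (`@@ -54,24 +30,102 @@`) nests every `event.*` field, including `event.original` (mapped `index: false`, `doc_values: false`), `risk_score`, `risk_score_norm` and `severity`, into each element of the enrichments list. `enrichments.event.original` can be neither searched nor aggregated in that position and only adds a copy of the indicator document's raw text to every enriched event. If the intent is provenance (tying the enrichment back to the indicator document via `event.dataset`, `event.module`, `event.provider`, `event.id`, `event.ingested`), state that in the `enrichments` description so producers do not copy the full event object.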
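Review bot: the `@@ -629,6 +663,272 @@` hunk closes the `enrichments` object with `"type": "nested"`, while every other `threat.*` object in this mapping is a plain object. Nested mappings change how the field is queried: each list element becomes a separate hidden Lucene document, matching across enrichments needs `nested` queries and aggregations, and every element counts against `index.mapping.nested_objects.limit` (default 10000 per document). The `enrichments` description in the threat.yml hunk says only that it is "a list of associated indicators"; add a sentence there explaining why `nested` was chosen over the flat layout used by `threat.indicator.*` and noting the query implications for consumers.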