From 9de4ee5d5a38b8a8355dcfbcf69559ddf5679a5e Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Wed, 23 Jun 2021 16:18:43 -0500
Subject: [PATCH 1/7] remove experimental threat definitions

---
 experimental/schemas/threat.yml | 192 --------------------------------
 1 file changed, 192 deletions(-)

diff --git a/experimental/schemas/threat.yml b/experimental/schemas/threat.yml
index ab47291ecf..5f90586e8e 100644
--- a/experimental/schemas/threat.yml
+++ b/experimental/schemas/threat.yml
@@ -49,195 +49,3 @@ description: > Identifies the type of match that caused the event to be enriched with the given indicator example: indicator_match_rule - - - name: indicator.first_seen - level: extended - type: date - short: Date/time indicator was first reported. - description: > - The date and time when intelligence source first reported sighting this indicator. - - example: "2020-11-05T17:25:47.000Z" - - - name: indicator.last_seen - level: extended - type: date - short: Date/time indicator was last reported. - description: > - The date and time when intelligence source last reported sighting this indicator. - - example: "2020-11-05T17:25:47.000Z" - - - name: indicator.sightings - level: extended - type: long - short: Number of times indicator observed - description: > - Number of times this indicator was observed conducting threat activity. - - example: 20 - - - name: indicator.type - level: extended - type: keyword - short: Type of indicator - description: > - Type of indicator as represented by Cyber Observable in STIX 2.0. - - Expected values - * autonomous-system - * artifact - * directory - * domain-name - * email-addr - * file - * ipv4-addr - * ipv6-addr - * mac-addr - * mutex - * process - * software - * url - * user-account - * windows-registry-key - * x-509-certificate - - example: ipv4-addr - - - name: indicator.description - level: extended - type: wildcard - short: Indicator description - description: > - Describes the type of action conducted by the threat. - - example: IP x.x.x.x was observed delivering the Angler EK. - - - name: indicator.scanner_stats - level: extended - type: long - short: Scanner statistics - description: > - Count of AV/EDR vendors that successfully detected malicious file or URL. - - example: 4 - - - name: indicator.provider - level: extended - type: keyword - description: > - Identifies the name of the intelligence provider. 
- - example: VirusTotal - - - name: indicator.confidence - level: extended - type: keyword - short: Indicator confidence rating - description: > - Identifies the confidence rating assigned by the provider using STIX confidence scales. - - Expected values: - * Not Specified, None, Low, Medium, High - * 0-10 - * Admirality Scale (1-6) - * DNI Scale (5-95) - * WEP Scale (Impossible - Certain) - - example: High - - - name: indicator.module - level: extended - type: keyword - short: Indicator module - description: > - Identifies the name of specific module this data is coming from. - - example: threatintel - - - name: indicator.dataset - level: extended - type: keyword - short: Indicator dataset - description: > - Identifies the name of specific dataset from the intelligence source. - - example: threatintel.abusemalware - - - name: indicator.ip - level: extended - type: ip - short: Indicator IP address - description: > - Identifies a threat indicator as an IP address (irrespective of direction). - - example: 1.2.3.4 - - - name: indicator.domain - level: extended - type: keyword - short: Indicator domain name - description: > - Identifies a threat indicator as a domain (irrespective of direction). - - example: example.com - - - name: indicator.port - level: extended - type: long - short: Indicator port - description: > - Identifies a threat indicator as a port number (irrespective of direction). - - example: 443 - - - name: indicator.email.address - level: extended - type: keyword - short: Indicator email address - description: > - Identifies a threat indicator as an email address (irrespective of direction). - - example: phish@example.com - - - name: indicator.marking.tlp - level: extended - type: keyword - short: Indicator TLP marking - description: > - Traffic Light Protocol sharing markings. 
- - Expected values are: - * White - * Green - * Amber - * Red - - example: White - - - name: indicator.matched.atomic - level: extended - type: keyword - short: Indicator atomic match - description: > - Identifies the atomic indicator that matched a local environment endpoint or network event. - - example: example.com - - - name: indicator.matched.field - level: extended - type: keyword - short: Indicator field match - description: > - Identifies the field of the atomic indicator that matched a local environment endpoint or network event. - - example: file.hash.sha256 - - - name: indicator.matched.type - level: extended - type: keyword - short: Indicator type match - description: > - Identifies the type of the atomic indicator that matched a local environment endpoint or network event. - - example: domain-name From f3fcec141a9c5b9a0d95a5629e27e66c9383d3af Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 23 Jun 2021 16:23:13 -0500 Subject: [PATCH 2/7] add threat intel RFC beta fields --- schemas/threat.yml | 152 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) diff --git a/schemas/threat.yml b/schemas/threat.yml index acb36a2115..7d3098c3d4 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
@@ -66,6 +66,158 @@ example: "https://attack.mitre.org/groups/G0037/" + - name: indicator.first_seen + level: extended + type: date + short: Date/time indicator was first reported. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source first reported sighting this indicator. + + example: "2020-11-05T17:25:47.000Z" + + - name: indicator.last_seen + level: extended + type: date + short: Date/time indicator was last reported. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source last reported sighting this indicator. + + example: "2020-11-05T17:25:47.000Z" + + - name: indicator.modified_at + level: extended + type: date + short: Date/time indicator was last updated. + beta: This field is beta and subject to change. + description: > + The date and time when intelligence source last modified information for this indicator. + + example: "2020-11-05T17:25:47.000Z" + + - name: indicator.sightings + level: extended + type: long + short: Number of times indicator observed + beta: This field is beta and subject to change. + description: > + Number of times this indicator was observed conducting threat activity. + + example: 20 + + - name: indicator.type + level: extended + type: keyword + short: Type of indicator + beta: This field is beta and subject to change. + description: > + Type of indicator as represented by Cyber Observable in STIX 2.0. + + Recommended values: + * autonomous-system + * artifact + * directory + * domain-name + * email-addr + * file + * ipv4-addr + * ipv6-addr + * mac-addr + * mutex + * port + * process + * software + * url + * user-account + * windows-registry-key + * x509-certificate + + example: ipv4-addr + + - name: indicator.description + level: extended + type: keyword + short: Indicator description + beta: This field is beta and subject to change. + description: > + Describes the type of action conducted by the threat. 
+ + example: IP x.x.x.x was observed delivering the Angler EK. + + - name: indicator.scanner_stats + level: extended + type: long + short: Scanner statistics + beta: This field is beta and subject to change. + description: > + Count of AV/EDR vendors that successfully detected malicious file or URL. + + example: 4 + + - name: indicator.confidence + level: extended + type: keyword + short: Indicator confidence rating + beta: This field is beta and subject to change. + description: > + Identifies the confidence rating assigned by the provider using STIX confidence scales. + + Expected values: + * Not Specified, None, Low, Medium, High + * 0-10 + * Admirality Scale (1-6) + * DNI Scale (5-95) + * WEP Scale (Impossible - Certain) + + example: High + + - name: indicator.ip + level: extended + type: ip + short: Indicator IP address + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as an IP address (irrespective of direction). + + example: 1.2.3.4 + + - name: indicator.port + level: extended + type: long + short: Indicator port + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as a port number (irrespective of direction). + + example: 443 + + - name: indicator.email.address + level: extended + type: keyword + short: Indicator email address + beta: This field is beta and subject to change. + description: > + Identifies a threat indicator as an email address (irrespective of direction). + + example: phish@example.com + + - name: indicator.marking.tlp + level: extended + type: keyword + short: Indicator TLP marking + beta: This field is beta and subject to change. + description: > + Traffic Light Protocol sharing markings. + + Recommended values are: + * WHITE + * GREEN + * AMBER + * RED + + example: WHITE + - name: software.id level: extended type: keyword From 3201f1383c82e71d28191a9bb0c2a3c13ed84f3d Mon Sep 17 00:00:00 2001 
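Review bot: The `indicator.confidence` description in this hunk appears to contain non-breaking spaces (U+00A0) rather than ASCII spaces: the artifacts regenerated in the following commit serialize it as `"Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_using\_STIX\_confidence scales..."`, and `\_` is YAML's double-quoted escape for a non-breaking space. Replace them with plain spaces in schemas/threat.yml and regenerate, otherwise the rendered docs and anything matching on the description text carry invisible characters. While here, `* Admirality Scale (1-6)` should read `* Admiralty Scale (1-6)`, and the hunk mixes `Expected values:` (confidence) with `Recommended values:` (type, marking.tlp) for the same kind of list. `indicator.description` is free text but is declared `type: keyword`, which the generated templates index with `ignore_above: 1024`, so longer descriptions are stored but not searchable; the experimental definition used `wildcard`, and the change of type is worth stating in the commit message if it is intentional.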
From: Eric Beahan
Date: Wed, 23 Jun 2021 16:25:34 -0500
Subject: [PATCH 3/7] add artifacts

---
 code/go/ecs/threat.go | 77 +++++
 docs/field-details.asciidoc | 274 ++++++++++++++++++
 experimental/generated/beats/fields.ecs.yml | 76 +----
 experimental/generated/csv/fields.csv | 12 +-
 experimental/generated/ecs/ecs_flat.yml | 120 ++------
 experimental/generated/ecs/ecs_nested.yml | 120 ++------
 .../generated/elasticsearch/7/template.json | 32 +-
 .../elasticsearch/component/threat.json | 32 +-
 generated/beats/fields.ecs.yml | 92 ++++++
 generated/csv/fields.csv | 12 +
 generated/ecs/ecs_flat.yml | 150 ++++++++++
 generated/ecs/ecs_nested.yml | 152 ++++++++++
 generated/elasticsearch/6/template.json | 53 ++++
 generated/elasticsearch/7/template.json | 53 ++++
 generated/elasticsearch/component/threat.json | 53 ++++
 15 files changed, 1003 insertions(+), 305 deletions(-)

diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go
index ae3ef6f0b4..f85d510f86 100644
--- a/code/go/ecs/threat.go
+++ b/code/go/ecs/threat.go
@@ -19,6 +19,10 @@ package ecs
+import (
+ "time"
+)
+
 // Fields to classify events and alerts according to a threat taxonomy such as
 // the MITRE ATT&CK® framework.
 // These fields are for users to classify alerts from all of their sources
@@ -54,6 +58,79 @@ type Threat struct { // required, you can use a MITRE ATT&CK® group reference URL. GroupReference string `ecs:"group.reference"` + // The date and time when intelligence source first reported sighting this + // indicator. + IndicatorFirstSeen time.Time `ecs:"indicator.first_seen"` + + // The date and time when intelligence source last reported sighting this + // indicator. + IndicatorLastSeen time.Time `ecs:"indicator.last_seen"` + + // The date and time when intelligence source last modified information for + // this indicator. + IndicatorModifiedAt time.Time `ecs:"indicator.modified_at"` + + // Number of times this indicator was observed conducting threat activity. + IndicatorSightings int64 `ecs:"indicator.sightings"` + + // Type of indicator as represented by Cyber Observable in STIX 2.0. + // Recommended values: + // * autonomous-system + // * artifact + // * directory + // * domain-name + // * email-addr + // * file + // * ipv4-addr + // * ipv6-addr + // * mac-addr + // * mutex + // * port + // * process + // * software + // * url + // * user-account + // * windows-registry-key + // * x509-certificate + IndicatorType string `ecs:"indicator.type"` + + // Describes the type of action conducted by the threat. + IndicatorDescription string `ecs:"indicator.description"` + + // Count of AV/EDR vendors that successfully detected malicious file or + // URL. + IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"` + + // Identifies the confidence rating assigned by the provider using + // STIX confidence scales. + // Expected values: + // * Not Specified, None, Low, Medium, High + // * 0-10 + // * Admirality Scale (1-6) + // * DNI Scale (5-95) + // * WEP Scale (Impossible - Certain) + IndicatorConfidence string `ecs:"indicator.confidence"` + + // Identifies a threat indicator as an IP address (irrespective of + // direction). 
+ IndicatorIP string `ecs:"indicator.ip"` + + // Identifies a threat indicator as a port number (irrespective of + // direction). + IndicatorPort int64 `ecs:"indicator.port"` + + // Identifies a threat indicator as an email address (irrespective of + // direction). + IndicatorEmailAddress string `ecs:"indicator.email.address"` + + // Traffic Light Protocol sharing markings. + // Recommended values are: + // * WHITE + // * GREEN + // * AMBER + // * RED + IndicatorMarkingTlp string `ecs:"indicator.marking.tlp"` + // The id of the software used by this threat to conduct behavior commonly // modeled using MITRE ATT&CK®. While not required, you can use a MITRE // ATT&CK® software id. diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 5dcbaf9b0f..cb2aa17731 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -7648,6 +7648,280 @@ example: `https://attack.mitre.org/groups/G0037/` // =============================================================== +| +[[field-threat-indicator-confidence]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies the confidence rating assigned by the provider using STIX confidence scales. + +Expected values: + + * Not Specified, None, Low, Medium, High + + * 0-10 + + * Admirality Scale (1-6) + + * DNI Scale (5-95) + + * WEP Scale (Impossible - Certain) + +type: keyword + + + +example: `High` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-description]] +<> + +| beta:[ This field is beta and subject to change. ] + +Describes the type of action conducted by the threat. + +type: keyword + + + +example: `IP x.x.x.x was observed delivering the Angler EK.` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-email-address]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as an email address (irrespective of direction). + +type: keyword + + + +example: `phish@example.com` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-first-seen]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source first reported sighting this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-ip]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as an IP address (irrespective of direction). 
+ +type: ip + + + +example: `1.2.3.4` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-last-seen]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source last reported sighting this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-marking-tlp]] +<> + +| beta:[ This field is beta and subject to change. ] + +Traffic Light Protocol sharing markings. + +Recommended values are: + + * WHITE + + * GREEN + + * AMBER + + * RED + +type: keyword + + + +example: `WHITE` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-modified-at]] +<> + +| beta:[ This field is beta and subject to change. ] + +The date and time when intelligence source last modified information for this indicator. + +type: date + + + +example: `2020-11-05T17:25:47.000Z` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-port]] +<> + +| beta:[ This field is beta and subject to change. ] + +Identifies a threat indicator as a port number (irrespective of direction). + +type: long + + + +example: `443` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-scanner-stats]] +<> + +| beta:[ This field is beta and subject to change. ] + +Count of AV/EDR vendors that successfully detected malicious file or URL. + +type: long + + + +example: `4` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-sightings]] +<> + +| beta:[ This field is beta and subject to change. ] + +Number of times this indicator was observed conducting threat activity. 
+ +type: long + + + +example: `20` + +| extended + +// =============================================================== + +| +[[field-threat-indicator-type]] +<> + +| beta:[ This field is beta and subject to change. ] + +Type of indicator as represented by Cyber Observable in STIX 2.0. + +Recommended values: + + * autonomous-system + + * artifact + + * directory + + * domain-name + + * email-addr + + * file + + * ipv4-addr + + * ipv6-addr + + * mac-addr + + * mutex + + * port + + * process + + * software + + * url + + * user-account + + * windows-registry-key + + * x509-certificate + +type: keyword + + + +example: `ipv4-addr` + +| extended + +// =============================================================== + | [[field-threat-software-id]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index c3d7bdc129..3996dbf200 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -9766,32 +9766,19 @@ level: extended type: keyword ignore_above: 1024 - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High default_field: false - - name: indicator.dataset + - name: indicator.description level: extended type: keyword ignore_above: 1024 - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware - default_field: false - - name: indicator.description - level: extended - type: wildcard description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. default_field: false - - name: indicator.domain - level: extended - type: keyword - ignore_above: 1024 - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com - default_field: false - name: indicator.email.address level: extended type: keyword 
@@ -9825,40 +9812,16 @@ level: extended type: keyword ignore_above: 1024 - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ - \ * White\n * Green\n * Amber\n * Red" - example: White - default_field: false - - name: indicator.matched.atomic - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the atomic indicator that matched a local environment - endpoint or network event. - example: example.com - default_field: false - - name: indicator.matched.field - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - default_field: false - - name: indicator.matched.type - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the type of the atomic indicator that matched a local - environment endpoint or network event. - example: domain-name + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE default_field: false - - name: indicator.module + - name: indicator.modified_at level: extended - type: keyword - ignore_above: 1024 - description: Identifies the name of specific module this data is coming from. - example: threatintel + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' default_field: false - name: indicator.port level: extended @@ -9867,13 +9830,6 @@ direction). example: 443 default_field: false - - name: indicator.provider - level: extended - type: keyword - ignore_above: 1024 - description: Identifies the name of the intelligence provider. - example: VirusTotal - default_field: false - name: indicator.scanner_stats level: extended type: long 
@@ -9892,10 +9848,10 @@ type: keyword ignore_above: 1024 description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n *\ - \ mutex\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x-509-certificate" + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" example: ipv4-addr default_field: false - name: software.id diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 3a0175d51c..1b172ff1a4 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1191,20 +1191,14 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 2.0.0-dev+exp,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. 2.0.0-dev+exp,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating -2.0.0-dev+exp,true,threat,threat.indicator.dataset,keyword,extended,,threatintel.abusemalware,Indicator dataset -2.0.0-dev+exp,true,threat,threat.indicator.description,wildcard,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description -2.0.0-dev+exp,true,threat,threat.indicator.domain,keyword,extended,,example.com,Indicator domain name +2.0.0-dev+exp,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description 2.0.0-dev+exp,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address 2.0.0-dev+exp,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. 2.0.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 2.0.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 
-2.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,White,Indicator TLP marking -2.0.0-dev+exp,true,threat,threat.indicator.matched.atomic,keyword,extended,,example.com,Indicator atomic match -2.0.0-dev+exp,true,threat,threat.indicator.matched.field,keyword,extended,,file.hash.sha256,Indicator field match -2.0.0-dev+exp,true,threat,threat.indicator.matched.type,keyword,extended,,domain-name,Indicator type match -2.0.0-dev+exp,true,threat,threat.indicator.module,keyword,extended,,threatintel,Indicator module +2.0.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +2.0.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 2.0.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port -2.0.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,VirusTotal,Identifies the name of the intelligence provider. 2.0.0-dev+exp,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics 2.0.0-dev+exp,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed 2.0.0-dev+exp,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index a7bf1d33b4..6dddd0ef63 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -15226,11 +15226,12 @@ threat.group.reference: short: Reference URL of the group. type: keyword threat.indicator.confidence: + beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using STIX\ - \ confidence scales.\nExpected values:\n * Not Specified, None, Low, Medium,\ - \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ - \ (Impossible - Certain)" + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n \ + \ * WEP Scale (Impossible - Certain)" example: High flat_name: threat.indicator.confidence ignore_above: 1024 
@@ -15239,39 +15240,20 @@ threat.indicator.confidence: normalize: [] short: Indicator confidence rating type: keyword -threat.indicator.dataset: - dashed_name: threat-indicator-dataset - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware - flat_name: threat.indicator.dataset - ignore_above: 1024 - level: extended - name: indicator.dataset - normalize: [] - short: Indicator dataset - type: keyword threat.indicator.description: + beta: This field is beta and subject to change. dashed_name: threat-indicator-description description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. flat_name: threat.indicator.description + ignore_above: 1024 level: extended name: indicator.description normalize: [] short: Indicator description - type: wildcard -threat.indicator.domain: - dashed_name: threat-indicator-domain - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com - flat_name: threat.indicator.domain - ignore_above: 1024 - level: extended - name: indicator.domain - normalize: [] - short: Indicator domain name type: keyword threat.indicator.email.address: + beta: This field is beta and subject to change. dashed_name: threat-indicator-email-address description: Identifies a threat indicator as an email address (irrespective of direction). @@ -15284,6 +15266,7 @@ threat.indicator.email.address: short: Indicator email address type: keyword threat.indicator.first_seen: + beta: This field is beta and subject to change. dashed_name: threat-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. 
@@ -15295,6 +15278,7 @@ threat.indicator.first_seen: short: Date/time indicator was first reported. type: date threat.indicator.ip: + beta: This field is beta and subject to change. dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). example: 1.2.3.4 @@ -15305,6 +15289,7 @@ threat.indicator.ip: short: Indicator IP address type: ip threat.indicator.last_seen: + beta: This field is beta and subject to change. dashed_name: threat-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -15316,10 +15301,11 @@ threat.indicator.last_seen: short: Date/time indicator was last reported. type: date threat.indicator.marking.tlp: + beta: This field is beta and subject to change. dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n \ - \ * White\n * Green\n * Amber\n * Red" - example: White + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended 
@@ -15327,54 +15313,20 @@ threat.indicator.marking.tlp: normalize: [] short: Indicator TLP marking type: keyword -threat.indicator.matched.atomic: - dashed_name: threat-indicator-matched-atomic - description: Identifies the atomic indicator that matched a local environment endpoint - or network event. - example: example.com - flat_name: threat.indicator.matched.atomic - ignore_above: 1024 - level: extended - name: indicator.matched.atomic - normalize: [] - short: Indicator atomic match - type: keyword -threat.indicator.matched.field: - dashed_name: threat-indicator-matched-field - description: Identifies the field of the atomic indicator that matched a local environment - endpoint or network event. - example: file.hash.sha256 - flat_name: threat.indicator.matched.field - ignore_above: 1024 - level: extended - name: indicator.matched.field - normalize: [] - short: Indicator field match - type: keyword -threat.indicator.matched.type: - dashed_name: threat-indicator-matched-type - description: Identifies the type of the atomic indicator that matched a local environment - endpoint or network event. - example: domain-name - flat_name: threat.indicator.matched.type - ignore_above: 1024 - level: extended - name: indicator.matched.type - normalize: [] - short: Indicator type match - type: keyword -threat.indicator.module: - dashed_name: threat-indicator-module - description: Identifies the name of specific module this data is coming from. - example: threatintel - flat_name: threat.indicator.module - ignore_above: 1024 +threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: indicator.module + name: indicator.modified_at normalize: [] - short: Indicator module - type: keyword + short: Date/time indicator was last updated. + type: date threat.indicator.port: + beta: This field is beta and subject to change. dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). example: 443 @@ -15384,18 +15336,8 @@ threat.indicator.port: normalize: [] short: Indicator port type: long -threat.indicator.provider: - dashed_name: threat-indicator-provider - description: Identifies the name of the intelligence provider. - example: VirusTotal - flat_name: threat.indicator.provider - ignore_above: 1024 - level: extended - name: indicator.provider - normalize: [] - short: Identifies the name of the intelligence provider. - type: keyword threat.indicator.scanner_stats: + beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -15407,6 +15349,7 @@ threat.indicator.scanner_stats: short: Scanner statistics type: long threat.indicator.sightings: + beta: This field is beta and subject to change. dashed_name: threat-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -15417,12 +15360,13 @@ threat.indicator.sightings: short: Number of times indicator observed type: long threat.indicator.type: + beta: This field is beta and subject to change. dashed_name: threat-indicator-type description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ - \ * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x-509-certificate" + \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x509-certificate" example: ipv4-addr flat_name: threat.indicator.type ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 69b48d72b9..026812f137 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -17284,10 +17284,11 @@ threat: short: Reference URL of the group. type: keyword threat.indicator.confidence: + beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence - description: "Identifies the confidence rating assigned by the provider using\ - \ STIX confidence scales.\nExpected values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High flat_name: threat.indicator.confidence 
@@ -17297,39 +17298,20 @@ threat: normalize: [] short: Indicator confidence rating type: keyword - threat.indicator.dataset: - dashed_name: threat-indicator-dataset - description: Identifies the name of specific dataset from the intelligence source. - example: threatintel.abusemalware - flat_name: threat.indicator.dataset - ignore_above: 1024 - level: extended - name: indicator.dataset - normalize: [] - short: Indicator dataset - type: keyword threat.indicator.description: + beta: This field is beta and subject to change. dashed_name: threat-indicator-description description: Describes the type of action conducted by the threat. example: IP x.x.x.x was observed delivering the Angler EK. flat_name: threat.indicator.description + ignore_above: 1024 level: extended name: indicator.description normalize: [] short: Indicator description - type: wildcard - threat.indicator.domain: - dashed_name: threat-indicator-domain - description: Identifies a threat indicator as a domain (irrespective of direction). - example: example.com - flat_name: threat.indicator.domain - ignore_above: 1024 - level: extended - name: indicator.domain - normalize: [] - short: Indicator domain name type: keyword threat.indicator.email.address: + beta: This field is beta and subject to change. dashed_name: threat-indicator-email-address description: Identifies a threat indicator as an email address (irrespective of direction). @@ -17342,6 +17324,7 @@ threat: short: Indicator email address type: keyword threat.indicator.first_seen: + beta: This field is beta and subject to change. dashed_name: threat-indicator-first-seen description: The date and time when intelligence source first reported sighting this indicator. @@ -17353,6 +17336,7 @@ threat: short: Date/time indicator was first reported. type: date threat.indicator.ip: + beta: This field is beta and subject to change. dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). 
@@ -17364,6 +17348,7 @@ threat: short: Indicator IP address type: ip threat.indicator.last_seen: + beta: This field is beta and subject to change. dashed_name: threat-indicator-last-seen description: The date and time when intelligence source last reported sighting this indicator. @@ -17375,10 +17360,11 @@ threat: short: Date/time indicator was last reported. type: date threat.indicator.marking.tlp: + beta: This field is beta and subject to change. dashed_name: threat-indicator-marking-tlp - description: "Traffic Light Protocol sharing markings.\nExpected values are:\n\ - \ * White\n * Green\n * Amber\n * Red" - example: White + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE flat_name: threat.indicator.marking.tlp ignore_above: 1024 level: extended 
@@ -17386,54 +17372,20 @@ threat: normalize: [] short: Indicator TLP marking type: keyword - threat.indicator.matched.atomic: - dashed_name: threat-indicator-matched-atomic - description: Identifies the atomic indicator that matched a local environment - endpoint or network event. - example: example.com - flat_name: threat.indicator.matched.atomic - ignore_above: 1024 - level: extended - name: indicator.matched.atomic - normalize: [] - short: Indicator atomic match - type: keyword - threat.indicator.matched.field: - dashed_name: threat-indicator-matched-field - description: Identifies the field of the atomic indicator that matched a local - environment endpoint or network event. - example: file.hash.sha256 - flat_name: threat.indicator.matched.field - ignore_above: 1024 - level: extended - name: indicator.matched.field - normalize: [] - short: Indicator field match - type: keyword - threat.indicator.matched.type: - dashed_name: threat-indicator-matched-type - description: Identifies the type of the atomic indicator that matched a local - environment endpoint or network event. - example: domain-name - flat_name: threat.indicator.matched.type - ignore_above: 1024 - level: extended - name: indicator.matched.type - normalize: [] - short: Indicator type match - type: keyword - threat.indicator.module: - dashed_name: threat-indicator-module - description: Identifies the name of specific module this data is coming from. - example: threatintel - flat_name: threat.indicator.module - ignore_above: 1024 + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at level: extended - name: indicator.module + name: indicator.modified_at normalize: [] - short: Indicator module - type: keyword + short: Date/time indicator was last updated. + type: date threat.indicator.port: + beta: This field is beta and subject to change. dashed_name: threat-indicator-port description: Identifies a threat indicator as a port number (irrespective of direction). @@ -17444,18 +17396,8 @@ threat: normalize: [] short: Indicator port type: long - threat.indicator.provider: - dashed_name: threat-indicator-provider - description: Identifies the name of the intelligence provider. - example: VirusTotal - flat_name: threat.indicator.provider - ignore_above: 1024 - level: extended - name: indicator.provider - normalize: [] - short: Identifies the name of the intelligence provider. - type: keyword threat.indicator.scanner_stats: + beta: This field is beta and subject to change. dashed_name: threat-indicator-scanner-stats description: Count of AV/EDR vendors that successfully detected malicious file or URL. @@ -17467,6 +17409,7 @@ threat: short: Scanner statistics type: long threat.indicator.sightings: + beta: This field is beta and subject to change. dashed_name: threat-indicator-sightings description: Number of times this indicator was observed conducting threat activity. example: 20 
@@ -17477,12 +17420,13 @@ threat: short: Number of times indicator observed type: long threat.indicator.type: + beta: This field is beta and subject to change. dashed_name: threat-indicator-type description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ - Expected values\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ - \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n *\ - \ mutex\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ - \ * x-509-certificate" + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" example: ipv4-addr flat_name: threat.indicator.type ignore_above: 1024 diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index 19d0662bf3..242fe59e52 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -5273,14 +5273,7 @@ "ignore_above": 1024, "type": "keyword" }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, "description": { - "type": "wildcard" - }, - "domain": { "ignore_above": 1024, "type": "keyword" }, @@ -5309,33 +5302,12 @@ } } }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "module": { - "ignore_above": 1024, - "type": "keyword" + "modified_at": { + "type": "date" }, "port": { "type": "long" }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, "scanner_stats": { "type": "long" }, 
diff --git a/experimental/generated/elasticsearch/component/threat.json b/experimental/generated/elasticsearch/component/threat.json index 1051a7fe38..a00a91d0a8 100644 --- a/experimental/generated/elasticsearch/component/threat.json +++ b/experimental/generated/elasticsearch/component/threat.json @@ -866,14 +866,7 @@ "ignore_above": 1024, "type": "keyword" }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, "description": { - "type": "wildcard" - }, - "domain": { "ignore_above": 1024, "type": "keyword" }, @@ -902,33 +895,12 @@ } } }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "module": { - "ignore_above": 1024, - "type": "keyword" + "modified_at": { + "type": "date" }, "port": { "type": "long" }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, "scanner_stats": { "type": "long" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index a5a457cb33..dd572e8846 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5884,6 +5884,98 @@ \ not required, you can use a MITRE ATT&CK\xAE group reference URL." example: https://attack.mitre.org/groups/G0037/ default_field: false + - name: indicator.confidence + level: extended + type: keyword + ignore_above: 1024 + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + default_field: false + - name: indicator.description + level: extended + type: keyword + ignore_above: 1024 + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + default_field: false + - name: indicator.email.address + level: extended + type: keyword + ignore_above: 1024 + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + default_field: false + - name: indicator.first_seen + level: extended + type: date + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.ip + level: extended + type: ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + default_field: false + - name: indicator.last_seen + level: extended + type: date + description: The date and time when intelligence source last reported sighting + this indicator. 
+ example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.marking.tlp + level: extended + type: keyword + ignore_above: 1024 + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + default_field: false + - name: indicator.modified_at + level: extended + type: date + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + default_field: false + - name: indicator.port + level: extended + type: long + description: Identifies a threat indicator as a port number (irrespective of + direction). + example: 443 + default_field: false + - name: indicator.scanner_stats + level: extended + type: long + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + default_field: false + - name: indicator.sightings + level: extended + type: long + description: Number of times this indicator was observed conducting threat activity. + example: 20 + default_field: false + - name: indicator.type + level: extended + type: keyword + ignore_above: 1024 + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + default_field: false - name: software.id level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 4e3f6e337a..9c4ac09ba6 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -671,6 +671,18 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. 2.0.0-dev,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. 2.0.0-dev,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. +2.0.0-dev,true,threat,threat.indicator.confidence,keyword,extended,,High,Indicator confidence rating +2.0.0-dev,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +2.0.0-dev,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +2.0.0-dev,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +2.0.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +2.0.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +2.0.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking +2.0.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +2.0.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port +2.0.0-dev,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +2.0.0-dev,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +2.0.0-dev,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator 2.0.0-dev,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software 2.0.0-dev,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. 2.0.0-dev,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index a9472ee8f3..5382135b00 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8598,6 +8598,156 @@ threat.group.reference: normalize: [] short: Reference URL of the group. type: keyword +threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n \ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword +threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword +threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective of + direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword +threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. 
+ type: date +threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip +threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting this + indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date +threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword +threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date +threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of direction). 
+ example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long +threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file or + URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long +threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long +threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n * domain-name\n\ + \ * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n * mac-addr\n * mutex\n\ + \ * port\n * process\n * software\n * url\n * user-account\n * windows-registry-key\n\ + \ * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 95ab530b55..769f35d09c 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10251,6 +10251,158 @@ threat: normalize: [] short: Reference URL of the group. type: keyword + threat.indicator.confidence: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-confidence + description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ + using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" + example: High + flat_name: threat.indicator.confidence + ignore_above: 1024 + level: extended + name: indicator.confidence + normalize: [] + short: Indicator confidence rating + type: keyword + threat.indicator.description: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-description + description: Describes the type of action conducted by the threat. + example: IP x.x.x.x was observed delivering the Angler EK. + flat_name: threat.indicator.description + ignore_above: 1024 + level: extended + name: indicator.description + normalize: [] + short: Indicator description + type: keyword + threat.indicator.email.address: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-email-address + description: Identifies a threat indicator as an email address (irrespective + of direction). + example: phish@example.com + flat_name: threat.indicator.email.address + ignore_above: 1024 + level: extended + name: indicator.email.address + normalize: [] + short: Indicator email address + type: keyword + threat.indicator.first_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-first-seen + description: The date and time when intelligence source first reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.first_seen + level: extended + name: indicator.first_seen + normalize: [] + short: Date/time indicator was first reported. 
+ type: date + threat.indicator.ip: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-ip + description: Identifies a threat indicator as an IP address (irrespective of + direction). + example: 1.2.3.4 + flat_name: threat.indicator.ip + level: extended + name: indicator.ip + normalize: [] + short: Indicator IP address + type: ip + threat.indicator.last_seen: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-last-seen + description: The date and time when intelligence source last reported sighting + this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.last_seen + level: extended + name: indicator.last_seen + normalize: [] + short: Date/time indicator was last reported. + type: date + threat.indicator.marking.tlp: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-marking-tlp + description: "Traffic Light Protocol sharing markings.\nRecommended values are:\n\ + \ * WHITE\n * GREEN\n * AMBER\n * RED" + example: WHITE + flat_name: threat.indicator.marking.tlp + ignore_above: 1024 + level: extended + name: indicator.marking.tlp + normalize: [] + short: Indicator TLP marking + type: keyword + threat.indicator.modified_at: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-modified-at + description: The date and time when intelligence source last modified information + for this indicator. + example: '2020-11-05T17:25:47.000Z' + flat_name: threat.indicator.modified_at + level: extended + name: indicator.modified_at + normalize: [] + short: Date/time indicator was last updated. + type: date + threat.indicator.port: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-port + description: Identifies a threat indicator as a port number (irrespective of + direction). 
+ example: 443 + flat_name: threat.indicator.port + level: extended + name: indicator.port + normalize: [] + short: Indicator port + type: long + threat.indicator.scanner_stats: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-scanner-stats + description: Count of AV/EDR vendors that successfully detected malicious file + or URL. + example: 4 + flat_name: threat.indicator.scanner_stats + level: extended + name: indicator.scanner_stats + normalize: [] + short: Scanner statistics + type: long + threat.indicator.sightings: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-sightings + description: Number of times this indicator was observed conducting threat activity. + example: 20 + flat_name: threat.indicator.sightings + level: extended + name: indicator.sightings + normalize: [] + short: Number of times indicator observed + type: long + threat.indicator.type: + beta: This field is beta and subject to change. + dashed_name: threat-indicator-type + description: "Type of indicator as represented by Cyber Observable in STIX 2.0.\n\ + Recommended values:\n * autonomous-system\n * artifact\n * directory\n\ + \ * domain-name\n * email-addr\n * file\n * ipv4-addr\n * ipv6-addr\n\ + \ * mac-addr\n * mutex\n * port\n * process\n * software\n * url\n \ + \ * user-account\n * windows-registry-key\n * x509-certificate" + example: ipv4-addr + flat_name: threat.indicator.type + ignore_above: 1024 + level: extended + name: indicator.type + normalize: [] + short: Type of indicator + type: keyword threat.software.id: beta: This field is beta and subject to change. dashed_name: threat-software-id diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 39f4ad8f0e..88a7df924d 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json 
@@ -3121,6 +3121,59 @@ } } }, + "indicator": { + "properties": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "software": { "properties": { "id": { diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 3dbad41f84..fce5155323 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -3117,6 +3117,59 @@ } } }, + "indicator": { + "properties": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "software": { "properties": { "id": { diff --git a/generated/elasticsearch/component/threat.json b/generated/elasticsearch/component/threat.json index e976bd78fa..299b73c8bc 100644 --- a/generated/elasticsearch/component/threat.json 
+++ b/generated/elasticsearch/component/threat.json @@ -32,6 +32,59 @@ } } }, + "indicator": { + "properties": { + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "software": { "properties": { "id": { From 1a2e72e2376c75026e25928de4bee12d4c2d9001 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 23 Jun 2021 16:35:43 -0500 Subject: [PATCH 4/7] s/expected/recommended --- code/go/ecs/threat.go | 2 +- docs/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 2 +- experimental/generated/ecs/ecs_flat.yml | 6 +++--- experimental/generated/ecs/ecs_nested.yml | 2 +- generated/beats/fields.ecs.yml | 2 +- generated/ecs/ecs_flat.yml | 6 +++--- generated/ecs/ecs_nested.yml | 2 +- schemas/threat.yml | 2 +- 9 files changed, 13 insertions(+), 13 deletions(-) diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go index f85d510f86..918de5bc8b 100644 --- a/code/go/ecs/threat.go +++ b/code/go/ecs/threat.go @@ -103,7 +103,7 @@ type Threat struct { // Identifies the confidence rating assigned by the provider using // STIX confidence scales. - // Expected values: + // Recommended values: // * Not Specified, None, Low, Medium, High // * 0-10 // * Admirality Scale (1-6) diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index cb2aa17731..872ee15f25 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
@@ -7656,7 +7656,7 @@ example: `https://attack.mitre.org/groups/G0037/` Identifies the confidence rating assigned by the provider using STIX confidence scales. -Expected values: +Recommended values: * Not Specified, None, Low, Medium, High diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 3996dbf200..d28e57917a 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -9767,7 +9767,7 @@ type: keyword ignore_above: 1024 description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None,\ + using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 6dddd0ef63..06f7b7f850 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -15229,9 +15229,9 @@ threat.indicator.confidence: beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n \ - \ * WEP Scale (Impossible - Certain)" + using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" example: High flat_name: threat.indicator.confidence ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 026812f137..173c9c152b 100644 
--- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -17287,7 +17287,7 @@ threat: beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None,\ + using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index dd572e8846..f40f0729d7 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -5889,7 +5889,7 @@ type: keyword ignore_above: 1024 description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None,\ + using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 5382135b00..a8514f01a9 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -8602,9 +8602,9 @@ threat.indicator.confidence: beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None, Low,\ - \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n \ - \ * WEP Scale (Impossible - Certain)" + using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ + \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + \ * WEP Scale (Impossible - Certain)" example: High flat_name: threat.indicator.confidence ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 769f35d09c..db5ca8c67e 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -10255,7 +10255,7 @@ threat: beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nExpected values:\n * Not Specified, None,\ + using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High diff --git a/schemas/threat.yml b/schemas/threat.yml index 7d3098c3d4..565e9c24c3 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -163,7 +163,7 @@ description: > Identifies the confidence rating assigned by the provider using STIX confidence scales. - Expected values: + Recommended values: * Not Specified, None, Low, Medium, High * 0-10 * Admirality Scale (1-6) From fa8c46afe64149b419b73153118969311c929522 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 23 Jun 2021 16:55:52 -0500 Subject: [PATCH 5/7] add changelog --- CHANGELOG.next.md | 1 + 1 file changed, 1 insertion(+) 
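Review bot: Renaming "Expected" to "Recommended" in `schemas/threat.yml` leaves the list mixing five non-comparable scales in a single `keyword` field, so a stored value such as `5` is ambiguous (5 on the 0-10 scale, Admiralty 5, or DNI 5%) and, being a string, cannot be range-queried numerically by detection rules that threshold on confidence. I would add a sentence after the list, along the lines of `Values from different scales are not directly comparable and numeric scales are stored as strings; consumers should normalize to a single scale before comparing or thresholding on this field.` The context line `* Admirality Scale (1-6)` also appears to misspell the NATO Admiralty scale and should read `* Admiralty Scale (1-6)`, with the generated artifacts rebuilt afterwards. The description's bullet list continues past the end of the hunk.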
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 1d21131b04..59cd2a73be 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -27,6 +27,7 @@ Thanks, you're awesome :-) --> * Added `event.agent_id_status` field. #1454 * `threat.enrichments` added to the experimental schema. #1457 * `process.target` and `process.target.parent` added to experimental schema. #1467 +* Threat indicator fields progress to beta stage. #1471 #### Improvements From c7461e3000ff333e5de8412ff42049b773e6a8a2 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 28 Jun 2021 11:45:15 -0500 Subject: [PATCH 6/7] spaces anomaly --- schemas/threat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/schemas/threat.yml b/schemas/threat.yml index 565e9c24c3..8b55fc49a8 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -161,7 +161,7 @@ short: Indicator confidence rating beta: This field is beta and subject to change. description: > - Identifies the confidence rating assigned by the provider using STIX confidence scales. + Identifies the confidence rating assigned by the provider using STIX confidence scales. Recommended values: * Not Specified, None, Low, Medium, High From ffb9889dac93ad85f0d1dbb225fecaa2f396c80d Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Mon, 28 Jun 2021 11:46:08 -0500 Subject: [PATCH 7/7] artifacts --- code/go/ecs/threat.go | 4 ++-- docs/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 6 +++--- experimental/generated/ecs/ecs_flat.yml | 8 ++++---- experimental/generated/ecs/ecs_nested.yml | 6 +++--- generated/beats/fields.ecs.yml | 6 +++--- generated/ecs/ecs_flat.yml | 8 ++++---- generated/ecs/ecs_nested.yml | 6 +++--- 8 files changed, 23 insertions(+), 23 deletions(-) diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go index 918de5bc8b..ec7d1a4ee8 100644 --- a/code/go/ecs/threat.go +++ b/code/go/ecs/threat.go 
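Review bot: The `schemas/threat.yml` hunk in the "spaces anomaly" commit replaces what appear to be non-breaking spaces (U+00A0, surfacing as `\_` escapes in the generated YAML and as odd wrapping in the Go comment) with ASCII spaces, but nothing stops the same characters re-entering a `description` or `short` value on the next copy-paste. Since these fields feed every generated artifact, a guard in the schema loading step that rejects non-ASCII whitespace (or any non-printable Unicode) in text fields would turn this into a build failure instead of a silent artifact diff. If the repository already validates schema text, a one-line check such as `re.search(r"[\u00a0\u200b\u2028\u2029]", value)` raising on match would be enough; otherwise a note in the contributor docs that schema text must be plain ASCII is a reasonable minimum.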
@@ -101,8 +101,8 @@ type Threat struct { // URL. IndicatorScannerStats int64 `ecs:"indicator.scanner_stats"` - // Identifies the confidence rating assigned by the provider using - // STIX confidence scales. + // Identifies the confidence rating assigned by the provider using STIX + // confidence scales. // Recommended values: // * Not Specified, None, Low, Medium, High // * 0-10 diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 872ee15f25..7bf034320d 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -7654,7 +7654,7 @@ example: `https://attack.mitre.org/groups/G0037/` | beta:[ This field is beta and subject to change. ] -Identifies the confidence rating assigned by the provider using STIX confidence scales. +Identifies the confidence rating assigned by the provider using STIX confidence scales. Recommended values: diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index d28e57917a..3d154db918 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -9766,9 +9766,9 @@ level: extended type: keyword ignore_above: 1024 - description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ - \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High default_field: false diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 06f7b7f850..aa1523f8c5 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -15228,10 +15228,10 @@ threat.group.reference: threat.indicator.confidence: beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence - description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ - \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" example: High flat_name: threat.indicator.confidence ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 173c9c152b..3418de7619 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -17286,9 +17286,9 @@ threat: threat.indicator.confidence: beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence - description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ - \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High flat_name: threat.indicator.confidence diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index f40f0729d7..14369286f8 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -5888,9 +5888,9 @@ level: extended type: keyword ignore_above: 1024 - description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ - \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High default_field: false diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index a8514f01a9..79339c40c1 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -8601,10 +8601,10 @@ threat.group.reference: threat.indicator.confidence: beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence - description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ - \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ - \ * WEP Scale (Impossible - Certain)" + description: "Identifies the confidence rating assigned by the provider using STIX\ + \ confidence scales.\nRecommended values:\n * Not Specified, None, Low, Medium,\ + \ High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n * WEP Scale\ + \ (Impossible - Certain)" example: High flat_name: threat.indicator.confidence ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index db5ca8c67e..6744bc4444 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -10254,9 +10254,9 @@ threat: threat.indicator.confidence: beta: This field is beta and subject to change. dashed_name: threat-indicator-confidence - description: "Identifies\_the\_confidence\_rating\_assigned\_by\_the\_provider\_\ - using\_STIX\_confidence scales.\nRecommended values:\n * Not Specified, None,\ - \ Low, Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ + description: "Identifies the confidence rating assigned by the provider using\ + \ STIX confidence scales.\nRecommended values:\n * Not Specified, None, Low,\ + \ Medium, High\n * 0-10\n * Admirality Scale (1-6)\n * DNI Scale (5-95)\n\ \ * WEP Scale (Impossible - Certain)" example: High flat_name: threat.indicator.confidence