From 69b811457c25dbff3763a1242e4465cbaf75cab7 Mon Sep 17 00:00:00 2001 From: Brett Fitzpatrick Date: Wed, 27 Mar 2024 11:55:18 -0400 Subject: [PATCH] Resolves GH-2252 --- CHANGELOG.next.md | 1 + docs/fields/field-details.asciidoc | 21 +++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 11 ++++++++++ experimental/generated/csv/fields.csv | 1 + experimental/generated/ecs/ecs_flat.yml | 16 ++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 16 ++++++++++++++ .../composable/component/threat.json | 4 ++++ .../elasticsearch/legacy/template.json | 4 ++++ generated/beats/fields.ecs.yml | 11 ++++++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 16 ++++++++++++++ generated/ecs/ecs_nested.yml | 16 ++++++++++++++ .../composable/component/threat.json | 4 ++++ generated/elasticsearch/legacy/template.json | 4 ++++ schemas/threat.yml | 14 +++++++++++++ 15 files changed, 140 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index b67cd5af8..e3eb6b418 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -19,6 +19,7 @@ Thanks, you're awesome :-) --> * Added `volume.*` as beta field set. #2269 * Advanced `process.env_vars` to GA. #2315 * Advanced `process.io` and `process.tty` fields to GA. #2317 +* Added `threat.indicator.id`. #2252 #### Improvements diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index ad2f9d8ab..c2d5cade3 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
@@ -10953,6 +10953,27 @@ example: `2020-11-05T17:25:47.000Z` // =============================================================== +| +[[field-threat-indicator-id]] +<> + +a| The ID of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats. + +While not required, a common approach is to use a STIX 2.x indicator ID. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]` + +| extended + +// =============================================================== + | [[field-threat-indicator-ip]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 27ee873ef..2ba8ee01a 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -11645,6 +11645,17 @@ description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false + - name: indicator.id + level: extended + type: keyword + ignore_above: 1024 + description: "The ID of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + default_field: false - name: indicator.ip level: extended type: ip diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2f9837c98..360d88507 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1500,6 +1500,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
 8.12.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.12.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator
 8.12.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 8.12.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
 8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index e3c678dd5..766b64686 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -18960,6 +18960,22 @@ threat.indicator.geo.timezone:
   original_fieldset: geo
   short: Time zone.
   type: keyword
+threat.indicator.id:
+  dashed_name: threat-indicator-id
+  description: "The ID of the indicator used by this threat to conduct behavior commonly\
+    \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\
+    \ for the identification of the same indicator across systems that use different\
+    \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\
+    \ ID."
+  example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+  flat_name: threat.indicator.id
+  ignore_above: 1024
+  level: extended
+  name: indicator.id
+  normalize:
+  - array
+  short: ID of the indicator
+  type: keyword
 threat.indicator.ip:
   dashed_name: threat-indicator-ip
   description: Identifies a threat indicator as an IP address (irrespective of direction).
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index dd47d98b2..5ffa13984 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -21632,6 +21632,22 @@ threat: original_fieldset: geo short: Time zone. type: keyword + threat.indicator.id: + dashed_name: threat-indicator-id + description: "The ID of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index c49f84573..7f002d5bb 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1522,6 +1522,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6ecdd5d57..1dc48de29 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -6727,6 +6727,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 0c45bd930..af875b79f 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -11595,6 +11595,17 @@
       description: The time zone of the location, such as IANA time zone name.
       example: America/Argentina/Buenos_Aires
       default_field: false
+    - name: indicator.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The ID of the indicator used by this threat to conduct behavior\
+        \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\
+        \ to allow for the identification of the same indicator across systems that\
+        \ use different ID formats.\nWhile not required, a common approach is to use\
+        \ a STIX 2.x indicator ID."
+      example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+      default_field: false
     - name: indicator.ip
       level: extended
       type: ip
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index d9bd84920..3ca25f144 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1493,6 +1493,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 8.12.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
 8.12.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.12.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator
 8.12.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 8.12.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
 8.12.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 468e30d9c..e867cae5e 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -18891,6 +18891,22 @@ threat.indicator.geo.timezone:
   original_fieldset: geo
   short: Time zone.
   type: keyword
+threat.indicator.id:
+  dashed_name: threat-indicator-id
+  description: "The ID of the indicator used by this threat to conduct behavior commonly\
+    \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\
+    \ for the identification of the same indicator across systems that use different\
+    \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\
+    \ ID."
+  example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+  flat_name: threat.indicator.id
+  ignore_above: 1024
+  level: extended
+  name: indicator.id
+  normalize:
+  - array
+  short: ID of the indicator
+  type: keyword
 threat.indicator.ip:
   dashed_name: threat-indicator-ip
   description: Identifies a threat indicator as an IP address (irrespective of direction).
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 4aec3d3fd..004d353e3 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -21552,6 +21552,22 @@ threat: original_fieldset: geo short: Time zone. type: keyword + threat.indicator.id: + dashed_name: threat-indicator-id + description: "The ID of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator ID." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 178ab4359..17d9b1e77 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -1522,6 +1522,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 4ac844151..0e26f7302 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -6685,6 +6685,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/schemas/threat.yml b/schemas/threat.yml index a9cb54494..fd8d87510 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
@@ -514,6 +514,20 @@ The name of the indicator's provider. example: lrz_urlhaus + - name: indicator.id + level: extended + type: keyword + short: ID of the indicator + description: > + The ID of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + This field can have multiple values to allow for the identification of the same indicator across systems + that use different ID formats. + + While not required, a common approach is to use a STIX 2.x indicator ID. + example: "[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]" + normalize: + - array + - name: software.id level: extended type: keyword
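Review bot: The first sentence of the new `description:` says the ID belongs to "this threat to conduct behavior commonly modeled using MITRE ATT&CK®", which is the vocabulary of the technique fields and never states what the ID actually identifies or who assigns it. Because the field is multi-valued precisely so that one indicator can be matched across feeds with different ID schemes, a reader needs to know that only STIX-style `indicator--<UUID>` values carry uniqueness on their own, and that other provider-assigned IDs should be correlated together with the indicator's provider field to avoid joining unrelated indicators. Suggested replacement for that sentence: `The ID of the indicator as assigned by the provider or exchange format that supplied it. This field can have multiple values so the same indicator can be referenced across systems that use different ID formats; when an ID is not globally unique, correlate it together with threat.indicator.provider.` The enclosing `fields:` list begins outside the hunk.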