diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index b67cd5af89..7e9715ae7b 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -19,6 +19,7 @@ Thanks, you're awesome :-) -->
 * Added `volume.*` as beta field set. #2269
 * Advanced `process.env_vars` to GA. #2315
 * Advanced `process.io` and `process.tty` fields to GA. #2317
+* Added `threat.indicator.id`. #2324
 
 #### Improvements
 
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
index ad2f9d8ab1..c2d5cade31 100644
--- a/docs/fields/field-details.asciidoc
+++ b/docs/fields/field-details.asciidoc
@@ -10953,6 +10953,27 @@ example: `2020-11-05T17:25:47.000Z`
 
 // ===============================================================
 
+|
+[[field-threat-indicator-id]]
+<>
+
+a| The ID of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats.
+
+While not required, a common approach is to use a STIX 2.x indicator ID.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-threat-indicator-ip]]
 <>
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 27ee873efa..2ba8ee01ac 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -11645,6 +11645,17 @@
 description: The time zone of the location, such as IANA time zone name.
 example: America/Argentina/Buenos_Aires
 default_field: false
+ - name: indicator.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "The ID of the indicator used by this threat to conduct behavior\
+ \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\
+ \ to allow for the identification of the same indicator across systems that\
+ \ use different ID formats.\nWhile not required, a common approach is to use\
+ \ a STIX 2.x indicator ID."
+ example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+ default_field: false
 - name: indicator.ip
 level: extended
 type: ip
diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv
index 2f9837c989..360d885076 100644
--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -1500,6 +1500,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
 8.12.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.12.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator
 8.12.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 8.12.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
 8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index e3c678dd5c..766b646865 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -18960,6 +18960,22 @@ threat.indicator.geo.timezone:
 original_fieldset: geo
 short: Time zone.
 type: keyword
+threat.indicator.id:
+ dashed_name: threat-indicator-id
+ description: "The ID of the indicator used by this threat to conduct behavior commonly\
+ \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\
+ \ for the identification of the same indicator across systems that use different\
+ \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\
+ \ ID."
+ example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+ flat_name: threat.indicator.id
+ ignore_above: 1024
+ level: extended
+ name: indicator.id
+ normalize:
+ - array
+ short: ID of the indicator
+ type: keyword
 threat.indicator.ip:
 dashed_name: threat-indicator-ip
 description: Identifies a threat indicator as an IP address (irrespective of direction).
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index dd47d98b2f..5ffa13984b 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -21632,6 +21632,22 @@ threat:
 original_fieldset: geo
 short: Time zone.
 type: keyword
+ threat.indicator.id:
+ dashed_name: threat-indicator-id
+ description: "The ID of the indicator used by this threat to conduct behavior\
+ \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\
+ \ to allow for the identification of the same indicator across systems that\
+ \ use different ID formats.\nWhile not required, a common approach is to use\
+ \ a STIX 2.x indicator ID."
+ example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+ flat_name: threat.indicator.id
+ ignore_above: 1024
+ level: extended
+ name: indicator.id
+ normalize:
+ - array
+ short: ID of the indicator
+ type: keyword
 threat.indicator.ip:
 dashed_name: threat-indicator-ip
 description: Identifies a threat indicator as an IP address (irrespective of
diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json
index c49f845733..7f002d5bb7 100644
--- a/experimental/generated/elasticsearch/composable/component/threat.json
+++ b/experimental/generated/elasticsearch/composable/component/threat.json
@@ -1522,6 +1522,10 @@
 }
 }
 },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "ip": {
 "type": "ip"
 },
diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json
index 6ecdd5d57e..1dc48de290 100644
--- a/experimental/generated/elasticsearch/legacy/template.json
+++ b/experimental/generated/elasticsearch/legacy/template.json
@@ -6727,6 +6727,10 @@
 }
 }
 },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "ip": {
 "type": "ip"
 },
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 0c45bd930d..af875b79f0 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -11595,6 +11595,17 @@
 description: The time zone of the location, such as IANA time zone name.
 example: America/Argentina/Buenos_Aires
 default_field: false
+ - name: indicator.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: "The ID of the indicator used by this threat to conduct behavior\
+ \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\
+ \ to allow for the identification of the same indicator across systems that\
+ \ use different ID formats.\nWhile not required, a common approach is to use\
+ \ a STIX 2.x indicator ID."
+ example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+ default_field: false
 - name: indicator.ip
 level: extended
 type: ip
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index d9bd84920e..3ca25f1445 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -1493,6 +1493,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
 8.12.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name.
 8.12.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.12.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator
 8.12.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 8.12.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
 8.12.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 468e30d9c6..e867cae5e6 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -18891,6 +18891,22 @@ threat.indicator.geo.timezone:
 original_fieldset: geo
 short: Time zone.
 type: keyword
+threat.indicator.id:
+ dashed_name: threat-indicator-id
+ description: "The ID of the indicator used by this threat to conduct behavior commonly\
+ \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\
+ \ for the identification of the same indicator across systems that use different\
+ \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\
+ \ ID."
+ example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+ flat_name: threat.indicator.id
+ ignore_above: 1024
+ level: extended
+ name: indicator.id
+ normalize:
+ - array
+ short: ID of the indicator
+ type: keyword
 threat.indicator.ip:
 dashed_name: threat-indicator-ip
 description: Identifies a threat indicator as an IP address (irrespective of direction).
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 4aec3d3fd5..004d353e36 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -21552,6 +21552,22 @@ threat:
 original_fieldset: geo
 short: Time zone.
 type: keyword
+ threat.indicator.id:
+ dashed_name: threat-indicator-id
+ description: "The ID of the indicator used by this threat to conduct behavior\
+ \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\
+ \ to allow for the identification of the same indicator across systems that\
+ \ use different ID formats.\nWhile not required, a common approach is to use\
+ \ a STIX 2.x indicator ID."
+ example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]'
+ flat_name: threat.indicator.id
+ ignore_above: 1024
+ level: extended
+ name: indicator.id
+ normalize:
+ - array
+ short: ID of the indicator
+ type: keyword
 threat.indicator.ip:
 dashed_name: threat-indicator-ip
 description: Identifies a threat indicator as an IP address (irrespective of
diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json
index 178ab4359c..17d9b1e77f 100644
--- a/generated/elasticsearch/composable/component/threat.json
+++ b/generated/elasticsearch/composable/component/threat.json
@@ -1522,6 +1522,10 @@
 }
 }
 },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "ip": {
 "type": "ip"
 },
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index 4ac8441518..0e26f73020 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -6685,6 +6685,10 @@
 }
 }
 },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "ip": {
 "type": "ip"
 },
diff --git a/schemas/threat.yml b/schemas/threat.yml
index a9cb544948..fd8d875102 100644
--- a/schemas/threat.yml
+++ b/schemas/threat.yml
@@ -514,6 +514,20 @@
 The name of the indicator's provider.
 example: lrz_urlhaus
 
+ - name: indicator.id
+ level: extended
+ type: keyword
+ short: ID of the indicator
+ description: >
+ The ID of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
+ This field can have multiple values to allow for the identification of the same indicator across systems
+ that use different ID formats.
+
+ While not required, a common approach is to use a STIX 2.x indicator ID.
+ example: "[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]"
+ normalize:
+ - array
+
 - name: software.id
 level: extended
 type: keyword
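Review bot: The `description` of the new `indicator.id` entry in schemas/threat.yml opens with "used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®", which appears to be carried over from the software/technique field descriptions and does not say what an indicator ID actually identifies; the `short` text "ID of the indicator" is the more accurate of the two. Since the field is array-normalized and no ID scheme is mandated, two feeds can legitimately emit the same string for unrelated indicators, so a consumer that correlates or deduplicates on this value alone can merge distinct indicators; the description should tell readers to scope it by the issuing source (the `indicator.provider` entry is visible just above the hunk). I would replace the first sentence with `The ID of the indicator as assigned by the source that published it. Because IDs may only be unique within that source, pair this field with threat.indicator.provider when correlating across feeds.` and keep the existing multi-value and STIX 2.x sentences. The `threat` field set's `fields:` list continues outside the hunk in both directions.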