diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 64e3c1b3a..03a25006a 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -17,6 +17,7 @@ Thanks, you're awesome :-) -->
 
 #### Added
 
 * Added `volume.*` as beta field set. #2269
+* Added `threat.indicator.id` [#2252](https://github.com/elastic/ecs/issues/2252)
 
 #### Improvements
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
index b71ae31f6..06d9c444d 100644
--- a/docs/fields/field-details.asciidoc
+++ b/docs/fields/field-details.asciidoc
@@ -10977,6 +10977,27 @@ example: `2020-11-05T17:25:47.000Z`
 
 // ===============================================================
 
+|
+[[field-threat-indicator-id]]
+<>
+
+a| The id of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats.
+
+While not required, a common approach is to use a STIX 2.x indicator id.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-threat-indicator-ip]]
 <>
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 27ee873ef..2ce808781 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -11645,6 +11645,17 @@ description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false + - name: indicator.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + default_field: false - name: indicator.ip level: extended type: ip diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2f9837c98..360d88507 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -1500,6 +1500,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 8.12.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator 8.12.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.12.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 9b74b8e01..c508334f8 100644 --- a/experimental/generated/ecs/ecs_flat.yml 
+++ b/experimental/generated/ecs/ecs_flat.yml @@ -18972,6 +18972,22 @@ threat.indicator.geo.timezone: original_fieldset: geo short: Time zone. type: keyword +threat.indicator.id: + dashed_name: threat-indicator-id + description: "The id of the indicator used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\ + \ for the identification of the same indicator across systems that use different\ + \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\ + \ id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0eee0300d..9c366d5cc 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -21644,6 +21644,22 @@ threat: original_fieldset: geo short: Time zone. type: keyword + threat.indicator.id: + dashed_name: threat-indicator-id + description: "The id of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index c49f84573..7f002d5bb 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1522,6 +1522,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6ecdd5d57..1dc48de29 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -6727,6 +6727,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 0c45bd930..a9ea92405 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -11595,6 +11595,17 @@ description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false + - name: indicator.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + default_field: false - name: indicator.ip level: extended type: ip diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index d9bd84920..3ca25f144 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1493,6 +1493,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 8.12.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 8.12.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator 8.12.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.12.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.12.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e5f035baa..524cbe278 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -18903,6 +18903,22 @@ threat.indicator.geo.timezone: original_fieldset: geo short: Time zone. type: keyword +threat.indicator.id: + dashed_name: threat-indicator-id + description: "The id of the indicator used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\ + \ for the identification of the same indicator across systems that use different\ + \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\ + \ id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 048948d37..4344da029 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -21564,6 +21564,22 @@ threat: original_fieldset: geo short: Time zone. type: keyword + threat.indicator.id: + dashed_name: threat-indicator-id + description: "The id of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of 
diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json
index 178ab4359..17d9b1e77 100644
--- a/generated/elasticsearch/composable/component/threat.json
+++ b/generated/elasticsearch/composable/component/threat.json
@@ -1522,6 +1522,10 @@
 }
 }
 },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "ip": {
 "type": "ip"
 },
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json
index 4ac844151..0e26f7302 100644
--- a/generated/elasticsearch/legacy/template.json
+++ b/generated/elasticsearch/legacy/template.json
@@ -6685,6 +6685,10 @@
 }
 }
 },
+ "id": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "ip": {
 "type": "ip"
 },
diff --git a/schemas/threat.yml b/schemas/threat.yml
index a9cb54494..b339b622a 100644
--- a/schemas/threat.yml
+++ b/schemas/threat.yml
@@ -514,6 +514,20 @@
 The name of the indicator's provider.
 example: lrz_urlhaus
 
+ - name: indicator.id
+ level: extended
+ type: keyword
+ short: ID of the indicator
+ description: >
+ The id of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.
+ This field can have multiple values to allow for the identification of the same indicator across systems
+ that use different ID formats.
+
+ While not required, a common approach is to use a STIX 2.x indicator id.
+ example: "[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]"
+ normalize:
+ - array
+
 - name: software.id
 level: extended
 type: keyword
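Review bot: The new `indicator.id` description presents the id as a cross-system identifier but never says which source issued it, so a reader correlating events on this field alone risks matching unrelated indicators where two feeds use overlapping non-STIX formats; the hunk's own context (`The name of the indicator's provider.` / `example: lrz_urlhaus`) shows `indicator.provider` sits right above the new entry. I would extend the folded description with `Because ID formats differ between sources, pair this field with threat.indicator.provider when correlating indicators across feeds.` The example is correctly double-quoted — a value starting with `[` would otherwise be parsed as a flow sequence — and the `normalize: - array` entry matches the "multiple values" wording, so those need no change. Consider also aligning the casing of `id` in the description with `ID` in the short text.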