From 507f5b5e1850d9237ff0b82c313f5475024f0a6c Mon Sep 17 00:00:00 2001 From: Brett Fitzpatrick Date: Thu, 21 Dec 2023 12:33:32 -0500 Subject: [PATCH 1/3] added new field: threat.indicator.id, resolves GH-2252 --- schemas/threat.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/schemas/threat.yml b/schemas/threat.yml index a9cb54494..d6ea15eae 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml @@ -514,6 +514,20 @@ The name of the indicator's provider. example: lrz_urlhaus + - name: indicator.id + level: extended + type: keyword + short: ID of the indicator + description: > + The id of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. + This field can have multiple values to allow for the identification of the same indicator across systems + that use different ID formats. + + While not required, a common approach is to use a STIX 2.x indicator id. + example: "indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37" + normalize: + - array + - name: software.id level: extended type: keyword From e82d19e52716387d938e86f28ed20a850c959491 Mon Sep 17 00:00:00 2001 From: Brett Fitzpatrick Date: Thu, 21 Dec 2023 12:49:11 -0500 Subject: [PATCH 2/3] updated example + added changelog entry --- CHANGELOG.next.md | 1 + schemas/threat.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 64e3c1b3a..03a25006a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -17,6 +17,7 @@ Thanks, you're awesome :-) --> #### Added * Added `volume.*` as beta field set. #2269 +* Added `threat.indicator.id` [#2252](https://github.com/elastic/ecs/issues/2252) #### Improvements diff --git a/schemas/threat.yml b/schemas/threat.yml index d6ea15eae..b339b622a 100644 --- a/schemas/threat.yml +++ b/schemas/threat.yml 
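Review bot: The new `indicator.id` description in the schemas/threat.yml hunk never says what scopes an id, yet it explicitly invites formats other than STIX; a provider's internal numeric id is only unique within that system, so consumers correlating across feeds can conflate unrelated indicators that happen to share a short id. The adjacent `provider` field (the context line at the top of the hunk) is the natural scope, so I would add one sentence to the description: `When the id is not globally unique, pair it with threat.indicator.provider to disambiguate it.` The opening sentence also reads as if the id itself "conducts behavior", which looks like boilerplate carried over from the software-style fields; `The id of the indicator, as assigned by the source that published it.` states the intent more plainly. The enclosing `threat` field list starts before this hunk.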
@@ -524,7 +524,7 @@ that use different ID formats. While not required, a common approach is to use a STIX 2.x indicator id. - example: "indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37" + example: "[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]" normalize: - array From 6468e0d68c3ec866e450abd054a6342eabb2b571 Mon Sep 17 00:00:00 2001 From: Brett Fitzpatrick Date: Thu, 21 Dec 2023 13:14:05 -0500 Subject: [PATCH 3/3] added generated files --- docs/fields/field-details.asciidoc | 21 +++++++++++++++++++ experimental/generated/beats/fields.ecs.yml | 11 ++++++++++ experimental/generated/csv/fields.csv | 1 + experimental/generated/ecs/ecs_flat.yml | 16 ++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 16 ++++++++++++++ .../composable/component/threat.json | 4 ++++ .../elasticsearch/legacy/template.json | 4 ++++ generated/beats/fields.ecs.yml | 11 ++++++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 16 ++++++++++++++ generated/ecs/ecs_nested.yml | 16 ++++++++++++++ .../composable/component/threat.json | 4 ++++ generated/elasticsearch/legacy/template.json | 4 ++++ 13 files changed, 125 insertions(+) diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index b71ae31f6..06d9c444d 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc 
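Review bot: The revised `example` in this hunk wraps the single value in brackets but leaves the element unquoted, `"[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]"`, whereas the array-normalized ECS fields I recall (for instance `process.args`) render their example elements as quoted strings; for consistency I would write `example: '["indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37"]'`. The generated outputs in PATCH 3 copy the bracketed form verbatim into the CSV, the beats fields and the asciidoc, so whichever form is chosen should be settled in this schema file rather than patched in the generated artifacts. The surrounding `indicator.id` entry begins before this hunk.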
@@ -10977,6 +10977,27 @@ example: `2020-11-05T17:25:47.000Z` // =============================================================== +| +[[field-threat-indicator-id]] +<> + +a| The id of the indicator used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats. + +While not required, a common approach is to use a STIX 2.x indicator id. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]` + +| extended + +// =============================================================== + | [[field-threat-indicator-ip]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 27ee873ef..2ce808781 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -11645,6 +11645,17 @@ description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false + - name: indicator.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + default_field: false - name: indicator.ip level: extended type: ip diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index 2f9837c98..360d88507 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -1500,6 +1500,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 8.12.0-dev+exp,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 8.12.0-dev+exp,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev+exp,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator 8.12.0-dev+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.12.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.12.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 9b74b8e01..c508334f8 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -18972,6 +18972,22 @@ threat.indicator.geo.timezone: original_fieldset: geo short: Time zone. type: keyword +threat.indicator.id: + dashed_name: threat-indicator-id + description: "The id of the indicator used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\ + \ for the identification of the same indicator across systems that use different\ + \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\ + \ id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). 
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0eee0300d..9c366d5cc 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -21644,6 +21644,22 @@ threat: original_fieldset: geo short: Time zone. type: keyword + threat.indicator.id: + dashed_name: threat-indicator-id + description: "The id of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of diff --git a/experimental/generated/elasticsearch/composable/component/threat.json b/experimental/generated/elasticsearch/composable/component/threat.json index c49f84573..7f002d5bb 100644 --- a/experimental/generated/elasticsearch/composable/component/threat.json +++ b/experimental/generated/elasticsearch/composable/component/threat.json @@ -1522,6 +1522,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 6ecdd5d57..1dc48de29 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -6727,6 +6727,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, 
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 0c45bd930..a9ea92405 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -11595,6 +11595,17 @@ description: The time zone of the location, such as IANA time zone name. example: America/Argentina/Buenos_Aires default_field: false + - name: indicator.id + level: extended + type: keyword + ignore_above: 1024 + description: "The id of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + default_field: false - name: indicator.ip level: extended type: ip diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index d9bd84920..3ca25f144 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -1493,6 +1493,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.12.0-dev,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. 8.12.0-dev,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. 8.12.0-dev,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.12.0-dev,true,threat,threat.indicator.id,keyword,extended,array,[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37],ID of the indicator 8.12.0-dev,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address 8.12.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. 8.12.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking 
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index e5f035baa..524cbe278 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -18903,6 +18903,22 @@ threat.indicator.geo.timezone: original_fieldset: geo short: Time zone. type: keyword +threat.indicator.id: + dashed_name: threat-indicator-id + description: "The id of the indicator used by this threat to conduct behavior commonly\ + \ modeled using MITRE ATT&CK\xAE. This field can have multiple values to allow\ + \ for the identification of the same indicator across systems that use different\ + \ ID formats.\nWhile not required, a common approach is to use a STIX 2.x indicator\ + \ id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of direction). diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 048948d37..4344da029 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -21564,6 +21564,22 @@ threat: original_fieldset: geo short: Time zone. type: keyword + threat.indicator.id: + dashed_name: threat-indicator-id + description: "The id of the indicator used by this threat to conduct behavior\ + \ commonly modeled using MITRE ATT&CK\xAE. This field can have multiple values\ + \ to allow for the identification of the same indicator across systems that\ + \ use different ID formats.\nWhile not required, a common approach is to use\ + \ a STIX 2.x indicator id." + example: '[indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]' + flat_name: threat.indicator.id + ignore_above: 1024 + level: extended + name: indicator.id + normalize: + - array + short: ID of the indicator + type: keyword threat.indicator.ip: dashed_name: threat-indicator-ip description: Identifies a threat indicator as an IP address (irrespective of diff --git a/generated/elasticsearch/composable/component/threat.json b/generated/elasticsearch/composable/component/threat.json index 178ab4359..17d9b1e77 100644 --- a/generated/elasticsearch/composable/component/threat.json +++ b/generated/elasticsearch/composable/component/threat.json @@ -1522,6 +1522,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index 4ac844151..0e26f7302 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -6685,6 +6685,10 @@ } } }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" },