Module threat


Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. “impact”). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. “endpoint denial of service”).

Constants

THREAT_ENRICHMENTS
A list of associated indicators objects enriching the event, and the context of that association/enrichment.
THREAT_ENRICHMENTS_INDICATOR
Object containing associated indicators enriching the event.
THREAT_ENRICHMENTS_INDICATOR_AS_NUMBER
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
THREAT_ENRICHMENTS_INDICATOR_AS_ORGANIZATION_NAME
Organization name.
THREAT_ENRICHMENTS_INDICATOR_CONFIDENCE
Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
THREAT_ENRICHMENTS_INDICATOR_DESCRIPTION
Describes the type of action conducted by the threat.
THREAT_ENRICHMENTS_INDICATOR_EMAIL_ADDRESS
Identifies a threat indicator as an email address (irrespective of direction).
THREAT_ENRICHMENTS_INDICATOR_FILE_ACCESSED
Last time the file was accessed. Note that not all filesystems keep track of access time.
THREAT_ENRICHMENTS_INDICATOR_FILE_ATTRIBUTES
Array of file attributes. Attribute names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_DIGEST_ALGORITHM
The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_EXISTS
Boolean to capture if a signature is present.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_SIGNING_ID
The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_STATUS
Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_SUBJECT_NAME
Subject name of the code signer.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_TEAM_ID
The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_TIMESTAMP
Date and time when the code signature was generated and signed.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_TRUSTED
Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
THREAT_ENRICHMENTS_INDICATOR_FILE_CODE_SIGNATURE_VALID
Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
THREAT_ENRICHMENTS_INDICATOR_FILE_CREATED
File creation time. Note that not all filesystems store the creation time.
THREAT_ENRICHMENTS_INDICATOR_FILE_CTIME
Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file.
THREAT_ENRICHMENTS_INDICATOR_FILE_DEVICE
Device that is the source of the file.
THREAT_ENRICHMENTS_INDICATOR_FILE_DIRECTORY
Directory where the file is located. It should include the drive letter, when appropriate.
THREAT_ENRICHMENTS_INDICATOR_FILE_DRIVE_LETTER
Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_ARCHITECTURE
Machine architecture of the ELF file.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_BYTE_ORDER
Byte sequence of ELF file.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_CPU_TYPE
CPU type of the ELF file.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_CREATION_DATE
Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_EXPORTS
List of exported element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_GO_IMPORTS
List of imported Go language element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_GO_IMPORTS_NAMES_ENTROPY
Shannon entropy calculation from the list of Go imports.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_GO_IMPORTS_NAMES_VAR_ENTROPY
Variance for Shannon entropy calculation from the list of Go imports.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_GO_IMPORT_HASH
A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_GO_STRIPPED
Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_HEADER_ABI_VERSION
Version of the ELF Application Binary Interface (ABI).
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_HEADER_CLASS
Header class of the ELF file.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_HEADER_DATA
Data table of the ELF header.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_HEADER_ENTRYPOINT
Header entrypoint of the ELF file.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_HEADER_OBJECT_VERSION
“0x1” for original ELF files.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_HEADER_OS_ABI
Application Binary Interface (ABI) of the Linux OS.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_HEADER_TYPE
Header type of the ELF file.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_HEADER_VERSION
Version of the ELF header.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_IMPORTS
List of imported element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_IMPORTS_NAMES_ENTROPY
Shannon entropy calculation from the list of imported element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_IMPORTS_NAMES_VAR_ENTROPY
Variance for Shannon entropy calculation from the list of imported element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_IMPORT_HASH
A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS
An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_CHI2
Chi-square probability distribution of the section.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_ENTROPY
Shannon entropy calculation from the section.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_FLAGS
ELF Section List flags.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_NAME
ELF Section List name.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_PHYSICAL_OFFSET
ELF Section List offset.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_PHYSICAL_SIZE
ELF Section List physical size.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_TYPE
ELF Section List type.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_VAR_ENTROPY
Variance for Shannon entropy calculation from the section.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_VIRTUAL_ADDRESS
ELF Section List virtual address.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SECTIONS_VIRTUAL_SIZE
ELF Section List virtual size.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SEGMENTS
An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SEGMENTS_SECTIONS
ELF object segment sections.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SEGMENTS_TYPE
ELF object segment type.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_SHARED_LIBRARIES
List of shared libraries used by this ELF object.
THREAT_ENRICHMENTS_INDICATOR_FILE_ELF_TELFHASH
telfhash symbol hash for ELF file.
THREAT_ENRICHMENTS_INDICATOR_FILE_EXTENSION
File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured (“gz”, not “tar.gz”).
THREAT_ENRICHMENTS_INDICATOR_FILE_FORK_NAME
A fork is additional data associated with a filesystem object. On Linux, a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name.
THREAT_ENRICHMENTS_INDICATOR_FILE_GID
Primary group ID (GID) of the file.
THREAT_ENRICHMENTS_INDICATOR_FILE_GROUP
Primary group name of the file.
THREAT_ENRICHMENTS_INDICATOR_FILE_HASH_MD5
MD5 hash.
THREAT_ENRICHMENTS_INDICATOR_FILE_HASH_SHA1
SHA1 hash.
THREAT_ENRICHMENTS_INDICATOR_FILE_HASH_SHA256
SHA256 hash.
THREAT_ENRICHMENTS_INDICATOR_FILE_HASH_SHA384
SHA384 hash.
THREAT_ENRICHMENTS_INDICATOR_FILE_HASH_SHA512
SHA512 hash.
THREAT_ENRICHMENTS_INDICATOR_FILE_HASH_SSDEEP
SSDEEP hash.
THREAT_ENRICHMENTS_INDICATOR_FILE_HASH_TLSH
TLSH hash.
THREAT_ENRICHMENTS_INDICATOR_FILE_INODE
Inode representing the file in the filesystem.
THREAT_ENRICHMENTS_INDICATOR_FILE_MIME_TYPE
MIME type should identify the format of the file or stream of bytes using IANA official types (https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
THREAT_ENRICHMENTS_INDICATOR_FILE_MODE
Mode of the file in octal representation.
THREAT_ENRICHMENTS_INDICATOR_FILE_MTIME
Last time the file content was modified.
THREAT_ENRICHMENTS_INDICATOR_FILE_NAME
Name of the file including the extension, without the directory.
THREAT_ENRICHMENTS_INDICATOR_FILE_OWNER
File owner’s username.
THREAT_ENRICHMENTS_INDICATOR_FILE_PATH
Full path to the file, including the file name. It should include the drive letter, when appropriate.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_ARCHITECTURE
CPU architecture target for the file.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_COMPANY
Internal company name of the file, provided at compile-time.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_DESCRIPTION
Internal description of the file, provided at compile-time.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_FILE_VERSION
Internal version of the file, provided at compile-time.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_GO_IMPORTS
List of imported Go language element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_GO_IMPORTS_NAMES_ENTROPY
Shannon entropy calculation from the list of Go imports.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_GO_IMPORTS_NAMES_VAR_ENTROPY
Variance for Shannon entropy calculation from the list of Go imports.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_GO_IMPORT_HASH
A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_GO_STRIPPED
Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_IMPHASH
A hash of the imports in a PE file. An imphash – or import hash – can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_IMPORTS
List of imported element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_IMPORTS_NAMES_ENTROPY
Shannon entropy calculation from the list of imported element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_IMPORTS_NAMES_VAR_ENTROPY
Variance for Shannon entropy calculation from the list of imported element names and types.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_IMPORT_HASH
A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_ORIGINAL_FILE_NAME
Internal name of the file, provided at compile-time.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_PEHASH
A hash of the PE header and data from one or more PE sections. A pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_PRODUCT
Internal product name of the file, provided at compile-time.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_SECTIONS
An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath pe.sections.*.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_SECTIONS_ENTROPY
Shannon entropy calculation from the section.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_SECTIONS_NAME
PE Section List name.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_SECTIONS_PHYSICAL_SIZE
PE Section List physical size.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_SECTIONS_VAR_ENTROPY
Variance for Shannon entropy calculation from the section.
THREAT_ENRICHMENTS_INDICATOR_FILE_PE_SECTIONS_VIRTUAL_SIZE
PE Section List virtual size. This is always the same as physical_size.
THREAT_ENRICHMENTS_INDICATOR_FILE_SIZE
File size in bytes. Only relevant when file.type is “file”.
THREAT_ENRICHMENTS_INDICATOR_FILE_TARGET_PATH
Target path for symlinks.
THREAT_ENRICHMENTS_INDICATOR_FILE_TYPE
File type (file, dir, or symlink).
THREAT_ENRICHMENTS_INDICATOR_FILE_UID
The user ID (UID) or security identifier (SID) of the file owner.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_ALTERNATIVE_NAMES
List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_ISSUER_COMMON_NAME
List of common names (CN) of issuing certificate authority.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_ISSUER_COUNTRY
List of country (C) codes.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_ISSUER_DISTINGUISHED_NAME
Distinguished name (DN) of issuing certificate authority.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_ISSUER_LOCALITY
List of locality names (L).
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_ISSUER_ORGANIZATION
List of organizations (O) of issuing certificate authority.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_ISSUER_ORGANIZATIONAL_UNIT
List of organizational units (OU) of issuing certificate authority.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_ISSUER_STATE_OR_PROVINCE
List of state or province names (ST, S, or P).
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_NOT_AFTER
Time at which the certificate is no longer considered valid.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_NOT_BEFORE
Time at which the certificate is first considered valid.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_PUBLIC_KEY_ALGORITHM
Algorithm used to generate the public key.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_PUBLIC_KEY_CURVE
The curve used by the elliptic curve public key algorithm. This is algorithm specific.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_PUBLIC_KEY_EXPONENT
Exponent used to derive the public key. This is algorithm specific.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_PUBLIC_KEY_SIZE
The size of the public key space in bits.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SERIAL_NUMBER
Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SIGNATURE_ALGORITHM
Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SUBJECT_COMMON_NAME
List of common names (CN) of subject.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SUBJECT_COUNTRY
List of country (C) codes.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SUBJECT_DISTINGUISHED_NAME
Distinguished name (DN) of the certificate subject entity.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SUBJECT_LOCALITY
List of locality names (L).
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SUBJECT_ORGANIZATION
List of organizations (O) of subject.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SUBJECT_ORGANIZATIONAL_UNIT
List of organizational units (OU) of subject.
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_SUBJECT_STATE_OR_PROVINCE
List of state or province names (ST, S, or P).
THREAT_ENRICHMENTS_INDICATOR_FILE_X509_VERSION_NUMBER
Version of x509 format.
THREAT_ENRICHMENTS_INDICATOR_FIRST_SEEN
The date and time when intelligence source first reported sighting this indicator.
THREAT_ENRICHMENTS_INDICATOR_GEO_CITY_NAME
City name.
THREAT_ENRICHMENTS_INDICATOR_GEO_CONTINENT_CODE
Two-letter code representing continent’s name.
THREAT_ENRICHMENTS_INDICATOR_GEO_CONTINENT_NAME
Name of the continent.
THREAT_ENRICHMENTS_INDICATOR_GEO_COUNTRY_ISO_CODE
Country ISO code.
THREAT_ENRICHMENTS_INDICATOR_GEO_COUNTRY_NAME
Country name.
THREAT_ENRICHMENTS_INDICATOR_GEO_LOCATION
Longitude and latitude.
THREAT_ENRICHMENTS_INDICATOR_GEO_NAME
User-defined description of a location, at the level of granularity the user cares about. It could be the name of their data centers, the floor number (if this describes a local physical entity), or city names. Not typically used in automated geolocation.
THREAT_ENRICHMENTS_INDICATOR_GEO_POSTAL_CODE
Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
THREAT_ENRICHMENTS_INDICATOR_GEO_REGION_ISO_CODE
Region ISO code.
THREAT_ENRICHMENTS_INDICATOR_GEO_REGION_NAME
Region name.
THREAT_ENRICHMENTS_INDICATOR_GEO_TIMEZONE
The time zone of the location, such as IANA time zone name.
THREAT_ENRICHMENTS_INDICATOR_IP
Identifies a threat indicator as an IP address (irrespective of direction).
THREAT_ENRICHMENTS_INDICATOR_LAST_SEEN
The date and time when intelligence source last reported sighting this indicator.
THREAT_ENRICHMENTS_INDICATOR_MARKING_TLP
Traffic Light Protocol sharing markings.
THREAT_ENRICHMENTS_INDICATOR_MARKING_TLP_VERSION
Traffic Light Protocol version.
THREAT_ENRICHMENTS_INDICATOR_MODIFIED_AT
The date and time when intelligence source last modified information for this indicator.
THREAT_ENRICHMENTS_INDICATOR_NAME
The display name of the indicator in a UI friendly format. A URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name.
THREAT_ENRICHMENTS_INDICATOR_PORT
Identifies a threat indicator as a port number (irrespective of direction).
THREAT_ENRICHMENTS_INDICATOR_PROVIDER
The name of the indicator’s provider.
THREAT_ENRICHMENTS_INDICATOR_REFERENCE
Reference URL linking to additional information about this indicator.
THREAT_ENRICHMENTS_INDICATOR_REGISTRY_DATA_BYTES
Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed to by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
THREAT_ENRICHMENTS_INDICATOR_REGISTRY_DATA_STRINGS
Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of strings with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g. "1").
THREAT_ENRICHMENTS_INDICATOR_REGISTRY_DATA_TYPE
Standard registry type for encoding contents.
THREAT_ENRICHMENTS_INDICATOR_REGISTRY_HIVE
Abbreviated name for the hive.
THREAT_ENRICHMENTS_INDICATOR_REGISTRY_KEY
Hive-relative path of keys.
THREAT_ENRICHMENTS_INDICATOR_REGISTRY_PATH
Full path, including hive, key and value.
THREAT_ENRICHMENTS_INDICATOR_REGISTRY_VALUE
Name of the value written.
THREAT_ENRICHMENTS_INDICATOR_SCANNER_STATS
Count of AV/EDR vendors that successfully detected malicious file or URL.
THREAT_ENRICHMENTS_INDICATOR_SIGHTINGS
Number of times this indicator was observed conducting threat activity.
THREAT_ENRICHMENTS_INDICATOR_TYPE
Type of indicator as represented by Cyber Observable in STIX 2.0.
THREAT_ENRICHMENTS_INDICATOR_URL_DOMAIN
Domain of the url, such as “www.elastic.co”. In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.
THREAT_ENRICHMENTS_INDICATOR_URL_EXTENSION
The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be “png”, not “.png”. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured (“gz”, not “tar.gz”).
THREAT_ENRICHMENTS_INDICATOR_URL_FRAGMENT
Portion of the url after the #, such as “top”. The # is not part of the fragment.
THREAT_ENRICHMENTS_INDICATOR_URL_FULL
If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.
THREAT_ENRICHMENTS_INDICATOR_URL_ORIGINAL
Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
THREAT_ENRICHMENTS_INDICATOR_URL_PASSWORD
Password of the request.
THREAT_ENRICHMENTS_INDICATOR_URL_PATH
Path of the request, such as “/search”.
THREAT_ENRICHMENTS_INDICATOR_URL_PORT
Port of the request, such as 443.
THREAT_ENRICHMENTS_INDICATOR_URL_QUERY
The query field describes the query string of the request, such as “q=elasticsearch”. The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.
THREAT_ENRICHMENTS_INDICATOR_URL_REGISTERED_DOMAIN
The highest registered url domain, stripped of the subdomain. For example, the registered domain for “foo.example.com” is “example.com”. This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as “co.uk”.
THREAT_ENRICHMENTS_INDICATOR_URL_SCHEME
Scheme of the request, such as “https”. Note: The : is not part of the scheme.
THREAT_ENRICHMENTS_INDICATOR_URL_SUBDOMAIN
The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of “www.east.mydomain.co.uk” is “east”. If the domain has multiple levels of subdomain, such as “sub2.sub1.example.com”, the subdomain field should contain “sub2.sub1”, with no trailing period.
THREAT_ENRICHMENTS_INDICATOR_URL_TOP_LEVEL_DOMAIN
The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is “com”. This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as “co.uk”.
THREAT_ENRICHMENTS_INDICATOR_URL_USERNAME
Username of the request.
THREAT_ENRICHMENTS_INDICATOR_X509_ALTERNATIVE_NAMES
List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
THREAT_ENRICHMENTS_INDICATOR_X509_ISSUER_COMMON_NAME
List of common names (CN) of issuing certificate authority.
THREAT_ENRICHMENTS_INDICATOR_X509_ISSUER_COUNTRY
List of country (C) codes.
THREAT_ENRICHMENTS_INDICATOR_X509_ISSUER_DISTINGUISHED_NAME
Distinguished name (DN) of issuing certificate authority.
THREAT_ENRICHMENTS_INDICATOR_X509_ISSUER_LOCALITY
List of locality names (L).
THREAT_ENRICHMENTS_INDICATOR_X509_ISSUER_ORGANIZATION
List of organizations (O) of issuing certificate authority.
THREAT_ENRICHMENTS_INDICATOR_X509_ISSUER_ORGANIZATIONAL_UNIT
List of organizational units (OU) of issuing certificate authority.
THREAT_ENRICHMENTS_INDICATOR_X509_ISSUER_STATE_OR_PROVINCE
List of state or province names (ST, S, or P).
THREAT_ENRICHMENTS_INDICATOR_X509_NOT_AFTER
Time at which the certificate is no longer considered valid.
THREAT_ENRICHMENTS_INDICATOR_X509_NOT_BEFORE
Time at which the certificate is first considered valid.
THREAT_ENRICHMENTS_INDICATOR_X509_PUBLIC_KEY_ALGORITHM
Algorithm used to generate the public key.
THREAT_ENRICHMENTS_INDICATOR_X509_PUBLIC_KEY_CURVE
The curve used by the elliptic curve public key algorithm. This is algorithm specific.
THREAT_ENRICHMENTS_INDICATOR_X509_PUBLIC_KEY_EXPONENT
Exponent used to derive the public key. This is algorithm specific.
THREAT_ENRICHMENTS_INDICATOR_X509_PUBLIC_KEY_SIZE
The size of the public key space in bits.
THREAT_ENRICHMENTS_INDICATOR_X509_SERIAL_NUMBER
Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
THREAT_ENRICHMENTS_INDICATOR_X509_SIGNATURE_ALGORITHM
Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
THREAT_ENRICHMENTS_INDICATOR_X509_SUBJECT_COMMON_NAME
List of common names (CN) of subject.
THREAT_ENRICHMENTS_INDICATOR_X509_SUBJECT_COUNTRY
List of country (C) codes.
THREAT_ENRICHMENTS_INDICATOR_X509_SUBJECT_DISTINGUISHED_NAME
Distinguished name (DN) of the certificate subject entity.
THREAT_ENRICHMENTS_INDICATOR_X509_SUBJECT_LOCALITY
List of locality names (L).
THREAT_ENRICHMENTS_INDICATOR_X509_SUBJECT_ORGANIZATION
List of organizations (O) of subject.
THREAT_ENRICHMENTS_INDICATOR_X509_SUBJECT_ORGANIZATIONAL_UNIT
List of organizational units (OU) of subject.
THREAT_ENRICHMENTS_INDICATOR_X509_SUBJECT_STATE_OR_PROVINCE
List of state or province names (ST, S, or P).
THREAT_ENRICHMENTS_INDICATOR_X509_VERSION_NUMBER
Version of x509 format.
THREAT_ENRICHMENTS_MATCHED_ATOMIC
Identifies the atomic indicator value that matched a local environment endpoint or network event.
THREAT_ENRICHMENTS_MATCHED_FIELD
Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
THREAT_ENRICHMENTS_MATCHED_ID
Identifies the _id of the indicator document enriching the event.
THREAT_ENRICHMENTS_MATCHED_INDEX
Identifies the _index of the indicator document enriching the event.
THREAT_ENRICHMENTS_MATCHED_OCCURRED
Indicates when the indicator match was generated.
THREAT_ENRICHMENTS_MATCHED_TYPE
Identifies the type of match that caused the event to be enriched with the given indicator.
THREAT_FEED_DASHBOARD_ID
The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana.
THREAT_FEED_DESCRIPTION
Description of the threat feed in a UI friendly format.
THREAT_FEED_NAME
The name of the threat feed in UI friendly format.
THREAT_FEED_REFERENCE
Reference information for the threat feed in a UI friendly format.
THREAT_FRAMEWORK
Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
THREAT_GROUP_ALIAS
The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).
THREAT_GROUP_ID
The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
THREAT_GROUP_NAME
The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.
THREAT_GROUP_REFERENCE
The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.
THREAT_INDICATOR_AS_NUMBER
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
THREAT_INDICATOR_AS_ORGANIZATION_NAME
Organization name.
THREAT_INDICATOR_CONFIDENCE
Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
THREAT_INDICATOR_DESCRIPTION
Describes the type of action conducted by the threat.
THREAT_INDICATOR_EMAIL_ADDRESS
Identifies a threat indicator as an email address (irrespective of direction).
THREAT_INDICATOR_FILE_ACCESSED
Last time the file was accessed. Note that not all filesystems keep track of access time.
THREAT_INDICATOR_FILE_ATTRIBUTES
Array of file attributes. Attribute names will vary by platform. Here’s a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write.
THREAT_INDICATOR_FILE_CODE_SIGNATURE_DIGEST_ALGORITHM
The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm.
THREAT_INDICATOR_FILE_CODE_SIGNATURE_EXISTS
Boolean to capture if a signature is present.
THREAT_INDICATOR_FILE_CODE_SIGNATURE_SIGNING_ID
The identifier used to sign the file. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple *OS only.
THREAT_INDICATOR_FILE_CODE_SIGNATURE_STATUS
Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked.
THREAT_INDICATOR_FILE_CODE_SIGNATURE_SUBJECT_NAME
Subject name of the code signer
THREAT_INDICATOR_FILE_CODE_SIGNATURE_TEAM_ID
The team identifier used to sign the file. This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.
THREAT_INDICATOR_FILE_CODE_SIGNATURE_TIMESTAMP
Date and time when the code signature was generated and signed.
THREAT_INDICATOR_FILE_CODE_SIGNATURE_TRUSTED
Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status.
THREAT_INDICATOR_FILE_CODE_SIGNATURE_VALID
Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked.
THREAT_INDICATOR_FILE_CREATED
File creation time. Note that not all filesystems store the creation time.
THREAT_INDICATOR_FILE_CTIME
Last time the file attributes or metadata changed. Note that changes to the file content will update mtime. This implies ctime will be adjusted at the same time, since mtime is an attribute of the file.
THREAT_INDICATOR_FILE_DEVICE
Device that is the source of the file.
THREAT_INDICATOR_FILE_DIRECTORY
Directory where the file is located. It should include the drive letter, when appropriate.
THREAT_INDICATOR_FILE_DRIVE_LETTER
Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
THREAT_INDICATOR_FILE_ELF_ARCHITECTURE
Machine architecture of the ELF file.
THREAT_INDICATOR_FILE_ELF_BYTE_ORDER
Byte sequence of ELF file.
THREAT_INDICATOR_FILE_ELF_CPU_TYPE
CPU type of the ELF file.
THREAT_INDICATOR_FILE_ELF_CREATION_DATE
Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators.
THREAT_INDICATOR_FILE_ELF_EXPORTS
List of exported element names and types.
THREAT_INDICATOR_FILE_ELF_GO_IMPORTS
List of imported Go language element names and types.
THREAT_INDICATOR_FILE_ELF_GO_IMPORTS_NAMES_ENTROPY
Shannon entropy calculation from the list of Go imports.
THREAT_INDICATOR_FILE_ELF_GO_IMPORTS_NAMES_VAR_ENTROPY
Variance for Shannon entropy calculation from the list of Go imports.
THREAT_INDICATOR_FILE_ELF_GO_IMPORT_HASH
A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
THREAT_INDICATOR_FILE_ELF_GO_STRIPPED
Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
THREAT_INDICATOR_FILE_ELF_HEADER_ABI_VERSION
Version of the ELF Application Binary Interface (ABI).
THREAT_INDICATOR_FILE_ELF_HEADER_CLASS
Header class of the ELF file.
THREAT_INDICATOR_FILE_ELF_HEADER_DATA
Data table of the ELF header.
THREAT_INDICATOR_FILE_ELF_HEADER_ENTRYPOINT
Header entrypoint of the ELF file.
THREAT_INDICATOR_FILE_ELF_HEADER_OBJECT_VERSION
“0x1” for original ELF files.
THREAT_INDICATOR_FILE_ELF_HEADER_OS_ABI
Operating system ABI identifier taken from the ELF header (EI_OSABI), such as System V or Linux.
THREAT_INDICATOR_FILE_ELF_HEADER_TYPE
Header type of the ELF file.
THREAT_INDICATOR_FILE_ELF_HEADER_VERSION
Version of the ELF header.
THREAT_INDICATOR_FILE_ELF_IMPORTS
List of imported element names and types.
THREAT_INDICATOR_FILE_ELF_IMPORTS_NAMES_ENTROPY
Shannon entropy calculation from the list of imported element names and types.
THREAT_INDICATOR_FILE_ELF_IMPORTS_NAMES_VAR_ENTROPY
Variance for Shannon entropy calculation from the list of imported element names and types.
THREAT_INDICATOR_FILE_ELF_IMPORT_HASH
A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash.
THREAT_INDICATOR_FILE_ELF_SECTIONS
An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.sections.*.
THREAT_INDICATOR_FILE_ELF_SECTIONS_CHI2
Chi-square probability distribution of the section.
THREAT_INDICATOR_FILE_ELF_SECTIONS_ENTROPY
Shannon entropy calculation from the section.
THREAT_INDICATOR_FILE_ELF_SECTIONS_FLAGS
ELF Section List flags.
THREAT_INDICATOR_FILE_ELF_SECTIONS_NAME
ELF Section List name.
THREAT_INDICATOR_FILE_ELF_SECTIONS_PHYSICAL_OFFSET
ELF Section List offset.
THREAT_INDICATOR_FILE_ELF_SECTIONS_PHYSICAL_SIZE
ELF Section List physical size.
THREAT_INDICATOR_FILE_ELF_SECTIONS_TYPE
ELF Section List type.
THREAT_INDICATOR_FILE_ELF_SECTIONS_VAR_ENTROPY
Variance for Shannon entropy calculation from the section.
THREAT_INDICATOR_FILE_ELF_SECTIONS_VIRTUAL_ADDRESS
ELF Section List virtual address.
THREAT_INDICATOR_FILE_ELF_SECTIONS_VIRTUAL_SIZE
ELF Section List virtual size.
THREAT_INDICATOR_FILE_ELF_SEGMENTS
An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath elf.segments.*.
THREAT_INDICATOR_FILE_ELF_SEGMENTS_SECTIONS
ELF object segment sections.
THREAT_INDICATOR_FILE_ELF_SEGMENTS_TYPE
ELF object segment type.
THREAT_INDICATOR_FILE_ELF_SHARED_LIBRARIES
List of shared libraries used by this ELF object.
THREAT_INDICATOR_FILE_ELF_TELFHASH
telfhash symbol hash for ELF file.
THREAT_INDICATOR_FILE_EXTENSION
File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured (“gz”, not “tar.gz”).
THREAT_INDICATOR_FILE_FORK_NAME
A fork is additional data associated with a filesystem object. On macOS (HFS+ and APFS), a resource fork is used to store additional data with a filesystem object. A file always has at least one fork for the data portion, and additional forks may exist. On NTFS, this is analogous to an Alternate Data Stream (ADS), and the default data stream for a file is just called $DATA. Zone.Identifier is commonly used by Windows to track contents downloaded from the Internet. An ADS is typically of the form: C:\path\to\filename.extension:some_fork_name, and some_fork_name is the value that should populate fork_name. filename.extension should populate file.name, and extension should populate file.extension. The full path, file.path, will include the fork name.
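The split described above, as an added example that is not part of ECS or of this crate: it takes a Windows path carrying an NTFS Alternate Data Stream and fills the file.path, file.directory, file.drive_letter, file.name, file.extension and file.fork_name values that the constants in this module name. The sample paths are constructed for the example, and the trailing ":$DATA" stream type, when present, is dropped rather than treated as part of the fork name.

```rust
// Added example, not ECS or crate code. Sample paths below are constructed.

#[derive(Debug, PartialEq)]
struct FileFields {
    path: String,                 // file.path: full path, fork name included
    directory: String,            // file.directory: includes the drive letter
    drive_letter: Option<String>, // file.drive_letter: uppercase, no colon
    name: String,                 // file.name: filename.extension, no fork
    extension: Option<String>,    // file.extension: last extension only
    fork_name: Option<String>,    // file.fork_name: ADS name after the ':'
}

fn parse_windows_path(raw: &str) -> FileFields {
    // Drive letter: one ASCII letter followed by ':' at the start of the path.
    let b = raw.as_bytes();
    let (drive_letter, rest) = if b.len() >= 2 && b[0].is_ascii_alphabetic() && b[1] == b':' {
        (Some(raw[..1].to_ascii_uppercase()), &raw[2..])
    } else {
        (None, raw)
    };
    let drive_prefix = drive_letter.as_deref().map(|d| format!("{}:", d)).unwrap_or_default();

    // Directory is everything before the last backslash; a root path keeps its '\'.
    let (directory, last) = match rest.rfind('\\') {
        Some(0) => (format!("{}\\", drive_prefix), &rest[1..]),
        Some(i) => (format!("{}{}", drive_prefix, &rest[..i]), &rest[i + 1..]),
        None => (drive_prefix.clone(), rest),
    };

    // The final component may be "name.ext:stream:$DATA". The stream name is
    // the fork; the optional trailing ":$DATA" is the stream type and is dropped.
    let mut parts = last.splitn(3, ':');
    let name = parts.next().unwrap_or("").to_string();
    let fork_name = parts.next().filter(|s| !s.is_empty()).map(str::to_string);

    // Only the last extension counts ("example.tar.gz" -> "gz"); a leading dot
    // (".bashrc") is not an extension.
    let extension = name
        .rfind('.')
        .filter(|&i| i > 0 && i + 1 < name.len())
        .map(|i| name[i + 1..].to_string());

    FileFields {
        path: format!("{}{}", drive_prefix, rest),
        directory,
        drive_letter,
        name,
        extension,
        fork_name,
    }
}

/// Mark-of-the-Web: Windows records Internet-downloaded content in the
/// Zone.Identifier stream, so this fork name is worth flagging on its own.
fn has_mark_of_the_web(f: &FileFields) -> bool {
    f.fork_name.as_deref() == Some("Zone.Identifier")
}

fn main() {
    let samples = [
        "c:\\Users\\bob\\Downloads\\invoice.pdf.exe:Zone.Identifier:$DATA",
        "C:\\tmp\\notes.txt",
        "\\\\fileserver\\share\\report.docx:payload.exe",
    ];
    for p in samples {
        let f = parse_windows_path(p);
        println!("{:?} motw={}", f, has_mark_of_the_web(&f));
    }
}
```

A UNC path has no drive letter, so file.directory starts with the server and share; a file whose fork is an executable name (the third sample) is the classic "hide a binary in an ADS" pattern and is as interesting as a Zone.Identifier stream.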
THREAT_INDICATOR_FILE_GID
Primary group ID (GID) of the file.
THREAT_INDICATOR_FILE_GROUP
Primary group name of the file.
THREAT_INDICATOR_FILE_HASH_MD5
MD5 hash.
THREAT_INDICATOR_FILE_HASH_SHA1
SHA1 hash.
THREAT_INDICATOR_FILE_HASH_SHA256
SHA256 hash.
THREAT_INDICATOR_FILE_HASH_SHA384
SHA384 hash.
THREAT_INDICATOR_FILE_HASH_SHA512
SHA512 hash.
THREAT_INDICATOR_FILE_HASH_SSDEEP
SSDEEP hash.
THREAT_INDICATOR_FILE_HASH_TLSH
TLSH hash.
THREAT_INDICATOR_FILE_INODE
Inode representing the file in the filesystem.
THREAT_INDICATOR_FILE_MIME_TYPE
MIME type should identify the format of the file or stream of bytes using the IANA official types (https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
THREAT_INDICATOR_FILE_MODE
Mode of the file in octal representation.
THREAT_INDICATOR_FILE_MTIME
Last time the file content was modified.
THREAT_INDICATOR_FILE_NAME
Name of the file including the extension, without the directory.
THREAT_INDICATOR_FILE_OWNER
File owner’s username.
THREAT_INDICATOR_FILE_PATH
Full path to the file, including the file name. It should include the drive letter, when appropriate.
THREAT_INDICATOR_FILE_PE_ARCHITECTURE
CPU architecture target for the file.
THREAT_INDICATOR_FILE_PE_COMPANY
Internal company name of the file, provided at compile-time.
THREAT_INDICATOR_FILE_PE_DESCRIPTION
Internal description of the file, provided at compile-time.
THREAT_INDICATOR_FILE_PE_FILE_VERSION
Internal version of the file, provided at compile-time.
THREAT_INDICATOR_FILE_PE_GO_IMPORTS
List of imported Go language element names and types.
THREAT_INDICATOR_FILE_PE_GO_IMPORTS_NAMES_ENTROPY
Shannon entropy calculation from the list of Go imports.
THREAT_INDICATOR_FILE_PE_GO_IMPORTS_NAMES_VAR_ENTROPY
Variance for Shannon entropy calculation from the list of Go imports.
THREAT_INDICATOR_FILE_PE_GO_IMPORT_HASH
A hash of the Go language imports in a PE file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available here.
THREAT_INDICATOR_FILE_PE_GO_STRIPPED
Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable.
THREAT_INDICATOR_FILE_PE_IMPHASH
A hash of the imports in a PE file. An imphash – or import hash – can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.
THREAT_INDICATOR_FILE_PE_IMPORTS
List of imported element names and types.
THREAT_INDICATOR_FILE_PE_IMPORTS_NAMES_ENTROPY
Shannon entropy calculation from the list of imported element names and types.
THREAT_INDICATOR_FILE_PE_IMPORTS_NAMES_VAR_ENTROPY
Variance for Shannon entropy calculation from the list of imported element names and types.
THREAT_INDICATOR_FILE_PE_IMPORT_HASH
A hash of the imports in a PE file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is a synonym for imphash.
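An import hash computed end to end, as an added example that is not ECS, pefile or crate code, to make concrete why the value survives recompilation. The normalisation follows the widely used pefile rule (DLL name lowercased with a .dll/.ocx/.sys extension dropped, function name lowercased, ordinal imports written as "ordN", entries joined with commas in import-table order) and the digest is MD5, implemented inline so the block runs without crates. Two simplifications are the example's own: the import table is a constructed list rather than parsed from a PE file, and known ordinals are not mapped back to names the way pefile does for a few DLLs.

```rust
// Added example, not ECS, pefile or crate code. The import table is constructed.

/// One import table entry: a DLL name and either a function name or an ordinal.
enum Import {
    Name(&'static str, &'static str),
    Ordinal(&'static str, u16),
}

/// Minimal RFC 1321 MD5, sufficient for the example (not constant-time, not for keys).
fn md5(input: &[u8]) -> [u8; 16] {
    const S: [u32; 64] = [
        7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
        5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
        4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
        6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
    ];
    // K[i] = floor(|sin(i + 1)| * 2^32), the round constants from the RFC.
    let k: Vec<u32> = (0..64).map(|i| ((i as f64 + 1.0).sin().abs() * 4294967296.0) as u32).collect();
    let (mut a0, mut b0, mut c0, mut d0) = (0x67452301u32, 0xefcdab89u32, 0x98badcfeu32, 0x10325476u32);

    // Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64.
    let mut msg = input.to_vec();
    msg.push(0x80);
    while msg.len() % 64 != 56 {
        msg.push(0);
    }
    msg.extend_from_slice(&((input.len() as u64) * 8).to_le_bytes());

    for chunk in msg.chunks(64) {
        let mut m = [0u32; 16];
        for (i, w) in chunk.chunks(4).enumerate() {
            m[i] = u32::from_le_bytes([w[0], w[1], w[2], w[3]]);
        }
        let (mut a, mut b, mut c, mut d) = (a0, b0, c0, d0);
        for i in 0..64 {
            let (f, g) = match i / 16 {
                0 => ((b & c) | (!b & d), i),
                1 => ((d & b) | (!d & c), (5 * i + 1) % 16),
                2 => (b ^ c ^ d, (3 * i + 5) % 16),
                _ => (c ^ (b | !d), (7 * i) % 16),
            };
            let f = f.wrapping_add(a).wrapping_add(k[i]).wrapping_add(m[g]);
            a = d;
            d = c;
            c = b;
            b = b.wrapping_add(f.rotate_left(S[i]));
        }
        a0 = a0.wrapping_add(a);
        b0 = b0.wrapping_add(b);
        c0 = c0.wrapping_add(c);
        d0 = d0.wrapping_add(d);
    }
    let mut out = [0u8; 16];
    for (i, v) in [a0, b0, c0, d0].iter().enumerate() {
        out[i * 4..i * 4 + 4].copy_from_slice(&v.to_le_bytes());
    }
    out
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// The string that gets hashed: "dll.func,dll.ordN,..." in import-table order.
fn imphash_input(imports: &[Import]) -> String {
    let strip_dll = |dll: &str| {
        let lower = dll.to_ascii_lowercase();
        for ext in [".dll", ".ocx", ".sys"] {
            if let Some(base) = lower.strip_suffix(ext) {
                return base.to_string();
            }
        }
        lower
    };
    imports
        .iter()
        .map(|imp| match imp {
            Import::Name(dll, func) => format!("{}.{}", strip_dll(dll), func.to_ascii_lowercase()),
            Import::Ordinal(dll, n) => format!("{}.ord{}", strip_dll(dll), n),
        })
        .collect::<Vec<_>>()
        .join(",")
}

fn imphash(imports: &[Import]) -> String {
    hex(&md5(imphash_input(imports).as_bytes()))
}

/// Constructed import table for a loader-like sample; not taken from a real binary.
fn sample_imports() -> Vec<Import> {
    vec![
        Import::Name("KERNEL32.DLL", "VirtualAlloc"),
        Import::Name("KERNEL32.DLL", "CreateRemoteThread"),
        Import::Ordinal("WS2_32.dll", 4),
        Import::Name("advapi32.dll", "RegSetValueExW"),
    ]
}

fn main() {
    println!("input   = {}", imphash_input(&sample_imports()));
    println!("imphash = {}", imphash(&sample_imports()));
}
```

Because only names and their order feed the hash, a rebuild that changes code bytes, timestamps or section layout keeps the same imphash as long as the linker emits the same import table in the same order; reordering or adding one import changes it, which is why imphash clusters builds of one toolchain and project rather than identifying a single file.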
THREAT_INDICATOR_FILE_PE_ORIGINAL_FILE_NAME
Internal name of the file, provided at compile-time.
THREAT_INDICATOR_FILE_PE_PEHASH
A hash of the PE header and data from one or more PE sections. An pehash can be used to cluster files by transforming structural information about a file into a hash value. Learn more at https://www.usenix.org/legacy/events/leet09/tech/full_papers/wicherski/wicherski_html/index.html.
THREAT_INDICATOR_FILE_PE_PRODUCT
Internal product name of the file, provided at compile-time.
THREAT_INDICATOR_FILE_PE_SECTIONS
An array containing an object for each section of the PE file. The keys that should be present in these objects are defined by sub-fields underneath pe.sections.*.
THREAT_INDICATOR_FILE_PE_SECTIONS_ENTROPY
Shannon entropy calculation from the section.
THREAT_INDICATOR_FILE_PE_SECTIONS_NAME
PE Section List name.
THREAT_INDICATOR_FILE_PE_SECTIONS_PHYSICAL_SIZE
PE Section List physical size.
THREAT_INDICATOR_FILE_PE_SECTIONS_VAR_ENTROPY
Variance for Shannon entropy calculation from the section.
THREAT_INDICATOR_FILE_PE_SECTIONS_VIRTUAL_SIZE
PE Section List virtual size. This is not necessarily the same as physical_size: the physical (raw) size is padded to the file alignment, and a section that is only filled in at load time, such as the unpack target of a packed executable, can have a virtual size far larger than its physical size. A large gap between the two is a common packer indicator.
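The per-section statistics named above (entropy and var_entropy aside, chi2 for ELF, and the physical versus virtual size pair), computed over constructed sections as an added example that is not ECS or crate code. chi2 is taken here as the chi-square statistic of the byte histogram against a uniform distribution, and the packer thresholds in looks_packed are the example's own, not values defined by ECS; the pseudo-random filler standing in for a packed payload comes from a small xorshift generator.

```rust
// Added example, not ECS or crate code. Sections below are constructed, not
// read from a real binary; thresholds are illustrative.

struct Section {
    name: &'static str,
    physical_size: usize, // bytes present in the file (SizeOfRawData)
    virtual_size: usize,  // bytes mapped at load time (VirtualSize)
    data: Vec<u8>,        // raw section bytes as stored on disk
}

fn byte_counts(data: &[u8]) -> [usize; 256] {
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    counts
}

/// Shannon entropy in bits per byte: 0.0 for a constant section, 8.0 for a
/// perfectly uniform one. Encrypted or compressed payloads sit near 8.
fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let n = data.len() as f64;
    byte_counts(data)
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Chi-square statistic of the byte histogram against a uniform distribution
/// (expected count n/256 per byte value). 0.0 means perfectly uniform.
fn chi_square(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let expected = data.len() as f64 / 256.0;
    byte_counts(data)
        .iter()
        .map(|&c| {
            let d = c as f64 - expected;
            d * d / expected
        })
        .sum()
}

/// Packer heuristic: a section that is empty on disk but large in memory (the
/// unpack target), or whose on-disk bytes are near-random, deserves a second look.
fn looks_packed(s: &Section) -> bool {
    let grows_at_load = s.physical_size == 0 && s.virtual_size > 0;
    grows_at_load || shannon_entropy(&s.data) > 7.2
}

/// Deterministic pseudo-random bytes (xorshift32) standing in for a packed
/// payload; high-entropy filler for the example, nothing cryptographic.
fn noisy_bytes(n: usize, mut seed: u32) -> Vec<u8> {
    (0..n)
        .map(|_| {
            seed ^= seed << 13;
            seed ^= seed >> 17;
            seed ^= seed << 5;
            seed as u8
        })
        .collect()
}

fn sample_sections() -> Vec<Section> {
    vec![
        Section { name: ".text", physical_size: 4096, virtual_size: 4096, data: vec![0u8; 4096] },
        Section { name: "UPX0", physical_size: 0, virtual_size: 0x20000, data: Vec::new() },
        Section { name: "UPX1", physical_size: 4096, virtual_size: 4096, data: noisy_bytes(4096, 0x1234_5678) },
    ]
}

fn main() {
    for s in sample_sections() {
        println!(
            "{:<6} phys={:<6} virt={:<7} entropy={:.3} chi2={:.1} packed={}",
            s.name, s.physical_size, s.virtual_size, shannon_entropy(&s.data), chi_square(&s.data), looks_packed(&s)
        );
    }
}
```

Entropy alone misclassifies legitimately compressed resources, and the size gap alone flags .bss-style sections, so the two signals are combined rather than used on their own; real triage adds section names and the entry point's section to the decision.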
THREAT_INDICATOR_FILE_SIZE
File size in bytes. Only relevant when file.type is “file”.
THREAT_INDICATOR_FILE_TARGET_PATH
Target path for symlinks.
THREAT_INDICATOR_FILE_TYPE
File type (file, dir, or symlink).
THREAT_INDICATOR_FILE_UID
The user ID (UID) or security identifier (SID) of the file owner.
THREAT_INDICATOR_FILE_X509_ALTERNATIVE_NAMES
List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
THREAT_INDICATOR_FILE_X509_ISSUER_COMMON_NAME
List of common name (CN) of issuing certificate authority.
THREAT_INDICATOR_FILE_X509_ISSUER_COUNTRY
List of country (C) codes of issuing certificate authority.
THREAT_INDICATOR_FILE_X509_ISSUER_DISTINGUISHED_NAME
Distinguished name (DN) of issuing certificate authority.
THREAT_INDICATOR_FILE_X509_ISSUER_LOCALITY
List of locality names (L) of issuing certificate authority.
THREAT_INDICATOR_FILE_X509_ISSUER_ORGANIZATION
List of organizations (O) of issuing certificate authority.
THREAT_INDICATOR_FILE_X509_ISSUER_ORGANIZATIONAL_UNIT
List of organizational units (OU) of issuing certificate authority.
THREAT_INDICATOR_FILE_X509_ISSUER_STATE_OR_PROVINCE
List of state or province names (ST, S, or P) of issuing certificate authority.
THREAT_INDICATOR_FILE_X509_NOT_AFTER
Time at which the certificate is no longer considered valid.
THREAT_INDICATOR_FILE_X509_NOT_BEFORE
Time at which the certificate is first considered valid.
THREAT_INDICATOR_FILE_X509_PUBLIC_KEY_ALGORITHM
Algorithm used to generate the public key.
THREAT_INDICATOR_FILE_X509_PUBLIC_KEY_CURVE
The curve used by the elliptic curve public key algorithm. This is algorithm specific.
THREAT_INDICATOR_FILE_X509_PUBLIC_KEY_EXPONENT
Exponent used to derive the public key. This is algorithm specific.
THREAT_INDICATOR_FILE_X509_PUBLIC_KEY_SIZE
The size of the public key space in bits.
THREAT_INDICATOR_FILE_X509_SERIAL_NUMBER
Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted in uppercase and without colons.
THREAT_INDICATOR_FILE_X509_SIGNATURE_ALGORITHM
Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
THREAT_INDICATOR_FILE_X509_SUBJECT_COMMON_NAME
List of common names (CN) of subject.
THREAT_INDICATOR_FILE_X509_SUBJECT_COUNTRY
List of country (C) codes of subject.
THREAT_INDICATOR_FILE_X509_SUBJECT_DISTINGUISHED_NAME
Distinguished name (DN) of the certificate subject entity.
THREAT_INDICATOR_FILE_X509_SUBJECT_LOCALITY
List of locality names (L) of subject.
THREAT_INDICATOR_FILE_X509_SUBJECT_ORGANIZATION
List of organizations (O) of subject.
THREAT_INDICATOR_FILE_X509_SUBJECT_ORGANIZATIONAL_UNIT
List of organizational units (OU) of subject.
THREAT_INDICATOR_FILE_X509_SUBJECT_STATE_OR_PROVINCE
List of state or province names (ST, S, or P) of subject.
THREAT_INDICATOR_FILE_X509_VERSION_NUMBER
Version of x509 format.
THREAT_INDICATOR_FIRST_SEEN
The date and time when intelligence source first reported sighting this indicator.
THREAT_INDICATOR_GEO_CITY_NAME
City name.
THREAT_INDICATOR_GEO_CONTINENT_CODE
Two-letter code representing continent’s name.
THREAT_INDICATOR_GEO_CONTINENT_NAME
Name of the continent.
THREAT_INDICATOR_GEO_COUNTRY_ISO_CODE
Country ISO code.
THREAT_INDICATOR_GEO_COUNTRY_NAME
Country name.
THREAT_INDICATOR_GEO_LOCATION
Longitude and latitude.
THREAT_INDICATOR_GEO_NAME
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
THREAT_INDICATOR_GEO_POSTAL_CODE
Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
THREAT_INDICATOR_GEO_REGION_ISO_CODE
Region ISO code.
THREAT_INDICATOR_GEO_REGION_NAME
Region name.
THREAT_INDICATOR_GEO_TIMEZONE
The time zone of the location, such as IANA time zone name.
THREAT_INDICATOR_IP
Identifies a threat indicator as an IP address (irrespective of direction).
THREAT_INDICATOR_LAST_SEEN
The date and time when intelligence source last reported sighting this indicator.
THREAT_INDICATOR_MARKING_TLP
Traffic Light Protocol sharing markings.
THREAT_INDICATOR_MARKING_TLP_VERSION
Traffic Light Protocol version.
THREAT_INDICATOR_MODIFIED_AT
The date and time when intelligence source last modified information for this indicator.
THREAT_INDICATOR_NAME
The display name of the indicator in a UI-friendly format. A URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name.
THREAT_INDICATOR_PORT
Identifies a threat indicator as a port number (irrespective of direction).
THREAT_INDICATOR_PROVIDER
The name of the indicator’s provider.
THREAT_INDICATOR_REFERENCE
Reference URL linking to additional information about this indicator.
THREAT_INDICATOR_REGISTRY_DATA_BYTES
Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
THREAT_INDICATOR_REGISTRY_DATA_STRINGS
Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of strings with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g. "1").
THREAT_INDICATOR_REGISTRY_DATA_TYPE
Standard registry type for encoding contents.
THREAT_INDICATOR_REGISTRY_HIVE
Abbreviated name for the hive.
THREAT_INDICATOR_REGISTRY_KEY
Hive-relative path of keys.
THREAT_INDICATOR_REGISTRY_PATH
Full path, including hive, key and value.
THREAT_INDICATOR_REGISTRY_VALUE
Name of the value written.
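Populating the registry fields above from a captured value path plus the raw value bytes and type, as an added example that is not ECS or crate code. It abbreviates the hive name, splits the hive-relative key from the value name, decodes REG_DWORD/REG_QWORD to their decimal strings and REG_SZ/REG_MULTI_SZ from UTF-16LE for registry.data.strings, and base64-encodes the raw bytes for registry.data.bytes. The sample path and bytes are constructed; the assumption that the last path element is the value name follows from registry.path being defined to include the value.

```rust
// Added example, not ECS or crate code. Inputs below are constructed.

#[derive(Debug, PartialEq)]
struct RegistryFields {
    hive: String,  // registry.hive: abbreviated hive name
    key: String,   // registry.key: hive-relative key path
    value: String, // registry.value: value name
    path: String,  // registry.path: hive + key + value
}

fn split_registry_path(full: &str) -> Option<RegistryFields> {
    let (hive_raw, rest) = full.split_once('\\')?;
    let hive = match hive_raw.to_ascii_uppercase().as_str() {
        "HKEY_LOCAL_MACHINE" | "HKLM" => "HKLM",
        "HKEY_CURRENT_USER" | "HKCU" => "HKCU",
        "HKEY_USERS" | "HKU" => "HKU",
        "HKEY_CLASSES_ROOT" | "HKCR" => "HKCR",
        "HKEY_CURRENT_CONFIG" | "HKCC" => "HKCC",
        _ => return None,
    };
    // The last element of a value path is the value name; everything between
    // the hive and it is the key.
    let (key, value) = rest.rsplit_once('\\')?;
    Some(RegistryFields {
        hive: hive.to_string(),
        key: key.to_string(),
        value: value.to_string(),
        path: format!("{}\\{}\\{}", hive, key, value),
    })
}

fn decode_utf16le(data: &[u8]) -> String {
    let units: Vec<u16> = data.chunks_exact(2).map(|c| u16::from_le_bytes([c[0], c[1]])).collect();
    String::from_utf16_lossy(&units)
}

/// registry.data.strings: one string for REG_SZ/REG_EXPAND_SZ, the decimal
/// value for REG_DWORD/REG_QWORD, the full list for REG_MULTI_SZ.
fn registry_data_strings(data_type: &str, data: &[u8]) -> Vec<String> {
    match data_type {
        "REG_DWORD" if data.len() == 4 => {
            vec![u32::from_le_bytes([data[0], data[1], data[2], data[3]]).to_string()]
        }
        "REG_DWORD_BIG_ENDIAN" if data.len() == 4 => {
            vec![u32::from_be_bytes([data[0], data[1], data[2], data[3]]).to_string()]
        }
        "REG_QWORD" if data.len() == 8 => {
            let mut b = [0u8; 8];
            b.copy_from_slice(data);
            vec![u64::from_le_bytes(b).to_string()]
        }
        "REG_SZ" | "REG_EXPAND_SZ" => {
            // Stop at the first NUL; the stored buffer is NUL-terminated.
            let s = decode_utf16le(data);
            vec![s.split('\0').next().unwrap_or("").to_string()]
        }
        "REG_MULTI_SZ" => decode_utf16le(data)
            .split('\0')
            .filter(|s| !s.is_empty())
            .map(str::to_string)
            .collect(),
        _ => Vec::new(), // REG_BINARY and unknown types go to data.bytes only
    }
}

/// registry.data.bytes: base64 of the raw value bytes (standard alphabet, padded).
fn base64_encode(data: &[u8]) -> String {
    const TABLE: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let b = [chunk[0], *chunk.get(1).unwrap_or(&0), *chunk.get(2).unwrap_or(&0)];
        let n = (u32::from(b[0]) << 16) | (u32::from(b[1]) << 8) | u32::from(b[2]);
        out.push(TABLE[(n >> 18) as usize & 63] as char);
        out.push(TABLE[(n >> 12) as usize & 63] as char);
        out.push(if chunk.len() > 1 { TABLE[(n >> 6) as usize & 63] as char } else { '=' });
        out.push(if chunk.len() > 2 { TABLE[n as usize & 63] as char } else { '=' });
    }
    out
}

fn main() {
    let fields = split_registry_path(
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    );
    // Constructed REG_SZ payload "cmd.exe" in UTF-16LE with its terminating NUL.
    let raw = b"c\0m\0d\0.\0e\0x\0e\0\0\0";
    println!("{:?}", fields);
    println!("strings={:?} bytes={}", registry_data_strings("REG_SZ", raw), base64_encode(raw));
}
```

A Run-key value like the one in main is the persistence case these fields exist for: hive, key and value name drive the detection, while data.strings carries the launched command and data.bytes keeps the exact bytes for later recovery.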
THREAT_INDICATOR_SCANNER_STATS
Count of AV/EDR vendors that successfully detected malicious file or URL.
THREAT_INDICATOR_SIGHTINGS
Number of times this indicator was observed conducting threat activity.
THREAT_INDICATOR_TYPE
Type of indicator as represented by Cyber Observable in STIX 2.0.
THREAT_INDICATOR_URL_DOMAIN
Domain of the url, such as “www.elastic.co”. In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.
THREAT_INDICATOR_URL_EXTENSION
The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be “png”, not “.png”. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured (“gz”, not “tar.gz”).
THREAT_INDICATOR_URL_FRAGMENT
Portion of the url after the #, such as “top”. The # is not part of the fragment.
THREAT_INDICATOR_URL_FULL
If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.
THREAT_INDICATOR_URL_ORIGINAL
Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
THREAT_INDICATOR_URL_PASSWORD
Password of the request.
THREAT_INDICATOR_URL_PATH
Path of the request, such as “/search”.
THREAT_INDICATOR_URL_PORT
Port of the request, such as 443.
THREAT_INDICATOR_URL_QUERY
The query field describes the query string of the request, such as “q=elasticsearch”. The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.
THREAT_INDICATOR_URL_REGISTERED_DOMAIN
The highest registered url domain, stripped of the subdomain. For example, the registered domain for “foo.example.com” is “example.com”. This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as “co.uk”.
THREAT_INDICATOR_URL_SCHEME
Scheme of the request, such as “https”. Note: The : is not part of the scheme.
THREAT_INDICATOR_URL_SUBDOMAIN
The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of “www.east.mydomain.co.uk” is “east” when “www” is known to be the host name. If the domain has multiple levels of subdomain, such as “sub2.sub1.example.com”, and the host name is not known, the subdomain field should contain “sub2.sub1”, with no trailing period.
THREAT_INDICATOR_URL_TOP_LEVEL_DOMAIN
The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is “com”. This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as “co.uk”.
THREAT_INDICATOR_URL_USERNAME
Username of the request.
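Splitting url.original into the url.* fields above, as an added example that is not ECS, Elasticsearch or crate code. It keeps the brackets of an IPv6 literal in url.domain, distinguishes a missing query from an empty one (None versus Some("")), and derives registered_domain, subdomain and top_level_domain from a public suffix list. The list embedded here is a constructed handful of entries; production code loads the full list from https://publicsuffix.org. The subdomain keeps every label below the registered domain, the rule that applies when the host name is not known.

```rust
// Added example, not ECS, Elasticsearch or crate code. PUBLIC_SUFFIXES is a
// constructed subset of the public suffix list; sample URLs are constructed.
use std::net::Ipv4Addr;

#[derive(Debug, PartialEq)]
struct UrlFields {
    scheme: String,
    username: Option<String>,
    password: Option<String>,
    domain: String,        // keeps the [ ] of an IPv6 literal, as ECS asks
    port: Option<u16>,
    path: String,
    query: Option<String>, // Some("") when '?' is present with nothing after it
    fragment: Option<String>,
    extension: Option<String>,
    subdomain: Option<String>,
    registered_domain: Option<String>,
    top_level_domain: Option<String>,
}

const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "org", "io", "uk", "co.uk", "org.uk", "github.io"];

/// (subdomain, registered_domain, top_level_domain), or None for IP literals
/// and names that do not end in a known public suffix.
fn split_domain(domain: &str) -> Option<(Option<String>, String, String)> {
    if domain.starts_with('[') || domain.parse::<Ipv4Addr>().is_ok() {
        return None;
    }
    let labels: Vec<&str> = domain.split('.').collect();
    // Longest matching suffix wins ("co.uk" beats "uk"); at least one label
    // must remain for the registered name.
    let mut suffix_len = 0;
    for n in 1..labels.len() {
        let candidate = labels[labels.len() - n..].join(".");
        if PUBLIC_SUFFIXES.contains(&candidate.as_str()) {
            suffix_len = n;
        }
    }
    if suffix_len == 0 {
        return None;
    }
    let cut = labels.len() - suffix_len - 1;
    let subdomain = if cut == 0 { None } else { Some(labels[..cut].join(".")) };
    Some((subdomain, labels[cut..].join("."), labels[cut + 1..].join(".")))
}

fn parse_url(original: &str) -> Option<UrlFields> {
    let (scheme, rest) = original.split_once("://")?;
    // Fragment is cut first so a '?' inside it is not mistaken for a query.
    let (rest, fragment) = match rest.split_once('#') {
        Some((r, f)) => (r, Some(f.to_string())),
        None => (rest, None),
    };
    let (rest, query) = match rest.split_once('?') {
        Some((r, q)) => (r, Some(q.to_string())),
        None => (rest, None),
    };
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], rest[i..].to_string()),
        None => (rest, String::new()),
    };
    let (userinfo, hostport) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u), h),
        None => (None, authority),
    };
    let (username, password) = match userinfo.map(|u| u.split_once(':')) {
        Some(Some((n, p))) => (Some(n.to_string()), Some(p.to_string())),
        Some(None) => (userinfo.map(str::to_string), None),
        None => (None, None),
    };
    let (domain, port) = if hostport.starts_with('[') {
        let end = hostport.find(']')?;
        let tail = hostport[end + 1..].strip_prefix(':');
        (hostport[..=end].to_string(), tail.and_then(|p| p.parse::<u16>().ok()))
    } else {
        match hostport.rsplit_once(':') {
            Some((h, p)) => (h.to_string(), p.parse::<u16>().ok()),
            None => (hostport.to_string(), None),
        }
    };
    let domain = domain.to_ascii_lowercase();
    // url.extension: last extension of the final path segment, leading dot excluded.
    let extension = path
        .rsplit('/')
        .next()
        .and_then(|seg| seg.rfind('.').filter(|&i| i > 0).map(|i| seg[i + 1..].to_string()))
        .filter(|e| !e.is_empty());
    let (subdomain, registered_domain, top_level_domain) = match split_domain(&domain) {
        Some((s, r, t)) => (s, Some(r), Some(t)),
        None => (None, None, None),
    };
    Some(UrlFields { scheme: scheme.to_ascii_lowercase(), username, password, domain, port, path, query, fragment, extension, subdomain, registered_domain, top_level_domain })
}

fn main() {
    for u in ["https://alice:s3cret@www.east.mydomain.co.uk:8443/downloads/setup.tar.gz?id=7#top", "http://[2001:db8::1]:8080/", "https://example.com/search?"] {
        println!("{:#?}", parse_url(u));
    }
}
```

Matching indicators on registered_domain rather than on domain is what lets one feed entry cover every host an actor spins up under a registrable name, and it is exactly the case where taking the last two labels fails for "co.uk".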
THREAT_INDICATOR_X509_ALTERNATIVE_NAMES
List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
THREAT_INDICATOR_X509_ISSUER_COMMON_NAME
List of common name (CN) of issuing certificate authority.
THREAT_INDICATOR_X509_ISSUER_COUNTRY
List of country (C) codes of issuing certificate authority.
THREAT_INDICATOR_X509_ISSUER_DISTINGUISHED_NAME
Distinguished name (DN) of issuing certificate authority.
THREAT_INDICATOR_X509_ISSUER_LOCALITY
List of locality names (L) of issuing certificate authority.
THREAT_INDICATOR_X509_ISSUER_ORGANIZATION
List of organizations (O) of issuing certificate authority.
THREAT_INDICATOR_X509_ISSUER_ORGANIZATIONAL_UNIT
List of organizational units (OU) of issuing certificate authority.
THREAT_INDICATOR_X509_ISSUER_STATE_OR_PROVINCE
List of state or province names (ST, S, or P) of issuing certificate authority.
THREAT_INDICATOR_X509_NOT_AFTER
Time at which the certificate is no longer considered valid.
THREAT_INDICATOR_X509_NOT_BEFORE
Time at which the certificate is first considered valid.
THREAT_INDICATOR_X509_PUBLIC_KEY_ALGORITHM
Algorithm used to generate the public key.
THREAT_INDICATOR_X509_PUBLIC_KEY_CURVE
The curve used by the elliptic curve public key algorithm. This is algorithm specific.
THREAT_INDICATOR_X509_PUBLIC_KEY_EXPONENT
Exponent used to derive the public key. This is algorithm specific.
THREAT_INDICATOR_X509_PUBLIC_KEY_SIZE
The size of the public key space in bits.
THREAT_INDICATOR_X509_SERIAL_NUMBER
Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted in uppercase and without colons.
THREAT_INDICATOR_X509_SIGNATURE_ALGORITHM
Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
THREAT_INDICATOR_X509_SUBJECT_COMMON_NAME
List of common names (CN) of subject.
THREAT_INDICATOR_X509_SUBJECT_COUNTRY
List of country (C) codes of subject.
THREAT_INDICATOR_X509_SUBJECT_DISTINGUISHED_NAME
Distinguished name (DN) of the certificate subject entity.
THREAT_INDICATOR_X509_SUBJECT_LOCALITY
List of locality names (L) of subject.
THREAT_INDICATOR_X509_SUBJECT_ORGANIZATION
List of organizations (O) of subject.
THREAT_INDICATOR_X509_SUBJECT_ORGANIZATIONAL_UNIT
List of organizational units (OU) of subject.
THREAT_INDICATOR_X509_SUBJECT_STATE_OR_PROVINCE
List of state or province names (ST, S, or P) of subject.
THREAT_INDICATOR_X509_VERSION_NUMBER
Version of x509 format.
THREAT_SOFTWARE_ALIAS
The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.
THREAT_SOFTWARE_ID
The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.
THREAT_SOFTWARE_NAME
The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.
THREAT_SOFTWARE_PLATFORMS
The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values.
THREAT_SOFTWARE_REFERENCE
The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.
THREAT_SOFTWARE_TYPE
The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type.
THREAT_TACTIC_ID
The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
THREAT_TACTIC_NAME
Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
THREAT_TACTIC_REFERENCE
The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
THREAT_TECHNIQUE_ID
The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
THREAT_TECHNIQUE_NAME
The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
THREAT_TECHNIQUE_REFERENCE
The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
THREAT_TECHNIQUE_SUBTECHNIQUE_ID
The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
THREAT_TECHNIQUE_SUBTECHNIQUE_NAME
The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE
The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
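Validating ATT&CK identifiers and deriving the tactic, technique and sub-technique reference URLs from them before they are written into an alert, as an added example that is not ECS, MITRE or crate code. The URL layout follows the examples quoted in the descriptions above (tactics/TAnnnn/, techniques/Tnnnn/, techniques/Tnnnn/nnn/). Names cannot be derived from ids and must come from the ATT&CK data set, so the block produces only the id and reference fields; the consistency check that a sub-technique belongs to the given technique is the example's own.

```rust
// Added example, not ECS, MITRE or crate code. Ids used in main are the ones
// quoted on this page; the field layout is the flattened threat.* key set.

#[derive(Debug, PartialEq)]
enum AttackId {
    Tactic(String),
    Technique(String),
    Subtechnique { technique: String, sub: String },
}

fn all_digits(s: &str, n: usize) -> bool {
    s.len() == n && s.bytes().all(|b| b.is_ascii_digit())
}

/// TAnnnn -> tactic, Tnnnn -> technique, Tnnnn.nnn -> sub-technique.
fn parse_attack_id(raw: &str) -> Option<AttackId> {
    let id = raw.trim().to_ascii_uppercase();
    if let Some(rest) = id.strip_prefix("TA") {
        return all_digits(rest, 4).then(|| AttackId::Tactic(id.clone()));
    }
    let rest = id.strip_prefix('T')?;
    match rest.split_once('.') {
        None => all_digits(rest, 4).then(|| AttackId::Technique(id.clone())),
        Some((t, s)) => (all_digits(t, 4) && all_digits(s, 3))
            .then(|| AttackId::Subtechnique { technique: format!("T{}", t), sub: s.to_string() }),
    }
}

fn reference_url(id: &AttackId) -> String {
    match id {
        AttackId::Tactic(t) => format!("https://attack.mitre.org/tactics/{}/", t),
        AttackId::Technique(t) => format!("https://attack.mitre.org/techniques/{}/", t),
        AttackId::Subtechnique { technique, sub } => {
            format!("https://attack.mitre.org/techniques/{}/{}/", technique, sub)
        }
    }
}

/// Builds the flattened threat.* id/reference pairs for one classification.
/// Returns None when an id is malformed, the kinds are swapped, or the
/// sub-technique does not belong to the technique (T1059.001 with T1055).
fn threat_fields(tactic_id: &str, technique_id: &str, subtechnique_id: Option<&str>) -> Option<Vec<(String, String)>> {
    let tactic = parse_attack_id(tactic_id)?;
    let technique = parse_attack_id(technique_id)?;
    let (ta, t) = match (&tactic, &technique) {
        (AttackId::Tactic(ta), AttackId::Technique(t)) => (ta, t),
        _ => return None,
    };
    let mut out = vec![
        ("threat.tactic.id".to_string(), ta.clone()),
        ("threat.tactic.reference".to_string(), reference_url(&tactic)),
        ("threat.technique.id".to_string(), t.clone()),
        ("threat.technique.reference".to_string(), reference_url(&technique)),
    ];
    if let Some(sub_id) = subtechnique_id {
        let sub = parse_attack_id(sub_id)?;
        let (parent, suffix) = match &sub {
            AttackId::Subtechnique { technique: parent, sub: suffix } if parent == t => (parent, suffix),
            _ => return None,
        };
        out.push(("threat.technique.subtechnique.id".to_string(), format!("{}.{}", parent, suffix)));
        out.push(("threat.technique.subtechnique.reference".to_string(), reference_url(&sub)));
    }
    Some(out)
}

fn main() {
    match threat_fields("TA0002", "T1059", Some("T1059.001")) {
        Some(fields) => fields.iter().for_each(|(k, v)| println!("{} = {}", k, v)),
        None => println!("rejected"),
    }
}
```

Rejecting a mismatched pair at ingest is cheaper than finding it later in a dashboard: a detection rule tagged T1055 with sub-technique T1059.001 silently breaks every query that groups by technique.id.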