Threat Fields
editThreat Fields
editFields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
Threat Field Details
edit| Field | Description | Level |
|---|---|---|
[beta] This field is beta and subject to change. A list of associated indicators objects enriching the event, and the context of that association/enrichment. type: nested |
extended |
|
[beta] This field is beta and subject to change. Object containing associated indicators enriching the event. type: object |
extended |
|
[beta] This field is beta and subject to change. Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values: * Not Specified, None, Low, Medium, High * 0-10 * Admirality Scale (1-6) * DNI Scale (5-95) * WEP Scale (Impossible - Certain) type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Describes the type of action conducted by the threat. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Identifies a threat indicator as an email address (irrespective of direction). type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The date and time when intelligence source first reported sighting this indicator. type: date example: |
extended |
|
[beta] This field is beta and subject to change. Identifies a threat indicator as an IP address (irrespective of direction). type: ip example: |
extended |
|
[beta] This field is beta and subject to change. The date and time when intelligence source last reported sighting this indicator. type: date example: |
extended |
|
[beta] This field is beta and subject to change. Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The date and time when intelligence source last modified information for this indicator. type: date example: |
extended |
|
[beta] This field is beta and subject to change. Identifies a threat indicator as a port number (irrespective of direction). type: long example: |
extended |
|
[beta] This field is beta and subject to change. The name of the indicator’s provider. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Reference URL linking to additional information about this indicator. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Count of AV/EDR vendors that successfully detected malicious file or URL. type: long example: |
extended |
|
[beta] This field is beta and subject to change. Number of times this indicator was observed conducting threat activity. type: long example: |
extended |
|
[beta] This field is beta and subject to change. Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Identifies the atomic indicator value that matched a local environment endpoint or network event. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Identifies the field of the atomic indicator that matched a local environment endpoint or network event. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Identifies the _id of the indicator document enriching the event. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Identifies the _index of the indicator document enriching the event. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Identifies the type of match that caused the event to be enriched with the given indicator type: keyword example: |
extended |
|
Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword Note: this field should contain an array of values. example: |
extended |
|
[beta] This field is beta and subject to change. The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Identifies the confidence rating assigned by the provider using STIX confidence scales. Recommended values: * Not Specified, None, Low, Medium, High * 0-10 * Admirality Scale (1-6) * DNI Scale (5-95) * WEP Scale (Impossible - Certain) type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Describes the type of action conducted by the threat. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Identifies a threat indicator as an email address (irrespective of direction). type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The date and time when intelligence source first reported sighting this indicator. type: date example: |
extended |
|
[beta] This field is beta and subject to change. Identifies a threat indicator as an IP address (irrespective of direction). type: ip example: |
extended |
|
[beta] This field is beta and subject to change. The date and time when intelligence source last reported sighting this indicator. type: date example: |
extended |
|
[beta] This field is beta and subject to change. Traffic Light Protocol sharing markings. Recommended values are: * WHITE * GREEN * AMBER * RED type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The date and time when intelligence source last modified information for this indicator. type: date example: |
extended |
|
[beta] This field is beta and subject to change. Identifies a threat indicator as a port number (irrespective of direction). type: long example: |
extended |
|
[beta] This field is beta and subject to change. The name of the indicator’s provider. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Reference URL linking to additional information about this indicator. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. Count of AV/EDR vendors that successfully detected malicious file or URL. type: long example: |
extended |
|
[beta] This field is beta and subject to change. Number of times this indicator was observed conducting threat activity. type: long example: |
extended |
|
[beta] This field is beta and subject to change. Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * port * process * software * url * user-account * windows-registry-key * x509-certificate type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platforms. Recommended Values: * AWS * Azure * Azure AD * GCP * Linux * macOS * Network * Office 365 * SaaS * Windows type: keyword Note: this field should contain an array of values. example: |
extended |
|
[beta] This field is beta and subject to change. The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword example: |
extended |
|
[beta] This field is beta and subject to change. The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. Recommended values * Malware * Tool type: keyword example: |
extended |
|
The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword Note: this field should contain an array of values. example: |
extended |
|
Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword Note: this field should contain an array of values. example: |
extended |
|
The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword Note: this field should contain an array of values. example: |
extended |
|
The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword Note: this field should contain an array of values. example: |
extended |
|
The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword Multi-fields: * threat.technique.name.text (type: text) Note: this field should contain an array of values. example: |
extended |
|
The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword Note: this field should contain an array of values. example: |
extended |
|
The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword Note: this field should contain an array of values. example: |
extended |
|
The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword Multi-fields: * threat.technique.subtechnique.name.text (type: text) Note: this field should contain an array of values. example: |
extended |
|
The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword Note: this field should contain an array of values. example: |
extended |
Field Reuse
editField sets that can be nested under Threat
edit| Location | Field Set | Description |
|---|---|---|
|
[beta]
Reusing the Fields describing an Autonomous System (Internet routing prefix). |
|
|
[beta]
Reusing the Fields describing files. |
|
|
[beta]
Reusing the Fields describing a location. |
|
|
[beta]
Reusing the Hashes, usually file hashes. |
|
|
[beta]
Reusing the These fields contain Windows Portable Executable (PE) metadata. |
|
|
[beta]
Reusing the Fields related to Windows Registry operations. |
|
|
[beta]
Reusing the Fields that let you store URLs in various forms. |
|
|
[beta]
Reusing the These fields contain x509 certificate metadata. |
|
|
[beta]
Reusing the Fields describing an Autonomous System (Internet routing prefix). |
|
|
[beta]
Reusing the Fields describing files. |
|
|
[beta]
Reusing the Fields describing a location. |
|
|
[beta]
Reusing the Hashes, usually file hashes. |
|
|
[beta]
Reusing the These fields contain Windows Portable Executable (PE) metadata. |
|
|
[beta]
Reusing the Fields related to Windows Registry operations. |
|
|
[beta]
Reusing the Fields that let you store URLs in various forms. |
|
|
[beta]
Reusing the These fields contain x509 certificate metadata. |