Threat Fields

edit

Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.

These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").

Threat Field Details

edit
Field Description Level

threat.framework

Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.

type: keyword

example: MITRE ATT&CK

extended

threat.tactic.id

The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

Note: this field should contain an array of values.

example: TA0002

extended

threat.tactic.name

Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)

type: keyword

Note: this field should contain an array of values.

example: Execution

extended

threat.tactic.reference

The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

Note: this field should contain an array of values.

example: https://attack.mitre.org/tactics/TA0002/

extended

threat.technique.id

The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Note: this field should contain an array of values.

example: T1059

extended

threat.technique.name

The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Multi-fields:

* threat.technique.name.text (type: text)

Note: this field should contain an array of values.

example: Command and Scripting Interpreter

extended

threat.technique.reference

The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Note: this field should contain an array of values.

example: https://attack.mitre.org/techniques/T1059/

extended

threat.technique.subtechnique.id

The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

Note: this field should contain an array of values.

example: T1059.001

extended

threat.technique.subtechnique.name

The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

Multi-fields:

* threat.technique.subtechnique.name.text (type: text)

Note: this field should contain an array of values.

example: PowerShell

extended

threat.technique.subtechnique.reference

The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

Note: this field should contain an array of values.

example: https://attack.mitre.org/techniques/T1059/001/

extended