IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Source Fields Threat Fields Usage and Examples »

› ›

Threat Fields

edit

Threat Fields

edit

Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.

These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").

Threat Field Details

edit

Field	Description	Level
threat.enrichments	A list of associated indicators objects enriching the event, and the context of that association/enrichment. type: nested Note: this field should contain an array of values.	extended
threat.enrichments.indicator	Object containing associated indicators enriching the event. type: object	extended
threat.enrichments.indicator.confidence	Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values for this field: `Not Specified` `None` `Low` `Medium` `High` type: keyword example: `Medium`	extended
threat.enrichments.indicator.description	Describes the type of action conducted by the threat. type: keyword example: `IP x.x.x.x was observed delivering the Angler EK.`	extended
threat.enrichments.indicator.email.address	Identifies a threat indicator as an email address (irrespective of direction). type: keyword example: `phish@example.com`	extended
threat.enrichments.indicator.first_seen	The date and time when intelligence source first reported sighting this indicator. type: date example: `2020-11-05T17:25:47.000Z`	extended
threat.enrichments.indicator.ip	Identifies a threat indicator as an IP address (irrespective of direction). type: ip example: `1.2.3.4`	extended
threat.enrichments.indicator.last_seen	The date and time when intelligence source last reported sighting this indicator. type: date example: `2020-11-05T17:25:47.000Z`	extended
threat.enrichments.indicator.marking.tlp	Traffic Light Protocol sharing markings. Expected values for this field: `WHITE` `CLEAR` `GREEN` `AMBER` `AMBER+STRICT` `RED` type: keyword example: `CLEAR`	extended
threat.enrichments.indicator.marking.tlp_version	Traffic Light Protocol version. type: keyword example: `2.0`	extended
threat.enrichments.indicator.modified_at	The date and time when intelligence source last modified information for this indicator. type: date example: `2020-11-05T17:25:47.000Z`	extended
threat.enrichments.indicator.name	The display name indicator in an UI friendly format Expected values for this field: `5.2.75.227` `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` `https://example.com/some/path` `example.com` `373d34874d7bc89fd4cefa6272ee80bf` `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7` `email@example.com` `HKLM\SOFTWARE\Microsoft\Active` `13335` `00:00:5e:00:53:af` `8008` type: keyword example: `5.2.75.227`	extended
threat.enrichments.indicator.port	Identifies a threat indicator as a port number (irrespective of direction). type: long example: `443`	extended
threat.enrichments.indicator.provider	The name of the indicator’s provider. type: keyword example: `lrz_urlhaus`	extended
threat.enrichments.indicator.reference	Reference URL linking to additional information about this indicator. type: keyword example: `https://system.example.com/indicator/0001234`	extended
threat.enrichments.indicator.scanner_stats	Count of AV/EDR vendors that successfully detected malicious file or URL. type: long example: `4`	extended
threat.enrichments.indicator.sightings	Number of times this indicator was observed conducting threat activity. type: long example: `20`	extended
threat.enrichments.indicator.type	Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values for this field: `autonomous-system` `artifact` `directory` `domain-name` `email-addr` `file` `ipv4-addr` `ipv6-addr` `mac-addr` `mutex` `port` `process` `software` `url` `user-account` `windows-registry-key` `x509-certificate` type: keyword example: `ipv4-addr`	extended
threat.enrichments.matched.atomic	Identifies the atomic indicator value that matched a local environment endpoint or network event. type: keyword example: `bad-domain.com`	extended
threat.enrichments.matched.field	Identifies the field of the atomic indicator that matched a local environment endpoint or network event. type: keyword example: `file.hash.sha256`	extended
threat.enrichments.matched.id	Identifies the _id of the indicator document enriching the event. type: keyword example: `ff93aee5-86a1-4a61-b0e6-0cdc313d01b5`	extended
threat.enrichments.matched.index	Identifies the _index of the indicator document enriching the event. type: keyword example: `filebeat-8.0.0-2021.05.23-000011`	extended
threat.enrichments.matched.occurred	Indicates when the indicator match was generated type: date example: `2021-10-05T17:00:58.326Z`	extended
threat.enrichments.matched.type	Identifies the type of match that caused the event to be enriched with the given indicator type: keyword example: `indicator_match_rule`	extended
threat.feed.dashboard_id	The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana. type: keyword example: `5ba16340-72e6-11eb-a3e3-b3cc7c78a70f`	extended
threat.feed.description	Description of the threat feed in a UI friendly format. type: keyword example: `Threat feed from the AlienVault Open Threat eXchange network.`	extended
threat.feed.name	The name of the threat feed in UI friendly format. type: keyword example: `AlienVault OTX`	extended
threat.feed.reference	Reference information for the threat feed in a UI friendly format. type: keyword example: `https://otx.alienvault.com`	extended
threat.framework	Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword example: `MITRE ATT&CK`	extended
threat.group.alias	The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es). type: keyword Note: this field should contain an array of values. example: `[ "Magecart Group 6" ]`	extended
threat.group.id	The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. type: keyword example: `G0037`	extended
threat.group.name	The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name. type: keyword example: `FIN6`	extended
threat.group.reference	The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL. type: keyword example: `https://attack.mitre.org/groups/G0037/`	extended
threat.indicator.confidence	Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values for this field: `Not Specified` `None` `Low` `Medium` `High` type: keyword example: `Medium`	extended
threat.indicator.description	Describes the type of action conducted by the threat. type: keyword example: `IP x.x.x.x was observed delivering the Angler EK.`	extended
threat.indicator.email.address	Identifies a threat indicator as an email address (irrespective of direction). type: keyword example: `phish@example.com`	extended
threat.indicator.first_seen	The date and time when intelligence source first reported sighting this indicator. type: date example: `2020-11-05T17:25:47.000Z`	extended
threat.indicator.ip	Identifies a threat indicator as an IP address (irrespective of direction). type: ip example: `1.2.3.4`	extended
threat.indicator.last_seen	The date and time when intelligence source last reported sighting this indicator. type: date example: `2020-11-05T17:25:47.000Z`	extended
threat.indicator.marking.tlp	Traffic Light Protocol sharing markings. Expected values for this field: `WHITE` `CLEAR` `GREEN` `AMBER` `AMBER+STRICT` `RED` type: keyword example: `CLEAR`	extended
threat.indicator.marking.tlp_version	Traffic Light Protocol version. type: keyword example: `2.0`	extended
threat.indicator.modified_at	The date and time when intelligence source last modified information for this indicator. type: date example: `2020-11-05T17:25:47.000Z`	extended
threat.indicator.name	The display name indicator in an UI friendly format Expected values for this field: `5.2.75.227` `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` `https://example.com/some/path` `example.com` `373d34874d7bc89fd4cefa6272ee80bf` `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7` `email@example.com` `HKLM\SOFTWARE\Microsoft\Active` `13335` `00:00:5e:00:53:af` `8008` type: keyword example: `5.2.75.227`	extended
threat.indicator.port	Identifies a threat indicator as a port number (irrespective of direction). type: long example: `443`	extended
threat.indicator.provider	The name of the indicator’s provider. type: keyword example: `lrz_urlhaus`	extended
threat.indicator.reference	Reference URL linking to additional information about this indicator. type: keyword example: `https://system.example.com/indicator/0001234`	extended
threat.indicator.scanner_stats	Count of AV/EDR vendors that successfully detected malicious file or URL. type: long example: `4`	extended
threat.indicator.sightings	Number of times this indicator was observed conducting threat activity. type: long example: `20`	extended
threat.indicator.type	Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values for this field: `autonomous-system` `artifact` `directory` `domain-name` `email-addr` `file` `ipv4-addr` `ipv6-addr` `mac-addr` `mutex` `port` `process` `software` `url` `user-account` `windows-registry-key` `x509-certificate` type: keyword example: `ipv4-addr`	extended
threat.software.alias	The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description. type: keyword Note: this field should contain an array of values. example: `[ "X-Agent" ]`	extended
threat.software.id	The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id. type: keyword example: `S0552`	extended
threat.software.name	The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name. type: keyword example: `AdFind`	extended
threat.software.platforms	The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use MITRE ATT&CK® software platform values. Expected values for this field: `AWS` `Azure` `Azure AD` `GCP` `Linux` `macOS` `Network` `Office 365` `SaaS` `Windows` type: keyword Note: this field should contain an array of values. example: `[ "Windows" ]`	extended
threat.software.reference	The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL. type: keyword example: `https://attack.mitre.org/software/S0552/`	extended
threat.software.type	The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type. Expected values for this field: `Malware` `Tool` type: keyword example: `Tool`	extended
threat.tactic.id	The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword Note: this field should contain an array of values. example: `TA0002`	extended
threat.tactic.name	Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) type: keyword Note: this field should contain an array of values. example: `Execution`	extended
threat.tactic.reference	The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) type: keyword Note: this field should contain an array of values. example: `https://attack.mitre.org/tactics/TA0002/`	extended
threat.technique.id	The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword Note: this field should contain an array of values. example: `T1059`	extended
threat.technique.name	The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword Multi-fields: threat.technique.name.text (type: match_only_text) Note: this field should contain an array of values. example: `Command and Scripting Interpreter`	extended
threat.technique.reference	The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) type: keyword Note: this field should contain an array of values. example: `https://attack.mitre.org/techniques/T1059/`	extended
threat.technique.subtechnique.id	The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword Note: this field should contain an array of values. example: `T1059.001`	extended
threat.technique.subtechnique.name	The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword Multi-fields: threat.technique.subtechnique.name.text (type: match_only_text) Note: this field should contain an array of values. example: `PowerShell`	extended
threat.technique.subtechnique.reference	The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/) type: keyword Note: this field should contain an array of values. example: `https://attack.mitre.org/techniques/T1059/001/`	extended

Field Reuse

edit

Field sets that can be nested under Threat

edit

Location	Field Set	Description
`threat.enrichments.indicator.as.*`	as	Fields describing an Autonomous System (Internet routing prefix).
`threat.enrichments.indicator.file.*`	file	Fields describing files.
`threat.enrichments.indicator.geo.*`	geo	Fields describing a location.
`threat.enrichments.indicator.registry.*`	registry	Fields related to Windows Registry operations.
`threat.enrichments.indicator.url.*`	url	Fields that let you store URLs in various forms.
`threat.enrichments.indicator.x509.*`	x509	These fields contain x509 certificate metadata.
`threat.indicator.as.*`	as	Fields describing an Autonomous System (Internet routing prefix).
`threat.indicator.file.*`	file	Fields describing files.
`threat.indicator.geo.*`	geo	Fields describing a location.
`threat.indicator.registry.*`	registry	Fields related to Windows Registry operations.
`threat.indicator.url.*`	url	Fields that let you store URLs in various forms.
`threat.indicator.x509.*`	x509	These fields contain x509 certificate metadata.

Threat Field Usage

edit

For usage and examples of the threat fields, please see the Threat Fields Usage and Examples section.

« Source Fields Threat Fields Usage and Examples »