Elastic Common Schema (ECS) Reference
Threat Fields Usage and Examples
The threat.* fields map threat indicators to ECS. This data helps detect malicious events through indicator match rules and event enrichment.
Indicators
Threat intelligence indicators come from many sources and arrive in different structures. Normalize these indicators using the ECS threat.indicator.* fields. Once normalized, indicators from different sources can be queried consistently and used to build indicator match rules.
The example below comes from an online database. It contains several network indicators from a known malware site.
{
  "@timestamp": "2019-08-10T11:09:23.000Z",
  "event": {
    "kind": "enrichment",
    "category": "threat",
    "type": "indicator",
    "severity": 7,
    "risk_score": 10.0
  },
  "threat": {
    "indicator": {
      "first_seen": "2020-11-05T17:25:47.000Z",
      "last_seen": "2020-11-05T17:25:47.000Z",
      "modified_at": "2020-11-05T17:25:47.000Z",
      "sightings": 10,
      "type": ["ipv4-addr", "port", "domain-name", "email-addr"],
      "description": "Email address, domain, port, and IP address observed during an Angler EK campaign.",
      "provider": "Abuse.ch",
      "reference": "https://urlhaus.abuse.ch/url/abcdefg/",
      "confidence": "High",
      "ip": "1.2.3.4",
      "port": 443,
      "email.address": "phish@malicious.evil",
      "marking": {
        "tlp": "CLEAR"
      },
      "url": {
        "domain": "malicious.evil"
      },
      "scanner_stats": 4
    }
  },
  "related": {
    "hosts": ["malicious.evil"],
    "ip": ["1.2.3.4"]
  }
}
1. Use the enrichment value for event.kind.
2. Use the threat value for event.category.
3. The event type is set to indicator.
4. Capture indicator details at threat.indicator.*.
5. Copy indicators to the relevant related.* fields (here related.hosts and related.ip), so a single query across related.* finds them.
The following example maps a file-based indicator.
{
  "@timestamp": "2019-08-10T11:09:23.000Z",
  "event": {
    "kind": "enrichment",
    "category": "threat",
    "type": "indicator",
    "severity": 7,
    "risk_score": 10
  },
  "threat": {
    "indicator": {
      "first_seen": "2020-11-05T17:25:47.000Z",
      "last_seen": "2020-11-05T17:25:47.000Z",
      "modified_at": "2020-11-05T17:25:47.000Z",
      "sightings": 10,
      "type": ["file"],
      "description": "Implant used during an Angler EK campaign.",
      "provider": "Abuse.ch",
      "reference": "https://bazaar.abuse.ch/sample/f3ec9a2f2766c6bcf8c2894a9927c227649249ac146aabfe8d26b259be7d7055",
      "confidence": "High",
      "file": {
        "hash": {
          "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
          "md5": "1eee2bf3f56d8abed72da2bc523e7431"
        },
        "size": 656896,
        "name": "invoice.doc"
      },
      "marking": {
        "tlp": "CLEAR"
      },
      "scanner_stats": 4
    }
  },
  "related": {
    "hash": [
      "1eee2bf3f56d8abed72da2bc523e7431",
      "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4"
    ]
  }
}
1. Use the file value for threat.indicator.type.
2. Capture file attributes at threat.indicator.file.*.
3. Again, populate the related.* fields, here related.hash with both digests.
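The two indicator documents above are hand-written. In practice the normalization is done by code that reads a feed and emits one ECS document per indicator. The following Python is an added example written for this page (not code from the ECS project or Elastic). It converts a few constructed feed rows into the shape shown above, validates each atomic value before trusting it, sets event.kind/category/type and the related.* fields, and rejects rows it cannot normalize instead of indexing junk. The feed column names (ioc_type, ioc_value, first_seen, source, ref, tlp) are assumptions for this example; a real feed's layout will differ.

```python
"""Normalize raw threat-feed rows into ECS threat.indicator documents.

Added example written for this page, not code from the ECS project. The rows
in RAW_FEED and their column names (ioc_type, ioc_value, first_seen, source,
ref, tlp) are constructed for the example; a real feed's layout differs.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Any

# Hex digest formats accepted for file indicators (lowercase after normalization).
HEX_HASH = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
# Conservative hostname check: labels of 1-63 chars, no leading/trailing hyphen.
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# Constructed sample rows; values mirror the indicators shown on this page.
RAW_FEED: list[dict[str, str]] = [
    {"ioc_type": "ip", "ioc_value": "1.2.3.4", "first_seen": "2020-11-05T17:25:47Z",
     "source": "Abuse.ch", "ref": "https://urlhaus.abuse.ch/url/abcdefg/", "tlp": "clear"},
    {"ioc_type": "domain", "ioc_value": "Malicious.Evil", "first_seen": "2020-11-05T17:25:47Z",
     "source": "Abuse.ch", "ref": "https://urlhaus.abuse.ch/url/abcdefg/", "tlp": "clear"},
    {"ioc_type": "sha256",
     "ioc_value": "0C415DD718E3B3728707D579CF8214F54C2942E964975A5F925E0B82FEA644B4",
     "first_seen": "2020-11-05T17:25:47Z", "source": "Abuse.ch",
     "ref": "https://bazaar.abuse.ch/sample/f3ec9a2f2766c6bcf8c2894a9927c227649249ac146aabfe8d26b259be7d7055",
     "tlp": "clear"},
]


def normalize_indicator(row: dict[str, str]) -> dict[str, Any]:
    """Build one ECS indicator document from a feed row; raise ValueError on bad input."""
    value = row["ioc_value"].strip()
    kind = row["ioc_type"].strip().lower()
    doc: dict[str, Any] = {
        "@timestamp": row["first_seen"],
        # Indicator documents are enrichment data, not observed host activity.
        "event": {"kind": "enrichment", "category": "threat", "type": "indicator"},
        "threat": {"indicator": {
            "first_seen": row["first_seen"],
            "provider": row["source"],
            "reference": row["ref"],
            "marking": {"tlp": row["tlp"].upper()},
        }},
        "related": {},
    }
    ind = doc["threat"]["indicator"]
    if kind == "ip":
        addr = ipaddress.ip_address(value)  # ValueError on anything that is not an address
        ind["type"] = "ipv4-addr" if addr.version == 4 else "ipv6-addr"
        ind["ip"] = str(addr)
        doc["related"]["ip"] = [str(addr)]
    elif kind == "domain":
        domain = value.lower().rstrip(".")
        if not DOMAIN_RE.match(domain):
            raise ValueError(f"not a domain name: {value!r}")
        ind["type"] = "domain-name"
        ind["url"] = {"domain": domain}
        doc["related"]["hosts"] = [domain]
    elif kind in HEX_HASH:
        digest = value.lower()  # hashes are compared case-insensitively, store lowercase
        if not HEX_HASH[kind].match(digest):
            raise ValueError(f"not a {kind} digest: {value!r}")
        ind["type"] = "file"
        ind["file"] = {"hash": {kind: digest}}
        doc["related"]["hash"] = [digest]
    else:
        raise ValueError(f"unsupported indicator type: {row['ioc_type']!r}")
    return doc


def normalize_feed(rows: list[dict[str, str]]) -> tuple[list[dict[str, Any]], list[tuple[dict[str, str], str]]]:
    """Normalize every row, collecting rejects instead of aborting the whole batch."""
    docs, rejected = [], []
    for row in rows:
        try:
            docs.append(normalize_indicator(row))
        except (KeyError, ValueError) as exc:
            rejected.append((row, str(exc)))
    return docs, rejected


if __name__ == "__main__":
    import json
    good, bad = normalize_feed(RAW_FEED + [{"ioc_type": "ip", "ioc_value": "not-an-ip",
                                            "first_seen": "2020-11-05T17:25:47Z",
                                            "source": "x", "ref": "x", "tlp": "clear"}])
    print(json.dumps(good, indent=2))
    print("rejected:", bad)
```

Rejected rows are returned rather than silently dropped so the ingest job can log them; a feed that starts shipping malformed values is itself worth an alert.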
Enrichments
Event enrichment searches for known threats using an event's values and, on a match, adds the associated indicator details to the event under threat.enrichments. In the example below, a file event's file.hash.sha256 matched the file indicator above; the matched.* fields record which event field matched, the matching value, and the indicator document it came from.
{
  "process": {
    "name": "svchost.exe",
    "pid": 1644,
    "entity_id": "MDgyOWFiYTYtMzRkYi1kZTM2LTFkNDItMzBlYWM3NDVlOTgwLTE2NDQtMTMyNDk3MTA2OTcuNDc1OTExNTAw",
    "executable": "C:\\Windows\\System32\\svchost.exe"
  },
  "message": "Endpoint file event",
  "@timestamp": "2020-11-17T19:07:46.0956672Z",
  "file": {
    "path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-AE7DB802.pf",
    "extension": "pf",
    "name": "SVCHOST.EXE-AE7DB802.pf",
    "hash": {
      "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4"
    }
  },
  "threat": {
    "enrichments": [
      {
        "indicator": {
          "marking": {
            "tlp": "CLEAR"
          },
          "first_seen": "2020-11-17T19:07:46.0956672Z",
          "file": {
            "hash": {
              "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
              "md5": "1eee2bf3f56d8abed72da2bc523e7431"
            },
            "size": 656896,
            "name": "invoice.doc"
          },
          "last_seen": "2020-11-17T19:07:46.0956672Z",
          "reference": "https://system.example.com/event/#0001234",
          "sightings": 4,
          "type": ["sha256", "md5", "file_name", "file_size"],
          "description": "file last associated with delivering Angler EK"
        },
        "matched": {
          "atomic": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
          "field": "file.hash.sha256",
          "id": "abc123f03",
          "index": "threat-indicators-index-000001",
          "type": "indicator_match_rule"
        }
      }
    ]
  }
}
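The enrichment shown above is what an indicator match produces. The Python below is an added example written for this page, not Elastic's indicator match rule implementation: it compares selected event fields against indicator documents and, for each hit, appends a threat.enrichments entry carrying a copy of the indicator and the matched.* bookkeeping (atomic value, event field, indicator _id and _index). The indicator hits, the sample event, the index name, the _id values and the MATCH_FIELDS mapping are all constructed assumptions for the example. Hashes and domains are compared case-insensitively, and an event with no match is returned unchanged rather than with an empty enrichments list.

```python
"""Match an ECS event against indicator documents and attach threat.enrichments.

Added example written for this page; it is not Elastic's indicator match rule
implementation. The indicator hits, the event, the index name, the _id values
and the MATCH_FIELDS mapping are constructed for the example.
"""
from __future__ import annotations

from copy import deepcopy
from typing import Any

# Event field -> indicator field it is compared against. Assumed mapping for
# this example; a real rule defines its own entries.
MATCH_FIELDS: dict[str, str] = {
    "file.hash.sha256": "threat.indicator.file.hash.sha256",
    "file.hash.md5": "threat.indicator.file.hash.md5",
    "source.ip": "threat.indicator.ip",
    "destination.ip": "threat.indicator.ip",
    "dns.question.name": "threat.indicator.url.domain",
}

# Constructed indicator hits, shaped like search hits from an indicator index.
INDICATOR_HITS: list[dict[str, Any]] = [
    {
        "_index": "threat-indicators-index-000001",
        "_id": "abc123f03",
        "_source": {"threat": {"indicator": {
            "type": ["file"],
            "description": "file last associated with delivering Angler EK",
            "file": {
                "hash": {"sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
                         "md5": "1eee2bf3f56d8abed72da2bc523e7431"},
                "name": "invoice.doc",
            },
            "marking": {"tlp": "CLEAR"},
        }}},
    },
    {
        "_index": "threat-indicators-index-000001",
        "_id": "def456a07",
        "_source": {"threat": {"indicator": {"type": ["ipv4-addr"], "ip": "1.2.3.4"}}},
    },
]

# Constructed file event; the hash is upper-cased to show the case-insensitive match.
SAMPLE_EVENT: dict[str, Any] = {
    "@timestamp": "2020-11-17T19:07:46.0956672Z",
    "process": {"name": "svchost.exe", "pid": 1644},
    "file": {
        "name": "SVCHOST.EXE-AE7DB802.pf",
        "hash": {"sha256": "0C415DD718E3B3728707D579CF8214F54C2942E964975A5F925E0B82FEA644B4"},
    },
}


def get_path(doc: dict[str, Any], path: str) -> Any:
    """Walk a dotted field path through nested dicts; None when any part is absent."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def build_lookup(hits: list[dict[str, Any]]) -> dict[tuple[str, str], list[dict[str, Any]]]:
    """Index indicator hits by (indicator field, lowercased atomic value) for O(1) lookups."""
    lookup: dict[tuple[str, str], list[dict[str, Any]]] = {}
    for hit in hits:
        for ind_field in set(MATCH_FIELDS.values()):
            value = get_path(hit["_source"], ind_field)
            if isinstance(value, str):
                lookup.setdefault((ind_field, value.lower()), []).append(hit)
    return lookup


def enrich(event: dict[str, Any], lookup: dict[tuple[str, str], list[dict[str, Any]]]) -> dict[str, Any]:
    """Return a copy of the event with one threat.enrichments entry per matching indicator."""
    enriched = deepcopy(event)  # never mutate the caller's event
    matches: list[dict[str, Any]] = []
    for ev_field, ind_field in MATCH_FIELDS.items():
        atomic = get_path(event, ev_field)
        if not isinstance(atomic, str):
            continue
        for hit in lookup.get((ind_field, atomic.lower()), []):
            matches.append({
                "indicator": deepcopy(hit["_source"]["threat"]["indicator"]),
                "matched": {
                    "atomic": atomic,            # the event's own value, as observed
                    "field": ev_field,           # which event field matched
                    "id": hit["_id"],            # _id of the indicator document
                    "index": hit["_index"],      # index the indicator came from
                    "type": "indicator_match_rule",
                },
            })
    if matches:  # unmatched events stay untouched: no empty enrichments list
        enriched.setdefault("threat", {}).setdefault("enrichments", []).extend(matches)
    return enriched


if __name__ == "__main__":
    import json
    print(json.dumps(enrich(SAMPLE_EVENT, build_lookup(INDICATOR_HITS)), indent=2))
```

Keeping matched.atomic as the event's original value (rather than the lowercased key) preserves what the host actually reported, which matters when the enrichment is later used as evidence.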