forked from elastic/ecs
threat.yml
---
- name: threat
  title: Threat
  group: 2
  short: Fields to classify events and alerts according to a threat taxonomy.
  description: >
    Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
    These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a
    common taxonomy. The threat.tactic.* fields are meant to capture the high-level category of the threat
    (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by
    this detected threat to accomplish the goal (e.g. "endpoint denial of service").
  type: group
  fields:
    - name: framework
      level: extended
      type: keyword
      short: Threat classification framework.
      description: >
        Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat.
        Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
      example: MITRE ATT&CK
    - name: tactic.id
      level: extended
      type: keyword
      short: Threat tactic id.
      description: >
        The id of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
        (ex. https://attack.mitre.org/tactics/TA0002/)
      example: TA0002
      normalize:
        - array
    - name: tactic.name
      level: extended
      type: keyword
      short: Threat tactic.
      description: >
        Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
        (ex. https://attack.mitre.org/tactics/TA0002/)
      example: Execution
      normalize:
        - array
    - name: tactic.reference
      level: extended
      type: keyword
      short: Threat tactic URL reference.
      description: >
        The reference URL of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
        (ex. https://attack.mitre.org/tactics/TA0002/)
      example: https://attack.mitre.org/tactics/TA0002/
      normalize:
        - array
    - name: technique.id
      level: extended
      type: keyword
      short: Threat technique id.
      description: >
        The id of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
        (ex. https://attack.mitre.org/techniques/T1059/)
      example: T1059
      normalize:
        - array
    - name: technique.name
      level: extended
      type: keyword
      multi_fields:
        - type: text
          name: text
      short: Threat technique name.
      description: >
        The name of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
        (ex. https://attack.mitre.org/techniques/T1059/)
      example: Command and Scripting Interpreter
      normalize:
        - array
    - name: technique.reference
      level: extended
      type: keyword
      short: Threat technique URL reference.
      description: >
        The reference URL of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
        (ex. https://attack.mitre.org/techniques/T1059/)
      example: https://attack.mitre.org/techniques/T1059/
      normalize:
        - array
    - name: technique.subtechnique.id
      level: extended
      type: keyword
      short: Threat subtechnique id.
      description: >
        The full id of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example.
        (ex. https://attack.mitre.org/techniques/T1059/001/)
      example: T1059.001
      normalize:
        - array
    - name: technique.subtechnique.name
      level: extended
      type: keyword
      multi_fields:
        - type: text
          name: text
      short: Threat subtechnique name.
      description: >
        The name of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example.
        (ex. https://attack.mitre.org/techniques/T1059/001/)
      example: PowerShell
      normalize:
        - array
    - name: technique.subtechnique.reference
      level: extended
      type: keyword
      short: Threat subtechnique URL reference.
      description: >
        The reference URL of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example.
        (ex. https://attack.mitre.org/techniques/T1059/001/)
      example: https://attack.mitre.org/techniques/T1059/001/
      normalize:
        - array
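The schema above declares two things an ingest pipeline has to honour: every `threat.*` field is a `keyword`, and all tactic/technique/subtechnique fields carry `normalize: [array]`, so a single value must be stored as a one-element list while `threat.framework` stays a scalar. The following added example (it is not ECS project code) applies those rules to a flat, dotted alert and nests it into the `threat.tactic.id` style document shape that ECS consumers expect. `SCHEMA` is a constructed, reduced copy of the field set on this page; `SAMPLE_ALERT` is a constructed alert that reuses the example IDs from threat.yml; `check_subtechnique_consistency` is an assumed extra check (not part of the ECS schema) that flags a subtechnique whose parent technique ID is absent.

```python
"""Normalize an alert's threat.* fields according to the ECS threat.yml rules.

Added example, not ECS project code. SCHEMA is a constructed subset of the
threat field set: field name -> (type, normalize-to-array flag).
"""
from typing import Any

SCHEMA: dict[str, tuple[str, bool]] = {
    "threat.framework": ("keyword", False),
    "threat.tactic.id": ("keyword", True),
    "threat.tactic.name": ("keyword", True),
    "threat.tactic.reference": ("keyword", True),
    "threat.technique.id": ("keyword", True),
    "threat.technique.name": ("keyword", True),
    "threat.technique.reference": ("keyword", True),
    "threat.technique.subtechnique.id": ("keyword", True),
    "threat.technique.subtechnique.name": ("keyword", True),
    "threat.technique.subtechnique.reference": ("keyword", True),
}

# Constructed alert; the MITRE IDs are the example values given in threat.yml.
SAMPLE_ALERT: dict[str, Any] = {
    "event.kind": "alert",
    "threat.framework": "MITRE ATT&CK",
    "threat.tactic.id": "TA0002",
    "threat.tactic.name": "Execution",
    "threat.tactic.reference": "https://attack.mitre.org/tactics/TA0002/",
    "threat.technique.id": "T1059",
    "threat.technique.name": "Command and Scripting Interpreter",
    "threat.technique.subtechnique.id": ["T1059.001"],
    "threat.technique.subtechnique.name": "PowerShell",
}


class SchemaError(ValueError):
    """Raised when an alert violates the threat field schema."""


def normalize_value(field: str, value: Any) -> Any:
    """Enforce the keyword type and the normalize-to-array rule for one field."""
    ftype, to_array = SCHEMA[field]
    values = value if isinstance(value, list) else [value]
    for v in values:
        if ftype == "keyword" and not isinstance(v, str):
            raise SchemaError(f"{field}: keyword field holds non-string {v!r}")
    if to_array:
        return values  # scalar "TA0002" becomes ["TA0002"], lists pass through
    if len(values) != 1:
        raise SchemaError(f"{field}: field is not an array, got {len(values)} values")
    return values[0]


def normalize_alert(flat: dict[str, Any]) -> dict[str, Any]:
    """Validate threat.* fields and nest dotted keys into an ECS-shaped document."""
    doc: dict[str, Any] = {}
    for field, value in flat.items():
        if field.startswith("threat."):
            if field not in SCHEMA:
                raise SchemaError(f"{field}: not a known threat field")
            value = normalize_value(field, value)
        parts = field.split(".")
        node = doc
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return doc


def check_subtechnique_consistency(doc: dict[str, Any]) -> list[str]:
    """Assumed extra check: subtechnique IDs whose parent technique is not listed.

    Relies on the MITRE convention that a subtechnique ID is "<technique>.<nnn>".
    Returns the orphaned subtechnique IDs (empty list means consistent).
    """
    technique = doc.get("threat", {}).get("technique", {})
    technique_ids = technique.get("id", [])
    sub_ids = technique.get("subtechnique", {}).get("id", [])
    return [s for s in sub_ids if s.split(".")[0] not in technique_ids]


if __name__ == "__main__":
    normalized = normalize_alert(SAMPLE_ALERT)
    print(normalized["threat"]["tactic"])
    print("orphaned subtechniques:", check_subtechnique_consistency(normalized))
```

Rejecting unknown `threat.*` keys is deliberate: a detector that emits `threat.technique.sub_technique.id` would otherwise silently create a field that no ECS-aware dashboard or rule reads.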