forked from elastic/ecs
threat.yml
100 lines (84 loc) · 3.25 KB
---
- name: threat
  title: Threat
  group: 2
  short: Fields to classify events and alerts according to a threat taxonomy.
  description: >
    Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.

    These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a
    common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat
    (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by
    this detected threat to accomplish the goal (e.g. "endpoint denial of service").
  type: group
  fields:

    - name: framework
      level: extended
      type: keyword
      short: Threat classification framework.
      description: >
        Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat.
        Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.
      example: MITRE ATT&CK

    - name: tactic.name
      level: extended
      type: keyword
      short: Threat tactic.
      description: >
        Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
        (ex. https://attack.mitre.org/tactics/TA0040/)
      example: impact
      normalize:
        - array

    - name: tactic.id
      level: extended
      type: keyword
      short: Threat tactic id.
      description: >
        The id of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
        (ex. https://attack.mitre.org/tactics/TA0040/)
      example: TA0040
      normalize:
        - array

    - name: tactic.reference
      level: extended
      type: keyword
      short: Threat tactic URL reference.
      description: >
        The reference URL of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example.
        (ex. https://attack.mitre.org/tactics/TA0040/)
      example: https://attack.mitre.org/tactics/TA0040/
      normalize:
        - array

    - name: technique.name
      level: extended
      type: keyword
      multi_fields:
        - type: text
          name: text
      short: Threat technique name.
      description: >
        The name of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
        (ex. https://attack.mitre.org/techniques/T1499/)
      example: Endpoint Denial of Service
      normalize:
        - array

    - name: technique.id
      level: extended
      type: keyword
      short: Threat technique id.
      description: >
        The id of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
        (ex. https://attack.mitre.org/techniques/T1499/)
      example: T1499
      normalize:
        - array

    - name: technique.reference
      level: extended
      type: keyword
      short: Threat technique URL reference.
      description: >
        The reference URL of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example.
        (ex. https://attack.mitre.org/techniques/T1499/)
      example: https://attack.mitre.org/techniques/T1499/
      normalize:
        - array
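As an added example (not part of elastic/ecs or this schema file), the following Python builds a `threat` object that follows the field definitions above and checks a document against them: the six `tactic.*` / `technique.*` leaves are always emitted as arrays because the schema marks them `normalize: array`, and reference URLs are derived from the id using the attack.mitre.org pattern shown in the schema's examples. The helper names (`build_threat`, `validate_threat`), the id regexes and the sample detection are constructed for this illustration.

```python
import re

# Leaf fields that threat.yml marks "normalize: - array": always emit lists.
ARRAY_LEAVES = ("id", "name", "reference")
ID_PATTERNS = {  # ATT&CK id shapes, inferred from the schema's examples (assumption)
    "tactic": re.compile(r"^TA\d{4}$"),              # TA0040
    "technique": re.compile(r"^T\d{4}(\.\d{3})?$"),  # T1499 or sub-technique T1499.001
}


def build_threat(framework, tactics, techniques):
    """Return an ECS-shaped 'threat' object from (id, name) pairs.

    Reference URLs follow the attack.mitre.org pattern used in the schema's
    examples; a sub-technique id such as T1499.001 maps to .../T1499/001/.
    """
    def section(kind, pairs):
        pairs = list(pairs)
        return {
            "id": [i for i, _ in pairs],
            "name": [n for _, n in pairs],
            "reference": [f"https://attack.mitre.org/{kind}s/{i.replace('.', '/')}/"
                          for i, _ in pairs],
        }
    return {"framework": framework,
            "tactic": section("tactic", tactics),
            "technique": section("technique", techniques)}


def validate_threat(threat):
    """Return schema problems as a list of strings (empty means well-formed)."""
    problems = []
    if not isinstance(threat.get("framework"), str):
        problems.append("threat.framework must be a keyword string")
    for kind in ("tactic", "technique"):
        sub = threat.get(kind, {})
        for leaf in ARRAY_LEAVES:
            if not isinstance(sub.get(leaf), list):
                problems.append(f"threat.{kind}.{leaf} must be an array (normalize: array)")
        # The id-format check only applies when the declared framework is ATT&CK.
        if threat.get("framework") == "MITRE ATT&CK" and isinstance(sub.get("id"), list):
            for i in sub["id"]:
                if not ID_PATTERNS[kind].match(str(i)):
                    problems.append(f"threat.{kind}.id {i!r} is not an ATT&CK {kind} id")
    return problems


# Constructed sample: an IDS alert mapped to the schema's own example values.
SAMPLE = build_threat("MITRE ATT&CK", [("TA0040", "impact")],
                      [("T1499", "Endpoint Denial of Service")])
```

A scalar written where the schema expects an array (for example `threat.tactic.id: "TA0040"`) is reported by `validate_threat`, which is the most common shape error when mapping a single-valued alert into these multi-valued fields.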