Threat Fieldsedit

Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.

These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").

Threat Field Detailsedit

Field Description Level

threat.enrichments

A list of associated indicators objects enriching the event, and the context of that association/enrichment.

type: nested

Note: this field should contain an array of values.

extended

threat.enrichments.indicator

Object containing associated indicators enriching the event.

type: object

extended

threat.enrichments.indicator.confidence

Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.

Expected values for this field:

  • Not Specified
  • None
  • Low
  • Medium
  • High

type: keyword

example: Medium

extended

threat.enrichments.indicator.description

Describes the type of action conducted by the threat.

type: keyword

example: IP x.x.x.x was observed delivering the Angler EK.

extended

threat.enrichments.indicator.email.address

Identifies a threat indicator as an email address (irrespective of direction).

type: keyword

example: phish@example.com

extended

threat.enrichments.indicator.first_seen

The date and time when intelligence source first reported sighting this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

extended

threat.enrichments.indicator.ip

Identifies a threat indicator as an IP address (irrespective of direction).

type: ip

example: 1.2.3.4

extended

threat.enrichments.indicator.last_seen

The date and time when intelligence source last reported sighting this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

extended

threat.enrichments.indicator.marking.tlp

Traffic Light Protocol sharing markings.

Expected values for this field:

  • WHITE
  • CLEAR
  • GREEN
  • AMBER
  • AMBER+STRICT
  • RED

type: keyword

example: CLEAR

extended

threat.enrichments.indicator.marking.tlp_version

Traffic Light Protocol version.

type: keyword

example: 2.0

extended

threat.enrichments.indicator.modified_at

The date and time when intelligence source last modified information for this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

extended

threat.enrichments.indicator.name

The display name indicator in an UI friendly format

URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name.

type: keyword

example: 5.2.75.227

extended

threat.enrichments.indicator.port

Identifies a threat indicator as a port number (irrespective of direction).

type: long

example: 443

extended

threat.enrichments.indicator.provider

The name of the indicator’s provider.

type: keyword

example: lrz_urlhaus

extended

threat.enrichments.indicator.reference

Reference URL linking to additional information about this indicator.

type: keyword

example: https://system.example.com/indicator/0001234

extended

threat.enrichments.indicator.scanner_stats

Count of AV/EDR vendors that successfully detected malicious file or URL.

type: long

example: 4

extended

threat.enrichments.indicator.sightings

Number of times this indicator was observed conducting threat activity.

type: long

example: 20

extended

threat.enrichments.indicator.type

Type of indicator as represented by Cyber Observable in STIX 2.0.

Expected values for this field:

  • autonomous-system
  • artifact
  • directory
  • domain-name
  • email-addr
  • file
  • ipv4-addr
  • ipv6-addr
  • mac-addr
  • mutex
  • port
  • process
  • software
  • url
  • user-account
  • windows-registry-key
  • x509-certificate

type: keyword

example: ipv4-addr

extended

threat.enrichments.matched.atomic

Identifies the atomic indicator value that matched a local environment endpoint or network event.

type: keyword

example: bad-domain.com

extended

threat.enrichments.matched.field

Identifies the field of the atomic indicator that matched a local environment endpoint or network event.

type: keyword

example: file.hash.sha256

extended

threat.enrichments.matched.id

Identifies the _id of the indicator document enriching the event.

type: keyword

example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5

extended

threat.enrichments.matched.index

Identifies the _index of the indicator document enriching the event.

type: keyword

example: filebeat-8.0.0-2021.05.23-000011

extended

threat.enrichments.matched.occurred

Indicates when the indicator match was generated

type: date

example: 2021-10-05T17:00:58.326Z

extended

threat.enrichments.matched.type

Identifies the type of match that caused the event to be enriched with the given indicator

type: keyword

example: indicator_match_rule

extended

threat.feed.dashboard_id

The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana.

type: keyword

example: 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f

extended

threat.feed.description

Description of the threat feed in a UI friendly format.

type: keyword

example: Threat feed from the AlienVault Open Threat eXchange network.

extended

threat.feed.name

The name of the threat feed in UI friendly format.

type: keyword

example: AlienVault OTX

extended

threat.feed.reference

Reference information for the threat feed in a UI friendly format.

type: keyword

example: https://otx.alienvault.com

extended

threat.framework

Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events.

type: keyword

example: MITRE ATT&CK

extended

threat.group.alias

The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community.

While not required, you can use a MITRE ATT&CK® group alias(es).

type: keyword

Note: this field should contain an array of values.

example: [ "Magecart Group 6" ]

extended

threat.group.id

The id of the group for a set of related intrusion activity that are tracked by a common name in the security community.

While not required, you can use a MITRE ATT&CK® group id.

type: keyword

example: G0037

extended

threat.group.name

The name of the group for a set of related intrusion activity that are tracked by a common name in the security community.

While not required, you can use a MITRE ATT&CK® group name.

type: keyword

example: FIN6

extended

threat.group.reference

The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community.

While not required, you can use a MITRE ATT&CK® group reference URL.

type: keyword

example: https://attack.mitre.org/groups/G0037/

extended

threat.indicator.confidence

Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.

Expected values for this field:

  • Not Specified
  • None
  • Low
  • Medium
  • High

type: keyword

example: Medium

extended

threat.indicator.description

Describes the type of action conducted by the threat.

type: keyword

example: IP x.x.x.x was observed delivering the Angler EK.

extended

threat.indicator.email.address

Identifies a threat indicator as an email address (irrespective of direction).

type: keyword

example: phish@example.com

extended

threat.indicator.first_seen

The date and time when intelligence source first reported sighting this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

extended

threat.indicator.ip

Identifies a threat indicator as an IP address (irrespective of direction).

type: ip

example: 1.2.3.4

extended

threat.indicator.last_seen

The date and time when intelligence source last reported sighting this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

extended

threat.indicator.marking.tlp

Traffic Light Protocol sharing markings.

Expected values for this field:

  • WHITE
  • CLEAR
  • GREEN
  • AMBER
  • AMBER+STRICT
  • RED

type: keyword

example: CLEAR

extended

threat.indicator.marking.tlp_version

Traffic Light Protocol version.

type: keyword

example: 2.0

extended

threat.indicator.modified_at

The date and time when intelligence source last modified information for this indicator.

type: date

example: 2020-11-05T17:25:47.000Z

extended

threat.indicator.name

The display name indicator in an UI friendly format

URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name.

type: keyword

example: 5.2.75.227

extended

threat.indicator.port

Identifies a threat indicator as a port number (irrespective of direction).

type: long

example: 443

extended

threat.indicator.provider

The name of the indicator’s provider.

type: keyword

example: lrz_urlhaus

extended

threat.indicator.reference

Reference URL linking to additional information about this indicator.

type: keyword

example: https://system.example.com/indicator/0001234

extended

threat.indicator.scanner_stats

Count of AV/EDR vendors that successfully detected malicious file or URL.

type: long

example: 4

extended

threat.indicator.sightings

Number of times this indicator was observed conducting threat activity.

type: long

example: 20

extended

threat.indicator.type

Type of indicator as represented by Cyber Observable in STIX 2.0.

Expected values for this field:

  • autonomous-system
  • artifact
  • directory
  • domain-name
  • email-addr
  • file
  • ipv4-addr
  • ipv6-addr
  • mac-addr
  • mutex
  • port
  • process
  • software
  • url
  • user-account
  • windows-registry-key
  • x509-certificate

type: keyword

example: ipv4-addr

extended

threat.software.alias

The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community.

While not required, you can use a MITRE ATT&CK® associated software description.

type: keyword

Note: this field should contain an array of values.

example: [ "X-Agent" ]

extended

threat.software.id

The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.

While not required, you can use a MITRE ATT&CK® software id.

type: keyword

example: S0552

extended

threat.software.name

The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.

While not required, you can use a MITRE ATT&CK® software name.

type: keyword

example: AdFind

extended

threat.software.platforms

The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.

While not required, you can use MITRE ATT&CK® software platform values.

Expected values for this field:

  • AWS
  • Azure
  • Azure AD
  • GCP
  • Linux
  • macOS
  • Network
  • Office 365
  • SaaS
  • Windows

type: keyword

Note: this field should contain an array of values.

example: [ "Windows" ]

extended

threat.software.reference

The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.

While not required, you can use a MITRE ATT&CK® software reference URL.

type: keyword

example: https://attack.mitre.org/software/S0552/

extended

threat.software.type

The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®.

While not required, you can use a MITRE ATT&CK® software type.

Expected values for this field:

  • Malware
  • Tool

type: keyword

example: Tool

extended

threat.tactic.id

The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

Note: this field should contain an array of values.

example: TA0002

extended

threat.tactic.name

Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)

type: keyword

Note: this field should contain an array of values.

example: Execution

extended

threat.tactic.reference

The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )

type: keyword

Note: this field should contain an array of values.

example: https://attack.mitre.org/tactics/TA0002/

extended

threat.technique.id

The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Note: this field should contain an array of values.

example: T1059

extended

threat.technique.name

The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Multi-fields:

  • threat.technique.name.text (type: match_only_text)

Note: this field should contain an array of values.

example: Command and Scripting Interpreter

extended

threat.technique.reference

The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)

type: keyword

Note: this field should contain an array of values.

example: https://attack.mitre.org/techniques/T1059/

extended

threat.technique.subtechnique.id

The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

Note: this field should contain an array of values.

example: T1059.001

extended

threat.technique.subtechnique.name

The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

Multi-fields:

  • threat.technique.subtechnique.name.text (type: match_only_text)

Note: this field should contain an array of values.

example: PowerShell

extended

threat.technique.subtechnique.reference

The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)

type: keyword

Note: this field should contain an array of values.

example: https://attack.mitre.org/techniques/T1059/001/

extended

Field Reuseedit

Field sets that can be nested under Threatedit
Location Field Set Description

threat.enrichments.indicator.as.*

as

Fields describing an Autonomous System (Internet routing prefix).

threat.enrichments.indicator.file.*

file

Fields describing files.

threat.enrichments.indicator.geo.*

geo

Fields describing a location.

threat.enrichments.indicator.registry.*

registry

Fields related to Windows Registry operations.

threat.enrichments.indicator.url.*

url

Fields that let you store URLs in various forms.

threat.enrichments.indicator.x509.*

x509

These fields contain x509 certificate metadata.

threat.indicator.as.*

as

Fields describing an Autonomous System (Internet routing prefix).

threat.indicator.file.*

file

Fields describing files.

threat.indicator.geo.*

geo

Fields describing a location.

threat.indicator.registry.*

registry

Fields related to Windows Registry operations.

threat.indicator.url.*

url

Fields that let you store URLs in various forms.

threat.indicator.x509.*

x509

These fields contain x509 certificate metadata.

Threat Field Usageedit

For usage and examples of the threat fields, please see the Threat Fields Usage and Examples section.