[Docs] Add url.domain to the Threat usage docs (#2124)

* updated usage docs for url.domain and TLP CLEAR * added missing quote around url for threat docs * changed last TLP WHITE to TLP CLEAR in usage docs for threat * updated PR number in changelog.next
elastic · Dec 21, 2022 · 4b3fe9a · 4b3fe9a
1 parent 9fe1894
commit 4b3fe9a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -19,6 +19,7 @@ Thanks, you're awesome :-) -->
 #### Added
 
 #### Improvements
+* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124
 
 #### Deprecated
 

diff --git a/docs/fields/usage/threat.asciidoc b/docs/fields/usage/threat.asciidoc
@@ -43,11 +43,13 @@ indicators from a known malware site.
             "reference": "https://urlhaus.abuse.ch/url/abcdefg/",
             "confidence": "High",
             "ip": 1.2.3.4,
-            "domain": "malicious.evil",
             "port": 443,
             "email.address": "[email protected]",
-            "marking: {
-                "tlp": "WHITE"
+            "marking": {
+                "tlp": "CLEAR"
+            },
+            "url": {
+                "domain": "malicious.evil",
             },
             "scanner_stats": 4
         }
@@ -102,7 +104,7 @@ The following example maps a file-based indicator.
                 "name": "invoice.doc"
                 },
             "marking": {
-                "tlp": "WHITE"
+                "tlp": "CLEAR"
             },
             "scanner_stats": 4
         }
@@ -148,7 +150,7 @@ Event enrichment searches for known threats using an event's values and, if foun
       {
         "indicator": {
           "marking": {
-            "tlp": "WHITE"
+            "tlp": "CLEAR"
           },
           "first_seen": "2020-11-17T19:07:46.0956672Z",
           "file": {