Introduce threat.indicator.name field (#2121)
This PR addresses issue #1998

Co-authored-by: Kylie (Geller) Meli <[email protected]>
lgmys and kgeller authored Jan 5, 2023
1 parent 4b3fe9a commit 753a893
Showing 15 changed files with 350 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ Thanks, you're awesome :-) -->

#### Added

* adding `name` field to `threat.indicator` #2121

#### Improvements
* Updated usage docs to include `threat.indicator.url.domain` and changed `indicator.marking.tlp` and `indicator.enrichments.marking.tlp` from "WHITE" to "CLEAR" to align with TLP 2.0. #2124

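Review bot: the entry `adding \`name\` field to \`threat.indicator\`` breaks the changelog's convention of a capitalised past-tense verb (compare `Updated usage docs ...` just below it) and names only one of the two fields this diff adds, since every generated file also gains `threat.enrichments.indicator.name`. Suggest `Added \`name\` to \`threat.indicator\` and \`threat.enrichments.indicator\`. #2121`.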
60 changes: 60 additions & 0 deletions docs/fields/field-details.asciidoc
Expand Up @@ -10401,6 +10401,36 @@ example: `2020-11-05T17:25:47.000Z`

// ===============================================================

|
[[field-threat-enrichments-indicator-name]]
<<field-threat-enrichments-indicator-name, threat.enrichments.indicator.name>>

a| The display name indicator in an UI friendly format

Expected values for this field:

* `5.2.75.227`
* `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`
* `https://example.com/some/path`
* `example.com`
* `373d34874d7bc89fd4cefa6272ee80bf`
* `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7`
* `[email protected]`
* `HKLM\\SOFTWARE\\Microsoft\\Active`
* `13335`
* `00:00:5e:00:53:af`
* `8008`

type: keyword



example: `5.2.75.227`

| extended

// ===============================================================

|
[[field-threat-enrichments-indicator-port]]
<<field-threat-enrichments-indicator-port, threat.enrichments.indicator.port>>
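Review bot: the description `The display name indicator in an UI friendly format` is ungrammatical and does not match the `short` text `Indicator display name` that the CSV and YAML hunks in this diff use for the same field; suggest `The display name of the indicator in a UI-friendly format`. This asciidoc is generated output, so the wording should be corrected in the source schema the generator reads (not among the hunks shown here) and the generated files regenerated rather than edited by hand.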
Expand Down Expand Up @@ -10913,6 +10943,36 @@ example: `2020-11-05T17:25:47.000Z`

// ===============================================================

|
[[field-threat-indicator-name]]
<<field-threat-indicator-name, threat.indicator.name>>

a| The display name indicator in an UI friendly format

Expected values for this field:

* `5.2.75.227`
* `2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6`
* `https://example.com/some/path`
* `example.com`
* `373d34874d7bc89fd4cefa6272ee80bf`
* `b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7`
* `[email protected]`
* `HKLM\\SOFTWARE\\Microsoft\\Active`
* `13335`
* `00:00:5e:00:53:af`
* `8008`

type: keyword



example: `5.2.75.227`

| extended

// ===============================================================

|
[[field-threat-indicator-port]]
<<field-threat-indicator-port, threat.indicator.port>>
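Review bot: the registry-key expected value `HKLM\\SOFTWARE\\Microsoft\\Active` reaches the rendered docs with doubled backslashes; the same value appears as a plain YAML scalar in the ecs_flat and ecs_nested hunks, and plain scalars are not unescaped, so readers will see `\\` where a real key has `\`. Check whether the source schema intends a single backslash, and whether `Active` is the complete key name or a path that was cut short.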
14 changes: 14 additions & 0 deletions experimental/generated/beats/fields.ecs.yml
Expand Up @@ -10862,6 +10862,13 @@
for this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: enrichments.indicator.name
level: extended
type: keyword
ignore_above: 1024
description: The display name indicator in an UI friendly format
example: 5.2.75.227
default_field: false
- name: enrichments.indicator.port
level: extended
type: long
Expand Down Expand Up @@ -12452,6 +12459,13 @@
for this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: indicator.name
level: extended
type: keyword
ignore_above: 1024
description: The display name indicator in an UI friendly format
example: 5.2.75.227
default_field: false
- name: indicator.port
level: extended
type: long
2 changes: 2 additions & 0 deletions experimental/generated/csv/fields.csv
Expand Up @@ -1271,6 +1271,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.7.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
8.7.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version
8.7.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
8.7.0-dev+exp,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name
8.7.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
8.7.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
8.7.0-dev+exp,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
Expand Down Expand Up @@ -1486,6 +1487,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.7.0-dev+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
8.7.0-dev+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
8.7.0-dev+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
8.7.0-dev+exp,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name
8.7.0-dev+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port
8.7.0-dev+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
8.7.0-dev+exp,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
46 changes: 46 additions & 0 deletions experimental/generated/ecs/ecs_flat.yml
Expand Up @@ -16020,6 +16020,29 @@ threat.enrichments.indicator.modified_at:
normalize: []
short: Date/time indicator was last updated.
type: date
threat.enrichments.indicator.name:
dashed_name: threat-enrichments-indicator-name
description: The display name indicator in an UI friendly format
example: 5.2.75.227
expected_values:
- 5.2.75.227
- 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
- https://example.com/some/path
- example.com
- 373d34874d7bc89fd4cefa6272ee80bf
- b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7
- [email protected]
- HKLM\\SOFTWARE\\Microsoft\\Active
- 13335
- 00:00:5e:00:53:af
- 8008
flat_name: threat.enrichments.indicator.name
ignore_above: 1024
level: extended
name: enrichments.indicator.name
normalize: []
short: Indicator display name
type: keyword
threat.enrichments.indicator.port:
dashed_name: threat-enrichments-indicator-port
description: Identifies a threat indicator as a port number (irrespective of direction).
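Review bot: `expected_values` renders in the field docs as "Expected values for this field", which reads as a closed set, but the list under `threat.enrichments.indicator.name` (an IPv4, an IPv6, a URL, a domain, an MD5, a SHA-256, an e-mail address, a registry key, an AS number, a MAC and a port number) is clearly illustrative of a free-form `keyword` that cannot be constrained to these values. Consider dropping `expected_values` and stating in the description that the field carries the indicator's value in whatever form is most readable, or add a sentence making clear the list is illustrative, so consumers do not treat it as validation.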
Expand Down Expand Up @@ -18705,6 +18728,29 @@ threat.indicator.modified_at:
normalize: []
short: Date/time indicator was last updated.
type: date
threat.indicator.name:
dashed_name: threat-indicator-name
description: The display name indicator in an UI friendly format
example: 5.2.75.227
expected_values:
- 5.2.75.227
- 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
- https://example.com/some/path
- example.com
- 373d34874d7bc89fd4cefa6272ee80bf
- b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7
- [email protected]
- HKLM\\SOFTWARE\\Microsoft\\Active
- 13335
- 00:00:5e:00:53:af
- 8008
flat_name: threat.indicator.name
ignore_above: 1024
level: extended
name: indicator.name
normalize: []
short: Indicator display name
type: keyword
threat.indicator.port:
dashed_name: threat-indicator-port
description: Identifies a threat indicator as a port number (irrespective of direction).
46 changes: 46 additions & 0 deletions experimental/generated/ecs/ecs_nested.yml
Expand Up @@ -18689,6 +18689,29 @@ threat:
normalize: []
short: Date/time indicator was last updated.
type: date
threat.enrichments.indicator.name:
dashed_name: threat-enrichments-indicator-name
description: The display name indicator in an UI friendly format
example: 5.2.75.227
expected_values:
- 5.2.75.227
- 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
- https://example.com/some/path
- example.com
- 373d34874d7bc89fd4cefa6272ee80bf
- b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7
- [email protected]
- HKLM\\SOFTWARE\\Microsoft\\Active
- 13335
- 00:00:5e:00:53:af
- 8008
flat_name: threat.enrichments.indicator.name
ignore_above: 1024
level: extended
name: enrichments.indicator.name
normalize: []
short: Indicator display name
type: keyword
threat.enrichments.indicator.port:
dashed_name: threat-enrichments-indicator-port
description: Identifies a threat indicator as a port number (irrespective of
Expand Down Expand Up @@ -21380,6 +21403,29 @@ threat:
normalize: []
short: Date/time indicator was last updated.
type: date
threat.indicator.name:
dashed_name: threat-indicator-name
description: The display name indicator in an UI friendly format
example: 5.2.75.227
expected_values:
- 5.2.75.227
- 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
- https://example.com/some/path
- example.com
- 373d34874d7bc89fd4cefa6272ee80bf
- b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7
- [email protected]
- HKLM\\SOFTWARE\\Microsoft\\Active
- 13335
- 00:00:5e:00:53:af
- 8008
flat_name: threat.indicator.name
ignore_above: 1024
level: extended
name: indicator.name
normalize: []
short: Indicator display name
type: keyword
threat.indicator.port:
dashed_name: threat-indicator-port
description: Identifies a threat indicator as a port number (irrespective of
Original file line number Diff line number Diff line change
Expand Up @@ -622,6 +622,10 @@
"modified_at": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
Expand Down Expand Up @@ -1535,6 +1539,10 @@
"modified_at": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
8 changes: 8 additions & 0 deletions experimental/generated/elasticsearch/legacy/template.json
Expand Up @@ -5759,6 +5759,10 @@
"modified_at": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
Expand Down Expand Up @@ -6672,6 +6676,10 @@
"modified_at": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
14 changes: 14 additions & 0 deletions generated/beats/fields.ecs.yml
Expand Up @@ -10812,6 +10812,13 @@
for this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: enrichments.indicator.name
level: extended
type: keyword
ignore_above: 1024
description: The display name indicator in an UI friendly format
example: 5.2.75.227
default_field: false
- name: enrichments.indicator.port
level: extended
type: long
Expand Down Expand Up @@ -12402,6 +12409,13 @@
for this indicator.
example: '2020-11-05T17:25:47.000Z'
default_field: false
- name: indicator.name
level: extended
type: keyword
ignore_above: 1024
description: The display name indicator in an UI friendly format
example: 5.2.75.227
default_field: false
- name: indicator.port
level: extended
type: long
2 changes: 2 additions & 0 deletions generated/csv/fields.csv
Expand Up @@ -1264,6 +1264,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.7.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
8.7.0-dev,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version
8.7.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
8.7.0-dev,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name
8.7.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
8.7.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
8.7.0-dev,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
Expand Down Expand Up @@ -1479,6 +1480,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
8.7.0-dev,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
8.7.0-dev,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
8.7.0-dev,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
8.7.0-dev,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name
8.7.0-dev,true,threat,threat.indicator.port,long,extended,,443,Indicator port
8.7.0-dev,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
8.7.0-dev,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL
46 changes: 46 additions & 0 deletions generated/ecs/ecs_flat.yml
Expand Up @@ -15951,6 +15951,29 @@ threat.enrichments.indicator.modified_at:
normalize: []
short: Date/time indicator was last updated.
type: date
threat.enrichments.indicator.name:
dashed_name: threat-enrichments-indicator-name
description: The display name indicator in an UI friendly format
example: 5.2.75.227
expected_values:
- 5.2.75.227
- 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
- https://example.com/some/path
- example.com
- 373d34874d7bc89fd4cefa6272ee80bf
- b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7
- [email protected]
- HKLM\\SOFTWARE\\Microsoft\\Active
- 13335
- 00:00:5e:00:53:af
- 8008
flat_name: threat.enrichments.indicator.name
ignore_above: 1024
level: extended
name: enrichments.indicator.name
normalize: []
short: Indicator display name
type: keyword
threat.enrichments.indicator.port:
dashed_name: threat-enrichments-indicator-port
description: Identifies a threat indicator as a port number (irrespective of direction).
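Review bot: the `example` and the first two `expected_values` are a routable IPv4 address (`5.2.75.227`) and a global IPv6 address, while the rest of the list already uses reserved documentation values (`example.com`, the RFC 7042 MAC `00:00:5e:00:53:af`). Since this file is the published schema, consider RFC 5737 / RFC 3849 documentation addresses (e.g. `192.0.2.1`, `2001:db8::1`) so the docs do not point readers at a real host.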
Expand Down Expand Up @@ -18636,6 +18659,29 @@ threat.indicator.modified_at:
normalize: []
short: Date/time indicator was last updated.
type: date
threat.indicator.name:
dashed_name: threat-indicator-name
description: The display name indicator in an UI friendly format
example: 5.2.75.227
expected_values:
- 5.2.75.227
- 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6
- https://example.com/some/path
- example.com
- 373d34874d7bc89fd4cefa6272ee80bf
- b0e914d1bbe19433cc9df64ea1ca07fe77f7b150b511b786e46e007941a62bd7
- [email protected]
- HKLM\\SOFTWARE\\Microsoft\\Active
- 13335
- 00:00:5e:00:53:af
- 8008
flat_name: threat.indicator.name
ignore_above: 1024
level: extended
name: indicator.name
normalize: []
short: Indicator display name
type: keyword
threat.indicator.port:
dashed_name: threat-indicator-port
description: Identifies a threat indicator as a port number (irrespective of direction).