elastic · kgeller · Jul 19, 2022 · May 23, 2022 · May 23, 2022 · May 23, 2022
@@ -18,6 +18,8 @@ Thanks, you're awesome :-) -->
 
 #### Improvements
 
+* Advances `threat.enrichments.indicator` to GA. #1928
+
 #### Deprecated
 
 ### Tooling and Artifact Changes

@@ -9089,9 +9089,7 @@ These fields are for users to classify alerts from all of their sources (e.g. ID
 [[field-threat-enrichments]]
 <<field-threat-enrichments, threat.enrichments>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-A list of associated indicators objects enriching the event, and the context of that association/enrichment.
+a| A list of associated indicators objects enriching the event, and the context of that association/enrichment.
 
 type: nested
 
@@ -9110,9 +9108,7 @@ Note: this field should contain an array of values.
 [[field-threat-enrichments-indicator]]
 <<field-threat-enrichments-indicator, threat.enrichments.indicator>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Object containing associated indicators enriching the event.
+a| Object containing associated indicators enriching the event.
 
 type: object
 
@@ -9128,9 +9124,7 @@ type: object
 [[field-threat-enrichments-indicator-confidence]]
 <<field-threat-enrichments-indicator-confidence, threat.enrichments.indicator.confidence>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
+a| Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
 
 Expected values for this field:
 
@@ -9154,9 +9148,7 @@ example: `Medium`
 [[field-threat-enrichments-indicator-description]]
 <<field-threat-enrichments-indicator-description, threat.enrichments.indicator.description>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Describes the type of action conducted by the threat.
+a| Describes the type of action conducted by the threat.
 
 type: keyword
 
@@ -9172,9 +9164,7 @@ example: `IP x.x.x.x was observed delivering the Angler EK.`
 [[field-threat-enrichments-indicator-email-address]]
 <<field-threat-enrichments-indicator-email-address, threat.enrichments.indicator.email.address>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies a threat indicator as an email address (irrespective of direction).
+a| Identifies a threat indicator as an email address (irrespective of direction).
 
 type: keyword
 
@@ -9190,9 +9180,7 @@ example: `[email protected]`
 [[field-threat-enrichments-indicator-first-seen]]
 <<field-threat-enrichments-indicator-first-seen, threat.enrichments.indicator.first_seen>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-The date and time when intelligence source first reported sighting this indicator.
+a| The date and time when intelligence source first reported sighting this indicator.
 
 type: date
 
@@ -9208,9 +9196,7 @@ example: `2020-11-05T17:25:47.000Z`
 [[field-threat-enrichments-indicator-ip]]
 <<field-threat-enrichments-indicator-ip, threat.enrichments.indicator.ip>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies a threat indicator as an IP address (irrespective of direction).
+a| Identifies a threat indicator as an IP address (irrespective of direction).
 
 type: ip
 
@@ -9226,9 +9212,7 @@ example: `1.2.3.4`
 [[field-threat-enrichments-indicator-last-seen]]
 <<field-threat-enrichments-indicator-last-seen, threat.enrichments.indicator.last_seen>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-The date and time when intelligence source last reported sighting this indicator.
+a| The date and time when intelligence source last reported sighting this indicator.
 
 type: date
 
@@ -9244,9 +9228,7 @@ example: `2020-11-05T17:25:47.000Z`
 [[field-threat-enrichments-indicator-marking-tlp]]
 <<field-threat-enrichments-indicator-marking-tlp, threat.enrichments.indicator.marking.tlp>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Traffic Light Protocol sharing markings.
+a| Traffic Light Protocol sharing markings.
 
 Expected values for this field:
 
@@ -9269,9 +9251,7 @@ example: `WHITE`
 [[field-threat-enrichments-indicator-modified-at]]
 <<field-threat-enrichments-indicator-modified-at, threat.enrichments.indicator.modified_at>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-The date and time when intelligence source last modified information for this indicator.
+a| The date and time when intelligence source last modified information for this indicator.
 
 type: date
 
@@ -9287,9 +9267,7 @@ example: `2020-11-05T17:25:47.000Z`
 [[field-threat-enrichments-indicator-port]]
 <<field-threat-enrichments-indicator-port, threat.enrichments.indicator.port>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies a threat indicator as a port number (irrespective of direction).
+a| Identifies a threat indicator as a port number (irrespective of direction).
 
 type: long
 
@@ -9305,9 +9283,7 @@ example: `443`
 [[field-threat-enrichments-indicator-provider]]
 <<field-threat-enrichments-indicator-provider, threat.enrichments.indicator.provider>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-The name of the indicator's provider.
+a| The name of the indicator's provider.
 
 type: keyword
 
@@ -9323,9 +9299,7 @@ example: `lrz_urlhaus`
 [[field-threat-enrichments-indicator-reference]]
 <<field-threat-enrichments-indicator-reference, threat.enrichments.indicator.reference>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Reference URL linking to additional information about this indicator.
+a| Reference URL linking to additional information about this indicator.
 
 type: keyword
 
@@ -9341,9 +9315,7 @@ example: `https://system.example.com/indicator/0001234`
 [[field-threat-enrichments-indicator-scanner-stats]]
 <<field-threat-enrichments-indicator-scanner-stats, threat.enrichments.indicator.scanner_stats>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Count of AV/EDR vendors that successfully detected malicious file or URL.
+a| Count of AV/EDR vendors that successfully detected malicious file or URL.
 
 type: long
 
@@ -9359,9 +9331,7 @@ example: `4`
 [[field-threat-enrichments-indicator-sightings]]
 <<field-threat-enrichments-indicator-sightings, threat.enrichments.indicator.sightings>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Number of times this indicator was observed conducting threat activity.
+a| Number of times this indicator was observed conducting threat activity.
 
 type: long
 
@@ -9377,9 +9347,7 @@ example: `20`
 [[field-threat-enrichments-indicator-type]]
 <<field-threat-enrichments-indicator-type, threat.enrichments.indicator.type>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Type of indicator as represented by Cyber Observable in STIX 2.0.
+a| Type of indicator as represented by Cyber Observable in STIX 2.0.
 
 Expected values for this field:
 
@@ -9415,9 +9383,7 @@ example: `ipv4-addr`
 [[field-threat-enrichments-matched-atomic]]
 <<field-threat-enrichments-matched-atomic, threat.enrichments.matched.atomic>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies the atomic indicator value that matched a local environment endpoint or network event.
+a| Identifies the atomic indicator value that matched a local environment endpoint or network event.
 
 type: keyword
 
@@ -9433,9 +9399,7 @@ example: `bad-domain.com`
 [[field-threat-enrichments-matched-field]]
 <<field-threat-enrichments-matched-field, threat.enrichments.matched.field>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+a| Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
 
 type: keyword
 
@@ -9451,9 +9415,7 @@ example: `file.hash.sha256`
 [[field-threat-enrichments-matched-id]]
 <<field-threat-enrichments-matched-id, threat.enrichments.matched.id>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies the _id of the indicator document enriching the event.
+a| Identifies the _id of the indicator document enriching the event.
 
 type: keyword
 
@@ -9469,9 +9431,7 @@ example: `ff93aee5-86a1-4a61-b0e6-0cdc313d01b5`
 [[field-threat-enrichments-matched-index]]
 <<field-threat-enrichments-matched-index, threat.enrichments.matched.index>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies the _index of the indicator document enriching the event.
+a| Identifies the _index of the indicator document enriching the event.
 
 type: keyword
 
@@ -9503,9 +9463,7 @@ example: `2021-10-05T17:00:58.326Z`
 [[field-threat-enrichments-matched-type]]
 <<field-threat-enrichments-matched-type, threat.enrichments.matched.type>>
 
-a| beta:[ This field is beta and subject to change. ]
-
-Identifies the type of match that caused the event to be enriched with the given indicator
+a| Identifies the type of match that caused the event to be enriched with the given indicator
 
 type: keyword
 
@@ -10263,49 +10221,43 @@ example: `https://attack.mitre.org/techniques/T1059/001/`
 
 
 | `threat.enrichments.indicator.as.*`
-| <<ecs-as,as>>| beta:[ Reusing the `as` fields in this location is currently considered beta.]
-
-Fields describing an Autonomous System (Internet routing prefix).
+| <<ecs-as,as>>
+| Fields describing an Autonomous System (Internet routing prefix).
 
 // ===============================================================
 
 
 | `threat.enrichments.indicator.file.*`
-| <<ecs-file,file>>| beta:[ Reusing the `file` fields in this location is currently considered beta.]
-
-Fields describing files.
+| <<ecs-file,file>>
+| Fields describing files.
 
 // ===============================================================
 
 
 | `threat.enrichments.indicator.geo.*`
-| <<ecs-geo,geo>>| beta:[ Reusing the `geo` fields in this location is currently considered beta.]
-
-Fields describing a location.
+| <<ecs-geo,geo>>
+| Fields describing a location.
 
 // ===============================================================
 
 
 | `threat.enrichments.indicator.registry.*`
-| <<ecs-registry,registry>>| beta:[ Reusing the `registry` fields in this location is currently considered beta.]
-
-Fields related to Windows Registry operations.
+| <<ecs-registry,registry>>
+| Fields related to Windows Registry operations.
 
 // ===============================================================
 
 
 | `threat.enrichments.indicator.url.*`
-| <<ecs-url,url>>| beta:[ Reusing the `url` fields in this location is currently considered beta.]
-
-Fields that let you store URLs in various forms.
+| <<ecs-url,url>>
+| Fields that let you store URLs in various forms.
 
 // ===============================================================
 
 
 | `threat.enrichments.indicator.x509.*`
-| <<ecs-x509,x509>>| beta:[ Reusing the `x509` fields in this location is currently considered beta.]
-
-These fields contain x509 certificate metadata.
+| <<ecs-x509,x509>>
+| These fields contain x509 certificate metadata.
 
 // ===============================================================