elastic · kgeller · Feb 2, 2023 · Feb 2, 2023 · Feb 2, 2023 · Feb 2, 2023
@@ -32,6 +32,14 @@ Thanks, you're awesome :-) -->
 
 #### Deprecated
 
+## 8.6.1
+
+### Schema Changes
+
+#### Bugfixes
+
+* Fixing `tlp_version` and `tlp` field for threat. #2156
+
 <!-- All empty sections:
 
 ## Unreleased

@@ -9653,9 +9653,34 @@ example: `2020-11-05T17:25:47.000Z`
 
 // ===============================================================
 
+|
+[[field-threat-enrichments-indicator-marking-tlp]]
+<<field-threat-enrichments-indicator-marking-tlp, threat.enrichments.indicator.marking.tlp>>
+
+a| Traffic Light Protocol sharing markings.
+
+Expected values for this field:
+
+* `WHITE`
+* `CLEAR`
+* `GREEN`
+* `AMBER`
+* `AMBER+STRICT`
+* `RED`
+
+type: keyword
+
+
+
+example: `CLEAR`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-threat-enrichments-indicator-marking-tlp-version]]
-<<field-threat-enrichments-indicator-marking-tlp-version, threat.enrichments.indicator.marking.tlp.version>>
+<<field-threat-enrichments-indicator-marking-tlp-version, threat.enrichments.indicator.marking.tlp_version>>
 
 a| Traffic Light Protocol version.
 
@@ -10181,6 +10206,22 @@ example: `CLEAR`
 
 // ===============================================================
 
+|
+[[field-threat-indicator-marking-tlp-version]]
+<<field-threat-indicator-marking-tlp-version, threat.indicator.marking.tlp_version>>
+
+a| Traffic Light Protocol version.
+
+type: keyword
+
+
+
+example: `2.0`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-threat-indicator-modified-at]]
 <<field-threat-indicator-modified-at, threat.indicator.modified_at>>
@@ -10628,22 +10669,6 @@ example: `https://attack.mitre.org/techniques/T1059/001/`
 
 // ===============================================================
 
-|
-[[field-threat-threat-indicator-marking-tlp-version]]
-<<field-threat-threat-indicator-marking-tlp-version, threat.threat.indicator.marking.tlp.version>>
-
-a| Traffic Light Protocol version.
-
-type: keyword
-
-
-
-example: `2.0`
-
-| extended
-
-// ===============================================================
-
 |=====
 
 [discrete]

@@ -9422,7 +9422,14 @@
         this indicator.
       example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: enrichments.indicator.marking.tlp.version
+    - name: enrichments.indicator.marking.tlp
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Traffic Light Protocol sharing markings.
+      example: CLEAR
+      default_field: false
+    - name: enrichments.indicator.marking.tlp_version
       level: extended
       type: keyword
       ignore_above: 1024
@@ -10848,6 +10855,13 @@
       description: Traffic Light Protocol sharing markings.
       example: CLEAR
       default_field: false
+    - name: indicator.marking.tlp_version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Traffic Light Protocol version.
+      example: 2.0
+      default_field: false
     - name: indicator.modified_at
       level: extended
       type: date
@@ -11403,13 +11417,6 @@
         \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
       example: https://attack.mitre.org/techniques/T1059/001/
       default_field: false
-    - name: threat.indicator.marking.tlp.version
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Traffic Light Protocol version.
-      example: 2.0
-      default_field: false
   - name: tls
     title: TLS
     group: 2

@@ -1110,7 +1110,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.6.0+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 8.6.0+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 8.6.0+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
-8.6.0+exp,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version
+8.6.0+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
+8.6.0+exp,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version
 8.6.0+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
 8.6.0+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
 8.6.0+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
@@ -1302,6 +1303,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.6.0+exp,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 8.6.0+exp,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
 8.6.0+exp,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking
+8.6.0+exp,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version
 8.6.0+exp,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
 8.6.0+exp,true,threat,threat.indicator.port,long,extended,,443,Indicator port
 8.6.0+exp,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
@@ -1373,7 +1375,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.6.0+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
 8.6.0+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name.
 8.6.0+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
-8.6.0+exp,true,threat,threat.threat.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version
 8.6.0+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
 8.6.0+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
 8.6.0+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.

@@ -14042,14 +14042,32 @@ threat.enrichments.indicator.last_seen:
   normalize: []
   short: Date/time indicator was last reported.
   type: date
-threat.enrichments.indicator.marking.tlp.version:
+threat.enrichments.indicator.marking.tlp:
+  dashed_name: threat-enrichments-indicator-marking-tlp
+  description: Traffic Light Protocol sharing markings.
+  example: CLEAR
+  expected_values:
+  - WHITE
+  - CLEAR
+  - GREEN
+  - AMBER
+  - AMBER+STRICT
+  - RED
+  flat_name: threat.enrichments.indicator.marking.tlp
+  ignore_above: 1024
+  level: extended
+  name: enrichments.indicator.marking.tlp
+  normalize: []
+  short: Indicator TLP marking
+  type: keyword
+threat.enrichments.indicator.marking.tlp_version:
   dashed_name: threat-enrichments-indicator-marking-tlp-version
   description: Traffic Light Protocol version.
   example: 2.0
-  flat_name: threat.enrichments.indicator.marking.tlp.version
+  flat_name: threat.enrichments.indicator.marking.tlp_version
   ignore_above: 1024
   level: extended
-  name: enrichments.indicator.marking.tlp.version
+  name: enrichments.indicator.marking.tlp_version
   normalize: []
   short: Indicator TLP version
   type: keyword
@@ -16443,6 +16461,17 @@ threat.indicator.marking.tlp:
   normalize: []
   short: Indicator TLP marking
   type: keyword
+threat.indicator.marking.tlp_version:
+  dashed_name: threat-indicator-marking-tlp-version
+  description: Traffic Light Protocol version.
+  example: 2.0
+  flat_name: threat.indicator.marking.tlp_version
+  ignore_above: 1024
+  level: extended
+  name: indicator.marking.tlp_version
+  normalize: []
+  short: Indicator TLP version
+  type: keyword
 threat.indicator.modified_at:
   dashed_name: threat-indicator-modified-at
   description: The date and time when intelligence source last modified information
@@ -17375,17 +17404,6 @@ threat.technique.subtechnique.reference:
   - array
   short: Threat subtechnique URL reference.
   type: keyword
-threat.threat.indicator.marking.tlp.version:
-  dashed_name: threat-threat-indicator-marking-tlp-version
-  description: Traffic Light Protocol version.
-  example: 2.0
-  flat_name: threat.threat.indicator.marking.tlp.version
-  ignore_above: 1024
-  level: extended
-  name: threat.indicator.marking.tlp.version
-  normalize: []
-  short: Indicator TLP version
-  type: keyword
 tls.cipher:
   dashed_name: tls-cipher
   description: String indicating the cipher used during the current connection.

@@ -16212,14 +16212,32 @@ threat:
       normalize: []
       short: Date/time indicator was last reported.
       type: date
-    threat.enrichments.indicator.marking.tlp.version:
+    threat.enrichments.indicator.marking.tlp:
+      dashed_name: threat-enrichments-indicator-marking-tlp
+      description: Traffic Light Protocol sharing markings.
+      example: CLEAR
+      expected_values:
+      - WHITE
+      - CLEAR
+      - GREEN
+      - AMBER
+      - AMBER+STRICT
+      - RED
+      flat_name: threat.enrichments.indicator.marking.tlp
+      ignore_above: 1024
+      level: extended
+      name: enrichments.indicator.marking.tlp
+      normalize: []
+      short: Indicator TLP marking
+      type: keyword
+    threat.enrichments.indicator.marking.tlp_version:
       dashed_name: threat-enrichments-indicator-marking-tlp-version
       description: Traffic Light Protocol version.
       example: 2.0
-      flat_name: threat.enrichments.indicator.marking.tlp.version
+      flat_name: threat.enrichments.indicator.marking.tlp_version
       ignore_above: 1024
       level: extended
-      name: enrichments.indicator.marking.tlp.version
+      name: enrichments.indicator.marking.tlp_version
       normalize: []
       short: Indicator TLP version
       type: keyword
@@ -18617,6 +18635,17 @@ threat:
       normalize: []
       short: Indicator TLP marking
       type: keyword
+    threat.indicator.marking.tlp_version:
+      dashed_name: threat-indicator-marking-tlp-version
+      description: Traffic Light Protocol version.
+      example: 2.0
+      flat_name: threat.indicator.marking.tlp_version
+      ignore_above: 1024
+      level: extended
+      name: indicator.marking.tlp_version
+      normalize: []
+      short: Indicator TLP version
+      type: keyword
     threat.indicator.modified_at:
       dashed_name: threat-indicator-modified-at
       description: The date and time when intelligence source last modified information
@@ -19552,17 +19581,6 @@ threat:
       - array
       short: Threat subtechnique URL reference.
       type: keyword
-    threat.threat.indicator.marking.tlp.version:
-      dashed_name: threat-threat-indicator-marking-tlp-version
-      description: Traffic Light Protocol version.
-      example: 2.0
-      flat_name: threat.threat.indicator.marking.tlp.version
-      ignore_above: 1024
-      level: extended
-      name: threat.indicator.marking.tlp.version
-      normalize: []
-      short: Indicator TLP version
-      type: keyword
   group: 2
   name: threat
   nestings:

@@ -531,12 +531,12 @@
                     "marking": {
                       "properties": {
                         "tlp": {
-                          "properties": {
-                            "version": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          }
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "tlp_version": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
                         }
                       }
                     },
@@ -1371,6 +1371,10 @@
                     "tlp": {
                       "ignore_above": 1024,
                       "type": "keyword"
+                    },
+                    "tlp_version": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
                     }
                   }
                 },
@@ -1692,26 +1696,6 @@
                   }
                 }
               }
-            },
-            "threat": {
-              "properties": {
-                "indicator": {
-                  "properties": {
-                    "marking": {
-                      "properties": {
-                        "tlp": {
-                          "properties": {
-                            "version": {
-                              "ignore_above": 1024,
-                              "type": "keyword"
-                            }
-                          }
-                        }
-                      }
-                    }
-                  }
-                }
-              }
             }
           }
         }