elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0

[RFC] added new field: threat.indicator.id - resolves GH-2252 #2307

Closed brett-fitz closed 3 months ago

brett-fitz commented 6 months ago

Added threat.indicator.id field. Resolves #2252.

The new field threat.indicator.id will allow for security systems to append a threat.indicator.id. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats.

A common serialization format you may expect to see here is a STIX 2.x indicator id. Here is an example of one being produced.

```json
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8a8c60c4-00a8-43dd-ad76-8004ee718c39",
    "created": "2023-12-21T17:55:29.187214Z",
    "modified": "2023-12-21T17:55:29.187214Z",
    "name": "Malicious activity",
    "description": "Indicator for a known malicious IP address",
    "pattern": "[ipv4-addr:value = '192.168.1.1']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2023-01-01T12:00:00Z"
}
```

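
Added example (not code from the PR or the ECS project): a small Python mapping of a STIX 2.1 indicator like the one above onto the proposed multi-valued `threat.indicator.id` field, alongside the existing `threat.indicator.ip`, `threat.indicator.type` and `threat.indicator.description` fields. The STIX object, the event document and the second id format are constructed for the example; only the simplest single-comparison `ipv4-addr` pattern is parsed.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed STIX 2.1 indicator, modelled on the one in the PR description.
STIX_INDICATOR: Dict[str, Any] = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8a8c60c4-00a8-43dd-ad76-8004ee718c39",
    "name": "Malicious activity",
    "description": "Indicator for a known malicious IP address",
    "pattern": "[ipv4-addr:value = '192.168.1.1']",
    "pattern_type": "stix",
}

# STIX 2.x object ids have the form "<type>--<uuid>".
STIX_ID_RE = re.compile(r"^indicator--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Only a single ipv4-addr equality comparison is handled here (assumption for the example).
IPV4_PATTERN_RE = re.compile(r"^\[ipv4-addr:value\s*=\s*'([^']+)'\]$")


def is_stix_indicator_id(value: str) -> bool:
    """True if value looks like a STIX 2.x indicator id."""
    return bool(STIX_ID_RE.match(value))


def append_indicator_id(event: Dict[str, Any], indicator_id: str) -> List[str]:
    """Append an id to threat.indicator.id (proposed multi-valued field), deduplicated.

    Other systems may use other id formats, so any non-empty string is accepted.
    """
    if not indicator_id or not indicator_id.strip():
        raise ValueError("indicator id must be a non-empty string")
    ids = event.setdefault("threat", {}).setdefault("indicator", {}).setdefault("id", [])
    if indicator_id not in ids:
        ids.append(indicator_id)
    return ids


def stix_indicator_to_ecs(stix: Dict[str, Any], event: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Map a STIX indicator object onto the threat.indicator.* fields of an ECS event."""
    if stix.get("type") != "indicator" or not is_stix_indicator_id(stix.get("id", "")):
        raise ValueError("not a STIX indicator object")
    event = {} if event is None else event
    append_indicator_id(event, stix["id"])
    ind = event["threat"]["indicator"]
    match = IPV4_PATTERN_RE.match(stix.get("pattern", ""))
    if match:
        ind["type"] = "ipv4-addr"
        ind["ip"] = match.group(1)
    if "description" in stix:
        ind["description"] = stix["description"]
    return event
```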
brett-fitz commented 6 months ago

@ebeahan This should be good to go and ready for discussion. Let me know if there are any issues with the PR! 😄

github-actions[bot] commented 4 months ago

This PR is stale because it has been open for 60 days with no activity.

trisch-me commented 3 months ago

Looks ok to me but I would like to have another approval from ecs maintainers / security folks

trisch-me commented 3 months ago

@mjwolf could you check it as well?

brett-fitz commented 3 months ago

@trisch-me @mjwolf My organization has dissolved and formed into a new entity. I'm going to resubmit this PR under a branch off my personal fork with the requested changes from above.

brett-fitz commented 3 months ago

Closing this PR. Now please refer to the new one: https://github.com/elastic/ecs/pull/2324