The new field `threat.indicator.id` will allow security systems to append a `threat.indicator.id`. This field can have multiple values, so the same indicator can be identified across systems that use different ID formats.
A common serialization format you may expect to see here is a STIX 2.x indicator id. Here is an example of one being produced:
```json
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8a8c60c4-00a8-43dd-ad76-8004ee718c39",
  "created": "2023-12-21T17:55:29.187214Z",
  "modified": "2023-12-21T17:55:29.187214Z",
  "name": "Malicious activity",
  "description": "Indicator for a known malicious IP address",
  "pattern": "[ipv4-addr:value = '192.168.1.1']",
  "pattern_type": "stix",
  "pattern_version": "2.1",
  "valid_from": "2023-01-01T12:00:00Z"
}
```
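As an added example (not code from the ECS project or this PR), the script below takes the STIX 2.1 indicator shown above, checks that its `id` is a well-formed `indicator--<UUID>` identifier, and builds an ECS document in which `threat.indicator.id` is an array, so a second system's identifier for the same indicator can be appended without losing the STIX one. The mapping of `valid_from` to `threat.indicator.first_seen`, of `modified` to `threat.indicator.modified_at`, and of the observable in the pattern to `threat.indicator.type` and `threat.indicator.ip` / `threat.indicator.url.*` is this example's own choice, and the pattern parser only handles the single-comparison pattern form used on this page.

```python
import json
import re
import uuid

# Constructed sample input: the STIX 2.1 indicator shown in the PR description.
STIX_INDICATOR_JSON = """{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8a8c60c4-00a8-43dd-ad76-8004ee718c39",
  "created": "2023-12-21T17:55:29.187214Z",
  "modified": "2023-12-21T17:55:29.187214Z",
  "name": "Malicious activity",
  "description": "Indicator for a known malicious IP address",
  "pattern": "[ipv4-addr:value = '192.168.1.1']",
  "pattern_type": "stix",
  "pattern_version": "2.1",
  "valid_from": "2023-01-01T12:00:00Z"
}"""

# STIX 2.x identifiers have the shape "<object-type>--<UUID>".
STIX_ID_RE = re.compile(r"^([a-z][a-z0-9-]*[a-z0-9])--([0-9a-fA-F-]{36})$")

# Only the simplest pattern form is handled: one observable property compared
# to one string literal, e.g. "[ipv4-addr:value = '192.168.1.1']".
SIMPLE_PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([a-z0-9_]+)\s*=\s*'([^']*)'\]$")

# Assumed mapping from the STIX observable type in the pattern to the dotted
# threat.indicator.* path that carries the observable value.
OBSERVABLE_TO_ECS_PATH = {
    "ipv4-addr": "ip",
    "ipv6-addr": "ip",
    "domain-name": "url.domain",
    "url": "url.full",
}


def is_stix_indicator_id(value):
    """True if value is a syntactically valid STIX indicator id with a parsable UUID."""
    m = STIX_ID_RE.match(value or "")
    if not m or m.group(1) != "indicator":
        return False
    try:
        uuid.UUID(m.group(2))
    except ValueError:
        return False
    return True


def parse_simple_pattern(pattern):
    """Return (observable_type, property, value) or None if the pattern is not the simple form."""
    m = SIMPLE_PATTERN_RE.match(pattern or "")
    return m.groups() if m else None


def _set_path(doc, dotted, value):
    """Set a nested key such as 'url.domain' inside doc, creating sub-dicts as needed."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        doc = doc.setdefault(part, {})
    doc[parts[-1]] = value


def add_indicator_id(ecs_doc, new_id):
    """Append another system's id to threat.indicator.id, keeping the array free of duplicates."""
    ids = ecs_doc.setdefault("threat", {}).setdefault("indicator", {}).setdefault("id", [])
    if new_id not in ids:
        ids.append(new_id)
    return ids


def stix_indicator_to_ecs(stix_obj, extra_ids=()):
    """Build an ECS document from a STIX indicator dict; extra_ids are other systems' ids for it."""
    if stix_obj.get("type") != "indicator":
        raise ValueError("not a STIX indicator object")
    if not is_stix_indicator_id(stix_obj.get("id")):
        raise ValueError(f"malformed STIX indicator id: {stix_obj.get('id')!r}")
    indicator = {
        "id": [stix_obj["id"]],  # array: more ids can be appended later
        "description": stix_obj.get("description"),
        "first_seen": stix_obj.get("valid_from"),   # assumed mapping
        "modified_at": stix_obj.get("modified"),    # assumed mapping
    }
    indicator = {k: v for k, v in indicator.items() if v is not None}
    parsed = parse_simple_pattern(stix_obj.get("pattern"))
    if parsed:
        obs_type, prop, value = parsed
        if prop == "value" and obs_type in OBSERVABLE_TO_ECS_PATH:
            indicator["type"] = obs_type
            _set_path(indicator, OBSERVABLE_TO_ECS_PATH[obs_type], value)
    ecs_doc = {"threat": {"indicator": indicator}}
    for other in extra_ids:
        add_indicator_id(ecs_doc, other)
    return ecs_doc


def ecs_from_stix_json(text, extra_ids=()):
    """Convenience wrapper: parse STIX JSON text and convert it."""
    return stix_indicator_to_ecs(json.loads(text), extra_ids)


if __name__ == "__main__":
    # "vendor-x-ioc-42" is a constructed id from a hypothetical second platform.
    print(json.dumps(ecs_from_stix_json(STIX_INDICATOR_JSON, ["vendor-x-ioc-42"]), indent=2))
```

Because `threat.indicator.id` is kept as a list from the start, a later enrichment step that learns a third platform's identifier for the same indicator only has to call `add_indicator_id`; a document that stored the STIX id as a scalar would need to be rewritten instead.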
Note: This is a recreated PR from https://github.com/elastic/ecs/pull/2307. See comment for reason.
Added `threat.indicator.id` field. Resolves #2252.