elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0

[RFC] added new field: threat.indicator.id - resolves GH-2252 #2324

Closed brett-fitz closed 3 months ago

brett-fitz commented 3 months ago

Note: This is a recreated PR from https://github.com/elastic/ecs/pull/2307. See comment for reason.

Added threat.indicator.id field. Resolves #2252.

The new field threat.indicator.id will allow for security systems to append a threat.indicator.id. This field can have multiple values to allow for the identification of the same indicator across systems that use different ID formats.

A common serialization format you may expect to see here is a STIX 2.x indicator id. Here is an example of one being produced.

```json
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8a8c60c4-00a8-43dd-ad76-8004ee718c39",
    "created": "2023-12-21T17:55:29.187214Z",
    "modified": "2023-12-21T17:55:29.187214Z",
    "name": "Malicious activity",
    "description": "Indicator for a known malicious IP address",
    "pattern": "[ipv4-addr:value = '192.168.1.1']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2023-01-01T12:00:00Z"
}
```

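As an added illustration of how the proposed field would be populated (example code written for this page, not part of the ECS repository or of this PR), the snippet below maps the STIX 2.1 indicator from the PR description onto an ECS document, emits `threat.indicator.id` as a list holding the STIX id plus an internal id for the same indicator, and checks the STIX id shape before accepting it. The other `threat.indicator.*` names used (`type`, `ip`, `description`, `first_seen`, `modified_at`) are existing ECS fields as assumed here; the internal id `tip-internal-0001` and the single-comparison pattern matcher are constructed for the example and the matcher is not a general STIX pattern parser.

```python
import json
import re

# STIX 2.x identifiers have the form "<object type>--<UUID>"; the id in the
# PR description (indicator--8a8c60c4-00a8-43dd-ad76-8004ee718c39) follows it.
STIX_INDICATOR_ID = re.compile(
    r"^indicator--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Minimal matcher for the one-comparison pattern shape in the PR's example
# ("[ipv4-addr:value = '192.168.1.1']"). Assumption for this example only;
# real STIX patterns can be far more complex.
SIMPLE_PATTERN = re.compile(
    r"^\[(?P<type>[a-z0-9-]+):value\s*=\s*'(?P<value>[^']*)'\]$"
)


def is_stix_indicator_id(value):
    """True if `value` is a well-formed STIX indicator id."""
    return bool(STIX_INDICATOR_ID.match(value or ""))


def ecs_from_stix_indicator(stix_obj, extra_ids=()):
    """Build an ECS document from a STIX 2.1 indicator object.

    `threat.indicator.id` is emitted as a list: the STIX id first, followed by
    identifiers other systems use for the same indicator (de-duplicated,
    order preserved). The remaining field names are existing ECS
    threat.indicator.* fields (assumed here, not taken from the PR).
    """
    if stix_obj.get("type") != "indicator":
        raise ValueError("not a STIX indicator object")
    stix_id = stix_obj.get("id", "")
    if not is_stix_indicator_id(stix_id):
        raise ValueError("malformed STIX indicator id: %r" % stix_id)

    ids = [stix_id]
    for extra in extra_ids:
        if extra and extra not in ids:
            ids.append(extra)

    indicator = {
        "id": ids,
        "description": stix_obj.get("description"),
        "first_seen": stix_obj.get("valid_from"),
        "modified_at": stix_obj.get("modified"),
    }
    match = SIMPLE_PATTERN.match(stix_obj.get("pattern", ""))
    if match:
        indicator["type"] = match.group("type")
        if match.group("type") in ("ipv4-addr", "ipv6-addr"):
            indicator["ip"] = match.group("value")

    # Drop keys the STIX object did not supply rather than emitting nulls.
    return {"threat": {"indicator": {k: v for k, v in indicator.items() if v is not None}}}


def merge_indicator_ids(doc_a, doc_b):
    """Union of two documents' `threat.indicator.id` lists, order preserved.

    This is the correlation step the PR describes: the same indicator seen
    by two systems with different id schemes keeps every id it was given.
    """
    merged = []
    for doc in (doc_a, doc_b):
        for value in doc["threat"]["indicator"].get("id", []):
            if value not in merged:
                merged.append(value)
    return merged


# Constructed sample input: the STIX object from the PR description.
SAMPLE_STIX = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8a8c60c4-00a8-43dd-ad76-8004ee718c39",
    "created": "2023-12-21T17:55:29.187214Z",
    "modified": "2023-12-21T17:55:29.187214Z",
    "name": "Malicious activity",
    "description": "Indicator for a known malicious IP address",
    "pattern": "[ipv4-addr:value = '192.168.1.1']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2023-01-01T12:00:00Z",
}

if __name__ == "__main__":
    # "tip-internal-0001" is a constructed id from a hypothetical second system.
    doc = ecs_from_stix_indicator(SAMPLE_STIX, extra_ids=["tip-internal-0001"])
    print(json.dumps(doc, indent=2))
```

The id check matters because an ingest pipeline that accepts any string into a multi-valued keyword field will happily store a truncated or mis-copied STIX id, which then never correlates with the producer's copy; rejecting malformed ids at the edge keeps the field useful for the cross-system matching the PR is after.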
github-actions[bot] commented 3 months ago

Documentation changes preview: https://ecs_bk_2324.docs-preview.app.elstc.co/diff

brett-fitz commented 3 months ago

CC: @trisch-me @mjwolf