Threat
Fields to classify events and alerts according to a threat taxonomy.
Fields
Field Summary
Field | Type | Level | Description
---|---|---|---
threat.enrichments | nested | Extended | List of objects containing indicators enriching the event. |
threat.enrichments.indicator | object | Extended | Object containing indicators enriching the event. |
threat.enrichments.indicator.as.number | long | Extended | Unique number allocated to the autonomous system. |
threat.enrichments.indicator.as.organization.name | keyword | Extended | Organization name. |
threat.enrichments.indicator.as.organization.name.text | match_only_text | Extended | Organization name. |
threat.enrichments.indicator.confidence | keyword | Extended | Indicator confidence rating. |
threat.enrichments.indicator.description | keyword | Extended | Indicator description. |
threat.enrichments.indicator.email.address | keyword | Extended | Indicator email address. |
threat.enrichments.indicator.file.accessed | date | Extended | Last time the file was accessed. |
threat.enrichments.indicator.file.attributes | keyword | Extended | Array of file attributes. |
threat.enrichments.indicator.file.code_signature.digest_algorithm | keyword | Extended | Hashing algorithm used to sign the process. |
threat.enrichments.indicator.file.code_signature.exists | boolean | Core | Boolean to capture if a signature is present. |
threat.enrichments.indicator.file.code_signature.flags | keyword | Extended | Code signing flags of the process. |
threat.enrichments.indicator.file.code_signature.signing_id | keyword | Extended | The identifier used to sign the process. |
threat.enrichments.indicator.file.code_signature.status | keyword | Extended | Additional information about the certificate status. |
threat.enrichments.indicator.file.code_signature.subject_name | keyword | Core | Subject name of the code signer. |
threat.enrichments.indicator.file.code_signature.team_id | keyword | Extended | The team identifier used to sign the process. |
threat.enrichments.indicator.file.code_signature.timestamp | date | Extended | When the signature was generated and signed. |
threat.enrichments.indicator.file.code_signature.trusted | boolean | Extended | Stores the trust status of the certificate chain. |
threat.enrichments.indicator.file.code_signature.valid | boolean | Extended | Boolean to capture if the digital signature is verified against the binary content. |
threat.enrichments.indicator.file.created | date | Extended | File creation time. |
threat.enrichments.indicator.file.ctime | date | Extended | Last time the file attributes or metadata changed. |
threat.enrichments.indicator.file.device | keyword | Extended | Device that is the source of the file. |
threat.enrichments.indicator.file.directory | keyword | Extended | Directory where the file is located. |
threat.enrichments.indicator.file.drive_letter | keyword | Extended | Drive letter where the file is located. |
threat.enrichments.indicator.file.elf.architecture | keyword | Extended | Machine architecture of the ELF file. |
threat.enrichments.indicator.file.elf.byte_order | keyword | Extended | Byte sequence of ELF file. |
threat.enrichments.indicator.file.elf.cpu_type | keyword | Extended | CPU type of the ELF file. |
threat.enrichments.indicator.file.elf.creation_date | date | Extended | Build or compile date. |
threat.enrichments.indicator.file.elf.exports | flattened | Extended | List of exported element names and types. |
threat.enrichments.indicator.file.elf.go_import_hash | keyword | Extended | A hash of the Go language imports in an ELF file. |
threat.enrichments.indicator.file.elf.go_imports | flattened | Extended | List of imported Go language element names and types. |
threat.enrichments.indicator.file.elf.go_imports_names_entropy | long | Extended | Shannon entropy calculation from the list of Go imports. |
threat.enrichments.indicator.file.elf.go_imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of Go imports. |
threat.enrichments.indicator.file.elf.go_stripped | boolean | Extended | Whether the file is a stripped or obfuscated Go executable. |
threat.enrichments.indicator.file.elf.header.abi_version | keyword | Extended | Version of the ELF Application Binary Interface (ABI). |
threat.enrichments.indicator.file.elf.header.class | keyword | Extended | Header class of the ELF file. |
threat.enrichments.indicator.file.elf.header.data | keyword | Extended | Data table of the ELF header. |
threat.enrichments.indicator.file.elf.header.entrypoint | long | Extended | Header entrypoint of the ELF file. |
threat.enrichments.indicator.file.elf.header.object_version | keyword | Extended | "0x1" for original ELF files. |
threat.enrichments.indicator.file.elf.header.os_abi | keyword | Extended | Application Binary Interface (ABI) of the Linux OS. |
threat.enrichments.indicator.file.elf.header.type | keyword | Extended | Header type of the ELF file. |
threat.enrichments.indicator.file.elf.header.version | keyword | Extended | Version of the ELF header. |
threat.enrichments.indicator.file.elf.import_hash | keyword | Extended | A hash of the imports in an ELF file. |
threat.enrichments.indicator.file.elf.imports | flattened | Extended | List of imported element names and types. |
threat.enrichments.indicator.file.elf.imports_names_entropy | long | Extended | Shannon entropy calculation from the list of imported element names and types. |
threat.enrichments.indicator.file.elf.imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of imported element names and types. |
threat.enrichments.indicator.file.elf.sections | nested | Extended | Section information of the ELF file. |
threat.enrichments.indicator.file.elf.sections.chi2 | long | Extended | Chi-square probability distribution of the section. |
threat.enrichments.indicator.file.elf.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
threat.enrichments.indicator.file.elf.sections.flags | keyword | Extended | ELF Section List flags. |
threat.enrichments.indicator.file.elf.sections.name | keyword | Extended | ELF Section List name. |
threat.enrichments.indicator.file.elf.sections.physical_offset | keyword | Extended | ELF Section List offset. |
threat.enrichments.indicator.file.elf.sections.physical_size | long | Extended | ELF Section List physical size. |
threat.enrichments.indicator.file.elf.sections.type | keyword | Extended | ELF Section List type. |
threat.enrichments.indicator.file.elf.sections.var_entropy | long | Extended | Variance for Shannon entropy calculation from the section. |
threat.enrichments.indicator.file.elf.sections.virtual_address | long | Extended | ELF Section List virtual address. |
threat.enrichments.indicator.file.elf.sections.virtual_size | long | Extended | ELF Section List virtual size. |
threat.enrichments.indicator.file.elf.segments | nested | Extended | ELF object segment list. |
threat.enrichments.indicator.file.elf.segments.sections | keyword | Extended | ELF object segment sections. |
threat.enrichments.indicator.file.elf.segments.type | keyword | Extended | ELF object segment type. |
threat.enrichments.indicator.file.elf.shared_libraries | keyword | Extended | List of shared libraries used by this ELF object. |
threat.enrichments.indicator.file.elf.telfhash | keyword | Extended | telfhash hash for ELF file. |
threat.enrichments.indicator.file.extension | keyword | Extended | File extension, excluding the leading dot. |
threat.enrichments.indicator.file.fork_name | keyword | Extended | A fork is additional data associated with a filesystem object. |
threat.enrichments.indicator.file.gid | keyword | Extended | Primary group ID (GID) of the file. |
threat.enrichments.indicator.file.group | keyword | Extended | Primary group name of the file. |
threat.enrichments.indicator.file.hash.cdhash | keyword | Extended | The Code Directory (CD) hash of an executable. |
threat.enrichments.indicator.file.hash.md5 | keyword | Extended | MD5 hash. |
threat.enrichments.indicator.file.hash.sha1 | keyword | Extended | SHA1 hash. |
threat.enrichments.indicator.file.hash.sha256 | keyword | Extended | SHA256 hash. |
threat.enrichments.indicator.file.hash.sha384 | keyword | Extended | SHA384 hash. |
threat.enrichments.indicator.file.hash.sha512 | keyword | Extended | SHA512 hash. |
threat.enrichments.indicator.file.hash.ssdeep | keyword | Extended | SSDEEP hash. |
threat.enrichments.indicator.file.hash.tlsh | keyword | Extended | TLSH hash. |
threat.enrichments.indicator.file.inode | keyword | Extended | Inode representing the file in the filesystem. |
threat.enrichments.indicator.file.mime_type | keyword | Extended | Media type of file, document, or arrangement of bytes. |
threat.enrichments.indicator.file.mode | keyword | Extended | Mode of the file in octal representation. |
threat.enrichments.indicator.file.mtime | date | Extended | Last time the file content was modified. |
threat.enrichments.indicator.file.name | keyword | Extended | Name of the file including the extension, without the directory. |
threat.enrichments.indicator.file.owner | keyword | Extended | File owner's username. |
threat.enrichments.indicator.file.path | keyword | Extended | Full path to the file, including the file name. |
threat.enrichments.indicator.file.path.text | match_only_text | Extended | Full path to the file, including the file name. |
threat.enrichments.indicator.file.pe.architecture | keyword | Extended | CPU architecture target for the file. |
threat.enrichments.indicator.file.pe.company | keyword | Extended | Internal company name of the file, provided at compile-time. |
threat.enrichments.indicator.file.pe.description | keyword | Extended | Internal description of the file, provided at compile-time. |
threat.enrichments.indicator.file.pe.file_version | keyword | Extended | Internal version of the file, provided at compile-time. |
threat.enrichments.indicator.file.pe.go_import_hash | keyword | Extended | A hash of the Go language imports in a PE file. |
threat.enrichments.indicator.file.pe.go_imports | flattened | Extended | List of imported Go language element names and types. |
threat.enrichments.indicator.file.pe.go_imports_names_entropy | long | Extended | Shannon entropy calculation from the list of Go imports. |
threat.enrichments.indicator.file.pe.go_imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of Go imports. |
threat.enrichments.indicator.file.pe.go_stripped | boolean | Extended | Whether the file is a stripped or obfuscated Go executable. |
threat.enrichments.indicator.file.pe.imphash | keyword | Extended | A hash of the imports in a PE file. |
threat.enrichments.indicator.file.pe.import_hash | keyword | Extended | A hash of the imports in a PE file. |
threat.enrichments.indicator.file.pe.imports | flattened | Extended | List of imported element names and types. |
threat.enrichments.indicator.file.pe.imports_names_entropy | long | Extended | Shannon entropy calculation from the list of imported element names and types. |
threat.enrichments.indicator.file.pe.imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of imported element names and types. |
threat.enrichments.indicator.file.pe.original_file_name | keyword | Extended | Internal name of the file, provided at compile-time. |
threat.enrichments.indicator.file.pe.pehash | keyword | Extended | A hash of the PE header and data from one or more PE sections. |
threat.enrichments.indicator.file.pe.product | keyword | Extended | Internal product name of the file, provided at compile-time. |
threat.enrichments.indicator.file.pe.sections | nested | Extended | Section information of the PE file. |
threat.enrichments.indicator.file.pe.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
threat.enrichments.indicator.file.pe.sections.name | keyword | Extended | PE Section List name. |
threat.enrichments.indicator.file.pe.sections.physical_size | long | Extended | PE Section List physical size. |
threat.enrichments.indicator.file.pe.sections.var_entropy | long | Extended | Variance for Shannon entropy calculation from the section. |
threat.enrichments.indicator.file.pe.sections.virtual_size | long | Extended | PE Section List virtual size. This is always the same as physical_size. |
threat.enrichments.indicator.file.size | long | Extended | File size in bytes. |
threat.enrichments.indicator.file.target_path | keyword | Extended | Target path for symlinks. |
threat.enrichments.indicator.file.target_path.text | match_only_text | Extended | Target path for symlinks. |
threat.enrichments.indicator.file.type | keyword | Extended | File type (file, dir, or symlink). |
threat.enrichments.indicator.file.uid | keyword | Extended | The user ID (UID) or security identifier (SID) of the file owner. |
threat.enrichments.indicator.file.x509.alternative_names | keyword | Extended | List of subject alternative names (SAN). |
threat.enrichments.indicator.file.x509.issuer.common_name | keyword | Extended | List of common names (CN) of issuing certificate authority. |
threat.enrichments.indicator.file.x509.issuer.country | keyword | Extended | List of country (C) codes. |
threat.enrichments.indicator.file.x509.issuer.distinguished_name | keyword | Extended | Distinguished name (DN) of issuing certificate authority. |
threat.enrichments.indicator.file.x509.issuer.locality | keyword | Extended | List of locality names (L). |
threat.enrichments.indicator.file.x509.issuer.organization | keyword | Extended | List of organizations (O) of issuing certificate authority. |
threat.enrichments.indicator.file.x509.issuer.organizational_unit | keyword | Extended | List of organizational units (OU) of issuing certificate authority. |
threat.enrichments.indicator.file.x509.issuer.state_or_province | keyword | Extended | List of state or province names (ST, S, or P). |
threat.enrichments.indicator.file.x509.not_after | date | Extended | Time at which the certificate is no longer considered valid. |
threat.enrichments.indicator.file.x509.not_before | date | Extended | Time at which the certificate is first considered valid. |
threat.enrichments.indicator.file.x509.public_key_algorithm | keyword | Extended | Algorithm used to generate the public key. |
threat.enrichments.indicator.file.x509.public_key_curve | keyword | Extended | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
threat.enrichments.indicator.file.x509.public_key_exponent | long | Extended | Exponent used to derive the public key. This is algorithm specific. |
threat.enrichments.indicator.file.x509.public_key_size | long | Extended | The size of the public key space in bits. |
threat.enrichments.indicator.file.x509.serial_number | keyword | Extended | Unique serial number issued by the certificate authority. |
threat.enrichments.indicator.file.x509.signature_algorithm | keyword | Extended | Identifier for certificate signature algorithm. |
threat.enrichments.indicator.file.x509.subject.common_name | keyword | Extended | List of common names (CN) of subject. |
threat.enrichments.indicator.file.x509.subject.country | keyword | Extended | List of country (C) codes. |
threat.enrichments.indicator.file.x509.subject.distinguished_name | keyword | Extended | Distinguished name (DN) of the certificate subject entity. |
threat.enrichments.indicator.file.x509.subject.locality | keyword | Extended | List of locality names (L). |
threat.enrichments.indicator.file.x509.subject.organization | keyword | Extended | List of organizations (O) of subject. |
threat.enrichments.indicator.file.x509.subject.organizational_unit | keyword | Extended | List of organizational units (OU) of subject. |
threat.enrichments.indicator.file.x509.subject.state_or_province | keyword | Extended | List of state or province names (ST, S, or P). |
threat.enrichments.indicator.file.x509.version_number | keyword | Extended | Version of x509 format. |
threat.enrichments.indicator.first_seen | date | Extended | Date/time indicator was first reported. |
threat.enrichments.indicator.geo.city_name | keyword | Core | City name. |
threat.enrichments.indicator.geo.continent_code | keyword | Core | Continent code. |
threat.enrichments.indicator.geo.continent_name | keyword | Core | Name of the continent. |
threat.enrichments.indicator.geo.country_iso_code | keyword | Core | Country ISO code. |
threat.enrichments.indicator.geo.country_name | keyword | Core | Country name. |
threat.enrichments.indicator.geo.location | geo_point | Core | Longitude and latitude. |
threat.enrichments.indicator.geo.name | keyword | Extended | User-defined description of a location. |
threat.enrichments.indicator.geo.postal_code | keyword | Core | Postal code. |
threat.enrichments.indicator.geo.region_iso_code | keyword | Core | Region ISO code. |
threat.enrichments.indicator.geo.region_name | keyword | Core | Region name. |
threat.enrichments.indicator.geo.timezone | keyword | Core | Time zone. |
threat.enrichments.indicator.ip | ip | Extended | Indicator IP address. |
threat.enrichments.indicator.last_seen | date | Extended | Date/time indicator was last reported. |
threat.enrichments.indicator.marking.tlp | keyword | Extended | Indicator TLP marking. |
threat.enrichments.indicator.marking.tlp_version | keyword | Extended | Indicator TLP version. |
threat.enrichments.indicator.modified_at | date | Extended | Date/time indicator was last updated. |
threat.enrichments.indicator.name | keyword | Extended | Indicator display name. |
threat.enrichments.indicator.port | long | Extended | Indicator port. |
threat.enrichments.indicator.provider | keyword | Extended | Indicator provider. |
threat.enrichments.indicator.reference | keyword | Extended | Indicator reference URL. |
threat.enrichments.indicator.registry.data.bytes | keyword | Extended | Original bytes written with base64 encoding. |
threat.enrichments.indicator.registry.data.strings | wildcard | Core | List of strings representing what was written to the registry. |
threat.enrichments.indicator.registry.data.type | keyword | Core | Standard registry type for encoding contents. |
threat.enrichments.indicator.registry.hive | keyword | Core | Abbreviated name for the hive. |
threat.enrichments.indicator.registry.key | keyword | Core | Hive-relative path of keys. |
threat.enrichments.indicator.registry.path | keyword | Core | Full path, including hive, key and value. |
threat.enrichments.indicator.registry.value | keyword | Core | Name of the value written. |
threat.enrichments.indicator.scanner_stats | long | Extended | Scanner statistics. |
threat.enrichments.indicator.sightings | long | Extended | Number of times indicator observed. |
threat.enrichments.indicator.type | keyword | Extended | Type of indicator. |
threat.enrichments.indicator.url.domain | keyword | Extended | Domain of the url. |
threat.enrichments.indicator.url.extension | keyword | Extended | File extension from the request url, excluding the leading dot. |
threat.enrichments.indicator.url.fragment | keyword | Extended | Portion of the url after the #. |
threat.enrichments.indicator.url.full | wildcard | Extended | Full unparsed URL. |
threat.enrichments.indicator.url.full.text | match_only_text | Extended | Full unparsed URL. |
threat.enrichments.indicator.url.original | wildcard | Extended | Unmodified original url as seen in the event source. |
threat.enrichments.indicator.url.original.text | match_only_text | Extended | Unmodified original url as seen in the event source. |
threat.enrichments.indicator.url.password | keyword | Extended | Password of the request. |
threat.enrichments.indicator.url.path | wildcard | Extended | Path of the request, such as "/search". |
threat.enrichments.indicator.url.port | long | Extended | Port of the request, such as 443. |
threat.enrichments.indicator.url.query | keyword | Extended | Query string of the request. |
threat.enrichments.indicator.url.registered_domain | keyword | Extended | The highest registered url domain, stripped of the subdomain. |
threat.enrichments.indicator.url.scheme | keyword | Extended | Scheme of the url. |
threat.enrichments.indicator.url.subdomain | keyword | Extended | The subdomain of the domain. |
threat.enrichments.indicator.url.top_level_domain | keyword | Extended | The effective top level domain (com, org, net, co.uk). |
threat.enrichments.indicator.url.username | keyword | Extended | Username of the request. |
threat.enrichments.indicator.x509.alternative_names | keyword | Extended | List of subject alternative names (SAN). |
threat.enrichments.indicator.x509.issuer.common_name | keyword | Extended | List of common names (CN) of issuing certificate authority. |
threat.enrichments.indicator.x509.issuer.country | keyword | Extended | List of country (C) codes. |
threat.enrichments.indicator.x509.issuer.distinguished_name | keyword | Extended | Distinguished name (DN) of issuing certificate authority. |
threat.enrichments.indicator.x509.issuer.locality | keyword | Extended | List of locality names (L). |
threat.enrichments.indicator.x509.issuer.organization | keyword | Extended | List of organizations (O) of issuing certificate authority. |
threat.enrichments.indicator.x509.issuer.organizational_unit | keyword | Extended | List of organizational units (OU) of issuing certificate authority. |
threat.enrichments.indicator.x509.issuer.state_or_province | keyword | Extended | List of state or province names (ST, S, or P). |
threat.enrichments.indicator.x509.not_after | date | Extended | Time at which the certificate is no longer considered valid. |
threat.enrichments.indicator.x509.not_before | date | Extended | Time at which the certificate is first considered valid. |
threat.enrichments.indicator.x509.public_key_algorithm | keyword | Extended | Algorithm used to generate the public key. |
threat.enrichments.indicator.x509.public_key_curve | keyword | Extended | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
threat.enrichments.indicator.x509.public_key_exponent | long | Extended | Exponent used to derive the public key. This is algorithm specific. |
threat.enrichments.indicator.x509.public_key_size | long | Extended | The size of the public key space in bits. |
threat.enrichments.indicator.x509.serial_number | keyword | Extended | Unique serial number issued by the certificate authority. |
threat.enrichments.indicator.x509.signature_algorithm | keyword | Extended | Identifier for certificate signature algorithm. |
threat.enrichments.indicator.x509.subject.common_name | keyword | Extended | List of common names (CN) of subject. |
threat.enrichments.indicator.x509.subject.country | keyword | Extended | List of country (C) codes. |
threat.enrichments.indicator.x509.subject.distinguished_name | keyword | Extended | Distinguished name (DN) of the certificate subject entity. |
threat.enrichments.indicator.x509.subject.locality | keyword | Extended | List of locality names (L). |
threat.enrichments.indicator.x509.subject.organization | keyword | Extended | List of organizations (O) of subject. |
threat.enrichments.indicator.x509.subject.organizational_unit | keyword | Extended | List of organizational units (OU) of subject. |
threat.enrichments.indicator.x509.subject.state_or_province | keyword | Extended | List of state or province names (ST, S, or P). |
threat.enrichments.indicator.x509.version_number | keyword | Extended | Version of x509 format. |
threat.enrichments.matched.atomic | keyword | Extended | Matched indicator value. |
threat.enrichments.matched.field | keyword | Extended | Matched indicator field. |
threat.enrichments.matched.id | keyword | Extended | Matched indicator identifier. |
threat.enrichments.matched.index | keyword | Extended | Matched indicator index. |
threat.enrichments.matched.occurred | date | Extended | Date of match. |
threat.enrichments.matched.type | keyword | Extended | Type of indicator match. |
threat.feed.dashboard_id | keyword | Extended | Feed dashboard ID. |
threat.feed.description | keyword | Extended | Description of the threat feed. |
threat.feed.name | keyword | Extended | Name of the threat feed. |
threat.feed.reference | keyword | Extended | Reference for the threat feed. |
threat.framework | keyword | Extended | Threat classification framework. |
threat.group.alias | keyword | Extended | Alias of the group. |
threat.group.id | keyword | Extended | ID of the group. |
threat.group.name | keyword | Extended | Name of the group. |
threat.group.reference | keyword | Extended | Reference URL of the group. |
threat.indicator.as.number | long | Extended | Unique number allocated to the autonomous system. |
threat.indicator.as.organization.name | keyword | Extended | Organization name. |
threat.indicator.as.organization.name.text | match_only_text | Extended | Organization name. |
threat.indicator.confidence | keyword | Extended | Indicator confidence rating. |
threat.indicator.description | keyword | Extended | Indicator description. |
threat.indicator.email.address | keyword | Extended | Indicator email address. |
threat.indicator.file.accessed | date | Extended | Last time the file was accessed. |
threat.indicator.file.attributes | keyword | Extended | Array of file attributes. |
threat.indicator.file.code_signature.digest_algorithm | keyword | Extended | Hashing algorithm used to sign the process. |
threat.indicator.file.code_signature.exists | boolean | Core | Boolean to capture if a signature is present. |
threat.indicator.file.code_signature.flags | keyword | Extended | Code signing flags of the process. |
threat.indicator.file.code_signature.signing_id | keyword | Extended | The identifier used to sign the process. |
threat.indicator.file.code_signature.status | keyword | Extended | Additional information about the certificate status. |
threat.indicator.file.code_signature.subject_name | keyword | Core | Subject name of the code signer. |
threat.indicator.file.code_signature.team_id | keyword | Extended | The team identifier used to sign the process. |
threat.indicator.file.code_signature.timestamp | date | Extended | When the signature was generated and signed. |
threat.indicator.file.code_signature.trusted | boolean | Extended | Stores the trust status of the certificate chain. |
threat.indicator.file.code_signature.valid | boolean | Extended | Boolean to capture if the digital signature is verified against the binary content. |
threat.indicator.file.created | date | Extended | File creation time. |
threat.indicator.file.ctime | date | Extended | Last time the file attributes or metadata changed. |
threat.indicator.file.device | keyword | Extended | Device that is the source of the file. |
threat.indicator.file.directory | keyword | Extended | Directory where the file is located. |
threat.indicator.file.drive_letter | keyword | Extended | Drive letter where the file is located. |
threat.indicator.file.elf.architecture | keyword | Extended | Machine architecture of the ELF file. |
threat.indicator.file.elf.byte_order | keyword | Extended | Byte sequence of ELF file. |
threat.indicator.file.elf.cpu_type | keyword | Extended | CPU type of the ELF file. |
threat.indicator.file.elf.creation_date | date | Extended | Build or compile date. |
threat.indicator.file.elf.exports | flattened | Extended | List of exported element names and types. |
threat.indicator.file.elf.go_import_hash | keyword | Extended | A hash of the Go language imports in an ELF file. |
threat.indicator.file.elf.go_imports | flattened | Extended | List of imported Go language element names and types. |
threat.indicator.file.elf.go_imports_names_entropy | long | Extended | Shannon entropy calculation from the list of Go imports. |
threat.indicator.file.elf.go_imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of Go imports. |
threat.indicator.file.elf.go_stripped | boolean | Extended | Whether the file is a stripped or obfuscated Go executable. |
threat.indicator.file.elf.header.abi_version | keyword | Extended | Version of the ELF Application Binary Interface (ABI). |
threat.indicator.file.elf.header.class | keyword | Extended | Header class of the ELF file. |
threat.indicator.file.elf.header.data | keyword | Extended | Data table of the ELF header. |
threat.indicator.file.elf.header.entrypoint | long | Extended | Header entrypoint of the ELF file. |
threat.indicator.file.elf.header.object_version | keyword | Extended | "0x1" for original ELF files. |
threat.indicator.file.elf.header.os_abi | keyword | Extended | Application Binary Interface (ABI) of the Linux OS. |
threat.indicator.file.elf.header.type | keyword | Extended | Header type of the ELF file. |
threat.indicator.file.elf.header.version | keyword | Extended | Version of the ELF header. |
threat.indicator.file.elf.import_hash | keyword | Extended | A hash of the imports in an ELF file. |
threat.indicator.file.elf.imports | flattened | Extended | List of imported element names and types. |
threat.indicator.file.elf.imports_names_entropy | long | Extended | Shannon entropy calculation from the list of imported element names and types. |
threat.indicator.file.elf.imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of imported element names and types. |
threat.indicator.file.elf.sections | nested | Extended | Section information of the ELF file. |
threat.indicator.file.elf.sections.chi2 | long | Extended | Chi-square probability distribution of the section. |
threat.indicator.file.elf.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
threat.indicator.file.elf.sections.flags | keyword | Extended | ELF Section List flags. |
threat.indicator.file.elf.sections.name | keyword | Extended | ELF Section List name. |
threat.indicator.file.elf.sections.physical_offset | keyword | Extended | ELF Section List offset. |
threat.indicator.file.elf.sections.physical_size | long | Extended | ELF Section List physical size. |
threat.indicator.file.elf.sections.type | keyword | Extended | ELF Section List type. |
threat.indicator.file.elf.sections.var_entropy | long | Extended | Variance for Shannon entropy calculation from the section. |
threat.indicator.file.elf.sections.virtual_address | long | Extended | ELF Section List virtual address. |
threat.indicator.file.elf.sections.virtual_size | long | Extended | ELF Section List virtual size. |
threat.indicator.file.elf.segments | nested | Extended | ELF object segment list. |
threat.indicator.file.elf.segments.sections | keyword | Extended | ELF object segment sections. |
threat.indicator.file.elf.segments.type | keyword | Extended | ELF object segment type. |
threat.indicator.file.elf.shared_libraries | keyword | Extended | List of shared libraries used by this ELF object. |
threat.indicator.file.elf.telfhash | keyword | Extended | telfhash hash for ELF file. |
threat.indicator.file.extension | keyword | Extended | File extension, excluding the leading dot. |
threat.indicator.file.fork_name | keyword | Extended | A fork is additional data associated with a filesystem object. |
threat.indicator.file.gid | keyword | Extended | Primary group ID (GID) of the file. |
threat.indicator.file.group | keyword | Extended | Primary group name of the file. |
threat.indicator.file.hash.cdhash | keyword | Extended | The Code Directory (CD) hash of an executable. |
threat.indicator.file.hash.md5 | keyword | Extended | MD5 hash. |
threat.indicator.file.hash.sha1 | keyword | Extended | SHA1 hash. |
threat.indicator.file.hash.sha256 | keyword | Extended | SHA256 hash. |
threat.indicator.file.hash.sha384 | keyword | Extended | SHA384 hash. |
threat.indicator.file.hash.sha512 | keyword | Extended | SHA512 hash. |
threat.indicator.file.hash.ssdeep | keyword | Extended | SSDEEP hash. |
threat.indicator.file.hash.tlsh | keyword | Extended | TLSH hash. |
threat.indicator.file.inode | keyword | Extended | Inode representing the file in the filesystem. |
threat.indicator.file.mime_type | keyword | Extended | Media type of file, document, or arrangement of bytes. |
threat.indicator.file.mode | keyword | Extended | Mode of the file in octal representation. |
threat.indicator.file.mtime | date | Extended | Last time the file content was modified. |
threat.indicator.file.name | keyword | Extended | Name of the file including the extension, without the directory. |
threat.indicator.file.owner | keyword | Extended | File owner's username. |
threat.indicator.file.path | keyword | Extended | Full path to the file, including the file name. |
threat.indicator.file.path.text | match_only_text | Extended | Full path to the file, including the file name. |
threat.indicator.file.pe.architecture | keyword | Extended | CPU architecture target for the file. |
threat.indicator.file.pe.company | keyword | Extended | Internal company name of the file, provided at compile-time. |
threat.indicator.file.pe.description | keyword | Extended | Internal description of the file, provided at compile-time. |
threat.indicator.file.pe.file_version | keyword | Extended | Internal version of the file, provided at compile-time. |
threat.indicator.file.pe.go_import_hash | keyword | Extended | A hash of the Go language imports in a PE file. |
threat.indicator.file.pe.go_imports | flattened | Extended | List of imported Go language element names and types. |
threat.indicator.file.pe.go_imports_names_entropy | long | Extended | Shannon entropy calculation from the list of Go imports. |
threat.indicator.file.pe.go_imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of Go imports. |
threat.indicator.file.pe.go_stripped | boolean | Extended | Whether the file is a stripped or obfuscated Go executable. |
threat.indicator.file.pe.imphash | keyword | Extended | A hash of the imports in a PE file. |
threat.indicator.file.pe.import_hash | keyword | Extended | A hash of the imports in a PE file. |
threat.indicator.file.pe.imports | flattened | Extended | List of imported element names and types. |
threat.indicator.file.pe.imports_names_entropy | long | Extended | Shannon entropy calculation from the list of imported element names and types. |
threat.indicator.file.pe.imports_names_var_entropy | long | Extended | Variance for Shannon entropy calculation from the list of imported element names and types. |
threat.indicator.file.pe.original_file_name | keyword | Extended | Internal name of the file, provided at compile-time. |
threat.indicator.file.pe.pehash | keyword | Extended | A hash of the PE header and data from one or more PE sections. |
threat.indicator.file.pe.product | keyword | Extended | Internal product name of the file, provided at compile-time. |
threat.indicator.file.pe.sections | nested | Extended | Section information of the PE file. |
threat.indicator.file.pe.sections.entropy | long | Extended | Shannon entropy calculation from the section. |
threat.indicator.file.pe.sections.name | keyword | Extended | PE Section List name. |
threat.indicator.file.pe.sections.physical_size | long | Extended | PE Section List physical size. |
threat.indicator.file.pe.sections.var_entropy | long | Extended | Variance for Shannon entropy calculation from the section. |
threat.indicator.file.pe.sections.virtual_size | long | Extended | PE Section List virtual size. This is always the same as physical_size. |
threat.indicator.file.size | long | Extended | File size in bytes. |
threat.indicator.file.target_path | keyword | Extended | Target path for symlinks. |
threat.indicator.file.target_path.text | match_only_text | Extended | Target path for symlinks. |
threat.indicator.file.type | keyword | Extended | File type (file, dir, or symlink). |
threat.indicator.file.uid | keyword | Extended | The user ID (UID) or security identifier (SID) of the file owner. |
threat.indicator.file.x509.alternative_names | keyword | Extended | List of subject alternative names (SAN). |
threat.indicator.file.x509.issuer.common_name | keyword | Extended | List of common names (CN) of issuing certificate authority. |
threat.indicator.file.x509.issuer.country | keyword | Extended | List of country (C) codes |
threat.indicator.file.x509.issuer.distinguished_name | keyword | Extended | Distinguished name (DN) of issuing certificate authority. |
threat.indicator.file.x509.issuer.locality | keyword | Extended | List of locality names (L) |
threat.indicator.file.x509.issuer.organization | keyword | Extended | List of organizations (O) of issuing certificate authority. |
threat.indicator.file.x509.issuer.organizational_unit | keyword | Extended | List of organizational units (OU) of issuing certificate authority. |
threat.indicator.file.x509.issuer.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
threat.indicator.file.x509.not_after | date | Extended | Time at which the certificate is no longer considered valid. |
threat.indicator.file.x509.not_before | date | Extended | Time at which the certificate is first considered valid. |
threat.indicator.file.x509.public_key_algorithm | keyword | Extended | Algorithm used to generate the public key. |
threat.indicator.file.x509.public_key_curve | keyword | Extended | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
threat.indicator.file.x509.public_key_exponent | long | Extended | Exponent used to derive the public key. This is algorithm specific. |
threat.indicator.file.x509.public_key_size | long | Extended | The size of the public key space in bits. |
threat.indicator.file.x509.serial_number | keyword | Extended | Unique serial number issued by the certificate authority. |
threat.indicator.file.x509.signature_algorithm | keyword | Extended | Identifier for certificate signature algorithm. |
threat.indicator.file.x509.subject.common_name | keyword | Extended | List of common names (CN) of subject. |
threat.indicator.file.x509.subject.country | keyword | Extended | List of country (C) codes |
threat.indicator.file.x509.subject.distinguished_name | keyword | Extended | Distinguished name (DN) of the certificate subject entity. |
threat.indicator.file.x509.subject.locality | keyword | Extended | List of locality names (L) |
threat.indicator.file.x509.subject.organization | keyword | Extended | List of organizations (O) of subject. |
threat.indicator.file.x509.subject.organizational_unit | keyword | Extended | List of organizational units (OU) of subject. |
threat.indicator.file.x509.subject.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
threat.indicator.file.x509.version_number | keyword | Extended | Version of x509 format. |
threat.indicator.first_seen | date | Extended | Date/time indicator was first reported. |
threat.indicator.geo.city_name | keyword | Core | City name. |
threat.indicator.geo.continent_code | keyword | Core | Continent code. |
threat.indicator.geo.continent_name | keyword | Core | Name of the continent. |
threat.indicator.geo.country_iso_code | keyword | Core | Country ISO code. |
threat.indicator.geo.country_name | keyword | Core | Country name. |
threat.indicator.geo.location | geo_point | Core | Longitude and latitude. |
threat.indicator.geo.name | keyword | Extended | User-defined description of a location. |
threat.indicator.geo.postal_code | keyword | Core | Postal code. |
threat.indicator.geo.region_iso_code | keyword | Core | Region ISO code. |
threat.indicator.geo.region_name | keyword | Core | Region name. |
threat.indicator.geo.timezone | keyword | Core | Time zone. |
threat.indicator.id | keyword | Extended | ID of the indicator |
threat.indicator.ip | ip | Extended | Indicator IP address |
threat.indicator.last_seen | date | Extended | Date/time indicator was last reported. |
threat.indicator.marking.tlp | keyword | Extended | Indicator TLP marking |
threat.indicator.marking.tlp_version | keyword | Extended | Indicator TLP version |
threat.indicator.modified_at | date | Extended | Date/time indicator was last updated. |
threat.indicator.name | keyword | Extended | Indicator display name |
threat.indicator.port | long | Extended | Indicator port |
threat.indicator.provider | keyword | Extended | Indicator provider |
threat.indicator.reference | keyword | Extended | Indicator reference URL |
threat.indicator.registry.data.bytes | keyword | Extended | Original bytes written with base64 encoding. |
threat.indicator.registry.data.strings | wildcard | Core | List of strings representing what was written to the registry. |
threat.indicator.registry.data.type | keyword | Core | Standard registry type for encoding contents |
threat.indicator.registry.hive | keyword | Core | Abbreviated name for the hive. |
threat.indicator.registry.key | keyword | Core | Hive-relative path of keys. |
threat.indicator.registry.path | keyword | Core | Full path, including hive, key and value |
threat.indicator.registry.value | keyword | Core | Name of the value written. |
threat.indicator.scanner_stats | long | Extended | Scanner statistics |
threat.indicator.sightings | long | Extended | Number of times indicator observed |
threat.indicator.type | keyword | Extended | Type of indicator |
threat.indicator.url.domain | keyword | Extended | Domain of the url. |
threat.indicator.url.extension | keyword | Extended | File extension from the request url, excluding the leading dot. |
threat.indicator.url.fragment | keyword | Extended | Portion of the url after the #. |
threat.indicator.url.full | wildcard | Extended | Full unparsed URL. |
threat.indicator.url.full.text | match_only_text | Extended | Full unparsed URL. |
threat.indicator.url.original | wildcard | Extended | Unmodified original url as seen in the event source. |
threat.indicator.url.original.text | match_only_text | Extended | Unmodified original url as seen in the event source. |
threat.indicator.url.password | keyword | Extended | Password of the request. |
threat.indicator.url.path | wildcard | Extended | Path of the request, such as "/search". |
threat.indicator.url.port | long | Extended | Port of the request, such as 443. |
threat.indicator.url.query | keyword | Extended | Query string of the request. |
threat.indicator.url.registered_domain | keyword | Extended | The highest registered url domain, stripped of the subdomain. |
threat.indicator.url.scheme | keyword | Extended | Scheme of the url. |
threat.indicator.url.subdomain | keyword | Extended | The subdomain of the domain. |
threat.indicator.url.top_level_domain | keyword | Extended | The effective top level domain (com, org, net, co.uk). |
threat.indicator.url.username | keyword | Extended | Username of the request. |
threat.indicator.x509.alternative_names | keyword | Extended | List of subject alternative names (SAN). |
threat.indicator.x509.issuer.common_name | keyword | Extended | List of common names (CN) of issuing certificate authority. |
threat.indicator.x509.issuer.country | keyword | Extended | List of country (C) codes |
threat.indicator.x509.issuer.distinguished_name | keyword | Extended | Distinguished name (DN) of issuing certificate authority. |
threat.indicator.x509.issuer.locality | keyword | Extended | List of locality names (L) |
threat.indicator.x509.issuer.organization | keyword | Extended | List of organizations (O) of issuing certificate authority. |
threat.indicator.x509.issuer.organizational_unit | keyword | Extended | List of organizational units (OU) of issuing certificate authority. |
threat.indicator.x509.issuer.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
threat.indicator.x509.not_after | date | Extended | Time at which the certificate is no longer considered valid. |
threat.indicator.x509.not_before | date | Extended | Time at which the certificate is first considered valid. |
threat.indicator.x509.public_key_algorithm | keyword | Extended | Algorithm used to generate the public key. |
threat.indicator.x509.public_key_curve | keyword | Extended | The curve used by the elliptic curve public key algorithm. This is algorithm specific. |
threat.indicator.x509.public_key_exponent | long | Extended | Exponent used to derive the public key. This is algorithm specific. |
threat.indicator.x509.public_key_size | long | Extended | The size of the public key space in bits. |
threat.indicator.x509.serial_number | keyword | Extended | Unique serial number issued by the certificate authority. |
threat.indicator.x509.signature_algorithm | keyword | Extended | Identifier for certificate signature algorithm. |
threat.indicator.x509.subject.common_name | keyword | Extended | List of common names (CN) of subject. |
threat.indicator.x509.subject.country | keyword | Extended | List of country (C) codes |
threat.indicator.x509.subject.distinguished_name | keyword | Extended | Distinguished name (DN) of the certificate subject entity. |
threat.indicator.x509.subject.locality | keyword | Extended | List of locality names (L) |
threat.indicator.x509.subject.organization | keyword | Extended | List of organizations (O) of subject. |
threat.indicator.x509.subject.organizational_unit | keyword | Extended | List of organizational units (OU) of subject. |
threat.indicator.x509.subject.state_or_province | keyword | Extended | List of state or province names (ST, S, or P) |
threat.indicator.x509.version_number | keyword | Extended | Version of x509 format. |
threat.software.alias | keyword | Extended | Alias of the software |
threat.software.id | keyword | Extended | ID of the software |
threat.software.name | keyword | Extended | Name of the software. |
threat.software.platforms | keyword | Extended | Platforms of the software. |
threat.software.reference | keyword | Extended | Software reference URL. |
threat.software.type | keyword | Extended | Software type. |
threat.tactic.id | keyword | Extended | Threat tactic id. |
threat.tactic.name | keyword | Extended | Threat tactic. |
threat.tactic.reference | keyword | Extended | Threat tactic URL reference. |
threat.technique.id | keyword | Extended | Threat technique id. |
threat.technique.name | keyword | Extended | Threat technique name. |
threat.technique.name.text | match_only_text | Extended | Threat technique name. |
threat.technique.reference | keyword | Extended | Threat technique URL reference. |
threat.technique.subtechnique.id | keyword | Extended | Threat subtechnique id. |
threat.technique.subtechnique.name | keyword | Extended | Threat subtechnique name. |
threat.technique.subtechnique.name.text | match_only_text | Extended | Threat subtechnique name. |
threat.technique.subtechnique.reference | keyword | Extended | Threat subtechnique URL reference. |
Field Details
threat.enrichments
Type: nested
Level: Extended
Description: List of objects containing indicators enriching the event.
Normalization: array
Indexed: true
threat.enrichments.indicator
Type: object
Level: Extended
Description: Object containing indicators enriching the event.
Indexed: true
threat.enrichments.indicator.as.number
Type: long
Level: Extended
Description: Unique number allocated to the autonomous system.
Example: 15169
Indexed: true
threat.enrichments.indicator.as.organization.name
Type: keyword
Level: Extended
Description: Organization name.
Example: Google LLC
Indexed: true
threat.enrichments.indicator.as.organization.name.text
Type: match_only_text
Level: Extended
Description: Organization name.
Example: Google LLC
Indexed: true
threat.enrichments.indicator.confidence
Type: keyword
Level: Extended
Description: Indicator confidence rating
Example: Medium
Indexed: true
threat.enrichments.indicator.description
Type: keyword
Level: Extended
Description: Indicator description
Example: IP x.x.x.x was observed delivering the Angler EK.
Indexed: true
threat.enrichments.indicator.email.address
Type: keyword
Level: Extended
Description: Indicator email address
Example: [email protected]
Indexed: true
threat.enrichments.indicator.file.accessed
Type: date
Level: Extended
Description: Last time the file was accessed.
Indexed: true
threat.enrichments.indicator.file.attributes
Type: keyword
Level: Extended
Description: Array of file attributes.
Example: ["readonly", "system"]
Normalization: array
Indexed: true
threat.enrichments.indicator.file.code_signature.digest_algorithm
Type: keyword
Level: Extended
Description: Hashing algorithm used to sign the process.
Example: sha256
Indexed: true
threat.enrichments.indicator.file.code_signature.exists
Type: boolean
Level: Core
Description: Boolean to capture if a signature is present.
Example: true
Indexed: true
threat.enrichments.indicator.file.code_signature.flags
Type: keyword
Level: Extended
Description: Code signing flags of the process
Example: 570522385
Indexed: true
threat.enrichments.indicator.file.code_signature.signing_id
Type: keyword
Level: Extended
Description: The identifier used to sign the process.
Example: com.apple.xpc.proxy
Indexed: true
threat.enrichments.indicator.file.code_signature.status
Type: keyword
Level: Extended
Description: Additional information about the certificate status.
Example: ERROR_UNTRUSTED_ROOT
Indexed: true
threat.enrichments.indicator.file.code_signature.subject_name
Type: keyword
Level: Core
Description: Subject name of the code signer
Example: Microsoft Corporation
Indexed: true
threat.enrichments.indicator.file.code_signature.team_id
Type: keyword
Level: Extended
Description: The team identifier used to sign the process.
Example: EQHXZ8M8AV
Indexed: true
threat.enrichments.indicator.file.code_signature.timestamp
Type: date
Level: Extended
Description: When the signature was generated and signed.
Example: 2021-01-01T12:10:30Z
Indexed: true
threat.enrichments.indicator.file.code_signature.trusted
Type: boolean
Level: Extended
Description: Stores the trust status of the certificate chain.
Example: true
Indexed: true
threat.enrichments.indicator.file.code_signature.valid
Type: boolean
Level: Extended
Description: Boolean to capture if the digital signature is verified against the binary content.
Example: true
Indexed: true
threat.enrichments.indicator.file.created
Type: date
Level: Extended
Description: File creation time.
Indexed: true
threat.enrichments.indicator.file.ctime
Type: date
Level: Extended
Description: Last time the file attributes or metadata changed.
Indexed: true
threat.enrichments.indicator.file.device
Type: keyword
Level: Extended
Description: Device that is the source of the file.
Example: sda
Indexed: true
threat.enrichments.indicator.file.directory
Type: keyword
Level: Extended
Description: Directory where the file is located.
Example: /home/alice
Indexed: true
threat.enrichments.indicator.file.drive_letter
Type: keyword
Level: Extended
Description: Drive letter where the file is located.
Example: C
Indexed: true
threat.enrichments.indicator.file.elf.architecture
Type: keyword
Level: Extended
Description: Machine architecture of the ELF file.
Example: x86-64
Indexed: true
threat.enrichments.indicator.file.elf.byte_order
Type: keyword
Level: Extended
Description: Byte sequence of ELF file.
Example: Little Endian
Indexed: true
threat.enrichments.indicator.file.elf.cpu_type
Type: keyword
Level: Extended
Description: CPU type of the ELF file.
Example: Intel
Indexed: true
threat.enrichments.indicator.file.elf.creation_date
Type: date
Level: Extended
Description: Build or compile date.
Indexed: true
threat.enrichments.indicator.file.elf.exports
Type: flattened
Level: Extended
Description: List of exported element names and types.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.elf.go_import_hash
Type: keyword
Level: Extended
Description: A hash of the Go language imports in an ELF file.
Example: 10bddcb4cee42080f76c88d9ff964491
Indexed: true
threat.enrichments.indicator.file.elf.go_imports
Type: flattened
Level: Extended
Description: List of imported Go language element names and types.
Indexed: true
threat.enrichments.indicator.file.elf.go_imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of Go imports.
Indexed: true
threat.enrichments.indicator.file.elf.go_imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of Go imports.
Indexed: true
threat.enrichments.indicator.file.elf.go_stripped
Type: boolean
Level: Extended
Description: Whether the file is a stripped or obfuscated Go executable.
Indexed: true
threat.enrichments.indicator.file.elf.header.abi_version
Type: keyword
Level: Extended
Description: Version of the ELF Application Binary Interface (ABI).
Indexed: true
threat.enrichments.indicator.file.elf.header.class
Type: keyword
Level: Extended
Description: Header class of the ELF file.
Indexed: true
threat.enrichments.indicator.file.elf.header.data
Type: keyword
Level: Extended
Description: Data table of the ELF header.
Indexed: true
threat.enrichments.indicator.file.elf.header.entrypoint
Type: long
Level: Extended
Description: Header entrypoint of the ELF file.
Indexed: true
threat.enrichments.indicator.file.elf.header.object_version
Type: keyword
Level: Extended
Description: "0x1" for original ELF files.
Indexed: true
threat.enrichments.indicator.file.elf.header.os_abi
Type: keyword
Level: Extended
Description: Application Binary Interface (ABI) of the Linux OS.
Indexed: true
threat.enrichments.indicator.file.elf.header.type
Type: keyword
Level: Extended
Description: Header type of the ELF file.
Indexed: true
threat.enrichments.indicator.file.elf.header.version
Type: keyword
Level: Extended
Description: Version of the ELF header.
Indexed: true
threat.enrichments.indicator.file.elf.import_hash
Type: keyword
Level: Extended
Description: A hash of the imports in an ELF file.
Example: d41d8cd98f00b204e9800998ecf8427e
Indexed: true
threat.enrichments.indicator.file.elf.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.elf.imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of imported element names and types.
Indexed: true
threat.enrichments.indicator.file.elf.imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of imported element names and types.
Indexed: true
threat.enrichments.indicator.file.elf.sections
Type: nested
Level: Extended
Description: Section information of the ELF file.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.elf.sections.chi2
Type: long
Level: Extended
Description: Chi-square probability distribution of the section.
Indexed: true
threat.enrichments.indicator.file.elf.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
threat.enrichments.indicator.file.elf.sections.flags
Type: keyword
Level: Extended
Description: ELF Section List flags.
Indexed: true
threat.enrichments.indicator.file.elf.sections.name
Type: keyword
Level: Extended
Description: ELF Section List name.
Indexed: true
threat.enrichments.indicator.file.elf.sections.physical_offset
Type: keyword
Level: Extended
Description: ELF Section List offset.
Indexed: true
threat.enrichments.indicator.file.elf.sections.physical_size
Type: long
Level: Extended
Description: ELF Section List physical size.
Indexed: true
threat.enrichments.indicator.file.elf.sections.type
Type: keyword
Level: Extended
Description: ELF Section List type.
Indexed: true
threat.enrichments.indicator.file.elf.sections.var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the section.
Indexed: true
threat.enrichments.indicator.file.elf.sections.virtual_address
Type: long
Level: Extended
Description: ELF Section List virtual address.
Indexed: true
threat.enrichments.indicator.file.elf.sections.virtual_size
Type: long
Level: Extended
Description: ELF Section List virtual size.
Indexed: true
threat.enrichments.indicator.file.elf.segments
Type: nested
Level: Extended
Description: ELF object segment list.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.elf.segments.sections
Type: keyword
Level: Extended
Description: ELF object segment sections.
Indexed: true
threat.enrichments.indicator.file.elf.segments.type
Type: keyword
Level: Extended
Description: ELF object segment type.
Indexed: true
threat.enrichments.indicator.file.elf.shared_libraries
Type: keyword
Level: Extended
Description: List of shared libraries used by this ELF object.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.elf.telfhash
Type: keyword
Level: Extended
Description: telfhash hash for ELF file.
Indexed: true
threat.enrichments.indicator.file.extension
Type: keyword
Level: Extended
Description: File extension, excluding the leading dot.
Example: png
Indexed: true
threat.enrichments.indicator.file.fork_name
Type: keyword
Level: Extended
Description: A fork is additional data associated with a filesystem object.
Example: Zone.Identifier
Indexed: true
threat.enrichments.indicator.file.gid
Type: keyword
Level: Extended
Description: Primary group ID (GID) of the file.
Example: 1001
Indexed: true
threat.enrichments.indicator.file.group
Type: keyword
Level: Extended
Description: Primary group name of the file.
Example: alice
Indexed: true
threat.enrichments.indicator.file.hash.cdhash
Type: keyword
Level: Extended
Description: The Code Directory (CD) hash of an executable.
Example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
Indexed: true
threat.enrichments.indicator.file.hash.md5
Type: keyword
Level: Extended
Description: MD5 hash.
Indexed: true
threat.enrichments.indicator.file.hash.sha1
Type: keyword
Level: Extended
Description: SHA1 hash.
Indexed: true
threat.enrichments.indicator.file.hash.sha256
Type: keyword
Level: Extended
Description: SHA256 hash.
Indexed: true
threat.enrichments.indicator.file.hash.sha384
Type: keyword
Level: Extended
Description: SHA384 hash.
Indexed: true
threat.enrichments.indicator.file.hash.sha512
Type: keyword
Level: Extended
Description: SHA512 hash.
Indexed: true
threat.enrichments.indicator.file.hash.ssdeep
Type: keyword
Level: Extended
Description: SSDEEP hash.
Indexed: true
threat.enrichments.indicator.file.hash.tlsh
Type: keyword
Level: Extended
Description: TLSH hash.
Indexed: true
threat.enrichments.indicator.file.inode
Type: keyword
Level: Extended
Description: Inode representing the file in the filesystem.
Example: 256383
Indexed: true
threat.enrichments.indicator.file.mime_type
Type: keyword
Level: Extended
Description: Media type of file, document, or arrangement of bytes.
Indexed: true
threat.enrichments.indicator.file.mode
Type: keyword
Level: Extended
Description: Mode of the file in octal representation.
Example: 0640
Indexed: true
threat.enrichments.indicator.file.mtime
Type: date
Level: Extended
Description: Last time the file content was modified.
Indexed: true
threat.enrichments.indicator.file.name
Type: keyword
Level: Extended
Description: Name of the file including the extension, without the directory.
Example: example.png
Indexed: true
threat.enrichments.indicator.file.owner
Type: keyword
Level: Extended
Description: File owner's username.
Example: alice
Indexed: true
threat.enrichments.indicator.file.path
Type: keyword
Level: Extended
Description: Full path to the file, including the file name.
Example: /home/alice/example.png
Indexed: true
threat.enrichments.indicator.file.path.text
Type: match_only_text
Level: Extended
Description: Full path to the file, including the file name.
Example: /home/alice/example.png
Indexed: true
threat.enrichments.indicator.file.pe.architecture
Type: keyword
Level: Extended
Description: CPU architecture target for the file.
Example: x64
Indexed: true
threat.enrichments.indicator.file.pe.company
Type: keyword
Level: Extended
Description: Internal company name of the file, provided at compile-time.
Example: Microsoft Corporation
Indexed: true
threat.enrichments.indicator.file.pe.description
Type: keyword
Level: Extended
Description: Internal description of the file, provided at compile-time.
Example: Paint
Indexed: true
threat.enrichments.indicator.file.pe.file_version
Type: keyword
Level: Extended
Description: Internal version of the file, provided at compile-time.
Example: 6.3.9600.17415
Indexed: true
threat.enrichments.indicator.file.pe.go_import_hash
Type: keyword
Level: Extended
Description: A hash of the Go language imports in a PE file.
Example: 10bddcb4cee42080f76c88d9ff964491
Indexed: true
threat.enrichments.indicator.file.pe.go_imports
Type: flattened
Level: Extended
Description: List of imported Go language element names and types.
Indexed: true
threat.enrichments.indicator.file.pe.go_imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of Go imports.
Indexed: true
threat.enrichments.indicator.file.pe.go_imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of Go imports.
Indexed: true
threat.enrichments.indicator.file.pe.go_stripped
Type: boolean
Level: Extended
Description: Whether the file is a stripped or obfuscated Go executable.
Indexed: true
threat.enrichments.indicator.file.pe.imphash
Type: keyword
Level: Extended
Description: A hash of the imports in a PE file.
Example: 0c6803c4e922103c4dca5963aad36ddf
Indexed: true
threat.enrichments.indicator.file.pe.import_hash
Type: keyword
Level: Extended
Description: A hash of the imports in a PE file.
Example: d41d8cd98f00b204e9800998ecf8427e
Indexed: true
threat.enrichments.indicator.file.pe.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.pe.imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of imported element names and types.
Indexed: true
threat.enrichments.indicator.file.pe.imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of imported element names and types.
Indexed: true
threat.enrichments.indicator.file.pe.original_file_name
Type: keyword
Level: Extended
Description: Internal name of the file, provided at compile-time.
Example: MSPAINT.EXE
Indexed: true
threat.enrichments.indicator.file.pe.pehash
Type: keyword
Level: Extended
Description: A hash of the PE header and data from one or more PE sections.
Example: 73ff189b63cd6be375a7ff25179a38d347651975
Indexed: true
threat.enrichments.indicator.file.pe.product
Type: keyword
Level: Extended
Description: Internal product name of the file, provided at compile-time.
Example: Microsoft® Windows® Operating System
Indexed: true
threat.enrichments.indicator.file.pe.sections
Type: nested
Level: Extended
Description: Section information of the PE file.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.pe.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
threat.enrichments.indicator.file.pe.sections.name
Type: keyword
Level: Extended
Description: PE Section List name.
Indexed: true
threat.enrichments.indicator.file.pe.sections.physical_size
Type: long
Level: Extended
Description: PE Section List physical size.
Indexed: true
threat.enrichments.indicator.file.pe.sections.var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the section.
Indexed: true
threat.enrichments.indicator.file.pe.sections.virtual_size
Type: long
Level: Extended
Description: PE Section List virtual size. This is always the same as physical_size.
Indexed: true
threat.enrichments.indicator.file.size
Type: long
Level: Extended
Description: File size in bytes.
Example: 16384
Indexed: true
threat.enrichments.indicator.file.target_path
Type: keyword
Level: Extended
Description: Target path for symlinks.
Indexed: true
threat.enrichments.indicator.file.target_path.text
Type: match_only_text
Level: Extended
Description: Target path for symlinks.
Indexed: true
threat.enrichments.indicator.file.type
Type: keyword
Level: Extended
Description: File type (file, dir, or symlink).
Example: file
Indexed: true
threat.enrichments.indicator.file.uid
Type: keyword
Level: Extended
Description: The user ID (UID) or security identifier (SID) of the file owner.
Example: 1001
Indexed: true
threat.enrichments.indicator.file.x509.alternative_names
Type: keyword
Level: Extended
Description: List of subject alternative names (SAN).
Example: *.elastic.co
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.issuer.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of issuing certificate authority.
Example: Example SHA2 High Assurance Server CA
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.issuer.country
Type: keyword
Level: Extended
Description: List of country (C) codes.
Example: US
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.issuer.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of issuing certificate authority.
Example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
Indexed: true
threat.enrichments.indicator.file.x509.issuer.locality
Type: keyword
Level: Extended
Description: List of locality names (L).
Example: Mountain View
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.issuer.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of issuing certificate authority.
Example: Example Inc
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.issuer.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of issuing certificate authority.
Example: www.example.com
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.issuer.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P).
Example: California
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.not_after
Type: date
Level: Extended
Description: Time at which the certificate is no longer considered valid.
Example: 2020-07-16T03:15:39Z
Indexed: true
threat.enrichments.indicator.file.x509.not_before
Type: date
Level: Extended
Description: Time at which the certificate is first considered valid.
Example: 2019-08-16T01:40:25Z
Indexed: true
threat.enrichments.indicator.file.x509.public_key_algorithm
Type: keyword
Level: Extended
Description: Algorithm used to generate the public key.
Example: RSA
Indexed: true
threat.enrichments.indicator.file.x509.public_key_curve
Type: keyword
Level: Extended
Description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
Example: nistp521
Indexed: true
threat.enrichments.indicator.file.x509.public_key_exponent
Type: long
Level: Extended
Description: Exponent used to derive the public key. This is algorithm specific.
Example: 65537
Indexed: false
threat.enrichments.indicator.file.x509.public_key_size
Type: long
Level: Extended
Description: The size of the public key space in bits.
Example: 2048
Indexed: true
threat.enrichments.indicator.file.x509.serial_number
Type: keyword
Level: Extended
Description: Unique serial number issued by the certificate authority.
Example: 55FBB9C7DEBF09809D12CCAA
Indexed: true
threat.enrichments.indicator.file.x509.signature_algorithm
Type: keyword
Level: Extended
Description: Identifier for certificate signature algorithm.
Example: SHA256-RSA
Indexed: true
threat.enrichments.indicator.file.x509.subject.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of subject.
Example: shared.global.example.net
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.subject.country
Type: keyword
Level: Extended
Description: List of country (C) codes.
Example: US
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.subject.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of the certificate subject entity.
Example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
Indexed: true
threat.enrichments.indicator.file.x509.subject.locality
Type: keyword
Level: Extended
Description: List of locality names (L).
Example: San Francisco
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.subject.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of subject.
Example: Example, Inc.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.subject.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of subject.
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.subject.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P).
Example: California
Normalization: array
Indexed: true
threat.enrichments.indicator.file.x509.version_number
Type: keyword
Level: Extended
Description: Version of x509 format.
Example: 3
Indexed: true
threat.enrichments.indicator.first_seen
Type: date
Level: Extended
Description: Date/time indicator was first reported.
Example: 2020-11-05T17:25:47.000Z
Indexed: true
threat.enrichments.indicator.geo.city_name
Type: keyword
Level: Core
Description: City name.
Example: Montreal
Indexed: true
threat.enrichments.indicator.geo.continent_code
Type: keyword
Level: Core
Description: Continent code.
Example: NA
Indexed: true
threat.enrichments.indicator.geo.continent_name
Type: keyword
Level: Core
Description: Name of the continent.
Example: North America
Indexed: true
threat.enrichments.indicator.geo.country_iso_code
Type: keyword
Level: Core
Description: Country ISO code.
Example: CA
Indexed: true
threat.enrichments.indicator.geo.country_name
Type: keyword
Level: Core
Description: Country name.
Example: Canada
Indexed: true
threat.enrichments.indicator.geo.location
Type: geo_point
Level: Core
Description: Longitude and latitude.
Example: { "lon": -73.614830, "lat": 45.505918 }
Indexed: true
threat.enrichments.indicator.geo.name
Type: keyword
Level: Extended
Description: User-defined description of a location.
Example: boston-dc
Indexed: true
threat.enrichments.indicator.geo.postal_code
Type: keyword
Level: Core
Description: Postal code.
Example: 94040
Indexed: true
threat.enrichments.indicator.geo.region_iso_code
Type: keyword
Level: Core
Description: Region ISO code.
Example: CA-QC
Indexed: true
threat.enrichments.indicator.geo.region_name
Type: keyword
Level: Core
Description: Region name.
Example: Quebec
Indexed: true
threat.enrichments.indicator.geo.timezone
Type: keyword
Level: Core
Description: Time zone.
Example: America/Argentina/Buenos_Aires
Indexed: true
threat.enrichments.indicator.ip
Type: ip
Level: Extended
Description: Indicator IP address
Example: 1.2.3.4
Indexed: true
threat.enrichments.indicator.last_seen
Type: date
Level: Extended
Description: Date/time indicator was last reported.
Example: 2020-11-05T17:25:47.000Z
Indexed: true
threat.enrichments.indicator.marking.tlp
Type: keyword
Level: Extended
Description: Indicator TLP marking
Example: CLEAR
Indexed: true
threat.enrichments.indicator.marking.tlp_version
Type: keyword
Level: Extended
Description: Indicator TLP version
Example: 2.0
Indexed: true
threat.enrichments.indicator.modified_at
Type: date
Level: Extended
Description: Date/time indicator was last updated.
Example: 2020-11-05T17:25:47.000Z
Indexed: true
threat.enrichments.indicator.name
Type: keyword
Level: Extended
Description: Indicator display name
Example: 5.2.75.227
Indexed: true
threat.enrichments.indicator.port
Type: long
Level: Extended
Description: Indicator port
Example: 443
Indexed: true
threat.enrichments.indicator.provider
Type: keyword
Level: Extended
Description: Indicator provider
Example: lrz_urlhaus
Indexed: true
threat.enrichments.indicator.reference
Type: keyword
Level: Extended
Description: Indicator reference URL
Example: https://system.example.com/indicator/0001234
Indexed: true
threat.enrichments.indicator.registry.data.bytes
Type: keyword
Level: Extended
Description: Original bytes written with base64 encoding.
Example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
Indexed: true
threat.enrichments.indicator.registry.data.strings
Type: wildcard
Level: Core
Description: List of strings representing what was written to the registry.
Example: ["C:\rta\red_ttp\bin\myapp.exe"]
Normalization: array
Indexed: true
threat.enrichments.indicator.registry.data.type
Type: keyword
Level: Core
Description: Standard registry type for encoding contents
Example: REG_SZ
Indexed: true
threat.enrichments.indicator.registry.hive
Type: keyword
Level: Core
Description: Abbreviated name for the hive.
Example: HKLM
Indexed: true
threat.enrichments.indicator.registry.key
Type: keyword
Level: Core
Description: Hive-relative path of keys.
Example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
Indexed: true
threat.enrichments.indicator.registry.path
Type: keyword
Level: Core
Description: Full path, including hive, key and value
Example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
Indexed: true
threat.enrichments.indicator.registry.value
Type: keyword
Level: Core
Description: Name of the value written.
Example: Debugger
Indexed: true
threat.enrichments.indicator.scanner_stats
Type: long
Level: Extended
Description: Scanner statistics
Example: 4
Indexed: true
threat.enrichments.indicator.sightings
Type: long
Level: Extended
Description: Number of times indicator observed
Example: 20
Indexed: true
threat.enrichments.indicator.type
Type: keyword
Level: Extended
Description: Type of indicator
Example: ipv4-addr
Indexed: true
threat.enrichments.indicator.url.domain
Type: keyword
Level: Extended
Description: Domain of the url.
Example: www.elastic.co
Indexed: true
threat.enrichments.indicator.url.extension
Type: keyword
Level: Extended
Description: File extension from the request url, excluding the leading dot.
Example: png
Indexed: true
threat.enrichments.indicator.url.fragment
Type: keyword
Level: Extended
Description: Portion of the url after the #.
Indexed: true
threat.enrichments.indicator.url.full
Type: wildcard
Level: Extended
Description: Full unparsed URL.
Example: https://www.elastic.co:443/search?q=elasticsearch#top
Indexed: true
threat.enrichments.indicator.url.full.text
Type: match_only_text
Level: Extended
Description: Full unparsed URL.
Example: https://www.elastic.co:443/search?q=elasticsearch#top
Indexed: true
threat.enrichments.indicator.url.original
Type: wildcard
Level: Extended
Description: Unmodified original url as seen in the event source.
Example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
Indexed: true
threat.enrichments.indicator.url.original.text
Type: match_only_text
Level: Extended
Description: Unmodified original url as seen in the event source.
Example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
Indexed: true
threat.enrichments.indicator.url.password
Type: keyword
Level: Extended
Description: Password of the request.
Indexed: true
threat.enrichments.indicator.url.path
Type: wildcard
Level: Extended
Description: Path of the request, such as "/search".
Indexed: true
threat.enrichments.indicator.url.port
Type: long
Level: Extended
Description: Port of the request, such as 443.
Example: 443
Indexed: true
threat.enrichments.indicator.url.query
Type: keyword
Level: Extended
Description: Query string of the request.
Indexed: true
threat.enrichments.indicator.url.registered_domain
Type: keyword
Level: Extended
Description: The highest registered url domain, stripped of the subdomain.
Example: example.com
Indexed: true
threat.enrichments.indicator.url.scheme
Type: keyword
Level: Extended
Description: Scheme of the url.
Example: https
Indexed: true
threat.enrichments.indicator.url.subdomain
Type: keyword
Level: Extended
Description: The subdomain of the domain.
Example: east
Indexed: true
threat.enrichments.indicator.url.top_level_domain
Type: keyword
Level: Extended
Description: The effective top level domain (com, org, net, co.uk).
Example: co.uk
Indexed: true
threat.enrichments.indicator.url.username
Type: keyword
Level: Extended
Description: Username of the request.
Indexed: true
threat.enrichments.indicator.x509.alternative_names
Type: keyword
Level: Extended
Description: List of subject alternative names (SAN).
Example: *.elastic.co
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.issuer.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of issuing certificate authority.
Example: Example SHA2 High Assurance Server CA
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.issuer.country
Type: keyword
Level: Extended
Description: List of country (C) codes.
Example: US
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.issuer.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of issuing certificate authority.
Example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
Indexed: true
threat.enrichments.indicator.x509.issuer.locality
Type: keyword
Level: Extended
Description: List of locality names (L).
Example: Mountain View
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.issuer.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of issuing certificate authority.
Example: Example Inc
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.issuer.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of issuing certificate authority.
Example: www.example.com
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.issuer.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P).
Example: California
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.not_after
Type: date
Level: Extended
Description: Time at which the certificate is no longer considered valid.
Example: 2020-07-16T03:15:39Z
Indexed: true
threat.enrichments.indicator.x509.not_before
Type: date
Level: Extended
Description: Time at which the certificate is first considered valid.
Example: 2019-08-16T01:40:25Z
Indexed: true
threat.enrichments.indicator.x509.public_key_algorithm
Type: keyword
Level: Extended
Description: Algorithm used to generate the public key.
Example: RSA
Indexed: true
threat.enrichments.indicator.x509.public_key_curve
Type: keyword
Level: Extended
Description: The curve used by the elliptic curve public key algorithm. This is algorithm specific.
Example: nistp521
Indexed: true
threat.enrichments.indicator.x509.public_key_exponent
Type: long
Level: Extended
Description: Exponent used to derive the public key. This is algorithm specific.
Example: 65537
Indexed: false
threat.enrichments.indicator.x509.public_key_size
Type: long
Level: Extended
Description: The size of the public key space in bits.
Example: 2048
Indexed: true
threat.enrichments.indicator.x509.serial_number
Type: keyword
Level: Extended
Description: Unique serial number issued by the certificate authority.
Example: 55FBB9C7DEBF09809D12CCAA
Indexed: true
threat.enrichments.indicator.x509.signature_algorithm
Type: keyword
Level: Extended
Description: Identifier for certificate signature algorithm.
Example: SHA256-RSA
Indexed: true
threat.enrichments.indicator.x509.subject.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of subject.
Example: shared.global.example.net
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.subject.country
Type: keyword
Level: Extended
Description: List of country (C) codes.
Example: US
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.subject.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of the certificate subject entity.
Example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
Indexed: true
threat.enrichments.indicator.x509.subject.locality
Type: keyword
Level: Extended
Description: List of locality names (L).
Example: San Francisco
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.subject.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of subject.
Example: Example, Inc.
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.subject.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of subject.
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.subject.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P).
Example: California
Normalization: array
Indexed: true
threat.enrichments.indicator.x509.version_number
Type: keyword
Level: Extended
Description: Version of x509 format.
Example: 3
Indexed: true
threat.enrichments.matched.atomic
Type: keyword
Level: Extended
Description: Matched indicator value
Example: bad-domain.com
Indexed: true
threat.enrichments.matched.field
Type: keyword
Level: Extended
Description: Matched indicator field
Example: file.hash.sha256
Indexed: true
threat.enrichments.matched.id
Type: keyword
Level: Extended
Description: Matched indicator identifier
Example: ff93aee5-86a1-4a61-b0e6-0cdc313d01b5
Indexed: true
threat.enrichments.matched.index
Type: keyword
Level: Extended
Description: Matched indicator index
Example: filebeat-8.0.0-2021.05.23-000011
Indexed: true
threat.enrichments.matched.occurred
Type: date
Level: Extended
Description: Date of match
Example: 2021-10-05T17:00:58.326Z
Indexed: true
threat.enrichments.matched.type
Type: keyword
Level: Extended
Description: Type of indicator match
Example: indicator_match_rule
Indexed: true
threat.feed.dashboard_id
Type: keyword
Level: Extended
Description: Feed dashboard ID.
Example: 5ba16340-72e6-11eb-a3e3-b3cc7c78a70f
Indexed: true
threat.feed.description
Type: keyword
Level: Extended
Description: Description of the threat feed.
Example: Threat feed from the AlienVault Open Threat eXchange network.
Indexed: true
threat.feed.name
Type: keyword
Level: Extended
Description: Name of the threat feed.
Example: AlienVault OTX
Indexed: true
threat.feed.reference
Type: keyword
Level: Extended
Description: Reference for the threat feed.
Example: https://otx.alienvault.com
Indexed: true
threat.framework
Type: keyword
Level: Extended
Description: Threat classification framework.
Example: MITRE ATT&CK
Indexed: true
threat.group.alias
Type: keyword
Level: Extended
Description: Alias of the group.
Example: [ "Magecart Group 6" ]
Normalization: array
Indexed: true
threat.group.id
Type: keyword
Level: Extended
Description: ID of the group.
Example: G0037
Indexed: true
threat.group.name
Type: keyword
Level: Extended
Description: Name of the group.
Example: FIN6
Indexed: true
threat.group.reference
Type: keyword
Level: Extended
Description: Reference URL of the group.
Example: https://attack.mitre.org/groups/G0037/
Indexed: true
threat.indicator.as.number
Type: long
Level: Extended
Description: Unique number allocated to the autonomous system.
Example: 15169
Indexed: true
threat.indicator.as.organization.name
Type: keyword
Level: Extended
Description: Organization name.
Example: Google LLC
Indexed: true
threat.indicator.as.organization.name.text
Type: match_only_text
Level: Extended
Description: Organization name.
Example: Google LLC
Indexed: true
threat.indicator.confidence
Type: keyword
Level: Extended
Description: Indicator confidence rating
Example: Medium
Indexed: true
threat.indicator.description
Type: keyword
Level: Extended
Description: Indicator description
Example: IP x.x.x.x was observed delivering the Angler EK.
Indexed: true
threat.indicator.email.address
Type: keyword
Level: Extended
Description: Indicator email address
Example: [email protected]
Indexed: true
threat.indicator.file.accessed
Type: date
Level: Extended
Description: Last time the file was accessed.
Indexed: true
threat.indicator.file.attributes
Type: keyword
Level: Extended
Description: Array of file attributes.
Example: ["readonly", "system"]
Normalization: array
Indexed: true
threat.indicator.file.code_signature.digest_algorithm
Type: keyword
Level: Extended
Description: Hashing algorithm used to sign the process.
Example: sha256
Indexed: true
threat.indicator.file.code_signature.exists
Type: boolean
Level: Core
Description: Boolean to capture if a signature is present.
Example: true
Indexed: true
threat.indicator.file.code_signature.flags
Type: keyword
Level: Extended
Description: Code signing flags of the process
Example: 570522385
Indexed: true
threat.indicator.file.code_signature.signing_id
Type: keyword
Level: Extended
Description: The identifier used to sign the process.
Example: com.apple.xpc.proxy
Indexed: true
threat.indicator.file.code_signature.status
Type: keyword
Level: Extended
Description: Additional information about the certificate status.
Example: ERROR_UNTRUSTED_ROOT
Indexed: true
threat.indicator.file.code_signature.subject_name
Type: keyword
Level: Core
Description: Subject name of the code signer
Example: Microsoft Corporation
Indexed: true
threat.indicator.file.code_signature.team_id
Type: keyword
Level: Extended
Description: The team identifier used to sign the process.
Example: EQHXZ8M8AV
Indexed: true
threat.indicator.file.code_signature.timestamp
Type: date
Level: Extended
Description: When the signature was generated and signed.
Example: 2021-01-01T12:10:30Z
Indexed: true
threat.indicator.file.code_signature.trusted
Type: boolean
Level: Extended
Description: Stores the trust status of the certificate chain.
Example: true
Indexed: true
threat.indicator.file.code_signature.valid
Type: boolean
Level: Extended
Description: Boolean to capture if the digital signature is verified against the binary content.
Example: true
Indexed: true
threat.indicator.file.created
Type: date
Level: Extended
Description: File creation time.
Indexed: true
threat.indicator.file.ctime
Type: date
Level: Extended
Description: Last time the file attributes or metadata changed.
Indexed: true
threat.indicator.file.device
Type: keyword
Level: Extended
Description: Device that is the source of the file.
Example: sda
Indexed: true
threat.indicator.file.directory
Type: keyword
Level: Extended
Description: Directory where the file is located.
Example: /home/alice
Indexed: true
threat.indicator.file.drive_letter
Type: keyword
Level: Extended
Description: Drive letter where the file is located.
Example: C
Indexed: true
threat.indicator.file.elf.architecture
Type: keyword
Level: Extended
Description: Machine architecture of the ELF file.
Example: x86-64
Indexed: true
threat.indicator.file.elf.byte_order
Type: keyword
Level: Extended
Description: Byte sequence of ELF file.
Example: Little Endian
Indexed: true
threat.indicator.file.elf.cpu_type
Type: keyword
Level: Extended
Description: CPU type of the ELF file.
Example: Intel
Indexed: true
threat.indicator.file.elf.creation_date
Type: date
Level: Extended
Description: Build or compile date.
Indexed: true
threat.indicator.file.elf.exports
Type: flattened
Level: Extended
Description: List of exported element names and types.
Normalization: array
Indexed: true
threat.indicator.file.elf.go_import_hash
Type: keyword
Level: Extended
Description: A hash of the Go language imports in an ELF file.
Example: 10bddcb4cee42080f76c88d9ff964491
Indexed: true
threat.indicator.file.elf.go_imports
Type: flattened
Level: Extended
Description: List of imported Go language element names and types.
Indexed: true
threat.indicator.file.elf.go_imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of Go imports.
Indexed: true
threat.indicator.file.elf.go_imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of Go imports.
Indexed: true
threat.indicator.file.elf.go_stripped
Type: boolean
Level: Extended
Description: Whether the file is a stripped or obfuscated Go executable.
Indexed: true
threat.indicator.file.elf.header.abi_version
Type: keyword
Level: Extended
Description: Version of the ELF Application Binary Interface (ABI).
Indexed: true
threat.indicator.file.elf.header.class
Type: keyword
Level: Extended
Description: Header class of the ELF file.
Indexed: true
threat.indicator.file.elf.header.data
Type: keyword
Level: Extended
Description: Data table of the ELF header.
Indexed: true
threat.indicator.file.elf.header.entrypoint
Type: long
Level: Extended
Description: Header entrypoint of the ELF file.
Indexed: true
threat.indicator.file.elf.header.object_version
Type: keyword
Level: Extended
Description: "0x1" for original ELF files.
Indexed: true
threat.indicator.file.elf.header.os_abi
Type: keyword
Level: Extended
Description: Application Binary Interface (ABI) of the Linux OS.
Indexed: true
threat.indicator.file.elf.header.type
Type: keyword
Level: Extended
Description: Header type of the ELF file.
Indexed: true
threat.indicator.file.elf.header.version
Type: keyword
Level: Extended
Description: Version of the ELF header.
Indexed: true
threat.indicator.file.elf.import_hash
Type: keyword
Level: Extended
Description: A hash of the imports in an ELF file.
Example: d41d8cd98f00b204e9800998ecf8427e
Indexed: true
threat.indicator.file.elf.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
threat.indicator.file.elf.imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of imported element names and types.
Indexed: true
threat.indicator.file.elf.imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of imported element names and types.
Indexed: true
threat.indicator.file.elf.sections
Type: nested
Level: Extended
Description: Section information of the ELF file.
Normalization: array
Indexed: true
threat.indicator.file.elf.sections.chi2
Type: long
Level: Extended
Description: Chi-square probability distribution of the section.
Indexed: true
threat.indicator.file.elf.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
threat.indicator.file.elf.sections.flags
Type: keyword
Level: Extended
Description: ELF Section List flags.
Indexed: true
threat.indicator.file.elf.sections.name
Type: keyword
Level: Extended
Description: ELF Section List name.
Indexed: true
threat.indicator.file.elf.sections.physical_offset
Type: keyword
Level: Extended
Description: ELF Section List offset.
Indexed: true
threat.indicator.file.elf.sections.physical_size
Type: long
Level: Extended
Description: ELF Section List physical size.
Indexed: true
threat.indicator.file.elf.sections.type
Type: keyword
Level: Extended
Description: ELF Section List type.
Indexed: true
threat.indicator.file.elf.sections.var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the section.
Indexed: true
threat.indicator.file.elf.sections.virtual_address
Type: long
Level: Extended
Description: ELF Section List virtual address.
Indexed: true
threat.indicator.file.elf.sections.virtual_size
Type: long
Level: Extended
Description: ELF Section List virtual size.
Indexed: true
threat.indicator.file.elf.segments
Type: nested
Level: Extended
Description: ELF object segment list.
Normalization: array
Indexed: true
threat.indicator.file.elf.segments.sections
Type: keyword
Level: Extended
Description: ELF object segment sections.
Indexed: true
threat.indicator.file.elf.segments.type
Type: keyword
Level: Extended
Description: ELF object segment type.
Indexed: true
threat.indicator.file.elf.shared_libraries
Type: keyword
Level: Extended
Description: List of shared libraries used by this ELF object.
Normalization: array
Indexed: true
threat.indicator.file.elf.telfhash
Type: keyword
Level: Extended
Description: telfhash hash for ELF file.
Indexed: true
threat.indicator.file.extension
Type: keyword
Level: Extended
Description: File extension, excluding the leading dot.
Example: png
Indexed: true
threat.indicator.file.fork_name
Type: keyword
Level: Extended
Description: A fork is additional data associated with a filesystem object.
Example: Zone.Identifier
Indexed: true
threat.indicator.file.gid
Type: keyword
Level: Extended
Description: Primary group ID (GID) of the file.
Example: 1001
Indexed: true
threat.indicator.file.group
Type: keyword
Level: Extended
Description: Primary group name of the file.
Example: alice
Indexed: true
threat.indicator.file.hash.cdhash
Type: keyword
Level: Extended
Description: The Code Directory (CD) hash of an executable.
Example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
Indexed: true
threat.indicator.file.hash.md5
Type: keyword
Level: Extended
Description: MD5 hash.
Indexed: true
threat.indicator.file.hash.sha1
Type: keyword
Level: Extended
Description: SHA1 hash.
Indexed: true
threat.indicator.file.hash.sha256
Type: keyword
Level: Extended
Description: SHA256 hash.
Indexed: true
threat.indicator.file.hash.sha384
Type: keyword
Level: Extended
Description: SHA384 hash.
Indexed: true
threat.indicator.file.hash.sha512
Type: keyword
Level: Extended
Description: SHA512 hash.
Indexed: true
threat.indicator.file.hash.ssdeep
Type: keyword
Level: Extended
Description: SSDEEP hash.
Indexed: true
threat.indicator.file.hash.tlsh
Type: keyword
Level: Extended
Description: TLSH hash.
Indexed: true
threat.indicator.file.inode
Type: keyword
Level: Extended
Description: Inode representing the file in the filesystem.
Example: 256383
Indexed: true
threat.indicator.file.mime_type
Type: keyword
Level: Extended
Description: Media type of file, document, or arrangement of bytes.
Indexed: true
threat.indicator.file.mode
Type: keyword
Level: Extended
Description: Mode of the file in octal representation.
Example: 0640
Indexed: true
threat.indicator.file.mtime
Type: date
Level: Extended
Description: Last time the file content was modified.
Indexed: true
threat.indicator.file.name
Type: keyword
Level: Extended
Description: Name of the file including the extension, without the directory.
Example: example.png
Indexed: true
threat.indicator.file.owner
Type: keyword
Level: Extended
Description: File owner's username.
Example: alice
Indexed: true
threat.indicator.file.path
Type: keyword
Level: Extended
Description: Full path to the file, including the file name.
Example: /home/alice/example.png
Indexed: true
threat.indicator.file.path.text
Type: match_only_text
Level: Extended
Description: Full path to the file, including the file name.
Example: /home/alice/example.png
Indexed: true
threat.indicator.file.pe.architecture
Type: keyword
Level: Extended
Description: CPU architecture target for the file.
Example: x64
Indexed: true
threat.indicator.file.pe.company
Type: keyword
Level: Extended
Description: Internal company name of the file, provided at compile-time.
Example: Microsoft Corporation
Indexed: true
threat.indicator.file.pe.description
Type: keyword
Level: Extended
Description: Internal description of the file, provided at compile-time.
Example: Paint
Indexed: true
threat.indicator.file.pe.file_version
Type: keyword
Level: Extended
Description: Internal version of the file, provided at compile-time.
Example: 6.3.9600.17415
Indexed: true
threat.indicator.file.pe.go_import_hash
Type: keyword
Level: Extended
Description: A hash of the Go language imports in a PE file.
Example: 10bddcb4cee42080f76c88d9ff964491
Indexed: true
threat.indicator.file.pe.go_imports
Type: flattened
Level: Extended
Description: List of imported Go language element names and types.
Indexed: true
threat.indicator.file.pe.go_imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of Go imports.
Indexed: true
threat.indicator.file.pe.go_imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of Go imports.
Indexed: true
threat.indicator.file.pe.go_stripped
Type: boolean
Level: Extended
Description: Whether the file is a stripped or obfuscated Go executable.
Indexed: true
threat.indicator.file.pe.imphash
Type: keyword
Level: Extended
Description: A hash of the imports in a PE file.
Example: 0c6803c4e922103c4dca5963aad36ddf
Indexed: true
threat.indicator.file.pe.import_hash
Type: keyword
Level: Extended
Description: A hash of the imports in a PE file.
Example: d41d8cd98f00b204e9800998ecf8427e
Indexed: true
threat.indicator.file.pe.imports
Type: flattened
Level: Extended
Description: List of imported element names and types.
Normalization: array
Indexed: true
threat.indicator.file.pe.imports_names_entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the list of imported element names and types.
Indexed: true
threat.indicator.file.pe.imports_names_var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the list of imported element names and types.
Indexed: true
threat.indicator.file.pe.original_file_name
Type: keyword
Level: Extended
Description: Internal name of the file, provided at compile-time.
Example: MSPAINT.EXE
Indexed: true
threat.indicator.file.pe.pehash
Type: keyword
Level: Extended
Description: A hash of the PE header and data from one or more PE sections.
Example: 73ff189b63cd6be375a7ff25179a38d347651975
Indexed: true
threat.indicator.file.pe.product
Type: keyword
Level: Extended
Description: Internal product name of the file, provided at compile-time.
Example: Microsoft® Windows® Operating System
Indexed: true
threat.indicator.file.pe.sections
Type: nested
Level: Extended
Description: Section information of the PE file.
Normalization: array
Indexed: true
threat.indicator.file.pe.sections.entropy
Type: long
Level: Extended
Description: Shannon entropy calculation from the section.
Indexed: true
threat.indicator.file.pe.sections.name
Type: keyword
Level: Extended
Description: PE Section List name.
Indexed: true
threat.indicator.file.pe.sections.physical_size
Type: long
Level: Extended
Description: PE Section List physical size.
Indexed: true
threat.indicator.file.pe.sections.var_entropy
Type: long
Level: Extended
Description: Variance for Shannon entropy calculation from the section.
Indexed: true
threat.indicator.file.pe.sections.virtual_size
Type: long
Level: Extended
Description: PE Section List virtual size. This is always the same as physical_size.
Indexed: true
threat.indicator.file.size
Type: long
Level: Extended
Description: File size in bytes.
Example: 16384
Indexed: true
threat.indicator.file.target_path
Type: keyword
Level: Extended
Description: Target path for symlinks.
Indexed: true
threat.indicator.file.target_path.text
Type: match_only_text
Level: Extended
Description: Target path for symlinks.
Indexed: true
threat.indicator.file.type
Type: keyword
Level: Extended
Description: File type (file, dir, or symlink).
Example: file
Indexed: true
threat.indicator.file.uid
Type: keyword
Level: Extended
Description: The user ID (UID) or security identifier (SID) of the file owner.
Example: 1001
Indexed: true
threat.indicator.file.x509.alternative_names
Type: keyword
Level: Extended
Description: List of subject alternative names (SAN).
Example: *.elastic.co
Normalization: array
Indexed: true
threat.indicator.file.x509.issuer.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of the issuing certificate authority.
Example: Example SHA2 High Assurance Server CA
Normalization: array
Indexed: true
threat.indicator.file.x509.issuer.country
Type: keyword
Level: Extended
Description: List of country (C) codes.
Example: US
Normalization: array
Indexed: true
threat.indicator.file.x509.issuer.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of issuing certificate authority.
Example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
Indexed: true
threat.indicator.file.x509.issuer.locality
Type: keyword
Level: Extended
Description: List of locality names (L).
Example: Mountain View
Normalization: array
Indexed: true
threat.indicator.file.x509.issuer.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of issuing certificate authority.
Example: Example Inc
Normalization: array
Indexed: true
threat.indicator.file.x509.issuer.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of issuing certificate authority.
Example: www.example.com
Normalization: array
Indexed: true
threat.indicator.file.x509.issuer.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P).
Example: California
Normalization: array
Indexed: true
threat.indicator.file.x509.not_after
Type: date
Level: Extended
Description: Time at which the certificate is no longer considered valid.
Example: 2020-07-16T03:15:39Z
Indexed: true
threat.indicator.file.x509.not_before
Type: date
Level: Extended
Description: Time at which the certificate is first considered valid.
Example: 2019-08-16T01:40:25Z
Indexed: true
threat.indicator.file.x509.public_key_algorithm
Type: keyword
Level: Extended
Description: Algorithm used to generate the public key.
Example: RSA
Indexed: true
threat.indicator.file.x509.public_key_curve
Type: keyword
Level: Extended
Description: The curve used by the elliptic curve public key algorithm. This is algorithm-specific.
Example: nistp521
Indexed: true
threat.indicator.file.x509.public_key_exponent
Type: long
Level: Extended
Description: Exponent used to derive the public key. This is algorithm-specific.
Example: 65537
Indexed: false
threat.indicator.file.x509.public_key_size
Type: long
Level: Extended
Description: The size of the public key space in bits.
Example: 2048
Indexed: true
threat.indicator.file.x509.serial_number
Type: keyword
Level: Extended
Description: Unique serial number issued by the certificate authority.
Example: 55FBB9C7DEBF09809D12CCAA
Indexed: true
threat.indicator.file.x509.signature_algorithm
Type: keyword
Level: Extended
Description: Identifier for certificate signature algorithm.
Example: SHA256-RSA
Indexed: true
threat.indicator.file.x509.subject.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of subject.
Example: shared.global.example.net
Normalization: array
Indexed: true
threat.indicator.file.x509.subject.country
Type: keyword
Level: Extended
Description: List of country (C) codes.
Example: US
Normalization: array
Indexed: true
threat.indicator.file.x509.subject.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of the certificate subject entity.
Example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
Indexed: true
threat.indicator.file.x509.subject.locality
Type: keyword
Level: Extended
Description: List of locality names (L).
Example: San Francisco
Normalization: array
Indexed: true
threat.indicator.file.x509.subject.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of subject.
Example: Example, Inc.
Normalization: array
Indexed: true
threat.indicator.file.x509.subject.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of subject.
Normalization: array
Indexed: true
threat.indicator.file.x509.subject.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P).
Example: California
Normalization: array
Indexed: true
threat.indicator.file.x509.version_number
Type: keyword
Level: Extended
Description: Version of the X.509 format.
Example: 3
Indexed: true
threat.indicator.first_seen
Type: date
Level: Extended
Description: Date/time indicator was first reported.
Example: 2020-11-05T17:25:47.000Z
Indexed: true
threat.indicator.geo.city_name
Type: keyword
Level: Core
Description: City name.
Example: Montreal
Indexed: true
threat.indicator.geo.continent_code
Type: keyword
Level: Core
Description: Continent code.
Example: NA
Indexed: true
threat.indicator.geo.continent_name
Type: keyword
Level: Core
Description: Name of the continent.
Example: North America
Indexed: true
threat.indicator.geo.country_iso_code
Type: keyword
Level: Core
Description: Country ISO code.
Example: CA
Indexed: true
threat.indicator.geo.country_name
Type: keyword
Level: Core
Description: Country name.
Example: Canada
Indexed: true
threat.indicator.geo.location
Type: geo_point
Level: Core
Description: Longitude and latitude.
Example: { "lon": -73.614830, "lat": 45.505918 }
Indexed: true
threat.indicator.geo.name
Type: keyword
Level: Extended
Description: User-defined description of a location.
Example: boston-dc
Indexed: true
threat.indicator.geo.postal_code
Type: keyword
Level: Core
Description: Postal code.
Example: 94040
Indexed: true
threat.indicator.geo.region_iso_code
Type: keyword
Level: Core
Description: Region ISO code.
Example: CA-QC
Indexed: true
threat.indicator.geo.region_name
Type: keyword
Level: Core
Description: Region name.
Example: Quebec
Indexed: true
threat.indicator.geo.timezone
Type: keyword
Level: Core
Description: Time zone.
Example: America/Argentina/Buenos_Aires
Indexed: true
threat.indicator.id
Type: keyword
Level: Extended
Description: ID of the indicator.
Example: [indicator--d7008e06-ab86-415a-9803-3c81ce2d3c37]
Normalization: array
Indexed: true
threat.indicator.ip
Type: ip
Level: Extended
Description: Indicator IP address.
Example: 1.2.3.4
Indexed: true
threat.indicator.last_seen
Type: date
Level: Extended
Description: Date/time indicator was last reported.
Example: 2020-11-05T17:25:47.000Z
Indexed: true
threat.indicator.marking.tlp
Type: keyword
Level: Extended
Description: Indicator TLP marking.
Example: CLEAR
Indexed: true
threat.indicator.marking.tlp_version
Type: keyword
Level: Extended
Description: Indicator TLP version.
Example: 2.0
Indexed: true
threat.indicator.modified_at
Type: date
Level: Extended
Description: Date/time indicator was last updated.
Example: 2020-11-05T17:25:47.000Z
Indexed: true
threat.indicator.name
Type: keyword
Level: Extended
Description: Indicator display name.
Example: 5.2.75.227
Indexed: true
threat.indicator.port
Type: long
Level: Extended
Description: Indicator port.
Example: 443
Indexed: true
threat.indicator.provider
Type: keyword
Level: Extended
Description: Indicator provider.
Example: lrz_urlhaus
Indexed: true
threat.indicator.reference
Type: keyword
Level: Extended
Description: Indicator reference URL.
Example: https://system.example.com/indicator/0001234
Indexed: true
threat.indicator.registry.data.bytes
Type: keyword
Level: Extended
Description: Original bytes written with base64 encoding.
Example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA=
Indexed: true
threat.indicator.registry.data.strings
Type: wildcard
Level: Core
Description: List of strings representing what was written to the registry.
Example: ["C:\rta\red_ttp\bin\myapp.exe"]
Normalization: array
Indexed: true
threat.indicator.registry.data.type
Type: keyword
Level: Core
Description: Standard registry type for encoding contents.
Example: REG_SZ
Indexed: true
threat.indicator.registry.hive
Type: keyword
Level: Core
Description: Abbreviated name for the hive.
Example: HKLM
Indexed: true
threat.indicator.registry.key
Type: keyword
Level: Core
Description: Hive-relative path of keys.
Example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
Indexed: true
threat.indicator.registry.path
Type: keyword
Level: Core
Description: Full path, including hive, key and value.
Example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
Indexed: true
threat.indicator.registry.value
Type: keyword
Level: Core
Description: Name of the value written.
Example: Debugger
Indexed: true
threat.indicator.scanner_stats
Type: long
Level: Extended
Description: Scanner statistics.
Example: 4
Indexed: true
threat.indicator.sightings
Type: long
Level: Extended
Description: Number of times the indicator was observed.
Example: 20
Indexed: true
threat.indicator.type
Type: keyword
Level: Extended
Description: Type of indicator.
Example: ipv4-addr
Indexed: true
threat.indicator.url.domain
Type: keyword
Level: Extended
Description: Domain of the URL.
Example: www.elastic.co
Indexed: true
threat.indicator.url.extension
Type: keyword
Level: Extended
Description: File extension from the request URL, excluding the leading dot.
Example: png
Indexed: true
threat.indicator.url.fragment
Type: keyword
Level: Extended
Description: Portion of the URL after the #.
Indexed: true
threat.indicator.url.full
Type: wildcard
Level: Extended
Description: Full unparsed URL.
Example: https://www.elastic.co:443/search?q=elasticsearch#top
Indexed: true
threat.indicator.url.full.text
Type: match_only_text
Level: Extended
Description: Full unparsed URL.
Example: https://www.elastic.co:443/search?q=elasticsearch#top
Indexed: true
threat.indicator.url.original
Type: wildcard
Level: Extended
Description: Unmodified original URL as seen in the event source.
Example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
Indexed: true
threat.indicator.url.original.text
Type: match_only_text
Level: Extended
Description: Unmodified original URL as seen in the event source.
Example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
Indexed: true
threat.indicator.url.password
Type: keyword
Level: Extended
Description: Password of the request.
Indexed: true
threat.indicator.url.path
Type: wildcard
Level: Extended
Description: Path of the request, such as "/search".
Indexed: true
threat.indicator.url.port
Type: long
Level: Extended
Description: Port of the request, such as 443.
Example: 443
Indexed: true
threat.indicator.url.query
Type: keyword
Level: Extended
Description: Query string of the request.
Indexed: true
threat.indicator.url.registered_domain
Type: keyword
Level: Extended
Description: The highest registered URL domain, stripped of the subdomain.
Example: example.com
Indexed: true
threat.indicator.url.scheme
Type: keyword
Level: Extended
Description: Scheme of the URL.
Example: https
Indexed: true
threat.indicator.url.subdomain
Type: keyword
Level: Extended
Description: The subdomain of the domain.
Example: east
Indexed: true
threat.indicator.url.top_level_domain
Type: keyword
Level: Extended
Description: The effective top level domain (com, org, net, co.uk).
Example: co.uk
Indexed: true
threat.indicator.url.username
Type: keyword
Level: Extended
Description: Username of the request.
Indexed: true
threat.indicator.x509.alternative_names
Type: keyword
Level: Extended
Description: List of subject alternative names (SAN).
Example: *.elastic.co
Normalization: array
Indexed: true
threat.indicator.x509.issuer.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of the issuing certificate authority.
Example: Example SHA2 High Assurance Server CA
Normalization: array
Indexed: true
threat.indicator.x509.issuer.country
Type: keyword
Level: Extended
Description: List of country (C) codes.
Example: US
Normalization: array
Indexed: true
threat.indicator.x509.issuer.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of issuing certificate authority.
Example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA
Indexed: true
threat.indicator.x509.issuer.locality
Type: keyword
Level: Extended
Description: List of locality names (L).
Example: Mountain View
Normalization: array
Indexed: true
threat.indicator.x509.issuer.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of issuing certificate authority.
Example: Example Inc
Normalization: array
Indexed: true
threat.indicator.x509.issuer.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of issuing certificate authority.
Example: www.example.com
Normalization: array
Indexed: true
threat.indicator.x509.issuer.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P).
Example: California
Normalization: array
Indexed: true
threat.indicator.x509.not_after
Type: date
Level: Extended
Description: Time at which the certificate is no longer considered valid.
Example: 2020-07-16T03:15:39Z
Indexed: true
threat.indicator.x509.not_before
Type: date
Level: Extended
Description: Time at which the certificate is first considered valid.
Example: 2019-08-16T01:40:25Z
Indexed: true
threat.indicator.x509.public_key_algorithm
Type: keyword
Level: Extended
Description: Algorithm used to generate the public key.
Example: RSA
Indexed: true
threat.indicator.x509.public_key_curve
Type: keyword
Level: Extended
Description: The curve used by the elliptic curve public key algorithm. This is algorithm-specific.
Example: nistp521
Indexed: true
threat.indicator.x509.public_key_exponent
Type: long
Level: Extended
Description: Exponent used to derive the public key. This is algorithm-specific.
Example: 65537
Indexed: false
threat.indicator.x509.public_key_size
Type: long
Level: Extended
Description: The size of the public key space in bits.
Example: 2048
Indexed: true
threat.indicator.x509.serial_number
Type: keyword
Level: Extended
Description: Unique serial number issued by the certificate authority.
Example: 55FBB9C7DEBF09809D12CCAA
Indexed: true
threat.indicator.x509.signature_algorithm
Type: keyword
Level: Extended
Description: Identifier for certificate signature algorithm.
Example: SHA256-RSA
Indexed: true
threat.indicator.x509.subject.common_name
Type: keyword
Level: Extended
Description: List of common names (CN) of subject.
Example: shared.global.example.net
Normalization: array
Indexed: true
threat.indicator.x509.subject.country
Type: keyword
Level: Extended
Description: List of country (C) codes.
Example: US
Normalization: array
Indexed: true
threat.indicator.x509.subject.distinguished_name
Type: keyword
Level: Extended
Description: Distinguished name (DN) of the certificate subject entity.
Example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net
Indexed: true
threat.indicator.x509.subject.locality
Type: keyword
Level: Extended
Description: List of locality names (L).
Example: San Francisco
Normalization: array
Indexed: true
threat.indicator.x509.subject.organization
Type: keyword
Level: Extended
Description: List of organizations (O) of subject.
Example: Example, Inc.
Normalization: array
Indexed: true
threat.indicator.x509.subject.organizational_unit
Type: keyword
Level: Extended
Description: List of organizational units (OU) of subject.
Normalization: array
Indexed: true
threat.indicator.x509.subject.state_or_province
Type: keyword
Level: Extended
Description: List of state or province names (ST, S, or P).
Example: California
Normalization: array
Indexed: true
threat.indicator.x509.version_number
Type: keyword
Level: Extended
Description: Version of the X.509 format.
Example: 3
Indexed: true
threat.software.alias
Type: keyword
Level: Extended
Description: Alias of the software.
Example: [ "X-Agent" ]
Normalization: array
Indexed: true
threat.software.id
Type: keyword
Level: Extended
Description: ID of the software.
Example: S0552
Indexed: true
threat.software.name
Type: keyword
Level: Extended
Description: Name of the software.
Example: AdFind
Indexed: true
threat.software.platforms
Type: keyword
Level: Extended
Description: Platforms of the software.
Example: [ "Windows" ]
Normalization: array
Indexed: true
threat.software.reference
Type: keyword
Level: Extended
Description: Software reference URL.
Example: https://attack.mitre.org/software/S0552/
Indexed: true
threat.software.type
Type: keyword
Level: Extended
Description: Software type.
Example: Tool
Indexed: true
threat.tactic.id
Type: keyword
Level: Extended
Description: Threat tactic ID.
Example: TA0002
Normalization: array
Indexed: true
threat.tactic.name
Type: keyword
Level: Extended
Description: Threat tactic.
Example: Execution
Normalization: array
Indexed: true
threat.tactic.reference
Type: keyword
Level: Extended
Description: Threat tactic URL reference.
Example: https://attack.mitre.org/tactics/TA0002/
Normalization: array
Indexed: true
threat.technique.id
Type: keyword
Level: Extended
Description: Threat technique ID.
Example: T1059
Normalization: array
Indexed: true
threat.technique.name
Type: keyword
Level: Extended
Description: Threat technique name.
Example: Command and Scripting Interpreter
Normalization: array
Indexed: true
threat.technique.name.text
Type: match_only_text
Level: Extended
Description: Threat technique name.
Example: Command and Scripting Interpreter
Indexed: true
threat.technique.reference
Type: keyword
Level: Extended
Description: Threat technique URL reference.
Example: https://attack.mitre.org/techniques/T1059/
Normalization: array
Indexed: true
threat.technique.subtechnique.id
Type: keyword
Level: Extended
Description: Threat subtechnique ID.
Example: T1059.001
Normalization: array
Indexed: true
threat.technique.subtechnique.name
Type: keyword
Level: Extended
Description: Threat subtechnique name.
Example: PowerShell
Normalization: array
Indexed: true
threat.technique.subtechnique.name.text
Type: match_only_text
Level: Extended
Description: Threat subtechnique name.
Example: PowerShell
Indexed: true
threat.technique.subtechnique.reference
Type: keyword
Level: Extended
Description: Threat subtechnique URL reference.
Example: https://attack.mitre.org/techniques/T1059/001/
Normalization: array
Indexed: true