Threat Fields
Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* fields are meant to capture the high-level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach the detected threat uses to accomplish that goal (e.g. "endpoint denial of service").
Threat Field Details
Field | Description | Level |
---|---|---|
threat.framework | Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword | extended |
threat.tactic.id | The id of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/). type: keyword. Note: this field should contain an array of values. | extended |
threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/). type: keyword. Note: this field should contain an array of values. | extended |
threat.tactic.reference | The reference URL of the tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example (ex. https://attack.mitre.org/tactics/TA0002/). type: keyword. Note: this field should contain an array of values. | extended |
threat.technique.id | The id of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example (ex. https://attack.mitre.org/techniques/T1059/). type: keyword. Note: this field should contain an array of values. | extended |
threat.technique.name | The name of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example (ex. https://attack.mitre.org/techniques/T1059/). type: keyword. Multi-fields: threat.technique.name.text (type: text). Note: this field should contain an array of values. | extended |
threat.technique.reference | The reference URL of the technique used by this threat. You can use a MITRE ATT&CK® technique, for example (ex. https://attack.mitre.org/techniques/T1059/). type: keyword. Note: this field should contain an array of values. | extended |
threat.technique.subtechnique.id | The full id of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example (ex. https://attack.mitre.org/techniques/T1059/001/). type: keyword. Note: this field should contain an array of values. | extended |
threat.technique.subtechnique.name | The name of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example (ex. https://attack.mitre.org/techniques/T1059/001/). type: keyword. Multi-fields: threat.technique.subtechnique.name.text (type: text). Note: this field should contain an array of values. | extended |
threat.technique.subtechnique.reference | The reference URL of the subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example (ex. https://attack.mitre.org/techniques/T1059/001/). type: keyword. Note: this field should contain an array of values. | extended |
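As an added example (not ECS project code), the normalizer below turns a detection's ATT&CK annotations into these fields, keeping the array-valued id, name and reference fields aligned with one another, deriving the reference URLs in the form shown above, and refusing a subtechnique whose parent technique is absent. The input alert layout (SAMPLE_ALERT), _parallel and to_ecs_threat are assumptions made for this example.

```python
import re

TACTIC_ID = re.compile(r"^TA\d{4}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}$")
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")

# Constructed sample alert. Its layout (tactics/techniques lists) is an
# assumption for this example, not a vendor or ECS format.
SAMPLE_ALERT = {
    "tactics": [{"id": "TA0002", "name": "Execution"}],
    "techniques": [
        {"id": "T1059", "name": "Command and Scripting Interpreter"},
        {"id": "T1059.001", "name": "PowerShell"},
    ],
}


def _parallel(items, url_fmt):
    """Build the id / name / reference arrays; ECS keeps them as parallel arrays."""
    ids = [i["id"] for i in items]
    names = [i["name"] for i in items]
    refs = [url_fmt.format(i["id"].replace(".", "/")) for i in items]
    return ids, names, refs


def to_ecs_threat(alert: dict) -> dict:
    """Return ECS threat.* fields as dotted keys; multi-valued fields are always arrays."""
    tactics = alert.get("tactics", [])
    techs = [t for t in alert.get("techniques", []) if TECHNIQUE_ID.match(t["id"])]
    subs = [t for t in alert.get("techniques", []) if SUBTECHNIQUE_ID.match(t["id"])]
    bad = [t["id"] for t in alert.get("techniques", []) if t not in techs and t not in subs]
    bad += [t["id"] for t in tactics if not TACTIC_ID.match(t["id"])]
    if bad:
        raise ValueError(f"malformed ATT&CK ids: {bad}")
    # A subtechnique only makes sense beside its parent, so do not emit
    # threat.technique.subtechnique.* without the matching threat.technique.id.
    parents = {t["id"] for t in techs}
    orphans = [s["id"] for s in subs if s["id"].split(".")[0] not in parents]
    if orphans:
        raise ValueError(f"subtechniques without parent technique: {orphans}")
    t_id, t_name, t_ref = _parallel(tactics, "https://attack.mitre.org/tactics/{}/")
    q_id, q_name, q_ref = _parallel(techs, "https://attack.mitre.org/techniques/{}/")
    s_id, s_name, s_ref = _parallel(subs, "https://attack.mitre.org/techniques/{}/")
    return {
        "threat.framework": "MITRE ATT&CK",
        "threat.tactic.id": t_id, "threat.tactic.name": t_name, "threat.tactic.reference": t_ref,
        "threat.technique.id": q_id, "threat.technique.name": q_name, "threat.technique.reference": q_ref,
        "threat.technique.subtechnique.id": s_id, "threat.technique.subtechnique.name": s_name,
        "threat.technique.subtechnique.reference": s_ref,
    }
```

Because ECS stores these as independent arrays rather than objects, the alignment of id[i], name[i] and reference[i] is a convention the producer must enforce, which is why the builder derives all three from one list.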