IOC Fields #741
Comments
Hi @rhysxevans thanks for the suggestion. I think it makes sense to add fields for importing databases of IOCs eventually. However for the time being, we're holding off on adding too many "inventory-like" or "database-like" fields. ECS is currently mostly geared towards events, and information users would enrich events with. We're waiting a bit before we address "inventory-like" fields, as I think we'll need a new documentation layout that will let us clearly delineate what's meant for event data & metadata vs what's meant to be for inventories (of hosts, users, IOCs, etc).
Ping @shimonmodi on other thoughts around IOCs.
Hi Team, is there any further development on this topic? We are also facing a similar challenge deciding which field to use for IOCs. Thank you.
Hi @thecloud24x7, until this has progressed, we recommend capturing your IOC details in custom fields. Here's how to name your custom fields in order to avoid conflicts with future versions of ECS. The work to add these fields to ECS will happen in the open, in this repository. So feel free to watch for activity around this, and contribute ideas on the subject 🙂 But to answer your question directly, no progress yet; however, support for threat IOCs is coming in Elastic Security. Stay tuned.
@thecloud24x7 - thanks for your interest. We are currently evaluating ECS fields specifically for the threat intel use case as we develop CTI workflows. The questions posted above are absolutely under consideration. We will likely be leveraging the STIX cyber observables model to provide mappings for fields like first seen, last seen, and sightings from a threat perspective. As @webmat said, stay tuned for more on this in the near future.
An RFC for capturing IOCs is in progress. Closing in favor of #1037.
From #113
Hi Guys,
Firstly thanks, for doing this.
However, I am struggling to determine where within the threat.* definitions / fields I would put details around threat feed hits. I have the feeling that the current threat fields are largely geared to the MITRE ATT&CK framework, from my reading (and I might be reading it wrong). So I was thinking of something along the lines of:
threat.ioc.provider: feed_vendor_name
threat.ioc.feed: feed_name
threat.ioc.type: type_of_ioc (tor exit node, compromised ip)
threat.ioc.location: source/destination (refers back to source and destination fields, and respective sub fields)
Any guidance / advice is greatly appreciated
Hopefully as we move forward we would then start populating the other fields within the threat.* definition
Thanks
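As an added illustration of how the four fields proposed in this issue would be populated in practice (example code, not part of the issue, and not ECS or Elastic code): the script below matches an event's source.ip and destination.ip against a small threat feed and, on a hit, writes threat.ioc.provider, threat.ioc.feed, threat.ioc.type and threat.ioc.location into the event as flat custom field names. The feed vendor, feed name, indicator values and the sample events are all constructed placeholders; the field names are the issue author's proposal, not names ECS has adopted.

```python
"""Enrich an ECS-style event with the threat.ioc.* fields proposed in this
issue. Added example: the field names come from the issue author's proposal,
not from ECS itself, and all feed and event data below are constructed."""
import ipaddress

# Constructed sample feed. Vendor and feed name are hypothetical placeholders;
# the indicators use documentation address ranges so nothing here is real.
SAMPLE_FEED = {
    "provider": "example-vendor",
    "feed": "example-tor-and-compromised-hosts",
    "entries": {
        "198.51.100.7": "tor exit node",
        "203.0.113.0/24": "compromised ip",
    },
}


def build_index(feed):
    """Turn the feed's entries into (network, ioc_type) pairs so that single
    addresses and CIDR blocks can be matched the same way."""
    return [
        (ipaddress.ip_network(indicator, strict=False), ioc_type)
        for indicator, ioc_type in feed["entries"].items()
    ]


def lookup(index, ip_str):
    """Return the IOC type for ip_str, or None when it is absent from the
    feed or is not a valid IP address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for network, ioc_type in index:
        if ip in network:
            return ioc_type
    return None


def enrich(event, feed, index=None):
    """Check source.ip, then destination.ip, against the feed.

    On the first hit, return a copy of the event carrying the proposed
    threat.ioc.* fields; threat.ioc.location records which side of the
    connection matched, following the issue's "source/destination" idea.
    Events with no hit are returned unchanged.
    """
    index = index if index is not None else build_index(feed)
    enriched = dict(event)
    for side in ("source", "destination"):
        ip_str = event.get(f"{side}.ip")
        if ip_str is None:
            continue
        ioc_type = lookup(index, ip_str)
        if ioc_type is not None:
            enriched["threat.ioc.provider"] = feed["provider"]
            enriched["threat.ioc.feed"] = feed["feed"]
            enriched["threat.ioc.type"] = ioc_type
            enriched["threat.ioc.location"] = side
            break  # first matching side wins
    return enriched


if __name__ == "__main__":
    # Constructed sample events: one clean, one whose destination is in the feed.
    events = [
        {"event.category": "network", "source.ip": "192.0.2.10", "destination.ip": "192.0.2.20"},
        {"event.category": "network", "source.ip": "192.0.2.10", "destination.ip": "203.0.113.42"},
    ]
    idx = build_index(SAMPLE_FEED)
    for ev in events:
        print(enrich(ev, SAMPLE_FEED, idx))
```

The enrichment only writes the threat.ioc.* keys on a hit, so events that never match stay exactly as ingested, and the flat dotted keys map directly onto the way Elasticsearch accepts ECS-style documents.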