- Elastic Common Schema (ECS) Reference: other versions:
- Overview
- Using ECS
- ECS Field Reference
- Base Fields
- Agent Fields
- Autonomous System Fields
- Client Fields
- Cloud Fields
- Container Fields
- Destination Fields
- DNS Fields
- ECS Fields
- Error Fields
- Event Fields
- File Fields
- Geo Fields
- Group Fields
- Hash Fields
- Host Fields
- HTTP Fields
- Log Fields
- Network Fields
- Observer Fields
- Organization Fields
- Operating System Fields
- Package Fields
- Process Fields
- Registry Fields
- Related Fields
- Rule Fields
- Server Fields
- Service Fields
- Source Fields
- Threat Fields
- TLS Fields
- Tracing Fields
- URL Fields
- User Fields
- User agent Fields
- Vulnerability Fields
- ECS Categorization Fields
- Migrating to ECS
- Additional Information
Threat Fields
editThreat Fields
editFields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework.
These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
Threat Field Details
edit| Field | Description | Level |
|---|---|---|
threat.framework |
Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword example: |
extended |
threat.tactic.id |
The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword example: |
extended |
threat.tactic.name |
Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword example: |
extended |
threat.tactic.reference |
The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword example: |
extended |
threat.technique.id |
The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword example: |
extended |
threat.technique.name |
The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword Multi-fields: * threat.technique.name.text (type: text) example: |
extended |
threat.technique.reference |
The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword example: |
extended |
On this page