威胁字段的使用和示例
编辑威胁字段的使用和示例
编辑threat.*
字段将威胁指标映射到 ECS。这些数据有助于使用指标匹配规则和丰富功能检测恶意事件。
指标
编辑威胁情报指标来自许多不同结构的来源。使用 ECS 的 threat.indicator.*
字段规范化这些指标。规范化后,可以一致地查询来自各种来源的指标并构建指标匹配规则。
以下示例来自一个在线数据库。它包含来自已知恶意软件网站的多个网络指标。
{ "@timestamp": "2019-08-10T11:09:23.000Z", "event": { "kind": "enrichment", "category": "threat", "type": "indicator", "severity": 7, "risk_score": 10.0, }, "threat: { "indicator": { "first_seen": "2020-11-05T17:25:47.000Z", "last_seen": "2020-11-05T17:25:47.000Z", "modified_at": "2020-11-05T17:25:47.000Z", "sightings": 10, "type": [ "ipv4-addr", "port", "domain-name", "email-addr" ], "description": "Email address, domain, port, and IP address observed during an Angler EK campaign.", "provider": "Abuse.ch", "reference": "https://urlhaus.abuse.ch/url/abcdefg/", "confidence": "High", "ip": 1.2.3.4, "port": 443, "email.address": "[email protected]", "marking": { "tlp": "CLEAR" }, "url": { "domain": "malicious.evil", }, "scanner_stats": 4 } }, "related": { "hosts": [ "malicious.evil" ], "ip": [ 1.2.3.4 ] } }
对于 |
|
对于 |
|
事件类型设置为 |
|
在 |
|
将指标复制到相关的 |
以下示例映射了一个基于文件的指标。
{ "@timestamp": "2019-08-10T11:09:23.000Z", "event": { "kind": "enrichment", "category": "threat", "type": "indicator", "severity": 7, "risk_score": 10, }, "threat": { "indicator": { "first_seen": "2020-11-05T17:25:47.000Z", "last_seen": "2020-11-05T17:25:47.000Z", "modified_at": "2020-11-05T17:25:47.000Z", "sightings": 10, "type": [ "file" ], "description": "Implant used during an Angler EK campaign.", "provider": "Abuse.ch", "reference": "https://bazaar.abuse.ch/sample/f3ec9a2f2766c6bcf8c2894a9927c227649249ac146aabfe8d26b259be7d7055", "confidence": "High", "file": { "hash": { "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4", "md5": "1eee2bf3f56d8abed72da2bc523e7431" }, "size": 656896, "name": "invoice.doc" }, "marking": { "tlp": "CLEAR" }, "scanner_stats": 4 } }, "related": { "hash": [ "1eee2bf3f56d8abed72da2bc523e7431", "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4" ] } }
丰富功能
编辑事件丰富功能使用事件的值搜索已知威胁,如果找到,则添加相关的详细信息。
{ "process": { "name": "svchost.exe", "pid": 1644, "entity_id": "MDgyOWFiYTYtMzRkYi1kZTM2LTFkNDItMzBlYWM3NDVlOTgwLTE2NDQtMTMyNDk3MTA2OTcuNDc1OTExNTAw", "executable": "C:\\Windows\\System32\\svchost.exe" }, "message": "Endpoint file event", "@timestamp": "2020-11-17T19:07:46.0956672Z", "file": { "path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-AE7DB802.pf", "extension": "pf", "name": "SVCHOST.EXE-AE7DB802.pf", "hash": { "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4" } }, "threat": { "enrichments": [ { "indicator": { "marking": { "tlp": "CLEAR" }, "first_seen": "2020-11-17T19:07:46.0956672Z", "file": { "hash": { "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4", "md5": "1eee2bf3f56d8abed72da2bc523e7431" }, "size": 656896, "name": "invoice.doc" }, "last_seen": "2020-11-17T19:07:46.0956672Z", "reference": "https://system.example.com/event/#0001234", "sightings": 4, "type": [ "sha256", "md5", "file_name", "file_size" ], "description": "file last associated with delivering Angler EK" }, "matched": { "atomic": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4", "field": "file.hash.sha256", "id": "abc123f03", "index": "threat-indicators-index-000001", "type": "indicator_match_rule" } } ] } }