威胁字段的使用和示例

编辑

threat.* 字段将威胁指标映射到 ECS。这些数据有助于使用指标匹配规则和丰富功能检测恶意事件。

指标
编辑

威胁情报指标来自许多不同结构的来源。使用 ECS 的 threat.indicator.* 字段规范化这些指标。规范化后,可以一致地查询来自各种来源的指标并构建指标匹配规则。

以下示例来自一个在线数据库。它包含来自已知恶意软件网站的多个网络指标。

{
    "@timestamp": "2019-08-10T11:09:23.000Z",
    "event": {
        "kind": "enrichment", 
        "category": "threat", 
        "type": "indicator", 
        "severity": 7,
        "risk_score": 10.0,
    },
    "threat: {
        "indicator": { 
            "first_seen": "2020-11-05T17:25:47.000Z",
            "last_seen": "2020-11-05T17:25:47.000Z",
            "modified_at": "2020-11-05T17:25:47.000Z",
            "sightings": 10,
            "type": [
                "ipv4-addr",
                "port",
                "domain-name",
                "email-addr"
            ],
            "description": "Email address, domain, port, and IP address observed during an Angler EK campaign.",
            "provider": "Abuse.ch",
            "reference": "https://urlhaus.abuse.ch/url/abcdefg/",
            "confidence": "High",
            "ip": 1.2.3.4,
            "port": 443,
            "email.address": "[email protected]",
            "marking": {
                "tlp": "CLEAR"
            },
            "url": {
                "domain": "malicious.evil",
            },
            "scanner_stats": 4
        }
    },
    "related": { 
        "hosts": [
            "malicious.evil"
        ],
        "ip": [
            1.2.3.4
        ]
    }
}

对于 event.kind,使用 enrichment 值。

对于 event.category,使用 threat 值。

事件类型设置为 indicator

threat.indicator.* 中捕获指标详细信息。

将指标复制到相关的 related.* 字段。

以下示例映射了一个基于文件的指标。

{
    "@timestamp": "2019-08-10T11:09:23.000Z",
    "event": {
        "kind": "enrichment",
        "category": "threat",
        "type": "indicator",
        "severity": 7,
        "risk_score": 10,
        },
    "threat": {
        "indicator": {
            "first_seen": "2020-11-05T17:25:47.000Z",
            "last_seen": "2020-11-05T17:25:47.000Z",
            "modified_at": "2020-11-05T17:25:47.000Z",
            "sightings": 10,
            "type": [
                "file" 
            ],
            "description": "Implant used during an Angler EK campaign.",
            "provider": "Abuse.ch",
            "reference": "https://bazaar.abuse.ch/sample/f3ec9a2f2766c6bcf8c2894a9927c227649249ac146aabfe8d26b259be7d7055",
            "confidence": "High",
            "file": { 
                "hash": {
                    "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
                     "md5": "1eee2bf3f56d8abed72da2bc523e7431"
                },
                "size": 656896,
                "name": "invoice.doc"
                },
            "marking": {
                "tlp": "CLEAR"
            },
            "scanner_stats": 4
        }
    },
    "related": { 
        "hash": [
            "1eee2bf3f56d8abed72da2bc523e7431",
            "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4"
        ]
    }
}

对于 threat.indicator.type,使用 file 值。

threat.indicator.file.* 中捕获文件属性。

同样,使用文件哈希填充 related.hash 字段。

丰富功能
编辑

事件丰富功能使用事件的值搜索已知威胁,如果找到,则添加相关的详细信息。

{
  "process": {
    "name": "svchost.exe",
    "pid": 1644,
    "entity_id": "MDgyOWFiYTYtMzRkYi1kZTM2LTFkNDItMzBlYWM3NDVlOTgwLTE2NDQtMTMyNDk3MTA2OTcuNDc1OTExNTAw",
    "executable": "C:\\Windows\\System32\\svchost.exe"
  },
  "message": "Endpoint file event",
  "@timestamp": "2020-11-17T19:07:46.0956672Z",
  "file": {
    "path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-AE7DB802.pf",
    "extension": "pf",
    "name": "SVCHOST.EXE-AE7DB802.pf",
    "hash": {
      "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4"
    }
  },
  "threat": {
    "enrichments": [ 
      {
        "indicator": {
          "marking": {
            "tlp": "CLEAR"
          },
          "first_seen": "2020-11-17T19:07:46.0956672Z",
          "file": {
            "hash": {
              "sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
              "md5": "1eee2bf3f56d8abed72da2bc523e7431"
            },
            "size": 656896,
            "name": "invoice.doc"
          },
          "last_seen": "2020-11-17T19:07:46.0956672Z",
          "reference": "https://system.example.com/event/#0001234",
          "sightings": 4,
          "type": [
              "sha256",
              "md5",
              "file_name",
              "file_size"
        ],
          "description": "file last associated with delivering Angler EK"
        },
        "matched": { 
          "atomic": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
          "field": "file.hash.sha256",
          "id": "abc123f03",
          "index": "threat-indicators-index-000001",
          "type": "indicator_match_rule"
        }
      }
    ]
  }
}

将每个丰富功能添加到 threat.enrichments.* 下的嵌套对象中。

matched 对象提供了有关此事件匹配的指标的上下文。