威胁字段使用和示例
编辑威胁字段使用和示例编辑
threat.* 字段将威胁指标映射到 ECS。这些数据有助于通过指标匹配规则和富化来检测恶意事件。
指标编辑
威胁情报指标来自不同来源,结构各异。使用 ECS threat.indicator.* 字段规范化这些指标。规范化后,可以一致地查询来自各种来源的指标,并构建指标匹配规则。
以下示例来自一个在线数据库。它包含来自已知恶意软件站点的多个网络指标。
{
"@timestamp": "2019-08-10T11:09:23.000Z",
"event": {
"kind": "enrichment",
"category": "threat",
"type": "indicator",
"severity": 7,
"risk_score": 10.0,
},
"threat: {
"indicator": {
"first_seen": "2020-11-05T17:25:47.000Z",
"last_seen": "2020-11-05T17:25:47.000Z",
"modified_at": "2020-11-05T17:25:47.000Z",
"sightings": 10,
"type": [
"ipv4-addr",
"port",
"domain-name",
"email-addr"
],
"description": "Email address, domain, port, and IP address observed during an Angler EK campaign.",
"provider": "Abuse.ch",
"reference": "https://urlhaus.abuse.ch/url/abcdefg/",
"confidence": "High",
"ip": 1.2.3.4,
"port": 443,
"email.address": "[email protected]",
"marking": {
"tlp": "CLEAR"
},
"url": {
"domain": "malicious.evil",
},
"scanner_stats": 4
}
},
"related": {
"hosts": [
"malicious.evil"
],
"ip": [
1.2.3.4
]
}
}
|
对 |
|
|
对 |
|
|
事件类型设置为 |
|
|
在 |
|
|
将指标复制到相关的 |
以下示例映射了一个基于文件的指标。
{
"@timestamp": "2019-08-10T11:09:23.000Z",
"event": {
"kind": "enrichment",
"category": "threat",
"type": "indicator",
"severity": 7,
"risk_score": 10,
},
"threat": {
"indicator": {
"first_seen": "2020-11-05T17:25:47.000Z",
"last_seen": "2020-11-05T17:25:47.000Z",
"modified_at": "2020-11-05T17:25:47.000Z",
"sightings": 10,
"type": [
"file"
],
"description": "Implant used during an Angler EK campaign.",
"provider": "Abuse.ch",
"reference": "https://bazaar.abuse.ch/sample/f3ec9a2f2766c6bcf8c2894a9927c227649249ac146aabfe8d26b259be7d7055",
"confidence": "High",
"file": {
"hash": {
"sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
"md5": "1eee2bf3f56d8abed72da2bc523e7431"
},
"size": 656896,
"name": "invoice.doc"
},
"marking": {
"tlp": "CLEAR"
},
"scanner_stats": 4
}
},
"related": {
"hash": [
"1eee2bf3f56d8abed72da2bc523e7431",
"0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4"
]
}
}
富化编辑
事件富化使用事件的值搜索已知威胁,如果找到,则添加这些关联的详细信息。
{
"process": {
"name": "svchost.exe",
"pid": 1644,
"entity_id": "MDgyOWFiYTYtMzRkYi1kZTM2LTFkNDItMzBlYWM3NDVlOTgwLTE2NDQtMTMyNDk3MTA2OTcuNDc1OTExNTAw",
"executable": "C:\\Windows\\System32\\svchost.exe"
},
"message": "Endpoint file event",
"@timestamp": "2020-11-17T19:07:46.0956672Z",
"file": {
"path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-AE7DB802.pf",
"extension": "pf",
"name": "SVCHOST.EXE-AE7DB802.pf",
"hash": {
"sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4"
}
},
"threat": {
"enrichments": [
{
"indicator": {
"marking": {
"tlp": "CLEAR"
},
"first_seen": "2020-11-17T19:07:46.0956672Z",
"file": {
"hash": {
"sha256": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
"md5": "1eee2bf3f56d8abed72da2bc523e7431"
},
"size": 656896,
"name": "invoice.doc"
},
"last_seen": "2020-11-17T19:07:46.0956672Z",
"reference": "https://system.example.com/event/#0001234",
"sightings": 4,
"type": [
"sha256",
"md5",
"file_name",
"file_size"
],
"description": "file last associated with delivering Angler EK"
},
"matched": {
"atomic": "0c415dd718e3b3728707d579cf8214f54c2942e964975a5f925e0b82fea644b4",
"field": "file.hash.sha256",
"id": "abc123f03",
"index": "threat-indicators-index-000001",
"type": "indicator_match_rule"
}
}
]
}
}