Threat Intelligence Collections in Enterprise Security 3.3

For all those security enthusiasts out there that write their own, or wish to write their own, OpenIOC and STIX documents, this is a mapping of the Threat Intelligence KV Collections in Enterprise Security 3.3 to their respective OpenIOC/STIX objects. Hopefully this helps provide a little insight into which objects will be extracted into this release of the Threat Intelligence Framework, and which will not be. In addition, the table will also tell you which KVStore fields ES uses for matching against the threat data you’re ingesting in Splunk.

Note that if a cell contains a hyphen (-), it is likely because there was no associated field in that particular intel document type (OpenIOC/STIX) for representing that specific kind of data. An example of this can be seen in the service_intel collection, where the service_file_path and service_file_name KV fields have no STIX CybOX object equivalent for representing that data. Likewise, looking at the certificate_intel collection, there isn’t an OpenIOC object for representing that data.

In addition, if you look at the certificate_issuer_email/locality/etc… KV fields you’ll notice that they contain hyphens for both OpenIOC and STIX. That doesn’t mean these fields are never populated in the Threat Intelligence Framework, just that the intel is extracted elsewhere. In this case it’s extracted from the certificate_issuer KV field, which will contain all of the child fields for that content.

Feel free to ask any questions regarding the table in the comments below and I’ll do my best to answer them :-)

| KV Field | OpenIOC 1.0/1.1 Object | STIX/CybOX Object | Matchable? |
|---|---|---|---|
| file_intel | | | |
| file_name | FileItem/FileName | FileObj.File_Name | Y |
| file_extension | FileItem/FileExtension | FileObj.File_Extension | - |
| file_path | FileItem/FilePath | FileObj.File_Path | - |
| file_hash | FileItem/Md5sum, FileItem/Sha1sum, FileItem/Sha256sum | FileObj.Hashes[i].Simple_Hash_Value | Y |
| file_size | FileItem/SizeInBytes | FileObj.Size_In_Bytes | - |
| registry_intel | | | |
| registry_hive | RegistryItem/Hive | WinRegistryKeyObj.Hive | - |
| registry_path | RegistryItem/Path, RegistryItem/KeyPath | WinRegistryKeyObj.Key | Y |
| registry_key_name | - | - | - |
| registry_value_name | RegistryItem/ValueName | WinRegistryKeyObj.Values[i].Name | Y |
| registry_value_data | RegistryItem/Value | WinRegistryKeyObj.Values[i].Data | - |
| registry_value_text | RegistryItem/Text | - | Y |
| registry_value_type | RegistryItem/Type | WinRegistryKeyObj.Values[i].Datatype | - |
| registry_modified_time | RegistryItem/Modified | WinRegistryKeyObj.Modified_Time | - |
| user | RegistryItem/Username | - | - |
| service_intel | | | |
| service | ServiceItem/name | WinServiceObj.Service_Name | Y |
| descriptive_name | ServiceItem/descriptiveName | WinServiceObj.Display_Name | - |
| description | ServiceItem/description | WinServiceObj.Description_List[i].Description | - |
| status | ServiceItem/status | WinServiceObj.Service_Status | - |
| service_type | ServiceItem/type | WinServiceObj.Service_Type | - |
| start_mode | ServiceItem/mode | WinServiceObj.Startup_Type | - |
| service_file_path | ServiceItem/path | - | - |
| service_file_name | Extracted from ServiceItem/path | - | - |
| service_file_hash | ServiceItem/pathmd5sum, ServiceItem/pathsha1sum, ServiceItem/pathsha256sum | - | Y |
| service_dll_file_path | ServiceItem/serviceDLL | WinServiceObj.Service_DLL | - |
| service_dll_file_name | Extracted from ServiceItem/serviceDLL | - | - |
| service_dll_file_hash | ServiceItem/serviceDLLmd5sum, ServiceItem/serviceDLLsha1sum, ServiceItem/serviceDLLsha256sum | WinServiceObj.Service_DLL_Hashes[i].Simple_Hash_Value | Y |
| process_intel | | | |
| process | ProcessItem/name | ProcessObj.Name | Y |
| process_file_path | ProcessItem/path | ProcessObj.Image_Info.Path | - |
| process_file_name | ProcessItem/path | ProcessObj.Image_Info.File_Name | Y |
| process_arguments | ProcessItem/arguments | ProcessObj.Argument_List[i] | - |
| process_handle_name | ProcessItem/HandleList/Handle/Name | ProcessObj.Handle_List[i].Name | Y |
| process_handle_type | ProcessItem/HandleList/Handle/Type | ProcessObj.Handle_List[i].Type | - |
| src | ProcessItem/PortList/PortItem/localIP | ProcessObj.Network_Connection_List[i].Source_Socket_Address.IP_Address | Y |
| src_port | ProcessItem/PortList/PortItem/localPort | ProcessObj.Network_Connection_List[i].Source_Socket_Address.Port | - |
| dest | ProcessItem/PortList/PortItem/remoteIP | ProcessObj.Network_Connection_List[i].Destination_Socket_Address.IP_Address | Y |
| dest_port | ProcessItem/PortList/PortItem/remotePort | ProcessObj.Network_Connection_List[i].Destination_Socket_Address.Port | - |
| user_intel | | | |
| user | UserItem/Username | UserAccountObj.Username | Y |
| full_name | UserItem/fullname | UserAccountObj.Full_Name | - |
| group_name | UserItem/grouplist/groupname | WinUserAccountObj.Group_List[i].Name | - |
| description | UserItem/description | UserAccountObj.Description | - |
| ip_intel | | | |
| ip | DnsEntryItem/RecordData/IPv4Address | AddressObj.Address_Value, WhoisObj.IP_Address.Address_Value, SocketAddressObj.IP_Address.Address_Value, NetworkSocketObj.Local_Address.IP_Address.Address_Value, NetworkSocketObj.Remote_Address.IP_Address.Address_Value, DNSRecordObj.IP_Address.Address_Value | Y |
| domain | DnsEntryItem/RecordData/Host | DomainNameObj.Value, WhoisObj.Domain_Name.Value, NetworkSocketObj.Domain, DNSRecordObj.Domain_Name.Value | Y |
| description | - | - | - |
| address | - | WhoisObj.Contact_Info.Address | - |
| city | - | - | - |
| country | - | - | - |
| postal_code | - | - | - |
| state_prov | - | - | - |
| organization_name | - | - | - |
| organization_id | - | - | - |
| registration_time | - | - | - |
| http_intel | | | |
| http_version | - | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Line.Version, HTTPSessionObj.HTTP_Request_Response[i].HTTP_Provisional_Server_Response.HTTP_Status_Line.Version, HTTPSessionObj.HTTP_Request_Response[i].HTTP_Server_Response.HTTP_Status_Line.Version | - |
| http_method | - | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Line.HTTP_Method | - |
| http_content_type | - | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.Content_Type, HTTPSessionObj.HTTP_Request_Response[i].HTTP_Provisional_Server_Response.HTTP_Response_Header.Parsed_Header.Content_Type, HTTPSessionObj.HTTP_Request_Response[i].HTTP_Server_Response.HTTP_Response_Header.Parsed_Header.Content_Type | - |
| http_referrer | Network/HTTP_Referr | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.Referer.Value | Y |
| http_user_agent | Network/UserAgent | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.User_Agent | Y |
| http_user_agent_length | - | - | - |
| status | - | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Provisional_Server_Response.HTTP_Status_Line, HTTPSessionObj.HTTP_Request_Response[i].HTTP_Server_Response.HTTP_Status_Line.Status_Code | - |
| cookie | - | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.Cookie | - |
| header | - | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Raw_Header, HTTPSessionObj.HTTP_Request_Response[i].HTTP_Provisional_Server_Response.HTTP_Response_Header.Raw_Header, HTTPSessionObj.HTTP_Request_Response[i].HTTP_Server_Response.HTTP_Response_Header.Raw_Header | Y |
| data | Network/String | - | - |
| url | Network/URI | URIObj.Value | Y |
| url_length | - | - | - |
| uri_path | - | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Line.Value | - |
| uri_query | - | - | - |
| ip | - | NetworkConnectionObj.Source_Socket_Address.IP_Address.Value | Y |
| domain | Network/DNS | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.Host.Domain_Name.Value, URIObj.Value | Y |
| certificate_intel | | | |
| alias | - | - | - |
| certificate_version | - | X509CertificateObj.Certificate.Version | - |
| certificate_file_hash | - | - | Y |
| certificate_handshake_type | - | - | - |
| certificate_issuer | - | X509CertificateObj.Certificate.Issuer, WinServiceObj.Service_DLL_Certificate_Issuer | - |
| certificate_issuer_common_name | - | - | Y |
| certificate_issuer_email | - | - | Y |
| certificate_issuer_locality | - | - | - |
| certificate_issuer_organization | - | - | Y |
| certificate_issuer_state | - | - | - |
| certificate_issuer_street | - | - | - |
| certificate_issuer_unit | - | - | Y |
| certificate_publickey_algorithm | - | X509CertificateObj.Certificate.Subject_Public_Key.Public_Key_Algorithm | - |
| certificate_serial | - | X509CertificateObj.Certificate.Serial_Number | Y |
| certificate_signature_algorithm | - | X509CertificateObj.Certificate.Signature_Algorithm | - |
| certificate_subject | - | X509CertificateObj.Certificate.Subject, WinServiceObj.Service_DLL_Certificate_Subject | - |
| certificate_subject_common_name | - | - | Y |
| certificate_subject_email | - | - | Y |
| certificate_subject_locality | - | - | - |
| certificate_subject_organization | - | - | Y |
| certificate_subject_state | - | - | - |
| certificate_subject_street | - | - | - |
| certificate_subject_unit | - | - | Y |
| certificate_supported_next_protocol | - | - | - |
| certificate_end_time | - | X509CertificateObj.Certificate.Validity.Not_After | - |
| certificate_start_time | - | X509CertificateObj.Certificate.Validity.Not_Before | - |
| ip | - | - | Y |
| domain | - | - | Y |
| email_intel | | | |
| alias | - | - | - |
| received_time | Email/Received | EmailMessageObj.Header.Date | - |
| src_user | Email/From | EmailMessageObj.Header.Sender.Address_Value, EmailMessageObj.Header.From.Address_Value | Y |
| actual_src_user | - | - | - |
| recipient | Email/To | EmailMessageObj.Header.To[i].Address_Value, EmailMessageObj.Header.CC[i].Address_Value, EmailMessageObj.Header.BCC[i].Address_Value | - |
| actual_recipient | - | - | - |
| subject | Email/Subject | EmailMessageObj.Header.Subject | Y |
| body | Email/Body | EmailMessageObj.Raw_Body | - |
| embedded_domain | - | EmailMessageObj.Links.Link -> URIObjectType.Value | Y |
| embedded_ip | - | EmailMessageObj.Links.Link -> URIObjectType.Value | Y |
| file_name | Email/Attachment/Name | EmailMessageObj.Attachments[i].File->FileObjectType.File_Name | Y |
| file_hash | - | EmailMessageObj.Attachments[i].AttachmentReference->FileObjectType.Hashes[i].Simple_Hash_Value | Y |
| file_size | Email/Attachment/SizeInBytes | EmailMessageObj.Attachments.AttachmentReference->FileObjectType.Size_In_Bytes | - |
| attachment_type | Email/Attachment/MIMEType | - | - |
| src | Email/ReceivedFromIP | - | Y |
| threat_group_intel | | | |
| time | - | - | - |
| threat_group | - | ta:ThreatActorType.Title, threat-actor:ThreatActorType.Identity.Name | - |
| threat_category | - | ta:ThreatActorType.Type[i].Value | - |
| description | - | ta:ThreatActorType.Short_Description | - |
| weight | - | - | - |
| malware_alias | - | - | - |
| source_type | - | - | - |
| source_id | - | - | - |
| source_path | - | - | - |
| source_digest | - | - | - |
| source_processed_time | - | - | - |
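To make the table concrete, here is an added example (written for this post, not Splunk's own extraction code) that walks the IndicatorItems of a constructed OpenIOC 1.0 document, maps each search term onto the KV collection, field and Matchable? flag from a subset of the table above, and reports the terms that have no ES field (the hyphen cells), which is what you want to check before assuming an IOC will be matched.

```python
"""Map OpenIOC 1.0 IndicatorItems onto ES 3.3 Threat Intelligence KV fields.
Illustrative only: mapping is a subset of the post's table; the IOC is constructed."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# OpenIOC search term -> (KV collection, KV field, matchable?), taken from the table above
OPENIOC_TO_KV = {
    "FileItem/FileName": ("file_intel", "file_name", True),
    "FileItem/FilePath": ("file_intel", "file_path", False),
    "FileItem/Md5sum": ("file_intel", "file_hash", True),
    "FileItem/Sha1sum": ("file_intel", "file_hash", True),
    "FileItem/Sha256sum": ("file_intel", "file_hash", True),
    "RegistryItem/KeyPath": ("registry_intel", "registry_path", True),
    "Network/URI": ("http_intel", "url", True),
    "Email/From": ("email_intel", "src_user", True),
}

# Constructed sample IOC: three terms the table maps, plus PEInfo/Type, which it does not
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-example">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">00112233445566778899aabbccddeeff</Content></IndicatorItem>
      <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/FilePath"/>
        <Content type="string">C:\\Windows\\Temp\\dropper.tmp</Content></IndicatorItem>
      <IndicatorItem condition="is"><Context document="RegistryItem" search="RegistryItem/KeyPath"/>
        <Content type="string">HKLM\\Software\\Example\\Run</Content></IndicatorItem>
      <IndicatorItem condition="is"><Context document="FileItem" search="FileItem/PEInfo/Type"/>
        <Content type="string">Executable</Content></IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""


def extract_kv_rows(ioc_xml):
    """Return (rows, unmapped): one KV row per mapped IndicatorItem, and the list of
    search terms the table gives no ES field for (those would be hyphen cells)."""
    rows, unmapped = [], []
    for item in ET.fromstring(ioc_xml).iter("{%s}IndicatorItem" % NS["ioc"]):
        term = item.find("ioc:Context", NS).get("search")
        value = item.find("ioc:Content", NS).text.strip()
        if term not in OPENIOC_TO_KV:
            unmapped.append(term)  # not extracted by the framework per the table
            continue
        collection, field, matchable = OPENIOC_TO_KV[term]
        rows.append({"collection": collection, "field": field,
                     "value": value, "matchable": matchable})
    return rows, unmapped
```

Rows whose matchable flag is False are stored in the collection but will not trigger threat matches on their own, so an IOC built only from such terms (or from unmapped ones) produces no notable events.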
Posted by Brian Luger