By Splunk April 30, 2015
For all those security enthusiasts out there that write their own, or wish to write their own, OpenIOC and STIX documents, this is a mapping of the Threat Intelligence KV Collections in Enterprise Security 3.3 to their respective OpenIOC/STIX objects. Hopefully this helps provide a little insight into which objects will be extracted into this release of the Threat Intelligence Framework, and which will not be. In addition, the table will also tell you which KVStore fields ES uses for matching against the threat data you’re ingesting in Splunk.
Note that if a cell contains a hyphen (-) that it is likely because there was not an associated field from that particular intel document (OpenIOC/STIX) for representing that specific type of data. An example of this can be seen in the service_intel collection where the service_file_path and service_file_name KV fields do not have a STIX CybOX object equivalent for representing that data. Likewise, looking at the certificate_intel collection, there isn’t an OpenIOC object for representing that data.
In addition, if you look at the certificate_issuer_email/locality/etc… KV fields you’ll notice that they contain hyphens for both OpenIOC and STIX. That doesn’t mean these fields are never populated in the Threat Intelligence Framework, just that the intel is extracted elsewhere. In this case it’s extracted from the certificate_issuer KV field, which will contain all of the child fields for that content.
Feel free to ask any questions regarding the table in the comments below and I’ll do my best to answer them 
| KV Field | OpenIOC 1.0/1.1 Object | STIX/CybOX Object | Matchable? |
| file_intel | |||
| file_name | FileItem/FileName | FileObj.File_Name | Y |
| file_extension | FileItem/FileExtension | FileObj.File_Extension | – |
| file_path | FileItem/FilePath | FileObj.File_Path | – |
| file_hash |
FileItem/Md5sum FileItem/Sha1sum FileItem/Sha256sum |
FileObj.Hashes[i].Simple_Hash_Value | Y |
| file_size | FileItem/SizeInBytes | FileObj.Size_In_Bytes | – |
| registry_intel | |||
| registry_hive | RegistryItem/Hive | WinRegistryKeyObj.Hive | – |
| registry_path |
RegistryItem/Path RegistryItem/KeyPath |
WinRegistryKeyObj.Key | Y |
| registry_key_name | – | – | – |
| registry_value_name | RegistryItem/ValueName | WinRegistryKeyObj.Values[i].Name | Y |
| registry_value_data | RegistryItem/Value | WinRegistryKeyObj.Values[i].Data | – |
| registry_value_text | RegistryItem/Text | – | Y |
| registry_value_type | RegistryItem/Type | WinRegistryKeyObj.Values[i].Datatype | – |
| registry_modified_time | RegistryItem/Modified | WinRegistryKeyObj.Modified_Time | – |
| user | RegistryItem/Username | – | – |
| service_intel | |||
| service | ServiceItem/name | WinServiceObj.Service_Name | Y |
| descriptive_name | ServiceItem/descriptiveName | WinServiceObj.Display_Name | – |
| description | ServiceItem/description | WinServiceObj.Description_List[i].Description | – |
| status | ServiceItem/status | WinServiceObj.Service_Status | – |
| service_type | ServiceItem/type | WinServiceObj.Service_Type | – |
| start_mode | ServiceItem/mode | WinServiceObj.Startup_Type | – |
| service_file_path | ServiceItem/path | – | – |
| service_file_name | Extracted from ServiceItem/path | – | – |
| service_file_hash |
ServiceItem/pathmd5sum ServiceItem/pathsha1sum ServiceItem/pathsha256sum |
– | Y |
| service_dll_file_path | ServiceItem/serviceDLL | WinServiceObj.Service_DLL | – |
| service_dll_file_name | Extracted from ServiceItem/serviceDLL | – | – |
| service_dll_file_hash |
ServiceItem/serviceDLLmd5sum ServiceItem/serviceDLLsha1sum ServiceItem/serviceDLLsha256sum |
WinServiceObj.Service_DLL_Hashes[i].Simple_Hash_Value | Y |
| process_intel | |||
| process | ProcessItem/name | ProcessObj.Name | Y |
| process_file_path | ProcessItem/path | ProcessObj.Image_Info.Path | – |
| process_file_name | ProcessItem/path | ProcessObj.Image_Info.File_Name | Y |
| process_arguments | ProcessItem/arguments | ProcessObj.Argument_List[i] | – |
| process_handle_name | ProcessItem/HandleList/Handle/Name | ProcessObj.Handle_List[i].Name | Y |
| process_handle_type | ProcessItem/HandleList/Handle/Type | ProcessObj.Handle_List[i].Type | – |
| src | ProcessItem/PortList/PortItem/localIP | ProcessObj.Network_Connection_List[i].Source_Socket_Address.IP_Address | Y |
| src_port | ProcessItem/PortList/PortItem/localPort | ProcessObj.Network_Connection_List[i].Source_Socket_Address.Port | – |
| dest | ProcessItem/PortList/PortItem/remoteIP | ProcessObj.Network_Connection_List[i].Destination_Socket_Address.IP_Address | Y |
| dest_port | ProcessItem/PortList/PortItem/remotePort | ProcessObj.Network_Connection_List[i].Destination_Socket_Address.Port | – |
| user_intel | |||
| user | UserItem/Username | UserAccountObj.Username | Y |
| full_name | UserItem/fullname | UserAccountObj.Full_Name | – |
| group_name | UserItem/grouplist/groupname | WinUserAccountObj.Group_List[i].Name | – |
| description | UserItem/description | UserAccountObj.Description | – |
| ip_intel | |||
| ip | DnsEntryItem/RecordData/IPv4Address |
AddressObj.Address_Value WhoisObj.IP_Address.Address_Value SocketAddressObj.IP_Address.Address_Value NetworkSocketObj.Local_Address.IP_Address.Address_Value NetworkSocketObj.Remote_Address.IP_Address.Address_Value DNSRecordObj.IP_Address.Address_Value |
Y |
| domain | DnsEntryItem/RecordData/Host |
DomainNameObj.Value WhoisObj.Domain_Name.Value NetworkSocketObj.Domain DNSRecordObj.Domain_Name.Value |
Y |
| description | – | – | – |
| address | – | WhoisObj.Contact_Info.Address | – |
| city | – | – | – |
| country | – | – | – |
| postal_code | – | – | – |
| state_prov | – | – | – |
| organization_name | – | – | – |
| organization_id | – | – | – |
| registration_time | – | – | – |
| http_intel | |||
| http_version | – |
HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Line.Version HTTPSessionObj.HTTP_Request_Response[i].HTTP_Provisional_Server_Response.HTTP_Status_Line.Version HTTPSessionObj.HTTP_Request_Response[i].HTTP_Server_Response.HTTP_Status_Line.Version |
– |
| http_method | – | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Line.HTTP_Method | – |
| http_content_type | – |
HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.Content_Type HTTPSessionObj.HTTP_Request_Response[i].HTTP_Provisional_Server_Response.HTTP_Response_Header.Parsed_Header.Content_Type HTTPSessionObj.HTTP_Request_Response[i].HTTP_Server_Response.HTTP_Response_Header.Parsed_Header.Content_Type |
– |
| http_referrer | Network/HTTP_Referr | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.Referer.Value | Y |
| http_user_agent | Network/UserAgent | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.User_Agent | Y |
| http_user_agent_length | – | – | – |
| status | – |
HTTPSessionObj.HTTP_Request_Response[i].HTTP_Provisional_Server_Response.HTTP_Status_Line HTTPSessionObj.HTTP_Request_Response[i].HTTP_Server_Response.HTTP_Status_Line.Status_Code |
– |
| cookie | – | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.Cookie | – |
| header | – |
HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Raw_Header HTTPSessionObj.HTTP_Request_Response[i].HTTP_Provisional_Server_Response.HTTP_Response_Header.Raw_Header HTTPSessionObj.HTTP_Request_Response[i].HTTP_Server_Response.HTTP_Response_Header.Raw_Header |
Y |
| data | Network/String | – | – |
| url | Network/URI | URIObj.Value | Y |
| url_length | – | – | – |
| uri_path | – | HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Line.Value | – |
| uri_query | – | – | – |
| ip | – | NetworkConnectionObj.Source_Socket_Address.IP_Address.Value | Y |
| domain | Network/DNS |
HTTPSessionObj.HTTP_Request_Response[i].HTTP_Client_Request.HTTP_Request_Header.Parsed_Header.Host.Domain_Name.Value URIObj.Value |
Y |
| certificate_intel | |||
| alias | – | – | – |
| certificate_version | – | X509CertificateObj.Certificate.Version | – |
| certificate_file_hash | – | – | Y |
| certificate_handshake_type | – | – | – |
| certificate_issuer | – |
X509CertificateObj.Certificate.Issuer WinServiceObj.Service_DLL_Certificate_Issuer |
– |
| certificate_issuer_common_name | – | – | Y |
| certificate_issuer_email | – | – | Y |
| certificate_issuer_locality | – | – | – |
| certificate_issuer_organization | – | – | Y |
| certificate_issuer_state | – | – | – |
| certificate_issuer_street | – | – | – |
| certificate_issuer_unit | – | – | Y |
| certificate_publickey_algorithm | – | X509CertificateObj.Certificate.Subject_Public_Key.Public_Key_Algorithm | – |
| certificate_serial | – | X509CertificateObj.Certificate.Serial_Number | Y |
| certificate_signature_algorithm | – | X509CertificateObj.Certificate.Signature_Algorithm | – |
| certificate_subject | – |
X509CertificateObj.Certificate.Subject WinServiceObj.Service_DLL_Certificate_Subject |
– |
| certificate_subject_common_name | – | – | Y |
| certificate_subject_email | – | – | Y |
| certificate_subject_locality | – | – | – |
| certificate_subject_organization | – | – | Y |
| certificate_subject_state | – | – | – |
| certificate_subject_street | – | – | – |
| certificate_subject_unit | – | – | Y |
| certificate_supported_next_protocol | – | – | – |
| certificate_end_time | – | X509CertificateObj.Certificate.Validity.Not_After | – |
| certificate_start_time | – | X509CertificateObj.Certificate.Validity.Not_Before | – |
| ip | – | – | Y |
| domain | – | – | Y |
| email_intel | |||
| alias | – | – | – |
| received_time | Email/Received | EmailMessageObj.Header.Date | – |
| src_user | Email/From |
EmailMessageObj.Header.Sender.Address_Value EmailMessageObj.Header.From.Address_Value |
Y |
| actual_src_user | – | – | – |
| recipient | Email/To |
EmailMessageObj.Header.To[i].Address_Value EmailMessageObj.Header.CC[i].Address_Value EmailMessageObj.Header.BCC[i].Address_Value |
– |
| actual_recipient | – | – | – |
| subject | Email/Subject | EmailMessageObj.Header.Subject | Y |
| body | Email/Body | EmailMessageObj.Raw_Body | – |
| embedded_domain | – | EmailMessageObj.Links.Link -> URIObjectType.Value | Y |
| embedded_ip | – | EmailMessageObj.Links.Link -> URIObjectType.Value | Y |
| file_name | Email/Attachment/Name | EmailMessageObj.Attachments[i].File->FileObjectType.File_Name | Y |
| file_hash | – | EmailMessageObj.Attachments[i].AttachmentReference->FileObjectType.Hashes[i].Simple_Hash_Value | Y |
| file_size | Email/Attachment/SizeInBytes | EmailMessageObj.Attachments.AttachmentReference->FileObjectType.Size_In_Bytes | – |
| attachment_type | Email/Attachment/MIMEType | – | – |
| src | Email/ReceivedFromIP | – | Y |
| threat_group_intel | |||
| time | – | – | – |
| threat_group | – |
ta:ThreatActorType.Title threat-actor:ThreatActorType.Identity.Name |
– |
| threat_category | – | ta:ThreatActorType.Type[i].Value | – |
| description | – | ta:ThreatActorType.Short_Description | – |
| weight | – | – | – |
| malware_alias | – | – | – |
| source_type | – | – | – |
| source_id | – | – | – |
| source_path | – | – | – |
| source_digest | – | – | – |
| source_status | – | – | – |
| source_processed_time | – | – | – |
----------------------------------------------------
Thanks!
Brian Luger
Join the Discussion