
OpenCTI

Ingest threat intelligence indicators from OpenCTI with Elastic Agent.

Version: 2.1.1
Compatible Kibana version(s): 8.12.0 or higher
Supported Serverless project types: Security, Observability
Subscription level: Basic
Level of support: Elastic

The OpenCTI integration allows you to ingest data from the OpenCTI threat intelligence platform.

Use this integration to get indicator data from OpenCTI. You can monitor and explore the ingested data on the OpenCTI dashboard or in Kibana's Discover tab. Indicator match rules in Elastic Security can then use the ingested indicator data to generate alerts about detected threats.

Data streams

The OpenCTI integration collects one type of data stream: logs.

Logs are lists of records created over time. Each event in the log data stream collected by the OpenCTI integration is an indicator that can be used to detect suspicious or malicious cyber activity. The data is fetched from OpenCTI's GraphQL API.

Requirements

This integration requires Filebeat version 8.9.0 or later.

It has been updated for OpenCTI version 5.12.24 and requires that version or later.

Setup

For additional information about threat intelligence integrations, including the steps required to add an integration, please refer to the Enable threat intelligence integrations page of the Elastic Security documentation.

When adding the OpenCTI integration, you will need to provide a base URL for the target OpenCTI instance. It should be just the base URL (e.g. https://demo.opencti.io) and not include an additional path for the API or UI.

The simplest authentication method is an API key (bearer token). You can find its value on your profile page in the OpenCTI user interface. The key carries the permissions of the user it belongs to, so prefer a dedicated OpenCTI user with read-only access for the integration over a personal account. Advanced integration settings can be used to configure various OAuth2-based authentication arrangements, and to enter SSL settings for mTLS authentication and for other purposes. For information on setting up the OpenCTI side of an authentication strategy, refer to OpenCTI's authentication documentation.
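Before handing the base URL and API key to the integration, it is worth confirming that the key is accepted and that indicators come back. The following script is an added example, not code from the Elastic integration or from OpenCTI. It assumes that the GraphQL endpoint lives at <base URL>/graphql, that the key is sent as "Authorization: Bearer <key>", and that the indicators connection exposes Relay-style pageInfo with endCursor and hasNextPage (globalCount and the indicator attributes requested below appear in the example event on this page). The fake transport and its pages are constructed so the paging logic runs offline.

```python
"""Check an OpenCTI API key and page through indicators over GraphQL.

Added example; not code from the Elastic integration or from OpenCTI.
Assumptions: GraphQL endpoint at <base URL>/graphql, bearer-token auth via the
Authorization header, and Relay-style pageInfo { endCursor hasNextPage } on the
`indicators` connection.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Iterator, List

Execute = Callable[[str, dict], dict]  # runs one GraphQL operation, returns its "data"

INDICATOR_QUERY = """
query Indicators($first: Int, $after: ID) {
  indicators(first: $first, after: $after) {
    edges { node {
      id standard_id name pattern pattern_type revoked
      valid_from valid_until x_opencti_main_observable_type
    } }
    pageInfo { endCursor hasNextPage globalCount }
  }
}
"""


def build_request(base_url: str, api_key: str, query: str, variables: dict) -> urllib.request.Request:
    """Build the POST to /graphql. Rejects an API or UI path: the setup requires a bare base URL."""
    base = base_url.rstrip("/")
    if base.endswith("/graphql") or base.endswith("/dashboard"):
        raise ValueError("provide the base URL only, e.g. https://demo.opencti.io")
    body = json.dumps({"query": query, "variables": variables}).encode("utf-8")
    return urllib.request.Request(
        base + "/graphql",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def http_execute(base_url: str, api_key: str, timeout: float = 30.0) -> Execute:
    """Return an Execute bound to a live OpenCTI instance (needs network; not exercised offline)."""
    def execute(query: str, variables: dict) -> dict:
        req = build_request(base_url, api_key, query, variables)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                payload = json.load(resp)
        except urllib.error.HTTPError as err:  # 401/403 here usually means a bad or revoked key
            raise RuntimeError(f"OpenCTI returned HTTP {err.code} for {req.full_url}") from err
        if payload.get("errors"):
            raise RuntimeError(f"GraphQL errors: {payload['errors']}")
        return payload["data"]
    return execute


def iter_indicators(execute: Execute, page_size: int = 100) -> Iterator[dict]:
    """Yield every indicator node, following endCursor until hasNextPage is false."""
    after = None
    while True:
        conn = execute(INDICATOR_QUERY, {"first": page_size, "after": after})["indicators"]
        for edge in conn["edges"]:
            yield edge["node"]
        info = conn["pageInfo"]
        if not info.get("hasNextPage"):
            return
        after = info["endCursor"]


def fake_execute(pages: List[List[dict]]) -> Execute:
    """Offline transport over constructed pages; the cursor is simply the next page index."""
    def execute(query: str, variables: dict) -> dict:
        idx = int(variables["after"]) if variables.get("after") else 0
        nodes = pages[idx] if idx < len(pages) else []
        return {"indicators": {
            "edges": [{"node": n} for n in nodes],
            "pageInfo": {"endCursor": str(idx + 1),
                         "hasNextPage": idx + 1 < len(pages),
                         "globalCount": sum(len(p) for p in pages)},
        }}
    return execute


if __name__ == "__main__":
    # Usage: OPENCTI_URL=https://demo.opencti.io OPENCTI_API_KEY=... python opencti_check.py
    url, key = os.environ.get("OPENCTI_URL"), os.environ.get("OPENCTI_API_KEY")
    if not url or not key:
        sys.exit("set OPENCTI_URL (base URL only) and OPENCTI_API_KEY")
    for n, ind in enumerate(iter_indicators(http_execute(url, key), page_size=50), 1):
        print(n, ind["standard_id"], ind["pattern_type"], ind["pattern"])
```

A 401 or 403 from the endpoint means the key is wrong or revoked; GraphQL errors with a 200 status usually mean the user behind the key lacks the capability to read indicators, which is exactly what a dedicated read-only user must be granted.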

Logs

Indicator

The indicator data stream includes indicators of the following types (threat.indicator.type): artifact, autonomous-system, bank-account, cryptocurrency-wallet, cryptographic-key, directory, domain-name, email-addr, email-message, email-mime-part-type, hostname, ipv4-addr, ipv6-addr, mac-addr, media-content, mutex, network-traffic, payment-card, phone-number, process, software, file, text, url, user-account, user-agent, windows-registry-key, windows-registry-value-type, x509-certificate, unknown.

OpenCTI's data model closely follows the STIX standard. It supports complex indicators defined using STIX patterns or other languages, and each indicator can be related to one or more observables. In the ECS threat fields the focus is on atomic indicators. This integration fetches as much data as possible about indicators and their related observables, and populates relevant ECS fields wherever possible. It uses related observables rather than the indicator pattern as the data source for type-specific indicator fields.

Expiration of inactive indicators

The opencti.indicator.invalid_or_revoked_from field is set to the earliest time at which an indicator reaches its valid_until time or is marked as revoked. From that time the indicator should no longer be considered active.

An Elastic Transform is created to provide a view of active indicators for end users. This transform creates destination indices that are accessible via the alias logs-ti_opencti_latest.indicator. When querying for active indicators or setting up indicator match rules, use that alias to avoid false positives from expired indicators.

The dashboards show only active indicators, except the Ingestion dashboard, which shows data from both the source data stream and the indices of the latest indicators.

Indicators that are never expired or revoked will not be removed from the indices of the latest indicators. If accumulation of indicators is a problem there, it can be managed upstream in OpenCTI, or by manually deleting indicators from those indices.

To prevent unbounded growth of the source data stream logs-ti_opencti.indicator-*, it has an index lifecycle management (ILM) policy that deletes records 5 days after ingestion.
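The expiry rule above is simple but easy to get wrong when querying by hand, and the example event on this page (revoked, but with a valid_until that lapsed years before the revocation) shows why the earliest of the two times matters. The following is an added example, not the integration's ingest pipeline or transform. It assumes that the moment an indicator is "marked as revoked" can be approximated by its modified timestamp, since the indicator fields shown on this page carry no separate revocation time; the sample indicators are constructed, the first mirroring the page's example event.

```python
"""Expiry of OpenCTI indicators: compute opencti.indicator.invalid_or_revoked_from
and build a query for active indicators in logs-ti_opencti_latest.indicator.

Added example; not the integration's ingest pipeline or transform. Assumption:
the revocation time is approximated by the indicator's `modified` timestamp.
"""
from datetime import datetime, timezone
from typing import List, Optional


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an OpenCTI ISO 8601 timestamp (trailing Z) into an aware datetime; None if absent."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def invalid_or_revoked_from(indicator: dict) -> Optional[datetime]:
    """Earliest of valid_until and, when revoked, the revocation time (assumed: `modified`).
    None means the indicator never expires and is never removed from the latest indices."""
    candidates = [parse_ts(indicator.get("valid_until"))]
    if indicator.get("revoked"):
        candidates.append(parse_ts(indicator.get("modified")))
    present = [c for c in candidates if c is not None]
    return min(present) if present else None


def is_active(indicator: dict, now: Optional[datetime] = None) -> bool:
    """Active means the cutoff has not been reached yet (or there is no cutoff)."""
    now = now or datetime.now(timezone.utc)
    cutoff = invalid_or_revoked_from(indicator)
    return cutoff is None or now < cutoff


def active_indicators_query(indicator_type: Optional[str] = None, size: int = 100) -> dict:
    """Query DSL body to run against the logs-ti_opencti_latest.indicator alias.
    The latest indices are meant to hold only active indicators; the must_not range
    is a belt-and-braces filter against anything that expired since the transform ran."""
    filters = []
    if indicator_type:
        filters.append({"term": {"threat.indicator.type": indicator_type}})
    return {
        "size": size,
        "_source": ["threat.indicator", "opencti.indicator.invalid_or_revoked_from"],
        "query": {"bool": {
            "filter": filters,
            "must_not": [{"range": {"opencti.indicator.invalid_or_revoked_from": {"lte": "now"}}}],
        }},
        "sort": [{"threat.indicator.modified_at": "desc"}],
    }


# Constructed samples. "page_example" copies the times from the example event on this page.
SAMPLE_INDICATORS = {
    "page_example": {"revoked": True, "modified": "2023-01-17T05:53:42.851Z",
                     "valid_from": "2018-02-05T08:04:53.000Z", "valid_until": "2019-02-05T08:04:53.000Z"},
    "revoked_early": {"revoked": True, "modified": "2024-03-01T00:00:00.000Z",
                      "valid_from": "2022-01-01T00:00:00.000Z", "valid_until": "2030-01-01T00:00:00.000Z"},
    "open_ended": {"revoked": False, "modified": "2022-05-05T00:00:00.000Z",
                   "valid_from": "2022-05-05T00:00:00.000Z", "valid_until": None},
}
AS_OF = parse_ts("2023-06-01T00:00:00.000Z")  # fixed reference time for a reproducible result


def active_names(now: datetime) -> List[str]:
    """Names of the constructed samples that are active at `now`, sorted."""
    return sorted(name for name, ind in SAMPLE_INDICATORS.items() if is_active(ind, now))


if __name__ == "__main__":
    for name, ind in SAMPLE_INDICATORS.items():
        print(name, invalid_or_revoked_from(ind), "active" if is_active(ind, AS_OF) else "inactive")
    print(active_indicators_query("hostname"))
```

Run against the alias rather than the source data stream: the source keeps every fetched version of an indicator for five days, including revoked and expired ones, which is exactly what an indicator match rule should not see.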

Example

An example event for indicator looks as follows:

{
    "@timestamp": "2023-11-09T01:59:11.241Z",
    "agent": {
        "ephemeral_id": "f115b31f-9c4f-4f14-a73b-3a54e25f204e",
        "id": "00b6764d-580c-4a5e-bd48-b4e128e0d894",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.1"
    },
    "data_stream": {
        "dataset": "ti_opencti.indicator",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "00b6764d-580c-4a5e-bd48-b4e128e0d894",
        "snapshot": false,
        "version": "8.10.1"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "created": "2018-02-05T08:04:53.000Z",
        "dataset": "ti_opencti.indicator",
        "id": "d019b01c-b637-4eb2-af53-6d527be3193d",
        "ingested": "2023-11-09T01:59:14Z",
        "kind": "enrichment",
        "original": "{\"confidence\":15,\"created\":\"2018-02-05T08:04:53.000Z\",\"createdBy\":{\"identity_class\":\"organization\",\"name\":\"CthulhuSPRL.be\"},\"description\":\"\",\"externalReferences\":{\"edges\":[]},\"id\":\"d019b01c-b637-4eb2-af53-6d527be3193d\",\"is_inferred\":false,\"killChainPhases\":{\"edges\":[]},\"lang\":\"en\",\"modified\":\"2023-01-17T05:53:42.851Z\",\"name\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"objectLabel\":{\"edges\":[{\"node\":{\"value\":\"information-credibility-6\"}},{\"node\":{\"value\":\"osint\"}}]},\"objectMarking\":{\"edges\":[{\"node\":{\"definition\":\"TLP:GREEN\",\"definition_type\":\"TLP\"}}]},\"observables\":{\"edges\":[{\"node\":{\"entity_type\":\"Hostname\",\"id\":\"b0a91059-5637-4050-8dce-a976a607f75c\",\"observable_value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\",\"standard_id\":\"hostname--2047cd44-ffae-5b34-b912-5856add59b59\",\"value\":\"ec2-23-21-172-164.compute-1.amazonaws.com\"}}],\"pageInfo\":{\"globalCount\":1}},\"pattern\":\"[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']\",\"pattern_type\":\"stix\",\"pattern_version\":\"2.1\",\"revoked\":true,\"standard_id\":\"indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b\",\"valid_from\":\"2018-02-05T08:04:53.000Z\",\"valid_until\":\"2019-02-05T08:04:53.000Z\",\"x_opencti_detection\":false,\"x_opencti_main_observable_type\":\"Hostname\",\"x_opencti_score\":40}",
        "type": [
            "indicator"
        ]
    },
    "input": {
        "type": "cel"
    },
    "opencti": {
        "indicator": {
            "creator_identity_class": "organization",
            "detection": false,
            "is_inferred": false,
            "lang": "en",
            "observables_count": 1,
            "pattern": "[hostname:value = 'ec2-23-21-172-164.compute-1.amazonaws.com']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "revoked": true,
            "score": 40,
            "standard_id": "indicator--cde0a6e1-c622-52c4-b857-e9aeac56131b",
            "valid_from": "2018-02-05T08:04:53.000Z",
            "valid_until": "2019-02-05T08:04:53.000Z"
        },
        "observable": {
            "hostname": {
                "entity_type": "Hostname",
                "id": "b0a91059-5637-4050-8dce-a976a607f75c",
                "standard_id": "hostname--2047cd44-ffae-5b34-b912-5856add59b59",
                "value": "ec2-23-21-172-164.compute-1.amazonaws.com"
            }
        }
    },
    "related": {
        "hosts": [
            "ec2-23-21-172-164.compute-1.amazonaws.com"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "opencti-indicator",
        "information-credibility-6",
        "osint",
        "ecs-indicator-detail"
    ],
    "threat": {
        "feed": {
            "dashboard_id": "ti_opencti-83b2bef0-591c-11ee-ba5f-49a63bb985cd",
            "description": "Indicator data from OpenCTI",
            "name": "OpenCTI",
            "reference": "https://docs.opencti.io/latest/usage/overview/"
        },
        "indicator": {
            "confidence": "Low",
            "marking": {
                "tlp": "GREEN"
            },
            "modified_at": "2023-01-17T05:53:42.851Z",
            "name": "ec2-23-21-172-164.compute-1.amazonaws.com",
            "provider": "CthulhuSPRL.be",
            "reference": "http://elastic-package-service-opencti_stub-1:8080/dashboard/observations/indicators/d019b01c-b637-4eb2-af53-6d527be3193d",
            "type": "hostname",
            "url": {
                "domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
                "registered_domain": "ec2-23-21-172-164.compute-1.amazonaws.com",
                "top_level_domain": "compute-1.amazonaws.com"
            }
        }
    }
}

Exported fields

Fields for indicators of any type are mapped to ECS fields when possible (primarily threat.indicator.*) and otherwise stored with a vendor prefix (opencti.indicator.*).

Fields for related observables of the various types are always stored under opencti.observable.<type>.* and when possible their values will be copied into corresponding ECS fields.

The related.* fields will also be populated with any relevant data.

Timestamps are mapped as follows:

Source      | Destination                               | Description
-           | @timestamp                                | Time the event was received by the pipeline
-           | event.ingested                            | Time the event arrived in the central data store
created     | event.created                             | Time of the indicator's creation
modified    | threat.indicator.modified_at              | Time of the indicator's last modification
valid_from  | opencti.indicator.valid_from              | Time from which this indicator is considered a valid indicator of the behaviors it is related to or represents
valid_until | opencti.indicator.valid_until             | Time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents
-           | opencti.indicator.invalid_or_revoked_from | The earliest time at which an indicator reaches its valid_until time or is marked as revoked

The table below lists the fields exported by this integration, including all opencti.* fields.

The documentation for ECS fields can be found at:


Field | Description | Type
@timestamp
Time the event was received by the pipeline.
date
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
ecs.version
ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
keyword
event.agent_id_status
Agents are normally responsible for populating the agent.id field value. If the system receiving events is capable of validating the value based on authentication information for the client then this field can be used to reflect the outcome of that validation. For example if the agent's connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the agent.id value in events can be checked against the certificate. If the values match then event.agent_id_status: verified is added to the event, otherwise one of the other allowed values should be used. If no validation is performed then the field should be omitted. The allowed values are: verified - The agent.id field value matches expected value obtained from auth metadata. mismatch - The agent.id field value does not match the expected value obtained from auth metadata. missing - There was no agent.id field in the event to validate. auth_metadata_missing - There was no auth metadata or it was missing information about the agent ID.
keyword
event.category
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
keyword
event.created
event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
date
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
keyword
event.id
Unique ID to describe the event.
keyword
event.ingested
Timestamp when an event arrived in the central data store. This is different from @timestamp, which is when the event originally occurred. It's also different from event.created, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: @timestamp < event.created < event.ingested.
date
event.kind
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not.
keyword
event.module
Event module
constant_keyword
event.original
Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference.
keyword
event.type
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
keyword
input.type
Input type.
keyword
labels.is_ioc_transform_source
Field indicating if the document is a source for the transform. This field is not added to destination indices to facilitate easier filtering of indicators for indicator match rules.
constant_keyword
opencti.indicator.creator_identity_class
The type of the creator of this indicator (e.g. "organization").
keyword
opencti.indicator.detection
Whether the indicator has been detected.
boolean
opencti.indicator.external_reference.description
A description for a related record in an external system.
keyword
opencti.indicator.external_reference.external_id
A non-STIX ID for a related record in an external system.
keyword
opencti.indicator.external_reference.source_name
The name of an external source of related records.
keyword
opencti.indicator.external_reference.url
A URL for a related record in an external system.
keyword
opencti.indicator.invalid_or_revoked_from
A time from which this indicator should be considered invalid or revoked.
date
opencti.indicator.is_inferred
Whether the indicator is inferred.
boolean
opencti.indicator.kill_chain_phase
The kill chain name and kill chain phase name (e.g. "[mitre-attack] exfiltration").
keyword
opencti.indicator.lang
A language associated with the indicator record.
keyword
opencti.indicator.observables_count
The number of observables related to this indicator, which may exceed the number fetched.
long
opencti.indicator.pattern
The detection pattern for this indicator, expressed as a STIX pattern or using another appropriate language such as SNORT, YARA, etc.
keyword
opencti.indicator.pattern_type
The pattern language used in this indicator.
keyword
opencti.indicator.pattern_version
The version of the pattern language used in this indicator.
keyword
opencti.indicator.revoked
Whether the indicator is revoked.
boolean
opencti.indicator.score
An integer score for the indicator.
long
opencti.indicator.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the indicator.
keyword
opencti.indicator.valid_from
The time from which this indicator is considered a valid indicator of the behaviors it is related to or represents.
date
opencti.indicator.valid_until
The time at which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents.
date
opencti.observable.artifact.additional_names
Additional names of the artifact.
keyword
opencti.observable.artifact.decryption_key
The decryption key for the encrypted binary data.
keyword
opencti.observable.artifact.encryption_algorithm
The type of encryption algorithm the binary data is encoded in, if the artifact is encrypted.
keyword
opencti.observable.artifact.entity_type
The observable type.
keyword
opencti.observable.artifact.hash.md5
MD5 hash for the contents of the url or the payload_bin.
keyword
opencti.observable.artifact.hash.sha1
SHA1 hash for the contents of the url or the payload_bin.
keyword
opencti.observable.artifact.hash.sha256
SHA-256 hash for the contents of the url or the payload_bin.
keyword
opencti.observable.artifact.hash.sha3_256
SHA3-256 hash for the contents of the url or the payload_bin.
keyword
opencti.observable.artifact.hash.sha3_512
SHA3-512 hash for the contents of the url or the payload_bin.
keyword
opencti.observable.artifact.hash.sha512
SHA-512 hash for the contents of the url or the payload_bin.
keyword
opencti.observable.artifact.hash.ssdeep
SSDEEP hash for the contents of the url or the payload_bin.
keyword
opencti.observable.artifact.hash.tlsh
TLSH hash for the contents of the url or the payload_bin.
keyword
opencti.observable.artifact.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.artifact.mime_type
MIME type of the artifact, given as one of the values defined in the Template column in the IANA media type registry, when feasible.
keyword
opencti.observable.artifact.payload_bin
The binary data contained in the artifact as a base64-encoded string.
keyword
opencti.observable.artifact.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.artifact.url
A valid URL that resolves to the unencoded content.
keyword
opencti.observable.artifact.value
The main value for the observable.
keyword
opencti.observable.autonomous_system.entity_type
The observable type.
keyword
opencti.observable.autonomous_system.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.autonomous_system.name
The name of the AS.
keyword
opencti.observable.autonomous_system.number
The number assigned to the AS, typically by a Regional Internet Registry (RIR).
long
opencti.observable.autonomous_system.rir
The name of the Regional Internet Registry (RIR) that assigned the number to the AS.
keyword
opencti.observable.autonomous_system.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.autonomous_system.value
The main value for the observable.
keyword
opencti.observable.bank_account.account_number
A bank account number.
keyword
opencti.observable.bank_account.bic
A Bank Identifier Code (BIC).
keyword
opencti.observable.bank_account.entity_type
The observable type.
keyword
opencti.observable.bank_account.iban
An International Bank Account Number (IBAN).
keyword
opencti.observable.bank_account.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.bank_account.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.bank_account.value
The main value for the observable.
keyword
opencti.observable.cryptocurrency_wallet.entity_type
The observable type.
keyword
opencti.observable.cryptocurrency_wallet.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.cryptocurrency_wallet.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.cryptocurrency_wallet.value
A cryptocurrency wallet ID.
keyword
opencti.observable.cryptographic_key.entity_type
The observable type.
keyword
opencti.observable.cryptographic_key.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.cryptographic_key.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.cryptographic_key.value
A cryptographic key.
keyword
opencti.observable.directory.atime
The date/time the directory was last accessed.
date
opencti.observable.directory.ctime
The date/time the directory was created.
date
opencti.observable.directory.entity_type
The observable type.
keyword
opencti.observable.directory.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.directory.mtime
The date/time the directory was last written to/modified.
date
opencti.observable.directory.path
The path, as originally observed, to the directory on the file system.
keyword
opencti.observable.directory.path_enc
The observed encoding for the path, using the IANA character set registry.
keyword
opencti.observable.directory.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.directory.value
The main value for the observable.
keyword
opencti.observable.domain_name.entity_type
The observable type.
keyword
opencti.observable.domain_name.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.domain_name.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.domain_name.value
The value of the domain name, using RFC1034, RFC5890.
keyword
opencti.observable.email_addr.display_name
A single email display name, i.e., the name that is displayed to the human user of a mail application, using RFC5322.
keyword
opencti.observable.email_addr.entity_type
The observable type.
keyword
opencti.observable.email_addr.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.email_addr.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.email_addr.value
The value of the email address, using RFC5322.
keyword
opencti.observable.email_message.attribute_date
The date/time that the email message was sent.
date
opencti.observable.email_message.body
A string containing the email body.
keyword
opencti.observable.email_message.content_type
The value of the "Content-Type" header of the email message.
keyword
opencti.observable.email_message.entity_type
The observable type.
keyword
opencti.observable.email_message.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.email_message.is_multipart
Indicates whether the email body contains multiple MIME parts.
boolean
opencti.observable.email_message.message_id
The Message-ID field of the email message.
keyword
opencti.observable.email_message.received_lines
One or more "Received" header fields that may be included in the email headers.
keyword
opencti.observable.email_message.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.email_message.subject
The subject of the email message.
keyword
opencti.observable.email_message.value
The main value for the observable.
keyword
opencti.observable.email_mime_part_type.body
The contents of the MIME part.
keyword
opencti.observable.email_mime_part_type.content_disposition
The value of the "Content-Disposition" header field of the MIME part.
keyword
opencti.observable.email_mime_part_type.content_type
The value of the "Content-Type" header field of the MIME part.
keyword
opencti.observable.email_mime_part_type.entity_type
The observable type.
keyword
opencti.observable.email_mime_part_type.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.email_mime_part_type.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.email_mime_part_type.value
The main value for the observable.
keyword
opencti.observable.file.additional_names
Additional names of the file.
keyword
opencti.observable.file.atime
The date/time the file was last accessed.
date
opencti.observable.file.content.decryption_key
The decryption key for the encrypted binary data.
keyword
opencti.observable.file.content.encryption_algorithm
The type of encryption algorithm the binary data is encoded in, if the file is encrypted.
keyword
opencti.observable.file.content.payload_bin
The binary data contained in the file as a base64-encoded string.
keyword
opencti.observable.file.content.url
A valid URL that resolves to the unencoded content.
keyword
opencti.observable.file.ctime
The date/time the file was created.
date
opencti.observable.file.entity_type
The observable type.
keyword
opencti.observable.file.hash.md5
MD5 hash for the file.
keyword
opencti.observable.file.hash.sha1
SHA1 hash for the file.
keyword
opencti.observable.file.hash.sha256
SHA-256 hash for the file.
keyword
opencti.observable.file.hash.sha3_256
SHA3-256 hash for the file.
keyword
opencti.observable.file.hash.sha3_512
SHA3-512 hash for the file.
keyword
opencti.observable.file.hash.sha512
SHA-512 hash for the file.
keyword
opencti.observable.file.hash.ssdeep
SSDEEP hash for the file.
keyword
opencti.observable.file.hash.tlsh
TLSH hash for the file.
keyword
opencti.observable.file.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.file.magic_number_hex
The hexadecimal constant ("magic number") associated with a specific file format that corresponds to the file, if applicable.
keyword
opencti.observable.file.mime_type
MIME type of the file, given as one of the values defined in the Template column in the IANA media type registry, when feasible.
keyword
opencti.observable.file.mtime
The date/time the file was last written to/modified.
date
opencti.observable.file.name
The name of the file.
keyword
opencti.observable.file.name_enc
The observed encoding for the name of the file, using the IANA character set registry.
keyword
opencti.observable.file.size
The size of the file, in bytes.
long
opencti.observable.file.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.file.value
The main value for the observable.
keyword
opencti.observable.hostname.entity_type
The observable type.
keyword
opencti.observable.hostname.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.hostname.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.hostname.value
A hostname.
keyword
opencti.observable.ipv4_addr.entity_type
The observable type.
keyword
opencti.observable.ipv4_addr.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.ipv4_addr.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.ipv4_addr.value
The values of one or more IPv4 addresses expressed using CIDR notation.
keyword
opencti.observable.ipv6_addr.entity_type
The observable type.
keyword
opencti.observable.ipv6_addr.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.ipv6_addr.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.ipv6_addr.value
The values of one or more IPv6 addresses expressed using CIDR notation.
keyword
opencti.observable.mac_addr.entity_type
The observable type.
keyword
opencti.observable.mac_addr.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.mac_addr.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.mac_addr.value
The value of a single MAC address.
keyword
opencti.observable.media_content.content
The content of an item of media content.
keyword
opencti.observable.media_content.entity_type
The observable type.
keyword
opencti.observable.media_content.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.media_content.media_category
The category of an item of media content.
keyword
opencti.observable.media_content.publication_date
The publication date of an item of media content.
date
opencti.observable.media_content.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.media_content.title
The title of an item of media content.
keyword
opencti.observable.media_content.url
The URL of an item of media content.
keyword
opencti.observable.media_content.value
The main value for the observable.
keyword
opencti.observable.mutex.entity_type
The observable type.
keyword
opencti.observable.mutex.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.mutex.name
The name of the mutex object.
keyword
opencti.observable.mutex.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.mutex.value
The main value for the observable.
keyword
opencti.observable.network_traffic.dst_byte_count
The number of bytes, as a positive integer, sent from the destination to the source.
long
opencti.observable.network_traffic.dst_packets
The number of packets, as a positive integer, sent from the destination to the source.
long
opencti.observable.network_traffic.dst_port
The destination port used in the network traffic, as an integer.
long
opencti.observable.network_traffic.end
The date/time the network traffic ended, if known.
date
opencti.observable.network_traffic.entity_type
The observable type.
keyword
opencti.observable.network_traffic.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.network_traffic.is_active
Indicates whether the network traffic is still ongoing.
boolean
opencti.observable.network_traffic.protocols
The protocols observed in the network traffic, along with their corresponding state.
keyword
opencti.observable.network_traffic.src_byte_count
The number of bytes, as a positive integer, sent from the source to the destination.
long
opencti.observable.network_traffic.src_packets
The number of packets, as a positive integer, sent from the source to the destination.
long
opencti.observable.network_traffic.src_port
The source port used in the network traffic, as an integer.
long
opencti.observable.network_traffic.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.network_traffic.start
The date/time the network traffic was initiated, if known.
date
opencti.observable.network_traffic.value
The main value for the observable.
keyword
opencti.observable.payment_card.card_number
A payment card number.
keyword
opencti.observable.payment_card.cvv
A Card Verification Value (CVV) for a payment card.
keyword
opencti.observable.payment_card.entity_type
The observable type.
keyword
opencti.observable.payment_card.expiration_date
A payment card expiration date.
date
opencti.observable.payment_card.holder_name
The name of a payment card holder.
long
opencti.observable.payment_card.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.payment_card.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.payment_card.value
The main value for the observable.
keyword
opencti.observable.phone_number.entity_type
The observable type.
keyword
opencti.observable.phone_number.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.phone_number.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.phone_number.value
A phone number.
keyword
opencti.observable.process.aslr_enabled
Whether Address Space Layout Randomization (ASLR) is enabled for the process (on Windows).
boolean
opencti.observable.process.command_line
The full command line used in executing the process, including the process name and any arguments.
keyword
opencti.observable.process.created_time
The date/time at which the process was created.
date
opencti.observable.process.cwd
The current working directory of the process.
keyword
opencti.observable.process.dep_enabled
Whether Data Execution Prevention (DEP) is enabled for the process (on Windows).
boolean
opencti.observable.process.description
Description of the process.
keyword
opencti.observable.process.descriptions
The descriptions defined for the (Windows) service.
keyword
opencti.observable.process.display_name
The display name of the service in Windows GUI controls.
keyword
opencti.observable.process.entity_type
The observable type.
keyword
opencti.observable.process.environment_variables
The list of environment variables associated with the process.
keyword
opencti.observable.process.group_name
The name of the load ordering group of which the (Windows) service is a member.
keyword
opencti.observable.process.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.process.integrity_level
The Windows integrity level, or trustworthiness, of the process.
keyword
opencti.observable.process.is_hidden
Whether the process is hidden.
boolean
opencti.observable.process.owner_sid
The Security ID (SID) value of the owner of the process (on Windows).
keyword
opencti.observable.process.pid
The Process ID, or PID, of the process.
long
opencti.observable.process.priority
The current priority class of the process in Windows.
keyword
opencti.observable.process.service_dll.additional_names
Additional names of the service DLL file.
keyword
opencti.observable.process.service_dll.atime
The date/time the service DLL file was last accessed.
date
opencti.observable.process.service_dll.content.decryption_key
The decryption key for the encrypted binary data of the service DLL file.
keyword
opencti.observable.process.service_dll.content.encryption_algorithm
The type of encryption algorithm the binary data is encoded in, if the service DLL file is encrypted.
keyword
opencti.observable.process.service_dll.content.payload_bin
The binary data contained in the service DLL file as a base64-encoded string.
keyword
opencti.observable.process.service_dll.content.url
A valid URL that resolves to the unencoded content of the service DLL file.
keyword
opencti.observable.process.service_dll.ctime
The date/time the service DLL file was created.
date
opencti.observable.process.service_dll.hash.md5
MD5 hash for the service DLL file.
keyword
opencti.observable.process.service_dll.hash.sha1
SHA1 hash for the service DLL file.
keyword
opencti.observable.process.service_dll.hash.sha256
SHA-256 hash for the service DLL file.
keyword
opencti.observable.process.service_dll.hash.sha3_256
SHA3-256 hash for the service DLL file.
keyword
opencti.observable.process.service_dll.hash.sha3_512
SHA3-512 hash for the service DLL file.
keyword
opencti.observable.process.service_dll.hash.sha512
SHA-512 hash for the service DLL file.
keyword
opencti.observable.process.service_dll.hash.ssdeep
SSDEEP hash for the service DLL file.
keyword
opencti.observable.process.service_dll.hash.tlsh
TLSH hash for the service DLL file.
keyword
opencti.observable.process.service_dll.magic_number_hex
The hexadecimal constant ("magic number") associated with a specific file format that corresponds to the service DLL file, if applicable.
keyword
opencti.observable.process.service_dll.mime_type
MIME type of the service DLL file, given as one of the values defined in the Template column in the IANA media type registry, when feasible.
keyword
opencti.observable.process.service_dll.mtime
The date/time the service DLL file was last written to/modified.
date
opencti.observable.process.service_dll.name
The name of the service DLL file.
keyword
opencti.observable.process.service_dll.name_enc
The observed encoding for the name of the service DLL file, using the IANA character set registry.
keyword
opencti.observable.process.service_dll.size
The size of the service DLL file, in bytes.
long
opencti.observable.process.service_name
The name of the (Windows) service.
keyword
opencti.observable.process.service_status
The type of the (Windows) service.
keyword
opencti.observable.process.service_type
The DLLs loaded by the (Windows) service, as a reference to one or more File objects.
keyword
opencti.observable.process.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.process.start_type
The start options defined for the (Windows) service.
keyword
opencti.observable.process.startup_info
The STARTUP_INFO struct used by the process (on Windows).
flattened
opencti.observable.process.value
The main value for the observable.
keyword
opencti.observable.process.window_title
The title of the main window of the process (on Windows).
keyword
opencti.observable.software.cpe
The Common Platform Enumeration (CPE) entry for the software, if available.
keyword
opencti.observable.software.entity_type
The observable type.
keyword
opencti.observable.software.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.software.languages
The languages supported by the software, using RFC5646.
keyword
opencti.observable.software.name
The name of the software.
keyword
opencti.observable.software.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.software.swid
The Software Identification (SWID) Tags entry for the software, if available.
keyword
opencti.observable.software.value
The main value for the observable.
keyword
opencti.observable.software.vendor
The name of the vendor of the software.
keyword
opencti.observable.software.version
The version of the software.
keyword
opencti.observable.text.entity_type
The observable type.
keyword
opencti.observable.text.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.text.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.text.value
Text.
keyword
opencti.observable.url.entity_type
The observable type.
keyword
opencti.observable.url.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.url.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.url.value
The value of the URL, using RFC3986.
keyword
opencti.observable.user_account.account_created
When the account was created.
date
opencti.observable.user_account.account_expires
The expiration date of the account.
date
opencti.observable.user_account.account_first_login
When the account was first accessed.
date
opencti.observable.user_account.account_last_login
When the account was last accessed.
date
opencti.observable.user_account.account_login
The account login string, where it differs from the user_id.
keyword
opencti.observable.user_account.account_type
The type of the account.
keyword
opencti.observable.user_account.can_escalate_privs
Whether the account has the ability to escalate privileges.
boolean
opencti.observable.user_account.credential
A cleartext credential, not PII.
keyword
opencti.observable.user_account.credential_last_changed
When the account credential was last changed.
date
opencti.observable.user_account.display_name
The display name of the account, to be shown in user interfaces, if applicable.
keyword
opencti.observable.user_account.entity_type
The observable type.
keyword
opencti.observable.user_account.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.user_account.is_disabled
Whether the account is disabled.
boolean
opencti.observable.user_account.is_privileged
Whether the account has elevated privileges.
boolean
opencti.observable.user_account.is_service_account
Indicates that the account is associated with a network service or system process (daemon), not a specific individual.
boolean
opencti.observable.user_account.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.user_account.user_id
The identifier of the account; it may be a numeric ID, a GUID, an account name, an email address, etc.
keyword
opencti.observable.user_account.value
The main value for the observable.
keyword
opencti.observable.user_agent.entity_type
The observable type.
keyword
opencti.observable.user_agent.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.user_agent.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.user_agent.value
An HTTP User-Agent string.
keyword
opencti.observable.windows_registry_key.attribute_key
The full registry key including the hive.
keyword
opencti.observable.windows_registry_key.entity_type
The observable type.
keyword
opencti.observable.windows_registry_key.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.windows_registry_key.modified_time
The last date/time that the registry key was modified.
date
opencti.observable.windows_registry_key.number_of_subkeys
The number of subkeys contained under the registry key.
long
opencti.observable.windows_registry_key.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.windows_registry_key.value
The main value for the observable.
keyword
opencti.observable.windows_registry_value_type.data
The data contained in the registry value.
keyword
opencti.observable.windows_registry_value_type.data_type
The registry (REG_*) data type used in the registry value.
keyword
opencti.observable.windows_registry_value_type.entity_type
The observable type.
keyword
opencti.observable.windows_registry_value_type.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.windows_registry_value_type.name
The name of the registry value.
keyword
opencti.observable.windows_registry_value_type.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.windows_registry_value_type.value
The main value for the observable.
keyword
opencti.observable.x509_certificate.authority_key_identifier
The identifier that provides a means of identifying the public key corresponding to the private key used to sign a certificate.
keyword
opencti.observable.x509_certificate.basic_constraints
A multi-valued extension which indicates whether a certificate is a CA certificate.
keyword
opencti.observable.x509_certificate.certificate_policies
A sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers.
keyword
opencti.observable.x509_certificate.crl_distribution_points
How CRL information is obtained.
keyword
opencti.observable.x509_certificate.entity_type
The observable type.
keyword
opencti.observable.x509_certificate.extended_key_usage
A list of usages indicating the purposes for which the certificate public key can be used.
keyword
opencti.observable.x509_certificate.hash.md5
MD5 hash calculated for the entire contents of the certificate.
keyword
opencti.observable.x509_certificate.hash.sha1
SHA1 hash calculated for the entire contents of the certificate.
keyword
opencti.observable.x509_certificate.hash.sha256
SHA-256 hash calculated for the entire contents of the certificate.
keyword
opencti.observable.x509_certificate.hash.sha3_256
SHA3-256 hash calculated for the entire contents of the certificate.
keyword
opencti.observable.x509_certificate.hash.sha3_512
SHA3-512 hash calculated for the entire contents of the certificate.
keyword
opencti.observable.x509_certificate.hash.sha512
SHA-512 hash calculated for the entire contents of the certificate.
keyword
opencti.observable.x509_certificate.hash.ssdeep
SSDEEP hash calculated for the entire contents of the certificate.
keyword
opencti.observable.x509_certificate.hash.tlsh
TLSH hash calculated for the entire contents of the certificate.
keyword
opencti.observable.x509_certificate.id
The ID of the observable in OpenCTI.
keyword
opencti.observable.x509_certificate.inhibit_any_policy
The number of additional certificates that may appear in the path before anyPolicy is no longer permitted.
keyword
opencti.observable.x509_certificate.is_self_signed
Whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies.
boolean
opencti.observable.x509_certificate.issuer
The name of the Certificate Authority that issued the certificate.
keyword
opencti.observable.x509_certificate.issuer_alternative_name
The additional identities to be bound to the issuer of the certificate.
keyword
opencti.observable.x509_certificate.key_usage
A multi-valued extension consisting of a list of names of the permitted key usages.
keyword
opencti.observable.x509_certificate.name_constraints
A namespace within which all subject names in subsequent certificates in a certification path are located.
keyword
opencti.observable.x509_certificate.policy_constraints
Any constraints on path validation for certificates issued to CAs.
keyword
opencti.observable.x509_certificate.policy_mappings
One or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy.
keyword
opencti.observable.x509_certificate.private_key_usage_period_not_after
The date on which the validity period ends for the private key, if it is different from the validity period of the certificate.
date
opencti.observable.x509_certificate.private_key_usage_period_not_before
The date on which the validity period begins for the private key, if it is different from the validity period of the certificate.
date
opencti.observable.x509_certificate.serial_number
The unique identifier for the certificate, as issued by a specific Certificate Authority.
keyword
opencti.observable.x509_certificate.signature_algorithm
The name of the algorithm used to sign the certificate.
keyword
opencti.observable.x509_certificate.standard_id
A predictable STIX ID, generated based on one or multiple attributes of the observable.
keyword
opencti.observable.x509_certificate.subject
The name of the entity associated with the public key stored in the subject public key field of the certificate.
keyword
opencti.observable.x509_certificate.subject_alternative_name
The additional identities to be bound to the subject of the certificate.
keyword
opencti.observable.x509_certificate.subject_directory_attributes
The identification attributes (e.g., nationality) of the subject.
keyword
opencti.observable.x509_certificate.subject_key_identifier
The identifier that provides a means of identifying certificates that contain a particular public key.
keyword
opencti.observable.x509_certificate.subject_public_key_algorithm
The name of the algorithm with which to encrypt data being sent to the subject.
keyword
opencti.observable.x509_certificate.subject_public_key_exponent
The exponent portion of the subject’s public RSA key, as an integer.
long
opencti.observable.x509_certificate.subject_public_key_modulus
The modulus portion of the subject’s public RSA key.
keyword
opencti.observable.x509_certificate.validity_not_after
The date on which the certificate validity period ends.
date
opencti.observable.x509_certificate.validity_not_before
The date on which the certificate validity period begins.
date
opencti.observable.x509_certificate.value
The main value for the observable.
keyword
opencti.observable.x509_certificate.version
The version of the encoded certificate.
keyword
related.hash
All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
keyword
related.hosts
All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names or other user identifiers seen on the event.
keyword
tags
List of keywords used to tag each event.
keyword
threat.feed.dashboard_id
The saved object ID of the dashboard belonging to the threat feed for displaying dashboard links to threat feeds in Kibana.
keyword
threat.feed.description
Description of the threat feed in a UI friendly format.
keyword
threat.feed.name
The name of the threat feed in UI friendly format.
keyword
threat.feed.reference
Reference information for the threat feed in a UI friendly format.
keyword
threat.indicator.as.number
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
long
threat.indicator.as.organization.name
Organization name.
keyword
threat.indicator.as.organization.name.text
Multi-field of threat.indicator.as.organization.name.
match_only_text
threat.indicator.confidence
Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields.
keyword
threat.indicator.description
Describes the type of action conducted by the threat.
keyword
threat.indicator.email.address
Identifies a threat indicator as an email address (irrespective of direction).
keyword
threat.indicator.file.accessed
Last time the file was accessed. Note that not all filesystems keep track of access time.
date
threat.indicator.file.created
File creation time. Note that not all filesystems store the creation time.
date
threat.indicator.file.directory
Directory where the file is located. It should include the drive letter, when appropriate.
keyword
threat.indicator.file.drive_letter
Drive letter where the file is located. This field is only relevant on Windows. The value should be uppercase, and not include the colon.
keyword
threat.indicator.file.extension
File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
keyword
threat.indicator.file.hash.md5
MD5 hash.
keyword
threat.indicator.file.hash.sha1
SHA1 hash.
keyword
threat.indicator.file.hash.sha256
SHA256 hash.
keyword
threat.indicator.file.hash.sha384
SHA384 hash.
keyword
threat.indicator.file.hash.sha3_256
SHA3-256 hash.
keyword
threat.indicator.file.hash.sha3_512
SHA3-512 hash.
keyword
threat.indicator.file.hash.sha512
SHA512 hash.
keyword
threat.indicator.file.hash.ssdeep
SSDEEP hash.
keyword
threat.indicator.file.hash.tlsh
TLSH hash.
keyword
threat.indicator.file.mime_type
MIME type should identify the format of the file or stream of bytes using IANA official types (https://www.iana.org/assignments/media-types/media-types.xhtml), where possible. When more than one type is applicable, the most specific type should be used.
keyword
threat.indicator.file.mtime
Last time the file content was modified.
date
threat.indicator.file.name
Name of the file including the extension, without the directory.
keyword
threat.indicator.file.path
Full path to the file, including the file name. It should include the drive letter, when appropriate.
keyword
threat.indicator.file.path.text
Multi-field of threat.indicator.file.path.
match_only_text
threat.indicator.file.size
File size in bytes. Only relevant when file.type is "file".
long
threat.indicator.file.type
File type (file, dir, or symlink).
keyword
threat.indicator.ip
Identifies a threat indicator as an IP address (irrespective of direction).
ip
threat.indicator.marking.tlp
Traffic Light Protocol sharing markings.
keyword
threat.indicator.modified_at
The date and time when intelligence source last modified information for this indicator.
date
threat.indicator.name
The display name of the indicator in a UI friendly format.
keyword
threat.indicator.port
Identifies a threat indicator as a port number (irrespective of direction).
long
threat.indicator.provider
The name of the indicator's provider.
keyword
threat.indicator.reference
Reference URL linking to additional information about this indicator.
keyword
threat.indicator.registry.data.bytes
Original bytes written with base64 encoding. For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by lp_data. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values.
keyword
threat.indicator.registry.data.strings
Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g "1").
wildcard
threat.indicator.registry.data.type
Standard registry type for encoding contents.
keyword
threat.indicator.registry.hive
Abbreviated name for the hive.
keyword
threat.indicator.registry.key
Hive-relative path of keys.
keyword
threat.indicator.registry.path
Full path, including hive, key and value.
keyword
threat.indicator.registry.value
Name of the value written.
keyword
threat.indicator.type
Type of indicator as represented by a Cyber Observable in STIX 2.1 or OpenCTI.
keyword
threat.indicator.url.domain
Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field. If the URL contains a literal IPv6 address enclosed by [ and ] (IETF RFC 2732), the [ and ] characters should also be captured in the domain field.
keyword
threat.indicator.url.extension
The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz").
keyword
threat.indicator.url.fragment
Portion of the url after the #, such as "top". The # is not part of the fragment.
keyword
threat.indicator.url.full
If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.
wildcard
threat.indicator.url.full.text
Multi-field of threat.indicator.url.full.
match_only_text
threat.indicator.url.original
Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.
wildcard
threat.indicator.url.original.text
Multi-field of threat.indicator.url.original.
match_only_text
threat.indicator.url.password
Password of the request.
keyword
threat.indicator.url.path
Path of the request, such as "/search".
wildcard
threat.indicator.url.port
Port of the request, such as 443.
long
threat.indicator.url.query
The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.
keyword
threat.indicator.url.registered_domain
The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
keyword
threat.indicator.url.scheme
Scheme of the request, such as "https". Note: The : is not part of the scheme.
keyword
threat.indicator.url.subdomain
The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example, the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.
keyword
threat.indicator.url.top_level_domain
The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".
keyword
threat.indicator.url.username
Username of the request.
keyword
threat.indicator.x509.alternative_names
List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.
keyword
threat.indicator.x509.issuer.common_name
List of common name (CN) of issuing certificate authority.
keyword
threat.indicator.x509.not_after
Time at which the certificate is no longer considered valid.
date
threat.indicator.x509.not_before
Time at which the certificate is first considered valid.
date
threat.indicator.x509.public_key_algorithm
Algorithm used to generate the public key.
keyword
threat.indicator.x509.public_key_exponent
Exponent used to derive the public key. This is algorithm specific.
long
threat.indicator.x509.serial_number
Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
keyword
threat.indicator.x509.signature_algorithm
Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353.
keyword
threat.indicator.x509.subject.common_name
List of common names (CN) of subject.
keyword
threat.indicator.x509.version_number
Version of x509 format.
keyword

Changelog

Version | Details | Kibana version(s)

2.1.1 | Bug fix: Adjust field mappings for transform destination index. | 8.12.0 or higher
2.1.0 | Enhancement: Set sensitive values as secret. | 8.12.0 or higher
2.0.0 | Bug fix: Update for OpenCTI v5.12.24 GraphQL schema change | 8.10.1 or higher
1.1.0 | Enhancement: Add support for IOC expiration | 8.10.1 or higher
1.0.1 | Enhancement: Changed owners | 8.9.0 or higher
1.0.0 | Enhancement: Release package as GA. | 8.9.0 or higher
0.3.5 | Bug fix: Keep expected nulls, improve error handling |
0.3.4 | Enhancement: Tolerate suffixes on the OpenCTI instance URL |
0.3.3 | Bug fix: Support OpenCTI 5.12.X by removing filters parameter |
0.3.2 | Bug fix: Fix processing of externalReferences. |
0.3.1 | Bug fix: Fix event.original field type conflict |
0.3.0 | Enhancement: Limit request tracer log count to five. |
0.2.0 | Enhancement: ECS version updated to 8.11.0. |
0.1.0 | Enhancement: Initial version of the package |