Hash Data Model
Attention!
To ensure compatibility and consistency, data is aligned to ECS (Elastic Common Schema). Additional fields that start with a capital letter are also used. These fields are not part of ECS, but are required to enrich information for this IoC type.
The fields below must be present in index documents that describe indicators of compromise (IoC).
Main Information
| Field | Description |
|---|---|
| threat.indicator.name | Array of hash values used as indicators (MD5, SHA1, and SHA256). Main field for matching. |
| threat.indicator.type | Indicator type. Always file here. |
| event.provider | Threat data provider (for example: CTT, ThreatFox). |
| threat.indicator.provider | Alternative field for IoC source/provider. |
File Details
| Field | Description |
|---|---|
| threat.indicator.file.name | Original or known filename associated with the hash. |
| threat.indicator.file.md5 | File hash calculated with MD5. |
| threat.indicator.file.sha1 | File hash calculated with SHA1. |
| threat.indicator.file.sha256 | File hash calculated with SHA256. |
Scoring and Classification
| Field | Description |
|---|---|
| Threat.indicator.severity | Severity score from SIEM (for example: Low, Medium, High). |
| threat.indicator.confidence | Confidence level from the IoC provider (for example: Low, Medium, High). |
| Threat.indicator.risk_score | Numeric risk score calculated by SIEM (event.risk_score / 10). |
| Threat.indicator.category | Threat category associated with the IoC (for example: malware, ransomware, dropper). |
| event.risk_score | Risk score assigned by the IoC provider (0 to 100). |
Threat Context
| Field | Description |
|---|---|
| Threat.indicator.ttp | Related tactics, techniques, and procedures (TTPs) from MITRE ATT&CK. |
| threat.indicator.description | Text description or additional threat details. |
| tags | List of tags or related vulnerabilities. |
| Threat.indicator.blacklists | Blacklists where this IoC was observed. |
Time Attributes
| Field | Description |
|---|---|
| threat.indicator.first_seen | Date and time when the IoC was first observed by the provider. |
| threat.indicator.last_seen | Date and time of the latest IoC update. |
| Threat.indicator.lifetime | Indicator lifetime. |
False Positive Handling
| Field | Description |
|---|---|
| Threat.indicator.fp.alarm | Flag indicating a potential false positive. |
| Threat.indicator.fp.description | Description of why the IoC can be a false positive. |
Data Model for Correlation
The fields below must be present in index documents that describe user file interactions. For all such sources containing this data, add the alias: sm_threat_intelligence_alerts_hash.
File Information
| Field | Description |
|---|---|
| file.name | File name detected in the event. |
| file.path | Full file path on the host. |
| file.hash.md5 | MD5 hash from the event. Key field for correlation. |
| file.hash.sha1 | SHA1 hash from the event. Key field for correlation. |
| file.hash.sha256 | SHA256 hash from the event. Key field for correlation. |
Host and User Information
| Field | Description |
|---|---|
| host.name | Host name where the event occurred. |
| winlog.user.name | Username in whose context the event occurred. |
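The two models above fit together as follows. This is an added illustration, not the SIEM's own correlation code: an indicator document shaped like the Hash Data Model and a file event shaped like the correlation model are constructed inline (hashes are computed from a constructed byte string, not taken from any real sample), then the event's file.hash.* values are matched against threat.indicator.name, Threat.indicator.risk_score is derived from event.risk_score / 10, and indicators flagged in Threat.indicator.fp.alarm are skipped. The helper names get, enrich and correlate are assumptions of this example.

```python
import hashlib
# Constructed sample content; its digests stand in for a real indicator's hashes.
SAMPLE = b"constructed sample content, not a real malicious file"
MD5, SHA1, SHA256 = (hashlib.new(a, SAMPLE).hexdigest() for a in ("md5", "sha1", "sha256"))

# Indicator document shaped like the Hash Data Model (constructed values).
IOC_DOC = {
    "threat": {"indicator": {
        "name": [MD5.upper(), SHA1, SHA256],  # main matching field; providers vary in case
        "type": "file",
        "file": {"name": "invoice.exe", "md5": MD5, "sha1": SHA1, "sha256": SHA256},
        "confidence": "High"}},
    "event": {"provider": "ThreatFox", "risk_score": 85},
    "Threat": {"indicator": {"category": "malware", "fp": {"alarm": False}}},
}

# File interaction event shaped like the correlation model (constructed values).
FILE_EVENT = {
    "file": {"name": "invoice.exe", "path": "C:\\Users\\alice\\Downloads\\invoice.exe",
             "hash": {"sha256": SHA256}},  # only one hash type logged, as is common
    "host": {"name": "WS-0042"},
    "winlog": {"user": {"name": "alice"}},
}

def get(doc, path, default=None):
    # Walk a dotted field path such as "file.hash.sha256" through nested dicts.
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc

def enrich(ioc):
    # Derive Threat.indicator.risk_score from event.risk_score as the model states (/ 10).
    ind = ioc.setdefault("Threat", {}).setdefault("indicator", {})
    ind["risk_score"] = get(ioc, "event.risk_score", 0) / 10
    return ioc

def correlate(event, iocs):
    # Match any file.hash.* value against threat.indicator.name, case-insensitively.
    # Returns (ioc, matched_hash) or None; IoCs flagged as false positives are skipped.
    event_hashes = {str(h).lower() for h in (get(event, "file.hash") or {}).values()}
    for ioc in iocs:
        if get(ioc, "Threat.indicator.fp.alarm", False):
            continue
        for name in get(ioc, "threat.indicator.name", []):
            if name.lower() in event_hashes:
                return ioc, name.lower()
    return None
```

Because the event carries only a SHA256 while the indicator lists all three digests, matching on the threat.indicator.name array rather than on a single threat.indicator.file.* field is what makes the hit possible.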