IP Data Model
Attention!
To ensure compatibility and consistency, data is aligned to ECS (Elastic Common Schema). Additional fields whose names start with a capital letter (for example, Threat.indicator.*) are also used. These fields are not part of ECS, but they are required to enrich information for this IoC type.
The fields below must be present in index documents that describe indicators of compromise (IoC).
Main Information
| Field | Description |
|---|---|
| threat.indicator.name | IP address used as an indicator of compromise. Main field for matching. |
| event.provider | Threat data provider. |
| threat.indicator.type | Indicator type. In this case, ipv4-addr. |
| threat.indicator.provider | IoC source/provider. |
Scoring and Classification
| Field | Description |
|---|---|
| Threat.indicator.category | Threat category associated with the IoC (for example, C2, Scanner, Phishing). |
| threat.indicator.confidence | Confidence level from the IoC provider (for example: Low, Medium, High). |
| Threat.indicator.severity | Severity score from SIEM (for example: Low, Medium, High). |
| event.risk_score | Risk score assigned by the IoC provider (0 to 100). |
| Threat.indicator.risk_score | Numeric risk score calculated by SIEM (event.risk_score / 10). |
Context and Enrichment
| Field | Description |
|---|---|
| threat.indicator.description | Text description or additional threat details. |
| tags | List of tags or related vulnerabilities. |
| Threat.indicator.blacklists | Blacklists where this IoC was observed. |
| threat.indicator.geo.country_name | Country associated with the IP address. |
| threat.indicator.geo.city | City associated with the IP address. |
| threat.indicator.geo.latitude | Geographical latitude of the IP address. |
| threat.indicator.geo.longitude | Geographical longitude of the IP address. |
Time Attributes
| Field | Description |
|---|---|
| threat.indicator.last_seen | Date and time of the latest IoC update. |
| threat.indicator.first_seen | Date and time when the IoC was first observed by the provider. |
| Threat.indicator.lifetime | Indicator lifetime. |
False Positive Handling
| Field | Description |
|---|---|
| Threat.indicator.fp.alarm | Flag indicating a potential false positive. |
| Threat.indicator.fp.description | Description of why the IoC can be a false positive. |
Data Model for Correlation
The fields below must be present in index documents that describe user network interactions. For all such sources containing this data, add the alias: sm_threat_intelligence_alerts_ip.
Observer Information
| Field | Description |
|---|---|
| observer.product | Product that generated the event (for example, Cisco ASA). |
| observer.type | Observer type (for example, firewall). |
Network Information
| Field | Description |
|---|---|
| network.type | Network type (for example, ipv4, ipv6). |
| network.transport | Transport protocol (for example, tcp, udp). |
| destination.address | Destination address (domain or IP) checked against the IoC database. |
| destination.ip | Destination IP address. Key field for correlation. |
| destination.port | Destination port. |
| source.ip | Source IP address. |
Participant Information
| Field | Description |
|---|---|
| user.name | Username that initiated the action. |
| host.hostname | Hostname where the event occurred. |
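The two models above come together at correlation time. The following is an added example, not code from the original page or from any SIEM product: it validates an IP IoC document against the required fields, derives Threat.indicator.risk_score (event.risk_score / 10) as the tables specify, and matches a constructed network event on destination.ip, carrying the false-positive flag through to the alert. Flat dotted keys stand in for nested ECS JSON, and the sample indicator and event are constructed values.

```python
import ipaddress

# Required fields taken from the tables above (ECS names plus the capitalised extras).
IOC_REQUIRED = ("threat.indicator.name", "event.provider", "threat.indicator.type",
                "threat.indicator.provider", "event.risk_score")
EVENT_REQUIRED = ("observer.product", "observer.type", "network.type",
                  "network.transport", "destination.ip", "source.ip")

def validate_ioc(doc):
    """Return a list of problems; an empty list means the IoC document is usable."""
    problems = [f"missing field {f}" for f in IOC_REQUIRED if f not in doc]
    if doc.get("threat.indicator.type") != "ipv4-addr":
        problems.append("threat.indicator.type must be ipv4-addr")
    try:
        ipaddress.IPv4Address(doc.get("threat.indicator.name", ""))
    except ValueError:
        problems.append("threat.indicator.name is not a valid IPv4 address")
    score = doc.get("event.risk_score")
    if not isinstance(score, (int, float)) or not 0 <= score <= 100:
        problems.append("event.risk_score must be a number from 0 to 100")
    return problems

def enrich_ioc(doc):
    """Fill the SIEM-computed score: Threat.indicator.risk_score = event.risk_score / 10."""
    out = dict(doc)
    out["Threat.indicator.risk_score"] = out["event.risk_score"] / 10
    return out

def correlate(event, iocs):
    """Match the event's destination.ip against IoC names and build alert records."""
    if any(f not in event for f in EVENT_REQUIRED):
        return []  # event lacks a field the correlation model requires
    alerts = []
    for ioc in iocs:
        if ioc["threat.indicator.name"] == event["destination.ip"]:
            alerts.append({
                "destination.ip": event["destination.ip"],
                "source.ip": event["source.ip"],
                "user.name": event.get("user.name"),
                "threat.indicator.provider": ioc["threat.indicator.provider"],
                "Threat.indicator.risk_score": ioc["Threat.indicator.risk_score"],
                "Threat.indicator.fp.alarm": bool(ioc.get("Threat.indicator.fp.alarm", False)),
            })
    return alerts

# Constructed sample documents (documentation address ranges, not real indicators).
SAMPLE_IOC = {"threat.indicator.name": "203.0.113.7", "event.provider": "example-feed",
              "threat.indicator.type": "ipv4-addr", "threat.indicator.provider": "example-feed",
              "event.risk_score": 85, "Threat.indicator.category": "C2"}
SAMPLE_EVENT = {"observer.product": "Cisco ASA", "observer.type": "firewall", "network.type": "ipv4",
                "network.transport": "tcp", "destination.ip": "203.0.113.7", "destination.port": 443,
                "source.ip": "10.0.0.5", "user.name": "alice", "host.hostname": "ws01"}
```

An alert with Threat.indicator.fp.alarm set to True should be routed for review rather than raised at full severity.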