URL Data Model
Attention!
To ensure compatibility and consistency, data is aligned to ECS (Elastic Common Schema). Additional fields that start with a capital letter are also used. These fields are not part of ECS, but are required to enrich information for this IoC type.
The fields below must be present in index documents that describe indicators of compromise (IoC).
Main Information
| Field | Description |
|---|---|
| threat.indicator.name | Full URL used as an indicator of compromise. Main field for matching. |
| event.provider | Threat data provider. |
| threat.indicator.type | Indicator type. In this case, `url`. |
| threat.indicator.url.domain | Domain extracted from the URL. |
| threat.indicator.provider | IoC source/provider. |
Scoring and Classification
| Field | Description |
|---|---|
| Threat.indicator.category | Threat category associated with the IoC (for example: phishing, malware_distribution). |
| threat.indicator.confidence | Confidence level from the IoC provider (for example: Low, Medium, High). |
| Threat.indicator.severity | Severity score from SIEM (for example: Low, Medium, High). |
| event.risk_score | Risk score assigned by the IoC provider (0 to 100). |
| Threat.indicator.risk_score | Numeric risk score calculated by SIEM (event.risk_score / 10). |
Malware Information
| Field | Description |
|---|---|
| Threat.indicator.malware.name | Malware family name associated with the URL. |
| Threat.indicator.malware.printable | Malware strain/variant label. |
Context and Enrichment
| Field | Description |
|---|---|
| threat.indicator.description | Text description or additional threat details. |
| tags | List of tags or related vulnerabilities. |
| Threat.indicator.blacklists | Blacklists where this IoC was observed. |
Time Attributes
| Field | Description |
|---|---|
| threat.indicator.last_seen | Date and time of the latest IoC update. |
| threat.indicator.first_seen | Date and time when the IoC was first observed by the provider. |
| Threat.indicator.lifetime | Indicator lifetime. |
False Positive Handling
| Field | Description |
|---|---|
| Threat.indicator.fp.alarm | Flag indicating a potential false positive. |
| Threat.indicator.fp.description | Description of why the IoC can be a false positive. |
Data Model for Correlation
The fields below must be present in index documents that describe user network interactions. For all such sources containing this data, add the alias: sm_threat_intelligence_alerts_url.
Event Categorization
| Field | Description |
|---|---|
| Access.Control.rule.Action | Action taken by the access control system (for example: Block). |
Network Information
| Field | Description |
|---|---|
| url.original | Full URL that was accessed. Key field for correlation. |
| network.transport | Transport protocol (for example: tcp). |
| source.ip | Source IP address. |
| source.port | Source port. |
| destination.ip | Destination IP address. |
| destination.port | Destination port. |
Participant Information
| Field | Description |
|---|---|
| user.name | Username that initiated the action. |
| host.name | Hostname from which access was made. |
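The following Python example is added here to illustrate both data models above; it is not part of the original page or of the SIEM product. It builds a URL IoC document (extracting `threat.indicator.url.domain` and deriving `Threat.indicator.risk_score` as `event.risk_score / 10`), checks that the required fields are present, and correlates a network event against the IoC set by exact match of `url.original` to `threat.indicator.name`, skipping indicators flagged as potential false positives. The provider name, URL, addresses and usernames are constructed sample values.

```python
from urllib.parse import urlsplit

# Required fields from the page's tables; custom non-ECS fields start with a
# capital letter, as the page explains.
IOC_REQUIRED = {"threat.indicator.name", "event.provider", "threat.indicator.type",
                "threat.indicator.url.domain", "threat.indicator.provider"}
EVENT_REQUIRED = {"url.original", "network.transport", "source.ip", "source.port",
                  "destination.ip", "destination.port", "user.name", "host.name"}


def build_url_ioc(url, provider, risk_score, category, confidence="Medium"):
    """Build a flat IoC document; the domain is extracted from the URL and the
    SIEM score is event.risk_score / 10, as the data model specifies."""
    if not 0 <= risk_score <= 100:
        raise ValueError("event.risk_score must be in the range 0..100")
    return {
        "threat.indicator.name": url,
        "threat.indicator.type": "url",
        "threat.indicator.url.domain": urlsplit(url).hostname or "",
        "threat.indicator.provider": provider,
        "event.provider": provider,
        "event.risk_score": risk_score,
        "Threat.indicator.risk_score": risk_score / 10,
        "Threat.indicator.category": category,
        "threat.indicator.confidence": confidence,
        "Threat.indicator.fp.alarm": False,
    }


def missing_fields(doc, required):
    """Required field names absent from a document, sorted."""
    return sorted(required - doc.keys())


def correlate(event, iocs):
    """Return the IoC whose threat.indicator.name equals the event's url.original,
    skipping IoCs flagged as potential false positives; None if nothing matches."""
    if missing_fields(event, EVENT_REQUIRED):
        return None  # an incomplete event document cannot be correlated reliably
    for ioc in iocs:
        if not ioc.get("Threat.indicator.fp.alarm") and \
                event["url.original"] == ioc["threat.indicator.name"]:
            return ioc
    return None


# Constructed sample data (hypothetical provider, URL, addresses and user).
SAMPLE_IOCS = [build_url_ioc("http://bad.example/login.php", "feed-x", 85, "phishing")]
SAMPLE_EVENT = {"url.original": "http://bad.example/login.php", "network.transport": "tcp",
                "source.ip": "10.0.0.5", "source.port": 51234, "destination.ip": "203.0.113.7",
                "destination.port": 80, "user.name": "jdoe", "host.name": "ws-01"}
```

Matching is exact on the full URL, as the model specifies; any URL normalization (scheme, trailing slash, case of the host part) must be applied consistently on both the IoC and the event side before indexing.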