Domain Data Model
Attention!
To ensure compatibility and consistency, data is aligned to ECS (Elastic Common Schema). Additional fields whose names start with a capital letter (for example, Threat.indicator.*) are also used. These fields are not part of ECS, but they are required to carry the enrichment information for this IoC type.
The fields below must be present in index documents that describe indicators of compromise (IoC).
Categorization
| Field | Description |
|---|---|
| event.category | High-level event category (must be threat). |
| event.type | Event type within the category (must be indicator). |
| event.risk_score | Numeric risk score assigned by the log provider (0 to 100). |
Main Information
| Field | Description |
|---|---|
| threat.indicator.name | Indicator of compromise. Main field used for matching. |
| threat.indicator.type | Indicator type. |
| threat.indicator.domain | Fully qualified domain name (FQDN). May duplicate threat.indicator.name. |
| Threat.indicator.tld | Top-level domain. |
Scoring and Classification
| Field | Description |
|---|---|
| Threat.indicator.severity | Severity score from the SIEM (for example: Low, Medium, High). |
| threat.indicator.confidence | Confidence score from the IoC provider (for example: Low, Medium, High). |
| Threat.indicator.risk_score | Numeric risk score calculated by the SIEM (event.risk_score / 10). |
| Threat.indicator.category | Threat category associated with the IoC (for example: phishing, C2, malware). |
| event.provider | Threat intelligence data provider (for example: ThreatFox, CTT). |
| threat.indicator.provider | Alternative field for the IoC source/provider. |
Enrichment and Context
| Field | Description |
|---|---|
| Threat.indicator.resolved.registrant | Domain registrant (owner). |
| Threat.indicator.resolved.registrar | Domain registrar. |
| threat.indicator.description | Text description or additional threat details. |
| tags | Tag list. |
| Threat.indicator.blacklists | Blacklists where this IoC was observed. |
Malware Information
| Field | Description |
|---|---|
| Threat.indicator.malware.name | Malware family name (for example: Emotet, Qakbot). |
| Threat.indicator.malware.printable | Malware strain/variant label. |
Time Attributes
| Field | Description |
|---|---|
| threat.indicator.first_seen | Date and time when the IoC was first observed by the provider. |
| threat.indicator.last_seen | Date and time of the latest IoC update. |
| Threat.indicator.lifetime | Indicator lifetime. |
False Positive Handling
| Field | Description |
|---|---|
| Threat.indicator.fp.alarm | Flag indicating a potential false positive. |
| Threat.indicator.fp.description | Description of why the IoC may be a false positive. |
Data Model for Correlation
The fields below must be present in index documents that describe user network interactions. For every source (index) that contains such data, add the alias sm_threat_intelligence_alerts_domain so that the correlation rules can read it.
Network Information
| Field | Description |
|---|---|
| network.transport | Transport protocol (for example: tcp, udp). |
| network.type | Network type (for example: ipv4, ipv6). |
| source.ip | Source IP address. |
| source.port | Source port. |
| destination.address | Destination address that is checked against the IoC database. |
| destination.ip | Destination IP address. |
| destination.port | Destination port. |
Observer Information
| Field | Description |
|---|---|
| observer.product | Product that generated the event (for example: Cisco ASA, Kaspersky Security Center). |
| observer.type | Observer type (for example: firewall, antivirus, proxy). |
| observer.hostname | Hostname of the observing device. |
Participant Information
| Field | Description |
|---|---|
| host.hostname | Hostname where the event occurred. |
| user.name | Username that initiated the action. |
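The following added example (not code from the original documentation) ties the two data models together: it checks an IoC document for the mandatory fields listed in the first part, derives the non-ECS Threat.indicator.risk_score from event.risk_score / 10, and correlates a network event's destination.address with threat.indicator.name as described in the second part. The two sample documents and the helper names are constructed for illustration; only the field names come from the page.

```python
# Added example: validate a domain IoC document, derive Threat.indicator.risk_score,
# and correlate a network event against it. Sample documents below are constructed.

def get_field(doc, dotted):
    """Look up a dotted ECS path (e.g. 'threat.indicator.name') in a nested doc."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def validate_ioc(doc):
    """Return problems found in an IoC document; an empty list means it is well-formed."""
    problems = [f"{f} must be {v!r}" for f, v in
                {"event.category": "threat", "event.type": "indicator"}.items()
                if get_field(doc, f) != v]
    score = get_field(doc, "event.risk_score")
    if not isinstance(score, (int, float)) or not 0 <= score <= 100:
        problems.append("event.risk_score must be a number from 0 to 100")
    if not get_field(doc, "threat.indicator.name"):
        problems.append("threat.indicator.name is required (matching key)")
    return problems

def enrich_ioc(doc):
    """Add Threat.indicator.risk_score = event.risk_score / 10 (non-ECS field)."""
    doc.setdefault("Threat", {}).setdefault("indicator", {})["risk_score"] = \
        doc["event"]["risk_score"] / 10
    return doc

def _norm(fqdn):
    """Lower-case and strip the trailing dot so 'BAD.example.' matches 'bad.example'."""
    return (fqdn or "").strip().rstrip(".").lower()

def correlate(event, iocs):
    """Match destination.address of a network event against threat.indicator.name."""
    addr = _norm(get_field(event, "destination.address"))
    return [{"indicator": get_field(i, "threat.indicator.name"),
             "risk_score": get_field(i, "Threat.indicator.risk_score"),
             "fp_alarm": bool(get_field(i, "Threat.indicator.fp.alarm")),
             "user": get_field(event, "user.name")}
            for i in iocs if addr and addr == _norm(get_field(i, "threat.indicator.name"))]

SAMPLE_IOC = {  # constructed sample; "bad.example" is a reserved-TLD placeholder
    "event": {"category": "threat", "type": "indicator", "risk_score": 80, "provider": "ThreatFox"},
    "threat": {"indicator": {"name": "bad.example", "type": "domain-name", "domain": "bad.example"}}}
SAMPLE_EVENT = {  # constructed proxy log record from the correlation index
    "destination": {"address": "BAD.example.", "ip": "192.0.2.10", "port": 443},
    "network": {"transport": "tcp", "type": "ipv4"}, "observer": {"type": "proxy"},
    "user": {"name": "alice"}}
```

A hit carries the fp_alarm flag rather than silently dropping flagged indicators, so the analyst triaging the alert can see that the IoC was marked as a potential false positive.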