Threat

Top Level Fieldset: False

This field set records the threat framework, and the tactic and technique within it, under which a rule is classified.

Fields from this set appear only at the following location:

  • rule.threat

Threat Fields

threat.framework

Required Field: False
Type: STRING
Example: MITRE ATT&CK
Detection Supported Field: False

Name of the threat framework used to classify the tactic and technique of a threat.


threat.tactic.id

Required Field: False
Type: ARRAY
Example: ['TA0002']
Detection Supported Field: False

ID of the tactic in the named framework (for MITRE ATT&CK, a TAxxxx identifier).


threat.tactic.name

Required Field: False
Type: ARRAY
Example: ['Execution']
Detection Supported Field: False

Name of the tactic.


threat.tactic.reference

Required Field: False
Type: ARRAY
Example: ['https://attack.mitre.org/tactics/TA0002/']
Detection Supported Field: False

URL to reference information about the tactic.


threat.technique.id

Required Field: False
Type: ARRAY
Example: ['T1059']
Detection Supported Field: False

ID of the technique in the named framework (for MITRE ATT&CK, a Txxxx identifier).


threat.technique.name

Required Field: False
Type: ARRAY
Example: ['Command and Scripting Interpreter']
Detection Supported Field: False

Name of the technique.


threat.technique.reference

Required Field: False
Type: ARRAY
Example: ['https://attack.mitre.org/techniques/T1059/']
Detection Supported Field: False

URL to reference information about the technique.
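The following is an added example, not code from the page or from the project that documents this schema. It validates a rule.threat entry against the field types listed above: framework must be a STRING, and each of tactic and technique must carry parallel ARRAYs of id, name and reference. When the framework is "MITRE ATT&CK" it additionally checks that IDs follow the ATT&CK convention (TAxxxx for tactics, Txxxx or Txxxx.xxx for techniques and sub-techniques) and that each reference is the canonical attack.mitre.org URL for its ID. The nesting shape, the assumption that id/name/reference arrays are index-aligned, the sub-technique handling, and the sample entry are all assumptions made for this example; the page only documents the individual fields.

```python
import re

# Constructed sample of a rule.threat entry in the shape the field list
# above suggests (assumed nesting; not taken from any real rule).
SAMPLE_THREAT = {
    "framework": "MITRE ATT&CK",
    "tactic": {
        "id": ["TA0002"],
        "name": ["Execution"],
        "reference": ["https://attack.mitre.org/tactics/TA0002/"],
    },
    "technique": {
        "id": ["T1059"],
        "name": ["Command and Scripting Interpreter"],
        "reference": ["https://attack.mitre.org/techniques/T1059/"],
    },
}

# MITRE ATT&CK identifier conventions. Assumption: these checks only apply
# when framework is exactly "MITRE ATT&CK"; other frameworks get type checks only.
TACTIC_ID = re.compile(r"^TA\d{4}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # sub-techniques look like T1059.001


def attack_reference(kind: str, ident: str) -> str:
    """Canonical attack.mitre.org URL for a tactic or technique ID.
    Sub-technique IDs (T1059.001) map to .../techniques/T1059/001/."""
    path = "tactics" if kind == "tactic" else "techniques"
    return f"https://attack.mitre.org/{path}/{ident.replace('.', '/')}/"


def _check_group(threat: dict, kind: str, id_re: re.Pattern, issues: list) -> None:
    """Check threat.<kind>.{id,name,reference}: ARRAY of strings, equal lengths,
    and (for MITRE ATT&CK) well-formed IDs with matching reference URLs."""
    group = threat.get(kind)
    if group is None:
        return  # Required Field: False
    if not isinstance(group, dict):
        issues.append(f"{kind}: expected an object")
        return
    arrays = {}
    for key in ("id", "name", "reference"):
        val = group.get(key, [])
        if not isinstance(val, list) or not all(isinstance(v, str) for v in val):
            issues.append(f"{kind}.{key}: expected ARRAY of strings")
            return
        arrays[key] = val
    if len({len(v) for v in arrays.values()}) > 1:
        issues.append(f"{kind}: id/name/reference arrays have different lengths")
    if threat.get("framework") != "MITRE ATT&CK":
        return
    for i, ident in enumerate(arrays["id"]):
        if not id_re.match(ident):
            issues.append(f"{kind}.id[{i}]: {ident!r} is not a MITRE ATT&CK {kind} ID")
            continue
        if i < len(arrays["reference"]):
            expected = attack_reference(kind, ident)
            if arrays["reference"][i] != expected:
                issues.append(f"{kind}.reference[{i}]: expected {expected}")


def validate_threat(threat: dict) -> list:
    """Return a list of problems found in one rule.threat entry (empty if valid)."""
    issues = []
    framework = threat.get("framework")
    if framework is not None and not isinstance(framework, str):
        issues.append("framework: expected STRING")
    _check_group(threat, "tactic", TACTIC_ID, issues)
    _check_group(threat, "technique", TECHNIQUE_ID, issues)
    return issues


if __name__ == "__main__":
    print(validate_threat(SAMPLE_THREAT))
    # A technique ID placed in the tactic slot is caught by the ID-format check.
    wrong = {"framework": "MITRE ATT&CK",
             "tactic": {"id": ["T1059"], "name": ["Execution"],
                        "reference": ["https://attack.mitre.org/tactics/TA0002/"]}}
    print(validate_threat(wrong))
```

A mismatch between an ID and its reference URL is the most common defect in hand-written threat mappings, which is why the reference is derived from the ID rather than merely checked for being a URL; if your rules reference a different ATT&CK mirror, adjust attack_reference accordingly.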