threat.(enrichments.)indicator.domain missing

[peasead]

Description of the issue:
threat.indicator.domain and threat.enrichments.indicator.domain are missing from the fieldset, but are present in the example usage documentation.

Usage

{
    "@timestamp": "2019-08-10T11:09:23.000Z",
    "event": {
        "kind": "enrichment", 
        "category": "threat", 
        "type": "indicator", 
        "severity": 7,
        "risk_score": 10.0,
    },
    "threat: {
        "indicator": { 
            "first_seen": "2020-11-05T17:25:47.000Z",
            "last_seen": "2020-11-05T17:25:47.000Z",
            "modified_at": "2020-11-05T17:25:47.000Z",
            "sightings": 10,
            "type": [
                "ipv4-addr",
                "port",
                "domain-name",
                "email-addr"
            ],
            "description": "Email address, domain, port, and IP address observed during an Angler EK campaign.",
            "provider": "Abuse.ch",
            "reference": "https://urlhaus.abuse.ch/url/abcdefg/",
            "confidence": "High",
            "ip": 1.2.3.4,
            "domain": "malicious.evil",
            "port": 443,
            "email.address": "phish@malicious.evil",
            "marking: {
                "tlp": "WHITE"
            },
            "scanner_stats": 4
        }
    },
    "related": { 
        "hosts": [
            "malicious.evil"
        ],
        "ip": [
            1.2.3.4
        ]
    }
}

[ebeahan]

Same situation in the RFC. The field isn't explicitly defined but is included in an example.

Since it wasn't included as a field in the proposal, do we need to just remove the reference in the usage example for threat intelligence?

[peasead]

I think we need to add it as a field.

Does this need to be a fresh RFC or can it simply be a PR?

[kgeller]

@peasead since it's the one field, just a PR works

[peasead]

Added PR #2117

[kgeller]

Hey @peasead, I think we actually don't need the PR at all, we just need to update the usage docs.

Due to ECS re-use, we already nest url at threat.(enrichments.)indicator, and url.* encompasses domain, subdomain and full.

So for your sample json, instead of threat.indicator.domain , it's threat.indicator.url.domain as stated here.

Apologies for the delay, and the confusion.