[RFC] Threat Intel - Stage 1

rfcs/text/0008/as.yml

@@ -0,0 +1,5 @@
+---
+- name: as
+  reusable:
+    expected:
+      - threat.indicator

rfcs/text/0008/file.yml

@@ -0,0 +1,5 @@
+---
+- name: file
+  reusable:
+    expected:
+      - threat.indicator

rfcs/text/0008/geo.yml

@@ -0,0 +1,5 @@
+---
+- name: geo
+  reusable:
+    expected:
+      - threat.indicator

rfcs/text/0008/hash.yml

@@ -0,0 +1,5 @@
+---
+- name: hash
+  reusable:
+    expected:
+      - threat.indicator

rfcs/text/0008/pe.yml

@@ -0,0 +1,5 @@
+---
+- name: pe
+  reusable:
+    expected:
+      - threat.indicator

rfcs/text/0008/registry.yml

@@ -0,0 +1,5 @@
+---
+- name: registry
+  reusable:
+    expected:
+      - threat.indicator

rfcs/text/0008/threat.yml

@@ -0,0 +1,196 @@
+---
+- name: threat
+
+  fields:
+
+  - name: indicator.first_seen
+    level: extended
+    type: date
+    short: Date/time indicator was first reported.
+    description: >
+      The date and time when intelligence source first reported sighting this indicator.
+
+    example: "2020-11-05T17:25:47.000Z"
+
+  - name: indicator.last_seen
+    level: extended
+    type: date
+    short: Date/time indicator was last reported.
+    description: >
+      The date and time when intelligence source last reported sighting this indicator.
+
+    example: "2020-11-05T17:25:47.000Z"
+
+  - name: indicator.sightings
+    level: extended
+    type: long
+    short: Number of times indicator observed
+    description: >
+      Number of times this indicator was observed conducting threat activity.
+
+    example: 20
+
+  - name: indicator.type
+    level: extended
+    type: keyword
+    short: Type of indicator
+    description: >
+      Type of indicator as represented by Cyber Observable in STIX 2.0.
+
+      Expected values
+        * autonomous-system
+        * artifact
+        * directory
+        * domain-name
+        * email-addr
+        * file
+        * ipv4-addr
+        * ipv6-addr
+        * mac-addr
+        * mutex
+        * process
+        * software
+        * url
+        * user-account
+        * windows-registry-key
+        * x-509-certificate
+
+    example: ipv4-addr
+
+  - name: indicator.description
+    level: extended
+    type: wildcard
+    short: Indicator description
+    description: >
+      Describes the type of action conducted by the threat.
+
+    example: IP x.x.x.x was observed delivering the Angler EK.
+
+  - name: indicator.scanner_stats
+    level: extended
+    type: long
+    short: Scanner statistics
+    description: >
+      Count of AV/EDR vendors that successfully detected malicious file or URL.
+
+    example: 4
+
+  - name: indicator.provider
+    level: extended
+    type: keyword
+    description: >
+      Identifies the name of the intelligence provider.
+
+    example: VirusTotal
+
+  - name: indicator.confidence
+    level: extended
+    type: keyword
+    short: Indicator confidence rating
+    description: >
+      Identifies the confidence rating assigned by the provider using STIX confidence scales.
+
+      Expected values:
+        * Not Specified, None, Low, Medium, High
+        * 0-10
+        * Admirality Scale (1-6)
+        * DNI Scale (5-95)
+        * WEP Scale (Impossible - Certain)
+
+    example: High
+
+  - name: indicator.module
+    level: extended
+    type: keyword
+    short: Indicator module
+    description: >
+      Identifies the name of specific module this data is coming from.
+
+    example: threatintel
+
+  - name: indicator.dataset
+    level: extended
+    type: keyword
+    short: Indicator dataset
+    description: >
+      Identifies the name of specific dataset from the intelligence source.
+
+    example: threatintel.abusemalware
+
+  - name: indicator.ip
+    level: extended
+    type: ip
+    short: Indicator IP address
+    description: >
+      Identifies a threat indicator as an IP address (irrespective of direction).
+
+    example: 1.2.3.4
+
+  - name: indicator.domain
+    level: extended
+    type: keyword
+    short: Indicator domain name
+    description: >
+      Identifies a threat indicator as a domain (irrespective of direction).
+
+    example: example.com
+
+  - name: indicator.port
+    level: extended
+    type: long
+    short: Indicator port
+    description: >
+      Identifies a threat indicator as a port number (irrespective of direction).
+
+    example: 443
+
+  - name: indicator.email.address
+    level: extended
+    type: keyword
+    short: Indicator email address
+    description: >
+      Identifies a threat indicator as an email address (irrespective of direction).
+
+    example: phish@example.com
+
+  - name: indicator.marking.tlp
+    level: extended
+    type: keyword
+    short: Indicator TLP marking
+    description: >
+      Traffic Light Protocol sharing markings.
+
+      Expected values are:
+        * White
+        * Green
+        * Amber
+        * Red
+
+    example: White
+
+  - name: indicator.matched.atomic
+    level: extended
+    type: keyword
+    short: Indicator atomic match
+    description: >
+      Identifies the atomic indicator that matched a local environment endpoint or network event.
+
+    example: example.com
+
+  - name: indicator.matched.field
+    level: extended
+    type: keyword
+    short: Indicator field match
+    description: >
+      Identifies the field of the atomic indicator that matched a local environment endpoint or network event.
+
+    example: file.hash.sha256
+
+  - name: indicator.matched.type
+    level: extended
+    type: keyword
+    short: Indicator type match
+    description: >
+      Identifies the type of the atomic indicator that matched a local environment endpoint or network event.
+
+    example: domain-name

rfcs/text/0008/url.yml

@@ -0,0 +1,5 @@
+---
+- name: url
+  reusable:
+    expected:
+      - threat.indicator

rfcs/text/0008/x509.yml

@@ -0,0 +1,5 @@
+---
+- name: x509
+  reusable:
+    expected:
+      - threat.indicator