From 2a6cf85a930dc26f2bfe9c5a138bc5a41f4ec53e Mon Sep 17 00:00:00 2001
From: Trent Mick
Date: Fri, 27 Oct 2023 12:56:56 -0700
Subject: [PATCH] chore: some missing parts of the ECS schema version update
- update the ecs-helpers deps for morgan and winston
- update the ECS JSON schema (and the generation script) from ecs.git v8.10.0 tag
Refs: #163
---
 packages/ecs-morgan-format/package.json | 2 +-
 packages/ecs-winston-format/package.json | 2 +-
 utils/create-schema.js | 10 +-
 utils/schema.json | 1638 +++++++++++++++++++---
 4 files changed, 1444 insertions(+), 208 deletions(-)
diff --git a/packages/ecs-morgan-format/package.json b/packages/ecs-morgan-format/package.json
index fec241e..c6d68c7 100644
--- a/packages/ecs-morgan-format/package.json
+++ b/packages/ecs-morgan-format/package.json
@@ -37,7 +37,7 @@
 "node": ">=10"
 },
 "dependencies": {
- "@elastic/ecs-helpers": "^2.0.0",
+ "@elastic/ecs-helpers": "^2.1.0",
 "safe-stable-stringify": "^2.4.3"
 },
 "devDependencies": {
diff --git a/packages/ecs-winston-format/package.json b/packages/ecs-winston-format/package.json
index 5be85a1..7a6747a 100644
--- a/packages/ecs-winston-format/package.json
+++ b/packages/ecs-winston-format/package.json
@@ -40,7 +40,7 @@
 "node": ">=10"
 },
 "dependencies": {
- "@elastic/ecs-helpers": "^2.0.0",
+ "@elastic/ecs-helpers": "^2.1.0",
 "safe-stable-stringify": "^2.4.3",
 "triple-beam": ">=1.1.0"
 },
diff --git a/utils/create-schema.js b/utils/create-schema.js
index 02f4ff5..02a90f9 100644
--- a/utils/create-schema.js
+++ b/utils/create-schema.js
@@ -47,10 +47,11 @@ if (!ecsRepo) {
 const ecsSchemasDir = path.join(ecsRepo, 'schemas')
 // Build the JSON schema properties from the ECS schema YAML files.
-const properties = getAllFiles(ecsSchemasDir)
+var properties = getAllFiles(ecsSchemasDir)
 .filter(file => !file.includes('README.md'))
 .map(file => fs.readFileSync(file, 'utf8'))
 .map(yaml.safeLoad)
+ .filter(entry => Array.isArray(entry)) // filter out weird `{name: 'main', ...}` entry
 .reduce((acc, [val]) => {
 let properties = {}
 for (const prop of val.fields) {
@@ -121,6 +122,7 @@ function set (object, objPath, value, customizer) {
 function jsonSchemaTypeFromEcsType (type) {
 switch (type) {
 case 'keyword':
+ case 'constant_keyword':
 return { type: 'string' }
 case 'boolean':
 return { type: 'boolean' }
@@ -134,11 +136,14 @@ function jsonSchemaTypeFromEcsType (type) {
 ]
 }
 case 'text':
+ case 'match_only_text':
+ case 'wildcard':
 return { type: 'string' }
 case 'integer':
 return { type: 'integer' }
 case 'long':
 case 'float':
+ case 'scaled_float':
 return { type: 'number' }
 case 'geo_point':
 return {
@@ -149,6 +154,9 @@ function jsonSchemaTypeFromEcsType (type) {
 }
 }
 case 'object':
+ case 'flattened':
+ case 'nested':
+ case 'source':
 return {
 type: 'object',
 additionalProperties: true
diff --git a/utils/schema.json b/utils/schema.json
index e4bfcfc..d04717b 100644
--- a/utils/schema.json
+++ b/utils/schema.json
@@ -1,5 +1,5 @@
 {
- "$comment": "ecs.git commit b5bbe25 (HEAD, tag: v1.5.0)",
+ "$comment": "ecs.git commit 43a1a61a (HEAD, tag: v8.10.0)",
 "type": "object",
 "properties": {
 "agent": {
@@ -8,6 +8,15 @@
 "version": {
 "type": "string"
 },
+ "build": {
+ "type": "object",
+ "additionalProperties": true,
+ "properties": {
+ "original": {
+ "type": "string"
+ }
+ }
+ },
 "name": {
 "type": "string"
 },
@@ -86,6 +95,9 @@
 "top_level_domain": {
 "type": "string"
 },
+ "subdomain": {
+ "type": "string"
+ },
 "bytes": {
 "type": "number"
 },
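Review bot: Replacing `const properties` with `var properties` at the top of the first create-schema.js hunk reintroduces a hoisted, function-scoped binding into a file that otherwise uses `const`/`let` (the reduce callback in the same hunk declares `let properties = {}`, which now shadows a `var` of the same name). If the binding must be reassigned later in the file — that code is outside the hunk, so I cannot tell — `let properties = getAllFiles(ecsSchemasDir)` keeps block scoping and states the intent; if it is never reassigned, `const` should stay, and either way a short comment on why the binding is mutable would save the next reader the search. The added `.filter(entry => Array.isArray(entry))` also drops any YAML document that is not a top-level array without a trace; since the inline comment names only one known case, logging the skipped entry (e.g. `if (!Array.isArray(entry)) console.warn('skipping non-array ECS schema entry:', entry && entry.name)`) would keep a future ECS format change from silently shrinking the generated schema.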
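Review bot: Folding `case 'nested':` into the `'object'` branch in the last create-schema.js hunk yields `{ type: 'object', additionalProperties: true }`, which rejects array values, yet ECS `nested` fields such as `threat.enrichments` and `email.attachments` — both emitted as plain objects in this diff's schema.json — hold arrays of objects, so a consumer validating a well-formed event against the generated schema would get a false failure. Splitting the case out, e.g. `case 'nested': return { anyOf: [{ type: 'object', additionalProperties: true }, { type: 'array', items: { type: 'object', additionalProperties: true } }] }`, keeps both shapes valid; whether anything in this repository validates against the file is not visible here. I do not recognise `'source'` as an Elasticsearch field type, so a comment naming the ECS entry that requires it would help the next person who regenerates the schema. The enclosing `jsonSchemaTypeFromEcsType` switch begins and ends outside the hunk.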
@@ -154,6 +166,30 @@ "properties": { "id": { "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "service": { + "type": "object", + "additionalProperties": true, + "properties": { + "name": { + "type": "string" + } + } + }, + "project": { + "type": "object", + "additionalProperties": true, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" } } } @@ -176,14 +212,57 @@ }, "status": { "type": "string" + }, + "team_id": { + "type": "string" + }, + "signing_id": { + "type": "string" + }, + "digest_algorithm": { + "type": "string" + }, + "timestamp": { + "type": "string", + "format": "date-time" } } }, "container": { "type": "object", "properties": { - "runtime": { - "type": "string" + "cpu": { + "type": "object", + "additionalProperties": true, + "properties": { + "usage": { + "type": "number" + } + } + }, + "disk": { + "type": "object", + "additionalProperties": true, + "properties": { + "read": { + "type": "object", + "additionalProperties": true, + "properties": { + "bytes": { + "type": "number" + } + } + }, + "write": { + "type": "object", + "additionalProperties": true, + "properties": { + "bytes": { + "type": "number" + } + } + } + } }, "id": { "type": "string" 
@@ -197,15 +276,83 @@ }, "tag": { "type": "string" + }, + "hash": { + "type": "object", + "additionalProperties": true, + "properties": { + "all": { + "type": "string" + } + } + } + } + }, + "labels": { + "type": "object", + "additionalProperties": true + }, + "memory": { + "type": "object", + "additionalProperties": true, + "properties": { + "usage": { + "type": "number" } } }, "name": { "type": "string" }, - "labels": { + "network": { "type": "object", - "additionalProperties": true + "additionalProperties": true, + "properties": { + "ingress": { + "type": "object", + "additionalProperties": true, + "properties": { + "bytes": { + "type": "number" + } + } + }, + "egress": { + "type": "object", + "additionalProperties": true, + "properties": { + "bytes": { + "type": "number" + } + } + } + } + }, + "security_context": { + "type": "object", + "additionalProperties": true, + "properties": { + "privileged": { + "type": "boolean" + } + } + }, + "runtime": { + "type": "string" + } + } + }, + "data_stream": { + "type": "object", + "properties": { + "type": { + "type": "string" + }, + "dataset": { + "type": "string" + }, + "namespace": { + "type": "string" } } }, @@ -242,6 +389,9 @@ "top_level_domain": { "type": "string" }, + "subdomain": { + "type": "string" + }, "bytes": { "type": "number" }, @@ -271,6 +421,29 @@ } } }, + "device": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "model": { + "type": "object", + "additionalProperties": true, + "properties": { + "name": { + "type": "string" + }, + "identifier": { + "type": "string" + } + } + }, + "manufacturer": { + "type": "string" + } + } + }, "dll": { "type": "object", "properties": { 
@@ -367,72 +540,316 @@ } } }, - "error": { + "elf": { "type": "object", "properties": { - "id": { - "type": "string" + "creation_date": { + "type": "string", + "format": "date-time" }, - "message": { + "architecture": { "type": "string" }, - "code": { + "byte_order": { "type": "string" }, - "type": { + "cpu_type": { "type": "string" }, - "stack_trace": { - "type": "string" - } - } - }, - "event": { - "type": "object", - "properties": { - "id": { + "go_import_hash": { "type": "string" }, - "code": { - "type": "string" + "go_imports_names_entropy": { + "type": "number" }, - "kind": { - "type": "string" + "go_imports_names_var_entropy": { + "type": "number" }, - "category": { - "type": "string" + "go_imports": { + "type": "object", + "additionalProperties": true }, - "action": { - "type": "string" + "go_stripped": { + "type": "boolean" }, - "outcome": { - "type": "string" + "header": { + "type": "object", + "additionalProperties": true, + "properties": { + "class": { + "type": "string" + }, + "data": { + "type": "string" + }, + "os_abi": { + "type": "string" + }, + "type": { + "type": "string" + }, + "version": { + "type": "string" + }, + "abi_version": { + "type": "string" + }, + "entrypoint": { + "type": "number" + }, + "object_version": { + "type": "string" + } + } }, - "type": { + "import_hash": { "type": "string" }, - "module": { - "type": "string" + "imports_names_entropy": { + "type": "number" }, - "dataset": { - "type": "string" + "imports_names_var_entropy": { + "type": "number" }, - "provider": { - "type": "string" + "sections": { + "type": "object", + "additionalProperties": true, + "properties": { + "flags": { + "type": "string" + }, + "name": { + "type": "string" + }, + "physical_offset": { + "type": "string" + }, + "type": { + "type": "string" + }, + "physical_size": { + "type": "number" + }, + "var_entropy": { + "type": "number" + }, + "virtual_address": { + "type": "number" + }, + "virtual_size": { + "type": "number" + }, + "entropy": { + "type": 
"number" + }, + "chi2": { + "type": "number" + } + } }, - "severity": { - "type": "number" + "exports": { + "type": "object", + "additionalProperties": true }, - "original": { - "type": "string" + "imports": { + "type": "object", + "additionalProperties": true }, - "hash": { + "shared_libraries": { "type": "string" }, - "duration": { - "type": "number" + "telfhash": { + "type": "string" }, - "sequence": { + "segments": { + "type": "object", + "additionalProperties": true, + "properties": { + "type": { + "type": "string" + }, + "sections": { + "type": "string" + } + } + } + } + }, + "email": { + "type": "object", + "properties": { + "attachments": { + "type": "object", + "additionalProperties": true, + "properties": { + "file": { + "type": "object", + "additionalProperties": true, + "properties": { + "extension": { + "type": "string" + }, + "mime_type": { + "type": "string" + }, + "name": { + "type": "string" + }, + "size": { + "type": "number" + } + } + } + } + }, + "bcc": { + "type": "object", + "additionalProperties": true, + "properties": { + "address": { + "type": "string" + } + } + }, + "cc": { + "type": "object", + "additionalProperties": true, + "properties": { + "address": { + "type": "string" + } + } + }, + "content_type": { + "type": "string" + }, + "delivery_timestamp": { + "type": "string", + "format": "date-time" + }, + "direction": { + "type": "string" + }, + "from": { + "type": "object", + "additionalProperties": true, + "properties": { + "address": { + "type": "string" + } + } + }, + "local_id": { + "type": "string" + }, + "message_id": { + "type": "string" + }, + "origination_timestamp": { + "type": "string", + "format": "date-time" + }, + "reply_to": { + "type": "object", + "additionalProperties": true, + "properties": { + "address": { + "type": "string" + } + } + }, + "sender": { + "type": "object", + "additionalProperties": true, + "properties": { + "address": { + "type": "string" + } + } + }, + "subject": { + "type": "string" + }, + "to": { + 
"type": "object", + "additionalProperties": true, + "properties": { + "address": { + "type": "string" + } + } + }, + "x_mailer": { + "type": "string" + } + } + }, + "error": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "message": { + "type": "string" + }, + "code": { + "type": "string" + }, + "type": { + "type": "string" + }, + "stack_trace": { + "type": "string" + } + } + }, + "event": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "code": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "category": { + "type": "string" + }, + "action": { + "type": "string" + }, + "outcome": { + "type": "string" + }, + "type": { + "type": "string" + }, + "module": { + "type": "string" + }, + "dataset": { + "type": "string" + }, + "provider": { + "type": "string" + }, + "severity": { + "type": "number" + }, + "original": { + "type": "string" + }, + "hash": { + "type": "string" + }, + "duration": { + "type": "number" + }, + "sequence": { "type": "number" }, "timezone": { @@ -465,6 +882,44 @@ }, "url": { "type": "string" + }, + "reason": { + "type": "string" + }, + "agent_id_status": { + "type": "string" + } + } + }, + "faas": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "version": { + "type": "string" + }, + "coldstart": { + "type": "boolean" + }, + "execution": { + "type": "string" + }, + "trigger": { + "type": "object", + "additionalProperties": true, + "properties": { + "type": { + "type": "string" + }, + "request_id": { + "type": "string" + } + } } } }, @@ -537,6 +992,9 @@ }, "mime_type": { "type": "string" + }, + "fork_name": { + "type": "string" } } }, @@ -554,6 +1012,9 @@ } } }, + "continent_code": { + "type": "string" + }, "continent_name": { "type": "string" }, 
@@ -569,9 +1030,15 @@ "country_iso_code": { "type": "string" }, + "postal_code": { + "type": "string" + }, "region_iso_code": { "type": "string" }, + "timezone": { + "type": "string" + }, "name": { "type": "string" } @@ -603,8 +1070,17 @@ "sha256": { "type": "string" }, + "sha384": { + "type": "string" + }, "sha512": { "type": "string" + }, + "ssdeep": { + "type": "string" + }, + "tlsh": { + "type": "string" } } }, 
@@ -646,61 +1122,145 @@ }, "domain": { "type": "string" - } - } - }, - "http": { - "type": "object", - "properties": { - "request": { + }, + "cpu": { "type": "object", "additionalProperties": true, "properties": { - "method": { - "type": "string" - }, - "body": { + "usage": { + "type": "number" + } + } + }, + "disk": { + "type": "object", + "additionalProperties": true, + "properties": { + "read": { "type": "object", "additionalProperties": true, "properties": { - "content": { - "type": "string" - }, "bytes": { "type": "number" } } }, - "referrer": { - "type": "string" - }, - "bytes": { - "type": "number" + "write": { + "type": "object", + "additionalProperties": true, + "properties": { + "bytes": { + "type": "number" + } + } } } }, - "response": { + "network": { "type": "object", "additionalProperties": true, "properties": { - "status_code": { - "type": "number" - }, - "body": { + "ingress": { "type": "object", "additionalProperties": true, "properties": { - "content": { - "type": "string" - }, "bytes": { "type": "number" + }, + "packets": { + "type": "number" } } }, - "bytes": { - "type": "number" - } + "egress": { + "type": "object", + "additionalProperties": true, + "properties": { + "bytes": { + "type": "number" + }, + "packets": { + "type": "number" + } + } + } + } + }, + "boot": { + "type": "object", + "additionalProperties": true, + "properties": { + "id": { + "type": "string" + } + } + }, + "pid_ns_ino": { + "type": "string" + } + } + }, + "http": { + "type": "object", + "properties": { + "request": { + "type": "object", + "additionalProperties": true, + "properties": { + "id": { + "type": "string" + }, + "method": { + "type": "string" + }, + "mime_type": { + "type": "string" + }, + "body": { + "type": "object", + "additionalProperties": true, + "properties": { + "content": { + "type": "string" + }, + "bytes": { + "type": "number" + } + } + }, + "referrer": { + "type": "string" + }, + "bytes": { + "type": "number" + } + } + }, + "response": { + "type": 
"object", + "additionalProperties": true, + "properties": { + "status_code": { + "type": "number" + }, + "mime_type": { + "type": "string" + }, + "body": { + "type": "object", + "additionalProperties": true, + "properties": { + "content": { + "type": "string" + }, + "bytes": { + "type": "number" + } + } + }, + "bytes": { + "type": "number" + } } }, "version": { @@ -728,8 +1288,14 @@ "level": { "type": "string" }, - "original": { - "type": "string" + "file": { + "type": "object", + "additionalProperties": true, + "properties": { + "path": { + "type": "string" + } + } }, "logger": { "type": "string" @@ -746,7 +1312,7 @@ "type": "string" }, "line": { - "type": "integer" + "type": "number" } } }, @@ -785,8 +1351,85 @@ }, "priority": { "type": "number" + }, + "version": { + "type": "string" + }, + "hostname": { + "type": "string" + }, + "appname": { + "type": "string" + }, + "procid": { + "type": "string" + }, + "msgid": { + "type": "string" + }, + "structured_data": { + "type": "object", + "additionalProperties": true + } + } + } + } + }, + "macho": { + "type": "object", + "properties": { + "go_import_hash": { + "type": "string" + }, + "go_imports_names_entropy": { + "type": "number" + }, + "go_imports_names_var_entropy": { + "type": "number" + }, + "go_imports": { + "type": "object", + "additionalProperties": true + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "type": "string" + }, + "imports": { + "type": "object", + "additionalProperties": true + }, + "imports_names_entropy": { + "type": "number" + }, + "imports_names_var_entropy": { + "type": "number" + }, + "sections": { + "type": "object", + "additionalProperties": true, + "properties": { + "entropy": { + "type": "number" + }, + "name": { + "type": "string" + }, + "physical_size": { + "type": "number" + }, + "var_entropy": { + "type": "number" + }, + "virtual_size": { + "type": "number" } } + }, + "symhash": { + "type": "string" } } }, 
@@ -900,6 +1543,83 @@ } } }, + "orchestrator": { + "type": "object", + "properties": { + "cluster": { + "type": "object", + "additionalProperties": true, + "properties": { + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "url": { + "type": "string" + }, + "version": { + "type": "string" + } + } + }, + "type": { + "type": "string" + }, + "organization": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "resource": { + "type": "object", + "additionalProperties": true, + "properties": { + "annotation": { + "type": "string" + }, + "label": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "parent": { + "type": "object", + "additionalProperties": true, + "properties": { + "type": { + "type": "string" + } + } + }, + "ip": { + "anyOf": [ + { + "type": "string", + "format": "ipv4" + }, + { + "type": "string", + "format": "ipv6" + } + ] + }, + "id": { + "type": "string" + } + } + }, + "api_version": { + "type": "string" + } + } + }, "organization": { "type": "object", "properties": { @@ -914,6 +1634,9 @@ "os": { "type": "object", "properties": { + "type": { + "type": "string" + }, "platform": { "type": "string" }, 
@@ -996,75 +1719,76 @@ }, "company": { "type": "string" - } - } - }, - "process": { - "type": "object", - "properties": { - "pid": { + }, + "imphash": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "go_import_hash": { + "type": "string" + }, + "go_imports": { + "type": "object", + "additionalProperties": true + }, + "go_imports_names_entropy": { + "type": "number" + }, + "go_imports_names_var_entropy": { + "type": "number" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "type": "string" + }, + "imports": { + "type": "object", + "additionalProperties": true + }, + "imports_names_entropy": { + "type": "number" + }, + "imports_names_var_entropy": { "type": "number" }, - "parent": { + "pehash": { + "type": "string" + }, + "sections": { "type": "object", "additionalProperties": true, "properties": { - "pid": { + "entropy": { "type": "number" }, - "entity_id": { - "type": "string" - }, "name": { "type": "string" }, - "ppid": { + "physical_size": { "type": "number" }, - "pgid": { + "var_entropy": { "type": "number" }, - "command_line": { - "type": "string" - }, - "args": { - "type": "string" - }, - "args_count": { - "type": "number" - }, - "executable": { - "type": "string" - }, - "title": { - "type": "string" - }, - "thread": { - "type": "object", - "additionalProperties": true, - "properties": { - "id": { - "type": "number" - }, - "name": { - "type": "string" - } - } - }, - "start": { - "type": "string", - "format": "date-time" - }, - "uptime": { - "type": "number" - }, - "working_directory": { - "type": "string" - }, - "exit_code": { + "virtual_size": { "type": "number" } } + } + } + }, + "process": { + "type": "object", + "properties": { + "pid": { + "type": "number" + }, + "vpid": { + "type": "number" }, "entity_id": { "type": "string" @@ -1072,9 +1796,6 @@ "name": { "type": "string" }, - "ppid": { - "type": "number" - }, "pgid": { "type": "number" }, 
@@ -1102,6 +1823,18 @@ }, "name": { "type": "string" + }, + "capabilities": { + "type": "object", + "additionalProperties": true, + "properties": { + "permitted": { + "type": "string" + }, + "effective": { + "type": "string" + } + } } } }, @@ -1117,6 +1850,89 @@ }, "exit_code": { "type": "number" + }, + "end": { + "type": "string", + "format": "date-time" + }, + "interactive": { + "type": "boolean" + }, + "same_as_process": { + "type": "boolean" + }, + "env_vars": { + "type": "string" + }, + "entry_meta": { + "type": "object", + "additionalProperties": true, + "properties": { + "type": { + "type": "string" + }, + "source": { + "type": "object", + "additionalProperties": true + } + } + }, + "tty": { + "type": "object", + "additionalProperties": true, + "properties": { + "char_device": { + "type": "object", + "additionalProperties": true, + "properties": { + "major": { + "type": "number" + }, + "minor": { + "type": "number" + } + } + }, + "rows": { + "type": "number" + }, + "columns": { + "type": "number" + } + } + }, + "io": { + "type": "object", + "additionalProperties": true, + "properties": { + "type": { + "type": "string" + }, + "text": { + "type": "string" + }, + "total_bytes_captured": { + "type": "number" + }, + "total_bytes_skipped": { + "type": "number" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "bytes_skipped": { + "type": "object", + "additionalProperties": true, + "properties": { + "offset": { + "type": "number" + }, + "length": { + "type": "number" + } + } + } + } } } }, @@ -1172,6 +1988,32 @@ }, "hash": { "type": "string" + }, + "hosts": { + "type": "string" + } + } + }, + "risk": { + "type": "object", + "properties": { + "calculated_score": { + "type": "number" + }, + "calculated_score_norm": { + "type": "number" + }, + "static_score": { + "type": "number" + }, + "static_score_norm": { + "type": "number" + }, + "calculated_level": { + "type": "string" + }, + "static_level": { + "type": "string" } } }, 
@@ -1243,6 +2085,9 @@ "top_level_domain": { "type": "string" }, + "subdomain": { + "type": "string" + }, "bytes": { "type": "number" }, 
@@ -1269,84 +2114,303 @@ "type": "number" } } - } - } - }, - "service": { - "type": "object", - "properties": { - "id": { - "type": "string" + } + } + }, + "service": { + "type": "object", + "properties": { + "environment": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "node": { + "type": "object", + "additionalProperties": true, + "properties": { + "name": { + "type": "string" + }, + "role": { + "type": "string" + }, + "roles": { + "type": "string" + } + } + }, + "type": { + "type": "string" + }, + "state": { + "type": "string" + }, + "version": { + "type": "string" + }, + "ephemeral_id": { + "type": "string" + }, + "address": { + "type": "string" + } + } + }, + "source": { + "type": "object", + "properties": { + "address": { + "type": "string" + }, + "ip": { + "anyOf": [ + { + "type": "string", + "format": "ipv4" + }, + { + "type": "string", + "format": "ipv6" + } + ] + }, + "port": { + "type": "number" + }, + "mac": { + "type": "string" + }, + "domain": { + "type": "string" + }, + "registered_domain": { + "type": "string" + }, + "top_level_domain": { + "type": "string" + }, + "subdomain": { + "type": "string" + }, + "bytes": { + "type": "number" + }, + "packets": { + "type": "number" + }, + "nat": { + "type": "object", + "additionalProperties": true, + "properties": { + "ip": { + "anyOf": [ + { + "type": "string", + "format": "ipv4" + }, + { + "type": "string", + "format": "ipv6" + } + ] + }, + "port": { + "type": "number" + } + } + } + } + }, + "threat": { + "type": "object", + "properties": { + "enrichments": { + "type": "object", + "additionalProperties": true, + "properties": { + "indicator": { + "type": "object", + "additionalProperties": true, + "properties": { + "first_seen": { + "type": "string", + "format": "date-time" + }, + "last_seen": { + "type": "string", + "format": "date-time" + }, + "modified_at": { + "type": "string", + "format": "date-time" + }, + "sightings": { + "type": "number" + }, + 
"type": { + "type": "string" + }, + "name": { + "type": "string" + }, + "description": { + "type": "string" + }, + "scanner_stats": { + "type": "number" + }, + "confidence": { + "type": "string" + }, + "ip": { + "anyOf": [ + { + "type": "string", + "format": "ipv4" + }, + { + "type": "string", + "format": "ipv6" + } + ] + }, + "port": { + "type": "number" + }, + "email": { + "type": "object", + "additionalProperties": true, + "properties": { + "address": { + "type": "string" + } + } + }, + "marking": { + "type": "object", + "additionalProperties": true, + "properties": { + "tlp": { + "type": "string" + }, + "tlp_version": { + "type": "string" + } + } + }, + "reference": { + "type": "string" + }, + "provider": { + "type": "string" + } + } + }, + "matched": { + "type": "object", + "additionalProperties": true, + "properties": { + "atomic": { + "type": "string" + }, + "field": { + "type": "string" + }, + "id": { + "type": "string" + }, + "index": { + "type": "string" + }, + "occurred": { + "type": "string", + "format": "date-time" + }, + "type": { + "type": "string" + } + } + } + } }, - "name": { - "type": "string" - }, - "node": { + "feed": { "type": "object", "additionalProperties": true, "properties": { + "dashboard_id": { + "type": "string" + }, "name": { "type": "string" + }, + "description": { + "type": "string" + }, + "reference": { + "type": "string" } } }, - "type": { - "type": "string" - }, - "state": { - "type": "string" - }, - "version": { - "type": "string" - }, - "ephemeral_id": { - "type": "string" - } - } - }, - "source": { - "type": "object", - "properties": { - "address": { + "framework": { "type": "string" }, - "ip": { - "anyOf": [ - { - "type": "string", - "format": "ipv4" + "group": { + "type": "object", + "additionalProperties": true, + "properties": { + "alias": { + "type": "string" }, - { - "type": "string", - "format": "ipv6" + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "type": "string" } - ] - }, - 
"port": { - "type": "number" - }, - "mac": { - "type": "string" - }, - "domain": { - "type": "string" - }, - "registered_domain": { - "type": "string" - }, - "top_level_domain": { - "type": "string" - }, - "bytes": { - "type": "number" - }, - "packets": { - "type": "number" + } }, - "nat": { + "indicator": { "type": "object", "additionalProperties": true, "properties": { + "first_seen": { + "type": "string", + "format": "date-time" + }, + "last_seen": { + "type": "string", + "format": "date-time" + }, + "modified_at": { + "type": "string", + "format": "date-time" + }, + "sightings": { + "type": "number" + }, + "type": { + "type": "string" + }, + "name": { + "type": "string" + }, + "description": { + "type": "string" + }, + "scanner_stats": { + "type": "number" + }, + "confidence": { + "type": "string" + }, "ip": { "anyOf": [ { 
@@ -1361,44 +2425,102 @@ }, "port": { "type": "number" + }, + "email": { + "type": "object", + "additionalProperties": true, + "properties": { + "address": { + "type": "string" + } + } + }, + "marking": { + "type": "object", + "additionalProperties": true, + "properties": { + "tlp": { + "type": "string" + }, + "tlp_version": { + "type": "string" + } + } + }, + "reference": { + "type": "string" + }, + "provider": { + "type": "string" } } - } - } - }, - "threat": { - "type": "object", - "properties": { - "framework": { - "type": "string" }, - "tactic": { + "software": { "type": "object", "additionalProperties": true, "properties": { + "id": { + "type": "string" + }, "name": { "type": "string" }, - "id": { + "alias": { + "type": "string" + }, + "platforms": { "type": "string" }, "reference": { "type": "string" + }, + "type": { + "type": "string" } } }, - "technique": { + "tactic": { "type": "object", "additionalProperties": true, "properties": { + "id": { + "type": "string" + }, "name": { "type": "string" }, + "reference": { + "type": "string" + } + } + }, + "technique": { + "type": "object", + "additionalProperties": true, + "properties": { "id": { "type": "string" }, + "name": { + "type": "string" + }, "reference": { "type": "string" + }, + "subtechnique": { + "type": "object", + "additionalProperties": true, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "type": "string" + } + } } } } @@ -1544,6 +2666,15 @@ "type": "string" } } + }, + "span": { + "type": "object", + "additionalProperties": true, + "properties": { + "id": { + "type": "string" + } + } } } }, @@ -1568,6 +2699,9 @@ "top_level_domain": { "type": "string" }, + "subdomain": { + "type": "string" + }, "port": { "type": "number" }, @@ -1611,6 +2745,9 @@ }, "domain": { "type": "string" + }, + "roles": { + "type": "string" } } }, 
@@ -1703,6 +2840,97 @@ "type": "string" } } + }, + "x509": { + "type": "object", + "properties": { + "version_number": { + "type": "string" + }, + "serial_number": { + "type": "string" + }, + "issuer": { + "type": "object", + "additionalProperties": true, + "properties": { + "distinguished_name": { + "type": "string" + }, + "common_name": { + "type": "string" + }, + "organizational_unit": { + "type": "string" + }, + "organization": { + "type": "string" + }, + "locality": { + "type": "string" + }, + "state_or_province": { + "type": "string" + }, + "country": { + "type": "string" + } + } + }, + "signature_algorithm": { + "type": "string" + }, + "not_before": { + "type": "string", + "format": "date-time" + }, + "not_after": { + "type": "string", + "format": "date-time" + }, + "subject": { + "type": "object", + "additionalProperties": true, + "properties": { + "distinguished_name": { + "type": "string" + }, + "common_name": { + "type": "string" + }, + "organizational_unit": { + "type": "string" + }, + "organization": { + "type": "string" + }, + "locality": { + "type": "string" + }, + "state_or_province": { + "type": "string" + }, + "country": { + "type": "string" + } + } + }, + "public_key_algorithm": { + "type": "string" + }, + "public_key_size": { + "type": "number" + }, + "public_key_exponent": { + "type": "number" + }, + "public_key_curve": { + "type": "string" + }, + "alternative_names": { + "type": "string" + } + } } }, "additionalProperties": true