Elastic
Start free trial Contact Sales
Loading

ThreatConnect

<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.7.0 (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types
What’s this? | Security
Observability |
| Subscription level
What’s this? | Basic |
| Level of support
What’s this? | Partner |

</div>
ThreatConnect is a widely used Threat Intelligence Platform (TIP) designed to assist organizations in aggregating, analyzing, and sharing information related to cybersecurity threats. The platform provides tools and features that enable security teams to collaborate on threat intelligence, manage incidents, and make informed decisions to enhance their overall cybersecurity posture. This ThreatConnect integration enables you to consume and analyze ThreatConnect data within Elastic Security, including indicator events, providing you with visibility and context for your cloud environments within Elastic Security.

The ThreatConnect Integration collects indicators as the primary data type. Associated groups and associated indicators are brought in via Elastic custom mapping fields.

An Indicator inside ThreatConnect represents an atomic piece of information that has some intelligence value.

Reference for REST APIs of ThreatConnect.

Elastic Agent must be installed. For more information, refer to the link here.

The minimum required versions for the Elastic Stack is 8.12.0.

The minimum required ThreatConnect Platform version is 7.3.1 This integration module uses the ThreatConnect V3 API.

You have a few options for installing and managing an Elastic Agent:

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.

The minimum kibana.version* required is 8.11.0. This module has been tested against the ThreatConnect API Version v3. The minimum required ThreatConnect Platform version needs to be *7.3.1.

  1. Access Id
  2. Secret Key
  3. URL

To create an API user account, please refer to this article.

  1. In Kibana, go to Management > Integrations.
  2. In the "Search for integrations" search bar, type ThreatConnect.
  3. Click on the "ThreatConnect" integration from the search results.
  4. Click on the "Add ThreatConnect" button to add the integration.
  5. Configure all required integration parameters, including Access Id, Secret Key, and URL, to enable data collection from the ThreatConnect REST API.
  6. Save the integration.

The ingested indicators expire after certain duration. An Elastic Transform is created to facilitate only active indicators be available to the end users. Since we want to retain only valuable information and avoid duplicated data, the ThreatConnect Elastic integration forces the intel indicators to rotate into a custom index called: logs-ti_threatconnect_latest.dest_indicator-*. Please, refer to this index in order to set alerts and so on.

In order to prevent orphaned indicators that may never expire in the destination index users can configure IOC Expiration Duration parameter while setting up the integration. This parameter deletes all data inside the destination index logs-ti_threatconnect_latest.dest_indicator after this specified duration is reached.

This is possible thanks to a transform rule installed along with the integration. The transform rule parses the data stream content that is pulled from ThreatConnect and only adds new indicators.

Both the data stream and the latest index have applied expiration through ILM and a retention policy in the transform respectively.

This is the Indicator dataset.

**Example**

An example event for indicator looks as following:

{
    "@timestamp": "2023-12-05T06:38:53.000Z",
    "agent": {
        "ephemeral_id": "bfc8c3c8-d6ef-467f-a80c-6c75059c9a7c",
        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.13.0"
    },
    "data_stream": {
        "dataset": "ti_threatconnect.indicator",
        "namespace": "53159",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "8299ae35-ee0e-4107-9acb-1b6acfdda1fb",
        "snapshot": false,
        "version": "8.13.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "dataset": "ti_threatconnect.indicator",
        "id": "test.user@elastic.co",
        "ingested": "2024-08-02T06:30:51Z",
        "kind": "enrichment",
        "original": "{\"active\":true,\"activeLocked\":false,\"address\":\"test.user@elastic.co\",\"associatedGroups\":{\"data\":[{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-05T06:38:33Z\",\"downVoteCount\":\"0\",\"id\":609427,\"lastModified\":\"2023-12-05T06:43:21Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427\",\"name\":\"Test2 \",\"ownerId\":51,\"ownerName\":\"Elastic\",\"type\":\"Vulnerability\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/609427/overview\"},{\"createdBy\":{\"firstName\":\"test\",\"id\":69,\"lastName\":\"user\",\"owner\":\"Elastic\",\"pseudonym\":\"testW\",\"userName\":\"test.user@elastic.co\"},\"dateAdded\":\"2023-12-04T07:18:52Z\",\"documentDateAdded\":\"2023-12-04T07:18:53Z\",\"documentType\":\"PDF\",\"downVoteCount\":\"0\",\"fileName\":\"testthreatgroup.pdf\",\"fileSize\":24467,\"generatedReport\":true,\"id\":601237,\"lastModified\":\"2023-12-05T06:38:46Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/report/report.xhtml?report=601237\",\"name\":\"TestThreatGroup\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"status\":\"Success\",\"type\":\"Report\",\"upVoteCount\":\"0\",\"webLink\":\"https://app.threatconnect.com/#/details/groups/601237/overview\"}]},\"associatedIndicators\":{\"data\":[{\"active\":true,\"activeLocked\":false,\"address\":\"testing@poverts.com\",\"confidence\":61,\"dateAdded\":\"2023-08-25T12:57:24Z\",\"id\":891599,\"lastModified\":\"2023-12-05T06:50:06Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"rating\":3,\"summary\":\"testing@poverts.com\",\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/891599/overview\"},{\"active\":true,\"activeLocked\":false,\"dateAdded\":\"2023-08-24T06:28:17Z\",\"id\":738667,\"lastModified\":\"2023-12-05T06:47:59Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"summary\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"text\":\"http://www.testingmcafeesites.com/testcat_pc.html\",\"type\":\"URL\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/738667/overview\"}]},\"attributes\":{},\"dateAdded\":\"2023-08-24T06:19:58Z\",\"id\":736758,\"lastModified\":\"2023-12-05T06:38:53Z\",\"legacyLink\":\"https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co\\u0026owner=Elastic\",\"ownerId\":51,\"ownerName\":\"Elastic\",\"privateFlag\":false,\"securityLabels\":{\"data\":[{\"color\":\"FFC000\",\"dateAdded\":\"2016-08-31T00:00:00Z\",\"description\":\"This security label is used for information that requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Information with this label can be shared with members of an organization and its clients.\",\"id\":3,\"name\":\"TLP:AMBER\",\"owner\":\"System\"}]},\"summary\":\"test.user@elastic.co\",\"tags\":{\"data\":[{\"description\":\"Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \\\"pig butchering,\\\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \\n\\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\\n\\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening public exposure unless payment is made to the adversary.(Citation: Mandiant-leaks)\\n\\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)\",\"id\":463701,\"lastUsed\":\"2023-12-04T06:44:44Z\",\"name\":\"Financial Theft\",\"platforms\":{\"count\":6,\"data\":[\"Linux\",\"macOS\",\"Windows\",\"Office 365\",\"SaaS\",\"Google Workspace\"]},\"techniqueId\":\"T1657\"}]},\"threatAssessConfidence\":0,\"threatAssessRating\":0,\"threatAssessScore\":281,\"threatAssessScoreFalsePositive\":0,\"threatAssessScoreObserved\":0,\"type\":\"EmailAddress\",\"webLink\":\"https://app.threatconnect.com/#/details/indicators/736758/overview\"}",
        "type": [
            "indicator"
        ]
    },
    "input": {
        "type": "cel"
    },
    "os": {
        "family": [
            "Linux",
            "macOS",
            "Windows",
            "Office 365",
            "SaaS",
            "Google Workspace"
        ]
    },
    "related": {
        "user": [
            "test.user",
            "test",
            "user",
            "test.user@elastic.co"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "threatconnect-indicator"
    ],
    "threat": {
        "indicator": {
            "email": {
                "address": "test.user@elastic.co"
            },
            "marking": {
                "tlp": [
                    "AMBER"
                ]
            },
            "provider": "ThreatConnect",
            "reference": [
                "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co&owner=Elastic",
                "https://app.threatconnect.com/#/details/indicators/736758/overview"
            ],
            "type": [
                "email-addr"
            ]
        },
        "technique": {
            "id": [
                "T1657"
            ]
        }
    },
    "threat_connect": {
        "indicator": {
            "active": {
                "locked": false,
                "value": true
            },
            "address": "test.user@elastic.co",
            "associated_groups": {
                "data": [
                    {
                        "created_by": {
                            "first_name": "test",
                            "id": "69",
                            "last_name": "user",
                            "owner": "Elastic",
                            "pseudonym": "testW",
                            "user_name": "test.user@elastic.co"
                        },
                        "date_added": "2023-12-05T06:38:33.000Z",
                        "down_vote_count": "0",
                        "id": "609427",
                        "last_modified": "2023-12-05T06:43:21.000Z",
                        "legacy_link": "https://app.threatconnect.com/auth/vulnerability/vulnerability.xhtml?vulnerability=609427",
                        "name": "Test2 ",
                        "owner": {
                            "id": "51",
                            "name": "Elastic"
                        },
                        "type": "Vulnerability",
                        "up_vote_count": "0",
                        "web_link": "https://app.threatconnect.com/#/details/groups/609427/overview"
                    },
                    {
                        "created_by": {
                            "first_name": "test",
                            "id": "69",
                            "last_name": "user",
                            "owner": "Elastic",
                            "pseudonym": "testW",
                            "user_name": "test.user@elastic.co"
                        },
                        "date_added": "2023-12-04T07:18:52.000Z",
                        "document": {
                            "date_added": "2023-12-04T07:18:53.000Z",
                            "type": "PDF"
                        },
                        "down_vote_count": "0",
                        "file": {
                            "name": "testthreatgroup.pdf",
                            "size": "24467"
                        },
                        "generated_report": true,
                        "id": "601237",
                        "last_modified": "2023-12-05T06:38:46.000Z",
                        "legacy_link": "https://app.threatconnect.com/auth/report/report.xhtml?report=601237",
                        "name": "TestThreatGroup",
                        "owner": {
                            "id": "51",
                            "name": "Elastic"
                        },
                        "status": "Success",
                        "type": "Report",
                        "up_vote_count": "0",
                        "web_link": "https://app.threatconnect.com/#/details/groups/601237/overview"
                    }
                ]
            },
            "associated_indicators": {
                "data": [
                    {
                        "active": {
                            "locked": false,
                            "value": true
                        },
                        "address": "testing@poverts.com",
                        "confidence": 61,
                        "date_added": "2023-08-25T12:57:24.000Z",
                        "id": "891599",
                        "last_modified": "2023-12-05T06:50:06.000Z",
                        "legacy_link": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=testing%40poverts.com&owner=Elastic",
                        "owner": {
                            "id": "51",
                            "name": "Elastic"
                        },
                        "private_flag": false,
                        "rating": 3,
                        "summary": "testing@poverts.com",
                        "type": "EmailAddress",
                        "web_link": "https://app.threatconnect.com/#/details/indicators/891599/overview"
                    },
                    {
                        "active": {
                            "locked": false,
                            "value": true
                        },
                        "date_added": "2023-08-24T06:28:17.000Z",
                        "id": "738667",
                        "last_modified": "2023-12-05T06:47:59.000Z",
                        "legacy_link": "https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=738667&owner=Elastic",
                        "owner": {
                            "id": "51",
                            "name": "Elastic"
                        },
                        "private_flag": false,
                        "summary": "http://www.testingmcafeesites.com/testcat_pc.html",
                        "text": "http://www.testingmcafeesites.com/testcat_pc.html",
                        "type": "URL",
                        "web_link": "https://app.threatconnect.com/#/details/indicators/738667/overview"
                    }
                ]
            },
            "date_added": "2023-08-24T06:19:58.000Z",
            "deleted_at": "2024-03-04T06:38:53.000Z",
            "expiration_duration": "90d",
            "id": "736758",
            "last_modified": "2023-12-05T06:38:53.000Z",
            "legacy_link": "https://app.threatconnect.com/auth/indicators/details/emailaddress.xhtml?emailaddress=test.user%40elastic.co&owner=Elastic",
            "owner": {
                "id": "51",
                "name": "Elastic"
            },
            "private_flag": false,
            "security_labels": {
                "data": [
                    {
                        "date_added": "2016-08-31T00:00:00.000Z",
                        "name": "TLP:AMBER"
                    }
                ]
            },
            "summary": "test.user@elastic.co",
            "tags": {
                "data": [
                    {
                        "last_used": "2023-12-04T06:44:44.000Z",
                        "name": "Financial Theft",
                        "technique": {
                            "id": "T1657"
                        }
                    }
                ]
            },
            "threat_assess": {
                "confidence": 0,
                "rating": 0,
                "score": {
                    "false_positive": 0,
                    "observed": 0,
                    "value": 281
                }
            },
            "type": "EmailAddress",
            "web_link": "https://app.threatconnect.com/#/details/indicators/736758/overview"
        }
    },
    "user": {
        "domain": "elastic.co",
        "email": "test.user@elastic.co",
        "name": "test.user"
    }
}
**Exported fields**
Field Description Type
@timestamp Event timestamp. date
data_stream.dataset Data stream dataset. constant_keyword
data_stream.namespace Data stream namespace. constant_keyword
data_stream.type Data stream type. constant_keyword
event.dataset Event dataset. constant_keyword
event.module Event module. constant_keyword
input.type Type of filebeat input. keyword
labels.is_ioc_transform_source Indicates whether an IOC is in the raw source data stream, or the in latest destination index. constant_keyword
log.offset Log offset. long
threat.feed.name Display friendly feed name. constant_keyword
threat.indicator.first_seen The date and time when intelligence source first reported sighting this indicator. date
threat.indicator.last_seen The date and time when intelligence source last reported sighting this indicator. date
threat.indicator.modified_at The date and time when intelligence source last modified information for this indicator. date
threat_connect.indicator.active.locked Indicates whether the active status is locked. boolean
threat_connect.indicator.active.value Indicates whether the indicator is active. boolean
threat_connect.indicator.address The email address associated with the Email Address Indicator. keyword
threat_connect.indicator.as_number The AS number associated with the ASN Indicator. keyword
threat_connect.indicator.associated_artifacts A list of Artifacts associated to the Indicator. flattened
threat_connect.indicator.associated_cases A list of Cases associated to the Indicator. flattened
threat_connect.indicator.associated_groups.data.assignments.data.type Valid values for the type of assignment are Assigned and Escalate. keyword
threat_connect.indicator.associated_groups.data.assignments.data.user.id Unique identifier of users assigned to the Task or to whom the Task will be escalated. keyword
threat_connect.indicator.associated_groups.data.body The Emails body. keyword
threat_connect.indicator.associated_groups.data.created_by.first_name First name of user. keyword
threat_connect.indicator.associated_groups.data.created_by.id Unique Identifier of the user who created the group. keyword
threat_connect.indicator.associated_groups.data.created_by.last_name Last name of user. keyword
threat_connect.indicator.associated_groups.data.created_by.owner Owner of attribute creator. keyword
threat_connect.indicator.associated_groups.data.created_by.pseudonym Pseudonym or alias of the user. keyword
threat_connect.indicator.associated_groups.data.created_by.user_name Username of user. keyword
threat_connect.indicator.associated_groups.data.date_added Date and time group was added. date
threat_connect.indicator.associated_groups.data.document.date_added Date and time when the document was added. date
threat_connect.indicator.associated_groups.data.document.type The type of document. keyword
threat_connect.indicator.associated_groups.data.down_vote_count Downvote Intel Rating. keyword
threat_connect.indicator.associated_groups.data.due_date The date and time when the Task is due. date
threat_connect.indicator.associated_groups.data.email_date The date associated with an email. date
threat_connect.indicator.associated_groups.data.escalation_date The date and time when the Task should be escalated. date
threat_connect.indicator.associated_groups.data.event_date The date and time when the Event took place. date
threat_connect.indicator.associated_groups.data.external.date.added The date and time when the Group was created externally. date
threat_connect.indicator.associated_groups.data.external.date.expires The date and time when the Group expires externally. date
threat_connect.indicator.associated_groups.data.external.last_modified The date and time when the Group was last modified externally. date
threat_connect.indicator.associated_groups.data.file.name The file name of the Document. keyword
threat_connect.indicator.associated_groups.data.file.size The File size of the document. keyword
threat_connect.indicator.associated_groups.data.file.text The file text of the Signature. keyword
threat_connect.indicator.associated_groups.data.file.type The file type of the SignaturePossible values are Bro,ClamAV,CybOX,Iris Search Hash,KQL,OpenIOC,Regex,SPL,Sigma,Snort,Suricata,TQL Query,YARA. keyword
threat_connect.indicator.associated_groups.data.first_seen The date and time when the Group was first seen. date
threat_connect.indicator.associated_groups.data.from The Emails subject. keyword
threat_connect.indicator.associated_groups.data.generated_report Indicates whether the report is generated. boolean
threat_connect.indicator.associated_groups.data.header The Emails header. keyword
threat_connect.indicator.associated_groups.data.id Unique Identifier of Group. keyword
threat_connect.indicator.associated_groups.data.last_modified Date and time when the document was last updated. date
threat_connect.indicator.associated_groups.data.last_seen The date and time when the Group was last seen. date
threat_connect.indicator.associated_groups.data.legacy_link Legacy link to the group’s details in the ThreatConnect web application. keyword
threat_connect.indicator.associated_groups.data.malware Indicates whether the Document is malware. boolean
threat_connect.indicator.associated_groups.data.name The Groups name. keyword
threat_connect.indicator.associated_groups.data.owner.id The ID of the owner to which the Group belongs. keyword
threat_connect.indicator.associated_groups.data.owner.name The name of the owner to which the Group belongs. keyword
threat_connect.indicator.associated_groups.data.password The password associated with the Document. keyword
threat_connect.indicator.associated_groups.data.publish_date The date and time when the Report was published. date
threat_connect.indicator.associated_groups.data.reminder_date The date and time when a reminder about the Task will be sent. date
threat_connect.indicator.associated_groups.data.score_breakdown A breakdown or explanation of the score, providing additional information about how the score was determined. keyword
threat_connect.indicator.associated_groups.data.score_includes_body Indicates whether the score includes information from the email body. boolean
threat_connect.indicator.associated_groups.data.status The status of the Group type. keyword
threat_connect.indicator.associated_groups.data.subject The Emails From field. keyword
threat_connect.indicator.associated_groups.data.to The receiver email address. keyword
threat_connect.indicator.associated_groups.data.type The type of Group being created.Possiblevalues:Adversary,AttackPattern,Campaign,CourseofAction,Document,Email,Event,Incident,IntrusionSet,Malware,Report,Signature,Tactic,Task,Threat,Tool, Vulnerability. keyword
threat_connect.indicator.associated_groups.data.up_vote Use this field to update the Groups Intel Rating. boolean
threat_connect.indicator.associated_groups.data.up_vote_count Upvote Intel Rating. keyword
threat_connect.indicator.associated_groups.data.web_link Link to the group’s details in the ThreatConnect web application. keyword
threat_connect.indicator.associated_groups.data.xid The Groups XID. keyword
threat_connect.indicator.associated_indicators.data.active.locked Indicates whether the active status is locked. boolean
threat_connect.indicator.associated_indicators.data.active.value Indicates whether the indicator is active. boolean
threat_connect.indicator.associated_indicators.data.address The email address associated with the Email Address Indicator. keyword
threat_connect.indicator.associated_indicators.data.as_number The AS number associated with the ASN Indicator. keyword
threat_connect.indicator.associated_indicators.data.block The block of network IP addresses associated with the CIDR Indicator. keyword
threat_connect.indicator.associated_indicators.data.confidence The Indicators Confidence Rating. long
threat_connect.indicator.associated_indicators.data.date_added Date and time when the indicator was added. date
threat_connect.indicator.associated_indicators.data.description Description of the indicator. keyword
threat_connect.indicator.associated_indicators.data.dns_active Indicates whether the DNS feature is active for the Host Indicator. boolean
threat_connect.indicator.associated_indicators.data.external.date.added The date and time when the Indicator was created externally. date
threat_connect.indicator.associated_indicators.data.external.date.expires The date and time when the Indicator expires externally. date
threat_connect.indicator.associated_indicators.data.external.last_modified The date and time when the Indicator was last modified externally. date
threat_connect.indicator.associated_indicators.data.first_seen The date and time when the Indicator was first seen. date
threat_connect.indicator.associated_indicators.data.hashtag The hashtag term associated with the Hashtag Indicator. keyword
threat_connect.indicator.associated_indicators.data.host_name The host name associated with the Host Indicator. keyword
threat_connect.indicator.associated_indicators.data.id Unique identifier for the indicator. keyword
threat_connect.indicator.associated_indicators.data.ip The IP address associated with the Address Indicator. ip
threat_connect.indicator.associated_indicators.data.key_name The name of the registry key associated with the Registry Key Indicator. keyword
threat_connect.indicator.associated_indicators.data.last_modified Date and time when the indicator was last modified. date
threat_connect.indicator.associated_indicators.data.last_seen The date and time when the Indicator was last seen. date
threat_connect.indicator.associated_indicators.data.legacy_link Legacy link to the indicator’s details in the ThreatConnect web application. keyword
threat_connect.indicator.associated_indicators.data.md5 MD5 hash value associated with the indicator. keyword
threat_connect.indicator.associated_indicators.data.mutex The synchronization primitive used to identify malware files that is associated with the Mutex. keyword
threat_connect.indicator.associated_indicators.data.owner.id Identifier for the owner of the indicator. keyword
threat_connect.indicator.associated_indicators.data.owner.name Name of the organization that owns the indicator. keyword
threat_connect.indicator.associated_indicators.data.private_flag Indicates whether the indicator is marked as private. boolean
threat_connect.indicator.associated_indicators.data.rating The Indicators Threat Rating. double
threat_connect.indicator.associated_indicators.data.sha1 The SHA1 hash associated with the File Indicator. keyword
threat_connect.indicator.associated_indicators.data.sha256 The SHA256 hash associated with the File Indicator. keyword
threat_connect.indicator.associated_indicators.data.size The size of the file associated with the File Indicator. keyword
threat_connect.indicator.associated_indicators.data.subject The subject line of the email associated with the Email Subject Indicator. keyword
threat_connect.indicator.associated_indicators.data.summary Summary or description of the indicator. keyword
threat_connect.indicator.associated_indicators.data.text The URL associated with the URL Indicator. keyword
threat_connect.indicator.associated_indicators.data.type Type of the indicator. keyword
threat_connect.indicator.associated_indicators.data.user_agent_string The characteristic identification string associated with the User Agent Indicator. keyword
threat_connect.indicator.associated_indicators.data.value.name The registry value associated with the Registry Key Indicator. keyword
threat_connect.indicator.associated_indicators.data.value.type Possible values:REG_NONE,REG_BINARY,REG_DWORD,REG_DWORD_LITTLE_ENDIAN,REG_DWORD_BIG_ENDIAN,REG_EXPAND_SZ,REG_LINK,REG_MULTI_SZ,REG_QWORD,REG_QWORD_LITTLE_ENDIAN,REG_SZ. keyword
threat_connect.indicator.associated_indicators.data.web_link Link to the indicator’s details in the ThreatConnect web application. keyword
threat_connect.indicator.associated_indicators.data.whois_active Indicates whether the Whois feature is active for the Host Indicator. boolean
threat_connect.indicator.attributes.data.created_by.first_name First name of the user who created the victim attribute. keyword
threat_connect.indicator.attributes.data.created_by.id Unique Identifier of the user who created the attribute. keyword
threat_connect.indicator.attributes.data.created_by.last_name Lastname of the user who created the victim attribute. keyword
threat_connect.indicator.attributes.data.created_by.owner Owner of attribute creator. keyword
threat_connect.indicator.attributes.data.created_by.pseudonym Pseudonym or alias of the user. keyword
threat_connect.indicator.attributes.data.created_by.user_name Username of the user who created the victim attribute. keyword
threat_connect.indicator.attributes.data.date_added Date and time when the attribute was added. date
threat_connect.indicator.attributes.data.default Indicates whether the Attribute is the default Attribute of its type for the Indicator to which it is added (this field applies to certain Attribute and data types only). boolean
threat_connect.indicator.attributes.data.id Unique Identifier of attribute. keyword
threat_connect.indicator.attributes.data.last_modified Date and time when attribute was modified. date
threat_connect.indicator.attributes.data.pinned Indicates whether the Attribute is to be displayed as a Pinned Attribute on the Details screen for the Indicator to which the Attribute is added. boolean
threat_connect.indicator.attributes.data.source The Attributes source. keyword
threat_connect.indicator.attributes.data.type The Attributes type. keyword
threat_connect.indicator.attributes.data.value The Attributes value. keyword
threat_connect.indicator.block The block of network IP addresses associated with the CIDR Indicator. keyword
threat_connect.indicator.confidence The Indicators Confidence Rating. long
threat_connect.indicator.custom_associations Includes indicators with custom associations to the indicator. flattened
threat_connect.indicator.date_added Date and time when the indicator was added. date
threat_connect.indicator.deleted_at Date when the IOC was expired/deleted. date
threat_connect.indicator.description Description of the indicator. keyword
threat_connect.indicator.dns_active Indicates whether the DNS feature is active for the Host Indicator. boolean
threat_connect.indicator.dns_resolution Includes DNS resolution data related to the Host indicators. flattened
threat_connect.indicator.enrichment Includes Enrichment data related to the indicator. flattened
threat_connect.indicator.expiration_duration Duration when the IOC will expire. keyword
threat_connect.indicator.external.date.added The date and time when the Indicator was created externally. date
threat_connect.indicator.external.date.expires The date and time when the Indicator expires externally. date
threat_connect.indicator.external_last.modified The date and time when the Indicator was last modified externally. date
threat_connect.indicator.false_positive_reported_by_user Indicates whether false positive is reported by user. boolean
threat_connect.indicator.false_positives Count of false positives. long
threat_connect.indicator.file_actions A list of File Actions associated with the File Indicator. flattened
threat_connect.indicator.file_occurrences A list of File Occurrences associated with the File Indicator. flattened
threat_connect.indicator.first_seen The date and time when the Indicator was first seen. date
threat_connect.indicator.generic_custom_indicator_values Includes the fields over-writing the custom field names: value1, value2, and value3. flattened
threat_connect.indicator.geo_location Includes GEO location information related to the Host and IP indicators. flattened
threat_connect.indicator.hashtag The hashtag term associated with the Hashtag Indicator. keyword
threat_connect.indicator.host_name The host name associated with the Host Indicator. keyword
threat_connect.indicator.id Unique identifier for the indicator. keyword
threat_connect.indicator.investigation_links Includes investigation links related to the indicator type. flattened
threat_connect.indicator.ip The IP address associated with the Address Indicator. ip
threat_connect.indicator.key_name The name of the registry key associated with the Registry Key Indicator. keyword
threat_connect.indicator.last_false_positive Date and time of last false positive. date
threat_connect.indicator.last_modified Date and time when the indicator was last modified. date
threat_connect.indicator.last_seen The date and time when the Indicator was last seen. date
threat_connect.indicator.legacy_link Legacy link to the indicator’s details in the ThreatConnect web application. keyword
threat_connect.indicator.md5 MD5 hash value associated with the indicator. keyword
threat_connect.indicator.mutex The synchronization primitive used to identify malware files that is associated with the Mutex. keyword
threat_connect.indicator.observations Includes the Observations fields. flattened
threat_connect.indicator.owner.id Identifier for the owner of the indicator. keyword
threat_connect.indicator.owner.name Name of the organization that owns the indicator. keyword
threat_connect.indicator.private_flag Indicates whether the indicator is marked as private. boolean
threat_connect.indicator.rating The Indicators Threat Rating. double
threat_connect.indicator.security_labels.data.date_added The date and time when the security label was added. date
threat_connect.indicator.security_labels.data.name Actual name or label of the security classification. keyword
threat_connect.indicator.security_labels.data.owner The entity or system that owns or manages the security label. keyword
threat_connect.indicator.security_labels.data.source The source of the security label. keyword
threat_connect.indicator.sha1 The SHA1 hash associated with the File Indicator. keyword
threat_connect.indicator.sha256 The SHA256 hash associated with the File Indicator. keyword
threat_connect.indicator.size The size of the file associated with the File Indicator. keyword
threat_connect.indicator.source The Indicators source. keyword
threat_connect.indicator.subject The subject line of the email associated with the Email Subject Indicator. keyword
threat_connect.indicator.summary Summary or description of the indicator. keyword
threat_connect.indicator.tags.data.last_used Date and time when tag was last used. date
threat_connect.indicator.tags.data.name Name of tag. keyword
threat_connect.indicator.tags.data.owner The Organization, Community, or Source to which the Tag belongs. keyword
threat_connect.indicator.tags.data.platforms.count Count of platforms. long
threat_connect.indicator.tags.data.platforms.data Platform on which tag is added. keyword
threat_connect.indicator.tags.data.technique.id Unique Identifier of tag technique. keyword
threat_connect.indicator.text The URL associated with the URL Indicator. keyword
threat_connect.indicator.threat_assess.confidence The confidence level associated with the threat assessment. double
threat_connect.indicator.threat_assess.rating A numerical rating indicating the threat assessment level. double
threat_connect.indicator.threat_assess.score.false_positive The count of false positives associated with the threat assessment score. long
threat_connect.indicator.threat_assess.score.observed The observed value associated with the threat assessment score. long
threat_connect.indicator.threat_assess.score.value The overall score assigned to the threat, indicating its severity or risk. long
threat_connect.indicator.tracked_users Includes Observations and False Positive stats of tracked users. flattened
threat_connect.indicator.type Type of the indicator (e.g., File, IP address). keyword
threat_connect.indicator.user_agent_string The characteristic identification string associated with the User Agent Indicator. keyword
threat_connect.indicator.value.name The registry value associated with the Registry Key Indicator. keyword
threat_connect.indicator.value.type Possible values:REG_NONE,REG_BINARY,REG_DWORD,REG_DWORD_LITTLE_ENDIAN,REG_DWORD_BIG_ENDIAN,REG_EXPAND_SZ,REG_LINK,REG_MULTI_SZ,REG_QWORD,REG_QWORD_LITTLE_ENDIAN,REG_SZ. keyword
threat_connect.indicator.web_link Link to the indicator’s details in the ThreatConnect web application. keyword
threat_connect.indicator.who_is Includes WhoIs information related to the Host indicators. flattened
threat_connect.indicator.whois_active Indicates whether the Whois feature is active for the Host Indicator. boolean
**Changelog**
Version Details Kibana version(s)
1.7.0 pass:[] Enhancement (View pull request)
Add in filter for dashboard to only show latest indicators.
 8.13.0 or higher
1.6.0 pass:[] Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind manually set to "pipeline_error".
 8.13.0 or higher
1.5.0 pass:[] Enhancement (View pull request)
Do not remove event.original in main ingest pipeline.
 8.13.0 or higher
1.4.0 pass:[] Enhancement (View pull request)
Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error".
 8.13.0 or higher
1.3.0 pass:[] Enhancement (View pull request)
Add in technique.name field to the transform. Remove milliseconds from TQL query.
 8.13.0 or higher
1.2.2 pass:[] Bug fix (View pull request)
Add missing fields in transform
 8.13.0 or higher
1.2.1 pass:[] Bug fix (View pull request)
Fix ECS date mapping on threat fields.
 8.13.0 or higher
1.2.0 pass:[] Enhancement (View pull request)
Improve error reporting for API request failures.
 8.13.0 or higher
1.1.0 pass:[] Enhancement (View pull request)
Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
 8.13.0 or higher
1.0.1 pass:[] Bug fix (View pull request)
Adjust field mappings for transform destination index.
 8.12.0 or higher
1.0.0 pass:[] Enhancement (View pull request)
Release package as GA.
 8.12.0 or higher
0.6.1 pass:[] Bug fix (View pull request)
Fix name canonicalization routines.
0.6.0 pass:[] Enhancement (View pull request)
Remove default SSL certificate, update descriptions, add ability to control attributes, associated groups and indicators.
0.5.1 pass:[] Bug fix (View pull request)
Resolved ignore_malformed issues with fields.
0.5.0 pass:[] Enhancement (View pull request)
Add error handling to API requests.
0.4.0 pass:[] Enhancement (View pull request)
Refactor CEL collection code.
0.3.0 pass:[] Enhancement (View pull request)
Update Readme and Description for configuration parameters.

pass:[] Enhancement (View pull request)
Update field for Fingerprint processor and mapping of Event ID.

pass:[] Enhancement (View pull request)
Resolve Signature Mismatch error with special character starting secret_key.
0.2.0 pass:[] Enhancement (View pull request)
Set sensitive values as secret, upgrade to package spec 3.0.3, and add missing mapping.
0.1.0 pass:[] Enhancement (View pull request)
Initial release.