From #113
Hi Guys,
Firstly, thanks for doing this.
However, I am struggling to determine where within the threat.* definitions / fields I would put details around threat feed hits. I have the feeling that the current threat fields are largely geared to the MITRE ATT&CK framework, from my reading (and I might be reading it wrong). So I was thinking something along the lines of:
threat.ioc.provider: feed_vendor_name
threat.ioc.feed: feed_name
threat.ioc.type: type_of_ioc (tor exit node, compromised ip)
threat.ioc.location: source/destination (refers back to source and destination fields, and respective sub fields)
Any guidance / advice is greatly appreciated.
Hopefully as we move forward we would then start populating the other fields within the threat.* definition.
Thanks
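As an added illustration of how the proposed threat.ioc.* fields would be populated (this is example code, not the issue author's or ECS's own, and the field names are the proposal above, not official ECS fields), the function below checks source.ip and destination.ip of an ECS-style event against a constructed indicator feed and records provider, feed, type and which side of the flow matched. Keeping multiple hits as a list under threat.ioc is an assumption of this example.

```python
# Added example: enrich an ECS-style event with the proposed threat.ioc.* fields
# when source.ip or destination.ip matches a threat-feed indicator.
# The threat.ioc.* names follow the proposal in the issue; they are not
# official ECS fields (assumption of this example).
from typing import Dict, List, Tuple

# Constructed sample feed: indicator value -> (provider, feed name, IOC type).
# Addresses are documentation ranges, not real indicators.
SAMPLE_FEED: Dict[str, Tuple[str, str, str]] = {
    "198.51.100.7": ("feed_vendor_name", "tor_exit_nodes", "tor exit node"),
    "203.0.113.9": ("feed_vendor_name", "compromised_hosts", "compromised ip"),
}


def match_ioc(event: dict, feed: Dict[str, Tuple[str, str, str]]) -> List[dict]:
    """Return one threat.ioc hit per matching address in the event.

    threat.ioc.location records which side of the flow ('source' or
    'destination') carried the indicator, so an analyst can pivot back to
    the matching source.* / destination.* fields of the same event.
    """
    hits: List[dict] = []
    for side in ("source", "destination"):
        ip = event.get(side, {}).get("ip")
        if ip in feed:
            provider, feed_name, ioc_type = feed[ip]
            hits.append({
                "provider": provider,
                "feed": feed_name,
                "type": ioc_type,
                "location": side,
            })
    return hits


def enrich(event: dict, feed: Dict[str, Tuple[str, str, str]] = SAMPLE_FEED) -> dict:
    """Return a copy of the event with threat.ioc populated, or the event
    unchanged when nothing in the feed matched."""
    hits = match_ioc(event, feed)
    if not hits:
        return event
    enriched = dict(event)
    enriched["threat"] = {"ioc": hits}
    return enriched


if __name__ == "__main__":
    # Constructed sample event: a flow whose destination is a feed hit.
    sample = {"source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.9"}}
    print(enrich(sample))
```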