# MITRE Cyber Analytics Repository

This is the mapping from MITRE Cyber Analytics Repository (CAR) native fields to the security schema.
## Timestamp

| Setting | Value |
|---|---|
| field | `@timestamp` |
| format | `%Y-%m-%dT%H:%M:%S.%fZ` |
## Globally provided mapping

| Security schema field | CAR native field or expression |
|---|---|
| hostname | `hostname` |
| pid | `pid` |
| process_name | `exe` |
| process_path | `image_path` |
| unique_pid | `process_guid` |
| user | `user` |
| user_domain | `split(user, "\\", 0)` |
| user_name | `split(user, "\\", 1)` |
## Event specific mappings

### file

Event filter: `data_model.object == "file"`

Subtype mapping:

| Subtype | Condition |
|---|---|
| create | `arrayContains(data_model.actions, "create")` |
| delete | `arrayContains(data_model.actions, "delete")` |
| modify | `arrayContains(data_model.actions, "modify")` |

Fields:

| Security schema field | CAR native field |
|---|---|
| file_name | `file_name` |
| file_path | `file_path` |
### network

Event filter: `data_model.object == "flow"`

Subtype mapping:

| Subtype | Condition |
|---|---|
| incoming | `not initiated` |
| outgoing | `initiated` |

Fields:

| Security schema field | CAR native field |
|---|---|
| destination_address | `dest_ip` |
| destination_port | `dest_port` |
| protocol | `transport` |
| source_address | `src_ip` |
| source_port | `src_port` |
### process

Event filter: `data_model.object == "process"`

Subtype mapping:

| Subtype | Condition |
|---|---|
| create | `arrayContains(data_model.action, "create")` |
| terminate | `arrayContains(data_model.action, "terminate")` |

Fields:

| Security schema field | CAR native field |
|---|---|
| command_line | `command_line` |
| parent_process_name | `parent_exe` |
| parent_process_path | `parent_image_path` |
| ppid | `ppid` |
| unique_ppid | `parent_process_guid` |
### registry

Event filter: `data_model.object == "registry" and not arrayContains(data_model.actions, "remove")`

registry_type mapping:

| registry_type | Condition |
|---|---|
| binary | `type == "REG_BINARY"` |
| dword | `type == "REG_DWORD"` |
| expand_string | `type == "REG_EXPAND_SZ"` |
| multi_string | `type == "REG_MULTI_SZ"` |
| qword | `type == "REG_QWORD"` |
| string | `type == "REG_SZ"` |

hive mapping:

| hive | Condition |
|---|---|
| hklm | `hive == "HKEY_LOCAL_MACHINE"` |
| hku | `hive == "HKEY_USERS"` |

Fields:

| Security schema field | CAR native field |
|---|---|
| registry_data | `data` |
| registry_key | `key` |
| registry_path | `key` |
| registry_value | `value` |
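The tables above describe the mapping declaratively. The following Python normalizer is an added example, not code from the page or from the schema project, that applies the same mapping to CAR-style events so the rules can be checked offline: the timestamp format, the `split(user, "\\", n)` domain/name split, the `arrayContains` subtype checks, the `initiated` flag for network direction, and the registry filter that drops `remove` actions. The flat event layout (native fields at the top level next to a `data_model` object), the acceptance of both `data_model.actions` and `data_model.action`, the handling of a user without a domain part, and the sample events are assumptions made here.

```python
"""Added example: apply the CAR -> security schema mapping to sample events.
Event layout, helper names and the no-domain user handling are assumptions."""
from datetime import datetime, timezone

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # 'format' row of the Timestamp table

# Globally provided mapping: schema field -> CAR native field
GLOBAL_FIELDS = {
    "hostname": "hostname", "pid": "pid", "process_name": "exe",
    "process_path": "image_path", "unique_pid": "process_guid", "user": "user",
}
# Event specific field mappings, keyed by data_model.object
EVENT_FIELDS = {
    "file": {"file_name": "file_name", "file_path": "file_path"},
    "flow": {"destination_address": "dest_ip", "destination_port": "dest_port",
             "protocol": "transport", "source_address": "src_ip",
             "source_port": "src_port"},
    "process": {"command_line": "command_line", "parent_process_name": "parent_exe",
                "parent_process_path": "parent_image_path", "ppid": "ppid",
                "unique_ppid": "parent_process_guid"},
    "registry": {"registry_data": "data", "registry_key": "key",
                 "registry_path": "key", "registry_value": "value"},
}
EVENT_NAMES = {"file": "file", "flow": "network", "process": "process",
               "registry": "registry"}  # data_model.object -> schema event name
REGISTRY_TYPES = {"REG_BINARY": "binary", "REG_DWORD": "dword",
                  "REG_EXPAND_SZ": "expand_string", "REG_MULTI_SZ": "multi_string",
                  "REG_QWORD": "qword", "REG_SZ": "string"}
HIVES = {"HKEY_LOCAL_MACHINE": "hklm", "HKEY_USERS": "hku"}


def parse_timestamp(value):
    """Parse @timestamp with the page's format into an aware UTC datetime."""
    return datetime.strptime(value, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def split_user(user):
    """split(user, "\\", 0) and split(user, "\\", 1) as (domain, name).
    Assumption: a bare user name without a backslash gives domain None."""
    if user is None:
        return None, None
    parts = user.split("\\", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (None, user)


def actions_of(event):
    """data_model actions as a list; accepts the singular 'action' spelling too."""
    dm = event["data_model"]
    acts = dm.get("actions", dm.get("action", []))
    return [acts] if isinstance(acts, str) else list(acts)


def subtypes_of(event):
    """Evaluate the subtype mapping rows for the event's object type."""
    obj, acts = event["data_model"]["object"], actions_of(event)
    if obj == "file":
        return [a for a in ("create", "delete", "modify") if a in acts]
    if obj == "flow":  # incoming: not initiated, outgoing: initiated
        return ["outgoing" if event.get("initiated") else "incoming"]
    if obj == "process":
        return [a for a in ("create", "terminate") if a in acts]
    return []


def normalize(event):
    """Map one CAR-style event to the security schema; None when no mapping applies."""
    obj = event["data_model"]["object"]
    if obj not in EVENT_NAMES:
        return None
    if obj == "registry" and "remove" in actions_of(event):  # registry event filter
        return None
    out = {"event": EVENT_NAMES[obj], "timestamp": parse_timestamp(event["@timestamp"])}
    for schema_field, native in GLOBAL_FIELDS.items():
        out[schema_field] = event.get(native)
    out["user_domain"], out["user_name"] = split_user(event.get("user"))
    for schema_field, native in EVENT_FIELDS[obj].items():
        out[schema_field] = event.get(native)
    out["subtypes"] = subtypes_of(event)
    if obj == "registry":
        out["registry_type"] = REGISTRY_TYPES.get(event.get("type"))
        out["hive"] = HIVES.get(event.get("hive"))
    return out


# Constructed sample events (not real telemetry)
SAMPLE_PROCESS = {
    "@timestamp": "2024-01-15T10:30:00.123456Z", "hostname": "ws01", "pid": 4242,
    "exe": "notepad.exe", "image_path": "C:\\Windows\\System32\\notepad.exe",
    "process_guid": "{guid-1}", "user": "CORP\\alice", "command_line": "notepad.exe",
    "parent_exe": "explorer.exe", "parent_image_path": "C:\\Windows\\explorer.exe",
    "ppid": 1000, "parent_process_guid": "{guid-0}",
    "data_model": {"object": "process", "action": "create"},
}
SAMPLE_REGISTRY_REMOVE = {
    "@timestamp": "2024-01-15T10:31:00.000000Z", "hostname": "ws01", "user": "CORP\\alice",
    "hive": "HKEY_LOCAL_MACHINE", "key": "SOFTWARE\\Example", "value": "Run",
    "data": "x", "type": "REG_SZ", "data_model": {"object": "registry", "actions": ["remove"]},
}

if __name__ == "__main__":
    print(normalize(SAMPLE_PROCESS))
    print(normalize(SAMPLE_REGISTRY_REMOVE))  # None: 'remove' actions are filtered out
```

Feeding a registry event whose `actions` contain `remove` returns `None`, mirroring the event filter in the registry section; a process event yields `subtypes == ["create"]` and the user split into `CORP` and `alice`.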