MITRE Cyber Analytics Repository
This is the mapping from MITRE Cyber Analytics Repository native fields to the security schema.
Timestamp

| Setting | Value |
|---|---|
| field | `@timestamp` |
| format | `%Y-%m-%dT%H:%M:%S.%fZ` |
Globally provided mapping

| Schema field | CAR field or expression |
|---|---|
| hostname | `hostname` |
| pid | `pid` |
| process_name | `exe` |
| process_path | `image_path` |
| unique_pid | `process_guid` |
| user | `user` |
| user_domain | `split(user, "\\", 0)` |
| user_name | `split(user, "\\", 1)` |
Event specific mappings

file

`data_model.object = 'file'`

subtype mapping

| Subtype | Condition |
|---|---|
| create | `arrayContains(data_model.actions, "create")` |
| delete | `arrayContains(data_model.actions, "delete")` |
| modify | `arrayContains(data_model.actions, "modify")` |

fields

| Schema field | CAR field |
|---|---|
| file_name | `file_name` |
| file_path | `file_path` |
network

`data_model.object == 'flow'`

subtype mapping

| Subtype | Condition |
|---|---|
| incoming | `not initiated` |
| outgoing | `initiated` |

fields

| Schema field | CAR field |
|---|---|
| destination_address | `dest_ip` |
| destination_port | `dest_port` |
| protocol | `transport` |
| source_address | `src_ip` |
| source_port | `src_port` |
process

`data_model.object = 'process'`

subtype mapping

| Subtype | Condition |
|---|---|
| create | `arrayContains(data_model.action, 'create')` |
| terminate | `arrayContains(data_model.action, 'terminate')` |

fields

| Schema field | CAR field |
|---|---|
| command_line | `command_line` |
| parent_process_name | `parent_exe` |
| parent_process_path | `parent_image_path` |
| ppid | `ppid` |
| unique_ppid | `parent_process_guid` |
registry

`data_model.object == "registry" and not arrayContains(data_model.actions, "remove")`

registry_type mapping

| registry_type | Condition |
|---|---|
| binary | `type == "REG_BINARY"` |
| dword | `type = "REG_DWORD"` |
| expand_string | `type = "REG_EXPAND_SZ"` |
| multi_string | `type = "REG_MULTI_SZ"` |
| qword | `type = "REG_QWORD"` |
| string | `type = "REG_SZ"` |

hive mapping

| hive | Condition |
|---|---|
| hklm | `hive == "HKEY_LOCAL_MACHINE"` |
| hku | `hive == "HKEY_USERS"` |

fields

| Schema field | CAR field |
|---|---|
| registry_data | `data` |
| registry_key | `key` |
| registry_path | `key` |
| registry_value | `value` |
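The tables above describe a declarative mapping; the following Python normalizer is an added example (not code from this page, from MITRE CAR or from any EQL tooling) that applies the whole mapping to CAR-shaped events: the global fields, the `split` of `user` into domain and name, the per-object filters and subtypes, the registry `remove` exclusion, and the registry_type and hive lookups. It assumes each event is a flat dict carrying a nested `data_model` dict; because the page reads `data_model.actions` for file and registry events but `data_model.action` for process events, the `actions()` helper accepts either spelling (an assumption, as are all helper names and the constructed sample events).

```python
"""Added example: normalize MITRE CAR-style events into the security schema.
Event shape (flat dict with a nested "data_model" dict) and helper names are
assumptions; sample events below are constructed, not real telemetry."""
from datetime import datetime

TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Globally provided mapping: schema field -> CAR native field.
GLOBAL_FIELDS = {"hostname": "hostname", "pid": "pid", "process_name": "exe",
                 "process_path": "image_path", "unique_pid": "process_guid", "user": "user"}

# Event-specific field mappings, keyed by data_model.object.
EVENT_FIELDS = {
    "file": {"file_name": "file_name", "file_path": "file_path"},
    "flow": {"destination_address": "dest_ip", "destination_port": "dest_port",
             "protocol": "transport", "source_address": "src_ip", "source_port": "src_port"},
    "process": {"command_line": "command_line", "parent_process_name": "parent_exe",
                "parent_process_path": "parent_image_path", "ppid": "ppid",
                "unique_ppid": "parent_process_guid"},
    "registry": {"registry_data": "data", "registry_key": "key",
                 "registry_path": "key", "registry_value": "value"},
}
OBJECT_TO_EVENT = {"file": "file", "flow": "network", "process": "process", "registry": "registry"}
REGISTRY_TYPES = {"REG_BINARY": "binary", "REG_DWORD": "dword", "REG_EXPAND_SZ": "expand_string",
                  "REG_MULTI_SZ": "multi_string", "REG_QWORD": "qword", "REG_SZ": "string"}
HIVES = {"HKEY_LOCAL_MACHINE": "hklm", "HKEY_USERS": "hku"}


def split_part(value, sep, index):
    """Mirror of split(user, "\\", n): the n-th piece, or None when it does not exist
    (e.g. a bare "SYSTEM" user has a domain part but no name part)."""
    if value is None:
        return None
    parts = value.split(sep)
    return parts[index] if index < len(parts) else None


def actions(event):
    """CAR actions as a list; accepts data_model.actions or data_model.action (assumption)."""
    dm = event.get("data_model", {})
    raw = dm.get("actions", dm.get("action", []))
    return list(raw) if isinstance(raw, (list, tuple, set)) else [raw]


def subtype(event):
    """Subtype mapping per object type; None when no listed action matches."""
    obj = event["data_model"]["object"]
    acts = actions(event)
    if obj == "file":
        return next((a for a in ("create", "delete", "modify") if a in acts), None)
    if obj == "flow":
        return "outgoing" if event.get("initiated") else "incoming"
    if obj == "process":
        return next((a for a in ("create", "terminate") if a in acts), None)
    return None


def normalize(event):
    """Security-schema view of one CAR event, or None if the event filter rejects it
    (unknown object, or a registry event whose actions contain "remove")."""
    obj = event.get("data_model", {}).get("object")
    if obj not in OBJECT_TO_EVENT:
        return None
    if obj == "registry" and "remove" in actions(event):
        return None
    out = {"event_type": OBJECT_TO_EVENT[obj]}
    ts = event.get("@timestamp")
    out["timestamp"] = datetime.strptime(ts, TIMESTAMP_FORMAT) if ts else None
    for dst, src in GLOBAL_FIELDS.items():
        out[dst] = event.get(src)
    out["user_domain"] = split_part(event.get("user"), "\\", 0)
    out["user_name"] = split_part(event.get("user"), "\\", 1)
    for dst, src in EVENT_FIELDS[obj].items():
        out[dst] = event.get(src)
    out["subtype"] = subtype(event)
    if obj == "registry":
        out["registry_type"] = REGISTRY_TYPES.get(event.get("type"))
        out["hive"] = HIVES.get(event.get("hive"))
    return out


def normalize_all(events):
    """Normalize a batch, dropping events the filters reject."""
    return [n for n in (normalize(e) for e in events) if n is not None]


# Constructed sample events covering process, registry (kept and filtered) and flow.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-03-04T05:06:07.123456Z", "hostname": "ws01", "pid": 4242,
     "exe": "notepad.exe", "image_path": "C:\\Windows\\System32\\notepad.exe",
     "process_guid": "{1111-aaaa}", "user": "CORP\\alice",
     "data_model": {"object": "process", "action": "create"},
     "command_line": "notepad.exe notes.txt", "parent_exe": "explorer.exe",
     "parent_image_path": "C:\\Windows\\explorer.exe", "ppid": 1000,
     "parent_process_guid": "{0000-aaaa}"},
    {"@timestamp": "2021-03-04T05:06:08.000000Z", "hostname": "ws01", "user": "SYSTEM",
     "data_model": {"object": "registry", "actions": ["create"]},
     "hive": "HKEY_LOCAL_MACHINE", "key": "SOFTWARE\\Example\\Setting",
     "value": "Enabled", "data": "1", "type": "REG_SZ"},
    {"@timestamp": "2021-03-04T05:06:09.000000Z", "hostname": "ws01", "user": "CORP\\alice",
     "data_model": {"object": "registry", "actions": ["remove"]},
     "hive": "HKEY_USERS", "key": "S-1-5-21\\Software\\Example", "value": "Y",
     "data": "", "type": "REG_DWORD"},
    {"@timestamp": "2021-03-04T05:06:10.500000Z", "hostname": "ws01", "pid": 4242,
     "exe": "notepad.exe", "data_model": {"object": "flow", "actions": ["start"]},
     "initiated": True, "src_ip": "10.0.0.5", "src_port": 50000,
     "dest_ip": "192.0.2.10", "dest_port": 443, "transport": "tcp"},
]

if __name__ == "__main__":
    for row in normalize_all(SAMPLE_EVENTS):
        print(row["event_type"], row["subtype"], row["user_domain"], row["user_name"])
```

Running the block prints one line per surviving event; the registry event whose actions contain "remove" is dropped by the filter, exactly as the registry section specifies, and a user value without a backslash yields a domain but no user name rather than raising.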