---
- name: threat

  fields:

  - name: software.id
    level: extended
    type: keyword
    short: ID of the software
    description: >
      The id of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software id.

    example: "S0226"

  - name: software.name
    level: extended
    type: keyword
    short: Name of the software.
    description: >
      The name of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software name.

    example: "CHOPSTICK"

  - name: software.alias
    level: extended
    type: keyword
    short: Alias of the software.
    description: >
      The alias(es) of the software for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® associated software description.

    example: '[ "X-Agent" ]'
    normalize:
      - array

  - name: software.platforms
    level: extended
    type: keyword
    short: platforms of the software.
    description: >
      The platforms of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software platform.

      Recommended Values:
        * AWS
        * Azure
        * Azure AD
        * GCP
        * Linux
        * macOS
        * Network
        * Office 365
        * SaaS
        * Windows

    example: '[ "Windows" ]'
    normalize:
      - array

  - name: software.reference
    level: extended
    type: url
    short: Software reference URL.
    description: >
      The reference URL of the software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software reference URL.

    example: "https://attack.mitre.org/software/S0023/"

  - name: software.type
    level: extended
    type: keyword
    short: Software type.
    description: >
      The type of software used by this threat to conduct behavior commonly modeled using MITRE ATT&CK®. While not required, you can use a MITRE ATT&CK® software type.

      Recommended values
        * Malware
        * Tool

    example: "Malware"

  - name: group.alias
    level: extended
    type: keyword
    short: Alias of the group.
    description: >
      The alias(es) of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group alias(es).

    example: '[ "Magecart Group 6" ]'
    normalize:
      - array

  - name: group.id
    level: extended
    type: keyword
    short: ID of the group.
    description: >
      The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.

    example: "G0037"

  - name: group.name
    level: extended
    type: keyword
    short: Name of the group.
    description: >
      The name of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group name.

    example: "FIN6"

  - name: group.reference
    level: extended
    type: url
    short: Reference URL of the group.
    description: >
      The reference URL of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group reference URL.

    example: "https://attack.mitre.org/groups/G0037/"