External security products (endpoint protection etc.) often send a threat signature with their alerts ("Trojan.generic.823719237", "CVE-XXX-XXX Joomla SQL Injection"). Where do we put this threat name / signature?
- event.action would be a generic place to store those. However, it feels too generic, as actions for these types of observers are usually things like "quarantine requested", "definitions updated", "running exe in sandbox" and the like. Thus event.action for a detection would be occupied with something like "threat-detected".
- threat.name, threat.signature: best fit in my opinion. However, currently the threat.* fieldset is only used for threat taxonomy in Mitre ATT&CK & co. Its semantics would have to be expanded here.
Am I missing some other place to put this? If not, I'd love to start a feature request to incorporate threat.name or threat.signature into ECS.
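As an added illustration of the placement problem described above (example code, not from the original post and not part of ECS itself): a small Python normalizer that keeps the observer's own action in event.action and writes the detection signature into threat.name, which is assumed here as the proposed field rather than an existing ECS one; it also lifts any CVE id embedded in the signature into vulnerability.id, and it reports the overwrite that would happen if event.action were reused for the signature.

```python
import re
from typing import Any

# Constructed sample alerts from two hypothetical products; the CVE id is a
# placeholder, not a real identifier.
SAMPLE_ALERTS = [
    {"vendor": "ExampleAV", "action": "quarantine requested",
     "signature": "Trojan.generic.823719237"},
    {"vendor": "ExampleWAF", "action": "request blocked",
     "signature": "CVE-0000-00001 Joomla SQL Injection"},
]

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def _base_document(alert: dict[str, str]) -> dict[str, Any]:
    """Fields the observer's own event supplies, independent of the signature.
    event.action keeps what the product did, as the thread argues it should."""
    return {
        "event.kind": "alert",
        "event.action": alert["action"],
        "observer.vendor": alert["vendor"],
    }


def would_collide(alert: dict[str, str], signature_field: str) -> bool:
    """True if writing the signature into signature_field would overwrite a
    value the base document already carries (the event.action problem)."""
    return signature_field in _base_document(alert)


def normalize_alert(alert: dict[str, str],
                    signature_field: str = "threat.name") -> dict[str, Any]:
    """Build a flattened ECS-style document. threat.name is the field the
    thread proposes; it is an assumption here, not an existing ECS field."""
    if would_collide(alert, signature_field):
        raise ValueError(f"{signature_field} already holds the observer action")
    doc = _base_document(alert)
    doc[signature_field] = alert["signature"]
    # CVE references embedded in the signature string go to vulnerability.id,
    # an existing ECS field, so they stay searchable on their own.
    cves = sorted({m.upper() for m in CVE_RE.findall(alert["signature"])})
    if cves:
        doc["vulnerability.id"] = cves[0] if len(cves) == 1 else cves
    return doc


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(normalize_alert(alert))
```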