Update to TLP (#2074)

CHANGELOG.next.md

@@ -44,10 +44,11 @@ Thanks, you're awesome :-) -->
 
 * Adding `vulnerability` option for `event.catgeory`. #2029
 * Added `device.*` field set as beta. #2030
+* Added `tlp.version` to threat #2074
 
 #### Improvements
 
-* Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` to accept new [TLP 2.0](https://www.first.org/tlp/) markings - [#2022](https://github.com/elastic/ecs/issues/2022)
+* Added `CLEAR` and `AMBER+STRICT` as valid values for `threat.indicator.marking.tlp` and `enrichments.indicator.marking.tlp` to accept new [TLP 2.0](https://www.first.org/tlp/) markings #2022, #2074
 
 #### Deprecated
 

docs/fields/field-details.asciidoc

@@ -9512,23 +9512,16 @@ example: `2020-11-05T17:25:47.000Z`
 // ===============================================================
 
 |
-[[field-threat-enrichments-indicator-marking-tlp]]
-<<field-threat-enrichments-indicator-marking-tlp, threat.enrichments.indicator.marking.tlp>>
+[[field-threat-enrichments-indicator-marking-tlp-version]]
+<<field-threat-enrichments-indicator-marking-tlp-version, threat.enrichments.indicator.marking.tlp.version>>
 
-a| Traffic Light Protocol sharing markings.
-
-Expected values for this field:
-
-* `WHITE`
-* `GREEN`
-* `AMBER`
-* `RED`
+a| Traffic Light Protocol version.
 
 type: keyword
 
 
 
-example: `WHITE`
+example: `2.0`
 
 | extended
 
@@ -10493,6 +10486,22 @@ example: `https://attack.mitre.org/techniques/T1059/001/`
 
 // ===============================================================
 
+|
+[[field-threat-threat-indicator-marking-tlp-version]]
+<<field-threat-threat-indicator-marking-tlp-version, threat.threat.indicator.marking.tlp.version>>
+
+a| Traffic Light Protocol version.
+
+type: keyword
+
+
+
+example: `2.0`
+
+| extended
+
+// ===============================================================
+
 |=====
 
 [discrete]

experimental/generated/beats/fields.ecs.yml

@@ -9358,12 +9358,12 @@
         this indicator.
       example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: enrichments.indicator.marking.tlp
+    - name: enrichments.indicator.marking.tlp.version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Traffic Light Protocol sharing markings.
-      example: WHITE
+      description: Traffic Light Protocol version.
+      example: 2.0
       default_field: false
     - name: enrichments.indicator.modified_at
       level: extended
@@ -11339,6 +11339,13 @@
         \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
       example: https://attack.mitre.org/techniques/T1059/001/
       default_field: false
+    - name: threat.indicator.marking.tlp.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Traffic Light Protocol version.
+      example: 2.0
+      default_field: false
   - name: tls
     title: TLS
     group: 2

experimental/generated/csv/fields.csv

@@ -1101,7 +1101,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
-8.7.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking
+8.7.0-dev+exp,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version
 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
 8.7.0-dev+exp,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
@@ -1364,6 +1364,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.7.0-dev+exp,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
 8.7.0-dev+exp,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name.
 8.7.0-dev+exp,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+8.7.0-dev+exp,true,threat,threat.threat.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version
 8.7.0-dev+exp,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
 8.7.0-dev+exp,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
 8.7.0-dev+exp,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.

experimental/generated/ecs/ecs_flat.yml

@@ -13955,21 +13955,16 @@ threat.enrichments.indicator.last_seen:
   normalize: []
   short: Date/time indicator was last reported.
   type: date
-threat.enrichments.indicator.marking.tlp:
-  dashed_name: threat-enrichments-indicator-marking-tlp
-  description: Traffic Light Protocol sharing markings.
-  example: WHITE
-  expected_values:
-  - WHITE
-  - GREEN
-  - AMBER
-  - RED
-  flat_name: threat.enrichments.indicator.marking.tlp
+threat.enrichments.indicator.marking.tlp.version:
+  dashed_name: threat-enrichments-indicator-marking-tlp-version
+  description: Traffic Light Protocol version.
+  example: 2.0
+  flat_name: threat.enrichments.indicator.marking.tlp.version
   ignore_above: 1024
   level: extended
-  name: enrichments.indicator.marking.tlp
+  name: enrichments.indicator.marking.tlp.version
   normalize: []
-  short: Indicator TLP marking
+  short: Indicator TLP version
   type: keyword
 threat.enrichments.indicator.modified_at:
   dashed_name: threat-enrichments-indicator-modified-at
@@ -17293,6 +17288,17 @@ threat.technique.subtechnique.reference:
   - array
   short: Threat subtechnique URL reference.
   type: keyword
+threat.threat.indicator.marking.tlp.version:
+  dashed_name: threat-threat-indicator-marking-tlp-version
+  description: Traffic Light Protocol version.
+  example: 2.0
+  flat_name: threat.threat.indicator.marking.tlp.version
+  ignore_above: 1024
+  level: extended
+  name: threat.indicator.marking.tlp.version
+  normalize: []
+  short: Indicator TLP version
+  type: keyword
 tls.cipher:
   dashed_name: tls-cipher
   description: String indicating the cipher used during the current connection.

experimental/generated/ecs/ecs_nested.yml

@@ -16162,21 +16162,16 @@ threat:
       normalize: []
       short: Date/time indicator was last reported.
       type: date
-    threat.enrichments.indicator.marking.tlp:
-      dashed_name: threat-enrichments-indicator-marking-tlp
-      description: Traffic Light Protocol sharing markings.
-      example: WHITE
-      expected_values:
-      - WHITE
-      - GREEN
-      - AMBER
-      - RED
-      flat_name: threat.enrichments.indicator.marking.tlp
+    threat.enrichments.indicator.marking.tlp.version:
+      dashed_name: threat-enrichments-indicator-marking-tlp-version
+      description: Traffic Light Protocol version.
+      example: 2.0
+      flat_name: threat.enrichments.indicator.marking.tlp.version
       ignore_above: 1024
       level: extended
-      name: enrichments.indicator.marking.tlp
+      name: enrichments.indicator.marking.tlp.version
       normalize: []
-      short: Indicator TLP marking
+      short: Indicator TLP version
       type: keyword
     threat.enrichments.indicator.modified_at:
       dashed_name: threat-enrichments-indicator-modified-at
@@ -19507,6 +19502,17 @@ threat:
       - array
       short: Threat subtechnique URL reference.
       type: keyword
+    threat.threat.indicator.marking.tlp.version:
+      dashed_name: threat-threat-indicator-marking-tlp-version
+      description: Traffic Light Protocol version.
+      example: 2.0
+      flat_name: threat.threat.indicator.marking.tlp.version
+      ignore_above: 1024
+      level: extended
+      name: threat.indicator.marking.tlp.version
+      normalize: []
+      short: Indicator TLP version
+      type: keyword
   group: 2
   name: threat
   nestings:

experimental/generated/elasticsearch/composable/component/threat.json

@@ -531,8 +531,12 @@
                     "marking": {
                       "properties": {
                         "tlp": {
-                          "ignore_above": 1024,
-                          "type": "keyword"
+                          "properties": {
+                            "version": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
                         }
                       }
                     },
@@ -1688,6 +1692,26 @@
                   }
                 }
               }
+            },
+            "threat": {
+              "properties": {
+                "indicator": {
+                  "properties": {
+                    "marking": {
+                      "properties": {
+                        "tlp": {
+                          "properties": {
+                            "version": {
+                              "ignore_above": 1024,
+                              "type": "keyword"
+                            }
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }
             }
           }
         }

experimental/generated/elasticsearch/legacy/template.json

@@ -5175,8 +5175,12 @@
                   "marking": {
                     "properties": {
                       "tlp": {
-                        "ignore_above": 1024,
-                        "type": "keyword"
+                        "properties": {
+                          "version": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
                       }
                     }
                   },
@@ -6332,6 +6336,26 @@
                 }
               }
             }
+          },
+          "threat": {
+            "properties": {
+              "indicator": {
+                "properties": {
+                  "marking": {
+                    "properties": {
+                      "tlp": {
+                        "properties": {
+                          "version": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
           }
         }
       },

generated/beats/fields.ecs.yml

@@ -9308,12 +9308,12 @@
         this indicator.
       example: '2020-11-05T17:25:47.000Z'
       default_field: false
-    - name: enrichments.indicator.marking.tlp
+    - name: enrichments.indicator.marking.tlp.version
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Traffic Light Protocol sharing markings.
-      example: WHITE
+      description: Traffic Light Protocol version.
+      example: 2.0
       default_field: false
     - name: enrichments.indicator.modified_at
       level: extended
@@ -11289,6 +11289,13 @@
         \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
       example: https://attack.mitre.org/techniques/T1059/001/
       default_field: false
+    - name: threat.indicator.marking.tlp.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Traffic Light Protocol version.
+      example: 2.0
+      default_field: false
   - name: tls
     title: TLS
     group: 2

generated/csv/fields.csv

@@ -1094,7 +1094,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.7.0-dev,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
 8.7.0-dev,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address
 8.7.0-dev,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported.
-8.7.0-dev,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,WHITE,Indicator TLP marking
+8.7.0-dev,true,threat,threat.enrichments.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version
 8.7.0-dev,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated.
 8.7.0-dev,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port
 8.7.0-dev,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider
@@ -1357,6 +1357,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
 8.7.0-dev,true,threat,threat.technique.subtechnique.name.text,match_only_text,extended,,PowerShell,Threat subtechnique name.
 8.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
+8.7.0-dev,true,threat,threat.threat.indicator.marking.tlp.version,keyword,extended,,2.0,Indicator TLP version
 8.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
 8.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
 8.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client.

generated/ecs/ecs_flat.yml

@@ -13886,21 +13886,16 @@ threat.enrichments.indicator.last_seen:
   normalize: []
   short: Date/time indicator was last reported.
   type: date
-threat.enrichments.indicator.marking.tlp:
-  dashed_name: threat-enrichments-indicator-marking-tlp
-  description: Traffic Light Protocol sharing markings.
-  example: WHITE
-  expected_values:
-  - WHITE
-  - GREEN
-  - AMBER
-  - RED
-  flat_name: threat.enrichments.indicator.marking.tlp
+threat.enrichments.indicator.marking.tlp.version:
+  dashed_name: threat-enrichments-indicator-marking-tlp-version
+  description: Traffic Light Protocol version.
+  example: 2.0
+  flat_name: threat.enrichments.indicator.marking.tlp.version
   ignore_above: 1024
   level: extended
-  name: enrichments.indicator.marking.tlp
+  name: enrichments.indicator.marking.tlp.version
   normalize: []
-  short: Indicator TLP marking
+  short: Indicator TLP version
   type: keyword
 threat.enrichments.indicator.modified_at:
   dashed_name: threat-enrichments-indicator-modified-at
@@ -17224,6 +17219,17 @@ threat.technique.subtechnique.reference:
   - array
   short: Threat subtechnique URL reference.
   type: keyword
+threat.threat.indicator.marking.tlp.version:
+  dashed_name: threat-threat-indicator-marking-tlp-version
+  description: Traffic Light Protocol version.
+  example: 2.0
+  flat_name: threat.threat.indicator.marking.tlp.version
+  ignore_above: 1024
+  level: extended
+  name: threat.indicator.marking.tlp.version
+  normalize: []
+  short: Indicator TLP version
+  type: keyword
 tls.cipher:
   dashed_name: tls-cipher
   description: String indicating the cipher used during the current connection.