Threat Fields
Overview
The threat fields describe indicators, categories, and contextual attributes associated with potentially malicious or security-relevant activity. These fields represent high-level threat information derived from detection engines, classification systems, behavioral analysis, or security telemetry. The entity provides a normalized structure for modeling threat-related context across diverse platforms and analytic sources.
Design and Usage
The threat entity defines conceptual properties that characterize the nature, severity, or classification of identified threats. It is designed to support consistent representation of threat intelligence, detection outcomes, and analytic findings without relying on vendor-specific terminology. As a top-level entity, threat may be referenced by events that include threat classifications, alerts, or determinations made by security systems.
Common Use Cases
- Associating security events with the threat category or classification relevant to the detected behavior
- Normalizing heterogeneous threat terminology across analytics engines, endpoint tools, and network detection systems
- Supporting investigations, triage workflows, and reporting where threat context is essential for understanding event impact
Implementation Notes
As a top-level entity, threat models the abstract concept of security-relevant classifications and detections. Its fields should remain neutral and consistently defined to align threat context across multiple data sources. If a detection or classification is implied but not explicitly represented in the event data, related fields may be included to clarify event semantics and maintain relational integrity.
| field | field_type | description | example_values |
|---|---|---|---|
| threat_category | keyword | Classification of the threat based on its type, behavior, or functional characteristics. | malware, trojan |
| threat_detected | keyword | Indicates whether a threat was identified during analysis or evaluation. | true, false |
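The normalization described under Implementation Notes, as an added example that is not part of this page or any product's code: vendor-specific detection records (the record shapes, label mapping and verdict strings are constructed for illustration) are mapped onto the two keyword fields above, writing threat_detected as the string "true"/"false" and setting threat_category only when the vendor label maps to a known keyword.

```python
"""Added example (not from the page or any vendor): map vendor-specific
detection records onto the threat entity's two keyword fields."""
from typing import Any, Dict, List

# Constructed lookup from vendor labels (lowercased) to the normalized
# threat_category keywords used by this entity.
CATEGORY_MAP: Dict[str, str] = {
    "trojan.generickd": "trojan",
    "trojan": "trojan",
    "win32/malware": "malware",
    "malware-cnc": "malware",
}
# Constructed vendor verdict strings that count as a positive detection.
MALICIOUS_VERDICTS = {"malicious", "detected", "quarantined"}


def normalize_threat(vendor_event: Dict[str, Any]) -> Dict[str, str]:
    """Return the threat entity fields for one vendor record.

    Both fields are keyword-typed, so threat_detected is the string
    "true"/"false", not a boolean. threat_category is only set when the
    vendor label maps to a known keyword; nothing is guessed. A verdict with
    no usable label still yields threat_detected so the detection is not lost.
    """
    verdict = str(vendor_event.get("verdict", "")).lower()
    label = vendor_event.get("signature") or vendor_event.get("category")
    category = CATEGORY_MAP.get(str(label).lower()) if label else None
    detected = category is not None or verdict in MALICIOUS_VERDICTS
    entity = {"threat_detected": "true" if detected else "false"}
    if category is not None:
        entity["threat_category"] = category
    return entity


# Constructed sample records in three different vendor shapes.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"verdict": "Malicious", "signature": "Trojan.GenericKD"},  # EDR alert
    {"verdict": "Clean"},                                        # AV scan, no finding
    {"category": "malware-cnc"},                                 # IDS rule class, no verdict
    {"verdict": "quarantined", "signature": "Heur.Unknown.1"},   # detection, unmapped label
]


def normalize_all(events: List[Dict[str, Any]] = SAMPLE_EVENTS) -> List[Dict[str, str]]:
    """Normalize a batch of vendor records into threat entities."""
    return [normalize_threat(e) for e in events]


if __name__ == "__main__":
    for raw, norm in zip(SAMPLE_EVENTS, normalize_all()):
        print(raw, "->", norm)
```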
