elastic · r00tu53r · Jan 25, 2022 · Jan 3, 2022 · Jan 4, 2022 · Jan 6, 2022
@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: git@1.12
+    reference: git@8.0
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2447
 - version: "1.1.0"
   changes:
     - description: Adds dashboards, new logo and new threat ECS fields

@@ -2,7 +2,7 @@
     "expected": [
         {
             "ecs": {
-                "version": "1.12.0"
+                "version": "8.0.0"
             },
             "cybersixgill": {
                 "actor": "RedBeardIOCs",

@@ -5,7 +5,7 @@ processors:
       if: ctx.json?.cybersixgill == null
   - set:
       field: ecs.version
-      value: "1.12.0"
+      value: "8.0.0"
   - set:
       field: event.kind
       value: enrichment

@@ -1,11 +1,11 @@
 {
-    "@timestamp": "2021-12-13T09:11:38.695Z",
+    "@timestamp": "2022-01-03T02:14:51.617Z",
     "agent": {
-        "ephemeral_id": "b926046b-e163-47a4-a876-63fa4de055fd",
-        "id": "4f10d4e8-cc5a-44f6-b968-c8c2ae0e5ee5",
+        "ephemeral_id": "2c8413ec-6eec-496b-9449-34f8b1559a78",
+        "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.0.0"
+        "version": "8.0.0-beta1"
     },
     "cybersixgill": {
         "actor": "IfOnlyYouKnew",
@@ -26,18 +26,18 @@
         "type": "logs"
     },
     "ecs": {
-        "version": "1.12.0"
+        "version": "8.0.0"
     },
     "elastic_agent": {
-        "id": "4f10d4e8-cc5a-44f6-b968-c8c2ae0e5ee5",
-        "snapshot": true,
-        "version": "8.0.0"
+        "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+        "snapshot": false,
+        "version": "8.0.0-beta1"
     },
     "event": {
         "agent_id_status": "verified",
         "category": "threat",
         "dataset": "ti_cybersixgill.threat",
-        "ingested": "2021-12-13T09:11:39Z",
+        "ingested": "2022-01-03T02:14:52Z",
         "kind": "enrichment",
         "original": "{\"cybersixgill\":{\"actor\":\"IfOnlyYouKnew\",\"feedname\":\"darkweb_vt_links\",\"mitre\":{\"description\":\"Mitre attack tactics and technique reference\"},\"title\":\"OpenCore [1.0.0] C# Source\",\"valid_from\":\"2021-06-06T06:39:31Z\",\"virustotal\":{\"pr\":\"none\",\"url\":\"https://virustotal.com/#/file/1e8034a0109c9d2be96954fe4c503db6a01be1ffbc80c3dadeb2127fad6036bd\"}},\"event\":{\"severity\":70},\"tags\":[\"malicious-activity\",\"malware\",\"malicious\",\"Test capabilities\",\"Test signature detection for file upload/email filters\"],\"threat\":{\"indicator\":{\"confidence\":80,\"description\":\"Virustotal link that appeared on a dark web site, generally to show malware that is undetected\",\"file\":{\"hash\":{\"md5\":\"6279649f4e3a8e9f907080c154c34605\",\"sha1\":\"bd4e4bd96222c1570a99b8016eb0b59ca5c33100\",\"sha256\":\"1e8034a0109c9d2be96954fe4c503db6a01be1ffbc80c3dadeb2127fad6036bd\"}},\"first_seen\":\"2021-06-07T00:40:52.134Z\",\"last_seen\":\"2021-06-07T00:40:52.134Z\",\"provider\":\"forum_mpgh\",\"reference\":\"https://portal.cybersixgill.com/#/search?q=_id:58f8623e1f18f5c5accf617ad282837dd469bd29\",\"type\":\"file\",\"url\":{\"full\":\"https://rapidgator.net/file/71827fac0618ea3b1192bb51d5cbff45/101.Woodworking.Tips.Complete.Book.A.Collection.Of.Easy.To.Follow.Projects.And.Plans.2021.pdf\"}},\"tactic\":{\"id\":\"TA0025\",\"name\":\"Test capabilities\",\"reference\":\"https://attack.mitre.org/tactics/TA0025/\"}}}",
         "severity": 70,

@@ -71,7 +71,7 @@ All relevant documentation on how to install and configure the Python script is
 | tags | List of keywords used to tag each event. | keyword |
 | threat.feed.dashboard_id | Dashboard ID used for Kibana CTI UI | constant_keyword |
 | threat.feed.name | Display friendly feed name | constant_keyword |
-| threat.indicator.confidence | Identifies the confidence rating assigned by the provider using STIX confidence scales. Recommended values:   \* Not Specified, None, Low, Medium, High   \* 0-10   \* Admirality Scale (1-6)   \* DNI Scale (5-95)   \* WEP Scale (Impossible - Certain) | keyword |
+| threat.indicator.confidence | Identifies the vendor-neutral confidence rating using the None/Low/Medium/High scale defined in Appendix A of the STIX 2.1 framework. Vendor-specific confidence scales may be added as custom fields. Expected values are:   \* Not Specified   \* None   \* Low   \* Medium   \* High | keyword |
 | threat.indicator.description | Describes the type of action conducted by the threat. | keyword |
 | threat.indicator.file.hash.md5 | MD5 hash. | keyword |
 | threat.indicator.file.hash.sha1 | SHA1 hash. | keyword |
@@ -97,13 +97,13 @@ An example event for `threat` looks as following:
 
 ```json
 {
-    "@timestamp": "2021-12-13T09:11:38.695Z",
+    "@timestamp": "2022-01-03T02:14:51.617Z",
     "agent": {
-        "ephemeral_id": "b926046b-e163-47a4-a876-63fa4de055fd",
-        "id": "4f10d4e8-cc5a-44f6-b968-c8c2ae0e5ee5",
+        "ephemeral_id": "2c8413ec-6eec-496b-9449-34f8b1559a78",
+        "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
         "name": "docker-fleet-agent",
         "type": "filebeat",
-        "version": "8.0.0"
+        "version": "8.0.0-beta1"
     },
     "cybersixgill": {
         "actor": "IfOnlyYouKnew",
@@ -124,18 +124,18 @@ An example event for `threat` looks as following:
         "type": "logs"
     },
     "ecs": {
-        "version": "1.12.0"
+        "version": "8.0.0"
     },
     "elastic_agent": {
-        "id": "4f10d4e8-cc5a-44f6-b968-c8c2ae0e5ee5",
-        "snapshot": true,
-        "version": "8.0.0"
+        "id": "b1d83907-ff3e-464a-b79a-cf843f6f0bba",
+        "snapshot": false,
+        "version": "8.0.0-beta1"
     },
     "event": {
         "agent_id_status": "verified",
         "category": "threat",
         "dataset": "ti_cybersixgill.threat",
-        "ingested": "2021-12-13T09:11:39Z",
+        "ingested": "2022-01-03T02:14:52Z",
         "kind": "enrichment",
         "original": "{\"cybersixgill\":{\"actor\":\"IfOnlyYouKnew\",\"feedname\":\"darkweb_vt_links\",\"mitre\":{\"description\":\"Mitre attack tactics and technique reference\"},\"title\":\"OpenCore [1.0.0] C# Source\",\"valid_from\":\"2021-06-06T06:39:31Z\",\"virustotal\":{\"pr\":\"none\",\"url\":\"https://virustotal.com/#/file/1e8034a0109c9d2be96954fe4c503db6a01be1ffbc80c3dadeb2127fad6036bd\"}},\"event\":{\"severity\":70},\"tags\":[\"malicious-activity\",\"malware\",\"malicious\",\"Test capabilities\",\"Test signature detection for file upload/email filters\"],\"threat\":{\"indicator\":{\"confidence\":80,\"description\":\"Virustotal link that appeared on a dark web site, generally to show malware that is undetected\",\"file\":{\"hash\":{\"md5\":\"6279649f4e3a8e9f907080c154c34605\",\"sha1\":\"bd4e4bd96222c1570a99b8016eb0b59ca5c33100\",\"sha256\":\"1e8034a0109c9d2be96954fe4c503db6a01be1ffbc80c3dadeb2127fad6036bd\"}},\"first_seen\":\"2021-06-07T00:40:52.134Z\",\"last_seen\":\"2021-06-07T00:40:52.134Z\",\"provider\":\"forum_mpgh\",\"reference\":\"https://portal.cybersixgill.com/#/search?q=_id:58f8623e1f18f5c5accf617ad282837dd469bd29\",\"type\":\"file\",\"url\":{\"full\":\"https://rapidgator.net/file/71827fac0618ea3b1192bb51d5cbff45/101.Woodworking.Tips.Complete.Book.A.Collection.Of.Easy.To.Follow.Projects.And.Plans.2021.pdf\"}},\"tactic\":{\"id\":\"TA0025\",\"name\":\"Test capabilities\",\"reference\":\"https://attack.mitre.org/tactics/TA0025/\"}}}",
         "severity": 70,

@@ -1,6 +1,6 @@
 name: ti_cybersixgill
 title: Cybersixgill
-version: 1.1.0
+version: 1.2.0
 release: ga
 description: This Elastic integration collects threat intelligence from Cybersixgill
 type: integration