Labels: level/task (Task issue), type/change (Change performed in a resource or Wazuh Cloud environment)
Description
We are defining a new set of fields for IoC content (index `.cti-iocs`) so that its structure is closer to the other content types and easier to understand.
This content will be published in a Wazuh CTI consumer, to which the Wazuh Indexer must connect to download IoC content. Starting from a ZIP snapshot, and then through periodic updates (JSON patch operations), the Indexer must download, store and keep the IoC content up to date.
Examples
This content is wrapped under the payload object in CTI.
domain-name
```json
{
  "document": {
    "id": "1593453",
    "name": "av.r1a4.ru",
    "software.type": "payload_delivery",
    "type": "domain-name",
    "software.name": "js.clearfake",
    "software.alias": ["ClearFake"],
    "confidence": 100,
    "first_seen": "2025-09-17 17:06:15 UTC",
    "last_seen": "2025-09-17 17:06:44 UTC",
    "reference": null,
    "feed.name": "threatcat_ch",
    "tags": ["ClearFake"],
    "provider": "threat-fox"
  },
  "type": "ioc"
}
```
ip:port
```json
{
  "document": {
    "id": "1593452",
    "name": "89.213.174.225:3778",
    "software.type": "botnet_cc",
    "type": "ip:port",
    "software.name": "elf.mirai",
    "software.alias": ["ClearFake", "Katana"],
    "confidence": 100,
    "first_seen": "2025-09-17 16:40:05 UTC",
    "last_seen": null,
    "reference": null,
    "feed.name": "elfdigest",
    "tags": ["Mirai"],
    "provider": "threat-fox"
  },
  "type": "ioc"
}
```
Related ECS fields
- threat.indicator
- threat.feed
- threat.software
- tags
Note
We are not using the threat parent.
Functional requirements
- The index mappings for the `.cti-iocs` index must be set to strict.
Implementation restrictions
- Re-use the existing functionality to consume data from a CTI consumer.
Plan
- Redefine the IOC module for the WCS.
- Add the new mappings to the Content Manager plugin, so it can create the index when needed.
- Download and index IOC content into the `.cti-iocs` index.
Status: Blocked