threatintel fields

The date and time when intelligence source first reported sighting this indicator.

type: date

The date and time when intelligence source last reported sighting this indicator.

type: date

Number of times this indicator was observed conducting threat activity.

type: long

Type of indicator as represented by Cyber Observable in STIX 2.0. Expected values * autonomous-system * artifact * directory * domain-name * email-addr * file * ipv4-addr * ipv6-addr * mac-addr * mutex * process * software * url * user-account * windows-registry-key * x-509-certificate

type: keyword

Describes the type of action conducted by the threat.

type: keyword

Count of AV/EDR vendors that successfully detected malicious file or URL.

type: long

Identifies the name of the intelligence provider.

type: keyword

Identifies the confidence rating assigned by the provider using STIX confidence scales. Expected values * Not Specified, None, Low, Medium, High * 0-10 * Admirality Scale (1-6) * DNI Scale (5-95) * WEP Scale (Impossible - Certain)

type: keyword

Identifies the name of specific module this data is coming from.

type: keyword

Identifies the name of specific dataset from the intelligence source.

type: keyword

Reference URL linking to additional information about this indicator.

type: keyword

Identifies a threat indicator as an IP address (irrespective of direction).

type: ip

Identifies a threat indicator as a port number (irrespective of direction).

type: long

Identifies a threat indicator as an email address (irrespective of direction).

type: keyword

Traffic Light Protocol sharing markings. Expected values are: * White * Green * Amber * Red

type: keyword

Identifies the atomic indicator that matched a local environment endpoint or network event.

type: keyword

Identifies the field of the atomic indicator that matched a local environment endpoint or network event.

type: keyword

Identifies the type of the atomic indicator that matched a local environment endpoint or network event.

type: keyword

Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.

type: long

example: 15169

Organization name.

type: keyword

example: Google LLC

type: text

Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g "1").

type: keyword

example: ["C:\rta\red_ttp\bin\myapp.exe"]

Full path, including hive, key and value

type: keyword

example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger

Name of the value written.

type: keyword

example: Debugger

Registry key value

type: keyword

City name.

type: keyword

example: Montreal

Name of the continent.

type: keyword

example: North America

Country ISO code.

type: keyword

example: CA

Country name.

type: keyword

example: Canada

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

Region ISO code.

type: keyword

example: CA-QC

Region name.

type: keyword

example: Quebec

A hash of the imports in a PE file. An imphash — or import hash — can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.

type: keyword

example: 0c6803c4e922103c4dca5963aad36ddf

The file’s import tlsh, if available.

type: keyword

The file’s ssdeep hash, if available.

type: keyword

The file’s md5 hash, if available.

type: keyword

The file’s sha1 hash, if available.

type: keyword

The file’s sha256 hash, if available.

type: keyword

The file’s sha384 hash, if available.

type: keyword

The file’s sha512 hash, if available.

type: keyword

The file type.

type: keyword

The file’s total size.

type: long

The file’s name.

type: keyword

The file’s extension.

type: keyword

The file’s MIME type.

type: keyword

Domain of the url, such as "www.elastic.co".

type: keyword

The field contains the file extension from the original request

type: keyword

Portion of the url after the #, such as "top".

type: keyword

If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

type: keyword

Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.

type: keyword

Password of the request.

type: keyword

Path of the request, such as "/search".

type: keyword

Port of the request, such as 443.

type: long

format: string

The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

type: keyword

The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".

type: keyword

Scheme of the request, such as "https".

type: keyword

The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period.

type: keyword

The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk".

type: keyword

Username of the request.

type: keyword

Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.

type: keyword

example: 55FBB9C7DEBF09809D12CCAA

Name of issuing certificate authority. Could be either Distinguished Name (DN) or Common Name (CN), depending on source.

type: keyword

example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA

Name of the certificate subject entity. Could be either Distinguished Name (DN) or Common Name (CN), depending on source.

type: keyword

example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net

List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses.

type: keyword

example: *.elastic.co

Malware family of sample (if available).

type: keyword

File type guessed by URLhaus.

type: keyword

Malware familiy.

type: keyword

Location (URL) where you can download a copy of this file.

type: keyword

AV detection ration.

type: keyword

AV detection in percent.

type: float

Link to the Virustotal report.

type: keyword

The ID of the url.

type: keyword

Link to URLhaus entry.

type: keyword

The current status of the URL. Possible values are: online, offline and unknown.

type: keyword

The threat corresponding to this malware URL.

type: keyword

SURBL blacklist status. Possible values are: listed and not_listed

type: keyword

Spamhaus DBL blacklist status.

type: keyword

The Twitter handle of the reporter that has reported this malware URL (or anonymous).

type: keyword

Indicates whether the malware URL has been reported to the hosting provider (true or false)

type: boolean

A list of tags associated with the queried malware URL

type: keyword

The ID of the indicator.

type: keyword

The name of the indicator.

type: keyword

The pattern ID of the indicator.

type: keyword

When the indicator was first found or is considered valid.

type: date

When the indicator was last modified

type: date

The labels related to the indicator

type: keyword

The value of the indicator, for example if the type is domain, this would be the value.

type: keyword

A description of the indicator.

type: keyword

Title describing the indicator.

type: keyword

Extra text or descriptive content related to the indicator.

type: keyword

The indicator type, can for example be "domain, email, FileHash-SHA256".

type: keyword

The STIX reference object.

type: keyword

Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public.

type: keyword

example: private

The measure of the accuracy (from 0 to 100) assigned by ThreatStream’s predictive analytics technology to indicators.

type: short

Detail text for indicator.

type: text

example: Imported by user 42.

The ID of the indicator.

type: keyword

ID of the import session that created the indicator on ThreatStream.

type: keyword

Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url".

type: keyword

Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.

type: wildcard

Hash for the indicator.

type: keyword

Relative URI for the indicator details.

type: keyword

Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high.

type: keyword

Source for the indicator.

type: keyword

example: Analyst

ID for the integrator source.

type: keyword

State for this indicator.

type: keyword

example: active

ID of the trusted circle that imported the indicator.

type: keyword

Update ID.

type: keyword

URL for the indicator.

type: keyword

Data type of the indicator. Possible values: ip, domain, url, email, md5.

type: keyword

File type guessed by Malware Bazaar.

type: keyword

Malware familiy.

type: keyword

A list of tags associated with the queried malware sample.

type: keyword

Number of downloads from MalwareBazaar.

type: long

Number of uploads from MalwareBazaar.

type: long

Malware seen in generic spam traffic.

type: keyword

Malware seen in IT spam traffic.

type: keyword

Identifies if the sample was submitted anonymously.

type: long

Code signing information for the sample.

type: keyword

Attribute ID.

type: keyword

Organization Community ID of the event.

type: keyword

Organization ID of the event.

type: keyword

Threat level from 5 to 1, where 1 is the most critical.

type: long

Additional text or information related to the event.

type: keyword

When the event was published.

type: boolean

The UUID of the event object.

type: keyword

The date of when the event object was created.

type: date

How many attributes are included in a single event object.

type: long

The timestamp of when the event object was created.

type: date

Distribution type related to MISP.

type: keyword

Settings configured on MISP for email lock on this event object.

type: boolean

If the current MISP event object is locked or not.

type: boolean

At what time the event object was published

type: date

The ID of the grouped events or sources of the event.

type: keyword

If correlation is disabled on the MISP event object.

type: boolean

The UUID of the event object it might extend.

type: keyword

The organization ID related to the event object.

type: keyword

The organization name related to the event object.

type: keyword

The UUID of the organization related to the event object.

type: keyword

If the event object is local or from a remote source.

type: boolean

The Organization Community ID in which the event object was reported from.

type: keyword

The Organization Community name in which the event object was reported from.

type: keyword

The Organization Community UUID in which the event object was reported from.

type: keyword

If the Organization Community was local or synced from a remote source.

type: boolean

The ID of the attribute related to the event object.

type: keyword

The type of the attribute related to the event object. For example email, ipv4, sha1 and such.

type: keyword

The category of the attribute related to the event object. For example "Network Activity".

type: keyword

If the attribute should be automatically synced with an IDS.

type: boolean

The UUID of the attribute related to the event.

type: keyword

The local event ID of the attribute related to the event.

type: keyword

How the attribute has been distributed, represented by integer numbers.

type: long

The timestamp in which the attribute was attached to the event object.

type: date

Comments made to the attribute itself.

type: keyword

The group ID of the sharing group related to the specific attribute.

type: keyword

If the attribute has been removed from the event object.

type: boolean

If correlation has been enabled on the attribute related to the event object.

type: boolean

The ID of the Object in which the attribute is attached.

type: keyword

The type of relation the attribute has with the event object itself.

type: keyword

The value of the attribute, depending on the type like "url, sha1, email-src".

type: keyword

The ID of the secondary attribute related to the event object.

type: keyword

The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.

type: keyword

The category of the secondary attribute related to the event object. For example "Network Activity".

type: keyword

If the secondary attribute should be automatically synced with an IDS.

type: boolean

The UUID of the secondary attribute related to the event.

type: keyword

The local event ID of the secondary attribute related to the event.

type: keyword

How the secondary attribute has been distributed, represented by integer numbers.

type: long

The timestamp in which the secondary attribute was attached to the event object.

type: date

Comments made to the secondary attribute itself.

type: keyword

The group ID of the sharing group related to the specific secondary attribute.

type: keyword

If the secondary attribute has been removed from the event object.

type: boolean

If correlation has been enabled on the secondary attribute related to the event object.

type: boolean

The ID of the Object in which the secondary attribute is attached.

type: keyword

The type of relation the secondary attribute has with the event object itself.

type: keyword

The value of the attribute, depending on the type like "url, sha1, email-src".

type: keyword

The ID of the indicator.

type: keyword

The value of the indicator, for example if the type is domain, this would be the value.

type: keyword

A description of the indicator.

type: keyword

Title describing the indicator.

type: keyword

Extra text or descriptive content related to the indicator.

type: keyword

The indicator type, can for example be "domain, email, FileHash-SHA256".

type: keyword

Entity ID.

type: keyword

example: ip:192.0.2.13

Entity name. Value for the entity.

type: keyword

example: 192.0.2.13

Entity type.

type: keyword

example: IpAddress

Link to the Recorded Future Intelligence Card for to this indicator.

type: keyword

Range of IPs for this indicator.

type: ip_range

example: 192.0.2.0/16

Risk criticality (0-4).

type: byte

Risk criticality label. One of None, Unusual, Suspicious, Malicious, Very Malicious.

type: keyword

Risk’s evidence details.

type: flattened

Risk score (0-99).

type: short

Number of Risk Rules observed as a factor of total number of rules.

type: keyword

example: 1/54

Risk summary.

type: keyword

example: 1 of 54 Risk Rules currently observed.

type: text

Number of rules observed.

type: long