Indicator
Indicators represent the result of the data mining. This includes both blacklisted elements, like a blacklisted IP, as well as whitelisted elements.
The indicator is close related to the IndicatorType
IndicatorType
IndicatorType represents the type of data returned by the API. Valid IndicatorTypes are:
| IndicatorType | Description |
|---|---|
| api_key | a valid api-key |
| as_number | a valid as_number |
| cmd_line | a command line |
| domain | a valid domain ex: example.com |
| email_address | a valid email address |
| file_created | a file created |
| file_deleted | a file deteld: 'C:\Temp\bot.exe' |
| file_moved | a file has been moved |
| file_name | a file name |
| file_opened | a file has been opened |
| file_read | |
| file_written | |
| hash_imphash | the PE import hash of a Portable Executable file |
| hash_md5 | |
| hash_sha1 | |
| hash_sha256 | |
| http_request | a raw request like GET /index.html HTML 1.1 |
| ipv4_address | an ip address, version agnostic |
| ipv4_subnet | a cidr, version agnostic, 128.0.0.0/24 or fe80::202:c9ff:fe54:5952/64 |
| isp | a name of an isp |
| location | a name of a location. not a country |
| latitude | float 33.2 |
| longitudine | float 34.5 |
| uri | http://www.domain.com/page or /index.html |
Status
Status lists the status for which an indicator can be in.
| Status | Description |
|---|---|
| malicious | The indicator is a known malicious identifier |
| suspicious | Indicator can be malicious, depending on the context in which it is found |
| unknown | The indicator status is unknwon |
| non_malicious | The indicator is not malicious
PrivacyType
Defines who might view the data
| PrivacyType | Description |
|---|---|
| all | the data is visible by all participants to the system |
| group | the data is visible to a specific group. The group must be specified in the PrivacyMembers field |