Indicator
Indicators represent the results of the data mining. This includes both blacklisted elements, like a blacklisted IP, as well as whitelisted elements.
An indicator is closely related to its IndicatorType.
IndicatorType
IndicatorType represents the type of data returned by the API. Valid IndicatorTypes are:
IndicatorType | Description |
---|---|
api_key | a valid api-key |
as_number | a valid as_number |
cmd_line | a command line |
domain | a valid domain ex: example.com |
email_address | a valid email address |
file_created | a file created |
file_deleted | a file has been deleted, ex: 'C:\Temp\bot.exe' |
file_moved | a file has been moved |
file_name | a file name |
file_opened | a file has been opened |
file_read | a file has been read |
file_written | a file has been written |
hash_imphash | the PE import hash of a Portable Executable file |
hash_md5 | an MD5 hash |
hash_sha1 | a SHA-1 hash |
hash_sha256 | a SHA-256 hash |
http_request | a raw request like GET /index.html HTTP/1.1 |
ipv4_address | an ip address, version agnostic |
ipv4_subnet | a cidr, version agnostic, 128.0.0.0/24 or fe80::202:c9ff:fe54:5952/64 |
isp | a name of an isp |
location | a name of a location, not a country |
latitude | float 33.2 |
longitudine | float 34.5 |
uri | http://www.domain.com/page or /index.html |
Status
Status lists the states an indicator can be in.
Status | Description |
---|---|
malicious | The indicator is a known malicious identifier |
suspicious | Indicator can be malicious, depending on the context in which it is found |
unknown | The indicator status is unknown |
non_malicious | The indicator is not malicious |
PrivacyType
Defines who may view the data.
PrivacyType | Description |
---|---|
all | the data is visible to all participants in the system |
group | the data is visible to a specific group. The group must be specified in the PrivacyMembers field |
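The IndicatorType, Status and PrivacyType tables above describe constraints that any consumer of this data should enforce before storing or sharing an indicator: a value must be well-formed for its declared type, and a `group` indicator must carry its PrivacyMembers. The following Python is an added example, not the API's own code. It validates an indicator's value against its type (using the version-agnostic address and CIDR parsing the table calls for) and filters a constructed list of indicators down to those a viewer's groups are allowed to see. The field names `privacy_members` and `viewer_groups`, the helper names and the sample records are assumptions made for this example.

```python
"""Validate and filter threat-intelligence indicators (added example, not the API's code)."""
import ipaddress
import string
from dataclasses import dataclass
from enum import Enum
import re


class Status(Enum):
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"
    UNKNOWN = "unknown"
    NON_MALICIOUS = "non_malicious"


class PrivacyType(Enum):
    ALL = "all"
    GROUP = "group"


# Expected hex length per hash type (imphash is an MD5, hence 32).
_HEX_LEN = {"hash_md5": 32, "hash_imphash": 32, "hash_sha1": 40, "hash_sha256": 64}
# Syntactic checks for the textual types; these patterns are this example's, not the page's.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_HTTP_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d(\.\d)?$")


def validate_value(indicator_type: str, value: str) -> bool:
    """Return True if `value` is well-formed for the given IndicatorType."""
    if indicator_type in _HEX_LEN:
        return len(value) == _HEX_LEN[indicator_type] and all(c in string.hexdigits for c in value)
    if indicator_type == "ipv4_address":
        try:
            ipaddress.ip_address(value)  # version agnostic, as the table states
            return True
        except ValueError:
            return False
    if indicator_type == "ipv4_subnet":
        try:
            ipaddress.ip_network(value, strict=False)  # accepts 128.0.0.0/24 or fe80::.../64
            return True
        except ValueError:
            return False
    if indicator_type == "domain":
        return _DOMAIN_RE.match(value) is not None
    if indicator_type == "email_address":
        return _EMAIL_RE.match(value) is not None
    if indicator_type == "http_request":
        return _HTTP_RE.match(value) is not None
    if indicator_type == "as_number":
        return value.upper().removeprefix("AS").isdigit()
    if indicator_type in ("latitude", "longitudine"):
        try:
            f = float(value)
        except ValueError:
            return False
        return -(90.0 if indicator_type == "latitude" else 180.0) <= f <= (90.0 if indicator_type == "latitude" else 180.0)
    if indicator_type == "uri":
        return value.startswith("/") or "://" in value
    # cmd_line, file_*, isp, location and api_key are free text: only reject empty values.
    return bool(value.strip())


@dataclass
class Indicator:
    indicator_type: str
    value: str
    status: Status
    privacy_type: PrivacyType = PrivacyType.ALL
    privacy_members: frozenset = frozenset()  # assumed name for the PrivacyMembers field

    def is_valid(self) -> bool:
        """A group-scoped indicator must name its group; the value must fit its type."""
        if self.privacy_type is PrivacyType.GROUP and not self.privacy_members:
            return False
        return validate_value(self.indicator_type, self.value)

    def visible_to(self, viewer_groups) -> bool:
        if self.privacy_type is PrivacyType.ALL:
            return True
        return bool(self.privacy_members & set(viewer_groups))


def visible_indicators(indicators, viewer_groups):
    """Drop malformed records, then keep only what the viewer's groups may see."""
    return [i for i in indicators if i.is_valid() and i.visible_to(viewer_groups)]


# Constructed sample feed (RFC 5737 documentation address; no real indicators).
SAMPLE_INDICATORS = [
    Indicator("ipv4_address", "198.51.100.7", Status.MALICIOUS),
    Indicator("domain", "example.com", Status.NON_MALICIOUS),
    Indicator("hash_sha256", "not-a-hash", Status.SUSPICIOUS),  # malformed, rejected
    Indicator("file_deleted", r"C:\Temp\bot.exe", Status.MALICIOUS,
              PrivacyType.GROUP, frozenset({"blue-team"})),
    Indicator("api_key", "CONSTRUCTED-KEY-0000", Status.UNKNOWN, PrivacyType.GROUP),  # no group, rejected
]

if __name__ == "__main__":
    for ind in visible_indicators(SAMPLE_INDICATORS, {"blue-team"}):
        print(ind.indicator_type, ind.value, ind.status.value, ind.privacy_type.value)
```

Rejecting a record whose value does not match its type is the cheap defence against a poisoned or mistyped feed entry being stored and later matched against logs; the `group` check enforces the table's rule that PrivacyMembers is mandatory for group-scoped data rather than silently treating an unscoped record as public.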