# Data Sets - Common Fields

| Field              | Description                                                                           | Data\_Sets                                                                                                                               |
| ------------------ | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| area\_code         | area code geolocated from indicator                                                   | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                           |
| attribution        | provides malware attribution or actor attribution for sinkhole                        | sinkhole\_traffic, threat\_recon                                                                                                         |
| city               | city name geolocated from indicator                                                   | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                           |
| country            | two-character country code geolocated from indicator                                  | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                           |
| domain\_cat        | general site categorization of indicator                                              | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic                                                                          |
| etl\_date          | date data was exported, transformed or loaded (ETL)                                   | darkweb, keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                  |
| first\_seen        | when keylogger output first observed                                                  | darkweb, keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                  |
| indicator          | indicator extracted from keylogger output                                             | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                           |
| indicator\_context | context in which keylogger indicator observed; keylogged email, portal etc.           | keylogger\_data, malicious\_emails, sinkhole\_traffic, threat\_recon                                                                     |
| indicator\_type    | indicator type                                                                        | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                           |
| last\_seen         | when keylogger output last observed                                                   | darkweb, keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                  |
| location           | latitude/longitude coordinates                                                        | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                           |
| postal\_code       | postal code geolocated from indicator                                                 | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                           |
| raw\_data\_file    | normalized name of keylogger output file; consists of MD5 hash + \_content.txt or .eml | keylogger\_data, pastebin, malicious\_emails, malicious\_emails\_context, malicious\_email\_detections, sinkhole\_traffic, threat\_recon |
| reference          | URL for paste: may not resolve if paste taken down                                    | darkweb, pastebin, malicious\_emails, malicious\_emails\_context, malicious\_email\_detections, sinkhole\_traffic, threat\_recon         |
| region             | region name geolocated from indicator                                                 | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic, threat\_recon                                                           |
| url\_cat           | specific site categorization of indicator                                             | keylogger\_data, pastebin, malicious\_emails, sinkhole\_traffic                                                                          |
