Data Sets - Unique Fields
Data_Set | Field | Description |
--- | --- | --- |
botnet_tracker | c2 | Command & Control for botnet |
breach_data | breach_date | timestamp of breach data file, or date of breach discovery |
breach_data | breach_line_data | raw data string from breach data file, typically in a [user:password] format |
breach_data | breach_name | common name for the breach, or name of the file containing breach data |
darkweb | site_name | name of website |
darkweb | site_type | dark website category |
darkweb | site_url | link to url (.onion) where indicator was identified |
darkweb_forum | post_author | name of user posting forum content |
darkweb_forum | post_category | category assigned by forum or post author |
darkweb_forum | post_content | content of the forum post |
darkweb_forum | post_reply_author | name of user replying to original post content |
darkweb_forum | post_reply_content | content of reply post |
darkweb_forum | post_reply_timestamp | timestamp of reply post |
darkweb_forum | post_timestamp | timestamp of original post |
darkweb_forum | post_title | title of the forum post |
darkweb_marketplace | item_category | category assigned by marketplace or vendor |
darkweb_marketplace | item_description | description of item being sold |
darkweb_marketplace | item_price | price of item being sold (as listed) |
darkweb_marketplace | item_title | name of the item being sold |
darkweb_marketplace | item_vendor | vendor selling the item |
darkweb_ransomware | victim_address | address of ransomware victim |
darkweb_ransomware | victim_description | description of leaked information |
darkweb_ransomware | victim_domain | domain (website) of ransomware victim |
darkweb_ransomware | victim_email | email address listed as contact for victim company |
darkweb_ransomware | victim_files | names of files leaked |
darkweb_ransomware | victim_name | name of ransomware victim |
darkweb_ransomware | victim_phone | phone number listed as contact for victim company |
darkweb_ransomware | victim_published_data_size | volume of data being leaked |
keylogger_data | attacker_server | name of keylogger endpoint from which output was observed |
keylogger_data | password_redact | populated with '' if password was captured by keylogger |
keylogger_data | username | observed username captured by keylogger (if applicable) |
keylogger_data | victim_src_ip | IP address observed sending keylogger outputs. While named victim_src_ip, this IP may not always represent a victim, for example if non-keylogger data was observed sending information to the endpoint |
keylogger_data | victim_whois | Whois of victim_src_ip |
keylogger_data | description | name of keylogger output file; this can define the type of keylogger variant, such as Predator or Hawkeye |
malicious_email_detections | detection_shortname | normalized antivirus name |
malicious_email_detections | detection_name | antivirus detection name |
malicious_email_detections | vendor | antivirus vendor |
malicious_emails | detection | number of positive antivirus detections |
malicious_emails | email_type | type of email: either MSG or EML |
malicious_emails_context | detections | complete list of antivirus detection names |
malicious_emails_context | recipients | email account(s) receiving malicious email |
malicious_emails_context | sender | email account sending email |
malicious_emails_context | subject_line | observed subject line |
malicious_emails_context | targets | organization receiving malicious email |
open_cloud_buckets | bucket | AWS or Azure server where data is hosted |
open_cloud_buckets | id | AWS or Azure server ID number |
open_cloud_buckets | type | AWS or Azure |
open_cloud_bucket_files | filename | name of the file hosted on AWS or Azure server |
open_cloud_bucket_files | full_path | path of file being hosted on AWS or Azure server |
open_cloud_bucket_files | size | size of file (bytes) |
open_cloud_bucket_files | type | AWS or Azure |
sinkhole_traffic | count_rec | observation count for given IP (indicator) |
sinkhole_traffic | cs_asn | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | cs_bytes | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | cs_cookie | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | cs_host | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | cs_referrer | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | cs_ua | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | cs_username | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | cs_version | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | sc_bytes | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | sc_status | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | sc_substatus | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | sc_win32_status | refer to W3C logging specifications - https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx |
sinkhole_traffic | tag | defines whether sinkhole is APT or crimeware/botnet |
source_code_secrets | git_account | user associated with the code repository |
source_code_secrets | git_host | service hosting the code repository |
source_code_secrets | matches | indicator from the code repository which matches a signature |
source_code_secrets | matching_file | file name of the code repository file containing the match (indicator) |
source_code_secrets | repository_name | title of code repository |
source_code_secrets | signature_name | description of the signature which triggered the match (indicator) |
threat_recon | comment | free-form field for analyst comments |
threat_recon | process_type | defines whether an indicator was manually added (Direct) or programmatically derived (Derived_*) |
threat_recon | rdata | DNS rdata record (if applicable) |
threat_recon | root_node | origin of derived indicator: only applicable for Derived_ process types |
threat_recon | rrname | DNS rrname record (if applicable) |
threat_recon | source | either Wapack_Propriety or Wapack_OSINT |
threat_recon | tag | used for identifying other characteristics of an indicator, such as dynamic domain or cif indicator |