Data Sets - Unique Fields

| Data_Set | Field | Description |
|---|---|---|
| botnet_tracker | c2 | Command & Control for botnet |
| breach_data | breach_date | timestamp of breach data file, or date of breach discovery |
| breach_data | breach_line_data | raw data string from breach data file, typically in a [user:password] format |
| breach_data | breach_name | common name for the breach, or name of the file containing breach data |
| darkweb | site_name | name of website |
| darkweb | site_type | dark website category |
| darkweb | site_url | link to url (.onion) where indicator was identified |
| darkweb_forum | post_author | name of user posting forum content |
| darkweb_forum | post_category | category assigned by forum or post author |
| darkweb_forum | post_content | content of the forum post |
| darkweb_forum | post_reply_author | name of user replying to original post content |
| darkweb_forum | post_reply_content | content of reply post |
| darkweb_forum | post_reply_timestamp | timestamp of reply post |
| darkweb_forum | post_timestamp | timestamp of original post |
| darkweb_forum | post_title | title of the forum post |
| darkweb_marketplace | item_category | category assigned by marketplace or vendor |
| darkweb_marketplace | item_description | description of item being sold |
| darkweb_marketplace | item_price | price of item being sold (as listed) |
| darkweb_marketplace | item_title | name of the item being sold |
| darkweb_marketplace | item_vendor | vendor selling the item |
| darkweb_ransomware | victim_address | address of ransomware victim |
| darkweb_ransomware | victim_description | description of leaked information |
| darkweb_ransomware | victim_domain | domain (website) of ransomware victim |
| darkweb_ransomware | victim_email | email address listed as contact for victim company |
| darkweb_ransomware | victim_files | name of files leaked |
| darkweb_ransomware | victim_name | name of ransomware victim |
| darkweb_ransomware | victim_phone | phone number listed as contact for victim company |
| darkweb_ransomware | victim_published_data_size | volume of data being leaked |
| keylogger_data | attacker_server | name of keylogger endpoint from which output was observed |
| keylogger_data | password_redact | populated with '' if password was captured by keylogger |
| keylogger_data | username | observed username captured by keylogger (if applicable) |
| keylogger_data | victim_src_ip | IP address observed sending keylogger outputs. While named victim_src_ip, this IP may not always represent a victim, for example if non-keylogger data was observed sending information to the endpoint |
| keylogger_data | victim_whois | Whois of victim_src_ip |
| keylogger_data | description | name of keylogger output file; this can define the type of keylogger variant, such as Predator or Hawkeye |
| malicious_email_detections | detection_shortname | normalized antivirus name |
| malicious_email_detections | detection_name | antivirus detection name |
| malicious_email_detections | vendor | antivirus vendor |
| malicious_emails | detection | number of positive antivirus detections |
| malicious_emails | email_type | type of email: either MSG or EML |
| malicious_emails_context | detections | complete list of antivirus detection names |
| malicious_emails_context | recipients | email account(s) receiving malicious email |
| malicious_emails_context | sender | email account sending email |
| malicious_emails_context | subject_line | observed subject line |
| malicious_emails_context | targets | organization receiving malicious email |
| open_cloud_buckets | bucket | AWS or Azure server where data is hosted |
| open_cloud_buckets | id | AWS or Azure server ID number |
| open_cloud_buckets | type | AWS or Azure |
| open_cloud_bucket_files | filename | name of the file hosted on AWS or Azure server |
| open_cloud_bucket_files | full_path | path of file being hosted on AWS or Azure server |
| open_cloud_bucket_files | size | size of file (bytes) |
| open_cloud_bucket_files | type | AWS or Azure |
| sinkhole_traffic | count_rec | observation count for given IP (indicator) |
| sinkhole_traffic | cs_asn | |
| sinkhole_traffic | cs_bytes | |
| sinkhole_traffic | cs_cookie | |
| sinkhole_traffic | cs_host | |
| sinkhole_traffic | cs_referrer | |
| sinkhole_traffic | cs_ua | |
| sinkhole_traffic | cs_username | |
| sinkhole_traffic | cs_version | |
| sinkhole_traffic | sc_bytes | |
| sinkhole_traffic | sc_status | |
| sinkhole_traffic | sc_substatus | |
| sinkhole_traffic | sc_win32_status | |
| sinkhole_traffic | tag | defines whether sinkhole is APT or crimeware/botnet |
| source_code_secrets | git_account | user associated with the code repository |
| source_code_secrets | git_host | service hosting the code repository |
| source_code_secrets | matches | indicator from the code repository which matches a signature |
| source_code_secrets | matching_file | file name of the code repository file containing match (indicator) |
| source_code_secrets | repository_name | title of code repository |
| source_code_secrets | signature_name | description of the signature which triggered the match (indicator) |
| threat_recon | comment | free form field for analyst comments |
| threat_recon | process_type | defines whether an indicator was manually added (Direct) or programmatically derived (Derived_*) |
| threat_recon | rdata | DNS rdata record (if applicable) |
| threat_recon | root_node | origin of derived indicator: only applicable for Derived_ process types |
| threat_recon | rrname | DNS rrname record (if applicable) |
| threat_recon | source | either Wapack_Propriety or Wapack_OSINT |
| threat_recon | tag | used for identifying other characteristics of indicator such as dynamic domain or cif indicator |