# Data Sets - Unique Fields

| Data\_Set                    | Field                         | Description                                                                                                                                                                                                |
| ---------------------------- | ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| botnet\_tracker              | c2                            | Command & Control for botnet                                                                                                                                                                               |
| breach\_data                 | breach\_date                  | timestamp of breach data file, or date of breach discovery                                                                                                                                                 |
| breach\_data                 | breach\_line\_data            | raw data string from breach data file, typically in a \[user:password] format                                                                                                                              |
| breach\_data                 | breach\_name                  | common name for the breach, or name of the file containing breach data                                                                                                                                     |
| darkweb                      | site\_name                    | name of website                                                                                                                                                                                            |
| darkweb                      | site\_type                    | dark website category                                                                                                                                                                                      |
| darkweb                      | site\_url                     | link to url (.onion) where indicator was identified                                                                                                                                                        |
| darkweb\_forum               | post\_author                  | name of user posting forum content                                                                                                                                                                         |
| darkweb\_forum               | post\_category                | category assigned by forum or post author                                                                                                                                                                  |
| darkweb\_forum               | post\_content                 | content of the forum post                                                                                                                                                                                  |
| darkweb\_forum               | post\_reply\_author           | name of user replying to original post content                                                                                                                                                             |
| darkweb\_forum               | post\_reply\_content          | content of reply post                                                                                                                                                                                      |
| darkweb\_forum               | post\_reply\_timestamp        | timestamp of reply post                                                                                                                                                                                    |
| darkweb\_forum               | post\_timestamp               | timestamp of original post                                                                                                                                                                                 |
| darkweb\_forum               | post\_title                   | title of the forum post                                                                                                                                                                                    |
| darkweb\_marketplace         | item\_category                | category assigned by marketplace or vendor                                                                                                                                                                 |
| darkweb\_marketplace         | item\_description             | description of item being sold                                                                                                                                                                             |
| darkweb\_marketplace         | item\_price                   | price of item being sold (as listed)                                                                                                                                                                       |
| darkweb\_marketplace         | item\_title                   | name of the item being sold                                                                                                                                                                                |
| darkweb\_marketplace         | item\_vendor                  | vendor selling the item                                                                                                                                                                                    |
| darkweb\_ransomware          | victim\_address               | address of ransomware victim                                                                                                                                                                               |
| darkweb\_ransomware          | victim\_description           | description of leaked information                                                                                                                                                                          |
| darkweb\_ransomware          | victim\_domain                | domain (website) of ransomware victim                                                                                                                                                                      |
| darkweb\_ransomware          | victim\_email                 | email address listed as contact for victim company                                                                                                                                                         |
| darkweb\_ransomware          | victim\_files                 | name of files leaked                                                                                                                                                                                       |
| darkweb\_ransomware          | victim\_name                  | name of ransomware victim                                                                                                                                                                                  |
| darkweb\_ransomware          | victim\_phone                 | phone number listed as contact for victim company                                                                                                                                                          |
| darkweb\_ransomware          | victim\_published\_data\_size | volume of data being leaked                                                                                                                                                                                |
| keylogger\_data              | attacker\_server              | name of keylogger endpoint from which output was observed                                                                                                                                                  |
| keylogger\_data              | password\_redact              | populated with '' if password was captured by keylogger                                                                                                                                                    |
| keylogger\_data              | username                      | observed username captured by keylogger (if applicable)                                                                                                                                                    |
| keylogger\_data              | victim\_src\_ip               | IP address observed sending keylogger outputs. While named victim\_src\_ip, this IP may not always represent a victim, for example if non-keylogger data was observed sending information to the endpoint  |
| keylogger\_data              | victim\_whois                 | Whois of victim\_src\_ip                                                                                                                                                                                   |
| keylogger\_data              | description                   | name of keylogger output file; this can define the type of keylogger variant, such as Predator or Hawkeye                                                                                                  |
| malicious\_email\_detections | detection\_shortname          | normalized antivirus name                                                                                                                                                                                  |
| malicious\_email\_detections | detection\_name               | antivirus detection name                                                                                                                                                                                   |
| malicious\_email\_detections | vendor                        | antivirus vendor                                                                                                                                                                                           |
| malicious\_emails            | detection                     | number of positive antivirus detections                                                                                                                                                                    |
| malicious\_emails            | email\_type                   | type of email: either MSG or EML                                                                                                                                                                           |
| malicious\_emails\_context   | detections                    | complete list of antivirus detection names                                                                                                                                                                 |
| malicious\_emails\_context   | recipients                    | email account(s) receiving malicious email                                                                                                                                                                 |
| malicious\_emails\_context   | sender                        | email account sending email                                                                                                                                                                                |
| malicious\_emails\_context   | subject\_line                 | observed subject line                                                                                                                                                                                      |
| malicious\_emails\_context   | targets                       | organization receiving malicious email                                                                                                                                                                     |
| open\_cloud\_buckets         | bucket                        | AWS or Azure server where data is hosted                                                                                                                                                                   |
| open\_cloud\_buckets         | id                            | AWS or Azure server ID number                                                                                                                                                                              |
| open\_cloud\_buckets         | type                          | AWS or Azure                                                                                                                                                                                               |
| open\_cloud\_bucket\_files   | filename                      | name of the file hosted on AWS or Azure server                                                                                                                                                             |
| open\_cloud\_bucket\_files   | full\_path                    | path of file being hosted on AWS or Azure server                                                                                                                                                           |
| open\_cloud\_bucket\_files   | size                          | size of file (bytes)                                                                                                                                                                                       |
| open\_cloud\_bucket\_files   | type                          | AWS or Azure                                                                                                                                                                                               |
| sinkhole\_traffic            | count\_rec                    | observation count for given IP (indicator)                                                                                                                                                                 |
| sinkhole\_traffic            | cs\_asn                       | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | cs\_bytes                     | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | cs\_cookie                    | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | cs\_host                      | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | cs\_referrer                  | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | cs\_ua                        | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | cs\_username                  | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | cs\_version                   | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | sc\_bytes                     | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | sc\_status                    | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | sc\_substatus                 | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | sc\_win32\_status             | refer to W3C logging specifications - <https://msdn.microsoft.com/en-us/library/windows/desktop/aa814385(v=vs.85).aspx>                                                                                    |
| sinkhole\_traffic            | tag                           | defines whether sinkhole is APT or crimeware/botnet                                                                                                                                                        |
| source\_code\_secrets        | git\_account                  | user associated with the code repository                                                                                                                                                                   |
| source\_code\_secrets        | git\_host                     | service hosting the code repository                                                                                                                                                                        |
| source\_code\_secrets        | matches                       | indicator from the code repository which matches a signature                                                                                                                                               |
| source\_code\_secrets        | matching\_file                | file name of the code repository file containing match (indicator)                                                                                                                                         |
| source\_code\_secrets        | repository\_name              | title of code repository                                                                                                                                                                                   |
| source\_code\_secrets        | signature\_name               | description of the signature which triggered the match (indicator)                                                                                                                                         |
| threat\_recon                | comment                       | free form field for analyst comments                                                                                                                                                                       |
| threat\_recon                | process\_type                 | defines whether an indicator was manually added (Direct) or programmatically derived (Derived\_\*)                                                                                                         |
| threat\_recon                | rdata                         | DNS rdata record (if applicable)                                                                                                                                                                           |
| threat\_recon                | root\_node                    | Origin of derived indicator: only applicable for Derived\_ process types                                                                                                                                   |
| threat\_recon                | rrname                        | DNS rrname record (if applicable)                                                                                                                                                                          |
| threat\_recon                | source                        | either Wapack\_Propriety or Wapack\_OSINT                                                                                                                                                                  |
| threat\_recon                | tag                           | used for identifying other characteristics of indicator such as dynamic domain or cif indicator                                                                                                            |
