Phishing (Threat Recon)
Wapack Labs publishes in-depth analysis of hundreds of technical, geopolitical, and criminal cyber activities per year. Most reports include Snort rules, YARA rules and indicators of compromise derived from those reports. These are considered the highest confidence indicators, and they are used to derive new information. Approximately 20% are APT, 60% are criminal, and the remainder miscellaneous. All indicators are directly observed, and most are attributed to specific groups or activities. All are rated at our highest confidence rating: 70%.
| Field | Description |
| --- | --- |
| area_code | area code geolocated from indicator |
| attribution | provides attribution information (if applicable) |
| city | city name geolocated from indicator |
| comment | free-form field for analyst comments |
| country | two-character country code geolocated from indicator |
| etl_date | date data was exported, transformed or loaded (ETL) |
| first_seen | when indicator was first observed or processed |
| indicator | indicator observed by Wapack Labs or from open source |
| indicator_context | additional context on indicator, including kill chain phase (if known) |
| indicator_type | indicator type |
| last_seen | when indicator was last observed or processed |
| location | latitude, longitude coordinates |
| postal_code | postal code geolocated from indicator |
| process_type | defines whether an indicator was manually added (Direct) or programmatically derived (Derived_*) |
| rdata | DNS rdata record (if applicable) |
| reference | reference for indicator |
| region | region name geolocated from indicator |
| root_node | origin of derived indicator; only applicable for Derived_ process types |
| rrname | DNS rrname record (if applicable) |
| source | either Wapack_Propriety or Wapack_OSINT |
| tag | used for identifying other characteristics of indicator, such as dynamic domain or CIF indicator |
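The dictionary above states several constraints a consumer should enforce before loading the feed: `source` is one of two values, `process_type` is `Direct` or a `Derived_*` variant, `root_node` applies only to derived indicators, `country` is a two-character code, `location` is a latitude/longitude pair, and `last_seen` cannot precede `first_seen`. The validator below is an added example written for this page, not Wapack Labs code. The field names and enumerated values come from the dictionary; the set of indicator types, the `Derived_dns` process type, the ISO date format and the three sample records are assumptions constructed for the demonstration.

```python
"""Validate Threat Recon phishing records against the data dictionary.

Added example, not Wapack Labs code. Field names and the values Direct,
Derived_*, Wapack_Propriety and Wapack_OSINT come from the dictionary;
everything else (indicator types, date format, sample records) is assumed.
"""
import re
from datetime import datetime

SOURCES = {"Wapack_Propriety", "Wapack_OSINT"}          # as spelled in the dictionary
REQUIRED = ("indicator", "indicator_type", "first_seen", "last_seen",
            "process_type", "source")
INDICATOR_TYPES = {"domain", "url", "ipv4", "email", "md5", "sha256"}  # assumed

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}:\d{2})?$")
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")


def _parse_date(value):
    """Accept 'YYYY-MM-DD' or 'YYYY-MM-DD HH:MM:SS' (T-separated also allowed)."""
    if not DATE_RE.match(value):
        return None
    value = value.replace("T", " ")
    fmt = "%Y-%m-%d %H:%M:%S" if " " in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt)


def validate_record(rec):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = [f"missing required field: {f}" for f in REQUIRED if not rec.get(f)]
    if problems:
        return problems  # consistency checks need the basic fields present

    if rec["source"] not in SOURCES:
        problems.append(f"unknown source: {rec['source']}")
    if rec["indicator_type"] not in INDICATOR_TYPES:
        problems.append(f"unknown indicator_type: {rec['indicator_type']}")

    # root_node is only meaningful for Derived_* process types.
    ptype = rec["process_type"]
    if ptype == "Direct":
        if rec.get("root_node"):
            problems.append("root_node set on a Direct indicator")
    elif ptype.startswith("Derived_"):
        if not rec.get("root_node"):
            problems.append("Derived_ indicator without root_node")
    else:
        problems.append(f"unknown process_type: {ptype}")

    first, last = _parse_date(rec["first_seen"]), _parse_date(rec["last_seen"])
    if first is None or last is None:
        problems.append("first_seen/last_seen not in ISO date format")
    elif last < first:
        problems.append("last_seen precedes first_seen")

    country = rec.get("country")
    if country and not COUNTRY_RE.match(country):
        problems.append(f"country is not a two-letter code: {country}")

    loc = rec.get("location")
    if loc:
        try:
            lat, lon = (float(x) for x in loc.split(","))
            if not (-90 <= lat <= 90 and -180 <= lon <= 180):
                problems.append(f"location out of range: {loc}")
        except ValueError:
            problems.append(f"location is not 'lat,lon': {loc}")
    return problems


def partition(records):
    """Split records into (accepted, rejected); rejected entries carry their reasons."""
    accepted, rejected = [], []
    for rec in records:
        problems = validate_record(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample records (not real feed data; reserved example addresses).
SAMPLE = [
    {"indicator": "login-example.invalid", "indicator_type": "domain",
     "indicator_context": "Delivery", "first_seen": "2019-03-01",
     "last_seen": "2019-03-04", "process_type": "Direct",
     "source": "Wapack_Propriety", "country": "US",
     "location": "38.9,-77.0", "tag": "dynamic domain"},
    {"indicator": "203.0.113.7", "indicator_type": "ipv4",
     "first_seen": "2019-03-02", "last_seen": "2019-03-05",
     "process_type": "Derived_dns", "root_node": "login-example.invalid",
     "source": "Wapack_Propriety", "rrname": "login-example.invalid",
     "rdata": "203.0.113.7"},
    # Broken on purpose: derived without root_node, and dates reversed.
    {"indicator": "198.51.100.9", "indicator_type": "ipv4",
     "first_seen": "2019-03-06", "last_seen": "2019-03-02",
     "process_type": "Derived_dns", "source": "Wapack_OSINT"},
]

if __name__ == "__main__":
    ok, bad = partition(SAMPLE)
    print(f"accepted {len(ok)} record(s), rejected {len(bad)}")
    for rec, why in bad:
        print(rec["indicator"], "->", "; ".join(why))
```

Rejected records are kept with their reasons rather than silently dropped, so a feed consumer can report schema drift (a new `process_type` prefix or source value, for instance) instead of losing indicators.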