Data Sets - Unique Fields
| Data_Set | Field | Description |
|---|---|---|
| botnet_tracker | asn | Autonomous System Number |
| botnet_tracker | attribution | botnet associated with the network traffic |
| botnet_tracker | c2 | Command & Control node (if identified) |
| breach_data | breach_date | timestamp of the breach data file |
| breach_data | breach_line_data | raw breach data (typically username:password format) observed in the breach data file |
| breach_data | breach_name | name of the file containing the breach data, or the common name of the breach |
| keylogger_data | password_redact | populated with '' if a password was captured by the keylogger; the password itself is redacted |
| keylogger_data | username | username captured by the keylogger (if applicable) |
| keylogger_data | victim_src_ip | IP address observed sending keylogger output. Despite the name, this IP does not always represent a victim, for example when non-keylogger traffic was observed sending data to the same endpoint |
| keylogger_data | victim_whois | Whois record for victim_src_ip |
| keylogger_data | description | name of the keylogger output file; this can identify the keylogger variant, such as Predator or Hawkeye |
| malicious_email_detections | detection_shortname | normalized antivirus detection name |
| malicious_email_detections | detection_name | antivirus detection name |
| malicious_email_detections | vendor | antivirus vendor |
| malicious_emails | detection | number of positive antivirus detections |
| malicious_emails | email_type | type of email file: either MSG or EML |
| malicious_emails_context | detections | complete list of antivirus detection names |
| malicious_emails_context | recipients | email account(s) receiving the malicious email |
| malicious_emails_context | sender | email account sending the email |
| malicious_emails_context | subject_line | observed subject line |
| malicious_emails_context | targets | organization receiving the malicious email |
| sinkhole_traffic | count_rec | observation count for the given IP (indicator) |
| sinkhole_traffic | cs_asn | |
| sinkhole_traffic | cs_bytes | |
| sinkhole_traffic | cs_cookie | |
| sinkhole_traffic | cs_host | |
| sinkhole_traffic | cs_referrer | |
| sinkhole_traffic | cs_ua | |
| sinkhole_traffic | cs_username | |
| sinkhole_traffic | cs_version | |
| sinkhole_traffic | sc_bytes | |
| sinkhole_traffic | sc_status | |
| sinkhole_traffic | sc_substatus | |
| sinkhole_traffic | sc_win32_status | |
| sinkhole_traffic | tag | defines whether the sinkhole is APT or crimeware/botnet |
| threat_recon | comment | free-form field for analyst comments |
| threat_recon | process_type | defines whether an indicator was manually added (Direct) or programmatically derived (Derived_*) |
| threat_recon | rdata | DNS rdata record (if applicable) |
| threat_recon | root_node | origin of a derived indicator; only applicable for Derived_* process types |
| threat_recon | rrname | DNS rrname record (if applicable) |
| threat_recon | source | either Wapack_Propriety or Wapack_OSINT |
| threat_recon | tag | used to identify other characteristics of the indicator, such as a dynamic domain or a CIF indicator |

No descriptions are given for the sinkhole_traffic cs_* and sc_* fields. Their names follow the W3C extended log format convention used by IIS, where the cs_ prefix marks client-to-server fields (request headers such as host, referrer, user agent, cookie) and the sc_ prefix marks server-to-client fields (response bytes, HTTP status, IIS substatus and Win32 status).
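The field descriptions above imply a few consistency rules that are worth checking before ingesting these data sets, in particular that root_node is only meaningful for Derived_* process types, that source is one of two known values, and that breach_line_data must be split on the first colon only because passwords frequently contain colons themselves. The following is an added example, not code from the original page or from the data provider; the record format (one JSON object per line), the sample records and every function name are assumptions for illustration, while the field names come from the table.

```python
"""Added example (not part of the original data dictionary): load records for
the threat_recon and breach_data sets and check the constraints the field
descriptions imply. Field names come from the table; the one-JSON-object-per-
line format, the sample records and the function names are assumptions."""
import json

# The two source values the table documents for threat_recon.
THREAT_RECON_SOURCES = {"Wapack_Propriety", "Wapack_OSINT"}

# Constructed sample records (assumed format; not real indicator data).
SAMPLE_THREAT_RECON = """
{"process_type": "Direct", "rrname": "evil.example", "rdata": "203.0.113.5", "source": "Wapack_OSINT", "tag": "dynamic domain", "comment": "analyst note"}
{"process_type": "Derived_PDNS", "rrname": "www.evil.example", "rdata": "203.0.113.5", "root_node": "evil.example", "source": "Wapack_Propriety"}
{"process_type": "Derived_PDNS", "rrname": "cdn.evil.example", "source": "Wapack_Propriety"}
{"process_type": "Direct", "rrname": "other.example", "root_node": "x", "source": "VendorFeed"}
"""

# Constructed sample breach rows; the second password contains colons.
SAMPLE_BREACH = """
{"breach_name": "example_dump_2019.txt", "breach_date": "2019-03-02T10:00:00Z", "breach_line_data": "alice@example.com:hunter2"}
{"breach_name": "example_dump_2019.txt", "breach_date": "2019-03-02T10:00:00Z", "breach_line_data": "bob@example.com:pa:ss:word"}
{"breach_name": "example_dump_2019.txt", "breach_date": "2019-03-02T10:00:00Z", "breach_line_data": "no-delimiter-here"}
"""


def load_records(text):
    """Parse one JSON object per non-empty line (assumed export format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_threat_recon(rec):
    """Return the list of constraint violations for one threat_recon record.

    Rules taken from the table: root_node applies only to Derived_* process
    types, process_type is Direct or Derived_*, and source is one of the two
    documented values.
    """
    problems = []
    ptype = rec.get("process_type", "")
    if ptype == "Direct":
        if "root_node" in rec:
            problems.append("root_node present on a Direct indicator")
    elif ptype.startswith("Derived_"):
        if not rec.get("root_node"):
            problems.append("Derived_* indicator is missing root_node")
    else:
        problems.append(f"unknown process_type {ptype!r}")
    if rec.get("source") not in THREAT_RECON_SOURCES:
        problems.append(f"unexpected source {rec.get('source')!r}")
    return problems


def split_breach_line(line):
    """Split breach_line_data on the FIRST colon only.

    Usernames rarely contain ':' but passwords often do, so str.split(':')
    would corrupt them. Returns (username, password), or (line, None) when
    the expected delimiter is absent.
    """
    user, sep, password = line.partition(":")
    return (user, password) if sep else (line, None)


def summarize_breach(records):
    """Count unique (case-folded) usernames and rows lacking the delimiter."""
    users = set()
    malformed = 0
    for rec in records:
        user, password = split_breach_line(rec["breach_line_data"])
        if password is None:
            malformed += 1
        else:
            users.add(user.lower())
    return {"unique_usernames": len(users), "malformed": malformed}


if __name__ == "__main__":
    for rec in load_records(SAMPLE_THREAT_RECON):
        print(rec.get("rrname"), check_threat_recon(rec) or "ok")
    print(summarize_breach(load_records(SAMPLE_BREACH)))
```

Running the block flags the third threat_recon record (a Derived_ indicator without its root_node) and the fourth (a Direct indicator carrying a root_node and an undocumented source), and reports two unique usernames and one malformed row for the breach sample, with bob's colon-laden password kept intact.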