Data Sets - Unique Fields

| Data_Set | Field | Description |
|---|---|---|
| botnet_tracker | asn | Autonomous System Number |
| botnet_tracker | attribution | botnet associated with network traffic |
| botnet_tracker | c2 | Command & Control node (if identified) |
| breach_data | breach_date | timestamp of breach data file |
| breach_data | breach_line_data | raw breach data (typically username:password format) observed in breach data file |
| breach_data | breach_name | name of file containing breach data, or common name of the breach |
| keylogger_data | password_redact | populated with '' if password was captured by keylogger |
| keylogger_data | username | observed username captured by keylogger (if applicable) |
| keylogger_data | victim_src_ip | IP address observed sending keylogger outputs. While named victim_src_ip, this IP may not always represent a victim, for example if non-keylogger data was observed sending information to the endpoint |
| keylogger_data | victim_whois | Whois of victim_src_ip |
| keylogger_data | description | name of keylogger output file; this can define the type of keylogger variant, such as Predator or Hawkeye |
| malicious_email_detections | detection_shortname | normalized antivirus name |
| malicious_email_detections | detection_name | antivirus detection name |
| malicious_email_detections | vendor | antivirus vendor |
| malicious_emails | detection | number of positive antivirus detections |
| malicious_emails | email_type | type of email: either MSG or EML |
| malicious_emails_context | detections | complete list of antivirus detection names |
| malicious_emails_context | recipients | email account(s) receiving malicious email |
| malicious_emails_context | sender | email account sending email |
| malicious_emails_context | subject_line | observed subject line |
| malicious_emails_context | targets | organization receiving malicious email |
| sinkhole_traffic | count_rec | observation count for given IP (indicator) |
| sinkhole_traffic | cs_asn | |
| sinkhole_traffic | cs_bytes | |
| sinkhole_traffic | cs_cookie | |
| sinkhole_traffic | cs_host | |
| sinkhole_traffic | cs_referrer | |
| sinkhole_traffic | cs_ua | |
| sinkhole_traffic | cs_username | |
| sinkhole_traffic | cs_version | |
| sinkhole_traffic | sc_bytes | |
| sinkhole_traffic | sc_status | |
| sinkhole_traffic | sc_substatus | |
| sinkhole_traffic | sc_win32_status | |
| sinkhole_traffic | tag | defines whether sinkhole is APT or crimeware/botnet |
| threat_recon | comment | free-form field for analyst comments |
| threat_recon | process_type | defines whether an indicator was manually added (Direct) or programmatically derived (Derived_*) |
| threat_recon | rdata | DNS rdata record (if applicable) |
| threat_recon | root_node | origin of derived indicator: only applicable for Derived_ process types |
| threat_recon | rrname | DNS rrname record (if applicable) |
| threat_recon | source | either Wapack_Propriety or Wapack_OSINT |
| threat_recon | tag | used for identifying other characteristics of an indicator, such as dynamic domain or cif indicator |
