threat_recon
Phishing (Threat Recon)
Wapack Labs publishes in-depth analysis on hundreds of technical, geopolitical, and criminal cyber activities per year. Most reports include Snort rules, YARA rules and indicators of compromise derived from these reports. These are considered the highest confidence indicators, and are used to derive new information. Approximately 20% are APT, 60% are criminal, and the remainder are miscellaneous. All indicators are directly observed. Most are attributed to specific groups or activities. All are rated at our highest confidence rating: 70%.
| Field | Description |
| --- | --- |
| area_code | area code geolocated from indicator |
| attribution | provides attribution information (if applicable) |
| city | city name geolocated from indicator |
| comment | free form field for analyst comments |
| country | two character country code geolocated from indicator |
| etl_date | date data was exported, transformed or loaded (ETL) |
| first_seen | when indicator first observed or processed |
| indicator | indicator observed by Wapack Labs or from open source |
| indicator_context | additional context on indicator to include kill chain phase (if known) |
| indicator_type | indicator type |
| last_seen | when indicator first observed or processed |
| location | latitude longitude coordinates |
| postal_code | postal code geolocated from indicator |
| process_type | defines whether an indicator was manually added (Direct) or programmatically derived (Derived_*) |
| rdata | DNS rdata record (if applicable) |
| reference | reference for indicator |
| region | region name geolocated from indicator |
| root_node | Origin of derived indicator: only applicable for Derived_ process types |
| rrname | DNS rrname record (if applicable) |
| source | either Wapack_Propriety or Wapack_OSINT |
| tag | used for identifying other characteristics of indicator such as dynamic domain or cif indicator |