Standard context schema used for the system indicators and the DBot Score object.
There are standard context schema used for the system indicators and the DBot Score object. You do not need to manually output this in your code, instead, use the builtin classes as described in context use cases.
The following is the format for a File. File here refers to the file indicator or a binary file that could potentially be malicious, and might be checked for reputation or sent to a sandbox.
"File": { "Name": "STRING, The full file name (including file extension).", "EntryID": "STRING, The ID for locating the file in the War Room.", "Size": "INT, The size of the file in bytes.", "MD5": "STRING, The MD5 hash of the file.", "SHA1": "STRING, The SHA1 hash of the file.", "SHA256": "STRING, The SHA256 hash of the file.", "SHA512": "STRING The SHA512 hash of the file.", "SSDeep": "STRING, The ssdeep hash of the file (same as displayed in file entries).", "Extension": "STRING, The file extension, for example: 'xls'.", "Type": "STRING, The file type, as determined by libmagic (same as displayed in file entries).", "Hostname": "STRING, The name of the host where the file was found. Should match Path.", "Path": "STRING, The path where the file is located.", "Company": "STRING, The name of the company that released a binary.", "ProductName": "STRING, The name of the product to which this file belongs.", "DigitalSignature": { "Publisher": "STRING, The publisher of the digital signature for the file." }, "Actor": "STRING, The actor reference.", "Tags": "STRING, Tags of the file.", "Signature": { "Authentihash": "STRING, The authentication hash.", "Copyright": "STRING, Copyright information.", "Description": "STRING, A description of the signature.", "FileVersion": "STRING, The file version.", "InternalName": "STRING, The internal name of the file.", "OriginalName": "STRING, The original name of the file." }, "Malicious": { "Vendor": "STRING, The vendor that reported the file as malicious.", "Description": "STRING, A description explaining why the file was determined to be malicious." }, "EntityA": "STRING, The source of the relationship.", "EntityB": "STRING, The destination of the relationship.", "Relationship": "STRING, The name of the relationship.", "EntityAType": "STRING, The type of the source of the relationship.", "EntityBType": "STRING, The type of the destination of the relationship.", "FeedRelatedIndicators": { "value": "STRING, Indicators that are associated with the file.", "type": "STRING, The type of the indicators that are associated with the file", "description": "STRING, The description of the indicators that are associated with the file." }, "MalwareFamily": "STRING, The malware family associated with the file.", "Campaign": "STRING, The campaign associated with the file.", "TrafficLightProtocol": "STRING, The Traffic Light Protocol (TLP) color that is suitable for the file.", "CommunityNotes": { "note": "STRING, Notes on the file that were given by the community.", "timestamp": "DATE, The time in which the note was published." }, "Publications": { "source": "STRING, The source in which the article was published.", "title": "STRING, The name of the article.", "link": "STRING, A link to the original article.", "timestamp": "DATE, The time in which the article was published." }, "Behavior": { "details": "STRING, The technical details which are relevant to the behavior.", "title": "STRING, The behavior associated with the file." }, "ThreatTypes": { "threatcategory": "STRING, The threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc.", "threatcategoryconfidence": "STRING, Threat Category Confidence is the confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware." }, "Imphash": "STRING, The Imphash hash of the file.", "Quarantined": "BOOL, Is the file quarantined or not.", "Organization": "STRING, The organization of the file.", "AssociatedFileNames": "STRING, File names that are known as associated to the file." }
In YAML
outputs: - contextPath: File.Name description: The full file name (including file extension). type: String - contextPath: File.EntryID description: The ID for locating the file in the War Room. type: String - contextPath: File.Size description: The size of the file in bytes. type: Number - contextPath: File.MD5 description: The MD5 hash of the file. type: String - contextPath: File.SHA1 description: The SHA1 hash of the file. type: String - contextPath: File.SHA256 description: The SHA1 hash of the file. type: String - contextPath: File.SHA512 description: The SHA512 hash of the file. type: String - contextPath: File.SSDeep description: The ssdeep hash of the file (same as displayed in file entries). type: String - contextPath: File.Extension description: "The file extension, for example: 'xls'." type: String - contextPath: File.Type description: The file type, as determined by libmagic (same as displayed in file entries). type: String - contextPath: File.Hostname description: The name of the host where the file was found. Should match Path. type: String - contextPath: File.Path description: The path where the file is located. type: String - contextPath: File.Company description: The name of the company that released a binary. type: String - contextPath: File.ProductName description: The name of the product to which this file belongs. type: String - contextPath: File.DigitalSignature.Publisher description: The publisher of the digital signature for the file. type: String - contextPath: File.Actor description: The actor reference. type: String - contextPath: File.Tags description: (List) Tags of the file. type: Unknown - contextPath: File.FeedRelatedIndicators.value description: Indicators that are associated with the file. type: String - contextPath: File.FeedRelatedIndicators.type description: The type of the indicators that are associated with the file. type: String - contextPath: File.FeedRelatedIndicators.description description: The description of the indicators that are associated with the file. type: String - contextPath: File.MalwareFamily description: The malware family associated with the file. type: String - contextPath: File.Signature.Authentihash description: The authentication hash. type: String - contextPath: File.Signature.Copyright description: Copyright information. type: String - contextPath: File.Signature.Description description: A description of the signature. type: String - contextPath: File.Signature.FileVersion description: The file version. type: String - contextPath: File.Signature.InternalName description: The internal name of the file. type: String - contextPath: File.Signature.OriginalName description: The original name of the file. type: String - contextPath: File.Malicious.Vendor description: The vendor that reported the file as malicious. type: String - contextPath: File.Malicious.Description description: A description explaining why the file was determined to be malicious. type: String - contextPath: File.Relationships.EntityA description: The source of the relationship. type: string - contextPath: File.Relationships.EntityB description: The destination of the relationship. type: string - contextPath: File.Relationships.Relationship description: The name of the relationship. type: string - contextPath: File.Relationships.EntityAType description: The type of the source of the relationship. type: string - contextPath: File.Relationships.EntityBType description: The type of the destination of the relationship. type: string - contextPath: File.Campaign description: The campaign associated with the file. type: String - contextPath: File.TrafficLightProtocol description: The Traffic Light Protocol (TLP) color that is suitable for the file. type: String - contextPath: File.CommunityNotes.note description: Notes on the file that were given by the community. type: String - contextPath: File.CommunityNotes.timestamp description: The time in which the note was published. type: Date - contextPath: File.Publications.source description: The source in which the article was published. type: String - contextPath: File.Publications.title description: The name of the article. type: String - contextPath: File.Publications.link description: A link to the original article. type: String - contextPath: File.Publications.timestamp description: The time in which the article was published. type: Date - contextPath: File.Behavior.details description: The technical details which are relevant to the behavior. type: String - contextPath: File.Behavior.title description: The behavior associated with the file. type: String - contextPath: File.ThreatTypes.threatcategory description: The threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc. type: String - contextPath: File.ThreatTypes.threatcategoryconfidence description: Threat Category Confidence is the confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware. type: String - contextPath: File.Imphash description: The Imphash hash of the file. type: String - contextPath: File.Quarantined description: Is the file quarantined or not. type: Bool - contextPath: File.Organization description: The organization of the file. type: String - contextPath: File.AssociatedFileNames description: File names that are known as associated to the file. type: String
The following is the format for an IP entity:
"IP": { "Address": "STRING, IP address", "EntityA": "STRING, The source of the relationship.", "EntityB": "STRING, The destination of the relationship.", "Relationship": "STRING, The name of the relationship.", "EntityAType": "STRING, The type of the source of the relationship.", "EntityBType": "STRING, The type of the destination of the relationship.", "ASN": "STRING, The autonomous system name for the IP address, for example: 'AS8948'.", "Hostname": "STRING, The hostname that is mapped to this IP address.", "Geo":{ "Location": "STRING, The geolocation where the IP address is located, in the format: latitude:longitude.", "Country": "STRING, The country in which the IP address is located.", "Description": "STRING, Additional information about the location." }, "DetectionEngines": "NUMBER, The total number of engines that checked the indicator.", "PositiveDetections": "NUMBEr, The number of engines that positively detected the indicator as malicious.", "Malicious":{ "Vendor": "STRING, The vendor reporting the IP address as malicious.", "Description": "STRING, A description explaining why the IP address was reported as malicious." }, "Tags": "STRING, Tags of the IP.", "FeedRelatedIndicators": { "value": "STRING, Indicators that are associated with the IP.", "type": "STRING, The type of the indicators that are associated with the IP", "description": "STRING, The description of the indicators that are associated with the IP." }, "MalwareFamily": "STRING, The malware family associated with the IP.", "Organization": { "Name": "STRING, The organization of the IP.", "Type": "STRING, The organization type of the IP." }, "ASOwner": "STRING, The autonomous system owner of the IP.", "Region": "STRING, The region in which the IP is located.", "Port": "STRING, Ports that are associated with the IP.", "Internal": "BOOL, Whether or not the IP is internal or external.", "UpdatedDate": "DATE, The date that the IP was last updated.", "Registrar": { "Abuse":{ "Name": "STRING, The name of the contact for reporting abuse.", "Address": "STRING, The address of the contact for reporting abuse.", "Country": "STRING, The country of the contact for reporting abuse.", "Network": "STRING, The network of the contact for reporting abuse.", "Phone": "STRING, The phone number of the contact for reporting abuse.", "Email": "STRING, The email address of the contact for reporting abuse.", }}, "Campaign": "STRING, The campaign associated with the IP.", "TrafficLightProtocol": "STRING, The Traffic Light Protocol (TLP) color that is suitable for the IP.", "CommunityNotes": { "note": "STRING, Notes on the IP that were given by the community.", "timestamp": "DATE, The time in which the note was published." }, "Publications": { "source": "STRING, The source in which the article was published.", "title": "STRING, The name of the article.", "link": "STRING, A link to the original article.", "timestamp": "DATE, The time in which the article was published." }, "ThreatTypes": { "threatcategory": "STRING, The threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc.", "threatcategoryconfidence": "STRING, Threat Category Confidence is the confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware." } }
In YAML
outputs: - contextPath: IP.Address description: IP address type: String - contextPath: IP.Relationships.EntityA description: The source of the relationship. type: string - contextPath: IP.Relationships.EntityB description: The destination of the relationship. type: string - contextPath: IP.Relationships.Relationship description: The name of the relationship. type: string - contextPath: IP.Relationships.EntityAType description: The type of the source of the relationship. type: string - contextPath: IP.Relationships.EntityBType description: The type of the destination of the relationship. type: string - contextPath: IP.ASN description: 'The autonomous system name for the IP address, for example: "AS8948".' type: String - contextPath: IP.Hostname description: The hostname that is mapped to this IP address. type: String - contextPath: IP.Geo.Location description: 'The geolocation where the IP address is located, in the format: latitude:longitude.' type: String - contextPath: IP.Geo.Country description: The country in which the IP address is located. type: String - contextPath: IP.Geo.Description description: Additional information about the location. type: String - contextPath: IP.DetectionEngines description: The total number of engines that checked the indicator. type: Number - contextPath: IP.PositiveDetections description: The number of engines that positively detected the indicator as malicious. type: Number - contextPath: IP.Malicious.Vendor description: The vendor reporting the IP address as malicious. type: String - contextPath: IP.Malicious.Description description: A description explaining why the IP address was reported as malicious. type: String - contextPath: IP.Tags description: (List) Tags of the IP. type: Unknown - contextPath: IP.FeedRelatedIndicators.value description: Indicators that are associated with the IP. type: String - contextPath: IP.FeedRelatedIndicators.type description: The type of the indicators that are associated with the IP. type: String - contextPath: IP.FeedRelatedIndicators.description description: The description of the indicators that are associated with the IP. type: String - contextPath: IP.MalwareFamily description: The malware family associated with the IP. type: String - contextPath: IP.Organization.Name description: The organization of the IP. type: String - contextPath: IP.Organization.Type description: The organization type of the IP. type: String - contextPath: IP.ASOwner description: The autonomous system owner of the IP. type: String - contextPath: IP.Region description: The region in which the IP is located. type: String - contextPath: IP.Port description: Ports that are associated with the IP. type: String - contextPath: IP.Internal description: Whether or not the IP is internal or external. type: Bool - contextPath: IP.UpdatedDate description: The date that the IP was last updated. type: Date - contextPath: IP.Registrar.Abuse.Name description: The name of the contact for reporting abuse. type: String - contextPath: IP.Registrar.Abuse.Address description: The address of the contact for reporting abuse. type: String - contextPath: IP.Registrar.Abuse.Country description: The country of the contact for reporting abuse. type: String - contextPath: IP.Registrar.Abuse.Network description: The network of the contact for reporting abuse. type: String - contextPath: IP.Registrar.Abuse.Phone description: The phone number of the contact for reporting abuse. type: String - contextPath: IP.Registrar.Abuse.Email description: The email address of the contact for reporting abuse. type: String - contextPath: IP.Campaign description: The campaign associated with the IP. type: String - contextPath: IP.TrafficLightProtocol description: The Traffic Light Protocol (TLP) color that is suitable for the IP. type: String - contextPath: IP.CommunityNotes.note description: Notes on the IP that were given by the community. type: String - contextPath: IP.CommunityNotes.timestamp description: The time in which the note was published. type: Date - contextPath: IP.Publications.source description: The source in which the article was published. type: String - contextPath: IP.Publications.title description: The name of the article. type: String - contextPath: IP.Publications.link description: A link to the original article. type: String - contextPath: IP.Publications.timestamp description: The time in which the article was published. type: Date - contextPath: IP.ThreatTypes.threatcategory description: The threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc. type: String - contextPath: IP.ThreatTypes.threatcategoryconfidence description: Threat Category Confidence is the confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware. type: String
The following is the format for an Endpoint:
"Endpoint": { "Hostname": "STRING, The endpoint's hostname.", "EntityA": "STRING, The source of the relationship.", "EntityB": "STRING, The destination of the relationship.", "Relationship": "STRING, The name of the relationship.", "EntityAType": "STRING, The type of the source of the relationship.", "EntityBType": "STRING, The type of the destination of the relationship.", "ID": "STRING, The endpoint's ID.", "IPAddress": "STRING, The endpoint's IP address.", "Domain": "STRING, The endpoint's domain.", "MACAddress": "STRING, The endpoint's MAC address.", "DHCPServer": "STRING, The DHCP server of the endpoint.", "OS": "STRING, The endpoint's operation system.", "OSVersion": "STRING, The endpoint's operation system version.", "BIOSVersion": "STRING, The endpoint's BIOS version.", "Model": "STRING, The model of the machine or device.", "Memory": "INT, Memory on this endpoint.", "Processors": "INT, The number of processors.", "Processor": "STRING, The model of the processor.", "IsIsolated": "STRING, The endpoint's isolation status.", "Status": "STRING, The endpoint's status.", "Vendor": "STRING, The integration name of the endpoint vendor.", }
In YAML
outputs: - contextPath: Endpoint.Hostname description: The endpoint's hostname. type: String - contextPath: Endpoint.Relationships.EntityA description: The source of the relationship. type: string - contextPath: Endpoint.Relationships.EntityB description: The destination of the relationship. type: string - contextPath: Endpoint.Relationships.Relationship description: The name of the relationship. type: string - contextPath: Endpoint.Relationships.EntityAType description: The type of the source of the relationship. type: string - contextPath: Endpoint.Relationships.EntityBType description: The type of the destination of the relationship. type: string - contextPath: Endpoint.OS description: The endpoint's operation system. type: String - contextPath: Endpoint.IPAddress description: The endpoint's IP address. type: String - contextPath: Endpoint.ID description: The endpoint's ID. type: String - contextPath: Endpoint.Status description: The endpoint's status. type: String - contextPath: Endpoint.IsIsolated description: The endpoint's isolation status. type: String - contextPath: Endpoint.MACAddress description: The endpoint's MAC address. type: String - contextPath: Endpoint.Vendor description: The integration name of the endpoint vendor. type: String - contextPath: Endpoint.Domain description: The endpoint's domain. type: String - contextPath: Endpoint.DHCPServer description: The DHCP server of the endpoint. type: String - contextPath: Endpoint.OSVersion description: The endpoint's operation system version. type: String - contextPath: Endpoint.BIOSVersion description: The endpoint's BIOS version. type: String - contextPath: Endpoint.Model description: The model of the machine or device. type: String - contextPath: Endpoint.Memory description: Memory on this endpoint. type: Int - contextPath: Endpoint.Processors description: The number of processors. type: Int - contextPath: Endpoint.Processor description: The model of the processor. type: String
The following is the format for an Email Object:
"Email": { "To": "STRING, The recipient of the email.", "From": "STRING, The sender of the email.", "CC": "STRING, Email addresses CC'ed to the email.", "BCC": "STRING, Email addresses BCC'ed to the email.", "EntityA": "STRING, The source of the relationship.", "EntityB": "STRING, The destination of the relationship.", "Relationship": "STRING, The name of the relationship.", "EntityAType": "STRING, The type of the source of the relationship.", "EntityBType": "STRING, The type of the destination of the relationship.", "Format": "STRING, The format of the email.", "Body/HTML": "STRING, The HTML version of the email.", "Body/Text": "STRING, The plain-text version of the email.", "Subject": "STRING, The subject of the email.", "Headers": "STRING, The headers of the email." }
In YAML
outputs: - contextPath: Email.To description: The recipient of the email. type: String - contextPath: Email.From description: The sender of the email. type: String - contextPath: Email.CC description: Email addresses CC'ed to the email. type: String - contextPath: Email.BCC description: Email addresses BCC'ed to the email. type: String - contextPath: Email.Format description: The format of the email. type: String - contextPath: Email.Relationships.EntityA description: The source of the relationship. type: string - contextPath: Email.Relationships.EntityB description: The destination of the relationship. type: string - contextPath: Email.Relationships.Relationship description: The name of the relationship. type: string - contextPath: Email.Relationships.EntityAType description: The type of the source of the relationship. type: string - contextPath: Email.Relationships.EntityBType description: The type of the destination of the relationship. type: string - contextPath: Email.Body/HTML description: The HTML version of the email. type: String - contextPath: Email.Body/Text description: The plain-text version of the email. type: String - contextPath: Email.Subject description: The subject of the email. type: String - contextPath: Email.Headers description: The headers of the email. type: String - contextPath: Email.Attachment description: List<String> Entry IDs of email attachments type: Unknown
The following is the format for a Domain. Please note that for WHOIS, the entity is a dictionary nested for the key "WHOIS".
"Domain": { "Name": "STRING, The domain name, for example: 'google.com'.", "EntityA": "STRING, The source of the relationship.", "EntityB": "STRING, The destination of the relationship.", "Relationship": "STRING, The name of the relationship.", "EntityAType": "STRING, The type of the source of the relationship.", "EntityBType": "STRING, The type of the destination of the relationship.", "DNS": "STRING, A list of IP objects resolved by DNS.", "DetectionEngines": "NUMBER, The total number of engines that checked the indicator.", "PositiveDetections": "NUMBER, The number of engines that positively detected the indicator as malicious.", "CreationDate": "DATE, The date that the domain was created.", "UpdatedDate": "DATE, The date that the domain was last updated.", "ExpirationDate": "DATE, The expiration date of the domain.", "DomainStatus": "STRING, The status of the domain.", "NameServers": "STRING, Name servers of the domain.", "Organization": "STRING, The organization of the domain.", "Subdomains": "STRING, Subdomains of the domain.", "Admin": { "Country": "STRING, The country of the domain administrator.", "Email": "STRING, The email address of the domain administrator.", "Name": "STRING, The name of the domain administrator.", "Phone": "STRING, The phone number of the domain administrator." }, "Registrant": { "Country": "STRING, The country of the registrant.", "Email": "STRING, The email address of the registrant.", "Name": "STRING, The name of the registrant.", "Phone": "STRING, The phone number for receiving abuse reports." }, "Tags": "STRING, Tags of the domain.", "FeedRelatedIndicators": { "value": "STRING, Indicators that are associated with the domain.", "type": "STRING, The type of the indicators that are associated with the domin", "description": "STRING, The description of the indicators that are associated with the domain." }, "MalwareFamily": "STRING, The malware family associated with the domain.", "WHOIS": { "DomainStatus": "STRING, The status of the domain.", "NameServers": "STRING, A list of name servers, for example: 'ns1.bla.com, ns2.bla.com'.", "CreationDate": "DATE, The date that the domain was created.", "UpdatedDate": "DATE, The date that the domain was last updated.", "ExpirationDate": "DATE, The date that the domain expires.", "Registrant": { "Name": "STRING, The name of the registrant.", "Email": "STRING, The email address of the registrant.", "Phone": "STRING, The phone number of the registrant." }, "Registrar": { "Name": "STRING, The name of the registrar, for example: 'GoDaddy'.", "AbuseEmail": "STRING, The email address of the contact for reporting abuse.", "AbusePhone": "STRING, The phone number of contact for reporting abuse." }, "Admin": { "Name": "STRING, The name of the domain administrator.", "Email": "STRING, The email address of the domain administrator.", "Phone": "STRING, The phone number of the domain administrator." } }, "WHOIS/History": "List of Whois objects", "Malicious":{ "Vendor": "STRING, The vendor reporting the domain as malicious.", "Description": "STRING, A description explaining why the domain was reported as malicious." }, "DomainIDNName": "STRING, The internationalized domain name (IDN) of the domain.", "Port": "STRING, Ports that are associated with the domain.", "Internal": "BOOL, Whether or not the domain is internal or external.", "Category": "STRING, The category associated with the indicator.", "Campaign": "STRING, The campaign associated with the domain.", "TrafficLightProtocol": "STRING, The Traffic Light Protocol (TLP) color that is suitable for the domain.", "ThreatTypes": { "threatcategory": "STRING, The threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc.", "threatcategoryconfidence": "STRING, Threat Category Confidence is the confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware." }, "Geo":{ "Location": "STRING, The geolocation where the domain address is located, in the format: latitude:longitude.", "Country": "STRING, The country in which the domain address is located.", "Description": "STRING, Additional information about the location." }, "Tech": { "Country": "STRING, The country of the domain technical contact.", "Name": "STRING, The name of the domain technical contact.", "Organization": "STRING, The organization of the domain technical contact.", "Email": "STRING, The email address of the domain technical contact." }, "CommunityNotes": { "note": "STRING, Notes on the domain that were given by the community.", "timestamp": "DATE, The time in which the note was published." }, "Publications": { "source": "STRING, The source in which the article was published.", "title": "STRING, The name of the article.", "link": "STRING, A link to the original article.", "timestamp": "DATE, The time in which the article was published." }, "Billing": "STRING, The billing address of the domain.", }
In YAML
outputs: - contextPath: Domain.Name description: 'The domain name, for example: "google.com".' type: String - contextPath: Domain.Relationships.EntityA description: The source of the relationship. type: string - contextPath: Domain.Relationships.EntityB description: The destination of the relationship. type: string - contextPath: Domain.Relationships.Relationship description: The name of the relationship. type: string - contextPath: Domain.Relationships.EntityAType description: The type of the source of the relationship. type: string - contextPath: Domain.Relationships.EntityBType description: The type of the destination of the relationship. type: string - contextPath: Domain.DNS description: A list of IP objects resolved by DNS. type: String - contextPath: Domain.DetectionEngines description: The total number of engines that checked the indicator. type: Number - contextPath: Domain.PositiveDetections description: The number of engines that positively detected the indicator as malicious. type: Number - contextPath: Domain.CreationDate description: The date that the domain was created. type: Date - contextPath: Domain.UpdatedDate description: The date that the domain was last updated. type: String - contextPath: Domain.ExpirationDate description: The expiration date of the domain. type: Date - contextPath: Domain.DomainStatus description: The status of the domain. type: Datte - contextPath: Domain.NameServers description: (List<String>) Name servers of the domain. type: Unknown - contextPath: Domain.Organization description: The organization of the domain. type: String - contextPath: Domain.Subdomains description: (List<String>) Subdomains of the domain. type: Unknown - contextPath: Domain.Admin.Country description: The country of the domain administrator. type: String - contextPath: Domain.Admin.Email description: The email address of the domain administrator. type: String - contextPath: Domain.Admin.Name description: The name of the domain administrator. type: String - contextPath: Domain.Admin.Phone description: The phone number of the domain administrator. type: String - contextPath: Domain.Registrant.Country description: The country of the registrant. type: String - contextPath: Domain.Registrant.Email description: The email address of the registrant. type: String - contextPath: Domain.Registrant.Name description: The name of the registrant. type: String - contextPath: Domain.Registrant.Phone description: The phone number for receiving abuse reports. type: String - contextPath: Domain.Tags description: (List) Tags of the domain. type: Unknown - contextPath: Domain.FeedRelatedIndicators.value description: Indicators that are associated with the domain. type: String - contextPath: Domain.FeedRelatedIndicators.type description: The type of the indicators that are associated with the domain. type: String - contextPath: Domain.FeedRelatedIndicators.description description: The description of the indicators that are associated with the domain. type: String - contextPath: Domain.MalwareFamily description: The malware family associated with the domain. type: String - contextPath: Domain.WHOIS.DomainStatus description: The status of the domain. type: String - contextPath: Domain.WHOIS.NameServers description: (List<String>) Name servers of the domain. type: String - contextPath: Domain.WHOIS.CreationDate description: The date that the domain was created. type: Date - contextPath: Domain.WHOIS.UpdatedDate description: The date that the domain was last updated. type: Date - contextPath: Domain.WHOIS.ExpirationDate description: The expiration date of the domain. type: Date - contextPath: Domain.WHOIS.Registrant.Name description: The name of the registrant. type: String - contextPath: Domain.WHOIS.Registrant.Email description: The email address of the registrant. type: String - contextPath: Domain.WHOIS.Registrant.Phone description: The phone number of the registrant. type: String - contextPath: Domain.WHOIS.Registrar.Name description: 'The name of the registrar, for example: 'GoDaddy"' type: String - contextPath: Domain.WHOIS.Registrar.AbuseEmail description: The email address of the contact for reporting abuse. type: String - contextPath: Domain.WHOIS.Registrar.AbusePhone description: The phone number of contact for reporting abuse. type: String - contextPath: Domain.WHOIS.Admin.Name description: The name of the domain administrator. type: String - contextPath: Domain.WHOIS.Admin.Email description: The email address of the domain administrator. type: String - contextPath: Domain.WHOIS.Admin.Phone description: The phone number of the domain administrator. type: String - contextPath: Domain.WHOIS/History description: List of Whois objects type: String - contextPath: Domain.Malicious.Vendor description: The vendor reporting the domain as malicious. type: String - contextPath: Domain.Malicious.Description description: A description explaining why the domain was reported as malicious. type: String - contextPath: Domain.DomainIDNName description: The internationalized domain name (IDN) of the domain. type: String - contextPath: Domain.Port description: Ports that are associated with the domain. type: String - contextPath: Domain.Internal description: Whether or not the domain is internal or external. type: Bool - contextPath: Domain.Category description: The category associated with the indicator. type: String - contextPath: Domain.Campaign description: The campaign associated with the domain. type: String - contextPath: Domain.TrafficLightProtocol description: The Traffic Light Protocol (TLP) color that is suitable for the domain. type: String - contextPath: Domain.ThreatTypes.threatcategory description: The threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc. type: String - contextPath: Domain.ThreatTypes.threatcategoryconfidence description: Threat Category Confidence is the confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware. type: String - contextPath: Domain.Geo.Location description: 'The geolocation where the domain address is located, in the format: latitude:longitude.' type: String - contextPath: Domain.Geo.Country description: The country in which the domain address is located. type: String - contextPath: Domain.Geo.Description description: Additional information about the location. type: String - contextPath: Domain.Tech.Country description: The country of the domain technical contact. type: String - contextPath: Domain.Tech.Name description: The name of the domain technical contact. type: String - contextPath: Domain.Tech.Organization description: The organization of the domain technical contact. type: String - contextPath: Domain.Tech.Email description: The email address of the domain technical contact. type: String - contextPath: Domain.CommunityNotes.note description: Notes on the domain that were given by the community. type: String - contextPath: Domain.CommunityNotes.timestamp description: The time in which the note was published. type: Date - contextPath: Domain.Publications.source description: The source in which the article was published. type: String - contextPath: Domain.Publications.title description: The name of the article. type: String - contextPath: Domain.Publications.link description: A link to the original article. type: String - contextPath: Domain.Publications.timestamp description: The time in which the article was published. type: Date - contextPath: Domain.Billing description: The billing address of the domain. type: String
The following is the format for a URL entity:
"URL": { "Data": "STRING, The URL", "EntityA": "STRING, The source of the relationship.", "EntityB": "STRING, The destination of the relationship.", "Relationship": "STRING, The name of the relationship.", "EntityAType": "STRING, The type of the source of the relationship.", "EntityBType": "STRING, The type of the destination of the relationship.", "Malicious": { "Vendor": "STRING, The vendor reporting the URL as malicious.", "Description": "STRING, A description of the malicious URL." }, "DetectionEngines": "NUMBER, The total number of engines that checked the indicator.", "PositiveDetections": "NUMBER, The number of engines that positively detected the indicator as malicious.", "Category": "STRING, The category associated with the indicator.", "Tags": "STRING, Tags of the URL.", "FeedRelatedIndicators": { "value": "STRING, Indicators that are associated with the URL.", "type": "STRING, The type of the indicators that are associated with the URL", "description": "STRING, The description of the indicators that are associated with the URL." }, "MalwareFamily": "STRING, The malware family associated with the URL.", "Port": "STRING, Ports that are associated with the URL.", "Internal": "STRING, Whether or not the URL is internal or external.", "Campaign": "STRING, The campaign associated with the URL.", "TrafficLightProtocol": "STRING, The Traffic Light Protocol (TLP) color that is suitable for the URL.", "ThreatTypes": { "threatcategory": "STRING, The threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc.", "threatcategoryconfidence": "STRING, Threat Category Confidence is the confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware." }, "ASN": "STRING, The autonomous system name for the URL, for example: 'AS8948'.", "ASOwner": "STRING, The autonomous system owner of the URL.", "Geo": { "Country": "STRING, The country in which the URL is located." }, "Organization": "STRING, The organization of the URL.", "CommunityNotes": { "note": "STRING, Notes on the URL that were given by the community.", "timestamp": "DATE, The time in which the note was published." }, "Publications": { "source": "STRING, The source in which the article was published.", "title": "STRING, The name of the article.", "link": "STRING, A link to the original article.", "timestamp": "DATE, The time in which the article was published." } }
In YAML
outputs: - contextPath: URL.Data description: The URL type: String - contextPath: URL.Relationships.EntityA description: The source of the relationship. type: string - contextPath: URL.Relationships.EntityB description: The destination of the relationship. type: string - contextPath: URL.Relationships.Relationship description: The name of the relationship. type: string - contextPath: URL.Relationships.EntityAType description: The type of the source of the relationship. type: string - contextPath: URL.Relationships.EntityBType description: The type of the destination of the relationship. type: string - contextPath: URL.DetectionEngines description: The total number of engines that checked the indicator. type: String - contextPath: URL.PositiveDetections description: The number of engines that positively detected the indicator as malicious. type: String - contextPath: URL.Category description: The category associated with the indicator. type: String - contextPath: URL.Malicious.Vendor description: The vendor reporting the URL as malicious. type: String - contextPath: URL.Malicious.Description description: A description of the malicious URL. type: String - contextPath: URL.Tags description: (List) Tags of the URL. type: Unknown - contextPath: URL.FeedRelatedIndicators.value description: Indicators that are associated with the URL. type: String - contextPath: URL.FeedRelatedIndicators.type description: The type of the indicators that are associated with the URL. type: String - contextPath: URL.FeedRelatedIndicators.description description: The description of the indicators that are associated with the URL. type: String - contextPath: URL.MalwareFamily description: The malware family associated with the URL. type: String - contextPath: URL.Port description: Ports that are associated with the URL. type: String - contextPath: URL.Internal description: Whether or not the URL is internal or external. type: Bool - contextPath: URL.Campaign description: The campaign associated with the URL. type: String - contextPath: URL.TrafficLightProtocol description: The Traffic Light Protocol (TLP) color that is suitable for the URL. type: String - contextPath: URL.ThreatTypes.threatcategory description: The threat category associated to this indicator by the source vendor. For example, Phishing, Control, TOR, etc. type: String - contextPath: URL.ThreatTypes.threatcategoryconfidence description: Threat Category Confidence is the confidence level provided by the vendor for the threat type category For example a confidence of 90 for threat type category 'malware' means that the vendor rates that this is 90% confidence of being a malware. type: String - contextPath: URL.ASN description: "The autonomous system name for the URL, for example: 'AS8948'." type: String - contextPath: URL.ASOwner description:The autonomous system owner of the URL. type: String - contextPath: URL.GeoCountry description: The country in which the URL is located. type: String - contextPath: URL.Organization description:The organization of the URL. type: String - contextPath: URL.CommunityNotes.note description: Notes on the URL that were given by the community. type: String - contextPath: URL.CommunityNotes.timestamp description: The time in which the note was published. type: Date - contextPath: URL.Publications.source description: The source in which the article was published. type: String - contextPath: URL.Publications.title description: The name of the article. type: String - contextPath: URL.Publications.link description: A link to the original article. type: String - contextPath: URL.Publications.timestamp description: The time in which the article was published. type: Date
The following is the format for a CVE:
"CVE": { "ID": "STRING, The ID of the CVE, for example: CVE-2015-1653", "EntityA": "STRING, The source of the relationship.", "EntityB": "STRING, The destination of the relationship.", "Relationship": "STRING, The name of the relationship.", "EntityAType": "STRING, The type of the source of the relationship.", "EntityBType": "STRING, The type of the destination of the relationship.", "CVSS": "STRING, The CVSS of the CVE, for example: 10.0", "Published": "DATE, The timestamp of when the CVE was published.", "Modified": "DATE, The timestamp of when the CVE was last modified.", "Description": "STRING, A description of the CVE." }
In YAML
outputs: - contextPath: CVE.ID description: 'The ID of the CVE, for example: CVE-2015-1653' type: String - contextPath: CVE.Relationships.EntityA description: The source of the relationship. type: string - contextPath: CVE.Relationships.EntityB description: The destination of the relationship. type: string - contextPath: CVE.Relationships.Relationship description: The name of the relationship. type: string - contextPath: CVE.Relationships.EntityAType description: The type of the source of the relationship. type: string - contextPath: CVE.Relationships.EntityBType description: The type of the destination of the relationship. type: string - contextPath: CVE.CVSS description: 'The CVSS of the CVE, for example: 10.0' type: String - contextPath: CVE.Published description: The timestamp of when the CVE was published. type: Date - contextPath: CVE.Modified description: The timestamp of when the CVE was last modified. type: Date - contextPath: CVE.Description description: A description of the CVE. type: String
The following is the format for a Rule:
"Rule": { "Name": "STRING, The name of the rule.", "Condition": "STRING, The condition for the rule." }
In YAML:
outputs: - contextPath: Rule.Name description: The name of the rule. - contextPath: Rule.Condition description: The condition of the rule.
The following is the format for a DBot Score entry:
"DBotScore": { "Indicator": "The indicator that was tested.", "Type": "The indicator type.", "Vendor": "The vendor used to calculate the score.", "Score": "The actual score.", "Reliability": "Reliability of the source providing the intelligence data." }
In YAML
- contextPath: DBotScore.Indicator description: The indicator that was tested. type: String - contextPath: DBotScore.Type description: The indicator type. type: String - contextPath: DBotScore.Vendor description: The vendor used to calculate the score. type: String - contextPath: DBotScore.Score description: The actual score. type: Number - contextPath: DBotScore.Reliability description: Reliability of the source providing the intelligence data. type: String
The following is the format for an X509 certificate:
"Certificate": { "Name": "STRING, Name (CN or SAN) appearing in the certificate.", "SubjectDN": "STRING, The Subject Distinguished Name of the certificate. This field includes the Common Name of the certificate.", "PEM": "STRING, Certificate in PEM format.", "IssuerDN": "STRING, The Issuer Distinguished Name of the certificate.", "SerialNumber": "STRING, The Serial Number of the certificate.", "ValidityNotAfter": "DATE, End of certificate validity period.", "ValidityNotBefore": "DATE, Start of certificate validity period.", "SubjectAlternativeName": { "Type": "STRING, Type of the SAN.", "Value": "STRING, Name of the SAN." }, "SHA512": "STRING, SHA512 Fingerprint of the certificate in DER format.", "SHA256": "STRING, SHA256 Fingerprint of the certificate in DER format.", "SHA1": "STRING, SHA1 Fingerprint of the certificate in DER format.", "MD5": "STRING, MD5 Fingerprint of the certificate in DER format.", "PublicKey": { "Algorithm": "STRING, Algorithm used for public key of the certificate.", "Length": "NUMBER, Length in bits of the public key of the certificate.", "Modulus": "STRING, Certificate.PublicKey.Modulus", "Exponent": "NUMBER, Exponent of the public key for RSA keys.", "PublicKey": "STRING, The public key for DSA/Unknown keys.", "P": "STRING, The P parameter for DSA keys.", "Q": "STRING, The Q parameter for DSA keys.", "G": "STRING, The G parameter for DSA keys.", "X": "STRING, The X parameter for EC keys.", "Y": "STRING, The Y parameter for EC keys.", "Curve": "STRING, Curve of the Public Key for EC keys.", "Y": "STRING, The Y parameter for EC keys." }, "SPKISHA256": "STRING, SHA256 fingerprint of the certificate Subject Public Key Info.", "Signature": { "Algorithm": "STRING, Algorithm used in the signature of the certificate.", "Signature": "STRING, Signature of the certificate." }, "Extension": { "Critical": "BOOL, Critical flag of the certificate extension.", "OID": "STRING, OID of the certificate extension.", "Name": "STRING, Name of the certificate extension.", "Value": "STRING, Value of the certificate extension." }, "Malicious": { "Vendor": "STRING, The vendor that reported the certificate as malicious.", "Description": "STRING, A description explaining why the certificate was determined to be malicious." } }
In YAML
outputs: - contextPath: Certificate.Name description: Name (CN or SAN) appearing in the certificate. type: String - contextPath: Certificate.SubjectDN description: | The Subject Distinguished Name of the certificate. This field includes the Common Name of the certificate. type: String - contextPath: Certificate.PEM description: Certificate in PEM format. type: String - contextPath: Certificate.IssuerDN description: The Issuer Distinguished Name of the certificate. type: String - contextPath: Certificate.SerialNumber description: The Serial Number of the certificate. type: String - contextPath: Certificate.ValidityNotAfter description: End of certificate validity period. type: Date - contextPath: Certificate.ValidityNotBefore description: Start of certificate validity period. type: Date - contextPath: Certificate.SubjectAlternativeName.Type description: Type of the SAN. type: String - contextPath: Certificate.SubjectAlternativeName.Value description: Name of the SAN. type: String - contextPath: Certificate.SHA512 description: SHA512 Fingerprint of the certificate in DER format. type: String - contextPath: Certificate.SHA256 description: SHA256 Fingerprint of the certificate in DER format. type: String - contextPath: Certificate.SHA1 description: SHA1 Fingerprint of the certificate in DER format. type: String - contextPath: Certificate.MD5 description: MD5 Fingerprint of the certificate in DER format. type: String - contextPath: Certificate.PublicKey.Algorithm description: Algorithm used for public key of the certificate. type: String - contextPath: Certificate.PublicKey.Length description: Length in bits of the public key of the certificate. type: Number - contextPath: Certificate.PublicKey.Modulus description: Modulus of the public key for RSA keys. type: String - contextPath: Certificate.PublicKey.Exponent description: Exponent of the public key for RSA keys. type: Number - contextPath: Certificate.PublicKey.PublicKey description: The public key for DSA/Unknown keys. type: String - contextPath: Certificate.PublicKey.P description: The P parameter for DSA keys. type: String - contextPath: Certificate.PublicKey.Q description: The Q parameter for DSA keys. type: String - contextPath: Certificate.PublicKey.G description: The G parameter for DSA keys. type: String - contextPath: Certificate.PublicKey.X description: The X parameter for EC keys. type: String - contextPath: Certificate.PublicKey.Y description: The Y parameter for EC keys. type: String - contextPath: Certificate.PublicKey.Curve description: Curve of the Public Key for EC keys. type: String - contextPath: Certificate.SPKISHA256 description: SHA256 fingerprint of the certificate Subject Public Key Info. type: String - contextPath: Certificate.Signature.Algorithm description: Algorithm used in the signature of the certificate. type: String - contextPath: Certificate.Signature.Signature description: Signature of the certificate. type: String - contextPath: Certificate.Extension.Critical description: Critical flag of the certificate extension. type: Bool - contextPath: Certificate.Extension.OID description: OID of the certificate extension. type: String - contextPath: Certificate.Extension.Name description: Name of the certificate extension. type: String - contextPath: Certificate.Extension.Value description: Value of the certificate extension. type: Unknown - contextPath: Certificate.Malicious.Vendor description: The vendor that reported the file as malicious. type: String - contextPath: Certificate.Malicious.Description description: A description explaining why the file was determined to be malicious. type: String