Domain Threat Intelligence
Domain Threat Intelligence is a searchable entity at the top of Query's UI.
domain_intelligence
Insights from threat intelligence platforms about domains
Contents
Attributes
| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Details | details | String | Details about the IP address. | ||
| DNS Entries | dns_entries | DNS Answer | The Domain Name System (DNS) entries from passive DNS logs or a direct query for enrichment. | ||
| Domain | domain | String | The name of the domain. | ||
| Domain Information | domain_info | Domain Information | The registration information pertaining to a domain. | ||
| Findings | findings | Finding | The findings from threat intelligence platforms | ||
| Labels | labels | String | The labels or tags in the intelligence. | ||
| Raw Data | raw_data | JSON | The event data as received from the event source. | ||
| Record ID | record_id | String | Unique identifier for the object | ||
| Additional references for more information. | references | String | A list of reference URLs supporting the finding/detection. | ||
| Reputations | reputations | Reputation | Reputation score as reported by provider | ||
| Unmapped Data | unmapped | Unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | ||
| Vendor Name | vendor_name | String | The vendor that provided the intelligence. |
References
Referenced By
Context
JSON
{
"attributes": {
"domain_info": {
"description": "The registration information pertaining to a domain.",
"type": "domain_info",
"caption": "Domain Information",
"requirement": "optional"
},
"domain": {
"requirement": "optional",
"caption": "Domain",
"description": "The name of the domain.",
"type": "string_t"
},
"dns_entries": {
"requirement": "optional",
"caption": "DNS Entries",
"description": "The Domain Name System (DNS) entries from passive DNS logs or a direct query for enrichment.",
"is_array": true,
"type": "dns_answer"
},
"vendor_name": {
"description": "The vendor that provided the intelligence.",
"requirement": "optional",
"caption": "Vendor Name",
"type": "string_t"
},
"references": {
"caption": "Additional references for more information.",
"requirement": "optional",
"description": "A list of reference URLs supporting the finding/detection.",
"type": "string_t",
"is_array": true
},
"reputations": {
"description": "Reputation score as reported by provider",
"requirement": "optional",
"caption": "Reputations",
"is_array": true,
"type": "reputation"
},
"findings": {
"description": "The findings from threat intelligence platforms",
"requirement": "optional",
"caption": "Findings",
"type": "finding",
"is_array": true
},
"labels": {
"description": "The labels or tags in the intelligence.",
"requirement": "optional",
"caption": "Labels",
"type": "string_t",
"is_array": true
},
"details": {
"description": "Details about the IP address.",
"requirement": "optional",
"caption": "Details",
"type": "string_t"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
}
},
"extension": "query",
"description": "Insights from threat intelligence platforms about domains",
"caption": "Domain Threat Intelligence",
"name": "domain_intelligence",
"extends": "_base_threat_intelligence"
}