Threat Intelligence

Threat Intelligence is a searchable entity at the top of Query's UI.

threat_intelligence

Insights from threat intelligence platforms


Attributes

Caption            Name        Type        Is Array  Requirement  Default  Description
Provider           provider    String                required              Threat intelligence data provider name, e.g. AlienVaultOTX
Raw Data           raw_data    JSON                                        The event data as received from the event source.
Record ID          record_id   String                required              Unique identifier for the object
Reputation Scores  reputation  Reputation            optional              Reputation score as reported by the provider
Type ID            type_id     Integer               required     0        Type of entity for which threat info is provided, e.g. IP (see the value list below)
Unmapped Data      unmapped    Unmapped    true                             The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
Value              value       String                required              Entity value for which threat info is provided

Type ID values:

0   Unknown  The type is unknown.
1   IP
2   Domain
3   Url
4   Hash
99  Other    The type is not mapped. See the sibling type attribute, which contains a data source specific value.


JSON

{
  "attributes": {
    "type_id": {
      "default": 0,
      "caption": "Type ID",
      "description": "Type of entity for which threat info is provided e.g. IP",
      "sibling": "type",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The type is unknown."
        },
        "99": {
          "caption": "Other",
          "description": "The type is not mapped. See the <code>type</code> attribute, which contains a data source specific value."
        },
        "1": {
          "caption": "IP"
        },
        "2": {
          "caption": "Domain"
        },
        "3": {
          "caption": "Url"
        },
        "4": {
          "caption": "Hash"
        }
      },
      "requirement": "required"
    },
    "provider": {
      "description": "Threat intelligence data provider name e.g. AlienVaultOTX",
      "requirement": "required",
      "caption": "Provider",
      "type": "string_t"
    },
    "reputation": {
      "description": "Reputation score as reported by provider",
      "requirement": "optional",
      "caption": "Reputation Scores",
      "type": "reputation"
    },
    "value": {
      "description": "Entity value for which threat info is provided",
      "requirement": "required",
      "caption": "Value",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  },
  "extension": "query",
  "description": "Insights from threat intelligence platforms",
  "caption": "Threat Intelligence",
  "name": "threat_intelligence",
  "extends": "object"
}
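The schema above says which attributes are required, which one carries a default, which one is an array, and which enum values type_id may take, but a consumer still has to enforce that before trusting a record. The following is an added example, not Query's own code: a validator and normalizer for threat_intelligence objects built from the attribute definitions on this page. The shape of the reputation and unmapped object types is not defined here, so they are only checked to be JSON objects (an assumption), and the per-type plausibility check on value (an IP must parse as an IP, a hash must be hex of a known digest length) is a consumer-side addition the schema itself does not mandate.

```python
"""Validate and normalize threat_intelligence objects against the Query
extension schema reproduced on this page (added example, not Query's code)."""
import ipaddress
import re
from urllib.parse import urlparse

# Attribute definitions from the JSON above, trimmed to what validation needs
# (constructed inline so this runs offline).
ATTRIBUTES = {
    "type_id":    {"type": "integer_t", "requirement": "required", "default": 0,
                   "sibling": "type",
                   "enum": {0: "Unknown", 1: "IP", 2: "Domain", 3: "Url", 4: "Hash", 99: "Other"}},
    "provider":   {"type": "string_t", "requirement": "required"},
    "reputation": {"type": "reputation", "requirement": "optional"},
    "value":      {"type": "string_t", "requirement": "required"},
    "raw_data":   {"type": "json_t"},
    "record_id":  {"type": "string_t", "requirement": "required"},
    "unmapped":   {"type": "unmapped", "is_array": True},
}

# Python representations of the schema types. 'reputation' and 'unmapped' are
# object types whose fields this page does not define, so a dict is accepted
# for them without further checks (assumption).
PY_TYPES = {
    "integer_t": int, "string_t": str,
    "json_t": (dict, list, str, int, float, bool),
    "reputation": dict, "unmapped": dict,
}

# MD5 / SHA-1 / SHA-256 / SHA-512 hex digest lengths
HEX_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def value_plausible(type_id, value):
    """Consumer-side check that 'value' looks like the entity type it claims.
    Not required by the schema; a feed that labels a domain as an IP is a data bug."""
    if type_id == 1:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return False
        return True
    if type_id == 2:
        return DOMAIN_RE.match(value) is not None
    if type_id == 3:
        parsed = urlparse(value)
        return parsed.scheme in ("http", "https") and bool(parsed.netloc)
    if type_id == 4:
        return HEX_HASH_RE.match(value) is not None
    return True  # Unknown (0) / Other (99) / unlisted: nothing to check here


def validate(record):
    """Return a list of problems with 'record'; an empty list means it conforms."""
    problems = []
    siblings = {spec["sibling"] for spec in ATTRIBUTES.values() if "sibling" in spec}

    for name, spec in ATTRIBUTES.items():
        if name not in record:
            # a required attribute with a default (type_id) may be omitted
            if spec.get("requirement") == "required" and "default" not in spec:
                problems.append(f"missing required attribute '{name}'")
            continue
        val = record[name]
        if spec.get("is_array"):
            if not isinstance(val, list) or not all(isinstance(x, PY_TYPES[spec["type"]]) for x in val):
                problems.append(f"'{name}' must be an array of {spec['type']}")
            continue
        # bool is a subclass of int in Python; reject True/False for integer_t
        if not isinstance(val, PY_TYPES[spec["type"]]) or (spec["type"] == "integer_t" and isinstance(val, bool)):
            problems.append(f"'{name}' must be of type {spec['type']}")
            continue
        if "enum" in spec and val not in spec["enum"]:
            problems.append(f"'{name}' value {val!r} not in enum {sorted(spec['enum'])}")

    for name in record:
        if name not in ATTRIBUTES and name not in siblings:
            problems.append(f"unexpected attribute '{name}' (source-specific fields belong in 'unmapped')")

    type_id = record.get("type_id", ATTRIBUTES["type_id"]["default"])
    if type_id == 99 and not record.get("type"):
        problems.append("type_id 99 (Other) needs the sibling 'type' attribute with the source-specific value")
    if isinstance(type_id, int) and isinstance(record.get("value"), str) and not value_plausible(type_id, record["value"]):
        problems.append(f"value {record['value']!r} is not a valid {ATTRIBUTES['type_id']['enum'].get(type_id)}")
    return problems


def normalize(record):
    """Apply schema defaults and return a new dict; raise ValueError if the record is invalid."""
    problems = validate(record)
    if problems:
        raise ValueError("; ".join(problems))
    out = dict(record)
    out.setdefault("type_id", ATTRIBUTES["type_id"]["default"])
    return out


if __name__ == "__main__":
    # constructed sample record; the hash is the MD5 of the empty string
    sample = {"record_id": "otx-1", "provider": "AlienVaultOTX", "type_id": 4,
              "value": "d41d8cd98f00b204e9800998ecf8427e", "reputation": {"score": 90}}
    print(validate(sample), normalize(sample)["type_id"])
```

Run validate() on every record before it is indexed or joined against other entities; a record with a type_id outside the enum, or a value that does not parse as the type it claims, should be quarantined rather than silently defaulted, because the search in the UI keys on type_id and value.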