{
  "entries": [
    {
      "key": "IPHeader",
      "label": "IP Address",
      "type": "IpAddress"
    },
    {
      "key": "DomainHeader",
      "label": "Domain",
      "type": "InternetDomainName"
    },
    {
      "key": "HashHeader",
      "label": "Hash",
      "type": "Hash"
    },
    {
      "key": "threatScore",
      "label": "Threat Score",
      "type": "integer"
    },
    {
      "key": "sha256",
      "label": "SHA256",
      "type": "Hash"
    },
    {
      "key": "sha1",
      "label": "SHA1",
      "type": "Hash"
    },
    {
      "key": "md5",
      "label": "MD5",
      "type": "Hash"
    },
    {
      "key": "magicType",
      "label": "Magic Type",
      "type": "text"
    },
    {
      "key": "size",
      "label": "Size",
      "type": "text"
    },
    {
      "key": "firstSeen",
      "label": "First Seen",
      "type": "datetime"
    },
    {
      "key": "avresults",
      "label": "AV Results",
      "type": "list",
      "collapse": false,
      "item": {
        "type": "text"
      }
    },
    {
      "key": "behaviors",
      "label": "Behavioral Indicators",
      "type": "list",
      "collapse": true,
      "item": {
        "type": "dict",
        "entries": [
          {
            "key": "title",
            "label": "Indicator",
            "type": "text"
          },
          {
            "key": "name",
            "label": "Note",
            "type": "text"
          },
          {
            "key": "category",
            "label": "Category",
            "type": "text"
          },
          {
            "key": "severity",
            "label": "Severity",
            "type": "integer"
          },
          {
            "key": "confidence",
            "label": "Confidence",
            "type": "integer"
          }
        ]
      }
    },
    {
      "key": "connections",
      "label": "Network Connections",
      "type": "list",
      "collapse": true,
      "item": {
        "type": "dict",
        "entries": [
          {
            "key": "dest_host",
            "label": "Destination host",
            "type": "InternetDomainName"
          },
          {
            "key": "dest_ip",
            "label": "Destination IP",
            "type": "IpAddress"
          },
          {
            "key": "securityCategories",
            "label": "Security Categories",
            "type": "text"
          },
          {
            "key": "threatType",
            "label": "Threat Type",
            "type": "text"
          },
          {
            "key": "firstSeen",
            "label": "First Seen",
            "type": "datetime"
          },
          {
            "key": "lastSeen",
            "label": "Last Seen",
            "type": "datetime"
          },
          {
            "key": "urls",
            "label": "URLs",
            "type": "list",
            "item": {
              "type": "URL"
            }
          }
        ]
      }
    },
    {
      "key": "AS",
      "label": "AS",
      "type": "dict",
      "entries": [
        {
          "key": "cidr",
          "label": "Prefix",
          "type": "text"
        },
        {
          "key": "asn",
          "label": "ASN",
          "type": "ASNumber"
        },
        {
          "key": "description",
          "label": "Network Owner Description",
          "type": "text"
        }
      ]
    },
    {
      "key": "mal_doms_length",
      "label": "# of Malicious Domains",
      "type": "integer"
    },
    {
      "key": "mal_doms",
      "label": "Malicious Domains (max of 20 shown)",
      "type": "list",
      "item": {
        "type": "InternetDomainName"
      }
    },
    {
      "key": "status",
      "label": "Classifier Prediction",
      "type": "text"
    },
    {
      "key": "attack",
      "label": "Associated Attacks",
      "type": "text"
    },
    {
      "key": "ff_candidate",
      "label": "Fast Flux",
      "type": "text"
    },
    {
      "key": "securerank2Range",
      "label": "SecureRank2 Scale",
      "type": "text"
    },
    {
      "key": "asn_scoreRange",
      "label": "ASN Score Range",
      "type": "text"
    },
    {
      "key": "prefix_scoreRange",
      "label": "Prefix Score Range",
      "type": "text"
    },
    {
      "key": "rip_scoreRange",
      "label": "RIP Score Range",
      "type": "text"
    },
    {
      "key": "content_categories",
      "label": "Content Categories",
      "type": "list",
      "item": {
        "type": "text"
      }
    },
    {
      "key": "security_categories",
      "label": "Security Categories",
      "type": "list",
      "item": {
        "type": "text"
      }
    },
    {
      "key": "whois",
      "label": "Whois Record Data",
      "type": "dict",
      "entries": [
        {
          "key": "registrarName",
          "label": "Registrar Name",
          "type": "text"
        },
        {
          "key": "registrarIANAID",
          "label": "IANAID",
          "type": "text"
        },
        {
          "key": "created",
          "label": "Created",
          "type": "date"
        },
        {
          "key": "updated",
          "label": "Updated",
          "type": "date"
        },
        {
          "key": "expires",
          "label": "Expires",
          "type": "date"
        },
        {
          "key": "raw",
          "label": "Link",
          "type": "link"
        },
        {
          "key": "emails",
          "label": "Email Address",
          "type": "list",
          "item": {
            "type": "dict",
            "entries": [
              {
                "key": "entity",
                "label": "Email",
                "type": "EmailAddress"
              },
              {
                "key": "type",
                "label": "Email Type",
                "type": "text"
              }
            ]
          }
        },
        {
          "key": "nameServers",
          "label": "Nameserver",
          "type": "list",
          "item": {
            "type": "InternetDomainName"
          }
        },
        {
          "key": "contactname",
          "label": "Contacts",
          "type": "list",
          "item": {
            "type": "dict",
            "entries": [
              {
                "key": "entity",
                "label": "Contact Name",
                "type": "text"
              },
              {
                "key": "type",
                "label": "Contact Type",
                "type": "text"
              }
            ]
          }
        },
        {
          "key": "address",
          "label": "Address",
          "type": "list",
          "item": {
            "type": "dict",
            "entries": [
              {
                "key": "entity",
                "label": "Address",
                "type": "text"
              },
              {
                "key": "type",
                "label": "Address Type",
                "type": "text"
              }
            ]
          }
        },
        {
          "key": "phone",
          "label": "Phone Number",
          "type": "list",
          "item": {
            "type": "dict",
            "entries": [
              {
                "key": "entity",
                "label": "Phone number",
                "type": "text"
              },
              {
                "key": "type",
                "label": "Phone Type",
                "type": "text"
              }
            ]
          }
        },
        {
          "key": "fax",
          "label": "Fax Number",
          "type": "list",
          "item": {
            "type": "dict",
            "entries": [
              {
                "key": "entity",
                "label": "Fax number",
                "type": "text"
              },
              {
                "key": "type",
                "label": "Fax Type",
                "type": "text"
              }
            ]
          }
        }
      ]
    },
    {
      "key": "hash",
      "label": "Associated Samples (max of 20 shown), powered by Cisco AMP Threat Grid",
      "type": "list",
      "collapse": true,
      "item": {
        "type": "dict",
        "entries": [
          {
            "key": "threatScore",
            "label": "Threat Score",
            "type": "integer"
          },
          {
            "key": "sha256",
            "label": "SHA256",
            "type": "Hash"
          },
          {
            "key": "avresults",
            "label": "AV Results",
            "type": "list",
            "item": {
              "type": "text"
            }
          }
        ]
      }
    },
    {
      "key": "features",
      "label": "Features",
      "type": "dict",
      "collapse": true,
      "entries": [
        {
          "key": "known",
          "label": "Known domains hosted at this IP",
          "type": "integer"
        },
        {
          "key": "ld2_count",
          "label": "LD2 domains count",
          "type": "integer"
        },
        {
          "key": "ld3_count",
          "label": "LD3 domains count",
          "type": "integer"
        },
        {
          "key": "ld2_1_count",
          "label": "LD2-1 domains count",
          "type": "integer"
        },
        {
          "key": "ld2_2_count",
          "label": "LD2-2 domains count",
          "type": "integer"
        },
        {
          "key": "div_ld2",
          "label": "LD2 domains diversity",
          "type": "text"
        },
        {
          "key": "div_ld3",
          "label": "LD3 domains diversity",
          "type": "text"
        },
        {
          "key": "div_ld2_1",
          "label": "LD2-1 domains diversity",
          "type": "text"
        },
        {
          "key": "div_ld2_2",
          "label": "LD2-2 domains diversity",
          "type": "text"
        },
        {
          "key": "ttls_min",
          "label": "TTLs min",
          "type": "text"
        },
        {
          "key": "ttls_max",
          "label": "TTLs max",
          "type": "text"
        },
        {
          "key": "ttls_mean",
          "label": "TTLs mean",
          "type": "text"
        },
        {
          "key": "ttls_median",
          "label": "TTLs median",
          "type": "text"
        },
        {
          "key": "ttls_stddev",
          "label": "TTLs standard deviation",
          "type": "text"
        },
        {
          "key": "country_codes",
          "label": "Country codes",
          "type": "list",
          "item": {
            "type": "text"
          }
        },
        {
          "key": "country_count",
          "label": "Country count",
          "type": "text"
        },
        {
          "key": "asns",
          "label": "ASNs",
          "type": "list",
          "item": {
            "type": "ASNumber"
          }
        },
        {
          "key": "asns_count",
          "label": "ASNs count",
          "type": "text"
        },
        {
          "key": "prefixes",
          "label": "Prefixes",
          "type": "list",
          "item": {
            "type": "IpAddress"
          }
        },
        {
          "key": "prefixes_count",
          "label": "Prefixes count",
          "type": "text"
        },
        {
          "key": "rips",
          "label": "RIPs",
          "type": "text"
        },
        {
          "key": "div_rips",
          "label": "RIPs diversity",
          "type": "text"
        },
        {
          "key": "locations_count",
          "label": "Locations count",
          "type": "text"
        },
        {
          "key": "geo_distance_sum",
          "label": "Sum geo distance",
          "type": "text"
        },
        {
          "key": "geo_distance_mean",
          "label": "Mean geo distance",
          "type": "text"
        },
        {
          "key": "non_routable",
          "label": "Non-routable",
          "type": "text"
        },
        {
          "key": "mail_exchanger",
          "label": "Mail exchanger",
          "type": "text"
        },
        {
          "key": "ff_candidate",
          "label": "Fast flux candidate",
          "type": "text"
        }
      ]
    },
    {
      "key": "security",
      "label": "Security Features",
      "type": "dict",
      "collapse": true,
      "entries": [
        {
          "key": "securerank2",
          "label": "SecureRank 2 (rescaled)",
          "type": "text"
        },
        {
          "key": "pagerank",
          "label": "PageRank",
          "type": "text"
        },
        {
          "key": "asn_score",
          "label": "ASN score",
          "type": "text"
        },
        {
          "key": "prefix_score",
          "label": "Prefix score",
          "type": "text"
        },
        {
          "key": "rip_score",
          "label": "RIP score",
          "type": "text"
        },
        {
          "key": "popularity",
          "label": "Popularity",
          "type": "text"
        },
        {
          "key": "geodiversity",
          "label": "Requester geo distribution",
          "type": "list",
          "collapse": true,
          "item": {
            "type": "text"
          }
        },
        {
          "key": "",
          "label": "Requester geo distribution (normalized)",
          "type": "list",
          "collapse": true,
          "item": {
            "type": "text"
          }
        }
      ]
    },
    {
      "key": "dga",
      "label": "DGA",
      "type": "dict",
      "collapse": true,
      "entries": [
        {
          "key": "dga_score",
          "label": "DGA score (rescaled)",
          "type": "text"
        },
        {
          "key": "perplexity",
          "label": "Perplexity score (rescaled)",
          "type": "text"
        },
        {
          "key": "entropy",
          "label": "Entropy",
          "type": "text"
        }
      ]
    },
    {
      "key": "dns_rr",
      "label": "IP Addresses",
      "type": "list",
      "collapse": true,
      "item": {
        "type": "dict",
        "label_key": "label",
        "item": {
          "key": "data",
          "type": "list",
          "item": {
            "type": "dict",
            "entries": [
              {
                "key": "first_seen",
                "label": "First Seen",
                "type": "date"
              },
              {
                "key": "last_seen",
                "label": "Last Seen",
                "type": "date"
              },
              {
                "key": "IPs",
                "label": "IPs",
                "type": "list",
                "collapse": false,
                "item": {
                  "type": "dict",
                  "entries": [
                    {
                      "key": "ip",
                      "label": "IP Address",
                      "type": "IpAddress"
                    },
                    {
                      "key": "ttl",
                      "label": "TTL",
                      "type": "integer"
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    },
    {
      "key": "cooccur",
      "label": "Co-occurrences",
      "type": "list",
      "item": {
        "type": "dict",
        "entries": [
          {
            "key": "co_domain",
            "label": "Domain",
            "type": "InternetDomainName"
          },
          {
            "key": "score",
            "label": "Score",
            "type": "text"
          }
        ]
      }
    },
    {
      "key": "rrs",
      "label": "Known domains hosted at this IP (max of 20 shown)",
      "type": "list",
      "item": {
        "type": "InternetDomainName"
      }
    },
    {
      "key": "investigate_link",
      "label": "For Additional Information",
      "type": "link"
    }
  ]
}



