References - Platform Standard Attributes

Overview

This page provides a standard list of attributes available within the ThreatConnect Platform.

Currently, this list reflects ThreatConnect Platform version 6.1.

Standard Attributes Table

Attribute Name

Attribute Description

Attribute Field/Object Size

Applicable ThreatConnect Data Model Objects

Additional Information

Allows Markdown?

Additional Analysis and Context

Relevant research and analysis associated with this Indicator, Signature, or Activity Group. Can be internal analysis or links to published articles, whitepapers, websites, or any reference providing amplifying information or geo-political context.

64K

ASN
Address
Adversary
CIDR
Campaign
Email
EmailAddress
Event
File
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent
Victim

Please enter valid Additional Analysis and Context.

True

Admiralty Code

The Admiralty System is a method for evaluating collected items of intelligence.

2 characters

ASN
Address
Adversary
Campaign
Email
EmailAddress
Event
File
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent

Please enter a valid Admiralty Code.

False

Adversary Motivation Type

Select an overall motivation.

21 characters

Adversary
Campaign
Document
Incident
Intrusion Set
Report
Threat

Please enter a valid Adversary Motivation Type.

False

Adversary Origin & Source

The observed and/or assumed attacker origin or source.

500 characters

Adversary
Campaign
Email
Incident
Report
Threat

Please enter an observed and/or assumed attacker origin or source.

True

Adversary Type

The type of Adversary.

50 characters

Adversary

Please enter a valid Adversary Type: Group, Persona

False

Aliases

Other names used to refer to this entity.

500 characters

Adversary
Campaign
Intrusion Set
Threat

Please enter a valid Aliases.

True

AMA Signature

Text string returned by an AMA for structural or behavioral signatures triggered by the file sample.

500 characters

File

Please enter a valid Signature of 500 characters or fewer.

False

Archive Password

Password for Malware Documents

255 characters

Document

Please input password. Default password is "TCInfected".

False

Attribution Assessment

Attribution of Threat activity to a given person, group, or entity.

500 characters

Campaign
Email
Incident
Intrusion Set
Report
Signature
Threat

Please enter a valid Attribution Assessment.

False

Attribution Confidence

Confidence of attribution of Threat activity to a given person, group, or entity.

5 characters

Campaign
Email
Incident
Intrusion Set
Report
Signature
Threat

Please enter a valid attribution confidence with a value 0-100.

False

Autonomous System Name

The Autonomous System Name for this ASN.

250 characters

ASN

Please enter a valid Autonomous System Name.

False

AV Scanner Results

Markdown-formatted antivirus scanner results from an AV scanner bank.

8K

File
Incident

Please check that your AV scanner results are fewer than 8192 characters.

True

AV Scan Timestamp

The timestamp when this file was most recently scanned by AV engines. Example: 2017-05-03T14:38:02Z

20 characters

File

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

Bitcoin Address

Bitcoin wallet address.

34 characters

Adversary
File
Host
Threat

Check that the bitcoin address is the correct format.

False

Body Type

The Body Type of this Email.

250 characters

Email

Please enter a valid Body Type.

False

Campaign Objective

Defines the Campaign’s primary goal, objective, desired outcome, or intended effect.

500 characters

Campaign

Please enter a valid Campaign Objective.

False

Capabilities

Overview of Threat or Adversary capabilities.

500 characters

Adversary
Intrusion Set
Threat

Please enter a valid capabilities.

True

Code Page

Code page is a table of values that describes the character set used for encoding a particular set of characters. Code page here is an integer 1-65520 referencing this table.

5 characters

File

Please enter a valid code page 1-65520.

False

Collection Location

Location in the email header or body where an email address indicator was collected.

13 characters

EmailAddress

Please enter a valid collection location: Body, Reply-To, From, Sender, Envelope-from, or Return-Path.

False

Compiler

The compiler used for this File.

300 characters

File

Please enter a valid Compiler.

True

Compiler Language

The compiler language of this File.

100 characters

File

Please enter a valid Compiler Language.

True

Confidence

Characterizes the level of confidence held in the characterization of this Campaign or Signature.

7 characters

Campaign
Signature

Please enter a valid Confidence: High, Medium, Low, None, Unknown

False

Course of Action Desired Effect

Select a desired effect on the Adversary operations.

7 characters

Adversary
Campaign
Email
Event
Incident
Report
Signature

Please enter a valid effect: Deny, Degrade, Deceive, Disrupt, or Destroy.

False

Course of Action Effectiveness

Select how effective the Course of Action was.

20 characters

Adversary
Campaign
Email
Incident
Report
Signature
Threat

Please enter a valid COA Effect: No Effect, Low Effect, Moderately Effective, Highly Effective, or Extremely Effective.

False

Course of Action Recommendation

Recommend a Course of Action.

64K

Adversary
Campaign
Email
Incident
Report
Signature
Threat

Please enter a valid Course of Action Recommendation.

True

Course of Action Taken

Describe the Course of Action Taken.

500 characters

Adversary
Campaign
Email
Incident
Report
Signature
Threat

Please enter a valid Course of Action.

True

Created Date Time

Date and time when this STIX Campaign object was created.

255 characters

Campaign
Intrusion Set

Please enter a valid Created Date Time: YYYY/MM/DD HH:mm:ss

False

Creation Timestamp

The time and date this document or file was created. Example: 2017-05-03T14:38:02Z

20 characters

File

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

Date of Discovery

Select the date when the Event, Incident, Threat, or Adversary was discovered.

25 characters

ASN
Adversary
CIDR
Campaign
Email
Event
Incident
Mutex
Registry Key
Report
Threat
User Agent

Please enter a valid date in YYYY/MM/DD format.

False

Debug Symbol Path

Path to the Windows debugging symbol file. Found in the debug info of a PE file.

500 characters

File

Please check the format and that the length is 500 characters or less.

False

Deployment Status

Enter any sensors or hosts this signature is deployed to.

500 characters

Signature

Please enter a valid deployment status.

False

Description

A general description. There may be several descriptions from various sources. Check the Default checkbox above to make this description the default.

100K

ASN
Address
Adversary
CIDR
Campaign
Document
Email
Email Subject
EmailAddress
Event
File
Hashtag
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Task
Threat
Url
User Agent
Victim

Please enter a valid description.

True

Detection Percentage

The percentage of AV engines that are detecting the file as malicious.

3 characters

File
Incident

Please enter a valid detection percentage between 0 and 100.

False

Detection Ratio

This type is a ratio of positive AV scanner results to the total number of scanners with which the sample was checked.

7 characters

File
Incident

Please input a valid detection ratio value. Maximum is 100/100.

False

Dll Name

When present, this is the Name field in the Export Directory struct of a PE file.

100 characters

File

Please enter the dll name extracted from PE file.

False

Document Author

Author field from the document metadata.

100 characters

File

Please check the input length for document author is 100 characters or fewer.

False

Document Company

Company field from the document metadata.

100 characters

File

Please check the input length for document company is 100 characters or fewer.

False

Document Creation Tool

Software tool used to create this document, if available.

100 characters

File

Please check the input length for document creation tool is 100 characters or fewer.

False

Document Description

Description field from document metadata.

100 characters

File

Please check the input length for document description is 100 characters or fewer.

False

Document Last Modified By

Name of the last individual to modify this document from metadata.

100 characters

File

Please check the input length for document last modified by is 100 characters or fewer.

False

Document Subject

Subject of the document from metadata.

100 characters

File

Please check the input length for document subject is 100 characters or fewer.

False

Document Title

Title of the document from metadata.

100 characters

File

Please check the input length for document title is 100 characters or fewer.

False

EmailAddress Usage

Select the Tactics, Techniques, and Procedures (TTPs) the Adversary used in relation to this Email Address.

26 characters

EmailAddress

Please enter a valid option: Phishing Email Sender, Command and Control, Personal Email Account, Professional Email Account, Domain Registrant, Drop Email.

False

Entropy

Overall Shannon entropy of a file.

4 characters

File

Please enter the file entropy as a decimal number to the precision of 2 (1.02) and a maximum of 8.00.

False

Entry Point

Location where control is transferred from the operating system to a computer program, at which place the processor enters a program or a code fragment and execution begins.

8 characters

File

Please enter a valid entry point that is a 32-bit lowercase hex string (8 characters).

False

Event End Date

The end date of the event reported in this Incident. Example: 2017-05-03T14:38:02Z

100 characters

Incident

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

Event Log

Logs that pertain to an event.

100K

Event

Please enter a valid event log.

False

Events

Notable events this indicator was observed in.

500 characters

Address
Campaign
EmailAddress
File
Host
Url

Please enter a valid Event.

False

External Date Created

The External timestamp of when this resource was Created. Example: 2017-05-03T14:38:02Z

100 characters

ASN
Address
Adversary
CIDR
Campaign
Document
Email
EmailAddress
Event
File
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

External Date Expires

The External timestamp of when this resource will expire. Example: 2017-05-03T14:38:02Z

100 characters

ASN
Address
Adversary
CIDR
Campaign
Document
Email
EmailAddress
Event
File
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

External Date Last Modified

The External timestamp of when this resource was Last Modified. Example: 2017-05-03T14:38:02Z

100 characters

ASN
Address
Adversary
CIDR
Campaign
Document
Email
EmailAddress
Event
File
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

External ID

ID used by system outside of ThreatConnect.

255 characters

ASN
Address
Adversary
CIDR
Campaign
Document
Email
EmailAddress
Event
File
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Task
Threat
Url
User Agent
Victim

Please enter an External ID of 255 characters or less.

False

External References

Specifies a list of external references which refers to non-STIX information.

500 characters

Campaign
Intrusion Set
Report

Please enter a valid External References.

False

File Type

File type as determined by libmagic or the file command.

500 characters

Document
File

Please enter a File Type of 500 characters or fewer.

False

First Seen

The timestamp of when this indicator or activity was first seen. Example: 2017-05-03T14:38:02Z

20 characters

ASN
Address
Adversary
CIDR
Campaign
EmailAddress
Event
File
Host
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

First Seen Timestamp Precision

The precision of the First Seen timestamp.

50 characters

Campaign

Please enter a valid First Seen Timestamp Precision.

False

Frequency

How frequently this event or activity occurs.

9 characters

Event

Please enter a valid frequency: Often, Sometimes, Rarely.

False

Granular Markings

Specifies a list of granular markings applied to this.

100 characters

Campaign
Intrusion Set
Report

Please enter a valid Granular Markings.

False

Hashtag

A hashtag associated to this activity.

280 characters

Adversary
Campaign
Incident

Please enter a valid Hashtag.

False

HTTP Request Header

HTTP request header text.

100K

Address
Adversary
Campaign
File
Host
Threat
Url

Please check the length of the input and that it follows RFC 7230. https://tools.ietf.org/html/rfc7230

False

HTTP Response Header

HTTP response header text.

100K

Address
Host
Url

Please check the length of the input and that it follows RFC 7230. https://tools.ietf.org/html/rfc7230

False

iDefense History

The history of this fundamental within Accenture iDefense.

500 characters

ASN
Address
Adversary
Campaign
Email
EmailAddress
Event
File
Host
Incident
Mutex
Registry Key
Report
Signature
Threat
Url

Please enter a valid iDefense History.

True

Impact of Adversary Activity

Select the impact of the Incident or Activity.

8 characters

Campaign
Email
Incident
Intrusion Set
Report

Please enter a valid impact: None, Low, Medium, High, Critical.

False

Import Hash

A hash based on library/API names and their specific order within the executable's Import Address Table (IAT).

32 characters

File

Please enter a valid import hash that is a 128-bit hex string.

False

Incident Type

The type of Incident or Campaign.

50 characters

Campaign
Incident

Please enter a valid Incident Type.

False

Infrastructure Ownership

Select ownership details of the Infrastructure (IP Address, Domain Name, URL, etc) used in an Adversary operation.

19 characters

Address
EmailAddress
Host
Url

Please enter valid infrastructure ownership details: Adversary Owned, Adversary Leased, Adversary Subverted

False

Intelligence Report Type

The type of iDefense Intelligence Report.

10 characters

Report

Please enter a valid Intelligence Report Type: Blog, Report

False

Intended Effect

The intended effect of a campaign.

40 characters

Campaign

Please enter a valid Intended Effect.

False

Intent

Intent of the Adversary in this activity.

64K

Campaign
Email
Incident
Intrusion Set
Report

Please enter a valid Intent.

False

IP and Host Usage

Select Tactics, Techniques, and Procedures of the Adversary used with this IP or Host.

21 characters

Address
Host

Options: C2,Tool Server,Web Hosted Exploit,Remote Exploit,Vulnerability Scan,Exfiltration Point,Adversary Source Host,Phishing Mailserver,Dynamic DNS Host,Sinkhole,Phishing Origin,Phishing Relay,Parking,Malware Hosting,Phishing Site,Infected Node,Other

False

Labels

Labels for this object.

100 characters

Campaign
Intrusion Set
Report

Please enter a valid Labels.

False

Languages

The Languages used by this Adversary.

100 characters

Adversary

Please enter a valid Language for this Adversary.

False

Last Seen

The timestamp of when this indicator or activity was last seen. Example: 2017-05-03T14:38:02Z

20 characters

ASN
Address
Adversary
CIDR
Campaign
EmailAddress
Event
File
Host
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

Malicious Tool Variety

The Malicious Tool Variety of this Threat.

250 characters

Threat

Please enter a valid Malicious Tool Variety for this Threat.

False

Malicious Tool Version

The Malicious Tool Version of this Threat.

100 characters

Threat

Please enter a valid Malicious Tool Version for this Threat.

False

Malware Controller Availability

Select the Malware Controller Availability.

32 characters

File

Please enter a valid Malware Controller Availability: Public Free, Public Paid, Custom Variant of Public Malware, Underground, Not Publicly Available, or Other.

False

Malware Family Variety

The Malware Family Variety of this Threat.

250 characters

Threat

Please enter a valid Malware Family Variety for this Threat.

False

Malware Family Vector

The Malware Family Vector of this Threat.

100 characters

Threat

Please enter a valid Malware Family Vector for this Threat.

False

MIME Type

A two-part identifier for file formats and format contents transmitted on the network.

127 characters

Document
Email
File
Url

Please enter a valid MIME type in lower case.

False

Modified Date Time

Date and time when this STIX Campaign object was modified.

255 characters

Campaign
Intrusion Set
Report

Please enter a valid Modified Date Time: YYYY/MM/DD HH:mm:ss

False

Modified Files

List of Modified Files.

100K

File

Please enter valid list of Modified Files.

False

Modified Timestamp

The time and date this document or file was last modified. Example: 2017-05-03T14:38:02Z

20 characters

File

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

Naming Source

The Naming Source for this Threat.

100 characters

Threat

Please enter a valid Naming Source for this Threat.

False

.NET Assembly References

References to assembly made by a .NET file.

500 characters

File

Please enter .NET assembly references of 500 characters or fewer.

True

.NET Byte Code

Decompiled .NET byte code.

100K

File

Please enter a .NET byte code string of 102400 characters or fewer.

False

.NET Module Version ID

A GUID generated at build time that can be used to find similar .NET assemblies if the binary was modified post build somehow.

36 characters

File

Please enter a GUID value tied to the .NET Module Version ID.

False

.NET Source Code

Decompiled .NET byte code into source code.

100K

File

Please enter a decompiled .NET code of 102400 characters or fewer.

False

.NET TypeLib ID

The TypeLib ID is a GUID generated by Visual Studio during a .NET project creation.

36 characters

File

Please enter a GUID value tied to the .NET Module Version ID.

False

Network Protocol Analysis

Analysis of C2 protocol for signature development, detection, and de-obfuscation.

500 characters

Address
EmailAddress
File
Host
Signature
Url

Please enter a valid Network Protocol Analysis.

True

Network Traffic Sample

Hex dump of the network traffic that this signature will detect.

100K

Signature

Please enter a valid network traffic sample.

False

Object Marking References

Specifies a list of IDs of marking-definitions that apply to this Marking Definition.

100 characters

Campaign
Intrusion Set
Report

Please enter a valid Object Marking References.

False

Observation Method

How this Event was observed or how it potentially could be observed.

500 characters

ASN
Address
CIDR
EmailAddress
Event
File
Host
Incident
Mutex
Registry Key
Url
User Agent

Please enter a valid Observation Method of 500 characters or less.

False

Origin Country

Select an assumed country of origin.

44 characters

Adversary
Campaign
Threat

Please enter a valid Origin Country.

False

Packer

The Packer used for this File.

250 characters

File

Please enter valid Packer for this File.

False

Password

Password for documents, accounts, etc.

500 characters

Adversary
Document
Report

Please enter a valid Password of 500 characters or fewer.

False

PDF Producer

Text string saved in the metadata field, producer, of a PDF.

100 characters

File

Please check the input length for PDF producer is 100 characters or fewer.

False

PE Company Name

File company name from the file version info resource.

100 characters

File

Please check the input length for PE company name is 100 characters or fewer.

False

PE Description

File description from the file version info resource.

100 characters

File

Please check the input length for PE description is 100 characters or fewer.

False

PE Hex Timestamp

The time that the linker (or compiler for an OBJ file) produced this file. This field holds the number of seconds since January 1st, 1970 in a hex value.

8 characters

File

Please enter a valid PE hex timestamp.

False

PE Imports

A list of imports called by a Portable Executable.

500 characters

File

Please enter PE imports of 500 characters or fewer.

True

PE Resources

Text detailing the resources in a Portable Executable.

500 characters

File

Please enter PE resources of 500 characters or fewer.

True

PE Sections

Text detailing the sections of a Portable Executable.

500 characters

File

Please enter PE sections of 500 characters or fewer.

True

PE Timestamp

Date and time that the linker (or compiler for an OBJ file) produced this file. This is a human readable representation of the raw PE header field TimeDateStamp. Example: "2017-05-03T14:38:02Z"

20 characters

File

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

PE Version

File version from the file version info resource.

100 characters

File

Please check the input length for PE version is 100 characters or fewer.

True

Phase of Intrusion

Select a Phase of Intrusion. See https://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

21 characters

ASN
Address
Adversary
CIDR
Campaign
Email
EmailAddress
Event
File
Host
Incident
Intrusion Set
Mutex
Registry Key
Signature
Url
User Agent

Please enter a valid Phase of Intrusion: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, or Actions on Objectives

False

Physical Address

Address location of the entity.

500 characters

Adversary
Event
Victim

Please enter a valid Physical Address.

False

Powershell

Extracted PowerShell code.

100K

File

Please enter a PowerShell string of 102400 characters or fewer.

False

Producer

The Producer field details the source of this entry. (STIX 1.2 Indicator field) https://stixproject.github.io/data-model/1.2/indicator/IndicatorType/

500 characters

ASN
Address
CIDR
EmailAddress
File
Host
Intrusion Set
Mutex
Registry Key
Report
Url
User Agent

Please enter a Producer field of 500 characters or fewer.

False

Raw Data

Raw data for this object.

100K

Event
Signature

Please enter valid Raw Data of 102400 characters or fewer.

False

Raw Data Type

Raw event data type.

100 characters

Event

Please enter valid Raw Data Type of 100 characters or fewer.

False

Region

The Region associated to this resource.

200 characters

Adversary
Campaign
Incident
Report

Please enter a valid Region.

False

Registration Date

Date and time for the registration of the resource. Example: 2017-05-03T14:38:02Z

20 characters

ASN

Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z"

False

Registration Name

The Registration Name used for this resource.

500 characters

ASN

Please enter a valid Registration Name for this resource.

False

Registry

The Registry used for this resource.

10 characters

ASN

Please enter a valid Registry for this resource.

False

Registry Value Data

The Registry contains two basic elements: keys and values. Registry values are non-container objects similar to files. This attribute contains the data part of the registry value.

100K

Registry Key

Please enter a valid registry value data.

False

Registry Value Name

The Registry contains two basic elements: keys and values. Registry values are non-container objects similar to files. This attribute contains the name part of the registry value.

15K

Registry Key

Please enter a valid registry value name.

False

Religion

The Religion associated with this Adversary.

100 characters

Adversary

Please enter a valid Religion for this Adversary.

False

Resource Directory Time

The timestamp extracted from the resource directory of a PE file.

20 characters

File

Please enter a valid timestamp in ISO 8601 format with the trailing "Z". Example: 2017-05-03T14:38:02Z

False

Resource Level

The organizational level at which this Intrusion Set or Adversary typically works, which in turn determines the resources available to this Intrusion Set or Adversary for use in an attack.

12 characters

Adversary
Intrusion Set

Please enter a valid Resource Level: Individual, Team, Club, Organization, Contest, Government

False

Response Team & Staff involved

Names and/or email addresses of personnel investigating the event.

500 characters

Adversary
Campaign
Email
Event
Incident
Intrusion Set
Report
Victim

Please enter a valid Response Team & Staff involved.

True

Revoked

Flag that indicates whether this STIX Object has been revoked.

5 characters

Campaign
Event
Intrusion Set
Report

Please enter a valid boolean value: True, False

False

Sample Download Link

Link from which the file can be downloaded.

300 characters

Document
File

Please enter a valid sample download link that is 300 characters or fewer.

False

Secondary Motivation

Select a secondary motivation.

21 characters

Adversary
Document
Intrusion Set
Threat

Valid options: Nation State, Criminal, Accidental, Coercion, Corporate Espionage, Dominance, Economic Espionage, Ideological, Notoriety, Organizational Gain, Personal Gain, Personal Satisfaction, Revenge, Unpredictable, Unknown, Other

False

Service Classification

The Service Classification used by this Adversary.

100 characters

Adversary

Please enter a valid Service Classification for this Adversary.

False

Service Type

The Service Type used by this Adversary.

100 characters

Adversary

Please enter a valid Service Type for this Adversary.

False

SHA512 Hash

SHA-512 hash of a file.

128 characters

File

Please enter a valid SHA512 hash.

False

Signature Encoding Type

The encoding type of the signature. Examples: Base64 or ASCII text

500 characters

Signature

Please enter a valid Signature Encoding Type.

False

Skill Level

The Skill Level of this Adversary.

10 characters

Adversary

Please enter a valid Skill Level for this Adversary.

False

Source

The source of the Indicator or Intelligence. There may be multiple source attributes. Check the Default checkbox above to have this attribute the default.

64K

ASN
Address
Adversary
CIDR
Campaign
Document
Email
Email Subject
EmailAddress
Event
File
Hashtag
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent
Victim

Please enter a valid Source.

True

Source Date Time

Select the date and time the information was provided by the source.

255 characters

ASN
Address
Adversary
CIDR
Campaign
Email
EmailAddress
Event
File
Host
Incident
Intrusion Set
Mutex
Registry Key
Report
Signature
Threat
Url
User Agent

Please enter a valid Source Date: "YYYY-MM-DD HH:MM UTC"

False

ssdeep Hash

Piecewise fuzzy hash value for the file.

150 characters

File

Please check that this is a valid ssdeep hash.

False

SSH Fingerprint

SSH fingerprint in either MD5 format (before OpenSSH 6.8) or base64 SHA256 (OpenSSH 6.8 and after).

44 characters

Address

Please check that the MD5 is lower case without ':' and the length of the fingerprint is correct depending on the fingerprint used: 32 for MD5 and 44 for base64 SHA256.

False

Status

The status of a campaign.

8 characters

Campaign

Please enter a valid Status: Ongoing, Historic, Future

False

STIX Actions

Description or specification of one or more cyber observable actions.

500 characters

Event

Please enter a valid STIX Actions of 500 characters or fewer.

False

STIX Created By Ref

The ID of the Identity object that describes the entity that created this object.

36 characters

Intrusion Set

Please enter a valid lowercase UUID for STIX Created By Ref.

False

STIX Event Type

The type of this event.

100 characters

Event

Please enter a valid STIX Event Type of 100 characters or fewer.

False

STIX ID

Specifies a globally unique identifier for this cyber threat Campaign.

500 characters

Campaign
Event
Intrusion Set
Report

Please enter a valid STIX ID.

False

STIX IDRef

Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.

500 characters

Campaign
Event
Report

Please enter a valid STIX IDRef.

False

STIX Malware Used

The ID of the Malware object that describes the entity that created this object.

36 characters

Intrusion Set

Please enter a valid lowercase UUID for STIX Malware Used

False

STIX Object Version

The version number of this STIX Campaign.

10 characters

Campaign
Intrusion Set
Report

Please enter a valid STIX Object Version with a value 1 - 999,999,999

False

STIX Observable ID

STIX ID of observable instance or observable pattern. (STIX 1.2)

500 characters

ASN
Address
CIDR
EmailAddress
File
Host
Mutex
Registry Key
Url
User Agent

Please enter a STIX Observable ID of 500 characters or fewer.

False

STIX Related Attack Pattern

Attack patterns (TTPs) asserted to be related to this cyber threat Campaign.

100 characters

Campaign
Intrusion Set

Please enter a valid STIX Related Attack Pattern.

False

STIX Related Indicator

Indicator related to this cyber threat Campaign.

100 characters

Campaign

Please enter a valid STIX Related Indicator.

False

STIX Related Packages

Identifies or characterizes relationships to set of related Packages.

100 characters

Campaign

Please enter a valid STIX Package relationship.

False

STIX Scope of Related Reports

How multiple related items should be interpreted. If inclusive, then a single relationship between subject and collection of objects. If exclusive, then multiple relationships between the subject and each object.

9 characters

Report

Please enter a valid STIX Scope of Related Reports of Inclusive or Exclusive

False

STIX Timestamp

Specifies a timestamp for the definition of a specific version of a Campaign.

255 characters

Campaign
Intrusion Set
Report

Please enter a valid STIX Timestamp: YYYY/MM/DD HH:mm:ss

False

STIX Tool Used

The ID of the Tool object that describes the entity that created this object.

36 characters

Intrusion Set

Please enter a valid lowercase UUID for STIX Tool Used

False

STIX Version

Specifies the relevant STIX-Campaign schema version for this content.

8 characters

Campaign
Intrusion Set
Report

Please enter a valid STIX Version.

False

Strings

Strings relevant to a host based signature or file.

500 characters

File
Signature

Please enter valid Strings of 500 characters or fewer.

False

Tactics, Techniques, and Procedures

Tactics, Techniques, and Procedures (TTPs) used by the adversary.

500 characters

Adversary
Campaign
Email
Incident
Intrusion Set
Report
Signature
Threat

Please enter a valid TTP.

True

Target Country

Select targeted country.

44 characters

ASN
Address
Adversary
Campaign
Incident
Report
Threat

Please enter a valid Target Country.

False

Targeted Identity

Relationship that describes the type of victims targeted by this Campaign.

100 characters

Campaign
Intrusion Set

Please enter a valid Targeted Identity.

False

Targeted Vulnerability

Relationship that describes the Vulnerability exploited by this Campaign.

100 characters

Campaign
Intrusion Set

Please enter a valid Targeted Vulnerability.

False

Testing and Validation Status

Select the Signature processing status.

15 characters

Signature

Please enter a valid Testing and Validation Status: Not Tested, Experimental, or Confirmed Valid.

False

Threat Level

Select the severity of Threat posed to the organization by this activity.

8 characters

Adversary
Campaign
Email
Event
Incident
Intrusion Set
Report
Signature
Threat

Please enter a valid Threat Level: None, Low, Medium, High, or Critical.

False

Threat Type

Select Threat Type for this Threat.

20 characters

Threat

Select a valid type for this Threat: Attack Pattern, Malware Family, Tool, Vulnerability

False

Title

The Title field provides a simple title for this Indicator. (STIX 1.2 Indicator field) https://stixproject.github.io/data-model/1.2/indicator/IndicatorType/

500 characters

ASN
Address
Adversary
CIDR
Campaign
Document
Email
EmailAddress
File
Host
Incident
Mutex
Registry Key
Signature
Task
Threat
Url
User Agent
Victim

Please enter a Title field of 500 characters or fewer.

False

TTP Description: Email

Characteristics of the Email Event. Suggested descriptions: Spoofed Sender, Impersonating Account Sender, Hijacked Account Sender, Specific X-Mailer used, XSS, Attachment, Other…

500 characters

Email

Please enter a valid TTP Description

True

TTP Description: Malware/Tool Information

Malware and hacker tool usage characteristics: backdoor, self-propagating, rootkit, pass-the-hash, keylogger, Other.

500 characters

File

Please enter a valid TTP Description: Malware/Tool Information.

True

URL Type

Select Tactics, Techniques, and Procedures of the Adversary used in context with URL in this event.

27 characters

Url

Please enter a valid URL Type.

False

VBA Code

Extracted MS Office macro Visual Basic for Applications code.

100K

File

Please check the length of the input.

False

Version

Specifies the Version of the Report or Signature.

500 characters

Report
Signature

Please enter a valid Version.

False

X-Mailer

The X-Mailer header of this Email.

250 characters

Email

Please enter a valid X-Mailer for this Email.

False