References - Platform Standard Attributes
Overview
This page provides a standard list of attributes available within the ThreatConnect Platform.
Currently this list reflects ThreatConnect Platform version 6.1.
Standard Attributes Table
Attribute Name | Attribute Description | Attribute Field/Object Size | Applicable ThreatConnect Data Model Objects | Additional Information | Allows Markdown? |
Additional Analysis and Context | Relevant research and analysis associated with this Indicator, Signature, or Activity Group. Can be internal analysis or links to published articles, whitepapers, websites, or any reference providing amplifying information or geo-political context. | 64K | ASN | Please enter valid Additional Analysis and Context. | True |
Admiralty Code | The Admiralty System is a method for evaluating collected items of intelligence. | 2 characters | ASN | Please enter a valid Admiralty Code. | False |
Adversary Motivation Type | Select an overall motivation. | 21 characters | Adversary | Please enter a valid Adversary Motivation Type. | False |
Adversary Origin & Source | The observed and/or assumed attacker origin or source. | 500 characters | Adversary | Please enter an observed and/or assumed attacker origin or source. | True |
Adversary Type | The type of Adversary. | 50 characters | Adversary | Please enter a valid Adversary Type: Group, Persona | False |
Aliases | Other names used to refer to this entity. | 500 characters | Adversary | Please enter a valid Aliases. | True |
AMA Signature | Text string returned by an AMA for structural or behavioral signatures triggered by the file sample. | 500 characters | File | Please enter a valid Signature of 500 characters or fewer. | False |
Archive Password | Password for Malware Documents | 255 characters | Document | Please input password. Default password is "TCInfected". | False |
Attribution Assessment | Attribution of Threat activity to a given person, group, or entity. | 500 characters | Campaign | Please enter a valid Attribution Assessment. | False |
Attribution Confidence | Confidence of attribution of Threat activity to a given person, group, entity. | 5 characters | Campaign | Please enter a valid attribution confidence with a value 0-100. | False |
Autonomous System Name | The Autonomous System Name for this ASN. | 250 characters | ASN | Please enter a valid Autonomous System Name. | False |
AV Scanner Results | This type is a markdown formatted antivirus scanner results from an AV scanner bank. | 8K | File | Please check that your AV scanner results are fewer than 8192 characters. | True |
AV Scan Timestamp | The timestamp when this file was most recently scanned by AV engines. Example: 2017-05-03T14:38:02Z | 20 characters | File | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Bitcoin Address | Bitcoin wallet address. | 34 characters | Adversary | Check that the bitcoin address is the correct format. | False |
Body Type | The Body Type of this Email. | 250 characters | | Please enter a valid Body Type. | False |
Campaign Objective | Defines the Campaign’s primary goal, objective, desired outcome, or intended effect. | 500 characters | Campaign | Please enter a valid Campaign Objective. | False |
Capabilities | Overview of Threat or Adversary capabilities. | 500 characters | Adversary | Please enter a valid capabilities. | True |
Code Page | Code page is a table of values that describes the character set used for encoding a particular set of characters. Code page here is an integer 1-65520 referencing this table. | 5 characters | File | Please enter a valid code page 1-65520. | False |
Collection Location | Location in the email header or body where an email address indicator was collected. | 13 characters | EmailAddress | Please enter a valid collection location: Body, Reply-To, From, Sender, Envelope-from, or Return-Path. | False |
Compiler | The compiler used for this File. | 300 characters | File | Please enter a valid Compiler. | True |
Compiler Language | The compiler language of this File. | 100 characters | File | Please enter a valid Compiler Language. | True |
Confidence | Characterizes the level of confidence held in the characterization of this Campaign or Signature. | 7 characters | Campaign | Please enter a valid Confidence: High, Medium, Low, None, Unknown | False |
Course of Action Desired Effect | Select a desired effect on the Adversary operations. | 7 characters | Adversary | Please enter a valid effect: Deny, Degrade, Deceive, Disrupt, or Destroy. | False |
Course of Action Effectiveness | Select how effective the Course of Action was. | 20 characters | Adversary | Please enter a valid COA Effect: No Effect, Low Effect, Moderately Effective, Highly Effective, or Extremely Effective. | False |
Course of Action Recommendation | Recommend a Course of Action. | 64K | Adversary | Please enter a valid Course of Action Recommendation. | True |
Course of Action Taken | Describe the Course of Action Taken. | 500 characters | Adversary | Please enter a valid Course of Action. | True |
Created Date Time | Date and time when this STIX Campaign object was created. | 255 characters | Campaign | Please enter a valid Created Date Time: YYYY/MM/DD HH:mm:ss | False |
Creation Timestamp | The time and date this document or file was created. Example: 2017-05-03T14:38:02Z | 20 characters | File | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Date of Discovery | Select the date when the Event, Incident, Threat, or Adversary was discovered. | 25 characters | ASN | Please enter a valid date in YYYY/MM/DD format. | False |
Debug Symbol Path | Path to windows debugging symbol file. Found in the debug info of a PE file. | 500 characters | File | Please check the format and that the length is 500 characters or less. | False |
Deployment Status | Enter any sensors or hosts this signature is deployed to. | 500 characters | Signature | Please enter a valid deployment status. | False |
Description | A general description. There may be several descriptions from various sources. Check the Default checkbox above to make this description the default. | 100K | ASN | Please enter a valid description. | True |
Detection Percentage | The percentage of AV engines that are detecting the file as malicious. | 3 characters | File | Please enter a valid detection percentage between 0 and 100. | False |
Detection Ratio | This type is a ratio of positive AV scanner results to the total number of scanners with which the sample was checked. | 7 characters | File | Please input a valid detection ratio value. Maximum is 100/100. | False |
Dll Name | When present, this is the Name field in the Export Directory struct of a PE file. | 100 characters | File | Please enter the dll name extracted from PE file. | False |
Document Author | Author field from the document metadata. | 100 characters | File | Please check the input length for document author is 100 characters or fewer. | False |
Document Company | Company field from the document metadata. | 100 characters | File | Please check the input length for document company is 100 characters or fewer. | False |
Document Creation Tool | Software tool used to create this document, if available. | 100 characters | File | Please check the input length for document creation tool is 100 characters or fewer. | False |
Document Description | Description field from document metadata. | 100 characters | File | Please check the input length for document description is 100 characters or fewer. | False |
Document Last Modified By | Name of the last individual to modify this document from metadata. | 100 characters | File | Please check the input length for document last modified by is 100 characters or fewer. | False |
Document Subject | Subject of the document from metadata. | 100 characters | File | Please check the input length for document subject is 100 characters or fewer. | False |
Document Title | Title of the document from metadata. | 100 characters | File | Please check the input length for document title is 100 characters or fewer. | False |
EmailAddress Usage | Select the Tactics, Techniques, and Procedures (TTPs) the Adversary used in relation to this Email Address. | 26 characters | EmailAddress | Please enter a valid option: Phishing Email Sender, Command and Control, Personal Email Account, Professional Email Account, Domain Registrant, Drop Email. | False |
Entropy | Overall Shannon entropy of a file. | 4 characters | File | Please enter the file entropy as a decimal number to the precision of 2 (1.02) and a maximum of 8.00. | False |
Entry Point | Location where control is transferred from the operating system to a computer program, at which place the processor enters a program or a code fragment and execution begins. | 8 characters | File | Please enter a valid entry point that is a 32-bit lowercase hex string (8 characters). | False |
Event End Date | The end date of the event reported in this Incident. Example: 2017-05-03T14:38:02Z | 100 characters | Incident | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Event Log | Logs that pertain to an event. | 100K | Event | Please enter a valid event log. | False |
Events | Notable events this indicator was observed in. | 500 characters | Address | Please enter a valid Event. | False |
External Date Created | The External timestamp of when this resource was Created. Example: 2017-05-03T14:38:02Z | 100 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
External Date Expires | The External timestamp of when this resource will expire. Example: 2017-05-03T14:38:02Z | 100 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
External Date Last Modified | The External timestamp of when this resource was Last Modified. Example: 2017-05-03T14:38:02Z | 100 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
External ID | ID used by system outside of ThreatConnect. | 255 characters | ASN | Please enter an External ID of 255 characters or less. | False |
External References | Specifies a list of external references which refers to non-STIX information. | 500 characters | Campaign | Please enter a valid External References. | False |
File Type | File type as determined by libmagic or the file command. | 500 characters | Document | Please enter a File Type of 500 characters or fewer. | False |
First Seen | The timestamp of when this indicator or activity was first seen. Example: 2017-05-03T14:38:02Z | 20 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
First Seen Timestamp Precision | The precision of the First Seen timestamp. | 50 characters | Campaign | Please enter a valid First Seen Timestamp Precision. | False |
Frequency | How frequently this event or activity occurs. | 9 characters | Event | Please enter a valid frequency: Often, Sometimes, Rarely. | False |
Granular Markings | Specifies a list of granular markings applied to this. | 100 characters | Campaign | Please enter a valid Granular Markings. | False |
Hashtag | A hashtag associated to this activity. | 280 characters | Adversary | Please enter a valid Hashtag. | False |
HTTP Request Header | HTTP request header text. | 100K | Address | Please check the length of the input and that it follows RFC 7230. https://tools.ietf.org/html/rfc7230 | False |
HTTP Response Header | HTTP response header text. | 100K | Address | Please check the length of the input and that it follows RFC 7230. https://tools.ietf.org/html/rfc7230 | False |
iDefense History | The history of this fundamental within Accenture iDefense. | 500 characters | ASN | Please enter a valid iDefense History. | True |
Impact of Adversary Activity | Select the impact of the Incident or Activity. | 8 characters | Campaign | Please enter a valid impact: None, Low, Medium, High, Critical. | False |
Import Hash | A hash based on library/API names and their specific order within the executable's Import Address Table (IAT). | 32 characters | File | Please enter a valid import hash that is a 128-bit hex string. | False |
Incident Type | The type of Incident or Campaign. | 50 characters | Campaign | Please enter a valid Incident Type. | False |
Infrastructure Ownership | Select ownership details of the Infrastructure (IP Address, Domain Name, URL, etc) used in an Adversary operation. | 19 characters | Address | Please enter valid infrastructure ownership details: Adversary Owned, Adversary Leased, Adversary Subverted | False |
Intelligence Report Type | The type of iDefense Intelligence Report. | 10 characters | Report | Please enter a valid Intelligence Report Type: Blog, Report | False |
Intended Effect | The intended effect of a campaign. | 40 characters | Campaign | Please enter a valid Intended Effect. | False |
Intent | Intent of the Adversary in this activity. | 64K | Campaign | Please enter a valid Intent. | False |
IP and Host Usage | Select Tactics, Techniques, and Procedures of the Adversary used with this IP or Host. | 21 characters | Address | Options: C2,Tool Server,Web Hosted Exploit,Remote Exploit,Vulnerability Scan,Exfiltration Point,Adversary Source Host,Phishing Mailserver,Dynamic DNS Host,Sinkhole,Phishing Origin,Phishing Relay,Parking,Malware Hosting,Phishing Site,Infected Node,Other | False |
Labels | Labels for this object. | 100 characters | Campaign | Please enter a valid Labels. | False |
Languages | The Languages used by this Adversary. | 100 characters | Adversary | Please enter a valid Language for this Adversary. | False |
Last Seen | The timestamp of when this indicator or activity was last seen. Example: 2017-05-03T14:38:02Z | 20 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Malicious Tool Variety | The Malicious Tool Variety of this Threat. | 250 characters | Threat | Please enter a valid Malicious Tool Variety for this Threat. | False |
Malicious Tool Version | The Malicious Tool Version of this Threat. | 100 characters | Threat | Please enter a valid Malicious Tool Version for this Threat. | False |
Malware Controller Availability | Select the Malware Controller Availability. | 32 characters | File | Please enter a valid Malware Controller Availability: Public Free, Public Paid, Custom Variant of Public Malware, Underground, Not Publicly Available, or Other. | False |
Malware Family Variety | The Malware Family Variety of this Threat. | 250 characters | Threat | Please enter a valid Malware Family Variety for this Threat. | False |
Malware Family Vector | The Malware Family Vector of this Threat. | 100 characters | Threat | Please enter a valid Malware Family Vector for this Threat. | False |
MIME Type | A two-part identifier for file formats and format contents transmitted on the network. | 127 characters | Document | Please enter a valid MIME type in lower case. | False |
Modified Date Time | Date and time when this STIX Campaign object was modified. | 255 characters | Campaign | Please enter a valid Modified Date Time: YYYY/MM/DD HH:mm:ss | False |
Modified Files | List of Modified Files. | 100K | File | Please enter valid list of Modified Files. | False |
Modified Timestamp | The time and date this document or file was last modified. Example: 2017-05-03T14:38:02Z | 20 characters | File | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Naming Source | The Naming Source for this Threat. | 100 characters | Threat | Please enter a valid Naming Source for this Threat. | False |
.NET Assembly References | References to assembly made by a .NET file. | 500 characters | File | Please enter .NET assembly references of 500 characters or fewer. | True |
.NET Byte Code | Decompiled .NET byte code. | 100K | File | Please enter a .NET byte code string of 102400 characters or fewer. | False |
.NET Module Version ID | A GUID generated at build time that can be used to find similar .NET assemblies if the binary was modified post build somehow. | 36 characters | File | Please enter a GUID value tied to the .NET Module Version ID. | False |
.NET Source Code | Decompiled .NET byte code into source code. | 100K | File | Please enter a decompiled .NET code of 102400 characters or fewer. | False |
.NET TypeLib ID | The TypeLib ID is a GUID generated by Visual Studio during a .NET project creation. | 36 characters | File | Please enter a GUID value tied to the .NET Module Version ID. | False |
Network Protocol Analysis | Analysis of C2 protocol for signature development, detection, and de-obfuscation. | 500 characters | Address | Please enter a valid Network Protocol Analysis. | True |
Network Traffic Sample | Hex dump of the network traffic that this signature will detect. | 100K | Signature | Please enter a valid network traffic sample. | False |
Object Marking References | Specifies a list of IDs of marking-definitions that apply to this Marking Definition. | 100 characters | Campaign | Please enter a valid Object Marking References. | False |
Observation Method | How this Event was observed or how it potentially could be observed. | 500 characters | ASN | Please enter a valid Observation Method of 500 characters or less. | False |
Origin Country | Select an assumed country of origin. | 44 characters | Adversary | Please enter a valid Origin Country. | False |
Packer | The Packer used for this File. | 250 characters | File | Please enter valid Packer for this File. | False |
Password | Password for documents, accounts, etc. | 500 characters | Adversary | Please enter a valid Password of 500 characters or fewer. | False |
PDF Producer | Text string saved in the metadata field, producer, of a PDF. | 100 characters | File | Please check the input length for PDF producer is 100 characters or fewer. | False |
PE Company Name | File company name from the file version info resource. | 100 characters | File | Please check the input length for PE company name is 100 characters or fewer. | False |
PE Description | File description from the file version info resource. | 100 characters | File | Please check the input length for PE description is 100 characters or fewer. | False |
PE Hex Timestamp | The time that the linker (or compiler for an OBJ file) produced this file. This field holds the number of seconds since January 1st, 1970 in a hex value. | 8 characters | File | Please enter a valid PE hex timestamp. | False |
PE Imports | A list of imports called by a Portable Executable. | 500 characters | File | Please enter PE imports of 500 characters or fewer. | True |
PE Resources | Text detailing the resources in a Portable Executable. | 500 characters | File | Please enter PE resources of 500 characters or fewer. | True |
PE Sections | Text detailing the sections of a Portable Executable. | 500 characters | File | Please enter PE sections of 500 characters or fewer. | True |
PE Timestamp | Date and time that the linker (or compiler for an OBJ file) produced this file. This is a human readable representation of the raw PE header field TimeDateStamp. Example: "2017-05-03T14:38:02Z" | 20 characters | File | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
PE Version | File version from the file version info resource. | 100 characters | File | Please check the input length for PE version is 100 characters or fewer. | True |
Phase of Intrusion | Select a Phase of Intrusion. See https://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf | 21 characters | ASN | Please enter a valid Phase of Intrusion: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, or Actions on Objectives | False |
Physical Address | Address location of the entity. | 500 characters | Adversary | Please enter a valid Physical Address. | False |
Powershell | Extracted powershell code. | 100K | File | Please enter a powershell string of 102400 characters or fewer. | False |
Producer | The Producer field details the source of this entry. (STIX 1.2 Indicator field) https://stixproject.github.io/data-model/1.2/indicator/IndicatorType/ | 500 characters | ASN | Please enter a Producer field of 500 characters or fewer. | False |
Raw Data | Raw data for this object. | 100K | Event | Please enter valid Raw Data of 102400 characters or fewer. | False |
Raw Data Type | Raw event data type. | 100 characters | Event | Please enter valid Raw Data Type of 100 characters or fewer. | False |
Region | The Region associated to this resource. | 200 characters | Adversary | Please enter a valid Region. | False |
Registration Date | Date and time for the registration of the resource. Example: 2017-05-03T14:38:02Z | 20 characters | ASN | Please enter a valid timestamp in ISO 8601 format with the trailing Z. Example: "2017-05-03T14:38:02Z" | False |
Registration Name | The Registration Name used for this resource. | 500 characters | ASN | Please enter a valid Registration Name for this resource. | False |
Registry | The Registry used for this resource. | 10 characters | ASN | Please enter a valid Registry for this resource. | False |
Registry Value Data | The Registry contains two basic elements: keys and values. Registry values are non-container objects similar to files. This attribute contains the data part of the registry value. | 100K | Registry Key | Please enter a valid registry value data. | False |
Registry Value Name | The Registry contains two basic elements: keys and values. Registry values are non-container objects similar to files. This attribute contains the name part of the registry value. | 15K | Registry Key | Please enter a valid registry value name. | False |
Religion | The Religion associated with this Adversary. | 100 characters | Adversary | Please enter a valid Religion for this Adversary. | False |
Resource Directory Time | The timestamp extracted from the resource directory of a PE file. | 20 characters | File | Please enter a valid timestamp in ISO 8601 format with the trailing "Z". Example: 2017-05-03T14:38:02Z | False |
Resource Level | The organizational level at which this Intrusion Set or Adversary typically works, which in turn determines the resources available to this Intrusion Set or Adversary for use in an attack. | 12 characters | Adversary | Please enter a valid Resource Level: Individual, Team, Club, Organization, Contest, Government | False |
Response Team & Staff involved | Names and/or email addresses of personnel investigating the event. | 500 characters | Adversary | Please enter a valid Response Team & Staff involved. | True |
Revoked | Flag that indicates whether this STIX Object has been revoked. | 5 characters | Campaign | Please enter a valid boolean value: True, False | False |
Sample Download Link | Link from which the file can be downloaded. | 300 characters | Document | Please enter a valid sample download link that is 300 characters or fewer. | False |
Secondary Motivation | Select a secondary motivation. | 21 characters | Adversary | Valid options: Nation State, Criminal, Accidental, Coercion, Corporate Espionage, Dominance, Economic Espionage, Ideological, Notoriety, Organizational Gain, Personal Gain, Personal Satisfaction, Revenge, Unpredictable, Unknown, Other | False |
Service Classification | The Service Classification used by this Adversary. | 100 characters | Adversary | Please enter a valid Service Classification for this Adversary. | False |
Service Type | The Service Type used by this Adversary. | 100 characters | Adversary | Please enter a valid Service Type for this Adversary. | False |
SHA512 Hash | SHA-512 hash of a file. | 128 characters | File | Please enter a valid SHA512 hash. | False |
Signature Encoding Type | The encoding type of the signature. Examples: Base64 or ASCII text | 500 characters | Signature | Please enter a valid Signature Encoding Type. | False |
Skill Level | The Skill Level of this Adversary. | 10 characters | Adversary | Please enter a valid Skill Level for this Adversary. | False |
Source | The source of the Indicator or Intelligence. There may be multiple source attributes. Check the Default checkbox above to have this attribute the default. | 64K | ASN | Please enter a valid Source. | True |
Source Date Time | Select Date and Time information was provided by source. | 255 characters | ASN | Please enter a valid Source Date: "YYYY-MM-DD HH:MM UTC" | False |
ssdeep Hash | Piecewise fuzzy hash value for the file. | 150 characters | File | Please check that this is a valid ssdeep hash. | False |
SSH Fingerprint | SSH fingerprint in either MD5 format (before OpenSSH 6.8) or base64 SHA256 (OpenSSH 6.8 and after). | 44 characters | Address | Please check that the MD5 is lower case without ':' and the length of the fingerprint is correct depending on the fingerprint used: 32 for MD5 and 44 for base64 SHA256. | False |
Status | The status of a campaign. | 8 characters | Campaign | Please enter a valid Status: Ongoing, Historic, Future | False |
STIX Actions | Description or specification of one or more cyber observable actions. | 500 characters | Event | Please enter a valid STIX Actions of 500 characters or fewer. | False |
STIX Created By Ref | The ID of the Identity object that describes the entity that created this object. | 36 characters | Intrusion Set | Please enter a valid lowercase UUID for STIX Created By Ref. | False |
STIX Event Type | The type of this event. | 100 characters | Event | Please enter a valid STIX Event Type of 100 characters or fewer. | False |
STIX ID | Specifies a globally unique identifier for this cyber threat Campaign. | 500 characters | Campaign | Please enter a valid STIX ID. | False |
STIX IDRef | Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere. | 500 characters | Campaign | Please enter a valid STIX IDRef. | False |
STIX Malware Used | The ID of the Malware object that describes the entity that created this object. | 36 characters | Intrusion Set | Please enter a valid lowercase UUID for STIX Malware Used | False |
STIX Object Version | The version number of this STIX Campaign. | 10 characters | Campaign | Please enter a valid STIX Object Version with a value 1 - 999,999,999 | False |
STIX Observable ID | STIX ID of observable instance or observable pattern. (STIX 1.2) | 500 characters | ASN | Please enter a STIX Observable ID of 500 characters or fewer. | False |
STIX Related Attack Pattern | Attack patterns (TTPs) asserted to be related to this cyber threat Campaign. | 100 characters | Campaign | Please enter a valid STIX Related Attack Pattern. | False |
STIX Related Indicator | Indicator related to this cyber threat Campaign. | 100 characters | Campaign | Please enter a valid STIX Related Indicator. | False |
STIX Related Packages | Identifies or characterizes relationships to set of related Packages. | 100 characters | Campaign | Please enter a valid STIX Package relationship. | False |
STIX Scope of Related Reports | How multiple related items should be interpreted. If inclusive, then a single relationship between subject and collection of objects. If exclusive, then multiple relationships between the subject and each object. | 9 characters | Report | Please enter a valid STIX Scope of Related Reports of Inclusive or Exclusive | False |
STIX Timestamp | Specifies a timestamp for the definition of a specific version of a Campaign. | 255 characters | Campaign | Please enter a valid STIX Timestamp: YYYY/MM/DD HH:mm:ss | False |
STIX Tool Used | The ID of the Tool object that describes the entity that created this object. | 36 characters | Intrusion Set | Please enter a valid lowercase UUID for STIX Tool Used | False |
STIX Version | Specifies the relevant STIX-Campaign schema version for this content. | 8 characters | Campaign | Please enter a valid STIX Version. | False |
Strings | Strings relevant to a host based signature or file. | 500 characters | File | Please enter valid Strings of 500 characters or fewer. | False |
Tactics, Techniques, and Procedures | Tactics, Techniques, Procedures (TTPs) used by the adversary. | 500 characters | Adversary | Please enter a valid TTP. | True |
Target Country | Select targeted country. | 44 characters | ASN | Please enter a valid Target Country. | False |
Targeted Identity | Relationship that describes the type of victims targeted by this Campaign. | 100 characters | Campaign | Please enter a valid Targeted Identity. | False |
Targeted Vulnerability | Relationship that describes the Vulnerability exploited by this Campaign. | 100 characters | Campaign | Please enter a valid Targeted Vulnerability. | False |
Testing and Validation Status | Select the Signature processing status. | 15 characters | Signature | Please enter a valid Testing and Validation Status: Not Tested, Experimental, or Confirmed Valid. | False |
Threat Level | Select the severity of Threat posed to the organization by this activity. | 8 characters | Adversary | Please enter a valid Threat Level: None, Low, Medium, High, or Critical. | False |
Threat Type | Select Threat Type for this Threat. | 20 characters | Threat | Select a valid type for this Threat: Attack Pattern, Malware Family, Tool, Vulnerability | False |
Title | The Title field provides a simple title for this Indicator. (STIX 1.2 Indicator field) https://stixproject.github.io/data-model/1.2/indicator/IndicatorType/ | 500 characters | ASN | Please enter a Title field of 500 characters or fewer. | False |
TTP Description: Email | Characteristics of the Email Event. Suggested descriptions: Spoofed Sender, Impersonating Account Sender, Hijacked Account Sender, Specific X-Mailer used, XSS, Attachment, Other… | 500 characters | | Please enter a valid TTP Description | True |
TTP Description: Malware/Tool Information | Malware and hackertools usage characteristics: backdoor, self-propagating, rootkit, pass-the-hash, keylogger, Other. | 500 characters | File | Please enter a valid TTP Description: Malware/Tool Information. | True |
URL Type | Select Tactics, Techniques, and Procedures of the Adversary used in context with URL in this event. | 27 characters | Url | Please enter a valid URL Type. | False |
VBA Code | Extracted MS Office macro Visual Basic for Applications code. | 100K | File | Please check the length of the input. | False |
Version | Specifies the Version of the Report or Signature. | 500 characters | Report | Please enter a valid Version. | False |
X-Mailer | The X-Mailer header of this Email. | 250 characters | | Please enter a valid X-Mailer for this Email. | False |