OSINT

Any pertinent DNS answers information related to an indicator or OSINT analysis.

MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.

Any pertinent autonomous system information related to an indicator or OSINT analysis.

The campaign object describes details about the campaign that was the source of the activity.

Categorizes the threat indicator based on its functional or operational role.

Analyst commentary or source commentary about an indicator or OSINT analysis.

The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.

The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.

• 0: Unknown (UNKNOWN)
• 1: Low (LOW)
• 2: Medium (MEDIUM)
• 3: High (HIGH)
• 99: Other (OTHER)

The timestamp when the indicator was initially created or identified.

Entity:USER
The identifier of the user, system, or organization that contributed the indicator.

A detailed explanation of the indicator, including its context, purpose, and relevance.

The specific detection pattern or signature associated with the indicator.

The detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source.

Specifies the type of detection pattern used to identify the associated threat indicator.

• 0: Unknown (UNKNOWN)
• 1: STIX (STIX)
• 2: PCRE (PCRE)
• 3: SIGMA (SIGMA)
• 4: Snort (SNORT)
• 5: Suricata (SURICATA)
• 6: YARA (YARA)
• 99: Other (OTHER)

Entity:EMAIL
Any email information pertinent to an indicator or OSINT analysis.

Any email authentication information pertinent to an indicator or OSINT analysis.

The expiration date of the indicator, after which it is no longer considered reliable.

A unique identifier assigned by an external system for cross-referencing.

Entity:FILE
Any pertinent file information related to an indicator or OSINT analysis.

A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.

Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.

Tags or keywords associated with the indicator to enhance searchability.

Entity:GEO_LOCATION
Any pertinent geolocation information related to an indicator or OSINT analysis.

A list of Malware objects, describing details about the identified malware.

The timestamp of the last modification or update to the indicator.

The name is a pointer/reference to an attribute within the OCSF event data. For example: file.name.

Group:context
The event data as received from the event source.

Group:primary
Unique identifier for the object

Provides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI.

Any analytics related to an indicator or OSINT analysis.

Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.

A numerical representation of the threat indicator’s risk level.

Any pertinent script information related to an indicator or OSINT analysis.

Represents the severity level of the threat indicator, typically reflecting its potential impact or damage.

The normalized severity level of the threat indicator, typically reflecting its potential impact or damage.

• 0: Unknown (UNKNOWN)
• 1: Informational (INFORMATIONAL)
• 2: Low (LOW)
• 3: Medium (MEDIUM)
• 4: High (HIGH)
• 5: Critical (CRITICAL)
• 6: Fatal (FATAL)
• 99: Other (OTHER)

Any digital signatures or hashes related to an indicator or OSINT analysis.

Entity:URL_STRING
The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise.

Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.

Entity:SUBNET
A CIDR or network block related to an indicator or OSINT analysis.

A threat actor is an individual or group that conducts malicious cyber activities, often with financial, political, or ideological motives.

The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.

• AMBER: TLP:AMBER (TLPAMBER)
• AMBER STRICT: TLP:AMBER+STRICT (TLPAMBER+STRICT)
• CLEAR: TLP:CLEAR (TLPCLEAR)
• GREEN: TLP:GREEN (TLPGREEN)
• RED: TLP:RED (TLPRED)
• WHITE: TLP:WHITE (TLPWHITE)

The OSINT indicator type.

The OSINT indicator type ID.

• 0: Unknown (UNKNOWN)
• 1: IP Address (IP_ADDRESS)
• 2: Domain (DOMAIN)
• 3: Hostname (HOSTNAME)
• 4: Hash (HASH)
• 5: URL (URL)
• 6: User Agent (USER_AGENT)
• 7: Digital Certificate (DIGITAL_CERTIFICATE)
• 8: Email (EMAIL)
• 9: Email Address (EMAIL_ADDRESS)
• 10: Vulnerability (VULNERABILITY)
• 11: File (FILE)
• 12: Registry Key (REGISTRY_KEY)
• 13: Registry Value (REGISTRY_VALUE)
• 14: Command Line (COMMAND_LINE)
• 99: Other (OTHER)

The unique identifier for the OSINT object.

Data from the source that was not mapped into the schema.

The timestamp indicating when the associated indicator or intelligence was added to the system or repository.

The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.

The vendor name of a tool which generates intelligence or provides indicators.

Any vulnerabilities related to an indicator or OSINT analysis.

Any pertinent WHOIS information related to an indicator or OSINT analysis.