Threat Intelligence

<code>threat_intelligence</code>

<blockquote class="callout callout_warn">
    <h3>🚧 WARNING: DEPRECATED</h3>
    <p>Threat Intelligence has been deprecated since 1.4.0 (deprecated in QDM 1.4.0).</p>
</blockquote>

Insights from threat intelligence platforms.

## Attributes

<table>
    <tr>
        <th>Caption</th>
        <th>Name</th>
        <th>Type</th>
        <th>Description</th>
    </tr>
    <tr id="attr-provider">
        <td>Provider</td>
        <td><code>provider</code></td>
        <td>
            <a href="/docs/types#string_t">String</a>
        </td>
        <td>
        Name of the threat intelligence data provider, e.g. AlienVaultOTX.
        
        </td>
    </tr>
    <tr id="attr-raw_data">
        <td>Raw Data</td>
        <td><code>raw_data</code></td>
        <td>
            <a href="/docs/types#json_t">JSON</a>
        </td>
        <td>
            <strong>Group:</strong> <code>context</code><br/>
        The event data as received from the event source.
        
        </td>
    </tr>
    <tr id="attr-record_id">
        <td>Record ID</td>
        <td><code>record_id</code></td>
        <td>
            <a href="/docs/types#string_t">String</a>
        </td>
        <td>
            <strong>Group:</strong> <code>primary</code><br/>
        Unique identifier for the object.
        
        </td>
    </tr>
    <tr id="attr-reputation">
        <td>Reputation Scores</td>
        <td><code>reputation</code></td>
        <td>
            <a href="/docs/obj-reputation">Reputation[]</a>
        </td>
        <td>
        Reputation score as reported by the provider.
        
        </td>
    </tr>
    <tr id="attr-type_id">
        <td>Type ID</td>
        <td><code>type_id</code></td>
        <td>
            <a href="/docs/types#integer_t">Integer</a>
        </td>
        <td>
        Type of entity for which threat info is provided, e.g. IP.
        
            <ul>
                <li><code>0</code>: Unknown (<code>UNKNOWN</code>)</li>
                <li><code>1</code>: IP (<code>IP</code>)</li>
                <li><code>2</code>: Domain (<code>DOMAIN</code>)</li>
                <li><code>3</code>: Url (<code>URL</code>)</li>
                <li><code>4</code>: Hash (<code>HASH</code>)</li>
                <li><code>99</code>: Other (<code>OTHER</code>)</li>
            </ul>
        </td>
    </tr>
    <tr id="attr-unmapped">
        <td>Unmapped</td>
        <td><code>unmapped</code></td>
        <td>
            <a href="/docs/obj-unmapped">Unmapped[]</a>
        </td>
        <td>
        Data from the source that was not mapped into the schema.
        
        </td>
    </tr>
    <tr id="attr-value">
        <td>Value</td>
        <td><code>value</code></td>
        <td>
            <a href="/docs/types#string_t">String</a>
        </td>
        <td>
        Entity value for which threat info is provided.
        
        </td>
    </tr>
</table>

## Relationships

<img src="https://schema.query.ai/images/obj-threat_intelligence.svg" alt="Threat Intelligence shown in context" />

### Outbound Relationships

Threat Intelligence references the following objects and events in its attributes:

<ul>
    <li><a href="/docs/obj-reputation">Reputation</a></li>
    <li><a href="/docs/obj-unmapped">Unmapped</a></li>
</ul>

<p><small><i>This page describes ocsf-1.4.0</i></small></p>