Indicators¶
Indicators are a secondary resource in TruSTAR’s data model.
Endpoints¶
Schema¶
| Field | Description |
|---|---|
| indicatorType | the type of indicator (IP, URL, EMAIL_ADDRESS, etc.) |
| value | the indicator’s value (ex 209.239.125.153, www.evil.com, attacker@evil.com, etc.) |
Additionally, the fields below are only present on certain endpoints.
| Field | Endpoints | Description |
|---|---|---|
| correlationCount | Get Community Trending Indicators | the number of reports containing this indicator |
| priorityLevel | Search Indicators | LOW, MEDIUM, or HIGH. NOT_FOUND if no score has been computed for this indicator. |
| whitelisted | Get Indicators for Report | whether the indicator has been whitelisted by the requesting company |
| weight | Get Indicators for Report | Possible values are 0 and 1. A value of 0 indicates that, although the term fits the technical requirements to be considered an indicator, our machine learning model has determined that it is likely not an indicator of compromise when considered in the context of a specific report. For example, the term “3.11.2.1” is a valid IP address, but when it appears within a clause such as “installed some_program.exe version 3.11.2.1”, our model might assign a weight of 0 because the term is likely a version number. |
| reason | Get Indicators for Report | the reason the indicator has a weight of 0 (not present if weight is 1) |
Finally, another set of fields are returned on the endpoint Get Indicator Metadata, which is part of a product feature that is still in beta and is not available to all users:
| Field | Description |
|---|---|
| sightings | the number of times the indicator has appeared in a report or indicator submission to any enclaves the user has access to |
| lastSeen | the time (in milliseconds since epoch) that the indicator last appeared in a report or indicator submission to any enclaves the user has access to |
| enclaveIds | the enclaves (of those the user has access to) that the indicator has appeared in a report or indicator submission to |
| tags | the set of Tag objects that the indicator has been tagged with |
| notes | the notes associated with the indicator |
| noteCount | the number of notes associated with this indicators |
| source | where the indicator originated from before it was submitted to TruSTAR’s system |
Sample JSON¶
{
"indicatorType": "IP",
"value": "103.255.61.39",
"whitelisted": false,
"weight": 1,
"priorityLevel": "HIGH",
"correlationCount": 34
}
Indicator Types¶
The indicator types that TruSTAR supports are listed below. These are also the exact strings that the indicatorType field can take on.
| Indicator Type | Example | Description |
|---|---|---|
| BITCOIN_ADDRESS | 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 | A bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1 or 3, that represents a possible destination for a bitcoin payment. |
| CIDR_BLOCK | 192.30.250.00/18 | CIDR (Classless Inter-Domain Routing) identifies a range of IP addresses, and was introduced as a way to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes. |
| CVE | CVE-2014-7654321 | The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. |
| EMAIL_ADDRESS | jsmith@example.com | An email address is a unique identifier for an email account. |
| IP | 165.179.144.240 | An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. |
| MALWARE | WANNACRY | Names of software that are intended to damage or disable computers and computer systems. |
| MD5 | 925e3aa143d543bc9a44a421e0a4a957 | The MD5 algorithm is a widely used hash function producing a 128-bit hash value. |
| REGISTRY_KEY | HKEY_LOCAL_MACHINE | The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. |
| SHA1 | cf23df2207d99a74fbe169e3eba035e633b65d94 | SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest - typically rendered as a hexadecimal number, 40 digits long. SHA-1 is prone to length extension attacks. |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | SHA-256 is a member of the SHA-2 cryptographic hash functions designed by the NSA, which are the successors to SHA-1. It is represented as a 64-character hexadecimal string. |
| SOFTWARE | example.exe | The name of a file on a filesystem. |
| URL | http://www.example.com | A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. |