Indicators¶
Indicators are a secondary resource in TruSTAR’s data model.
Endpoints¶
Schema¶
| Field | Description |
|---|---|
| indicatorType | the type of indicator (IP, URL, EMAIL_ADDRESS, etc.) |
| value | the indicator’s value (ex 209.239.125.153, www.evil.com, attacker@evil.com, etc.) |
Additionally, the fields below are only present on certain endpoints.
| Field | Endpoints | Description |
|---|---|---|
| priorityLevel | Search Indicators | Deprecated. Will read NOT_FOUND for all indicators. |
| firstSeen | Search Indicators | the time (in milliseconds since epoch) that the indicator first appeared in a report or indicator submission in the specified enclaves. |
| lastSeen | Search Indicators | the time (in milliseconds since epoch) that the indicator last appeared in a report or indicator submission in the specified enclaves. |
| whitelisted | Get Indicators for Report | whether the indicator has been whitelisted by the requesting company |
| weight | Get Indicators for Report | Deprecated. |
| reason | Get Indicators for Report | Deprecated. |
Finally, another set of fields are returned on the endpoint Get Indicator Metadata.
These fields’ values are driven by the enclaves submitted to the endpoint’s enclaveIds parameter. Changing the enclaves will,
change the metadata values in most cases.
| Field | Description |
|---|---|
| sightings | the number of times the indicator has appeared in a report or indicator submission in the specified enclaves. |
| lastSeen | the time (in milliseconds since epoch) that the indicator last appeared in a report or indicator submission in the specified enclaves. |
| enclaveIds | the enclaves (from the specified enclaves) that the indicator has appeared in a report or indicator submission. |
| tags | the set of Tag objects that the indicator has been tagged with in the specified enclaves. |
| notes | the notes from the specified enclaves associated with the indicator. |
| noteCount | the number of notes from the specified enclaves associated with this indicator. |
| source | where the indicator originated from before it was submitted to TruSTAR’s system. Only indicators that were submitted in IOC submissions through the submit-indicators endpoint will have a value for this attribute. IOCs found in reports will not have a value for this attribute, unless they were also included in a submission to the submit-indicators endpoint. |
Indicator Types¶
The indicator types that TruSTAR supports are listed below. These are also the exact strings that the indicatorType field can take on.
| Indicator Type | Example | Description |
|---|---|---|
| BITCOIN_ADDRESS | 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 | A bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1 or 3, that represents a possible destination for a bitcoin payment. |
| CIDR_BLOCK | 192.30.250.00/18 | CIDR (Classless Inter-Domain Routing) identifies a range of IP addresses, and was introduced as a way to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes. |
| CVE | CVE-2014-7654321 | The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. |
| EMAIL_ADDRESS | jsmith@example.com | An email address is a unique identifier for an email account. |
| IP | 165.179.144.240 | An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. |
| MALWARE | WANNACRY | Names of software that are intended to damage or disable computers and computer systems. |
| MD5 | 925e3aa143d543bc9a44a421e0a4a957 | The MD5 algorithm is a widely used hash function producing a 128-bit hash value. |
| REGISTRY_KEY | HKEY_LOCAL_MACHINE | The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. |
| SHA1 | cf23df2207d99a74fbe169e3eba035e633b65d94 | SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest - typically rendered as a hexadecimal number, 40 digits long. SHA-1 is prone to length extension attacks. |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | SHA-256 is a member of the SHA-2 cryptographic hash functions designed by the NSA, which are the successors to SHA-1. It is represented as a 64-character hexadecimal string. |
| SOFTWARE | example.exe | The name of a file on a filesystem. |
| URL | http://www.example.com | A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. |