Indicators

Indicators are a secondary resource in TruSTAR’s data model.

Schema

Field          Description
indicatorType  the type of indicator (IP, URL, EMAIL_ADDRESS, etc.)
value          the indicator's value (e.g. 209.239.125.153, www.evil.com, attacker@evil.com)

Additionally, the fields below are only present on certain endpoints.

Field             Endpoints                          Description
correlationCount  Get Community Trending Indicators  the number of reports containing this indicator
priorityLevel     Search Indicators                  LOW, MEDIUM, or HIGH; NOT_FOUND if no score has been computed for this indicator
whitelisted       Get Indicators for Report          whether the indicator has been whitelisted by the requesting company
weight            Get Indicators for Report          Possible values are 0 and 1. A value of 0 indicates that, although the term fits the technical requirements to be considered an indicator, our machine learning model has determined that it is likely not an indicator of compromise when considered in the context of the specific report. For example, the term "3.11.2.1" is a valid IP address, but when it appears within a clause such as "installed some_program.exe version 3.11.2.1", our model might assign a weight of 0 because the term is likely a version number.
reason            Get Indicators for Report          the reason the indicator has a weight of 0 (not present if weight is 1)

Finally, another set of fields is returned by the Get Indicator Metadata endpoint, which belongs to a product feature that is still in beta and is not available to all users:

Field       Description
sightings   the number of times the indicator has appeared in a report or indicator submission to any enclave the user has access to
lastSeen    the time (in milliseconds since the epoch) that the indicator last appeared in a report or indicator submission to any enclave the user has access to
enclaveIds  the enclaves (among those the user has access to) in which the indicator has appeared in a report or indicator submission
tags        the set of Tag objects the indicator has been tagged with
notes       the notes associated with the indicator
noteCount   the number of notes associated with this indicator
source      where the indicator originated before it was submitted to TruSTAR's system

Sample JSON

{
    "indicatorType": "IP",
    "value": "103.255.61.39",
    "whitelisted": false,
    "weight": 1,
    "priorityLevel": "HIGH",
    "correlationCount": 34
}

Indicator Types

The indicator types that TruSTAR supports are listed below. These are also the exact strings that the indicatorType field can take on.

BITCOIN_ADDRESS
  Example: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
  A bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1 or 3, that represents a possible destination for a bitcoin payment.

CIDR_BLOCK
  Example: 192.30.250.00/18
  CIDR (Classless Inter-Domain Routing) notation identifies a range of IP addresses; it was introduced to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes.

CVE
  Example: CVE-2014-7654321
  The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.

EMAIL_ADDRESS
  Example: jsmith@example.com
  An email address is a unique identifier for an email account.

IP
  Example: 165.179.144.240
  An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.

MALWARE
  Example: WANNACRY
  The name of software that is intended to damage or disable computers and computer systems.

MD5
  Example: 925e3aa143d543bc9a44a421e0a4a957
  The MD5 algorithm is a widely used hash function producing a 128-bit hash value, rendered as a 32-character hexadecimal string.

REGISTRY_KEY
  Example: HKEY_LOCAL_MACHINE
  The registry is a hierarchical database that contains data critical to the operation of Windows and of the applications and services that run on Windows.

SHA1
  Example: cf23df2207d99a74fbe169e3eba035e633b65d94
  SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that takes an input and produces a 160-bit (20-byte) hash value known as a message digest, typically rendered as a 40-digit hexadecimal number. SHA-1 is prone to length extension attacks.

SHA256
  Example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA-256 is a member of the SHA-2 family of cryptographic hash functions designed by the NSA, the successors to SHA-1. It is represented as a 64-character hexadecimal string.

SOFTWARE
  Example: example.exe
  The name of a file on a filesystem.

URL
  Example: http://www.example.com
  A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.
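As an added example (not TruSTAR's own code), the Python validator below checks an indicator object returned by, or about to be submitted to, the API against the schema and the type table above: the indicatorType string must be one of the listed types, weight must be 0 or 1 with reason present only for weight 0, and priorityLevel must be LOW, MEDIUM, HIGH or NOT_FOUND. The per-type syntax checks (digest lengths, the CVE and bitcoin-address shapes, parsing IP and CIDR_BLOCK with the standard ipaddress module) are my assumptions about what a well-formed value looks like, not rules the API documents.

```python
import ipaddress
import re

# Exact indicatorType strings and priorityLevel values from the tables above
INDICATOR_TYPES = {"BITCOIN_ADDRESS", "CIDR_BLOCK", "CVE", "EMAIL_ADDRESS", "IP", "MALWARE",
                   "MD5", "REGISTRY_KEY", "SHA1", "SHA256", "SOFTWARE", "URL"}
PRIORITY_LEVELS = {"LOW", "MEDIUM", "HIGH", "NOT_FOUND"}

# Per-type syntax checks (my assumption, not rules the API documents); MALWARE, REGISTRY_KEY and SOFTWARE are free-form names
_PARSERS = {"IP": ipaddress.ip_address,
            "CIDR_BLOCK": lambda v: ipaddress.ip_network(v, strict=False)}
_PATTERNS = {
    "BITCOIN_ADDRESS": re.compile(r"^[13][a-zA-Z0-9]{25,34}$"),  # 26-35 chars, leading 1 or 3
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "EMAIL_ADDRESS": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "MD5": re.compile(r"^[0-9a-fA-F]{32}$"),     # 128-bit digest as hex
    "SHA1": re.compile(r"^[0-9a-fA-F]{40}$"),    # 160-bit digest as hex
    "SHA256": re.compile(r"^[0-9a-fA-F]{64}$"),  # 256-bit digest as hex
    "URL": re.compile(r"^https?://\S+$"),
}


def value_matches_type(indicator_type, value):  # True if value is well-formed for the type
    if indicator_type in _PARSERS:
        try:
            _PARSERS[indicator_type](value)
            return True
        except ValueError:
            return False
    pattern = _PATTERNS.get(indicator_type)
    return bool(value) if pattern is None else bool(pattern.match(value))


def validate_indicator(obj):  # returns the list of problems found in one indicator object
    problems = []
    itype, value = obj.get("indicatorType"), obj.get("value")
    if itype not in INDICATOR_TYPES:
        problems.append(f"unknown indicatorType: {itype!r}")
    elif not isinstance(value, str) or not value_matches_type(itype, value):
        problems.append(f"value {value!r} is not a valid {itype}")
    if "weight" in obj and obj["weight"] not in (0, 1):
        problems.append("weight must be 0 or 1")
    if obj.get("weight") == 0 and "reason" not in obj:  # reason accompanies weight 0
        problems.append("weight 0 should come with a reason")
    if obj.get("weight") == 1 and "reason" in obj:
        problems.append("reason is only present when weight is 0")
    if "priorityLevel" in obj and obj["priorityLevel"] not in PRIORITY_LEVELS:
        problems.append(f"unexpected priorityLevel: {obj['priorityLevel']!r}")
    return problems
```

Running validate_indicator on the Sample JSON above yields an empty list; an IP such as the "3.11.2.1" version-number case with weight 0 and no reason is flagged.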