Indicators

Indicators are a secondary resource in TruSTAR’s data model.

Schema

Field and description:

indicatorType
    The type of indicator (IP, URL, EMAIL_ADDRESS, etc.). The full list of values is given under Indicator Types below.
value
    The indicator's value (for example 209.239.125.153, www.evil.com or attacker@evil.com).

Additionally, the fields below are only present in the responses of certain endpoints (the endpoint is given in parentheses).

priorityLevel (Search Indicators)
    Deprecated. Reads NOT_FOUND for all indicators.
firstSeen (Search Indicators)
    The time (in milliseconds since the Unix epoch) that the indicator first appeared in a report or indicator submission in the specified enclaves.
lastSeen (Search Indicators)
    The time (in milliseconds since the Unix epoch) that the indicator last appeared in a report or indicator submission in the specified enclaves.
whitelisted (Get Indicators for Report)
    Whether the indicator has been whitelisted by the requesting company.
weight (Get Indicators for Report)
    Deprecated.
reason (Get Indicators for Report)
    Deprecated.

Finally, another set of fields is returned by the Get Indicator Metadata endpoint. These fields' values are driven by the enclaves passed in the endpoint's enclaveIds parameter; in most cases, changing the enclaves changes the metadata values. In particular, sightings, lastSeen and enclaveIds are scoped to the selected enclaves, not global counts across TruSTAR.

sightings
    The number of times the indicator has appeared in a report or indicator submission in the specified enclaves.
lastSeen
    The time (in milliseconds since the Unix epoch) that the indicator last appeared in a report or indicator submission in the specified enclaves.
enclaveIds
    The subset of the specified enclaves in which the indicator has appeared in a report or indicator submission.
tags
    The set of Tag objects that the indicator has been tagged with in the specified enclaves.
notes
    The notes from the specified enclaves associated with the indicator.
noteCount
    The number of notes from the specified enclaves associated with this indicator.
source
    Where the indicator originated before it was submitted to TruSTAR's system. Only indicators that were submitted in IOC submissions through the submit-indicators endpoint will have a value for this attribute. IOCs extracted from reports will not have a value for this attribute unless they were also included in a submission to the submit-indicators endpoint.
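The following is an added example (not TruSTAR's own code or an official client) showing how a consumer of Get Indicator Metadata responses might use these fields to triage indicators before pushing them to a blocklist: millisecond epoch timestamps are converted to UTC, the absence of source is read as "extracted from a report", the deprecated priorityLevel is ignored, and a whitelisted flag (the Get Indicators for Report field) short-circuits the decision if present. The sample records, the enclave names and the triage thresholds are constructed for illustration and are not TruSTAR policy.

```python
"""Triage indicator metadata records (added example, not TruSTAR code).

Record shapes follow the field lists above: sightings, lastSeen
(milliseconds since epoch), enclaveIds, tags, notes, noteCount, source.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records (illustrative values, not real TruSTAR data).
SAMPLE_METADATA = [
    {
        "indicatorType": "IP",
        "value": "203.0.113.7",                # RFC 5737 documentation range
        "priorityLevel": "NOT_FOUND",          # deprecated field, ignored below
        "sightings": 12,
        "lastSeen": 1_700_000_000_000,         # 2023-11-14T22:13:20Z
        "enclaveIds": ["enclave-a", "enclave-b"],
        "tags": [{"name": "c2"}],
        "notes": ["seen in phishing campaign"],
        "noteCount": 1,
        "source": "vendor-feed",               # submitted via submit-indicators
    },
    {
        "indicatorType": "URL",
        "value": "http://www.example.com",
        "sightings": 1,
        "lastSeen": 1_600_000_000_000,         # 2020-09-13T12:26:40Z
        "enclaveIds": ["enclave-a"],
        "tags": [],
        "notes": [],
        "noteCount": 0,
        # no "source": this IOC was extracted from a report, not submitted directly
    },
    {
        "indicatorType": "EMAIL_ADDRESS",
        "value": "jsmith@example.com",
        "sightings": 40,
        "lastSeen": 1_700_000_000_000,
        "enclaveIds": ["enclave-b"],
        "tags": [],
        "notes": [],
        "noteCount": 0,
        "whitelisted": True,                   # Get Indicators for Report field
    },
]


def ms_to_utc(ms: int) -> datetime:
    """Convert a firstSeen/lastSeen millisecond epoch value to a UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage(records, now_ms: int, min_sightings: int = 2, max_age_days: int = 90):
    """Return one triage summary per record.

    Verdicts (thresholds are an assumption of this example):
      whitelisted     -> the requesting company whitelisted the value
      stale           -> lastSeen older than max_age_days
      low-confidence  -> fewer than min_sightings sightings in the enclaves
      actionable      -> everything else
    """
    now = ms_to_utc(now_ms)
    out = []
    for r in records:
        last_seen = ms_to_utc(r["lastSeen"])
        age = now - last_seen
        if r.get("whitelisted"):
            verdict = "whitelisted"
        elif age > timedelta(days=max_age_days):
            verdict = "stale"
        elif r["sightings"] < min_sightings:
            verdict = "low-confidence"
        else:
            verdict = "actionable"
        out.append({
            "value": r["value"],
            "type": r["indicatorType"],
            "last_seen_utc": last_seen.isoformat(),
            "age_days": age.days,
            "enclave_count": len(r.get("enclaveIds", [])),
            # Only submit-indicators submissions carry a source; report IOCs do not.
            "submitted_directly": r.get("source") is not None,
            "verdict": verdict,
        })
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_METADATA, now_ms=1_701_388_800_000):  # 2023-12-01T00:00:00Z
        print(row)
```

Because sightings and lastSeen depend on the enclaveIds passed to the endpoint, the same value can triage differently under two enclave selections; compare results only for calls made with the same enclaveIds.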

Indicator Types

The indicator types that TruSTAR supports are listed below. These are also the exact strings that the indicatorType field can take on.

Indicator type, example and description:

BITCOIN_ADDRESS
    Example: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
    A bitcoin address is an identifier that represents a possible destination for a bitcoin payment. The format described here is the legacy Base58 form: 26-35 alphanumeric characters beginning with the number 1 or 3 (newer Bech32 addresses instead begin with bc1).
CIDR_BLOCK
    Example: 192.30.250.0/18
    CIDR (Classless Inter-Domain Routing) notation identifies a range of IP addresses, and was introduced to allow more flexible allocation of Internet Protocol (IP) addresses than the original system of IP address classes. Note that the host bits of the example are not zero; the network it denotes is 192.30.192.0/18, so normalize CIDR values before comparing them.
CVE
    Example: CVE-2014-7654321
    The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The sequence part may have more than four digits.
EMAIL_ADDRESS
    Example: jsmith@example.com
    An email address is a unique identifier for an email account.
IP
    Example: 165.179.144.240
    An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.
MALWARE
    Example: WANNACRY
    Names of software intended to damage or disable computers and computer systems. Unlike the other types, a malware name has no fixed syntax and cannot be recognized by pattern alone.
MD5
    Example: 925e3aa143d543bc9a44a421e0a4a957
    The MD5 algorithm is a widely used hash function producing a 128-bit hash value, rendered as 32 hexadecimal characters. MD5 is no longer collision-resistant, so an MD5 match identifies a known sample but cannot prove two files with the same digest are identical.
REGISTRY_KEY
    Example: HKEY_LOCAL_MACHINE
    The registry is a hierarchical database that contains data critical for the operation of Windows and the applications and services that run on Windows. A value may be a hive name, as in the example, or a full key path beneath it.
SHA1
    Example: cf23df2207d99a74fbe169e3eba035e633b65d94
    SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that takes an input and produces a 160-bit (20-byte) hash value known as a message digest, typically rendered as a hexadecimal number 40 digits long. Practical SHA-1 collisions have been demonstrated, so, like MD5, it should be treated as a lookup key for known samples rather than as proof of file identity; prefer SHA256 when both are available.
SHA256
    Example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA-256 is a member of the SHA-2 family of cryptographic hash functions designed by the NSA, the successors to SHA-1. It is represented as a 64-character hexadecimal string. The example value is the SHA-256 digest of empty input, so as an IOC it would match every zero-length file; hashes of empty or otherwise common content make poor indicators.
SOFTWARE
    Example: example.exe
    The name of a file on a filesystem.
URL
    Example: http://www.example.com
    A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.
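As an added example (not TruSTAR's own indicator extraction, whose rules are not documented on this page), the classifier below maps a raw string to one of the indicatorType values listed above and returns a canonical form of the value (lower-case hex digests, upper-case CVE ids, lower-case email addresses and hostnames, CIDR blocks with host bits cleared) so that the same indicator submitted in different spellings deduplicates. The matching rules, the check order, the file-extension list for SOFTWARE, the treatment of bare hostnames as URL and the known_malware catalogue are all assumptions of this example; MALWARE names cannot be recognized by syntax, so they are matched only against a caller-supplied set.

```python
"""Classify raw strings into TruSTAR indicatorType values (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

HEX = r"[0-9a-fA-F]"
# Checked in order; a string is given the first type whose pattern matches.
PATTERNS = [
    ("MD5", re.compile(rf"^{HEX}{{32}}$")),
    ("SHA1", re.compile(rf"^{HEX}{{40}}$")),
    ("SHA256", re.compile(rf"^{HEX}{{64}}$")),
    ("CVE", re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)),
    ("EMAIL_ADDRESS", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    # Legacy Base58 addresses: 26-35 chars starting with 1 or 3; the Base58
    # alphabet omits 0, O, I and l. Bech32 (bc1...) addresses are not handled.
    ("BITCOIN_ADDRESS", re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")),
    ("REGISTRY_KEY", re.compile(r"^(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU|HKCC)(\\.*)?$", re.IGNORECASE)),
]
# Assumed extension list for the SOFTWARE (file name) type.
SOFTWARE_RE = re.compile(r"^[\w.-]+\.(exe|dll|sys|ps1|bat|cmd|js|vbs|scr|jar|msi)$", re.IGNORECASE)
# Scheme-less hostnames such as www.evil.com are treated as URL (assumption).
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Canonical form per type, applied after classification.
CANONICAL = {
    "MD5": str.lower, "SHA1": str.lower, "SHA256": str.lower,
    "CVE": str.upper, "EMAIL_ADDRESS": str.lower, "MALWARE": str.upper,
}


def classify(value: str, known_malware=frozenset()):
    """Return (indicatorType, canonical_value); (None, value) if nothing matches."""
    v = value.strip()

    # CIDR before IP: ipaddress would also accept a bare address as a /32.
    if "/" in v:
        try:
            return "CIDR_BLOCK", str(ipaddress.ip_network(v, strict=False))
        except ValueError:
            pass
    try:
        return "IP", str(ipaddress.ip_address(v))
    except ValueError:
        pass

    # URLs with a scheme go before the email pattern, which a userinfo URL
    # (http://user@host/) would otherwise satisfy.
    parts = urlsplit(v)
    if parts.scheme.lower() in ("http", "https", "ftp") and parts.netloc:
        return "URL", parts._replace(scheme=parts.scheme.lower(),
                                     netloc=parts.netloc.lower()).geturl()

    for name, pat in PATTERNS:
        if pat.match(v):
            return name, CANONICAL.get(name, str)(v)

    if SOFTWARE_RE.match(v):
        return "SOFTWARE", v
    if HOSTNAME_RE.match(v):
        return "URL", v.lower()
    if v.upper() in known_malware:
        return "MALWARE", v.upper()
    return None, v


if __name__ == "__main__":
    for s in ["925e3aa143d543bc9a44a421e0a4a957", "192.30.250.0/18", "cve-2014-7654321",
              "HKEY_LOCAL_MACHINE", "www.evil.com", "example.exe", "WannaCry"]:
        print(s, "->", classify(s, known_malware={"WANNACRY"}))
```

Check order matters: hash patterns run before the bitcoin pattern because a 32-, 40- or 64-character hex string is also valid Base58, and CIDR runs before IP because ipaddress.ip_network() accepts a bare address. Anything unmatched is returned with None rather than guessed, which is the behaviour a submitter should want, since a wrong indicatorType cannot be corrected by the recipient.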