Indicator Summary

class trustar.models.indicator_summary.IndicatorSummary(value=None, indicator_type=None, report_id=None, enclave_id=None, source=None, score=None, created=None, updated=None, description=None, attributes=None)

Models an IndicatorSummary. This represents a normalized summary of common properties extracted from the body of a report, from an intelligence source, that gives details about a specific indicator.

The score field will only be populated if the source contained information that can be interpreted as a type of score. The attributes field is a list of IndicatorAttribute objects for fields that are specific to this source.

Variables:
  • value (str) – The indicator’s value.
  • indicator_type (IndicatorType) – The indicator’s type.
  • report_id (str) – The ID of the report for this summary.
  • enclave_id (str) – The ID of the report’s enclave.
  • source (IntelligenceSource) – An object containing information about the source that the report came from.
  • score (IndicatorScore) – The score of the report, according to the source. Only populated if the source supplied something interpretable as a score.
  • created (int) – The created or first seen timestamp of the indicator, according to the source.
  • updated (int) – The updated or last seen timestamp of the indicator, according to the source.
  • description (str) – The description of the indicator, according to the source.
  • attributes (list(IndicatorAttribute)) – A list of attributes about the indicator, according to the source.

classmethod from_dict(indicator_summary)

Create an IndicatorSummary object from a dictionary.

Parameters: indicator_summary – The dictionary.
Returns: The IndicatorSummary object.
to_dict(remove_nones=False)

Creates a dictionary representation of the indicator summary.

Parameters: remove_nones – Whether None values should be filtered out of the dictionary. Defaults to False.
Returns: A dictionary representation of the indicator summary.

Indicator Score

class trustar.models.indicator_summary.IndicatorScore(name=None, value=None)

Models an IndicatorScore.

Variables:
  • name (str) – The name of the score type, e.g. “Risk Score” or “Malicious Confidence”.
  • value (str) – The value of the score, as directly extracted from the source.

classmethod from_dict(indicator_score)

Create an IndicatorScore object from a dictionary.

Parameters: indicator_score – The dictionary.
Returns: The IndicatorScore object.
to_dict(remove_nones=False)

Creates a dictionary representation of the indicator score.

Parameters: remove_nones – Whether None values should be filtered out of the dictionary. Defaults to False.
Returns: A dictionary representation of the indicator score.

Indicator Attribute

class trustar.models.indicator_summary.IndicatorAttribute(name=None, value=None, logical_type=None, description=None)

Models an IndicatorAttribute. This is an attribute of an indicator, according to an intelligence source.

Variables:
  • name (str) – The name of the attribute, e.g. “Actors” or “Malware Families”.
  • value (any) – The value of the attribute, e.g. “North Korea” or “Emotet”.
  • logical_type (str) – Describes how to interpret the value field; for example, it could be “timestamp” if value is an integer.
  • description (str) – A description of how to interpret this attribute. This corresponds to the attribute name, i.e. it is the same for all attributes in a source with the same name.

classmethod from_dict(indicator_attribute)

Create an IndicatorAttribute object from a dictionary.

Parameters: indicator_attribute – The dictionary.
Returns: The IndicatorAttribute object.
to_dict(remove_nones=False)

Creates a dictionary representation of the indicator attribute.

Parameters: remove_nones – Whether None values should be filtered out of the dictionary. Defaults to False.
Returns: A dictionary representation of the indicator attribute.
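The example below shows how the three models fit together when a consumer reads a summary: building the nested objects from a dictionary, dropping None fields with remove_nones, and using logical_type to decode an attribute value before it lands in a triage view. It is an added illustration written for this page, not the SDK's own code: the classes are stand-alone re-implementations of the documented interface, the dictionary key names (indicatorType, reportId, enclaveId, logicalType), the epoch-milliseconds convention for timestamp attributes, the attribute_map helper and the SAMPLE dictionary are all assumptions or constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional


def _strip(d: Dict[str, Any], remove_nones: bool) -> Dict[str, Any]:
    # Implements the remove_nones flag: drop keys whose value is None when asked.
    return {k: v for k, v in d.items() if v is not None} if remove_nones else d


@dataclass
class IndicatorScore:
    name: Optional[str] = None
    value: Optional[str] = None

    @classmethod
    def from_dict(cls, d: Dict[str, Any]) -> "IndicatorScore":
        return cls(name=d.get("name"), value=d.get("value"))

    def to_dict(self, remove_nones: bool = False) -> Dict[str, Any]:
        return _strip({"name": self.name, "value": self.value}, remove_nones)


@dataclass
class IndicatorAttribute:
    name: Optional[str] = None
    value: Any = None
    logical_type: Optional[str] = None
    description: Optional[str] = None

    @classmethod
    def from_dict(cls, d: Dict[str, Any]) -> "IndicatorAttribute":
        # "logicalType" as the wire key is an assumption of this example.
        return cls(name=d.get("name"), value=d.get("value"),
                   logical_type=d.get("logicalType"), description=d.get("description"))

    def to_dict(self, remove_nones: bool = False) -> Dict[str, Any]:
        return _strip({"name": self.name, "value": self.value,
                       "logicalType": self.logical_type,
                       "description": self.description}, remove_nones)

    def interpreted_value(self) -> Any:
        # logical_type says how to read value; "timestamp" is the case the docs name.
        # Treating the integer as epoch milliseconds is an assumption.
        if self.logical_type == "timestamp" and self.value is not None:
            return datetime.fromtimestamp(int(self.value) / 1000, tz=timezone.utc)
        return self.value


@dataclass
class IndicatorSummary:
    value: Optional[str] = None
    indicator_type: Optional[str] = None
    report_id: Optional[str] = None
    enclave_id: Optional[str] = None
    source: Optional[Dict[str, Any]] = None
    score: Optional[IndicatorScore] = None
    created: Optional[int] = None
    updated: Optional[int] = None
    description: Optional[str] = None
    attributes: List[IndicatorAttribute] = field(default_factory=list)

    @classmethod
    def from_dict(cls, d: Dict[str, Any]) -> "IndicatorSummary":
        score = d.get("score")
        return cls(
            value=d.get("value"), indicator_type=d.get("indicatorType"),
            report_id=d.get("reportId"), enclave_id=d.get("enclaveId"),
            source=d.get("source"),
            # score is only populated when the source carried one (docs say so).
            score=IndicatorScore.from_dict(score) if score is not None else None,
            created=d.get("created"), updated=d.get("updated"),
            description=d.get("description"),
            attributes=[IndicatorAttribute.from_dict(a) for a in d.get("attributes") or []],
        )

    def to_dict(self, remove_nones: bool = False) -> Dict[str, Any]:
        d = {
            "value": self.value, "indicatorType": self.indicator_type,
            "reportId": self.report_id, "enclaveId": self.enclave_id,
            "source": self.source,
            "score": self.score.to_dict(remove_nones) if self.score is not None else None,
            "created": self.created, "updated": self.updated,
            "description": self.description,
            "attributes": [a.to_dict(remove_nones) for a in self.attributes],
        }
        return _strip(d, remove_nones)


def attribute_map(summary: IndicatorSummary) -> Dict[str, Any]:
    # Flatten attributes to name -> decoded value, which is what an analyst view wants.
    return {a.name: a.interpreted_value() for a in summary.attributes}


# Constructed sample payload; ids and source are placeholders, not real data.
SAMPLE: Dict[str, Any] = {
    "value": "example-indicator", "indicatorType": "URL",
    "reportId": "REPORT-ID-PLACEHOLDER", "enclaveId": "ENCLAVE-ID-PLACEHOLDER",
    "source": {"key": "vendor-placeholder"},
    "score": {"name": "Malicious Confidence", "value": "high"},
    "created": 1609459200000, "updated": 1609459200000,
    "attributes": [
        {"name": "Malware Families", "value": "Emotet"},
        {"name": "First Seen", "value": 1609459200000, "logicalType": "timestamp",
         "description": "Epoch milliseconds when the source first observed the indicator"},
    ],
}

if __name__ == "__main__":
    s = IndicatorSummary.from_dict(SAMPLE)
    print(s.score.name, s.score.value, attribute_map(s))
    print(s.to_dict(remove_nones=True))
```

Calling to_dict() without remove_nones keeps every key (the missing description appears as None), which is the right shape when another model reads the output back; remove_nones=True gives the compact form for logging or storage. Note that from_dict cannot validate what a source meant by a score or a logical_type; the interpretation lives in the consumer, as interpreted_value shows.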