
threatintel.flashpoint

Introduction

Tags beginning with threatintel.flashpoint identify events generated by Flashpoint.

Valid tags and data tables

The full tag has four levels. The first two are fixed as threatintel.flashpoint. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

| Technology | Brand | Type | Subtype |
|---|---|---|---|
| threatintel | flashpoint | intelligence | alerts |

These are the valid tags and the corresponding data tables that receive the parsers' data:

| Tag | Data table |
|---|---|
| threatintel.flashpoint.intelligence.alerts | threatintel.flashpoint.intelligence.alerts |

Tables structure

These are the fields of the table listed above.

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| hostname | str | - |
| alert_id | str | - |
| fpid | str | - |
| keyword__keyword_id | str | - |
| keyword__keyword_text | str | - |
| highlights | str | - |
| basetypes | str | - |
| timestamp | str | - |
| source__asn | str | - |
| source__basetypes | str | - |
| source__country | str | - |
| source__fpid | str | - |
| source__highlight_sections__ports | str | - |
| source__highlight_sections__services | str | - |
| source__ip_address | ip4 | - |
| source__org | str | - |
| source__shodan_url | str | - |
| source__source | str | - |
| source__vulns | str | - |
| source__body__text_plain | str | - |
| source__first_observed_at__date_time | str | - |
| source__first_observed_at__raw | str | - |
| source__first_observed_at__timestamp | timestamp | - |
| source__last_observed_at__date_time | str | - |
| source__last_observed_at__raw | str | - |
| source__last_observed_at__timestamp | timestamp | - |
| source__native_id | str | - |
| source__site__title | str | - |
| source__site_actor__names__aliases | str | - |
| source__site_actor__names__handle | str | - |
| source__sort_date | timestamp | - |
| source__title | str | - |
| source__enriched_secrets | str | - |
| source__file | str | - |
| source__owner | str | - |
| source__repo | str | - |
| source__snippet | str | - |
| source__url | str | - |
| source__type | str | - |
| source__breach_type | str | - |
| source__credential_record_fpid | str | - |
| source__customer_id | str | - |
| source__domain | str | - |
| source__email | str | - |
| source__is_fresh | bool | - |
| source__password | str | - |
| source__password_complexity_has_lowercase | str | - |
| source__password_complexity_has_number | str | - |
| source__password_complexity_has_symbol | str | - |
| source__password_complexity_length | str | - |
| source__password_complexity_probable_hash_algorithms | str | - |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |
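The following is an added example, not Devo's or Flashpoint's code, showing how the four-level tag described above is composed and validated, and how a nested alert record maps onto the flattened column names in the table (for instance source.ip_address becoming source__ip_address) with the documented ip4, bool and timestamp types checked before the row is sent. The double-underscore nesting convention is inferred from the field names on this page and is an assumption, as is the shape of the constructed sample alert; the schema dictionary covers only a subset of the columns listed.

```python
"""Added example (not Devo's or Flashpoint's code): compose the
threatintel.flashpoint tag and flatten a nested alert into the documented
column names, validating a subset of the documented types.

Assumptions: nested keys join with '__' (inferred from the field names on
the page); the sample alert below is constructed, not a real record."""
import ipaddress
import json
from datetime import datetime, timezone

TAG_PREFIX = ("threatintel", "flashpoint")
# Only tag documented on the page
VALID_TAGS = {"threatintel.flashpoint.intelligence.alerts"}

# Subset of the documented schema: column -> Devo type.
# Columns not listed here are treated as str.
SCHEMA = {
    "alert_id": "str",
    "fpid": "str",
    "keyword__keyword_text": "str",
    "source__ip_address": "ip4",
    "source__country": "str",
    "source__is_fresh": "bool",
    "source__first_observed_at__timestamp": "timestamp",
    "source__vulns": "str",
}


def build_tag(event_type: str, subtype: str) -> str:
    """Compose the tag: the two fixed levels plus type and subtype."""
    tag = ".".join(TAG_PREFIX + (event_type, subtype))
    if tag not in VALID_TAGS:
        raise ValueError(f"{tag} is not a documented threatintel.flashpoint tag")
    return tag


def is_valid_tag(tag: str) -> bool:
    """Four levels, fixed prefix, and present in the documented tag list."""
    parts = tag.split(".")
    return len(parts) == 4 and tuple(parts[:2]) == TAG_PREFIX and tag in VALID_TAGS


def flatten(obj: dict, prefix: str = "") -> dict:
    """Recursively flatten nested dicts, joining key path with '__'.
    Lists are serialised as JSON text because the table stores them as str."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}__{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        elif isinstance(value, list):
            out[name] = json.dumps(value)
        else:
            out[name] = value
    return out


def coerce(column: str, value):
    """Validate/convert a value according to the documented column type."""
    kind = SCHEMA.get(column, "str")
    if kind == "ip4":
        addr = ipaddress.ip_address(str(value))
        if addr.version != 4:
            raise ValueError(f"{column}: expected IPv4, got {value!r}")
        return str(addr)
    if kind == "bool":
        return value if isinstance(value, bool) else str(value).lower() == "true"
    if kind == "timestamp":
        if isinstance(value, (int, float)):  # epoch seconds
            return datetime.fromtimestamp(value, tz=timezone.utc)
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return str(value)


def to_row(alert: dict) -> dict:
    """Flatten an alert and coerce every column; unknown columns stay str
    so nothing the table documents is silently dropped."""
    return {col: coerce(col, val) for col, val in flatten(alert).items()}


# Constructed sample alert (hypothetical values, not a real Flashpoint record)
SAMPLE_ALERT = {
    "alert_id": "alert-0001",
    "fpid": "fp-example",
    "keyword": {"keyword_id": "kw-1", "keyword_text": "example.test"},
    "source": {
        "ip_address": "192.0.2.10",
        "country": "ZZ",
        "is_fresh": "true",
        "first_observed_at": {"timestamp": 1700000000},
        "vulns": ["placeholder-vuln-id"],
    },
}

if __name__ == "__main__":
    print(build_tag("intelligence", "alerts"))
    for column, value in to_row(SAMPLE_ALERT).items():
        print(f"{column}: {value!r}")
```

Rejecting a malformed IPv4 value or an undocumented tag at this stage keeps bad rows out of the table rather than discovering them at query time.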

How is the data sent to Devo?

To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can learn how to use it in the article about the AlienVault OTX Pulse collector.