threatintel.discovery
Introduction
The tags beginning with threatintel.discovery
identify events generated by discovery scanners.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as threatintel.discovery. The third level identifies the product and the fourth indicates the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables
---|---|---
Arachni Web Application Security Scanner Framework | threatintel.discovery.arachni.scan | threatintel.discovery.arachni.scan
Nmap Network Scanner | threatintel.discovery.nmap.scan | threatintel.discovery.nmap.scan
For more information, see About Devo tags.
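As an added example that is not part of the Devo documentation, the following Python code applies the tag rule above (exactly 4 levels, the first two fixed as threatintel.discovery, then product, then event type) to validate incoming tags before events are routed to a data table. The two known tags are taken from this page; the per-level character rule, the event payloads and the function names are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Known 4-level tags and the products they belong to, as listed on this page.
KNOWN_TAGS = {
    "threatintel.discovery.arachni.scan": "Arachni Web Application Security Scanner Framework",
    "threatintel.discovery.nmap.scan": "Nmap Network Scanner",
}

# The first two levels are fixed by the documentation.
FIXED_PREFIX = ("threatintel", "discovery")

# Assumption for this example: each free level is lowercase alphanumeric or underscore.
LEVEL_RE = re.compile(r"^[a-z0-9_]+$")


class DiscoveryTag(NamedTuple):
    full_tag: str
    product: str      # third level
    event_type: str   # fourth level
    known: bool       # True when the tag is one documented on this page


def parse_discovery_tag(tag: str) -> DiscoveryTag:
    """Validate a threatintel.discovery tag and split it into its levels.

    Raises ValueError for anything that does not follow the documented structure,
    so malformed tags are rejected instead of silently landing in the wrong table.
    """
    levels = tag.split(".")
    if len(levels) != 4:
        raise ValueError(f"tag must have exactly 4 levels, got {len(levels)}: {tag!r}")
    if tuple(levels[:2]) != FIXED_PREFIX:
        raise ValueError(f"first two levels must be threatintel.discovery: {tag!r}")
    product, event_type = levels[2], levels[3]
    for level in (product, event_type):
        if not LEVEL_RE.match(level):
            raise ValueError(f"invalid level {level!r} in tag {tag!r}")
    return DiscoveryTag(tag, product, event_type, tag in KNOWN_TAGS)


def route_events(events: list[tuple[str, dict]]) -> tuple[dict[str, list[dict]], list[tuple[str, str]]]:
    """Group (tag, event) pairs by destination table; collect rejected tags with the reason."""
    routed: dict[str, list[dict]] = {}
    rejected: list[tuple[str, str]] = []
    for tag, payload in events:
        try:
            parsed = parse_discovery_tag(tag)
        except ValueError as exc:
            rejected.append((tag, str(exc)))
            continue
        routed.setdefault(parsed.full_tag, []).append(payload)
    return routed, rejected


# Constructed sample events (not real scanner output) using field names from the tables below.
SAMPLE_EVENTS = [
    ("threatintel.discovery.nmap.scan",
     {"host": "10.0.0.5", "port": 22, "protocol": "tcp", "state": "open", "name": "ssh"}),
    ("threatintel.discovery.arachni.scan",
     {"name": "Cross-Site Scripting (XSS)", "severity": "high", "request_method": "GET"}),
    ("threatintel.discovery.nmap",            # only 3 levels: rejected
     {"host": "10.0.0.6"}),
    ("siem.logtrust.nmap.scan",               # wrong fixed prefix: rejected
     {"host": "10.0.0.7"}),
]


if __name__ == "__main__":
    routed, rejected = route_events(SAMPLE_EVENTS)
    for table, rows in routed.items():
        print(f"{table}: {len(rows)} event(s)")
    for tag, reason in rejected:
        print(f"rejected {tag!r}: {reason}")
```

Tags that parse but are not in KNOWN_TAGS (for example a product not listed on this page) are still routed, with `known` set to False, so a caller can decide whether to accept new products or alert on them.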
Table structure
These are the fields displayed in these tables:
threatintel.discovery.arachni.scan
Field | Type | Extra fields
---|---|---
eventdate | |
name | |
severity | |
vector_type | |
response_code | |
response_ip_address | |
response_headers_string | |
cwe | |
cwe_url | |
request_url | |
request_headers_string | |
request_effective_body | |
request_method | |
new | |
hostchain | | ✓
tag | | ✓
rawMessage | | ✓
threatintel.discovery.nmap.scan
Field | Type | Extra fields
---|---|---
eventdate | |
host | |
hostname | |
hostname_type | |
protocol | |
port | |
name | |
state | |
product | |
extrainfo | |
reason | |
version | |
conf | |
cpe | |
hostchain | | ✓
tag | | ✓
rawMessage | | ✓