
threatintel.discovery

Introduction

The tags beginning with threatintel.discovery identify events generated by discovery scanners.

Valid tags and data tables 

The full tag must have exactly 4 levels. The first two are fixed as threatintel.discovery. The third level identifies the product that produced the scan and the fourth indicates the type of events sent. Each tag is received by a data table of the same name.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service                                  | Tags                               | Data tables
Arachni Web Application Security Scanner Framework | threatintel.discovery.arachni.scan | threatintel.discovery.arachni.scan
Nmap Network Scanner                               | threatintel.discovery.nmap.scan    | threatintel.discovery.nmap.scan

For more information, see About Devo tags.
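The rule above (four dot-separated levels, fixed threatintel.discovery prefix, product and event type in levels three and four, data table named after the tag) is the kind of check worth running before pointing a scanner's output at a Devo relay, because an event sent with a malformed or unknown tag will not land in the table your detections query. The following is an added example, not Devo's own code; it assumes only what this page states and treats the two product/event-type pairs listed above as the complete set of valid ones.

```python
"""Validate and decompose threatintel.discovery tags.

Added example, not Devo's own code. It assumes only what the page states:
a valid tag has exactly four dot-separated levels, the first two fixed as
"threatintel.discovery", the third naming the product and the fourth the
event type, and the data table carries the same name as the tag.
"""
from dataclasses import dataclass

PREFIX = ("threatintel", "discovery")

# (product, event type) pairs the page lists as valid, with their description.
KNOWN_TAGS = {
    ("arachni", "scan"): "Arachni Web Application Security Scanner Framework",
    ("nmap", "scan"): "Nmap Network Scanner",
}


@dataclass(frozen=True)
class DiscoveryTag:
    product: str
    event_type: str

    @property
    def tag(self) -> str:
        return ".".join(PREFIX + (self.product, self.event_type))

    @property
    def table(self) -> str:
        # The data table receiving the parsed events has the same name as the tag.
        return self.tag

    @property
    def description(self) -> str:
        return KNOWN_TAGS[(self.product, self.event_type)]


def parse_tag(tag: str) -> DiscoveryTag:
    """Split a tag into its levels and reject anything the page does not allow."""
    levels = tag.split(".")
    if len(levels) != 4:
        raise ValueError(f"{tag!r}: expected 4 levels, got {len(levels)}")
    if any(level == "" for level in levels):
        raise ValueError(f"{tag!r}: empty level")
    if tuple(levels[:2]) != PREFIX:
        raise ValueError(f"{tag!r}: first two levels must be {'.'.join(PREFIX)}")
    product, event_type = levels[2], levels[3]
    if (product, event_type) not in KNOWN_TAGS:
        raise ValueError(f"{tag!r}: no discovery parser for {product}.{event_type}")
    return DiscoveryTag(product, event_type)


def is_valid_tag(tag: str) -> bool:
    """True only for tags this page documents as valid."""
    try:
        parse_tag(tag)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in (
        "threatintel.discovery.nmap.scan",
        "threatintel.discovery.nmap",           # only 3 levels
        "threatintel.discovery.nmap.scan.full", # 5 levels
        "threatintel.enrich.nmap.scan",         # wrong fixed prefix
        "threatintel.discovery..scan",          # empty product level
        "threatintel.discovery.nessus.scan",    # product not documented here
    ):
        print(f"{candidate:40} valid={is_valid_tag(candidate)}")
```

Run the module directly to see each malformed variant rejected; `parse_tag` is the function to call from a sender or a relay-side check, since it tells you which rule the tag broke.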

Table structure

These are the fields displayed in these tables:

threatintel.discovery.arachni.scan

Field                   | Type      | Extra fields
eventdate               | timestamp |
name                    | str       |
severity                | str       |
vector_type             | str       |
response_code           | str       |
response_ip_address     | str       |
response_headers_string | str       |
cwe                     | str       |
cwe_url                 | str       |
request_url             | str       |
request_headers_string  | str       |
request_effective_body  | str       |
request_method          | str       |
new                     | str       |
hostchain               | str       | ✓
tag                     | str       | ✓
rawMessage              | str       | ✓

threatintel.discovery.nmap.scan

Field         | Type      | Extra fields
eventdate     | timestamp |
host          | str       |
hostname      | str       |
hostname_type | str       |
protocol      | str       |
port          | str       |
name          | str       |
state         | str       |
product       | str       |
extrainfo     | str       |
reason        | str       |
version       | str       |
conf          | str       |
cpe           | str       |
hostchain     | str       | ✓
tag           | str       | ✓
rawMessage    | str       | ✓
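The column names of threatintel.discovery.nmap.scan match the attributes nmap writes in its XML output (`-oX`): the host `address`, the `hostname` element's `name` and `type`, the `port` element's `protocol` and `portid`, the `state` element's `state` and `reason`, the `service` element's `name`, `product`, `version`, `extrainfo` and `conf`, and its `cpe` children. The following added example, which is not Devo's parser, builds one row per scanned port in that column layout from a constructed nmap XML document, so you can see what a record in this table looks like and generate test data for queries against it. The treatment of `eventdate` (taken from the host's `endtime` epoch), the choice of the first resolved hostname, and the joining of multiple CPEs with a comma are assumptions of the example, not behaviour documented on this page.

```python
"""Map nmap XML output onto the threatintel.discovery.nmap.scan columns.

Added example, not Devo's parser. It assumes the table's columns correspond to
the like-named attributes in nmap's -oX output. The sample XML is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: one host, three TCP ports, shaped like `nmap -sV -oX` output.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10" start="1700000000" version="7.94">
  <host starttime="1700000000" endtime="1700000030">
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames>
      <hostname name="web.example.test" type="PTR"/>
    </hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3"
                 extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10">
          <cpe>cpe:/a:openbsd:openssh:8.9p1</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl" method="probed" conf="10">
          <cpe>cpe:/a:igor_sysoev:nginx:1.18.0</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Columns of threatintel.discovery.nmap.scan as listed on this page
# (hostchain, tag and rawMessage are extra fields added on ingest, not parsed).
COLUMNS = ("eventdate", "host", "hostname", "hostname_type", "protocol", "port",
           "name", "state", "product", "extrainfo", "reason", "version", "conf", "cpe")


def _event_date(host: ET.Element) -> str:
    """Assumption: the host's endtime epoch (else starttime) is the event timestamp."""
    epoch = host.get("endtime") or host.get("starttime") or "0"
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Return one row per (host, port); every value is a str, as the table declares."""
    # Scan output from a machine you do not control is untrusted XML; for such
    # input use defusedxml.ElementTree.fromstring, which has the same signature.
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        address = host.find("address")
        host_addr = address.get("addr", "") if address is not None else ""
        hn = host.find("hostnames/hostname")  # assumption: first resolved name only
        hostname = hn.get("name", "") if hn is not None else ""
        hostname_type = hn.get("type", "") if hn is not None else ""
        eventdate = _event_date(host)
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            svc = service.attrib if service is not None else {}
            cpes = [c.text or "" for c in port.iter("cpe")]
            rows.append({
                "eventdate": eventdate,
                "host": host_addr,
                "hostname": hostname,
                "hostname_type": hostname_type,
                "protocol": port.get("protocol", ""),
                "port": port.get("portid", ""),
                "name": svc.get("name", ""),
                "state": state.get("state", "") if state is not None else "",
                "product": svc.get("product", ""),
                "extrainfo": svc.get("extrainfo", ""),
                "reason": state.get("reason", "") if state is not None else "",
                "version": svc.get("version", ""),
                "conf": svc.get("conf", ""),
                "cpe": ",".join(cpes),  # assumption: several <cpe> children joined
            })
    return rows


def open_services(rows: list[dict]) -> list[tuple[str, str, str]]:
    """(host, port, cpe) for open ports with a CPE: the inventory a vuln match feeds on."""
    return [(r["host"], r["port"], r["cpe"])
            for r in rows if r["state"] == "open" and r["cpe"]]


if __name__ == "__main__":
    for row in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(" | ".join(row[c] for c in COLUMNS))
    print(open_services(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Filtered port 8080 still produces a row, with empty `product`, `version` and `cpe`, because nmap records a table-guessed service name (`conf` 3) for it; a query that keys on `cpe` alone silently drops such rows, which is why `open_services` filters on both `state` and `cpe`.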