
threatintel.external

Introduction

The tags beginning with threatintel.external identify events generated by products that detect external threats.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as threatintel.external. The third level identifies the product and the fourth indicates the type of events sent.

These are the valid tags and the corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Threat Compass (formerly Blueliv Threat Compass) | threatintel.external.blueliv.attackingips | threatintel.external.blueliv.attackingips |
| | threatintel.external.blueliv.credentials | threatintel.external.blueliv.credentials |
| | threatintel.external.blueliv.credentialsettings | threatintel.external.blueliv.credentialsettings |
| | threatintel.external.blueliv.crimeservers | threatintel.external.blueliv.crimeservers |
| | threatintel.external.blueliv.malware | threatintel.external.blueliv.malware |

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

threatintel.external.blueliv.attackingips

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| attackType | str | |
| destination_ip | str | |
| destination_port | int4 | |
| destination_serviceName | str | |
| destination_latitude | float8 | |
| destination_longitude | float8 | |
| destination_city | str | |
| destination_country | str | |
| destination_countryName | str | |
| source_ip | str | |
| source_port | int4 | |
| source_latitude | float8 | |
| source_longitude | float8 | |
| source_city | str | |
| source_country | str | |
| source_countryName | str | |
| lastEvent | str | |
| updatedAt | str | |
| createdAt | str | |
| firstEvent | str | |
| numEvents | int4 | |
| _id | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

threatintel.external.blueliv.credentials

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| id | str | |
| userName | str | |
| userPassword | str | |
| portalUrl | str | |
| botIp | str | |
| type | str | |
| isEmail | str | |
| reportedAt | str | |
| classification | str | |
| stolenAt | str | |
| botLongitude | float8 | |
| botLatitude | float8 | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

threatintel.external.blueliv.credentialsettings

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| asset | str | |
| action | str | |
| assetype | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

threatintel.external.blueliv.crimeservers

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| url | str | |
| type | str | |
| subType | str | |
| country | str | |
| countryName | str | |
| city | str | |
| status | str | |
| host | str | |
| latitude | float8 | |
| longitude | float8 | |
| ip | str | |
| updatedAt | str | |
| asnId | int4 | |
| lastSeenAt | str | |
| confidence | int4 | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

threatintel.external.blueliv.malware

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| malwareType | str | |
| filename | str | |
| md5 | str | |
| sha1 | str | |
| sha256 | str | |
| fileType | str | |
| confidence | str | |
| contentType | str | |
| architecture | str | |
| fileSize | int4 | |
| firstSeenAt | str | |
| analyzedAt | str | |
| severityOneCount | int4 | |
| severityOneList | str | |
| severityTwoCount | int4 | |
| severityTwoList | str | |
| severityThreeCount | int4 | |
| severityThreeList | str | |
| severityFourCount | int4 | |
| severityFourList | str | |
| severityFiveCount | int4 | |
| severityFiveList | str | |
| severitySixCount | int4 | |
| severitySixList | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |