threatintel.external
Introduction
Tags beginning with threatintel.external identify events generated by products that detect external threats.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as threatintel.external. The third level identifies the product and the fourth indicates the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Threat Compass (formerly Blueliv Threat Compass) | threatintel.external.blueliv.attackingips | threatintel.external.blueliv.attackingips |
 | threatintel.external.blueliv.credentials | threatintel.external.blueliv.credentials |
 | threatintel.external.blueliv.credentialsettings | threatintel.external.blueliv.credentialsettings |
 | threatintel.external.blueliv.crimeservers | threatintel.external.blueliv.crimeservers |
 | threatintel.external.blueliv.malware | threatintel.external.blueliv.malware |
For more information, see About Devo tags.
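A sender that gets the tag wrong (a missing level, a different second level, an undocumented event type) produces events that no parser on this page will populate into a table. The following is an added example, not Devo's own code, that enforces the four-level structure described above, accepts only the tags documented on this page and resolves each one to its data table (which, on this page, carries the same name as the tag). The sample tag/message pairs are constructed for illustration.

```python
"""Validate a Devo threatintel.external tag and resolve its data table.

Added example, not Devo's own code. The valid tag list is taken from this
page; the tag/message pairs at the bottom are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Valid tags documented on this page (product = third level, type = fourth).
VALID_TAGS = {
    "threatintel.external.blueliv.attackingips",
    "threatintel.external.blueliv.credentials",
    "threatintel.external.blueliv.credentialsettings",
    "threatintel.external.blueliv.crimeservers",
    "threatintel.external.blueliv.malware",
}

# The first two levels are fixed.
FIXED_PREFIX = ("threatintel", "external")


@dataclass(frozen=True)
class ParsedTag:
    product: str
    event_type: str

    @property
    def tag(self) -> str:
        return ".".join((*FIXED_PREFIX, self.product, self.event_type))

    @property
    def data_table(self) -> str:
        # On this page every documented data table is named exactly like its tag.
        return self.tag


def parse_tag(tag: str) -> ParsedTag:
    """Split a tag into its four levels and enforce the documented structure."""
    levels = tag.strip().split(".")
    if len(levels) != 4:
        raise ValueError(f"{tag!r}: expected 4 levels, got {len(levels)}")
    if any(not level for level in levels):
        raise ValueError(f"{tag!r}: empty level")
    if tuple(levels[:2]) != FIXED_PREFIX:
        raise ValueError(f"{tag!r}: first two levels must be {'.'.join(FIXED_PREFIX)}")
    parsed = ParsedTag(product=levels[2], event_type=levels[3])
    if parsed.tag not in VALID_TAGS:
        raise ValueError(f"{tag!r}: not a documented tag; no parser will populate a table")
    return parsed


def route_events(tagged_events: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group raw messages by destination data table; invalid tags go under 'rejected'."""
    routed: dict[str, list[str]] = {}
    for tag, raw in tagged_events:
        try:
            table = parse_tag(tag).data_table
        except ValueError:
            table = "rejected"
        routed.setdefault(table, []).append(raw)
    return routed


if __name__ == "__main__":
    # Constructed sample: (tag, raw message) pairs as a sender might emit them.
    sample = [
        ("threatintel.external.blueliv.crimeservers", '{"url":"http://198.51.100.7/login","type":"phishing"}'),
        ("threatintel.external.blueliv.credentials", '{"userName":"alice@example.com","isEmail":true}'),
        ("threatintel.external.blueliv", '{"note":"only three levels"}'),
        ("threatintel.internal.blueliv.malware", '{"md5":"d41d8cd98f00b204e9800998ecf8427e"}'),
        ("threatintel.external.blueliv.unknown", '{"note":"undocumented event type"}'),
    ]
    for table, events in route_events(sample).items():
        print(f"{table}: {len(events)} event(s)")
```

Run stand-alone, the three malformed tags in the sample end up under `rejected` while the two valid ones resolve to their tables.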
Table structure
These are the fields displayed in these tables:
threatintel.external.blueliv.attackingips
Field | Type | Extra fields |
---|---|---|
eventdate | | |
attackType | | |
destination_ip | | |
destination_port | | |
destination_serviceName | | |
destination_latitude | | |
destination_longitude | | |
destination_city | | |
destination_country | | |
destination_countryName | | |
source_ip | | |
source_port | | |
source_latitude | | |
source_longitude | | |
source_city | | |
source_country | | |
source_countryName | | |
lastEvent | | |
updatedAt | | |
createdAt | | |
firstEvent | | |
numEvents | | |
_id | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
threatintel.external.blueliv.credentials
Field | Type | Extra fields |
---|---|---|
eventdate | | |
id | | |
userName | | |
userPassword | | |
portalUrl | | |
botIp | | |
type | | |
isEmail | | |
reportedAt | | |
classification | | |
stolenAt | | |
botLongitude | | |
botLatitude | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
threatintel.external.blueliv.credentialsettings
Field | Type | Extra fields |
---|---|---|
eventdate | | |
asset | | |
action | | |
assetype | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
threatintel.external.blueliv.crimeservers
Field | Type | Extra fields |
---|---|---|
eventdate | | |
url | | |
type | | |
subType | | |
country | | |
countryName | | |
city | | |
status | | |
host | | |
latitude | | |
longitude | | |
ip | | |
updatedAt | | |
asnId | | |
lastSeenAt | | |
confidence | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
threatintel.external.blueliv.malware
Field | Type | Extra fields |
---|---|---|
eventdate | | |
malwareType | | |
filename | | |
md5 | | |
sha1 | | |
sha256 | | |
fileType | | |
confidence | | |
contentType | | |
architecture | | |
fileSize | | |
firstSeenAt | | |
analyzedAt | | |
severityOneCount | | |
severityOneList | | |
severityTwoCount | | |
severityTwoList | | |
severityThreeCount | | |
severityThreeList | | |
severityFourCount | | |
severityFourList | | |
severityFiveCount | | |
severityFiveList | | |
severitySixCount | | |
severitySixList | | |
hostchain | | ✓ |
tag | | ✓ |
rawMessage | | ✓ |
```
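One caveat worth keeping in mind with the threatintel.external.blueliv.credentials table: its `userPassword` field carries the leaked credential itself, and the `rawMessage` extra field carries the original record that it was parsed from, so both hold the secret. Anything that copies rows out of Devo (tickets, chat alerts, exports) should drop those two fields first. The following is an added example, not Devo's or Threat Compass's code, that does so: it removes the secret fields, replaces the password with a keyed HMAC token so repeat leaks of the same password can still be correlated, checks the event against the field list documented above, and flags accounts in domains the team owns. The event, the HMAC key and `WATCHED_DOMAINS` are assumptions constructed for the example.

```python
"""Strip the leaked secret from a threatintel.external.blueliv.credentials event
before it is copied out of Devo into tickets, chat or other tooling.

Added example, not Devo's or Threat Compass's code. Field names are those of
the credentials table documented on this page; the event and the HMAC key are
constructed, and WATCHED_DOMAINS is an assumption for the example.
"""
from __future__ import annotations

import hashlib
import hmac
from typing import Any

# Fields documented for threatintel.external.blueliv.credentials on this page.
DOCUMENTED_FIELDS = {
    "eventdate", "id", "userName", "userPassword", "portalUrl", "botIp", "type",
    "isEmail", "reportedAt", "classification", "stolenAt", "botLongitude",
    "botLatitude", "hostchain", "tag", "rawMessage",
}

# Fields that carry the secret itself: userPassword holds the leaked password,
# rawMessage holds the original record that userPassword was parsed from.
SECRET_FIELDS = ("userPassword", "rawMessage")

# Assumption for this example: domains whose accounts we are responsible for.
WATCHED_DOMAINS = {"example.com"}


def unknown_fields(event: dict[str, Any]) -> list[str]:
    """Return fields not documented for the credentials table (schema drift check)."""
    return sorted(set(event) - DOCUMENTED_FIELDS)


def fingerprint(secret: str, key: bytes) -> str:
    """Keyed, non-reversible correlation token for a leaked password.

    A plain unsalted hash would let anyone holding the token brute-force weak
    passwords offline; HMAC with a key that stays inside the pipeline does not.
    """
    return hmac.new(key, secret.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact_credential(event: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Return a copy safe to share: secret fields removed, correlation token and
    watched-domain flag added."""
    out = {k: v for k, v in event.items() if k not in SECRET_FIELDS}
    password = event.get("userPassword")
    if password is not None:
        out["userPasswordFingerprint"] = fingerprint(str(password), key)
    user = str(event.get("userName", ""))
    out["affectsWatchedDomain"] = False
    if event.get("isEmail") and "@" in user:
        domain = user.rpartition("@")[2].lower()
        out["userDomain"] = domain
        out["affectsWatchedDomain"] = domain in WATCHED_DOMAINS
    return out


if __name__ == "__main__":
    # Constructed event shaped like a row of the credentials table.
    event = {
        "id": "cred-0001",
        "userName": "alice@example.com",
        "userPassword": "hunter2",
        "portalUrl": "https://portal.example.com/login",
        "botIp": "203.0.113.9",
        "type": "credential",
        "isEmail": True,
        "reportedAt": "2024-05-01T10:00:00Z",
        "classification": "stolen",
        "stolenAt": "2024-04-30T22:13:00Z",
        "botLongitude": -3.70,
        "botLatitude": 40.42,
        "rawMessage": '{"userName":"alice@example.com","userPassword":"hunter2"}',
    }
    print("unknown fields:", unknown_fields(event))
    for k, v in redact_credential(event, key=b"pipeline-local-key").items():
        print(f"{k}: {v}")
```

The key passed to `redact_credential` should be loaded from a secret store rather than hard-coded as in the constructed run above; the token is only useful for correlation while the key stays private.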