{ "result": { "sane_defaults": { "md5": { "default_category": "Payload delivery", "to_ids": 1 }, "sha1": { "default_category": "Payload delivery", "to_ids": 1 }, "sha256": { "default_category": "Payload delivery", "to_ids": 1 }, "filename": { "default_category": "Payload delivery", "to_ids": 1 }, "pdb": { "default_category": "Artifacts dropped", "to_ids": 0 }, "filename|md5": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha1": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha256": { "default_category": "Payload delivery", "to_ids": 1 }, "ip-src": { "default_category": "Network activity", "to_ids": 1 }, "ip-dst": { "default_category": "Network activity", "to_ids": 1 }, "hostname": { "default_category": "Network activity", "to_ids": 1 }, "domain": { "default_category": "Network activity", "to_ids": 1 }, "domain|ip": { "default_category": "Network activity", "to_ids": 1 }, "email-src": { "default_category": "Payload delivery", "to_ids": 1 }, "email-dst": { "default_category": "Network activity", "to_ids": 1 }, "email-subject": { "default_category": "Payload delivery", "to_ids": 0 }, "email-attachment": { "default_category": "Payload delivery", "to_ids": 1 }, "email-body": { "default_category": "Payload delivery", "to_ids": 0 }, "float": { "default_category": "Other", "to_ids": 0 }, "url": { "default_category": "External analysis", "to_ids": 1 }, "http-method": { "default_category": "Network activity", "to_ids": 0 }, "user-agent": { "default_category": "Network activity", "to_ids": 0 }, "regkey": { "default_category": "Persistence mechanism", "to_ids": 1 }, "regkey|value": { "default_category": "Persistence mechanism", "to_ids": 1 }, "AS": { "default_category": "Network activity", "to_ids": 0 }, "snort": { "default_category": "Network activity", "to_ids": 1 }, "pattern-in-file": { "default_category": "Payload installation", "to_ids": 1 }, "pattern-in-traffic": { "default_category": "Network activity", "to_ids": 1 }, "pattern-in-memory": { "default_category": "Payload installation", "to_ids": 1 }, "yara": { "default_category": "Payload installation", "to_ids": 1 }, "stix2-pattern": { "default_category": "Payload installation", "to_ids": 1 }, "sigma": { "default_category": "Payload installation", "to_ids": 1 }, "cookie": { "default_category": "Network activity", "to_ids": 0 }, "vulnerability": { "default_category": "External analysis", "to_ids": 0 }, "attachment": { "default_category": "External analysis", "to_ids": 0 }, "malware-sample": { "default_category": "Payload delivery", "to_ids": 1 }, "link": { "default_category": "External analysis", "to_ids": 0 }, "comment": { "default_category": "Other", "to_ids": 0 }, "text": { "default_category": "Other", "to_ids": 0 }, "hex": { "default_category": "Other", "to_ids": 0 }, "other": { "default_category": "Other", "to_ids": 0 }, "named pipe": { "default_category": "Artifacts dropped", "to_ids": 0 }, "mutex": { "default_category": "Artifacts dropped", "to_ids": 1 }, "target-user": { "default_category": "Targeting data", "to_ids": 0 }, "target-email": { "default_category": "Targeting data", "to_ids": 0 }, "target-machine": { "default_category": "Targeting data", "to_ids": 0 }, "target-org": { "default_category": "Targeting data", "to_ids": 0 }, "target-location": { "default_category": "Targeting data", "to_ids": 0 }, "target-external": { "default_category": "Targeting data", "to_ids": 0 }, "btc": { "default_category": "Financial fraud", "to_ids": 1 }, "iban": { "default_category": "Financial fraud", "to_ids": 1 }, "bic": { "default_category": "Financial fraud", "to_ids": 1 }, "bank-account-nr": { "default_category": "Financial fraud", "to_ids": 1 }, "aba-rtn": { "default_category": "Financial fraud", "to_ids": 1 }, "bin": { "default_category": "Financial fraud", "to_ids": 1 }, "cc-number": { "default_category": "Financial fraud", "to_ids": 1 }, "prtn": { "default_category": "Financial fraud", "to_ids": 1 }, "phone-number": { "default_category": "Person", "to_ids": 0 }, "threat-actor": { "default_category": "Attribution", "to_ids": 0 }, "campaign-name": { "default_category": "Attribution", "to_ids": 0 }, "campaign-id": { "default_category": "Attribution", "to_ids": 0 }, "malware-type": { "default_category": "Payload delivery", "to_ids": 0 }, "uri": { "default_category": "Network activity", "to_ids": 1 }, "authentihash": { "default_category": "Payload delivery", "to_ids": 1 }, "ssdeep": { "default_category": "Payload delivery", "to_ids": 1 }, "imphash": { "default_category": "Payload delivery", "to_ids": 1 }, "pehash": { "default_category": "Payload delivery", "to_ids": 1 }, "impfuzzy": { "default_category": "Payload delivery", "to_ids": 1 }, "sha224": { "default_category": "Payload delivery", "to_ids": 1 }, "sha384": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512/224": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512/256": { "default_category": "Payload delivery", "to_ids": 1 }, "tlsh": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|authentihash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|ssdeep": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|imphash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|impfuzzy": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|pehash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha224": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha384": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512/224": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512/256": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|tlsh": { "default_category": "Payload delivery", "to_ids": 1 }, "windows-scheduled-task": { "default_category": "Artifacts dropped", "to_ids": 0 }, "windows-service-name": { "default_category": "Artifacts dropped", "to_ids": 0 }, "windows-service-displayname": { "default_category": "Artifacts dropped", "to_ids": 0 }, "whois-registrant-email": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-phone": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-name": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-org": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrar": { "default_category": "Attribution", "to_ids": 0 }, "whois-creation-date": { "default_category": "Attribution", "to_ids": 0 }, "x509-fingerprint-sha1": { "default_category": "Network activity", "to_ids": 1 }, "x509-fingerprint-md5": { "default_category": "Network activity", "to_ids": 1 }, "x509-fingerprint-sha256": { "default_category": "Network activity", "to_ids": 1 }, "dns-soa-email": { "default_category": "Attribution", "to_ids": 0 }, "size-in-bytes": { "default_category": "Other", "to_ids": 0 }, "counter": { "default_category": "Other", "to_ids": 0 }, "datetime": { "default_category": "Other", "to_ids": 0 }, "cpe": { "default_category": "Other", "to_ids": 0 }, "port": { "default_category": "Network activity", "to_ids": 0 }, "ip-dst|port": { "default_category": "Network activity", "to_ids": 1 }, "ip-src|port": { "default_category": "Network activity", "to_ids": 1 }, "hostname|port": { "default_category": "Network activity", "to_ids": 1 }, "mac-address": { "default_category": "Network activity", "to_ids": 0 }, "mac-eui-64": { "default_category": "Network activity", "to_ids": 0 }, "email-dst-display-name": { "default_category": "Payload delivery", "to_ids": 0 }, "email-src-display-name": { "default_category": "Payload delivery", "to_ids": 0 }, "email-header": { "default_category": "Payload delivery", "to_ids": 0 }, "email-reply-to": { "default_category": "Payload delivery", "to_ids": 0 }, "email-x-mailer": { "default_category": "Payload delivery", "to_ids": 0 }, "email-mime-boundary": { "default_category": "Payload delivery", "to_ids": 0 }, "email-thread-index": { "default_category": "Payload delivery", "to_ids": 0 }, "email-message-id": { "default_category": "Payload delivery", "to_ids": 0 }, "github-username": { "default_category": "Social network", "to_ids": 0 }, "github-repository": { "default_category": "Social network", "to_ids": 0 }, "github-organisation": { "default_category": "Social network", "to_ids": 0 }, "jabber-id": { "default_category": "Social network", "to_ids": 0 }, "twitter-id": { "default_category": "Social network", "to_ids": 0 }, "first-name": { "default_category": "Person", "to_ids": 0 }, "middle-name": { "default_category": "Person", "to_ids": 0 }, "last-name": { "default_category": "Person", "to_ids": 0 }, "date-of-birth": { "default_category": "Person", "to_ids": 0 }, "place-of-birth": { "default_category": "Person", "to_ids": 0 }, "gender": { "default_category": "Person", "to_ids": 0 }, "passport-number": { "default_category": "Person", "to_ids": 0 }, "passport-country": { "default_category": "Person", "to_ids": 0 }, "passport-expiration": { "default_category": "Person", "to_ids": 0 }, "redress-number": { "default_category": "Person", "to_ids": 0 }, "nationality": { "default_category": "Person", "to_ids": 0 }, "visa-number": { "default_category": "Person", "to_ids": 0 }, "issue-date-of-the-visa": { "default_category": "Person", "to_ids": 0 }, "primary-residence": { "default_category": "Person", "to_ids": 0 }, "country-of-residence": { "default_category": "Person", "to_ids": 0 }, "special-service-request": { "default_category": "Person", "to_ids": 0 }, "frequent-flyer-number": { "default_category": "Person", "to_ids": 0 }, "travel-details": { "default_category": "Person", "to_ids": 0 }, "payment-details": { "default_category": "Person", "to_ids": 0 }, "place-port-of-original-embarkation": { "default_category": "Person", "to_ids": 0 }, "place-port-of-clearance": { "default_category": "Person", "to_ids": 0 }, "place-port-of-onward-foreign-destination": { "default_category": "Person", "to_ids": 0 }, "passenger-name-record-locator-number": { "default_category": "Person", "to_ids": 0 }, "mobile-application-id": { "default_category": "Payload delivery", "to_ids": 1 }, "cortex": { "default_category": "External analysis", "to_ids": 0 } }, "types": [ "md5", "sha1", "sha256", "filename", "pdb", "filename|md5", "filename|sha1", "filename|sha256", "ip-src", "ip-dst", "hostname", "domain", "domain|ip", "email-src", "email-dst", "email-subject", "email-attachment", "email-body", "float", "url", "http-method", "user-agent", "regkey", "regkey|value", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "yara", "stix2-pattern", "sigma", "cookie", "vulnerability", "attachment", "malware-sample", "link", "comment", "text", "hex", "other", "named pipe", "mutex", "target-user", "target-email", "target-machine", "target-org", "target-location", "target-external", "btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number", "prtn", "phone-number", "threat-actor", "campaign-name", "campaign-id", "malware-type", "uri", "authentihash", "ssdeep", "imphash", "pehash", "impfuzzy", "sha224", "sha384", "sha512", "sha512/224", "sha512/256", "tlsh", "filename|authentihash", "filename|ssdeep", "filename|imphash", "filename|impfuzzy", "filename|pehash", "filename|sha224", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|tlsh", "windows-scheduled-task", "windows-service-name", "windows-service-displayname", "whois-registrant-email", "whois-registrant-phone", "whois-registrant-name", "whois-registrant-org", "whois-registrar", "whois-creation-date", "x509-fingerprint-sha1", "x509-fingerprint-md5", "x509-fingerprint-sha256", "dns-soa-email", "size-in-bytes", "counter", "datetime", "cpe", "port", "ip-dst|port", "ip-src|port", "hostname|port", "mac-address", "mac-eui-64", "email-dst-display-name", "email-src-display-name", "email-header", "email-reply-to", "email-x-mailer", "email-mime-boundary", "email-thread-index", "email-message-id", "github-username", "github-repository", "github-organisation", "jabber-id", "twitter-id", "first-name", "middle-name", "last-name", "date-of-birth", "place-of-birth", "gender", "passport-number", "passport-country", "passport-expiration", "redress-number", "nationality", "visa-number", "issue-date-of-the-visa", "primary-residence", "country-of-residence", "special-service-request", "frequent-flyer-number", "travel-details", "payment-details", "place-port-of-original-embarkation", "place-port-of-clearance", "place-port-of-onward-foreign-destination", "passenger-name-record-locator-number", "mobile-application-id", "cortex" ], "categories": [ "Internal reference", "Targeting data", "Antivirus detection", "Payload delivery", "Artifacts dropped", "Payload installation", "Persistence mechanism", "Network activity", "Payload type", "Attribution", "External analysis", "Financial fraud", "Support Tool", "Social network", "Person", "Other" ], "category_type_mappings": { "Internal reference": [ "text", "link", "comment", "other", "hex" ], "Targeting data": [ "target-user", "target-email", "target-machine", "target-org", "target-location", "target-external", "comment" ], "Antivirus detection": [ "link", "comment", "text", "hex", "attachment", "other" ], "Payload delivery": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "impfuzzy", "authentihash", "pehash", "tlsh", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|impfuzzy", "filename|pehash", "mac-address", "mac-eui-64", "ip-src", "ip-dst", "ip-dst|port", "ip-src|port", "hostname", "domain", "email-src", "email-dst", "email-subject", "email-attachment", "email-body", "url", "user-agent", "AS", "pattern-in-file", "pattern-in-traffic", "stix2-pattern", "yara", "sigma", "attachment", "malware-sample", "link", "malware-type", "comment", "text", "hex", "vulnerability", "x509-fingerprint-sha1", "x509-fingerprint-md5", "x509-fingerprint-sha256", "other", "hostname|port", "email-dst-display-name", "email-src-display-name", "email-header", "email-reply-to", "email-x-mailer", "email-mime-boundary", "email-thread-index", "email-message-id", "mobile-application-id", "whois-registrant-email" ], "Artifacts dropped": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "impfuzzy", "authentihash", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|impfuzzy", "filename|pehash", "regkey", "regkey|value", "pattern-in-file", "pattern-in-memory", "pdb", "stix2-pattern", "yara", "sigma", "attachment", "malware-sample", "named pipe", "mutex", "windows-scheduled-task", "windows-service-name", "windows-service-displayname", "comment", "text", "hex", "x509-fingerprint-sha1", "x509-fingerprint-md5", "x509-fingerprint-sha256", "other", "cookie" ], "Payload installation": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "impfuzzy", "authentihash", "pehash", "tlsh", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|impfuzzy", "filename|pehash", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "stix2-pattern", "yara", "sigma", "vulnerability", "attachment", "malware-sample", "malware-type", "comment", "text", "hex", "x509-fingerprint-sha1", "x509-fingerprint-md5", "x509-fingerprint-sha256", "mobile-application-id", "other" ], "Persistence mechanism": [ "filename", "regkey", "regkey|value", "comment", "text", "other", "hex" ], "Network activity": [ "ip-src", "ip-dst", "ip-dst|port", "ip-src|port", "port", "hostname", "domain", "domain|ip", "mac-address", "mac-eui-64", "email-dst", "url", "uri", "user-agent", "http-method", "AS", "snort", "pattern-in-file", "stix2-pattern", "pattern-in-traffic", "attachment", "comment", "text", "x509-fingerprint-sha1", "other", "hex", "cookie" ], "Payload type": [ "comment", "text", "other" ], "Attribution": [ "threat-actor", "campaign-name", "campaign-id", "whois-registrant-phone", "whois-registrant-email", "whois-registrant-name", "whois-registrant-org", "whois-registrar", "whois-creation-date", "comment", "text", "x509-fingerprint-sha1", "x509-fingerprint-md5", "x509-fingerprint-sha256", "other", "dns-soa-email" ], "External analysis": [ "md5", "sha1", "sha256", "filename", "filename|md5", "filename|sha1", "filename|sha256", "ip-src", "ip-dst", "ip-dst|port", "ip-src|port", "mac-address", "mac-eui-64", "hostname", "domain", "domain|ip", "url", "user-agent", "regkey", "regkey|value", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "vulnerability", "attachment", "malware-sample", "link", "comment", "text", "x509-fingerprint-sha1", "x509-fingerprint-md5", "x509-fingerprint-sha256", "github-repository", "other", "cortex" ], "Financial fraud": [ "btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number", "prtn", "phone-number", "comment", "text", "other", "hex" ], "Support Tool": [ "link", "text", "attachment", "comment", "other", "hex" ], "Social network": [ "github-username", "github-repository", "github-organisation", "jabber-id", "twitter-id", "email-src", "email-dst", "comment", "text", "other", "whois-registrant-email" ], "Person": [ "first-name", "middle-name", "last-name", "date-of-birth", "place-of-birth", "gender", "passport-number", "passport-country", "passport-expiration", "redress-number", "nationality", "visa-number", "issue-date-of-the-visa", "primary-residence", "country-of-residence", "special-service-request", "frequent-flyer-number", "travel-details", "payment-details", "place-port-of-original-embarkation", "place-port-of-clearance", "place-port-of-onward-foreign-destination", "passenger-name-record-locator-number", "comment", "text", "other", "phone-number" ], "Other": [ "comment", "text", "other", "size-in-bytes", "counter", "datetime", "cpe", "port", "float", "hex", "phone-number" ] } } }