{ "result": { "categories": [ "Antivirus detection", "Artifacts dropped", "Attribution", "External analysis", "Financial fraud", "Internal reference", "Network activity", "Other", "Payload delivery", "Payload installation", "Payload type", "Persistence mechanism", "Person", "Social network", "Support Tool", "Targeting data" ], "category_type_mappings": { "Antivirus detection": [ "anonymised", "attachment", "comment", "hex", "link", "other", "text" ], "Artifacts dropped": [ "anonymised", "attachment", "authentihash", "cdhash", "comment", "cookie", "filename", "filename|authentihash", "filename|impfuzzy", "filename|imphash", "filename|md5", "filename|pehash", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|ssdeep", "filename|tlsh", "gene", "hex", "impfuzzy", "imphash", "kusto-query", "malware-sample", "md5", "mime-type", "mutex", "named pipe", "other", "pattern-in-file", "pattern-in-memory", "pdb", "regkey", "regkey|value", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "sigma", "ssdeep", "stix2-pattern", "text", "windows-scheduled-task", "windows-service-displayname", "windows-service-name", "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", "yara" ], "Attribution": [ "anonymised", "campaign-id", "campaign-name", "comment", "dns-soa-email", "other", "text", "threat-actor", "whois-creation-date", "whois-registrant-email", "whois-registrant-name", "whois-registrant-org", "whois-registrant-phone", "whois-registrar", "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256" ], "External analysis": [ "AS", "anonymised", "attachment", "bro", "comment", "community-id", "cortex", "domain", "domain|ip", "filename", "filename|md5", "filename|sha1", "filename|sha256", "github-repository", "hassh-md5", "hasshserver-md5", "hostname", "ip-dst", "ip-dst|port", "ip-src", "ip-src|port", "ja3-fingerprint-md5", "link", "mac-address", "mac-eui-64", "malware-sample", "md5", "other", "pattern-in-file", "pattern-in-memory", "pattern-in-traffic", "regkey", "regkey|value", "sha1", "sha256", "snort", "text", "url", "user-agent", "vulnerability", "weakness", "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", "zeek" ], "Financial fraud": [ "aba-rtn", "anonymised", "bank-account-nr", "bic", "bin", "btc", "cc-number", "comment", "dash", "hex", "iban", "other", "phone-number", "prtn", "text", "xmr" ], "Internal reference": [ "anonymised", "comment", "hex", "link", "other", "text" ], "Network activity": [ "AS", "anonymised", "attachment", "bro", "comment", "community-id", "cookie", "domain", "domain|ip", "email-dst", "email-src", "email-subject", "eppn", "hassh-md5", "hasshserver-md5", "hex", "hostname", "hostname|port", "http-method", "ip-dst", "ip-dst|port", "ip-src", "ip-src|port", "ja3-fingerprint-md5", "mac-address", "mac-eui-64", "other", "pattern-in-file", "pattern-in-traffic", "port", "snort", "stix2-pattern", "text", "uri", "url", "user-agent", "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", "zeek" ], "Other": [ "anonymised", "boolean", "comment", "counter", "cpe", "datetime", "float", "hex", "other", "phone-number", "port", "size-in-bytes", "text" ], "Payload delivery": [ "AS", "anonymised", "attachment", "authentihash", "cdhash", "chrome-extension-id", "comment", "domain", "email-attachment", "email-body", "email-dst", "email-dst-display-name", "email-header", "email-message-id", "email-mime-boundary", "email-reply-to", "email-src", "email-src-display-name", "email-subject", "email-thread-index", "email-x-mailer", "filename", "filename|authentihash", "filename|impfuzzy", "filename|imphash", "filename|md5", "filename|pehash", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|ssdeep", "filename|tlsh", "hassh-md5", "hasshserver-md5", "hex", "hostname", "hostname|port", "impfuzzy", "imphash", "ip-dst", "ip-dst|port", "ip-src", "ip-src|port", "ja3-fingerprint-md5", "link", "mac-address", "mac-eui-64", "malware-sample", "malware-type", "md5", "mime-type", "mobile-application-id", "other", "pattern-in-file", "pattern-in-traffic", "pehash", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "sigma", "ssdeep", "stix2-pattern", "text", "tlsh", "url", "user-agent", "vulnerability", "weakness", "whois-registrant-email", "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", "yara" ], "Payload installation": [ "anonymised", "attachment", "authentihash", "cdhash", "chrome-extension-id", "comment", "filename", "filename|authentihash", "filename|impfuzzy", "filename|imphash", "filename|md5", "filename|pehash", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|ssdeep", "filename|tlsh", "hex", "impfuzzy", "imphash", "malware-sample", "malware-type", "md5", "mime-type", "mobile-application-id", "other", "pattern-in-file", "pattern-in-memory", "pattern-in-traffic", "pehash", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "sigma", "ssdeep", "stix2-pattern", "text", "tlsh", "vulnerability", "weakness", "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", "yara" ], "Payload type": [ "anonymised", "comment", "other", "text" ], "Persistence mechanism": [ "anonymised", "comment", "filename", "hex", "other", "regkey", "regkey|value", "text" ], "Person": [ "anonymised", "comment", "country-of-residence", "date-of-birth", "first-name", "frequent-flyer-number", "gender", "identity-card-number", "issue-date-of-the-visa", "last-name", "middle-name", "nationality", "other", "passenger-name-record-locator-number", "passport-country", "passport-expiration", "passport-number", "payment-details", "phone-number", "place-of-birth", "place-port-of-clearance", "place-port-of-onward-foreign-destination", "place-port-of-original-embarkation", "primary-residence", "redress-number", "special-service-request", "text", "travel-details", "visa-number" ], "Social network": [ "anonymised", "comment", "email-dst", "email-src", "eppn", "github-organisation", "github-repository", "github-username", "jabber-id", "other", "text", "twitter-id", "whois-registrant-email" ], "Support Tool": [ "anonymised", "attachment", "comment", "hex", "link", "other", "text" ], "Targeting data": [ "anonymised", "comment", "target-email", "target-external", "target-location", "target-machine", "target-org", "target-user" ] }, "sane_defaults": { "AS": { "default_category": "Network activity", "to_ids": 0 }, "aba-rtn": { "default_category": "Financial fraud", "to_ids": 1 }, "anonymised": { "default_category": "Other", "to_ids": 0 }, "attachment": { "default_category": "External analysis", "to_ids": 0 }, "authentihash": { "default_category": "Payload delivery", "to_ids": 1 }, "bank-account-nr": { "default_category": "Financial fraud", "to_ids": 1 }, "bic": { "default_category": "Financial fraud", "to_ids": 1 }, "bin": { "default_category": "Financial fraud", "to_ids": 1 }, "boolean": { "default_category": "Other", "to_ids": 0 }, "bro": { "default_category": "Network activity", "to_ids": 1 }, "btc": { "default_category": "Financial fraud", "to_ids": 1 }, "campaign-id": { "default_category": "Attribution", "to_ids": 0 }, "campaign-name": { "default_category": "Attribution", "to_ids": 0 }, "cc-number": { "default_category": "Financial fraud", "to_ids": 1 }, "cdhash": { "default_category": "Payload delivery", "to_ids": 1 }, "chrome-extension-id": { "default_category": "Payload delivery", "to_ids": 1 }, "comment": { "default_category": "Other", "to_ids": 0 }, "community-id": { "default_category": "Network activity", "to_ids": 1 }, "cookie": { "default_category": "Network activity", "to_ids": 0 }, "cortex": { "default_category": "External analysis", "to_ids": 0 }, "counter": { "default_category": "Other", "to_ids": 0 }, "country-of-residence": { "default_category": "Person", "to_ids": 0 }, "cpe": { "default_category": "Other", "to_ids": 0 }, "dash": { "default_category": "Financial fraud", "to_ids": 1 }, "date-of-birth": { "default_category": "Person", "to_ids": 0 }, "datetime": { "default_category": "Other", "to_ids": 0 }, "dns-soa-email": { "default_category": "Attribution", "to_ids": 0 }, "domain": { "default_category": "Network activity", "to_ids": 1 }, "domain|ip": { "default_category": "Network activity", "to_ids": 1 }, "email-attachment": { "default_category": "Payload delivery", "to_ids": 1 }, "email-body": { "default_category": "Payload delivery", "to_ids": 0 }, "email-dst": { "default_category": "Network activity", "to_ids": 1 }, "email-dst-display-name": { "default_category": "Payload delivery", "to_ids": 0 }, "email-header": { "default_category": "Payload delivery", "to_ids": 0 }, "email-message-id": { "default_category": "Payload delivery", "to_ids": 0 }, "email-mime-boundary": { "default_category": "Payload delivery", "to_ids": 0 }, "email-reply-to": { "default_category": "Payload delivery", "to_ids": 0 }, "email-src": { "default_category": "Payload delivery", "to_ids": 1 }, "email-src-display-name": { "default_category": "Payload delivery", "to_ids": 0 }, "email-subject": { "default_category": "Payload delivery", "to_ids": 0 }, "email-thread-index": { "default_category": "Payload delivery", "to_ids": 0 }, "email-x-mailer": { "default_category": "Payload delivery", "to_ids": 0 }, "eppn": { "default_category": "Network activity", "to_ids": 1 }, "filename": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|authentihash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|impfuzzy": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|imphash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|md5": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|pehash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha1": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha224": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha256": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha384": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512/224": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512/256": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|ssdeep": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|tlsh": { "default_category": "Payload delivery", "to_ids": 1 }, "first-name": { "default_category": "Person", "to_ids": 0 }, "float": { "default_category": "Other", "to_ids": 0 }, "frequent-flyer-number": { "default_category": "Person", "to_ids": 0 }, "gender": { "default_category": "Person", "to_ids": 0 }, "gene": { "default_category": "Artifacts dropped", "to_ids": 0 }, "github-organisation": { "default_category": "Social network", "to_ids": 0 }, "github-repository": { "default_category": "Social network", "to_ids": 0 }, "github-username": { "default_category": "Social network", "to_ids": 0 }, "hassh-md5": { "default_category": "Network activity", "to_ids": 1 }, "hasshserver-md5": { "default_category": "Network activity", "to_ids": 1 }, "hex": { "default_category": "Other", "to_ids": 0 }, "hostname": { "default_category": "Network activity", "to_ids": 1 }, "hostname|port": { "default_category": "Network activity", "to_ids": 1 }, "http-method": { "default_category": "Network activity", "to_ids": 0 }, "iban": { "default_category": "Financial fraud", "to_ids": 1 }, "identity-card-number": { "default_category": "Person", "to_ids": 0 }, "impfuzzy": { "default_category": "Payload delivery", "to_ids": 1 }, "imphash": { "default_category": "Payload delivery", "to_ids": 1 }, "ip-dst": { "default_category": "Network activity", "to_ids": 1 }, "ip-dst|port": { "default_category": "Network activity", "to_ids": 1 }, "ip-src": { "default_category": "Network activity", "to_ids": 1 }, "ip-src|port": { "default_category": "Network activity", "to_ids": 1 }, "issue-date-of-the-visa": { "default_category": "Person", "to_ids": 0 }, "ja3-fingerprint-md5": { "default_category": "Network activity", "to_ids": 1 }, "jabber-id": { "default_category": "Social network", "to_ids": 0 }, "kusto-query": { "default_category": "Artifacts dropped", "to_ids": 0 }, "last-name": { "default_category": "Person", "to_ids": 0 }, "link": { "default_category": "External analysis", "to_ids": 0 }, "mac-address": { "default_category": "Network activity", "to_ids": 0 }, "mac-eui-64": { "default_category": "Network activity", "to_ids": 0 }, "malware-sample": { "default_category": "Payload delivery", "to_ids": 1 }, "malware-type": { "default_category": "Payload delivery", "to_ids": 0 }, "md5": { "default_category": "Payload delivery", "to_ids": 1 }, "middle-name": { "default_category": "Person", "to_ids": 0 }, "mime-type": { "default_category": "Artifacts dropped", "to_ids": 0 }, "mobile-application-id": { "default_category": "Payload delivery", "to_ids": 1 }, "mutex": { "default_category": "Artifacts dropped", "to_ids": 1 }, "named pipe": { "default_category": "Artifacts dropped", "to_ids": 0 }, "nationality": { "default_category": "Person", "to_ids": 0 }, "other": { "default_category": "Other", "to_ids": 0 }, "passenger-name-record-locator-number": { "default_category": "Person", "to_ids": 0 }, "passport-country": { "default_category": "Person", "to_ids": 0 }, "passport-expiration": { "default_category": "Person", "to_ids": 0 }, "passport-number": { "default_category": "Person", "to_ids": 0 }, "pattern-in-file": { "default_category": "Payload installation", "to_ids": 1 }, "pattern-in-memory": { "default_category": "Payload installation", "to_ids": 1 }, "pattern-in-traffic": { "default_category": "Network activity", "to_ids": 1 }, "payment-details": { "default_category": "Person", "to_ids": 0 }, "pdb": { "default_category": "Artifacts dropped", "to_ids": 0 }, "pehash": { "default_category": "Payload delivery", "to_ids": 1 }, "phone-number": { "default_category": "Person", "to_ids": 0 }, "place-of-birth": { "default_category": "Person", "to_ids": 0 }, "place-port-of-clearance": { "default_category": "Person", "to_ids": 0 }, "place-port-of-onward-foreign-destination": { "default_category": "Person", "to_ids": 0 }, "place-port-of-original-embarkation": { "default_category": "Person", "to_ids": 0 }, "port": { "default_category": "Network activity", "to_ids": 0 }, "primary-residence": { "default_category": "Person", "to_ids": 0 }, "prtn": { "default_category": "Financial fraud", "to_ids": 1 }, "redress-number": { "default_category": "Person", "to_ids": 0 }, "regkey": { "default_category": "Persistence mechanism", "to_ids": 1 }, "regkey|value": { "default_category": "Persistence mechanism", "to_ids": 1 }, "sha1": { "default_category": "Payload delivery", "to_ids": 1 }, "sha224": { "default_category": "Payload delivery", "to_ids": 1 }, "sha256": { "default_category": "Payload delivery", "to_ids": 1 }, "sha384": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512/224": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512/256": { "default_category": "Payload delivery", "to_ids": 1 }, "sigma": { "default_category": "Payload installation", "to_ids": 1 }, "size-in-bytes": { "default_category": "Other", "to_ids": 0 }, "snort": { "default_category": "Network activity", "to_ids": 1 }, "special-service-request": { "default_category": "Person", "to_ids": 0 }, "ssdeep": { "default_category": "Payload delivery", "to_ids": 1 }, "stix2-pattern": { "default_category": "Payload installation", "to_ids": 1 }, "target-email": { "default_category": "Targeting data", "to_ids": 0 }, "target-external": { "default_category": "Targeting data", "to_ids": 0 }, "target-location": { "default_category": "Targeting data", "to_ids": 0 }, "target-machine": { "default_category": "Targeting data", "to_ids": 0 }, "target-org": { "default_category": "Targeting data", "to_ids": 0 }, "target-user": { "default_category": "Targeting data", "to_ids": 0 }, "text": { "default_category": "Other", "to_ids": 0 }, "threat-actor": { "default_category": "Attribution", "to_ids": 0 }, "tlsh": { "default_category": "Payload delivery", "to_ids": 1 }, "travel-details": { "default_category": "Person", "to_ids": 0 }, "twitter-id": { "default_category": "Social network", "to_ids": 0 }, "uri": { "default_category": "Network activity", "to_ids": 1 }, "url": { "default_category": "Network activity", "to_ids": 1 }, "user-agent": { "default_category": "Network activity", "to_ids": 0 }, "visa-number": { "default_category": "Person", "to_ids": 0 }, "vulnerability": { "default_category": "External analysis", "to_ids": 0 }, "weakness": { "default_category": "External analysis", "to_ids": 0 }, "whois-creation-date": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-email": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-name": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-org": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-phone": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrar": { "default_category": "Attribution", "to_ids": 0 }, "windows-scheduled-task": { "default_category": "Artifacts dropped", "to_ids": 0 }, "windows-service-displayname": { "default_category": "Artifacts dropped", "to_ids": 0 }, "windows-service-name": { "default_category": "Artifacts dropped", "to_ids": 0 }, "x509-fingerprint-md5": { "default_category": "Network activity", "to_ids": 1 }, "x509-fingerprint-sha1": { "default_category": "Network activity", "to_ids": 1 }, "x509-fingerprint-sha256": { "default_category": "Network activity", "to_ids": 1 }, "xmr": { "default_category": "Financial fraud", "to_ids": 1 }, "yara": { "default_category": "Payload installation", "to_ids": 1 }, "zeek": { "default_category": "Network activity", "to_ids": 1 } }, "types": [ "AS", "aba-rtn", "anonymised", "attachment", "authentihash", "bank-account-nr", "bic", "bin", "boolean", "bro", "btc", "campaign-id", "campaign-name", "cc-number", "cdhash", "chrome-extension-id", "comment", "community-id", "cookie", "cortex", "counter", "country-of-residence", "cpe", "dash", "date-of-birth", "datetime", "dns-soa-email", "domain", "domain|ip", "email-attachment", "email-body", "email-dst", "email-dst-display-name", "email-header", "email-message-id", "email-mime-boundary", "email-reply-to", "email-src", "email-src-display-name", "email-subject", "email-thread-index", "email-x-mailer", "eppn", "filename", "filename|authentihash", "filename|impfuzzy", "filename|imphash", "filename|md5", "filename|pehash", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|ssdeep", "filename|tlsh", "first-name", "float", "frequent-flyer-number", "gender", "gene", "github-organisation", "github-repository", "github-username", "hassh-md5", "hasshserver-md5", "hex", "hostname", "hostname|port", "http-method", "iban", "identity-card-number", "impfuzzy", "imphash", "ip-dst", "ip-dst|port", "ip-src", "ip-src|port", "issue-date-of-the-visa", "ja3-fingerprint-md5", "jabber-id", "kusto-query", "last-name", "link", "mac-address", "mac-eui-64", "malware-sample", "malware-type", "md5", "middle-name", "mime-type", "mobile-application-id", "mutex", "named pipe", "nationality", "other", "passenger-name-record-locator-number", "passport-country", "passport-expiration", "passport-number", "pattern-in-file", "pattern-in-memory", "pattern-in-traffic", "payment-details", "pdb", "pehash", "phone-number", "place-of-birth", "place-port-of-clearance", "place-port-of-onward-foreign-destination", "place-port-of-original-embarkation", "port", "primary-residence", "prtn", "redress-number", "regkey", "regkey|value", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "sigma", "size-in-bytes", "snort", "special-service-request", "ssdeep", "stix2-pattern", "target-email", "target-external", "target-location", "target-machine", "target-org", "target-user", "text", "threat-actor", "tlsh", "travel-details", "twitter-id", "uri", "url", "user-agent", "visa-number", "vulnerability", "weakness", "whois-creation-date", "whois-registrant-email", "whois-registrant-name", "whois-registrant-org", "whois-registrant-phone", "whois-registrar", "windows-scheduled-task", "windows-service-displayname", "windows-service-name", "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", "xmr", "yara", "zeek" ] } }