Colander

This documentation page provides an overview of the different Colander data types - the core entity categories and their specifications within the Colander threat intelligence data model.

Colander organizes threat intelligence data into eight primary entity super types, each representing a distinct category of information relevant to cybersecurity analysis and threat hunting. This reference documents both the data structure and available subtypes for each category.

Colander supports the following entity types:

  • Actors - Individuals, groups, or organizations involved in threat activities

  • Artifacts - Files, documents, binaries, and other data objects

  • Data Fragments - Code snippets, text portions, and content fragments

  • Detection Rules - Rules and logic for identifying specific threats or patterns

  • Devices - Physical or virtual systems, hardware, and infrastructure components

  • Events - Temporal occurrences, alerts, detections, and log entries

  • Observables - Detectable entities like IP addresses, domains, file hashes, and URLs

  • Threats - Malicious entities such as malware families, campaigns, and attack techniques

Colander feed structure

A Colander feed (ColanderFeed) is a collection of entities, relations, and cases, represented as a JSON object with the following top-level structure:

  • id: Unique identifier for the feed (UUID).

  • name: Human-readable name for the feed.

  • description: Optional description of the feed.

  • entities: Dictionary of entity objects, keyed by their IDs.

  • relations: Dictionary of relation objects, keyed by their IDs.

  • cases: Dictionary of case objects, keyed by their IDs.

Relations between entities

A relation (EntityRelation) is a directed, named link between two entities of the same case: a source (obj_from) and a target (obj_to).

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the relation

  • case: Reference to the case this relation belongs to

  • attributes: Dictionary of additional attributes

  • obj_from: Source entity or reference

  • obj_to: Target entity or reference
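The feed and relation structures above are only useful if every reference in them resolves. The following script is an added example (not code from the Colander project or its colander-data-converter library) that builds a minimal feed with the fields described on this page and checks its referential integrity. The TLP/PAP vocabulary, the `super_type` discriminator key and the sample entities are assumptions made for the example.

```python
"""Build a minimal Colander feed and check its referential integrity.

Added example; not code from the Colander project or its
colander-data-converter library. Field names follow the structure described
on this page; the TLP/PAP vocabulary, the `super_type` discriminator and the
sample entities are assumptions.
"""
import uuid
from datetime import datetime, timezone

# Assumed vocabulary: check your Colander instance for the exact labels.
LEVELS = {"WHITE", "GREEN", "AMBER", "RED"}
# Single-valued and list-valued reference fields used by the entity types on this page.
REF_FIELDS = ("case", "extracted_from", "operated_by", "observed_on", "detected_by",
              "attributed_to", "target", "associated_threat")
LIST_REF_FIELDS = ("involved_observables", "targeted_observables")


def _now():
    return datetime.now(timezone.utc).isoformat()


def _ref_id(ref):
    """Accept either a bare ID string or an embedded object carrying an 'id'."""
    return ref.get("id") if isinstance(ref, dict) else ref


def make_entity(super_type, etype, name, case_id, tlp="AMBER", pap="AMBER", **fields):
    """Entity dict with the common top-level fields; extra fields are type-specific."""
    entity = {"id": str(uuid.uuid4()), "super_type": super_type,  # assumed discriminator
              "type": etype, "name": name, "case": case_id, "created_at": _now(),
              "updated_at": _now(), "description": "", "pap": pap, "tlp": tlp,
              "source_url": None, "attributes": {}}
    entity.update(fields)
    return entity


def make_relation(name, obj_from, obj_to, case_id):
    return {"id": str(uuid.uuid4()), "created_at": _now(), "updated_at": _now(),
            "name": name, "case": case_id, "attributes": {},
            "obj_from": obj_from["id"], "obj_to": obj_to["id"]}


def check_feed(feed):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    entities, relations, cases = feed["entities"], feed["relations"], feed["cases"]
    for section in ("entities", "relations", "cases"):
        for key, obj in feed[section].items():
            try:
                uuid.UUID(str(key))
            except ValueError:
                problems.append(f"{section}: key {key!r} is not a UUID")
            if obj.get("id") != key:
                problems.append(f"{section}[{key}]: key differs from object id {obj.get('id')!r}")
    for key, ent in entities.items():
        for level in ("tlp", "pap"):
            if ent.get(level) not in LEVELS:
                problems.append(f"entities[{key}].{level}: {ent.get(level)!r} not in vocabulary")
        refs = [(f, ent[f]) for f in REF_FIELDS if ent.get(f) is not None]
        refs += [(f, r) for f in LIST_REF_FIELDS for r in ent.get(f) or []]
        for field, ref in refs:
            pool = cases if field == "case" else entities
            if _ref_id(ref) not in pool:
                problems.append(f"entities[{key}].{field}: dangling reference {_ref_id(ref)!r}")
    for key, rel in relations.items():
        for field, pool in (("obj_from", entities), ("obj_to", entities), ("case", cases)):
            if _ref_id(rel.get(field)) not in pool:
                problems.append(f"relations[{key}].{field}: dangling reference {rel.get(field)!r}")
    return problems


def sample_feed():
    """Constructed sample: one case, a threat actor operating a server, one relation."""
    case = {"id": str(uuid.uuid4()), "name": "Example case"}
    actor = make_entity("ACTOR", "THREAT_ACTOR", "Example operator", case["id"])
    server = make_entity("DEVICE", "SERVER", "c2-01", case["id"], operated_by=actor["id"])
    rel = make_relation("operates", actor, server, case["id"])
    return {"id": str(uuid.uuid4()), "name": "demo feed", "description": None,
            "entities": {actor["id"]: actor, server["id"]: server},
            "relations": {rel["id"]: rel}, "cases": {case["id"]: case}}


def broken_feed():
    """Same feed, but the relation now points at an entity missing from the feed."""
    feed = sample_feed()
    next(iter(feed["relations"].values()))["obj_to"] = str(uuid.uuid4())
    return feed


if __name__ == "__main__":
    print("clean feed:", check_feed(sample_feed()))
    print("broken feed:", check_feed(broken_feed()))
```

Run this check on every feed before importing it: a relation or `operated_by` pointer into an entity that was filtered out (for instance by TLP when exporting) is the most common way a feed silently loses context.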

Actors

An actor (Actor) represents an individual or group involved in an event, activity, or system.

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the actor

  • type: Actor type

  • case: Reference to the case

  • description: Description

  • pap: PAP (Permissible Actions Protocol) level

  • source_url: Optional source URL

  • tlp: TLP (Traffic Light Protocol) level

  • attributes: Dictionary of additional attributes

Supported types

  • APT: APT

    An advanced persistent threat group, typically well-resourced and highly skilled.

  • COMPANY: Private company

    A privately owned business entity, often a target or participant in cyber activities.

  • CYBER_CRIMINAL: Cyber criminal

    An individual or group engaging in illegal activities for financial gain.

  • GENERIC: Generic

    A generic or unspecified actor type.

  • HACKTIVIST: Hacktivist

    An individual or group using hacking to promote political or social agendas.

  • INDIVIDUAL: Individual

    A single person involved in threat activity or as a target.

  • INSIDER: Insider threat

    An individual within an organization posing a security risk.

  • NATION_STATE: Nation-state actor

    A government-sponsored group conducting cyber operations.

  • NGO: NGO

    A non-governmental organization.

  • PUB_INST: Public institution

    A government or public sector organization.

  • THREAT_ACTOR: Threat actor

    An individual or group responsible for malicious cyber activities.

Artifacts

An artifact (Artifact) represents a file or data object, such as a document, image, or binary, within a system.

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the artifact

  • type: Artifact type

  • case: Reference to the case

  • description: Description

  • pap: PAP level

  • source_url: Optional source URL

  • tlp: TLP level

  • attributes: Dictionary of additional attributes

  • extracted_from: Reference to the device

  • extension: File extension

  • original_name: Original file name

  • mime_type: MIME type

  • detached_signature: Optional signature

  • md5: MD5 hash

  • sha1: SHA1 hash

  • sha256: SHA256 hash

  • size_in_bytes: Size in bytes

Supported types

  • ANDROID_BACKUP: Android backup image

    A backup image created from an Android device.

  • ANDROID_SAMPLE: Android sample

    A sample file specific to the Android platform.

    • Suggested MIME types: application/vnd.android.package-archive, application/x-dex

  • ARCHIVE: Archive

    A compressed file or collection of files, such as ZIP or TAR.

    • Suggested MIME types: application/gzip, application/java-archive, application/vnd.debian.binary-package, application/vnd.ms-cab-compressed, application/vnd.rar, application/x-7z-compressed, application/x-apple-diskimage, application/x-bzip-compressed-tar, application/x-bzip2, application/x-compress, application/x-compressed-tar, application/x-gzip, application/x-iso9660-image, application/x-rpm, application/x-tar, application/x-xz, application/x-xz-compressed-tar, application/x-zip-compressed, application/zip

  • AUDIO: Audio

    A file containing audio content, such as MP3, WAV, or AAC.

    • Suggested extra properties: content_warning

    • Suggested MIME types: audio/*

  • BACKUP: Backup image

    A file containing a backup copy of data or a system image.

  • BINARY: Binary file

    A file containing binary data, not intended to be read as text.

    • Suggested MIME types: application/octet-stream, application/x-binary, application/x-coredump, application/x-executable, application/x-object, application/x-sharedlib

  • CRYPTO_T: Cryptographic activity trace

    A file logging cryptographic operations or key usage.

  • DOCUMENT: Document

    A generic document file, such as PDF, DOCX, or ODT.

    • Suggested extra properties: content_warning

    • Suggested MIME types: application/msword, application/pdf, application/rtf, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/vnd.oasis.opendocument.presentation, application/vnd.oasis.opendocument.spreadsheet, application/vnd.oasis.opendocument.text, application/vnd.openxmlformats-officedocument.presentationml.presentation, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, application/vnd.openxmlformats-officedocument.wordprocessingml.document, text/csv

  • EMAIL: Email file

    A file containing email messages, such as EML or MSG format.

    • Suggested MIME types: application/mbox, application/vnd.ms-outlook, application/x-msmessage, message/rfc822

  • F_DUMP: Forensic dump

    A file containing a forensic image or memory dump.

  • GENERIC: Generic

    A file that does not fit into any of the other predefined categories.

  • HAR: HAR file

    A file containing HTTP Archive (HAR) data for web traffic analysis.

  • IMAGE: Image

    A file containing a still image, such as JPG, PNG, or GIF.

    • Suggested extra properties: content_warning

    • Suggested MIME types: image/*

  • IOS_BACKUP: iOS backup image

    A backup image created from an iOS device.

  • IOS_SAMPLE: iOS sample

    A sample file specific to the iOS platform.

  • JSON: JSON file

    A file in JavaScript Object Notation (JSON) format.

    • Suggested MIME types: application/json

  • PCAP: PCAP file

    A file capturing network traffic, typically in PCAP format.

    • Suggested MIME types: application/cap, application/pcap, application/vnd.tcpdump.pcap, application/vnd.tcpdump.pcapng, application/x-cap, application/x-pcap

  • REPORT: Report

    A file containing an analytical or investigative report.

  • SAMPLE: Sample

    A generic sample file, often used for malware or suspicious files.

  • SOCIAL_POST: Social media post

    A file or record representing a post from a social media platform.

    • Suggested extra properties: content_warning

  • SOCKET_T: Socket activity trace

    A file recording socket or network connection activity.

  • SSLKEYLOG: SSL keylog file

    A file containing SSL/TLS session keys for decrypting network traffic.

  • TEXT: Text file

    A plain text file, such as TXT or LOG.

    • Suggested MIME types: text/plain

  • VIDEO: Video

    A file containing video content, such as MP4, AVI, or MOV.

    • Suggested extra properties: content_warning

    • Suggested MIME types: video/*

  • WEBPAGE: Web page

    A file containing web page content, such as HTML or XHTML.

    • Suggested extra properties: content_warning

    • Suggested MIME types: application/xhtml+xml, text/html
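An Artifact carries the file's digests, size and MIME type, and the suggested MIME types above map naturally onto an artifact type. The script below is an added example (not code from the Colander project) that fills those fields for an in-memory file and picks the type from that mapping. It also compares the MIME type the extension claims with what the leading bytes say, since a document extension on an executable is a routine lure. The magic-byte table is a small assumed subset, and the sample files are constructed in place.

```python
"""Describe a file as a Colander Artifact: hashes, size, MIME type and an
artifact type chosen from the suggested MIME types listed above.

Added example; not code from the Colander project. The MIME-to-type table
follows the suggestions on this page, the magic-byte table is a small
assumed subset, and the sample files are constructed in place.
"""
import hashlib
import mimetypes
import os

# Content sniffing by leading bytes (assumed, deliberately short table).
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/octet-stream"),     # PE/DOS stub: opaque binary for our purposes
    (b"\x1f\x8b", "application/gzip"),
    (b"Rar!\x1a\x07", "application/vnd.rar"),
    (b"<!DOCTYPE html", "text/html"),
    (b"<html", "text/html"),
]
# Exact MIME type -> artifact type, taken from the "Suggested MIME types" above.
MIME_TO_TYPE = {
    "application/vnd.android.package-archive": "ANDROID_SAMPLE",
    "application/x-dex": "ANDROID_SAMPLE",
    "application/zip": "ARCHIVE", "application/gzip": "ARCHIVE",
    "application/vnd.rar": "ARCHIVE", "application/java-archive": "ARCHIVE",
    "application/x-executable": "BINARY", "application/octet-stream": "BINARY",
    "application/pdf": "DOCUMENT", "application/msword": "DOCUMENT",
    "message/rfc822": "EMAIL", "application/mbox": "EMAIL",
    "application/json": "JSON",
    "application/vnd.tcpdump.pcap": "PCAP", "application/vnd.tcpdump.pcapng": "PCAP",
    "text/html": "WEBPAGE", "application/xhtml+xml": "WEBPAGE",
    "text/plain": "TEXT",
}
# Wildcard suggestions (audio/*, image/*, video/*).
MAJOR_TO_TYPE = {"audio": "AUDIO", "image": "IMAGE", "video": "VIDEO"}


def sniff_mime(data):
    """MIME type from the file's own bytes, or None if no signature matches."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return None


def artifact_type_for(mime):
    if mime is None:
        return "GENERIC"
    return MIME_TO_TYPE.get(mime) or MAJOR_TO_TYPE.get(mime.split("/")[0], "GENERIC")


def describe_artifact(original_name, data):
    """Return the hash, size, MIME and type fields of an Artifact for in-memory bytes."""
    claimed, _ = mimetypes.guess_type(original_name)   # what the extension promises
    sniffed = sniff_mime(data)                          # what the content says
    mime = sniffed or claimed
    record = {
        "original_name": original_name,
        "extension": os.path.splitext(original_name)[1].lstrip(".").lower(),
        "mime_type": mime,
        "type": artifact_type_for(mime),
        "size_in_bytes": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "attributes": {},
    }
    # The classic lure: the extension promises a document, the bytes are an executable.
    if sniffed and claimed and sniffed != claimed:
        record["attributes"]["mime_mismatch"] = f"claimed {claimed}, sniffed {sniffed}"
    return record


def verify_artifact(record, data):
    """True if `data` still matches the digests and size stored in the Artifact."""
    return (record["size_in_bytes"] == len(data)
            and record["md5"] == hashlib.md5(data).hexdigest()
            and record["sha1"] == hashlib.sha1(data).hexdigest()
            and record["sha256"] == hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    # Constructed samples: a genuine PDF header and a PE stub wearing a .pdf extension.
    for name, data in (("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
                       ("invoice.pdf", b"MZ" + b"\x90" * 64)):
        rec = describe_artifact(name, data)
        print(name, rec["type"], rec["sha256"][:16], rec["attributes"])
```

The content-sniffed type wins over the extension on purpose: the stored `type` should describe what the analyst will actually open, while the mismatch is preserved in `attributes` as evidence. `verify_artifact` is the check to run whenever an Artifact's bytes are re-fetched from storage or received from another feed.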

Data Fragments

A data fragment (DataFragment) represents a fragment of data, such as a code snippet, text, or other content.

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the data fragment

  • type: Data fragment type

  • case: Reference to the case

  • description: Description

  • pap: PAP level

  • source_url: Optional source URL

  • tlp: TLP level

  • content: Content of the fragment

  • extracted_from: Reference to the artifact

Supported types

  • CODE: Snippet of code

    A snippet or segment of source code from any programming language.

  • GENERIC: Generic

    A general or unspecified data fragment type that does not fit other categories.

  • PATTERN: Matching pattern

    A recognizable sequence or structure, such as a regular expression or YARA rule.

  • PAYLOAD: Encoded payload

    A block of encoded data.

  • TEXT: Piece of text

    A fragment of unstructured or plain text.

Detection Rules

A detection rule (DetectionRule) represents a rule, such as a YARA or Suricata signature, used to detect specific content or behaviour; it can be linked to the observables it targets.

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the detection rule

  • type: Detection rule type

  • case: Reference to the case

  • description: Description

  • pap: PAP level

  • source_url: Optional source URL

  • tlp: TLP level

  • content: Rule content

  • targeted_observables: List of observables or references

Supported types

  • GENERIC: Generic

    A general or unspecified detection rule type that does not fit other categories.

  • SURICATA: Suricata rule

    A rule for the Suricata engine to detect network threats and suspicious traffic.

  • YARA: Yara rule

    A rule used to identify and classify malware or files based on patterns.

Devices

A device (Device) represents a physical or virtual device in a system.

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the device

  • type: Device type

  • case: Reference to the case

  • description: Description

  • pap: PAP level

  • source_url: Optional source URL

  • tlp: TLP level

  • attributes: Dictionary of additional attributes

  • operated_by: Reference to the actor

Supported types

  • DESKTOP: Desktop

    A personal computer intended for regular use at a single location.

  • GENERIC: Generic

    A general or unspecified device type that does not fit other categories.

  • IOT: Internet of Things

    A device connected to the internet, often embedded and used for specific functions (e.g., smart home devices).

  • LAPTOP: Laptop

    A portable personal computer designed for mobile use.

  • MOBILE: Mobile device

    A handheld device such as a smartphone or tablet.

  • ROUTER: Router

    A network device that forwards data packets between computer networks.

  • SERVER: Server

    A computer or system that provides resources, data, or services to other computers over a network.

Events

An event (Event) represents an occurrence or activity observed within a system, such as a detection, alert, or log entry.

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the event

  • type: Event type

  • case: Reference to the case

  • description: Description

  • pap: PAP level

  • source_url: Optional source URL

  • tlp: TLP level

  • attributes: Dictionary of additional attributes

  • first_seen: First observed timestamp

  • last_seen: Last observed timestamp

  • count: Number of times observed

  • extracted_from: Reference to the artifact

  • observed_on: Reference to the device

  • detected_by: Reference to the detection rule

  • attributed_to: Reference to the actor attributed to the event

  • target: Reference to the actor targeted during the event

  • involved_observables: List of observables or references

Supported types

  • ALERT: Alert

    A notification or warning about a detected security event or anomaly.

  • ATTACK: Attack

    An event indicating a deliberate attempt to breach, disrupt, or damage a system or network.

  • AV_DETECTION: AntiVirus detection

    An event where antivirus software detects malicious or suspicious activity.

  • COMMUNICATION: Communication

    An event involving the exchange of information between entities, such as emails or messages.

  • COMPROMISE: Compromise

    An event indicating that a system, account, or data has been breached or compromised.

  • GENERIC: Generic

    An event that does not fit into any of the predefined categories.

  • HIT: Hit

    An event indicating a match or detection by a rule, signature, or indicator.

  • INFECTION: Infection

    An event where a system or device is infected by malware or a similar threat.

  • PASSIVE_DNS: Passive DNS

    An event recording historical DNS resolution data observed passively.

  • RESOLVE: Resolution

    An event where a domain or hostname is resolved to an IP address.

  • TARGETED_ATTACK: Targeted attack

    An event representing a focused and intentional attack against a specific entity or asset.
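The first_seen, last_seen and count fields make an Event an aggregate rather than a single log line. The script below is an added example (not code from the Colander project) that folds constructed resolver log lines into one RESOLVE event per (name, address) pair, links each event to the DOMAIN and IP observables it involves, and pivots on a shared address. The log format, the deterministic observable IDs (uuid5 over type and value) and the serialisation are assumptions consistent with the Event structure above.

```python
"""Aggregate resolver log lines into Colander RESOLVE events.

Added example; not code from the Colander project. The log format is
constructed for this example; the deterministic observable IDs (uuid5 over
type and value) and the field names are assumptions consistent with the
Event structure described above.
"""
import uuid
from datetime import datetime, timezone

# Constructed resolver log: "<UTC timestamp> <client> <qname> <rtype> <answer>"
LOG_LINES = """\
2024-03-01T08:00:12Z 10.0.0.21 update.example.net A 198.51.100.7
2024-03-01T08:05:40Z 10.0.0.21 update.example.net A 198.51.100.7
2024-03-01T09:12:03Z 10.0.0.33 update.example.net A 198.51.100.7
2024-03-02T11:47:55Z 10.0.0.21 update.example.net A 203.0.113.9
2024-03-02T11:48:01Z 10.0.0.40 cdn.example.org A 198.51.100.7
2024-03-02T11:49:30Z 10.0.0.40 cdn.example.org AAAA 2001:db8::7
""".splitlines()

NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "colander-example")  # assumed namespace


def observable_id(obs_type, value):
    """Deterministic id: the same (type, value) pair maps to the same UUID in every feed."""
    return str(uuid.uuid5(NAMESPACE, f"{obs_type}:{value.lower()}"))


def parse_line(line):
    ts, client, qname, rtype, answer = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, qname, rtype, answer


def aggregate_resolutions(lines, case_id):
    """One RESOLVE event per (qname, answer), plus the observables those events involve."""
    events, observables = {}, {}
    for line in lines:
        ts, client, qname, rtype, answer = parse_line(line)
        ip_type = {"A": "IPV4", "AAAA": "IPV6"}.get(rtype)
        if ip_type is None:       # only address records become resolution events here
            continue
        dom_id, ip_id = observable_id("DOMAIN", qname), observable_id(ip_type, answer)
        observables.setdefault(dom_id, {"id": dom_id, "type": "DOMAIN", "name": qname,
                                        "raw_value": qname, "case": case_id})
        observables.setdefault(ip_id, {"id": ip_id, "type": ip_type, "name": answer,
                                       "raw_value": answer, "case": case_id})
        ev = events.get((qname, answer))
        if ev is None:
            events[(qname, answer)] = {
                "id": str(uuid.uuid4()), "type": "RESOLVE", "case": case_id,
                "name": f"{qname} -> {answer}", "first_seen": ts, "last_seen": ts,
                "count": 1, "involved_observables": [dom_id, ip_id],
                "attributes": {"clients": {client}},
            }
        else:
            ev["first_seen"] = min(ev["first_seen"], ts)
            ev["last_seen"] = max(ev["last_seen"], ts)
            ev["count"] += 1
            ev["attributes"]["clients"].add(client)
    return events, observables


def domains_for_ip(events, ip):
    """Pivot: every name seen resolving to `ip` (shared infrastructure is a strong link)."""
    return sorted({qname for (qname, answer) in events if answer == ip})


def to_feed_entities(events, observables):
    """Serialise into the feed's entities dictionary, keyed by id and JSON-ready."""
    entities = {}
    for ev in events.values():
        out = dict(ev, first_seen=ev["first_seen"].isoformat(),
                   last_seen=ev["last_seen"].isoformat())
        out["attributes"] = {"clients": sorted(ev["attributes"]["clients"])}
        entities[out["id"]] = out
    entities.update(observables)
    return entities


if __name__ == "__main__":
    events, observables = aggregate_resolutions(LOG_LINES, "constructed-case-id")
    for (qname, answer), ev in events.items():
        print(f"{qname} -> {answer}: count={ev['count']} {ev['first_seen']} .. {ev['last_seen']}")
    print("share 198.51.100.7:", domains_for_ip(events, "198.51.100.7"))
```

Keying the event on (name, address) rather than on the log line is what gives first_seen/last_seen/count their meaning; the client addresses are kept in `attributes` so the event still records which hosts asked without producing one event per query.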

Observables

An observable (Observable) represents an entity such as an IP address that can be observed or detected within a system.

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the observable

  • type: Observable type

  • case: Reference to the case

  • description: Description

  • pap: PAP level

  • source_url: Optional source URL

  • tlp: TLP level

  • attributes: Dictionary of additional attributes

  • classification: Classification label

  • raw_value: Raw value

  • extracted_from: Reference to the artifact

  • associated_threat: Reference to a threat

  • operated_by: Reference to the actor

Supported types

  • ASN: Autonomous system number

    A unique number assigned to a group of IP networks operated by one or more network operators.

    • Suggested extra properties: organization

  • CIDR: CIDR

    A Classless Inter-Domain Routing block, representing a range of IP addresses.

  • COMMUNITY_ID: Community id

    A hash value used to uniquely identify network flows across tools.

    • Suggested extra properties: dst_ip, dst_port, src_ip, src_port

  • CVE: CVE

    A Common Vulnerabilities and Exposures identifier for publicly known security flaws.

  • DEXOFUZZY: Dexofuzzy hash

    A fuzzy hash value used to compare Android DEX files for similarity.

  • DNS_RECORD: DNS record

    A record containing information about a domain name in the DNS system.

    • Suggested extra properties: a, aaaa, cname, domain, mx, ns, ptr, resolver, soa, spf, srv, txt

  • DOMAIN: Domain name

    A human-readable address used to identify resources on the internet.

    • Suggested extra properties: registration_date, root_domain

  • DOMAIN_REGISTRANT: Domain registrant

    The individual or organization that owns or controls a domain name.

    • Suggested extra properties: city, country, email, fax, name, organization, phone, postal_code, state, street

  • DOMAIN_REGISTRAR: Domain registrar

    The organization or entity responsible for registering domain names.

    • Suggested extra properties: city, country, email, fax, name, organization, phone, postal_code, state, street

  • EMAIL: Email address

    An address used to send and receive electronic mail.

  • GENERIC: Generic

    A general or unspecified observable type that does not fit other categories.

  • HOSTNAME: Hostname

    A label assigned to a device on a network, used to identify it in various forms.

  • IMPHASH: Import hash

    A hash of the import table of a PE file, used to identify similar binaries.

    • Suggested extra properties: impfuzzy, pehash

  • IPV4: IPv4

    An IPv4 address, a 32-bit numeric address used for identifying devices on a network.

    • Suggested extra properties: address_block, ASN, routable, subnet

  • IPV6: IPv6

    An IPv6 address, a 128-bit address written in hexadecimal, used for identifying devices on a network.

    • Suggested extra properties: address_block, ASN, routable, subnet

  • LOCATION: Location

    A physical or geographical place, specified by coordinates or address.

    • Suggested extra properties: address, altitude, city, country, latitude, longitude, state

  • MAC: MAC address

    A unique hardware identifier assigned to a network interface card (NIC).

    • Suggested extra properties: manufacturer

  • MD5: MD5

    A 128-bit hash value, commonly used to verify file integrity.

  • MUTEX: Mutex

    A mutual exclusion object used for process synchronization.

  • NAMESPACE: Namespace

    A container that holds a set of identifiers, such as classes or functions, to avoid naming conflicts.

    • Suggested extra properties: fully_qualified_name

  • OS_QUERY: Os query

    A query or result from an operating system instrumentation framework.

  • PATH: File path

    A string specifying the location of a file or directory in a filesystem.

  • PEHASH: PE hash

    A hash value calculated from the structure of a Portable Executable (PE) file.

  • PHONE: Phone number

    A numeric identifier used to reach a telephone endpoint.

    • Suggested extra properties: country_code, country_name, prefix

  • PROCESS: Process name

    The name of a running process on a computer system.

    • Suggested extra properties: executable, path

  • SERVICE: Running service

    A network or system service that is currently active or listening.

    • Suggested extra properties: ip_address, port, technology

  • SHA1: SHA1

    A 160-bit hash value, used for data integrity and file identification.

  • SHA256: SHA256

    A 256-bit hash value, widely used for file and data integrity verification.

  • SOCIAL_ACCOUNT: Social account identifier

    A unique identifier for a user account on a social media platform.

    • Suggested extra properties: platform

  • SSL_CERT_F: SSL certificate fingerprint

    A hash value uniquely identifying an SSL/TLS certificate.

    • Suggested extra properties: issuer, md5, not_after, not_before, organization, sha1, sha256, subject

  • URI: URI

    A Uniform Resource Identifier, a string used to identify a resource.

  • URL: URL

    A Uniform Resource Locator, specifying the address of a resource on the internet.

    • Suggested extra properties: domain, query_string, resource_path, scheme
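Indicators usually arrive as free text, often defanged, and the observable type plus the suggested extra properties above have to be derived before they can be stored. The script below is an added example (not code from the Colander project) that refangs a raw value, classifies it into one of the observable types listed above, and fills the extra properties the page suggests for URLs, domains and IP addresses. The defanging conventions handled (hxxp, [.], [:], [at]), the regular expressions, the last-two-labels root_domain heuristic and the deterministic uuid5 IDs are assumptions made for the example.

```python
"""Classify a raw indicator into a Colander observable type and derive the
suggested extra properties listed above.

Added example; not code from the Colander project. Type short names follow
the list above; the defanging conventions handled (hxxp, [.], [:], [at]),
the regular expressions and the root_domain heuristic are assumptions.
"""
import ipaddress
import re
import uuid
from urllib.parse import urlsplit

HEX = "[0-9a-fA-F]"
# Ordered: specific formats first, so an e-mail address is not reported as a domain.
PATTERNS = [
    ("CVE", re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)),
    ("ASN", re.compile(r"^AS\d+$", re.I)),
    ("MD5", re.compile(rf"^{HEX}{{32}}$")),
    ("SHA1", re.compile(rf"^{HEX}{{40}}$")),
    ("SHA256", re.compile(rf"^{HEX}{{64}}$")),
    ("MAC", re.compile(rf"^({HEX}{{2}}[:-]){{5}}{HEX}{{2}}$")),
    ("EMAIL", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")),
    ("URL", re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),
    ("PATH", re.compile(r"^([A-Za-z]:\\|\\\\|/)")),
    ("DOMAIN", re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
    ("HOSTNAME", re.compile(r"^[a-z0-9-]{1,63}$", re.I)),
]
LOWERCASE = {"MD5", "SHA1", "SHA256", "MAC", "EMAIL", "DOMAIN"}
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "colander-example")  # assumed namespace


def refang(value):
    """Undo common defanging so the indicator can be parsed and matched."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@"), ("[at]", "@")):
        v = v.replace(old, new)
    return v


def extras(type_name, value):
    """Suggested extra properties for the types that have them on this page."""
    if type_name == "URL":
        p = urlsplit(value)
        return {"scheme": p.scheme, "domain": p.hostname,
                "resource_path": p.path or "/", "query_string": p.query}
    if type_name == "DOMAIN":
        # Naive root-domain heuristic (last two labels); a public-suffix list does better.
        return {"root_domain": ".".join(value.split(".")[-2:]), "registration_date": None}
    return {}


def classify(value):
    """Return (type, normalised raw_value, extra attributes) for one indicator."""
    raw = refang(value)
    try:  # ipaddress handles IPv4, IPv6 and CIDR blocks in one go
        net = ipaddress.ip_network(raw, strict=False)
        if "/" in raw and net.num_addresses > 1:
            return "CIDR", str(net), {}
        addr = net.network_address
        return ("IPV4" if addr.version == 4 else "IPV6"), str(addr), {
            "routable": addr.is_global, "ASN": None, "address_block": None, "subnet": None}
    except ValueError:
        pass
    for type_name, pattern in PATTERNS:
        if pattern.match(raw):
            norm = raw.lower() if type_name in LOWERCASE else raw
            return type_name, norm, extras(type_name, norm)
    return "GENERIC", raw, {}


def make_observable(value, case_id):
    """Observable dict with a deterministic id, so re-imports dedupe by (type, value)."""
    type_name, raw, attrs = classify(value)
    return {"id": str(uuid.uuid5(NAMESPACE, f"{type_name}:{raw}")), "type": type_name,
            "name": raw, "raw_value": raw, "case": case_id, "classification": None,
            "attributes": attrs, "extracted_from": None, "associated_threat": None,
            "operated_by": None}


if __name__ == "__main__":
    # Constructed defanged indicators, as they arrive in a typical report.
    for ioc in ("hxxp://evil[.]example[.]com/p?a=1", "192[.]0[.]2[.]44", "10.0.0.0/8",
                "admin[at]evil[.]example", "d41d8cd98f00b204e9800998ecf8427e",
                "CVE-2021-44228", "C:\\Windows\\Temp\\a.exe", "2001:db8::1"):
        print(classify(ioc))
```

The `routable` property comes straight from `is_global`, which is why a TEST-NET or RFC 1918 address is reported as non-routable: an IPv4 observable that is not routable is usually a victim-side artefact rather than attacker infrastructure and should be classified accordingly. Hashes, domains and e-mail addresses are lowercased before the ID is derived so that case differences between reports do not create duplicate observables.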

Threats

A threat (Threat) represents a potentially malicious entity, such as a malware family, campaign, or adversary.

Top-level structure:

  • id: Unique identifier (UUID)

  • created_at: Creation timestamp

  • updated_at: Last update timestamp

  • name: Name of the threat

  • type: Threat type

  • case: Reference to the case

  • description: Description

  • pap: PAP level

  • source_url: Optional source URL

  • tlp: TLP level

Supported types

Each type is listed by its ID (short name), display name and description.

  • ADWARE (Adware)

    Software that automatically displays or downloads advertising material, often unwanted.

  • APT (APT)

    Advanced Persistent Threat; a prolonged and targeted cyberattack by a well-resourced adversary.

  • BACKDOOR (Backdoor)

    Malware that allows unauthorized remote access to a compromised system.

  • BOTNET (Botnet)

    A network of compromised computers controlled by an attacker to perform coordinated tasks.

  • BROWSER_HIJACKER (Browser Hijacker)

    Malware that alters browser settings, redirects traffic, or injects unwanted ads.

  • CRYPTOJACKING (Cryptojacking)

    Unauthorized use of a device to mine cryptocurrency.

  • CYBER_ATTACK (Cyber Attack)

    An attempt by hackers to damage, disrupt, or gain unauthorized access to computer systems, networks, or devices.

  • CYBERCRIME (Cybercrime)

    Criminal activities carried out using computers or the internet, including fraud, theft, and unauthorized access.

  • DOXXING (Doxxing)

    The act of publicly revealing private or identifying information about an individual without their consent.

  • DROPPER (Dropper)

    A type of malware designed to deliver and install other malicious software.

  • EXPLOIT_KIT (Exploit Kit)

    A toolkit used to exploit vulnerabilities in software to deliver malware.

  • GENERIC (Generic)

    A general or unspecified threat type that does not fit other categories.

  • HARASSMENT (Harassment)

    Unwanted behavior intended to intimidate, threaten, or disturb an individual, often through digital means.

  • INFO_STEALER (Information Stealer)

    Malware designed to steal sensitive information such as credentials or financial data.

  • LOADER (Loader)

    Malware that loads and executes other malicious payloads on a system.

  • MALVERTISING (Malvertising)

    The use of online advertising to spread malware.

  • MALWARE (Malware)

    A general term for any software intentionally designed to cause damage or unauthorized actions.

  • MOBILE_MALWARE (Mobile Malware)

    Malware specifically targeting mobile devices to steal data or perform malicious actions.

  • PHISHING (Phishing)

    A technique to trick users into revealing sensitive information, often via fake emails or websites.

  • PHYSICAL_ATTACK (Physical Attack)

    A threat involving physical actions intended to harm or compromise assets, infrastructure, or individuals.

  • RANSOMWARE (Ransomware)

    Malware that encrypts data and demands payment for decryption.

  • RAT (Remote Access Trojan (RAT))

    Malware that provides remote control over an infected system.

  • ROOTKIT (Rootkit)

    Malware designed to hide its presence and provide privileged access to a system.

  • SPAM (Spam)

    Unsolicited or bulk messages, often used to deliver malware or phishing attempts.

  • SPYWARE (Spyware)

    Malware that secretly gathers user information without consent.

  • STALKERWARE (Stalkerware)

    Software used to secretly monitor and track user activity, often for surveillance.

  • TROJAN (Trojan)

    Malware disguised as legitimate software to trick users into installing it.
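As an added example (not Colander's own code), the following Python script validates the Threat entities of a ColanderFeed against the supported type list above and checks the tlp, pap and source_url fields described earlier. It assumes a flat JSON layout in which "super_type" and "type" are short-name strings ("THREAT", "RANSOMWARE"), and that tlp and pap use the four standard TLP/PAP levels RED, AMBER, GREEN and WHITE; neither the key layout nor the level values are stated on this page, so check them against your Colander version. The sample feed is constructed for the example and contains no real indicators.

```python
"""Validate Threat entities in a Colander feed.

Added example, not Colander's own code. Assumed (not on the page): entities
carry "super_type" and "type" as short-name strings, and tlp/pap take the
four standard TLP/PAP colours.
"""
import json
from urllib.parse import urlparse

# Short names taken from the "Supported types" list above.
THREAT_TYPES = frozenset({
    "ADWARE", "APT", "BACKDOOR", "BOTNET", "BROWSER_HIJACKER", "CRYPTOJACKING",
    "CYBER_ATTACK", "CYBERCRIME", "DOXXING", "DROPPER", "EXPLOIT_KIT", "GENERIC",
    "HARASSMENT", "INFO_STEALER", "LOADER", "MALVERTISING", "MALWARE",
    "MOBILE_MALWARE", "PHISHING", "PHYSICAL_ATTACK", "RANSOMWARE", "RAT",
    "ROOTKIT", "SPAM", "SPYWARE", "STALKERWARE", "TROJAN",
})

# Assumed level set for the tlp and pap fields (standard TLP/PAP colours).
LEVELS = frozenset({"RED", "AMBER", "GREEN", "WHITE"})


def validate_threat(entity: dict) -> list[str]:
    """Return the problems found in one Threat entity (empty list means valid)."""
    problems = []
    ttype = entity.get("type")
    if ttype not in THREAT_TYPES:
        problems.append(f"unknown threat type: {ttype!r}")
    for field in ("tlp", "pap"):
        if entity.get(field) not in LEVELS:
            problems.append(f"invalid {field}: {entity.get(field)!r}")
    # source_url is optional, but when present it should be a usable http(s) URL.
    url = entity.get("source_url")
    if url is not None:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"source_url is not an http(s) URL: {url!r}")
    return problems


def validate_feed(feed_json: str) -> dict[str, list[str]]:
    """Check every Threat entity in a feed; returns {entity_id: problems} for invalid ones."""
    feed = json.loads(feed_json)
    report = {}
    for eid, entity in feed.get("entities", {}).items():
        if entity.get("super_type") != "THREAT":  # assumed key and value
            continue
        problems = validate_threat(entity)
        if problems:
            report[eid] = problems
    return report


# Constructed sample feed: illustrative values only, no real indicators.
SAMPLE_FEED = json.dumps({
    "id": "00000000-0000-0000-0000-000000000001",
    "name": "sample feed",
    "entities": {
        "t1": {"super_type": "THREAT", "type": "RANSOMWARE", "name": "sample-ransomware",
               "tlp": "AMBER", "pap": "GREEN",
               "source_url": "https://example.invalid/report"},
        "t2": {"super_type": "THREAT", "type": "WORM", "name": "bad-type",
               "tlp": "PURPLE", "pap": "GREEN"},
        "t3": {"super_type": "THREAT", "type": "PHISHING", "name": "bad-url",
               "tlp": "GREEN", "pap": "WHITE",
               "source_url": "ftp://example.invalid/x"},
        "o1": {"super_type": "OBSERVABLE", "type": "DOMAIN", "name": "example.invalid"},
    },
    "relations": {},
    "cases": {},
})

if __name__ == "__main__":
    for eid, problems in validate_feed(SAMPLE_FEED).items():
        print(eid, "->", "; ".join(problems))
```

Entities whose super type is not THREAT are skipped, so the same loop can sit in front of a feed import without rejecting observables or artifacts; anything it reports is either a type outside the list above or a TLP/PAP/URL value that downstream sharing rules cannot interpret.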
