Colander

Actors

An actor represents an individual or group involved in an event, activity, or system.

Supported types:

`APT`

APT An advanced persistent threat group, typically well-resourced and highly skilled.

`COMPANY`

Private company A privately owned business entity, often a target or participant in cyber activities.

`CYBER_CRIMINAL`

Cyber criminal An individual or group engaging in illegal activities for financial gain.

`GENERIC`

Generic A generic or unspecified actor type.

`HACKTIVIST`

Hacktivist An individual or group using hacking to promote political or social agendas.

`INDIVIDUAL`

Individual A single person involved in threat activity or as a target.

`INSIDER`

Insider threat An individual within an organization posing a security risk.

`NATION_STATE`

Nation-state actor A government-sponsored group conducting cyber operations.

`NGO`

NGO A non-governmental organization.

`PUB_INST`

Public institution A government or public sector organization.

`THREAT_ACTOR`

Threat actor An individual or group responsible for malicious cyber activities.

Artifacts

An artifact represents a file or data object, such as a document, image, or binary, within a system.

Supported types:

`ANDROID_BACKUP`

Android backup image A backup image created from an Android device.

`ANDROID_SAMPLE`

Android sample A sample file specific to the Android platform.

Suggested MIME types:

application/vnd.android.package-archive
application/x-dex

`ARCHIVE`

Archive A compressed file or collection of files, such as ZIP or TAR.

Suggested MIME types:

application/gzip
application/java-archive
application/vnd.debian.binary-package
application/vnd.ms-cab-compressed
application/vnd.rar
application/x-7z-compressed
application/x-apple-diskimage
application/x-bzip-compressed-tar
application/x-bzip2
application/x-compress
application/x-compressed-tar
application/x-gzip
application/x-iso9660-image
application/x-rpm
application/x-tar
application/x-xz
application/x-xz-compressed-tar
application/x-zip-compressed
application/zip

`AUDIO`

Audio A file containing audio content, such as MP3, WAV, or AAC.

Suggested extra properties: content_warning

Suggested MIME types:

audio/*

`BACKUP`

Backup image A file containing a backup copy of data or a system image.

`BINARY`

Binary file A file containing binary data, not intended to be read as text.

Suggested MIME types:

application/octet-stream
application/x-binary
application/x-coredump
application/x-executable
application/x-object
application/x-sharedlib

`CRYPTO_T`

Cryptographic activity trace A file logging cryptographic operations or key usage.

`DOCUMENT`

Document A generic document file, such as PDF, DOCX, or ODT.

Suggested extra properties: content_warning

Suggested MIME types:

application/msword
application/pdf
application/rtf
application/vnd.ms-excel
application/vnd.ms-powerpoint
application/vnd.oasis.opendocument.presentation
application/vnd.oasis.opendocument.spreadsheet
application/vnd.oasis.opendocument.text
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.openxmlformats-officedocument.wordprocessingml.document
text/csv

`EMAIL`

Email file A file containing email messages, such as EML or MSG format.

Suggested MIME types:

application/mbox
application/vnd.ms-outlook
application/x-msmessage
message/rfc822

`F_DUMP`

Forensic dump A file containing a forensic image or memory dump.

`GENERIC`

Generic A file that does not fit into any of other predefined categories.

`HAR`

HAR file A file containing HTTP Archive (HAR) data for web traffic analysis.

`IMAGE`

Image A file containing a still image, such as JPG, PNG, or GIF.

Suggested extra properties: content_warning

Suggested MIME types:

image/*

`IOS_BACKUP`

iOS backup image A backup image created from an iOS device.

`IOS_SAMPLE`

iOS sample A sample file specific to the iOS platform.

`JSON`

JSON file A file in JavaScript Object Notation (JSON) format.

Suggested MIME types:

application/json

`PCAP`

PCAP file A file capturing network traffic, typically in PCAP format.

Suggested MIME types:

application/cap
application/pcap
application/vnd.tcpdump.pcap
application/vnd.tcpdump.pcapng
application/x-cap
application/x-pcap

`REPORT`

Report A file containing an analytical or investigative report.

`SAMPLE`

Sample A generic sample file, often used for malware or suspicious files.

`SOCKET_T`

Socket activity trace A file recording socket or network connection activity.

`SSLKEYLOG`

SSL keylog file A file containing SSL/TLS session keys for decrypting network traffic.

`TEXT`

Text file A plain text file, such as TXT or LOG.

Suggested MIME types:

text/plain

`VIDEO`

Video A file containing video content, such as MP4, AVI, or MOV.

Suggested extra properties: content_warning

Suggested MIME types:

video/*

`WEBPAGE`

Web page A file containing web page content, such as HTML or XHTML.

Suggested extra properties: content_warning

Suggested MIME types:

application/xhtml+xml
text/html

Data Fragments

A data fragment represents a fragment of data, such as a code snippet, text, or other content.

Supported types:

`CODE`

Piece of code A snippet or segment of source code from any programming language.

`GENERIC`

Generic A general or unspecified data fragment type that does not fit other categories.

`PATTERN`

Pattern A recognizable sequence or structure, such as a regular expression or YARA rule.

`PAYLOAD`

Raw payload A block of raw binary or encoded data.

`TEXT`

Piece of text A fragment of unstructured or plain text.

Detection Rules

A detection rule represents a rule used for detecting specific content or logic related to observables.

Supported types:

`GENERIC`

Generic A general or unspecified detection rule type that does not fit other categories.

`SURICATA`

Suricata rule A rule for the Suricata engine to detect network threats and suspicious traffic.

`YARA`

Yara rule A rule used to identify and classify malware or files based on patterns.

Devices

A device represents a physical or virtual device in a system.

Supported types:

`DESKTOP`

Desktop A personal computer intended for regular use at a single location.

`GENERIC`

Generic A general or unspecified device type that does not fit other categories.

`IOT`

Internet of Things A device connected to the internet, often embedded and used for specific functions (e.g., smart home devices).

`LAPTOP`

Laptop A portable personal computer designed for mobile use.

`MOBILE`

Mobile device A handheld device such as a smartphone or tablet.

`ROUTER`

Router A network device that forwards data packets between computer networks.

`SERVER`

Server A computer or system that provides resources, data, or services to other computers over a network.

Events

An event represents an occurrence or activity observed within a system, such as a detection, alert, or log entry.

Supported types:

`ALERT`

Alert A notification or warning about a detected security event or anomaly.

`AV_DETECTION`

AntiVirus detection An event where antivirus software detects malicious or suspicious activity.

`COMMUNICATION`

Communication An event involving the exchange of information between entities, such as emails or messages.

`COMPROMISE`

Compromise An event indicating that a system, account, or data has been breached or compromised.

`GENERIC`

Generic An event that does not fit into any of the predefined categories.

`HIT`

Hit An event indicating a match or detection by a rule, signature, or indicator.

`INFECTION`

Infection An event where a system or device is infected by malware or a similar threat.

`PASSIVE_DNS`

Passive DNS An event recording historical DNS resolution data observed passively.

`RESOLVE`

Resolution An event where a domain or hostname is resolved to an IP address.

Observables

Observable represents an entity such as an IP address that can be observed or detected within a system.

Supported types:

`ASN`

Autonomous system number A unique number assigned to a group of IP networks operated by one or more network operators.

Suggested extra properties: organization

`CIDR`

CIDR A Classless Inter-Domain Routing block, representing a range of IP addresses.

`COMMUNITY_ID`

Community id A hash value used to uniquely identify network flows across tools.

`CVE`

CVE A Common Vulnerabilities and Exposures identifier for publicly known security flaws.

`DEXOFUZZY`

Dexofuzzy hash A fuzzy hash value used to compare Android DEX files for similarity.

`DNS_RECORD`

DNS record A record containing information about a domain name in the DNS system.

Suggested extra properties: resolver

`DOMAIN`

Domain name A human-readable address used to identify resources on the internet.

Suggested extra properties: root_domain, registration_date

`DOMAIN_REGISTRANT`

Domain registrant The individual or organization that owns or controls a domain name.

Suggested extra properties: name, organization, street, city, state, postal_code, country, phone, fax, email

`DOMAIN_REGISTRAR`

Domain registrar The organization or entity responsible for registering domain names.

Suggested extra properties: name, organization, street, city, state, postal_code, country, phone, fax, email

`EMAIL`

Email address An address used to send and receive electronic mail.

`GENERIC`

Generic A general or unspecified observable type that does not fit other categories.

`HOSTNAME`

Hostname A label assigned to a device on a network, used to identify it in various forms.

`IMPHASH`

Import hash A hash of the import table of a PE file, used to identify similar binaries.

`IPV4`

IPv4 An IPv4 address, a 32-bit numeric address used for identifying devices on a network.

Suggested extra properties: address_block, subnet, routable, ASN

`IPV6`

IPv6 An IPv6 address, a 128-bit alphanumeric address for identifying devices on a network.

Suggested extra properties: address_block, subnet, routable, ASN

`LOCATION`

Location A physical or geographical place, specified by coordinates or address.

Suggested extra properties: latitude, longitude, altitude, country, state, city, address

`MAC`

MAC address A unique hardware identifier assigned to a network interface card (NIC).

Suggested extra properties: manufacturer

`MD5`

MD5 A 128-bit hash value, commonly used to verify file integrity.

`MUTEX`

Mutex A mutual exclusion object used for process synchronization.

`NAMESPACE`

Namespace A container that holds a set of identifiers, such as classes or functions, to avoid naming conflicts.

Suggested extra properties: fully_qualified_name

`OS_QUERY`

Os query A query or result from an operating system instrumentation framework.

`PATH`

File path A string specifying the location of a file or directory in a filesystem.

`PEHASH`

PE hash A hash value calculated from the structure of a Portable Executable (PE) file.

`PHONE`

Phone number A numeric identifier used to reach a telephone endpoint.

Suggested extra properties: prefix, country_code, country_name

`PROCESS`

Process name The name of a running process on a computer system.

Suggested extra properties: executable, path

`SERVICE`

Running service A network or system service that is currently active or listening.

Suggested extra properties: ip_address, technology, port

`SHA1`

SHA1 A 160-bit hash value, used for data integrity and file identification.

`SHA256`

SHA256 A 256-bit hash value, widely used for file and data integrity verification.

`SSL_CERT_F`

SSL certificate fingerprint A hash value uniquely identifying an SSL/TLS certificate.

Suggested extra properties: subject, md5, sha1, sha256, issuer, organization, not_before, not_after

`URI`

URI A Uniform Resource Identifier, a string used to identify a resource.

`URL`

URL A Uniform Resource Locator, specifying the address of a resource on the internet.

Threats

A threat represents a potentially malicious entity, such as a malware family, campaign, or adversary.

Supported types:

`ADWARE`

Adware Software that automatically displays or downloads advertising material, often unwanted.

`APT`

APT Advanced Persistent Threat; a prolonged and targeted cyberattack by a well-resourced adversary.

`BACKDOOR`

Backdoor Malware that allows unauthorized remote access to a compromised system.

`BOTNET`

Botnet A network of compromised computers controlled by an attacker to perform coordinated tasks.

`BROWSER_HIJACKER`

Browser Hijacker Malware that alters browser settings, redirects traffic, or injects unwanted ads.

`CRYPTOJACKING`

Cryptojacking Unauthorized use of a device to mine cryptocurrency.

`CVE`

CVE A Common Vulnerabilities and Exposures identifier for a known security flaw.

`DIALER`

Dialer Malware that makes unauthorized calls or connections, often to premium-rate numbers.

`DROPPER`

Dropper A type of malware designed to deliver and install other malicious software.

`EXPLOIT_KIT`

Exploit Kit A toolkit used to exploit vulnerabilities in software to deliver malware.

`FF_BOTNET`

Fast Flux Botnet A botnet that rapidly changes DNS records to hide malicious activities.

`GENERIC`

Generic A general or unspecified threat type that does not fit other categories.

`INFO_STEALER`

Information Stealer Malware designed to steal sensitive information such as credentials or financial data.

`LOADER`

Loader Malware that loads and executes other malicious payloads on a system.

`MALVERTISING`

Malvertising The use of online advertising to spread malware.

`MALWARE`

Malware A general term for any software intentionally designed to cause damage or unauthorized actions.

`MOBILE_TROJAN`

Mobile Trojan A trojan specifically targeting mobile devices to steal data or perform malicious actions.

`PHISHING`

Phishing A technique to trick users into revealing sensitive information, often via fake emails or websites.

`POS_MALWARE`

Point-of-sale Malware Malware targeting point-of-sale systems to steal payment card data.

`RANSOMWARE`

Ransomware Malware that encrypts data and demands payment for decryption.

`RAT`

Remote Access Trojan (RAT) Malware that provides remote control over an infected system.

`ROOTKIT`

Rootkit Malware designed to hide its presence and provide privileged access to a system.

`SCAREWARE`

Scareware Malware that tricks users into buying unnecessary or harmful software by scaring them.

`SINKHOLE`

Sinkhole A technique or system used to redirect malicious traffic for analysis or mitigation.

`SPAM`

Spam Unsolicited or bulk messages, often used to deliver malware or phishing attempts.

`SPYWARE`

Spyware Malware that secretly gathers user information without consent.

`STALKERWARE`

Stalkerware Software used to secretly monitor and track user activity, often for surveillance.

`TROJAN`

Trojan Malware disguised as legitimate software to trick users into installing it.

`WATCHWARE`

Watchware Malware designed to monitor user activity, similar to spyware or stalkerware.

`WORM`

Worm Self-replicating malware that spreads across networks without user intervention.

Colander

Actors

APT

COMPANY

CYBER_CRIMINAL

GENERIC

HACKTIVIST

INDIVIDUAL

INSIDER

NATION_STATE

NGO

PUB_INST

THREAT_ACTOR

Artifacts

ANDROID_BACKUP

ANDROID_SAMPLE

ARCHIVE

AUDIO

BACKUP

BINARY

CRYPTO_T

DOCUMENT

EMAIL

F_DUMP

GENERIC

HAR

IMAGE

IOS_BACKUP

IOS_SAMPLE

JSON

PCAP

REPORT

SAMPLE

SOCIAL_POST

SOCKET_T

SSLKEYLOG

TEXT

VIDEO

WEBPAGE

Data Fragments

CODE

GENERIC

PATTERN

PAYLOAD

TEXT

Detection Rules

GENERIC

SURICATA

YARA

Devices

DESKTOP

GENERIC

IOT

LAPTOP

MOBILE

ROUTER

SERVER

Events

ALERT

AV_DETECTION

COMMUNICATION

COMPROMISE

GENERIC

HIT

INFECTION

PASSIVE_DNS

RESOLVE

Observables

ASN

CIDR

COMMUNITY_ID

CVE

DEXOFUZZY

DNS_RECORD

DOMAIN

DOMAIN_REGISTRANT

DOMAIN_REGISTRAR

EMAIL

GENERIC

HOSTNAME

`APT`

`COMPANY`

`CYBER_CRIMINAL`

`GENERIC`

`HACKTIVIST`

`INDIVIDUAL`

`INSIDER`

`NATION_STATE`

`NGO`

`PUB_INST`

`THREAT_ACTOR`

`ANDROID_BACKUP`

`ANDROID_SAMPLE`

`ARCHIVE`

`AUDIO`

`BACKUP`

`BINARY`

`CRYPTO_T`

`DOCUMENT`

`EMAIL`

`F_DUMP`

`GENERIC`

`HAR`

`IMAGE`

`IOS_BACKUP`

`IOS_SAMPLE`

`JSON`

`PCAP`

`REPORT`

`SAMPLE`

`SOCIAL_POST`

`SOCKET_T`

`SSLKEYLOG`

`TEXT`

`VIDEO`

`WEBPAGE`

`CODE`

`GENERIC`

`PATTERN`

`PAYLOAD`

`TEXT`

`GENERIC`

`SURICATA`

`YARA`

`DESKTOP`

`GENERIC`

`IOT`

`LAPTOP`

`MOBILE`

`ROUTER`

`SERVER`

`ALERT`

`AV_DETECTION`

`COMMUNICATION`

`COMPROMISE`

`GENERIC`

`HIT`

`INFECTION`

`PASSIVE_DNS`

`RESOLVE`

`ASN`

`CIDR`

`COMMUNITY_ID`

`CVE`

`DEXOFUZZY`

`DNS_RECORD`

`DOMAIN`

`DOMAIN_REGISTRANT`

`DOMAIN_REGISTRAR`

`EMAIL`

`GENERIC`

`HOSTNAME`

`IMPHASH`

`IPV4`

`IPV6`

`LOCATION`

`MAC`

`MD5`

`MUTEX`

`NAMESPACE`