EntityIndicator

JSON representation

Identifying information for an Entity at a given point in time. This encapsulates the indicator type (in the field name) and value, as well as the namespace when relevant (for internal Asset indicators).

JSON representation

JSON representation
{ "indicator_namespace": string, // Union field `indicator` can be only one of the following: "hostname": string, "asset_ip_address": string, "mac": string, "product_id": string, "username": string, "email": string, "employee_id": string, "windows_sid": string, "project_object_id": string, "raw_pid": string, "process_id": string, "full_command_line": string, "parent_process_id": string, "hash_md5": string, "hash_sha1": string, "hash_sha256": string, "file_path": string, "destination_ip_address": string, "domainname": string, "resource_project_object_id": string, "resource": string, "product_object_id": string // End of list of possible types for union field `indicator`. }

{
  "indicator_namespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "asset_ip_address": string,
  "mac": string,
  "product_id": string,
  "username": string,
  "email": string,
  "employee_id": string,
  "windows_sid": string,
  "project_object_id": string,
  "raw_pid": string,
  "process_id": string,
  "full_command_line": string,
  "parent_process_id": string,
  "hash_md5": string,
  "hash_sha1": string,
  "hash_sha256": string,
  "file_path": string,
  "destination_ip_address": string,
  "domainname": string,
  "resource_project_object_id": string,
  "resource": string,
  "product_object_id": string
  // End of list of possible types for union field indicator.
}

Fields
`indicator_namespace`	`string` Namespace value of the indicator. Namespaces are supported for Asset indicators - hostname, mac, asset_ip_address, product_id, and project_object_id.
Union field `indicator`. Indicator type and value, consistent with malachite.dao.KValueType. `indicator` can be only one of the following:
`hostname`	`string` The hostname to identify an asset.
`asset_ip_address`	`string` The IP address to identify an asset.
`mac`	`string` The MAC address to identify an asset.
`product_id`	`string` Some ID that uniquely identifies an asset. This corresponds to the `asset_id` field in the UDM `Asset` and `Noun`.
`username`	`string` The user name or user ID to identify a user. This corresponds to the `userid` field in the UDM `User` and the `user_name` field when specified as a entityRiskScores.query entity_idicator filter.
`email`	`string` The email address to identify a user. This corresponds to the `email_addresses` field in the UDM `User`.
`employee_id`	`string` The employee id to identify a user.
`windows_sid`	`string` The windows SID to identify a user.
`project_object_id (deprecated)`	`string` This item is deprecated! Deprecated. Some vendor-specific ID to identify a user. This corresponds to the `product_object_id` field in the UDM `User`.
`raw_pid`	`string` The raw pid.
`process_id`	`string` The process id. This corresponds to the `pid` field in the UDM `Process`.
`full_command_line`	`string` The full command line. This corresponds to the `command_line` field in the UDM `Process`.
`parent_process_id`	`string` The parent process id. This corresponds to the `parent_process.pid` field in the UDM `Process`.
`hash_md5`	`string` The hash md5.
`hash_sha1`	`string` The hash sha1.
`hash_sha256`	`string` The hash sha256.
`file_path`	`string` The file path. This corresponds to the `full_path` field in the UDM `File`.
`destination_ip_address`	`string` The resolved ip address. This corresponds to the `ip` field in the UDM `Artifact`.
`domainname`	`string` The domain name. This corresponds to the `name` field in the UDM `Domain` and to the `domain_name` field when specified as a entityRiskScores.query entity_idicator filter.
`resource_project_object_id`	`string` LDAP Object Id or generic product object identifier that creates a unique user entity identifier. This corresponds to the `product_object_id` field in the UDM `Resource`.
`resource`	`string` System unique resource name. This corresponds to the `name` field in the UDM `Resource` and to the `resource_name` field when specified as a entityRiskScores.query entity_idicator filter.
`product_object_id`	`string` The product object id which can be used to identify an asset, user, group, or resource. This corresponds to the `product_object_id` field in the UDM `Resource`, `User`, `Asset`, and `Group`.