EntityIndicator

JSON representation

Identifying information for an Entity at a given point in time. This encapsulates the indicator type (in the field name) and value, as well as the namespace when relevant (for internal Asset indicators).

JSON representation

JSON representation
{ "indicatorNamespace": string, // Union field `indicator` can be only one of the following: "hostname": string, "assetIpAddress": string, "mac": string, "productId": string, "username": string, "email": string, "employeeId": string, "windowsSid": string, "projectObjectId": string, "rawPid": string, "processId": string, "fullCommandLine": string, "parentProcessId": string, "hashMd5": string, "hashSha1": string, "hashSha256": string, "filePath": string, "destinationIpAddress": string, "domainname": string, "resourceProjectObjectId": string, "resource": string, "productObjectId": string // End of list of possible types for union field `indicator`. }

{
  "indicatorNamespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "assetIpAddress": string,
  "mac": string,
  "productId": string,
  "username": string,
  "email": string,
  "employeeId": string,
  "windowsSid": string,
  "projectObjectId": string,
  "rawPid": string,
  "processId": string,
  "fullCommandLine": string,
  "parentProcessId": string,
  "hashMd5": string,
  "hashSha1": string,
  "hashSha256": string,
  "filePath": string,
  "destinationIpAddress": string,
  "domainname": string,
  "resourceProjectObjectId": string,
  "resource": string,
  "productObjectId": string
  // End of list of possible types for union field indicator.
}

Fields
`indicatorNamespace`	`string` Namespace value of the indicator. Namespaces are supported for Asset indicators - hostname, mac, assetIpAddress, productId, and projectObjectId.
Union field `indicator`. Indicator type and value, consistent with malachite.dao.KValueType. `indicator` can be only one of the following:
`hostname`	`string` The hostname to identify an asset.
`assetIpAddress`	`string` The IP address to identify an asset.
`mac`	`string` The MAC address to identify an asset.
`productId`	`string` Some ID that uniquely identifies an asset. This corresponds to the `assetId` field in the UDM `Asset` and `Noun`.
`username`	`string` The user name or user ID to identify a user. This corresponds to the `userid` field in the UDM `User` and the `userName` field when specified as a entityRiskScores.query entity_idicator filter.
`email`	`string` The email address to identify a user. This corresponds to the `emailAddresses` field in the UDM `User`.
`employeeId`	`string` The employee id to identify a user.
`windowsSid`	`string` The windows SID to identify a user.
`projectObjectId (deprecated)`	`string` This item is deprecated! Deprecated. Some vendor-specific ID to identify a user. This corresponds to the `productObjectId` field in the UDM `User`.
`rawPid`	`string` The raw pid.
`processId`	`string` The process id. This corresponds to the `pid` field in the UDM `Process`.
`fullCommandLine`	`string` The full command line. This corresponds to the `commandLine` field in the UDM `Process`.
`parentProcessId`	`string` The parent process id. This corresponds to the `parentProcess.pid` field in the UDM `Process`.
`hashMd5`	`string` The hash md5.
`hashSha1`	`string` The hash sha1.
`hashSha256`	`string` The hash sha256.
`filePath`	`string` The file path. This corresponds to the `fullPath` field in the UDM `File`.
`destinationIpAddress`	`string` The resolved ip address. This corresponds to the `ip` field in the UDM `Artifact`.
`domainname`	`string` The domain name. This corresponds to the `name` field in the UDM `Domain` and to the `domainName` field when specified as a entityRiskScores.query entity_idicator filter.
`resourceProjectObjectId`	`string` LDAP Object Id or generic product object identifier that creates a unique user entity identifier. This corresponds to the `productObjectId` field in the UDM `Resource`.
`resource`	`string` System unique resource name. This corresponds to the `name` field in the UDM `Resource` and to the `resourceName` field when specified as a entityRiskScores.query entity_idicator filter.
`productObjectId`	`string` The product object id which can be used to identify an asset, user, group, or resource. This corresponds to the `productObjectId` field in the UDM `Resource`, `User`, `Asset`, and `Group`.