--- title: Threat Intel fields description: Threat intelligence Filebeat Module. Fields for AbuseCH Malware Threat Intel Fields for AbuseCH Malware Threat Intel Fields for Anomali Threat Intel Fields... url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/filebeat/exported-fields-threatintel products: - Beats - Filebeat applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Threat Intel fields Threat intelligence Filebeat Module. The file's import tlsh, if available. type: keyword The file's sha384 hash, if available. type: keyword type: keyword type: keyword ## abusech.malware Fields for AbuseCH Malware Threat Intel File type guessed by URLhaus. type: keyword Malware familiy. type: keyword Location (URL) where you can download a copy of this file. type: keyword AV detection ration. type: keyword AV detection in percent. type: float Link to the Virustotal report. type: keyword ## abusech.url Fields for AbuseCH Malware Threat Intel The ID of the url. type: keyword Link to URLhaus entry. type: keyword The current status of the URL. Possible values are: online, offline and unknown. type: keyword The threat corresponding to this malware URL. type: keyword SURBL blacklist status. Possible values are: listed and not_listed type: keyword Spamhaus DBL blacklist status. type: keyword The Twitter handle of the reporter that has reported this malware URL (or anonymous). type: keyword Indicates whether the malware URL has been reported to the hosting provider (true or false) type: boolean A list of tags associated with the queried malware URL type: keyword ## anomali.limo Fields for Anomali Threat Intel The ID of the indicator. type: keyword The name of the indicator. type: keyword The pattern ID of the indicator. type: keyword When the indicator was first found or is considered valid. type: date When the indicator was last modified type: date The labels related to the indicator type: keyword The value of the indicator, for example if the type is domain, this would be the value. type: keyword A description of the indicator. type: keyword Title describing the indicator. type: keyword Extra text or descriptive content related to the indicator. type: keyword The indicator type, can for example be "domain, email, FileHash-SHA256". type: keyword The STIX reference object. type: keyword ## anomali.threatstream Fields for Anomali ThreatStream Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public. type: keyword example: private The measure of the accuracy (from 0 to 100) assigned by ThreatStream's predictive analytics technology to indicators. type: short Detail text for indicator. type: text example: Imported by user 42. The ID of the indicator. type: keyword ID of the import session that created the indicator on ThreatStream. type: keyword Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url". type: keyword Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator. type: wildcard Hash for the indicator. type: keyword Relative URI for the indicator details. type: keyword Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high. type: keyword Source for the indicator. type: keyword example: Analyst ID for the integrator source. type: keyword State for this indicator. type: keyword example: active ID of the trusted circle that imported the indicator. type: keyword Update ID. type: keyword URL for the indicator. type: keyword Data type of the indicator. Possible values: ip, domain, url, email, md5. type: keyword ## abusech.malwarebazaar Fields for Malware Bazaar Threat Intel File type guessed by Malware Bazaar. type: keyword Malware familiy. type: keyword A list of tags associated with the queried malware sample. type: keyword Number of downloads from MalwareBazaar. type: long Number of uploads from MalwareBazaar. type: long Malware seen in generic spam traffic. type: keyword Malware seen in IT spam traffic. type: keyword Identifies if the sample was submitted anonymously. type: long Code signing information for the sample. type: nested ## misp Fields for MISP Threat Intel Attribute ID. type: keyword Organization Community ID of the event. type: keyword Organization ID of the event. type: keyword Threat level from 5 to 1, where 1 is the most critical. type: long Additional text or information related to the event. type: keyword When the event was published. type: boolean The UUID of the event object. type: keyword The date of when the event object was created. type: date How many attributes are included in a single event object. type: long The timestamp of when the event object was created. type: date Distribution type related to MISP. type: keyword Settings configured on MISP for email lock on this event object. type: boolean If the current MISP event object is locked or not. type: boolean At what time the event object was published type: date The ID of the grouped events or sources of the event. type: keyword If correlation is disabled on the MISP event object. type: boolean The UUID of the event object it might extend. type: keyword The organization ID related to the event object. type: keyword The organization name related to the event object. type: keyword The UUID of the organization related to the event object. type: keyword If the event object is local or from a remote source. type: boolean The Organization Community ID in which the event object was reported from. type: keyword The Organization Community name in which the event object was reported from. type: keyword The Organization Community UUID in which the event object was reported from. type: keyword If the Organization Community was local or synced from a remote source. type: boolean The ID of the attribute related to the event object. type: keyword The type of the attribute related to the event object. For example email, ipv4, sha1 and such. type: keyword The category of the attribute related to the event object. For example "Network Activity". type: keyword If the attribute should be automatically synced with an IDS. type: boolean The UUID of the attribute related to the event. type: keyword The local event ID of the attribute related to the event. type: keyword How the attribute has been distributed, represented by integer numbers. type: long The timestamp in which the attribute was attached to the event object. type: date Comments made to the attribute itself. type: keyword The group ID of the sharing group related to the specific attribute. type: keyword If the attribute has been removed from the event object. type: boolean If correlation has been enabled on the attribute related to the event object. type: boolean The ID of the Object in which the attribute is attached. type: keyword The type of relation the attribute has with the event object itself. type: keyword The value of the attribute, depending on the type like "url, sha1, email-src". type: keyword The ID of the secondary attribute related to the event object. type: keyword The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such. type: keyword The category of the secondary attribute related to the event object. For example "Network Activity". type: keyword If the secondary attribute should be automatically synced with an IDS. type: boolean The UUID of the secondary attribute related to the event. type: keyword The local event ID of the secondary attribute related to the event. type: keyword How the secondary attribute has been distributed, represented by integer numbers. type: long The timestamp in which the secondary attribute was attached to the event object. type: date Comments made to the secondary attribute itself. type: keyword The group ID of the sharing group related to the specific secondary attribute. type: keyword If the secondary attribute has been removed from the event object. type: boolean If correlation has been enabled on the secondary attribute related to the event object. type: boolean The ID of the Object in which the secondary attribute is attached. type: keyword The type of relation the secondary attribute has with the event object itself. type: keyword The value of the attribute, depending on the type like "url, sha1, email-src". type: keyword ## otx Fields for OTX Threat Intel The ID of the indicator. type: keyword The value of the indicator, for example if the type is domain, this would be the value. type: keyword A description of the indicator. type: keyword Title describing the indicator. type: keyword Extra text or descriptive content related to the indicator. type: keyword The indicator type, can for example be "domain, email, FileHash-SHA256". type: keyword ## threatq Fields for ThreatQ Threat Library Last modification time type: date Object creation time type: date Expiration time type: date Expiration calculation time type: date Object publication time type: date Object status within the Threat Library type: keyword Original indicator value type: keyword Adversaries that are linked to the object type: keyword These provide additional context about an object type: flattened