Monitor Fields
DTM Monitor & Research Tools Fields | Docs
When creating Monitors in Digital Threat Monitoring (DTM), the Topics you select for your Monitor Conditions are actually search groups. These search groups match your values against a set of related entity types making it easier to build effective Monitors.
For example, using the Network Information topic with a must contain Operator and a value of acme.com would match if acme.com was found in a domain name, URL, or Typosquatted domain. This is because the Network Information topic searches across all of those entity types.
The following table includes the available fields in the monitors and the type of data you should enter.
Monitor Topic | Monitor API Topic | Monitor Matches on Topics & Research Tools Entities | Description |
---|---|---|---|
Bank Identification Number | group_bin | bin | Complete Bank Identification Number |
Bank Identification Number | group_bin | bin_foreign | Foreign (non-US) Bank Identification number |
Bank Identification Number | group_bin | bin_partial | Partial Bank Identification number |
Brand | group_brand | identity_name | A name of a person, place, company, or thing |
Brand | group_brand | name | A name of a person, place, company, or thing |
Brand | group_brand | organization | The name of an organization |
Brand | group_brand | product | The name of a product |
Brand | group_brand | brand | Brand name or trademark |
Brand | group_brand | product_batch_name | A batch number for a product |
Crypto | group_crypto | atom_address | Wallet address for the Cosmos (ATOM) cryptocurrency |
Crypto | group_crypto | bch_address | Wallet address for the Bitcoin Cash (BCH) cryptocurrency |
Crypto | group_crypto | btc_address | Wallet address for the Bitcoin (BTC) cryptocurrency |
Crypto | group_crypto | dash_address | Wallet address for the Dash cryptocurrency |
Crypto | group_crypto | doge_address | Wallet address for the Doge cryptocurrency |
Crypto | group_crypto | ltc_address | Wallet address for the Litecoin cryptocurrency |
Crypto | group_crypto | xlm_address | Wallet address for the Stellar (XLM) cryptocurrency |
Crypto | group_crypto | xmr_address | Wallet address for the Monero (XMR) cryptocurrency |
Crypto | group_crypto | zec_address | Wallet address for the Zcash (ZEC) cryptocurrency |
Filenames & Paths | group_paths | filename | A name or identifier for a file |
Filenames & Paths | group_paths | path | A location of a file or folder on a filesystem |
Filenames & Paths | group_paths | registry_key | A path in the Windows registry |
Free Text Search | keyword | Will text search all fields of the document for the given keyword(s) | |
Hash | group_hash | md5_hash | An MD5 cryptographic hash |
Hash | group_hash | sha1_hash | A SHA1 cryptographic hash |
Hash | group_hash | sha256_hash | A SHA256 cryptographic hash |
Industry | label_industry | label_industry | Industry code of the affected industries of the original document. Valid codes: `ind.aeromil` (Aerospace and Defense); `ind.agri` (Agriculture); `ind.auto` (Automotive); `ind.chemmat` (Chemicals & Materials); `ind.civil` (Civil Society & Non-Profits); `ind.constructeng` (Construction & Engineering); `ind.edu` (Education); `ind.energyutils` (Energy & Utilities); `ind.fin` (Financial Services); `ind.gov` (Governments); `ind.health` (Healthcare); `ind.hosp` (Hospitality); `ind.legalprofserv` (Legal & Professional Services); `ind.manuf` (Manufacturing); `ind.mediaentertain` (Media & Entertainment); `ind.oilgas` (Oil & Gas); `ind.pharma` (Pharmaceuticals); `ind.retail` (Retail); `ind.tech` (Technology); `ind.telecom` (Telecommunications); `ind.transport` (Transportation) |
Language | label_language | label_language | Two-character ISO 639-1 language code specifying the detected language type |
Locations | group_location | city | A city or locality name |
Locations | group_location | country | A country or nationality name |
Locations | group_location | location_name | The name of a physical place or location |
Lucene Text Query (Advanced) | lucene | Searches all text fields of documents based on the Lucene query syntax. For more information about using Lucene in DTM, see Lucene Queries in DTM | |
Mime-Type | label_type | label_type | Detected MIME type of the originating document. Valid types include: application/font-sfnt, application/javascript, application/json, application/octet-stream, application/pdf, application/pgp-keys, application/postscript, application/vmd.ms-opentype, application/appleworks3, application/dosexec, application/x-empty, application/x-sqlite3, application/x-tar, application/x-wine-extension-ini, application/x-xar, image/gif, image/svg, image/xvg+xml, image/x-portable-greymap, message/news, message/rfc822, text/html, text/plain, text/troff, text/x-asm, text/x-awk, text/x-c, text/x-c++, text/x-diff, text/x-fortran, text/x-java, text/x-lisp, text/x-m4, text/x-makefile, text/x-ms-regedit, text/x-mdos-batch, text/x-objective-c, text/x-pascal, text/x-perl, text/x-php, text/x-po, text/x-python, text/x-ruby, text/x-shellscript, text/x-tex, text/xml, text/x-sgi-movie |
Network Information | group_network | domain | An RFC1035 domain name |
Network Information | group_network | ipv4_address | An IPv4 Address |
Network Information | group_network | ipv6_address | An IPv6 Address |
Network Information | group_network | typosquatted_domain | Accepts a plain fully qualified domain name (not URLs) and will attempt to detect and alert when similar domains are registered |
Network Information | group_network | url | An RFC1738 uniform resource locator (URL) |
Person or Identity | group_identity | client_identifier | An OpenID client identifier |
Person or Identity | group_identity | email_address | An RFC5322 e-mail address |
Person or Identity | group_identity | identity_name | A name of a person, place, company, or thing |
Person or Identity | group_identity | name | A name of a person, place, company, or thing |
Person or Identity | group_identity | phone_number | A partial or complete phone number |
Person or Identity | group_identity | telegram_user_name | A username for the Telegram messaging platform |
Person or Identity | group_identity | twitter_handle | A user name for the Twitter platform |
Search Collection Type | doc_type | doc_type | The specific document type to match, valid types include: |
Threat Type | label_threat | Pre-defined list | Threat specifier of the original document. Valid types include: |
Threat Intel | group_threats | cve | A Common Vulnerabilities and Exposures (CVE) Identifier |
Threat Intel | group_threats | threat_group_name | The name of a threat group |
Threat Intel | group_threats | threat_name | The name of a particular type of threat |
Threat Intel | group_threats | service_name | The name of a service |
Threat Intel | group_threats | cwe | A Common Weakness Enumeration (CWE) Identifier |
Tokens & Key | group_keys | access_token | Access token used by applications to authenticate against protected resources |
Tokens & Key | group_keys | crypto_key_private | Asymmetric cryptography private key |
Tokens & Key | group_keys | crypto_key_public | Asymmetric cryptography public key |
Tokens & Key | group_keys | password_plaintext | A detected plaintext password |
Tokens & Key | group_keys | predict_password_plaintext | A detected plaintext password (lower confidence) |
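
A local pre-submission check for monitor values, added here as an illustration (it is not DTM's own code or API): for two of the group topics in the table, it reports which member entity types a value is well-formed for. The function names and the syntax rules (hex digest lengths, a simplified FQDN pattern, scheme plus host for URLs) are assumptions; how DTM itself extracts and matches entities is not described on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Group topics and their member entity types, copied from the table above.
GROUPS = {
    "group_network": ["domain", "ipv4_address", "ipv6_address",
                      "typosquatted_domain", "url"],
    "group_hash": ["md5_hash", "sha1_hash", "sha256_hash"],
}
HASH_HEX_LEN = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
# Assumption: simplified hostname syntax (ASCII labels, alphabetic TLD, no IDN).
FQDN = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)


def _is_ip(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def _is_url(value):
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. unbalanced "[" in the host part
        return False
    return bool(parts.scheme and parts.netloc)


def fits(entity, value):
    """True if value is syntactically plausible for the entity type."""
    if entity in HASH_HEX_LEN:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_HEX_LEN[entity], value) is not None
    if entity in ("ipv4_address", "ipv6_address"):
        return _is_ip(value, 4 if entity == "ipv4_address" else 6)
    if entity in ("domain", "typosquatted_domain"):
        return FQDN.fullmatch(value) is not None  # plain FQDN only, never a URL
    if entity == "url":
        return _is_url(value)
    raise ValueError(f"no check modelled for entity type {entity!r}")


def candidate_entities(api_topic, value):
    """Entity types of a group topic that the value is well-formed for."""
    if api_topic not in GROUPS:
        raise ValueError(f"API topic not modelled here: {api_topic!r}")
    return [e for e in GROUPS[api_topic] if fits(e, value.strip())]
```

An empty result means the value is not well-formed for any entity type in that group, which usually points to a typo or to a value that belongs under a different topic.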
Updated 16 days ago