Association

An Association represents metadata about the malware and threat actors involved with an IoC.

JSON representation
{
  "id": string,
  "countryCode": [
    string
  ],
  "type": enum (AssociationType),
  "name": string,
  "description": string,
  "role": string,
  "sourceCountry": string,
  "alias": [
    {
      object (AssociationAlias)
    }
  ],
  "firstReferenceTime": string,
  "lastReferenceTime": string,
  "industriesAffected": [
    string
  ],
  "associatedActors": [
    {
      object (Association)
    }
  ],
  "regionCode": {
    object (Location)
  },
  "sponsorRegion": {
    object (Location)
  },
  "targetedRegions": [
    {
      object (Location)
    }
  ],
  "tags": [
    string
  ]
}
Fields
id

string

Unique association ID generated by Mandiant.

countryCode[]

string

Country from which the threat actor/malware originated.

type

enum (AssociationType)

Signifies the type of association.

name

string

Name of the threat actor/malware.

description

string

Human-readable description of the association.

role

string

Role of the malware. Not applicable for threat actor.

sourceCountry
(deprecated)

string

Name of the country the threat originated from.

alias[]

object (AssociationAlias)

Different aliases of the threat actor given by different sources.

firstReferenceTime

string (Timestamp format)

First time the threat actor was referenced or seen.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

lastReferenceTime

string (Timestamp format)

Last time the threat actor was referenced or seen.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

industriesAffected[]

string

List of industries the threat actor affects.

associatedActors[]

object (Association)

List of associated threat actors for a malware. Not applicable for threat actors.

regionCode

object (Location)

Name of the country the threat originates from.

sponsorRegion

object (Location)

Sponsor region of the threat actor.

targetedRegions[]

object (Location)

Targeted regions.

tags[]

string

Tags.

AssociationType

Represents the possible Association types. Can be threat actor or malware. Used to represent Mandiant threat intelligence.

Enums
ASSOCIATION_TYPE_UNSPECIFIED The default Association Type.
THREAT_ACTOR Association type Threat actor.
MALWARE Association type Malware.

AssociationAlias

Association Alias used to represent Mandiant Threat Intelligence.

JSON representation
{
  "name": string,
  "company": string
}
Fields
name

string

Name of the alias.

company

string

Name of the provider who gave the association's name.
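
The following Python example is added here and is not part of the original reference or of Google's or Mandiant's code. It parses the RFC 3339 timestamps described for firstReferenceTime and lastReferenceTime and flattens an Association, recursing into associatedActors and flagging malware-only fields set on a THREAT_ACTOR. The names parse_ts and summarize, the warnings list and the sample record are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 as the field docs describe it: optional fractional digits, "Z" or a numeric offset.
_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})"
                 r"(?:\.(\d{1,9}))?([Zz]|[+-]\d{2}:\d{2})$")
TYPES = {"ASSOCIATION_TYPE_UNSPECIFIED", "THREAT_ACTOR", "MALWARE"}

def parse_ts(value):
    """Parse a firstReferenceTime/lastReferenceTime string into an aware UTC datetime."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    # datetime stores microseconds only, so nanosecond digits are truncated.
    micros = int((m.group(7) or "").ljust(9, "0")[:6])
    off = m.group(8).upper()
    sign = -1 if off[0] == "-" else 1
    delta = timedelta(0) if off == "Z" else sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
    return datetime(y, mo, d, h, mi, s, micros, tzinfo=timezone(delta)).astimezone(timezone.utc)

def summarize(assoc):
    """Validate one Association dict and flatten it for triage or enrichment."""
    kind = assoc.get("type", "ASSOCIATION_TYPE_UNSPECIFIED")
    if kind not in TYPES:
        raise ValueError(f"unknown AssociationType: {kind!r}")
    out = {"id": assoc.get("id"), "name": assoc.get("name"), "type": kind, "warnings": []}
    # role and associatedActors are documented as not applicable to threat actors.
    for field in ("role", "associatedActors"):
        if kind == "THREAT_ACTOR" and assoc.get(field):
            out["warnings"].append(f"{field} set on THREAT_ACTOR")
    if assoc.get("sourceCountry"):
        out["warnings"].append("sourceCountry is deprecated")
    out["aliases"] = sorted((a.get("company", ""), a.get("name", "")) for a in assoc.get("alias", []))
    for key in ("firstReferenceTime", "lastReferenceTime"):
        out[key] = parse_ts(assoc[key]) if assoc.get(key) else None
    first, last = out["firstReferenceTime"], out["lastReferenceTime"]
    if first and last and last < first:
        out["warnings"].append("lastReferenceTime precedes firstReferenceTime")
    # associatedActors nests full Association objects, so recurse into each one.
    out["actors"] = [summarize(a) for a in assoc.get("associatedActors", [])]
    return out

# Constructed sample record (placeholder values, not real intelligence data).
SAMPLE = {"id": "example-id-1", "type": "MALWARE", "name": "EXAMPLEWARE", "role": "Backdoor",
          "firstReferenceTime": "2014-10-02T15:01:23+05:30",
          "lastReferenceTime": "2014-10-02T15:01:23.045123456Z",
          "alias": [{"name": "ExampleAlias", "company": "ExampleVendor"}],
          "associatedActors": [{"id": "example-id-2", "type": "THREAT_ACTOR",
                                "name": "EXAMPLE-ACTOR", "role": "Backdoor"}]}
```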