EntityIndicator

Identifying information for an Entity at a given point in time. This encapsulates the indicator type (in the field name) and value, as well as the namespace when relevant (for internal Asset indicators).

JSON representation
{
  "indicatorNamespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "assetIpAddress": string,
  "mac": string,
  "productId": string,
  "username": string,
  "email": string,
  "employeeId": string,
  "windowsSid": string,
  "projectObjectId": string,
  "rawPid": string,
  "processId": string,
  "fullCommandLine": string,
  "parentProcessId": string,
  "hashMd5": string,
  "hashSha1": string,
  "hashSha256": string,
  "filePath": string,
  "destinationIpAddress": string,
  "domainname": string,
  "resourceProjectObjectId": string,
  "resource": string,
  "productObjectId": string
  // End of list of possible types for union field indicator.
}
Fields
indicatorNamespace

string

Namespace value of the indicator. Namespaces are supported for Asset indicators: hostname, mac, assetIpAddress, productId, and projectObjectId.

Union field indicator. Indicator type and value, consistent with malachite.dao.KValueType. indicator can be only one of the following:
hostname

string

The hostname to identify an asset.

assetIpAddress

string

The IP address to identify an asset.

mac

string

The MAC address to identify an asset.

productId

string

Some ID that uniquely identifies an asset. This corresponds to the assetId field in the UDM Asset and Noun.

username

string

The user name or user ID to identify a user. This corresponds to the userid field in the UDM User and to the userName field when specified as an entityRiskScores.query entity_idicator filter.

email

string

The email address to identify a user. This corresponds to the emailAddresses field in the UDM User.

employeeId

string

The employee ID to identify a user.

windowsSid

string

The Windows SID to identify a user.

projectObjectId
(deprecated)

string

Deprecated. Some vendor-specific ID to identify a user. This corresponds to the productObjectId field in the UDM User.

rawPid

string

The raw PID.

processId

string

The process ID. This corresponds to the pid field in the UDM Process.

fullCommandLine

string

The full command line. This corresponds to the commandLine field in the UDM Process.

parentProcessId

string

The parent process ID. This corresponds to the parentProcess.pid field in the UDM Process.

hashMd5

string

The MD5 hash.

hashSha1

string

The SHA-1 hash.

hashSha256

string

The SHA-256 hash.

filePath

string

The file path. This corresponds to the fullPath field in the UDM File.

destinationIpAddress

string

The resolved IP address. This corresponds to the ip field in the UDM Artifact.

domainname

string

The domain name. This corresponds to the name field in the UDM Domain and to the domainName field when specified as an entityRiskScores.query entity_idicator filter.

resourceProjectObjectId

string

LDAP object ID or generic product object identifier that creates a unique user entity identifier. This corresponds to the productObjectId field in the UDM Resource.

resource

string

System unique resource name. This corresponds to the name field in the UDM Resource and to the resourceName field when specified as an entityRiskScores.query entity_idicator filter.

productObjectId

string

The product object ID, which can be used to identify an asset, user, group, or resource. This corresponds to the productObjectId field in the UDM Resource, User, Asset, and Group.
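
Example (added here, not part of the API reference or any Google client library): a client-side check that an EntityIndicator object sets exactly one member of the indicator union and uses indicatorNamespace only with the Asset indicators listed above. The function name, the sample records, and the choice to report an unsupported namespace as a warning rather than an error are assumptions of this example.

```python
import json

# Indicator names from the union field on this page.
INDICATOR_FIELDS = frozenset({
    "hostname", "assetIpAddress", "mac", "productId", "username", "email",
    "employeeId", "windowsSid", "projectObjectId", "rawPid", "processId",
    "fullCommandLine", "parentProcessId", "hashMd5", "hashSha1",
    "hashSha256", "filePath", "destinationIpAddress", "domainname",
    "resourceProjectObjectId", "resource", "productObjectId",
})
# Indicators the page lists as supporting indicatorNamespace.
NAMESPACED = frozenset({"hostname", "mac", "assetIpAddress", "productId", "projectObjectId"})
DEPRECATED = frozenset({"projectObjectId"})


def check_entity_indicator(obj):
    """Return (indicator_type, value, warnings); raise ValueError if malformed."""
    if not isinstance(obj, dict):
        raise ValueError("EntityIndicator must be a JSON object")
    unknown = set(obj) - INDICATOR_FIELDS - {"indicatorNamespace"}
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    present = [k for k in obj if k in INDICATOR_FIELDS]
    if len(present) != 1:  # union: only one indicator type may be set
        raise ValueError(f"need exactly one indicator, got {sorted(present)}")
    kind, value = present[0], obj[present[0]]
    if not isinstance(value, str):
        raise ValueError(f"{kind} must be a string")
    warnings = []
    ns = obj.get("indicatorNamespace")
    if ns is not None:
        if not isinstance(ns, str):
            raise ValueError("indicatorNamespace must be a string")
        if kind not in NAMESPACED:  # assumption: warn, do not reject
            warnings.append(f"indicatorNamespace is not supported for {kind}")
    if kind in DEPRECATED:
        warnings.append(f"{kind} is deprecated")
    return kind, value, warnings


# Constructed sample records (not real data).
SAMPLES = json.loads("""[
  {"indicatorNamespace": "corp-east", "hostname": "ws-0142"},
  {"indicatorNamespace": "corp-east", "hashSha256": "<sha256-placeholder>"},
  {"hostname": "ws-0142", "mac": "00:00:5e:00:53:01"}
]""")
```

The first sample passes cleanly, the second returns a namespace warning, and the third raises ValueError because two union members are set.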