EntityIndicator

Identifying information for an Entity at a given point in time. This encapsulates the indicator type (in the field name) and value, as well as the namespace when relevant (for internal Asset indicators).

JSON representation 
{
  "indicator_namespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "asset_ip_address": string,
  "mac": string,
  "product_id": string,
  "username": string,
  "email": string,
  "employee_id": string,
  "windows_sid": string,
  "project_object_id": string,
  "raw_pid": string,
  "process_id": string,
  "full_command_line": string,
  "parent_process_id": string,
  "hash_md5": string,
  "hash_sha1": string,
  "hash_sha256": string,
  "file_path": string,
  "destination_ip_address": string,
  "domainname": string,
  "resource_project_object_id": string,
  "resource": string,
  "product_object_id": string
  // End of list of possible types for union field indicator.
}
Fields
indicator_namespace

string

Namespace value of the indicator. Namespaces are supported for Asset indicators - hostname, mac, asset_ip_address, product_id, and project_object_id.
Union field indicator. Indicator type and value, consistent with malachite.dao.KValueType. indicator can be only one of the following:
hostname

string

The hostname to identify an asset.
asset_ip_address

string

The IP address to identify an asset.
mac

string

The MAC address to identify an asset.
product_id

string

Some ID that uniquely identifies an asset. This corresponds to the asset_id field in the UDM Asset and Noun.
username

string

The user name or user ID to identify a user. This corresponds to the userid field in the UDM User and the user_name field when specified as a entityRiskScores.query entity_idicator filter.
email

string

The email address to identify a user. This corresponds to the email_addresses field in the UDM User.
employee_id

string

The employee id to identify a user.
windows_sid

string

The windows SID to identify a user.
project_object_id
(deprecated)

string

Deprecated. Some vendor-specific ID to identify a user. This corresponds to the product_object_id field in the UDM User.
raw_pid

string

The raw pid.
process_id

string

The process id. This corresponds to the pid field in the UDM Process.
full_command_line

string

The full command line. This corresponds to the command_line field in the UDM Process.
parent_process_id

string

The parent process id. This corresponds to the parent_process.pid field in the UDM Process.
hash_md5

string

The hash md5.
hash_sha1

string

The hash sha1.
hash_sha256

string

The hash sha256.
file_path

string

The file path. This corresponds to the full_path field in the UDM File.
destination_ip_address

string

The resolved ip address. This corresponds to the ip field in the UDM Artifact.
domainname

string

The domain name. This corresponds to the name field in the UDM Domain and to the domain_name field when specified as a entityRiskScores.query entity_idicator filter.
resource_project_object_id

string

LDAP Object Id or generic product object identifier that creates a unique user entity identifier. This corresponds to the product_object_id field in the UDM Resource.
resource

string

System unique resource name. This corresponds to the name field in the UDM Resource and to the resource_name field when specified as a entityRiskScores.query entity_idicator filter.
product_object_id

string

The product object id which can be used to identify an asset, user, group, or resource. This corresponds to the product_object_id field in the UDM Resource, User, Asset, and Group.