Overview
The Indicator domain provides polymorphic handling of Indicators of Compromise (IOCs) including IP addresses, URLs, domains, and vulnerabilities. It supports enrichment, threat intelligence lookup, and querying across different indicator types using union types for flexible return values.
Key Features
- Polymorphic indicator handling with automatic type resolution (IP, URL, domain, vulnerability, generic)
- Common base fields inherited across all indicator types
- IP address indicators with geolocation, ASN information, threat intelligence, and reputation scoring
- URL/domain indicators with WHOIS, DNS records, and SSL certificate data
- Vulnerability indicators with CVE references and CVSS scoring
- Search across indicator types with type and limit filtering
- Enrichment from multiple external sources (geolocation, ASN, threat intel, reputation, WHOIS, DNS)
- Threat level classification from unknown through critical
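The polymorphic resolution, common base fields, union return type and type/limit-filtered search described above, as an added illustration in Python. This is not the module's own code or API: the class names, the `resolve`/`search` functions, the regexes and the sample values (RFC 5737 / RFC 3849 documentation addresses, example.com, and the placeholder `CVE-0000-0001`) are all assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Union

class ThreatLevel(IntEnum):          # classification scale, unknown through critical
    UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL = range(5)

@dataclass
class Indicator:                     # common base fields shared by every indicator type
    value: str
    threat_level: ThreatLevel = ThreatLevel.UNKNOWN

@dataclass
class IPIndicator(Indicator):        # enrichment (geolocation, ASN, reputation) would extend this
    version: int = 4
@dataclass
class URLIndicator(Indicator):
    scheme: str = ""
@dataclass
class DomainIndicator(Indicator):
    pass
@dataclass
class VulnerabilityIndicator(Indicator):
    cve_id: str = ""

# Union return type: callers receive whichever concrete type the value resolved to.
AnyIndicator = Union[IPIndicator, URLIndicator, DomainIndicator, VulnerabilityIndicator, Indicator]
_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)          # hypothetical matcher
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def resolve(value: str) -> AnyIndicator:
    # Automatic type resolution; unrecognised formats fall back to the generic base type.
    v = value.strip()
    try:
        return IPIndicator(v, version=ipaddress.ip_address(v).version)
    except ValueError:
        pass                         # not an IPv4/IPv6 literal
    if _CVE.match(v):
        return VulnerabilityIndicator(v, cve_id=v.upper())
    if "://" in v:
        return URLIndicator(v, scheme=v.split("://", 1)[0].lower())
    if _DOMAIN.match(v):
        return DomainIndicator(v)
    return Indicator(v)

def search(values, indicator_type=None, limit: Optional[int] = None):
    # Resolve every value, then apply the optional type filter and result limit.
    found = [resolve(v) for v in values]
    if indicator_type is not None:
        found = [i for i in found if type(i) is indicator_type]
    return found if limit is None else found[:limit]
```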
Use Cases
- Looking up and enriching indicators of compromise during threat investigations
- Searching for related IOCs across multiple indicator types simultaneously
- Profiling IP addresses with geolocation, network ownership, and threat intelligence
- Tracking vulnerabilities with CVE references linked to investigations
Integration
The Indicator domain integrates with IP Address for IP-specific operations, URL for analysis, Domain for profiling, Vulnerability for CVE tracking, Threat Intel for IOC enrichment, and OSINT for open source intelligence.
Last Reviewed: 2026-02-05