AtiPrioritization contains various fields used to calculate a priority score for an entity identified as a threat.
| JSON representation |
|---|
| { "gtiVerdict": integer, "gtiSeverity": integer, "gtiThreatScore": integer, "mandiantAnalystConfidence": integer, "gtiUpdateTime": string, "activeIr": boolean, "activeIrFirstTaggedTime": string, "globalCustomerCount": string, "globalHitCount": string, "exclusive": boolean, "osint": boolean, "scanner": boolean, "reviewed": boolean, "attributedMalware": [ { object ( |
| Fields | |
|---|---|
| `gtiVerdict` | The confidence score from "GTI verdict" source. |
| `gtiSeverity` | The confidence score from "GTI severity" source. |
| `gtiThreatScore` | The confidence score from "GTI threat score" source. |
| `mandiantAnalystConfidence` | The confidence score from "Mandiant Analyst Intel" source. |
| `gtiUpdateTime` | Timestamp of the latest update for GTI verdict, severity, or threat score. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `activeIr` | Whether one or more Mandiant incident response customers had this indicator in their environment. |
| `activeIrFirstTaggedTime` | The timestamp of the first time an active IR was applied to this entity. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `globalCustomerCount` | Global customer count over the last 30 days |
| `globalHitCount` | Global hit count over the last 30 days |
| `exclusive` | Whether the indicator is being used by a maximum of one threat actor. |
| `osint` | Whether the indicator details are available in open source. |
| `scanner` | Whether the indicator is a scanner. |
| `reviewed` | Whether the indicator verdict has passed review. |
| `attributedMalware[]` | Malware families associated with this indicator. |
| `attributedThreatActors[]` | Threat actors associated with this indicator. |
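
For consumers of this record, the following is an added example (not part of the original reference and not the vendor's code) that converts the two RFC 3339 timestamp fields to UTC and the string-typed counts to integers before they are compared or sorted. The record values are constructed, and `parse_rfc3339` and `normalize` are hypothetical helper names.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# RFC 3339: date, "T", time, optional 1-9 fractional digits, then "Z" or +hh:mm / -hh:mm.
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?([Zz]|[+-]\d{2}:\d{2})$", re.ASCII)
TIME_FIELDS = ("gtiUpdateTime", "activeIrFirstTaggedTime")
COUNT_FIELDS = ("globalCustomerCount", "globalHitCount")  # "string" in the JSON form

def parse_rfc3339(value):
    """Return an aware UTC datetime; digits beyond microseconds are truncated."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    frac, zone = m.group(7) or "", m.group(8)
    micros = int(frac.ljust(6, "0")[:6])
    if zone in ("Z", "z"):
        offset = timedelta(0)
    else:
        sign = -1 if zone[0] == "-" else 1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
    local = datetime(y, mo, d, h, mi, s, micros, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)

def normalize(record):
    """Copy a record, converting timestamp and count strings to typed values."""
    out = dict(record)
    for name in TIME_FIELDS:
        if name in out:
            out[name] = parse_rfc3339(out[name])
    for name in COUNT_FIELDS:
        if name in out:
            # Assumption: counts are non-negative decimal strings.
            if not re.fullmatch(r"[0-9]+", out[name]):
                raise ValueError(f"{name} is not a decimal string: {out[name]!r}")
            out[name] = int(out[name])
    return out

# Constructed sample record; every value here is made up for illustration.
SAMPLE = json.loads("""{
  "gtiVerdict": 80, "activeIr": true,
  "gtiUpdateTime": "2024-05-01T10:15:30.123456789Z",
  "activeIrFirstTaggedTime": "2024-05-01T12:15:30+02:00",
  "globalCustomerCount": "12", "globalHitCount": "3400"
}""")
```

Comparing the raw strings instead would order `"3400"` before `"400"` and treat `12:15:30+02:00` as later than `10:15:30Z`, although both timestamps name the same instant.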

