Title
Create new category
Edit page index title
Edit category
Edit link
JSON Feed Format
MetaDefender InSights threat intelligence feeds are available in clear and concise JSON data formats. JSON is a widely used serialization format that has become the de facto standard for online data interchange, and is broadly supported in many systems and platforms. This makes it simple to integrate MetaDefender InSights in your environment. This page documents the currently implemented formats.
Lookups
The lookup is an API query returning a response in JSON format. Intel lookups may be issued on demand and are useful as part of automated workflows or application integrations. The response format consists of an object containing the following elements:
Field | Description | Type |
|---|---|---|
artifact | The response object contains an inner object, where the key is the queried artifact (typically a domain name, IP address or URL). | String |
report | The inner artifact object contains an inner object named report, which contains the report fields for the queried artifact. | Object |
score | Resulting severity score for the queried artifact. Range: 1-10 (higher numbers indicate greater severity). | Integer |
sources_alarmed | Number of InSights intel sources that list the artifact. | Integer |
sources_evaluated | Number of InSights intel sources evaluated for listing. | Integer |
The inner report object contains additional detail:
Field | Description | Type |
|---|---|---|
asn | Autonomous system number (ASN) advertising the IP address artifact (enriched at time of ingestion). | String |
inquest | InQuest verdict details containing proprietary information from reputation data sources. hits: (Integer) Number of hits against tracked sources. malicious: (Boolean) Verdict on the artifact (source). sources: (Array) Names of tracked InSights TI sources. | Object |
malicious | Verdict on the artifact (overall). | Boolean |
opswat | OPSWAT verdict details containing proprietary information from our reputation data. hits: (Integer) Number of hits against tracked sources. malicious: (Boolean) Verdict on the artifact (source). sources: (Array) Names of tracked InSights TI sources. | Object |
InSights C2 response samples
Reputation response samples
The following example shows the response received when a queried indicator is not listed in the the threat intelligence collection:
score is 0.
sources_alarmed is 0.
report does not have a malicious field set to true.
Snapshots
The snapshot feed download is an API query returning a response in JSON format. Intel data snapshots are intended to be retrieved on a continual basis, and each download provides the complete set of validated and relevant threat indicators that are active at the time of download. Indicators that have expired and are no longer active are not included in the snapshots feed in order to keep it fresh and actionable. The feed format consists of an array of indicator objects, each containing fields as described below:
Indicator formats
InSights C2 format
Field | Description | Type |
|---|---|---|
artifact | Artifact type; one of: address: IP address host: hostname (or domain name) | String |
value | Artifact value; the actual IP address or domain name | String |
score | Severity (criticality) score; a rating of the threat level ranging from 1-10 | Integer |
source | Internal feed source identifier; one of: labs-c2: InSights C2 data | String (CSV) |
confidence | Confidence score; a rating indicating the level of confidence that sightings of the artifact relate to a threat of the given severity ranging from 1-10 | Integer |
description | Free-form descriptive context providing known details about the artifact | String |
created | ISO 8601 timestamp (UTC) for artifact creation time in OPSWAT intelligence | ISO timestamp |
lastSeen | ISO 8601 timestamp (UTC) for the last time the artifact was last seen in OPWAT’s collection | ISO timestamp |
InSights TI format
Field | Description | Type |
|---|---|---|
artifact | Artifact type; one of: address: IP address host: hostname (or domain name) url: Universal Resource Locator (URL) | String |
value | Artifact value; the actual IP address, domain name, or URL | String |
score | Severity (criticality) score; a rating of the threat level ranging from 1-10 | Integer |
source | Internal feed source identifier; one of: labs-C2: InSights C2 data labs-reputation: InSights TI data labs-osint: InSights OSINT data | String (CSV) |
confidence | Confidence score; a rating indicating the level of confidence that sightings of the artifact relate to a threat of the given severity ranging from 1-10 | Integer |
description | Free-form descriptive context providing known details about the artifact | String |
reference | Reference to the origin or context for the classification of the artifact; examples:
This field is only present in InSights TI artifacts. | String |
created | ISO 8601 timestamp (UTC) for artifact creation time in OPSWAT intelligence | ISO timestamp |
lastSeen | ISO 8601 timestamp (UTC) for the last time the artifact was last seen in OPWAT’s collection | ISO timestamp |
expiresOn | ISO 8601 timestamp (UTC) for the time the artifact is scheduled to age out | ISO timestamp |
InSights OSINT format
Field | Description | Type |
|---|---|---|
artifact | Artifact type; one of: domain: hostname (or domain name) | String |
value | Artifact value; the actual indicator value | String |
severity | Severity (criticality) score; a rating of the threat level ranging from 1-10 | Integer |
confidence | Confidence score; a rating indicating the level of confidence that sightings of the artifact relate to a threat of the given severity ranging from 1-10 | Integer |
sources | Internal feed source identifiers, providing context by indicating the source of validation or overlap of OSINT indicator with OPSWAT data: <file-hash>: Indicator overlapped with IOCs extracted by OPSWAT in our backend DFI file processing corpus. This field provides the hashes of a small sample of relevant file hashes. iocdb: Indicator identified in overlap with InQuest Labs IOCDB data repdb_derived: Indicator identified in overlap with InQuest Labs REPDB data domain-analysis-dfidb: Indicator identified in overlap with OPSWAT DFI file processing domain-analysis-iocdb: Indicator identified in overlap with InQuest Labs IOCDB data domain-analysis-labs: Indicator identified in overlap with InQuest Labs data domain-analysis-repdb: Indicator identified in overlap with InQuest Labs REPDB data domain-analysis-tidb: Indicator identified in overlap with OPSWAT MetaDefender InSights TI threat intelligence data | Array |
created_on | ISO 8601 datestamp (UTC) for artifact creation time in OPSWAT intelligence | ISO datestamp |
modified_on | ISO 8601 datestamp (UTC) for the last time the artifact was last seen in OPWAT’s collection | ISO datestamp |
expires_on | ISO 8601 datestamp (UTC) for the time the artifact is scheduled to be age out | ISO datestamp |