Identity and Type
Each indicator has a value and a type. The value is the observable entity itself, for examplepulsedive.com or 8.8.8.8.
The type describes what kind of observable entity it is.
Pulsedive supports five indicator types:
| Type | Description |
|---|---|
domain | A domain name |
ip | An IPv4 address |
ipv6 | An IPv6 address |
url | A full URL |
Properties
Properties are structured data points that Pulsedive collects about an indicator through passive and active scanning. They capture what Pulsedive has directly observed, stored as name-value pairs grouped by scan type. Examples include:- DNS records
- WHOIS data
- HTTP headers
- SSL certificate details
Attributes
Attributes are categorical tags applied to an indicator or threat, such as a port, protocol, technology, or detail like a threat’s country or industry. Pulsedive populates some attributes from scan data, but unlike properties, attributes aren’t fixed once recorded: contributors can add or update them later, even for details a scan didn’t directly observe, such as an open port reported by feed data after the fact. Enterprise plans can define extensible attribute types beyond Pulsedive’s built-in set.Lifecycle
Indicators carry a family of timestamps that track their history in Pulsedive:| Field | Description |
|---|---|
stamp_added | When Pulsedive first added the indicator |
stamp_updated | When Pulsedive last updated the indicator record, either through internal maintenance or a scan |
stamp_seen | When Pulsedive last observed the indicator, whether through a scan, a feed, or a user submission or report |
stamp_probed | When Pulsedive last actively scanned the indicator |
stamp_retired | When Pulsedive retired the indicator, if applicable |
Submissions
Each indicator tracks how many distinct Pulsedive users have submitted it. Thissubmissions count is exposed in the API.
A high submission count is a provenance signal: it suggests the indicator is widely recognized across the community, not flagged by a single source.
Risk
Pulsedive calculates a risk score for each indicator automatically. The system-recommended score (risk_recommended) reflects Pulsedive’s evaluation based on observed data and risk factors.
The active score (risk) is what the indicator currently carries, which may match the recommendation or reflect a manual override.
When manualrisk is set, a manual override has replaced the system-recommended score.
Risk factors (riskfactors) are human-readable explanations that describe why an indicator received its score.
Contributors and admins can override an indicator’s risk in several ways:
- Through feed configuration
- Through bulk management in Explore
- By editing an indicator directly
- Through individual or bulk submission via Analyze