The three entities in Pulsedive’s data model connect to each other in specific, typed ways. Understanding these relationships lets you move fluidly between individual observable entities and the broader context they belong to.

Indicators and Threats

Indicators and threats connect bidirectionally. From an indicator, you can pivot to the threats it is associated with, placing a specific observable entity in the context of broader malicious activity. From a threat, you can retrieve the full list of indicators linked to it, exposing the underlying infrastructure or artifacts the threat relies on.

Indicators and Feeds

The indicator-to-feed relationship is a provenance record: it tells you which feeds flagged a given indicator. Multiple feeds can reference the same indicator independently, and each link includes a stamp_linked timestamp recording when the feed first flagged it. When an indicator appears in several feeds, that overlap is itself a signal about how widely the indicator is tracked across the community.

Threats and Feeds

Threats and feeds connect in two ways. A shared indicator usually creates the link: when an indicator from a feed is associated with a threat, Pulsedive links the threat to that feed. Some feeds, such as STIX/TAXII feeds like MITRE ATT&CK, supply threat data directly, so Pulsedive links the threat to the feed even without a shared indicator. When you retrieve a threat summary, Pulsedive includes every feed linked to that threat, along with indicator counts per feed.
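
The two feed relationships described above, as an added sketch rather than Pulsedive's own code or API schema: it orders an indicator's feed links by stamp_linked and derives threat-to-feed links with per-feed indicator counts. The record layout, every key except stamp_linked, the timestamp format, and all sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Only "stamp_linked" is a name taken from the page;
# the other keys, the timestamp format and all values are assumptions.
INDICATORS = [
    {"indicator": "bad.example", "threats": ["ExampleLoader"],
     "feeds": [{"feed": "Feed A", "stamp_linked": "2024-01-05 10:00:00"},
               {"feed": "Feed B", "stamp_linked": "2024-01-03 08:30:00"}]},
    {"indicator": "203.0.113.7", "threats": ["ExampleLoader"],
     "feeds": [{"feed": "Feed A", "stamp_linked": "2024-02-01 12:00:00"}]},
    {"indicator": "other.example", "threats": [],
     "feeds": [{"feed": "Feed B", "stamp_linked": "2024-02-02 09:00:00"}]},
]
# Threats a feed supplies directly, with no shared indicator (constructed).
DIRECT_LINKS = {"ExampleTechnique": ["Feed C"]}


def feed_provenance(record):
    """Feeds that flagged one indicator, ordered by when each link was made."""
    links = sorted(record["feeds"], key=lambda link: datetime.strptime(
        link["stamp_linked"], "%Y-%m-%d %H:%M:%S"))
    return {"overlap": len({link["feed"] for link in links}),
            "order": [link["feed"] for link in links]}


def threat_feed_links(indicators, direct_links):
    """Map each threat to its linked feeds with an indicator count per feed."""
    summary = defaultdict(lambda: defaultdict(int))
    for threat, feeds in direct_links.items():
        for feed in feeds:
            summary[threat][feed] += 0  # linked even with zero shared indicators
    for record in indicators:
        for threat in record["threats"]:
            for link in record["feeds"]:
                summary[threat][link["feed"]] += 1  # link via shared indicator
    return {threat: dict(feeds) for threat, feeds in summary.items()}


if __name__ == "__main__":
    print(feed_provenance(INDICATORS[0]))
    print(threat_feed_links(INDICATORS, DIRECT_LINKS))
```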

Indicators and Indicators

Indicators link to other indicators through typed relationships. Each link type describes a specific kind of connection between two observable entities. The supported link types are:
  • Active DNS: DNS resolutions observed for this indicator
  • Mail Servers: Mail server records associated with this indicator, sourced from DNS MX records
  • Name Servers: Name server records associated with this indicator, sourced from DNS NS records
  • Redirects: HTTP redirect relationships between indicators
  • Related Domains: Domain indicators associated with this indicator
  • Related URLs: URL indicators associated with this indicator
  • SSL Certificate Domains: Domains sharing an SSL certificate with this indicator
For example, a domain indicator resolves the following links:

For URL and subdomain indicators, Pulsedive resolves a root domain using the Related Domains and Related URLs link types. Geo and WHOIS properties are inherited from that root domain rather than stored on the URL or subdomain directly.

Summaries

Both threats and feeds expose summaries that give you a high-level view of their linked indicators without requiring you to retrieve the full indicator list. Summaries include risk distributions, common attributes, and common properties aggregated across linked indicators. To retrieve full indicator data, use the linked indicators endpoint for the relevant threat or feed.