Indicators and Threats
Indicators and threats connect bidirectionally. From an indicator, you can pivot to the threats it is associated with, placing a specific observable entity in the context of broader malicious activity. From a threat, you can retrieve the full list of indicators linked to it, exposing the underlying infrastructure or artifacts the threat relies on.
Indicators and Feeds
The indicator-to-feed relationship is a provenance record: it tells you which feeds flagged a given indicator. Multiple feeds can reference the same indicator independently, and each link includes a stamp_linked timestamp recording when the feed first flagged it.
When an indicator appears in several feeds, that overlap is itself a signal about how widely the indicator is tracked across the community.
Threats and Feeds
Threats and feeds connect in two ways. A shared indicator usually creates the link: when an indicator from a feed is associated with a threat, Pulsedive links the threat to that feed. Some feeds, such as STIX/TAXII feeds like MITRE ATT&CK, supply threat data directly, so Pulsedive links the threat to the feed even without a shared indicator. When you retrieve a threat summary, Pulsedive includes every feed linked to that threat, along with indicator counts per feed.
Indicators and Indicators
Indicators link to other indicators through typed relationships. Each link type describes a specific kind of connection between two observable entities. The supported link types are:
- Active DNS: DNS resolutions observed for this indicator
- Mail Servers: Mail server records associated with this indicator, sourced from DNS MX records
- Name Servers: Name server records associated with this indicator, sourced from DNS NS records
- Redirects: HTTP redirect relationships between indicators
- Related Domains: Domain indicators associated with this indicator
- Related URLs: URL indicators associated with this indicator
- SSL Certificate Domains: Domains sharing an SSL certificate with this indicator
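The indicator, threat and feed links described in the sections above can be modelled offline to see how the pivots and per-feed counts fall out. This is an added example, not Pulsedive's code or API schema: the tuple layout, the sample names and the choice to report a directly linked feed with a count of 0 are assumptions, and only stamp_linked is taken from the page.

```python
from collections import defaultdict

# Constructed sample links. The tuple layout is an assumption made for this
# example, not Pulsedive's API schema; only stamp_linked is named on the page.
INDICATOR_FEEDS = [  # (indicator, feed, stamp_linked)
    ("bad.example", "Feed A", "2024-03-02 10:00:00"),
    ("bad.example", "Feed B", "2024-03-05 08:30:00"),
    ("198.51.100.7", "Feed A", "2024-03-03 12:00:00"),
    ("cdn.example", "Feed C", "2024-03-04 09:00:00"),
]
INDICATOR_THREATS = [  # (indicator, threat)
    ("bad.example", "ExampleThreat"),
    ("198.51.100.7", "ExampleThreat"),
]
# Feed that supplies threat data itself, so no shared indicator is needed.
DIRECT_THREAT_FEEDS = [("ExampleThreat", "Example STIX Feed")]


def indicator_provenance(indicator):
    """Map each feed that flagged the indicator to its earliest stamp_linked."""
    first = {}
    for ind, feed, stamp in INDICATOR_FEEDS:
        # Fixed-width "YYYY-MM-DD HH:MM:SS" strings sort chronologically.
        if ind == indicator and (feed not in first or stamp < first[feed]):
            first[feed] = stamp
    return first


def threats_for(indicator):
    """Pivot from an indicator to the threats it is associated with."""
    return sorted({t for i, t in INDICATOR_THREATS if i == indicator})


def threat_feed_summary(threat):
    """Every feed linked to the threat, with indicator counts per feed."""
    members = {i for i, t in INDICATOR_THREATS if t == threat}
    counts = defaultdict(int)
    for ind, feed, _stamp in INDICATOR_FEEDS:
        if ind in members:
            counts[feed] += 1
    for t, feed in DIRECT_THREAT_FEEDS:
        if t == threat:
            counts.setdefault(feed, 0)  # linked with zero shared indicators
    return dict(counts)
```

The number of keys returned by indicator_provenance is the feed overlap for that indicator, and a feed that never touches the threat's indicators (Feed C here) stays out of the threat summary.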