Identity
Each threat has a primary name and may carry one or more aliases (`othernames`), reflecting the reality that the security industry often tracks the same threat under different names.
Pulsedive also assigns each threat a category, such as `malware`, `apt`, or `exploit`, which broadly classifies the type of activity the threat represents.
Narrative Fields
Threats carry several fields that provide narrative context:
- Description: A summary of the threat and its activity.
- Analyst notes (`notes`): Additional context contributed by Pulsedive analysts.
- Wikipedia summary (`wikisummary`) and reference (`wikireference`): A summary and link pulled from Wikipedia, where available.
- Comments: Community-contributed commentary that any registered user can add to a threat.
References
The `news` array contains external sources linked to the threat.
It includes two types:
- Primary references: Curated sources such as MITRE ATT&CK entries, vendor research, and government advisories that were deliberately linked to the threat. These have `primary` set to `1`.
- News articles: Articles where the threat was mentioned, pulled in automatically. These have `primary` set to `0`.
Threat Attributes
Threats carry native attributes that describe how a threat operates and what it targets. Feeds, research, and automated ingestion from MITRE ATT&CK all contribute to these attributes. They include:
- Tactics and techniques (TTPs): How the threat operates, mapped to the MITRE ATT&CK framework. In the API response, the `ttps` object groups techniques by tactic, with each tactic containing a list of its associated techniques.
- Technology: Operating systems and platforms the threat targets.
- Suspected attribution: The country suspected of sponsoring or directing the threat.
- Industry targeting: Sectors the threat is known to target.
Indicator Summary
In addition to their own attributes, threats surface aggregated data from their linked indicators. This summary gives you a high-level view of the threat's associated activity without requiring you to retrieve the full indicator list. The summary includes:
- Aggregated attributes across linked indicators
- Common properties observed across linked indicators
- Screenshots collected from linked indicators
Related Threats
Threats can link to other threats, reflecting real-world relationships such as a malware family associated with a known threat actor. Each related threat includes its name, category, risk level, and the timestamp when Pulsedive first observed the relationship (`stamp_linked`).
Lifecycle
Threats carry four timestamps:

| Field | Description |
|---|---|
| `stamp_added` | When Pulsedive first added the threat |
| `stamp_updated` | When Pulsedive last updated the threat record |
| `stamp_seen` | When a linked indicator or feed last reported activity for this threat |
| `stamp_retired` | When Pulsedive retired the threat, if applicable |
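The example below is added here and is not Pulsedive's own code: it shows how a consumer might triage a threat record using the `news`/`primary` split, the `ttps` tactic-to-techniques mapping, and the lifecycle stamps described above. Field names follow this page; the per-item shape of `news` entries, the timestamp layout, and the sample record itself are assumptions constructed for illustration.

```python
"""Triage helpers for a Pulsedive threat record.

Field names (othernames, category, news/primary, ttps, stamp_*) follow the
documentation above. The `link` key on news items and the timestamp format
are assumptions; SAMPLE_THREAT is constructed, not real API output.
"""
from datetime import datetime, timedelta

STAMP_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout


def split_references(threat):
    """Separate curated primary references (primary == 1) from auto-ingested news."""
    items = threat.get("news", [])
    primary = [n for n in items if int(n.get("primary", 0)) == 1]
    news = [n for n in items if int(n.get("primary", 0)) != 1]
    return primary, news


def flatten_ttps(threat):
    """Turn the tactic -> [techniques] object into a flat list of (tactic, technique)."""
    return [(tactic, tech)
            for tactic, techs in threat.get("ttps", {}).items()
            for tech in techs]


def lifecycle_status(threat, now_stamp, stale_after=timedelta(days=90)):
    """Classify as retired, active, stale, or unknown from the lifecycle stamps."""
    if threat.get("stamp_retired"):
        return "retired"
    seen = threat.get("stamp_seen")
    if not seen:
        return "unknown"
    age = datetime.strptime(now_stamp, STAMP_FMT) - datetime.strptime(seen, STAMP_FMT)
    return "active" if age <= stale_after else "stale"


# Constructed sample record carrying the fields this page describes.
SAMPLE_THREAT = {
    "threat": "Example Loader",
    "othernames": ["ExLoader", "LoaderX"],
    "category": "malware",
    "news": [
        {"link": "https://example.com/curated-attack-entry", "primary": 1},
        {"link": "https://example.com/blog/exloader-sighting", "primary": 0},
    ],
    "ttps": {
        "Initial Access": ["Phishing"],
        "Execution": ["User Execution", "Command and Scripting Interpreter"],
    },
    "stamp_added": "2024-01-05 10:00:00",
    "stamp_updated": "2024-06-01 12:00:00",
    "stamp_seen": "2024-05-30 08:15:00",
    "stamp_retired": None,
}
```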