Next ID: 16

AtiPrioritization contains various fields used to calculate a priority score for an entity identified as a threat.
| JSON representation |
|---|
{ "gtiVerdict": integer, "gtiSeverity": integer, "gtiThreatScore": integer, "mandiantAnalystConfidence": integer, "gtiUpdateTime": string, "activeIr": boolean, "activeIrFirstTaggedTime": string, "globalCustomerCount": string, "globalHitCount": string, "exclusive": boolean, "osint": boolean, "scanner": boolean, "reviewed": boolean, "attributedMalware": [ { object ( |
| Fields | |
|---|---|
| gtiVerdict | The confidence score from "GTI verdict" source. |
| gtiSeverity | The confidence score from "GTI severity" source. |
| gtiThreatScore | The confidence score from "GTI threat score" source. |
| mandiantAnalystConfidence | The confidence score from "Mandiant Analyst Intel" source. |
| gtiUpdateTime | Timestamp of the latest update for GTI verdict, severity, or threat score. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| activeIr | Whether one or more Mandiant incident response customers had this indicator in their environment. |
| activeIrFirstTaggedTime | The timestamp of the first time an active IR was applied to this entity. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| globalCustomerCount | Global customer count over the last 30 days |
| globalHitCount | Global hit count over the last 30 days |
| exclusive | Whether the indicator is being used by a maximum of one threat actor. |
| osint | Whether the indicator details are available in open source. |
| scanner | Whether the indicator is a scanner. |
| reviewed | Whether the indicator verdict has passed review. |
| attributedMalware[] | Malware families associated with this indicator. |
| attributedThreatActors[] | Threat actors associated with this indicator. |
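
The following is an added example, not part of the API documentation: a Python parser that type-checks an AtiPrioritization object against the field types listed above, converting the string-typed counts to exact integers and the RFC 3339 timestamps (up to 9 fractional digits, any offset) to UTC. The function names, the choice to leave absent fields out of the result, and the sample values are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Field groups follow the JSON representation on this page.
INT_FIELDS = ("gtiVerdict", "gtiSeverity", "gtiThreatScore", "mandiantAnalystConfidence")
COUNT_FIELDS = ("globalCustomerCount", "globalHitCount")  # typed "string" in the JSON
TIME_FIELDS = ("gtiUpdateTime", "activeIrFirstTaggedTime")
BOOL_FIELDS = ("activeIr", "exclusive", "osint", "scanner", "reviewed")
RFC3339 = re.compile(r"(\d{4}-\d\d-\d\d)T(\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?(Z|[+-]\d\d:\d\d)", re.ASCII)

def parse_rfc3339(value):
    """Return an aware UTC datetime; digits past microseconds are truncated."""
    m = RFC3339.fullmatch(value) if isinstance(value, str) else None
    if m is None:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    date, clock, frac, offset = m.groups()
    local = datetime.strptime(f"{date}T{clock}", "%Y-%m-%dT%H:%M:%S")
    local = local.replace(microsecond=int((frac or "").ljust(9, "0")[:6]))
    if offset == "Z":
        shift = timedelta(0)
    else:
        shift = timedelta(hours=int(offset[1:3]), minutes=int(offset[4:6]))
        shift = -shift if offset[0] == "-" else shift
    return (local - shift).replace(tzinfo=timezone.utc)

def parse_ati_prioritization(raw):
    """Type-check one AtiPrioritization JSON object; absent fields stay absent."""
    obj, out = json.loads(raw), {}
    for name in obj.keys() & set(INT_FIELDS):
        if type(obj[name]) is not int:  # rejects bool, which subclasses int
            raise ValueError(f"{name}: expected integer")
        out[name] = obj[name]
    for name in obj.keys() & set(COUNT_FIELDS):
        if not (isinstance(obj[name], str) and re.fullmatch(r"[0-9]+", obj[name])):
            raise ValueError(f"{name}: expected decimal string")
        out[name] = int(obj[name])  # exact; a float would round large counts
    for name in obj.keys() & set(TIME_FIELDS):
        out[name] = parse_rfc3339(obj[name])
    for name in obj.keys() & set(BOOL_FIELDS):
        if not isinstance(obj[name], bool):
            raise ValueError(f"{name}: expected boolean")
        out[name] = obj[name]
    return out

# Constructed sample; values are arbitrary and not taken from any real feed.
SAMPLE = """{"gtiThreatScore": 87, "activeIr": true, "globalCustomerCount": "12",
 "globalHitCount": "9007199254740993", "activeIrFirstTaggedTime": "2024-04-30T08:00:00Z",
 "gtiUpdateTime": "2024-05-01T12:30:00.123456789+02:00"}"""

if __name__ == "__main__":
    print(parse_ati_prioritization(SAMPLE))
```

Rejecting a record on a type mismatch, rather than coercing it, keeps a malformed or tampered feed entry from silently influencing downstream triage.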