These properties identify when the listing happened and why, and provide the essential intelligence about it.

listed: the Unix timestamp of the listing event.

seen: the Unix timestamp of the first signal that triggered the listing, for example a spamtrap hit, a sandbox analysis or a honeypot signal.

valid_until: the Unix time at which this listing should be considered invalid. The listing may be renewed if further signals are observed, so send another API query for this object before the expiry time to find out whether the listing is still valid.

remove_timestamp: the Unix time at which the team manually removed the listing. Manual removals occur following an external removal request, or when the team discovers a false positive entry, which rarely happens.

rule: the internal ID of the rule that triggered the detection. Detections triggered by different means or rules show different IDs, even when they refer to the same detection. Please note that this is for internal use only, and we don't provide a complete list of rules. Users can, however, use this field to cross-reference different events.

botname: the bot name associated with the detected activity. Where a clear association isn't possible, "unknown" is returned.

botname_malpedia: the bot name associated with the detected activity, as named by Malpedia. Where a clear association isn't possible, "unknown" is returned. This field isn't always provided, particularly for historic listings.

heuristic: the parameter that contributed to the listing decision.

detection: a human-readable string briefly describing how the data was collected. This field only appears when the heuristic involves multiple data collection methods.
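The following is an added example, not code from the original documentation or from the API provider, showing how a consumer might handle the fields described above: converting the Unix timestamps to readable UTC, deciding whether a listing is still active, expired (and therefore due for a re-query before relying on it), or manually removed, and cross-referencing events by rule ID. It assumes the listing arrives as a JSON object keyed by the field names, that remove_timestamp and botname_malpedia may be absent or null, and that the sample records and the "current time" are constructed for illustration.

```python
"""Added example: parse listing records with the documented fields and derive
their status. The JSON shape and sample values are constructed assumptions,
not taken from the original page."""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample response: three listings for illustration only.
SAMPLE_JSON = """
[
  {"listed": 1700000000, "seen": 1699990000, "valid_until": 1700086400,
   "rule": 123, "botname": "unknown", "botname_malpedia": "unknown",
   "heuristic": "spamtrap", "detection": "spamtrap hit"},
  {"listed": 1699900000, "seen": 1699899000, "valid_until": 1699986400,
   "rule": 456, "botname": "emotet", "heuristic": "sandbox"},
  {"listed": 1699800000, "seen": 1699800000, "valid_until": 1699886400,
   "remove_timestamp": 1699850000, "rule": 456, "botname": "emotet",
   "heuristic": "sandbox"}
]
"""


def to_iso(ts: Optional[int]) -> Optional[str]:
    """Render a Unix timestamp as ISO-8601 UTC; None stays None."""
    if ts is None:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def listing_status(rec: dict, now: int) -> str:
    """Classify one listing relative to `now` (Unix time).

    A manual removal wins over everything else. Otherwise the listing is
    'active' until valid_until; past that, the documentation says to query
    the object again rather than assume the listing lapsed or was renewed.
    """
    if rec.get("remove_timestamp") is not None:
        return "removed"
    if now < rec["valid_until"]:
        return "active"
    return "expired_requery"


def normalise(rec: dict, now: int) -> dict:
    """Return the listing with readable timestamps, a status and the
    seconds of validity left (negative once valid_until has passed)."""
    return {
        "listed": to_iso(rec["listed"]),
        "seen": to_iso(rec["seen"]),
        "valid_until": to_iso(rec["valid_until"]),
        "remove_timestamp": to_iso(rec.get("remove_timestamp")),
        "rule": rec["rule"],
        "botname": rec.get("botname", "unknown"),
        # Not always provided, especially for historic listings.
        "botname_malpedia": rec.get("botname_malpedia"),
        "heuristic": rec["heuristic"],
        # Only present when the heuristic spans several collection methods.
        "detection": rec.get("detection"),
        "status": listing_status(rec, now),
        "seconds_remaining": rec["valid_until"] - now,
    }


def process(raw_json: str, now: int) -> list:
    """Parse a JSON array of listings and normalise each one."""
    return [normalise(r, now) for r in json.loads(raw_json)]


def group_by_rule(entries: list) -> dict:
    """Cross-reference normalised entries by rule ID, the one documented
    use of the otherwise opaque `rule` field."""
    groups = {}
    for e in entries:
        groups.setdefault(e["rule"], []).append(e["listed"])
    return groups


if __name__ == "__main__":
    NOW = 1700050000  # constructed "current time" for a reproducible run
    entries = process(SAMPLE_JSON, NOW)
    for e in entries:
        print(e["status"], e["rule"], e["listed"], e["valid_until"])
    print(group_by_rule(entries))
```

Feeding a real response in place of SAMPLE_JSON and `int(time.time())` in place of NOW gives the same classification; anything reported as expired_requery should be re-queried before being used in a blocking decision, since the listing may have been renewed.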