These properties identify when the listing happened, why it happened and provide essential intelligence.

• The listed is a Unix timestamp of the event.

• The seen is the Unix timestamp of the first signal identifier that triggered the listing. For example, a spamtrap hit, a sandbox analysis, or a honeypot signal.

• The valid_until is the Unix time at which this listing should be considered invalid. This listing may be renewed if more signals are observed. In this case, please send another API query for this object before the expiry date to find out if this listing is still valid.

• The remove_timestamp is the Unix time when the team manually removed the listing. Manual removals occur following an external removal request or if the team discovers a false positive entry, which rarely happens.

• The rule is the internal ID pointing to the rule triggering the detection. Detections triggered by different means or rules will show different IDs, even when they refer to the same detection. Please note that this is for internal use only, and we don’t provide a complete list of rules. However, users can use this field to cross-reference different events.

• The botname The bot name associated with the detected activity. Where a clear association isn’t possible, “unknown” will be returned.

• The botnam_malpedia is the Malpedia bot name associated with the detected activity, as named by Malpedia. Where a clear association isn’t possible, “unknown” will be returned. This field isn’t always provided, particularly for historic listings.

• The heuristic represents the parameter contributing to the listing decision.

• The detection is a string in a human-readable form, briefly describing how the data was collected. This field only appears when the heuristic involves multiple data collection methods.