fcti-attack-reports
Fetch attack reports from FCTI
fcti-attack-reports [proxy=PROXY] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- proxy=PROXY
- URL of the proxy server
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example,
10smeans data from 10 seconds earlier. - from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | Upload time |
| title | String | Subject | |
| contents | String | Contents | |
| first_seen | Date | First seen | Min time of the attack |
| last_seen | Date | Last seen | Max time of the attack |
| pattern | String | Signature | |
| importance | String | Severity | e.g. H (High), M (Medium), L (Low) |
| confirm_yn | String | Confirm request | e.g. Y, N |
| confirm_status | String | Confirm status | |
| organization | String | Organization | |
| writer | String | Author | |
| stix_id | String | STIX ID | |
| shared_scope | String | Shared scope | ALL, FSI, BANK, INVEST, INSURANCE, NONBANK, CUSTOM |
| logs | List | Logs | Elements with identity, time, src_ip, src_port, dst_ip, dst_port, src_country, dst_country, signature, file_name, sha256, http_host, http_uri, http_referer, email_sender, email_receiver, email_subject, email_attachments properties. |