
Security Center: ThreatIntelligence component

Last Updated: Oct 23, 2025

The ThreatIntelligence component enables you to query Alibaba Cloud threat intelligence.

Feature description

Action

Description

Scenarios

describeInformation

Queries Alibaba Cloud threat intelligence.

Checks whether an IP address or file is malicious.

Configuration example

This topic provides parameter configuration examples for each action of the ThreatIntelligence component. You can import them as test playbooks. Through the visual flow editor, you can more intuitively understand and test the configuration parameters of each action, and easily master the functional logic and usage of the component. For the procedure, see Playbook import.

Note

Save the example data as a JSON file first.

Example data

{
    "cells": [
        {
            "position": {
                "x": -440, 
                "y": -170
            }, 
            "size": {
                "width": 36, 
                "height": 36
            }, 
            "attrs": {
                "body": {
                    "fill": "white", 
                    "strokeOpacity": 0.95, 
                    "stroke": "#63ba4d", 
                    "strokeWidth": 2
                }, 
                "label": {
                    "text": "start", 
                    "fontSize": 12, 
                    "refX": 0.5, 
                    "refY": "100%", 
                    "refY2": 4, 
                    "textAnchor": "middle", 
                    "textVerticalAnchor": "top"
                }, 
                "path": {
                    "stroke": "#63ba4d"
                }
            }, 
            "visible": true, 
            "shape": "circle", 
            "id": "58d87b7d-28d9-4f0e-b135-4adc4f1a70e4", 
            "zIndex": 1, 
            "data": {
                "nodeType": "startEvent", 
                "appType": "basic", 
                "nodeName": "start", 
                "icon": "icon-circle", 
                "description": "Playbook start node. A playbook must have one and only one start node, which requires input data configuration for the playbook."
            }, 
            "markup": [
                {
                    "tagName": "circle", 
                    "selector": "body"
                }, 
                {
                    "tagName": "text", 
                    "selector": "label"
                }
            ], 
            "isNode": true
        }, 
        {
            "shape": "custom-edge", 
            "attrs": {
                "line": {
                    "stroke": "#63ba4d", 
                    "targetMarker": {
                        "stroke": "#63ba4d"
                    }
                }
            }, 
            "zIndex": 1, 
            "id": "5293c3f9-e1c9-4a49-b0eb-635067dc67e8", 
            "data": {
                "nodeType": "sequenceFlow", 
                "appType": "basic", 
                "isRequired": true, 
                "icon": "icon-upper-right-arrow"
            }, 
            "isNode": false, 
            "source": {
                "cell": "58d87b7d-28d9-4f0e-b135-4adc4f1a70e4"
            }, 
            "target": {
                "cell": "a0ba5cc1-7308-47c6-8c20-ea97ff4ba982"
            }, 
            "visible": true, 
            "router": {
                "name": "manhattan", 
                "args": {
                    "padding": 5, 
                    "excludeHiddenNodes": true, 
                    "excludeNodes": [
                        "clone_node_id"
                    ]
                }
            }, 
            "vertices": [ ]
        }, 
        {
            "position": {
                "x": -70, 
                "y": -170
            }, 
            "size": {
                "width": 36, 
                "height": 36
            }, 
            "attrs": {
                "body": {
                    "fill": "white", 
                    "strokeOpacity": 0.95, 
                    "stroke": "#63ba4d", 
                    "strokeWidth": 2
                }, 
                "path": {
                    "r": 12, 
                    "refX": "50%", 
                    "refY": "50%", 
                    "fill": "#63ba4d", 
                    "strokeOpacity": 0.95, 
                    "stroke": "#63ba4d", 
                    "strokeWidth": 4
                }, 
                "label": {
                    "text": "end", 
                    "fontSize": 12, 
                    "refX": 0.5, 
                    "refY": "100%", 
                    "refY2": 4, 
                    "textAnchor": "middle", 
                    "textVerticalAnchor": "top"
                }
            }, 
            "visible": true, 
            "shape": "circle", 
            "id": "317dd1be-2d20-460e-977e-1fc936ffb583", 
            "zIndex": 1, 
            "data": {
                "nodeType": "endEvent", 
                "appType": "basic", 
                "nodeName": "end", 
                "icon": "icon-radio-off-full", 
                "description": "end"
            }, 
            "markup": [
                {
                    "tagName": "circle", 
                    "selector": "body"
                }, 
                {
                    "tagName": "circle", 
                    "selector": "path"
                }, 
                {
                    "tagName": "text", 
                    "selector": "label"
                }
            ], 
            "isNode": true
        }, 
        {
            "position": {
                "x": -325, 
                "y": -185
            }, 
            "size": {
                "width": 137, 
                "height": 66
            }, 
            "view": "react-shape-view", 
            "attrs": {
                "label": {
                    "text": "ThreatIntelligence_1"
                }
            }, 
            "shape": "activity", 
            "id": "a0ba5cc1-7308-47c6-8c20-ea97ff4ba982", 
            "data": {
                "componentName": "ThreatIntelligence", 
                "appType": "component", 
                "nodeType": "action", 
                "icon": "https://sophon-gen-v2.oss-cn-zhangjiakou.aliyuncs.com/componentUpload/1709621963021_ThreatIntelligence_logo.png?Expires=1745653947&OSSAccessKeyId=STS.NVSf************&Signature=5sM3Yf1mMUYucQMk0Qdl7ms7Q6k%3D&security-token=CAIS2AJ1q6Ft5B2yfSjIr5XmLdnOq51W35DYehD9rEU2b%2FlOioeZoTz2IHhMenFpAegcv%2Fw%2BlGFZ6%2F8elrp6SJtIXleCZtF94oxN9h2gb4fb42oQKDOK0s%2FLI3OaLjKm9u2wCryLYbGwU%2FOpbE%2B%2B5U0X6LDmdDKkckW4OJmS8%2FBOZcgWWQ%2FKBlgvRq0hRG1YpdQdKGHaONu0LxfumRCwNkdzvRdmgm4NgsbWgO%2Fks0OP3AOrlrBN%2Bdiuf8T9NvMBZskvD42Hu8tbbfE3SJq7BxHybx7lqQs%2B02c5onDWwAJu0%2FXa7uEo4wydVNjFbM9A65Dqufxn%2Fpgt%2Braj4X7xhhEIOVJSSPbSZBbSxJNvU1RXDxQVcEYWxylurjnXvF%2B45y49dcUGin%2B2svzhw6RGJ1dq8DgINtD0jokjPndRVbLXs84nxS7gbsGn76oY2zradH%2FdU79rm%2FlMytAXxqAAac9os3AP8Nzzgoznum6vHAy6hg20xps4DvoSeI%2FpHxuGwDOpnBW28WBgatsejfq3xcbniKRLqja8PA609xdkIt9%2F2fUaH7cAgAZxkFj8ZazMYuZ4jCdN2VM5qLHdj5CMBNTU2VIm8rQaKk9e1umHFILg%2Fsn1sBNnqzGfhZyq%2BlJIAA%3D", 
                "ownType": "sys", 
                "zIndex": 1, 
                "tenantId": "baba", 
                "customInput": false, 
                "description": "Threat intelligence query.", 
                "id": 0, 
                "name": "describeInformation", 
                "operateType": "general", 
                "parameters": [
                    {
                        "dataType": "String", 
                        "defaultValue": "", 
                        "description": "The type of intelligence, supporting ip, file, domain.", 
                        "enDescription": "", 
                        "formConfig": "{\"component\":\"Select\",\"options\":{\"selectMode\":\"mixSelect\",\"remote\":false,\"optionList\":[{\"label\":\"Domain\",\"value\":\"domain\"},{\"label\":\"IP\",\"value\":\"ip\"},{\"label\":\"File HASH\",\"value\":\"file\"}],\"mode\":\"single\",\"labelKey\":\"label\",\"valueKey\":\"value\"}}", 
                        "name": "entityType", 
                        "needCascader": false, 
                        "required": true, 
                        "tags": ""
                    }, 
                    {
                        "dataType": "String", 
                        "defaultValue": "", 
                        "description": "When entityType is ip, enter the IP address to query, example value: 192.0.XX.XX; When entityType is file, enter the file hash (MD5 value), example value: b4208cc50cb***0f82a47d***fde4312a; When entityType is domain, enter the domain name to query, supporting wildcard domains. Example value: example.com.", 
                        "enDescription": "", 
                        "name": "entityValue", 
                        "needCascader": false, 
                        "required": true, 
                        "tags": ""
                    }
                ], 
                "riskLevel": 2, 
                "nodeName": "ThreatIntelligence_1", 
                "actionName": "describeInformation", 
                "actionDisplayName": "describeInformation", 
                "cascaderValue": [ ], 
                "valueData": {
                    "entityType": "ip", 
                    "entityValue": "127.0.0.1"
                }, 
                "status": "success"
            }, 
            "zIndex": 1
        }, 
        {
            "shape": "custom-edge", 
            "attrs": {
                "line": {
                    "stroke": "#63ba4d", 
                    "targetMarker": {
                        "stroke": "#63ba4d"
                    }
                }
            }, 
            "zIndex": 1, 
            "id": "cdf4a475-3dd1-4883-a56b-d90444e11c64", 
            "data": {
                "nodeType": "sequenceFlow", 
                "appType": "basic", 
                "isRequired": true, 
                "icon": "icon-upper-right-arrow"
            }, 
            "isNode": false, 
            "visible": true, 
            "router": {
                "name": "manhattan", 
                "args": {
                    "padding": 5, 
                    "excludeHiddenNodes": true, 
                    "excludeNodes": [
                        "clone_node_id"
                    ]
                }
            }, 
            "source": {
                "cell": "a0ba5cc1-7308-47c6-8c20-ea97ff4ba982"
            }, 
            "target": {
                "cell": "317dd1be-2d20-460e-977e-1fc936ffb583"
            }, 
            "vertices": [ ]
        }
    ]
}

describeInformation

Parameter description

Parameter

Description

entityType

The type of intelligence, supporting ip, file, domain.

entityValue

  • When entityType is ip, enter the IP address to query, example value: 192.0.XX.XX;

  • When entityType is file, enter the file hash (MD5 value), example value: b4208cc50cb***0f82a47d***fde4312a;

  • When entityType is domain, enter the domain name to query, supporting wildcard domains. Example value: example.com.

Output example

IP type

Output parameter description:

Parameter

Description

Intelligences

The threat intelligence event information, which is a JSON string. The following table describes the fields in the JSON value:

  • source: The source of the threat intelligence event.

  • first_find_time: The time when the event was first discovered.

  • last_find_time: The last active time.

  • threat_type_l2: Detailed threat intelligence tags, which can be family group tags, such as Mykings, or attack methods, such as SQL injection, describing the basic threat tags of this IP.

Whois

The Whois information of the IP address.

RequestId

The unique identifier that Alibaba Cloud generates for this request.

AttackPreferenceTop5

The top 5 industries targeted by attacks from this IP.

  • event_cnt: The number of attacks.

  • industry_name: The industry category of the attack.

  • gmt_last_attack: The last active time of the attack.

Confidence

The confidence level in the determination result. A higher confidence value means greater confidence in the determination result (the ThreatLevel field). Generally, results with a confidence level greater than 90 can be considered accurate. For malicious indicators with a high threat level, traffic can be intercepted. For normal results (ThreatLevel equals 0), traffic can be allowed.

Value range 0-100:

  • [90-100): The intelligence is considered highly reliable and can be used as a basis for interception or allowing traffic. If ThreatLevel indicates high risk (ThreatLevel=3), interception can be performed. If ThreatLevel indicates normal (ThreatLevel=0), traffic can be allowed.

  • [60-90): The intelligence is considered somewhat reliable but does not reach the threshold for interception. It is typically an IP address with some malicious behavior. It can be used as an auxiliary basis for security analysis operations.

  • Others: The confidence level of threat-related information in the threat intelligence is considered low.

ThreatTypes

The risk tags generated by analyzing threat intelligence and security events, such as remote control or malware. This parameter is a JSON string. The following table describes the fields in the JSON value:

  • threat_type: The threat type.

    Common threat types

    • IDC: IDC server

    • Tor: Dark web

    • Proxy: Proxy

    • NAT: Public exit

    • Miner Pool: Mining pool

    • C&C Server: Command and control server

    • Brute Force: Brute-force attacks

    • Malicious Login: Malicious logon

    • WEB Attack: WEB attack

    • Malicious Source: Malicious download source

    • Network Service Scanning: Network service scanning

    • Exploit: Vulnerability exploits

    • Network Share Discovery: Network sharing discovery

    • Scheduled Task: Windows scheduled task

    • BITS Jobs: BITS job

    • Command-Line Interface: Malicious command

    • Mshta execution: Mshta execution

    • Regsvr32: Regsvr32 execution

    • Signed Binary Proxy Execution: Signed binary proxy execution

    • Local Job Scheduling: Linux scheduled task

    • Rundll32: Rundll32 execution

    • Web Shell: WebShell communication

    • SQL Injection: SQL injection attack

    • XSS Attack: XSS attack

  • threat_type_desc: The meaning of the tag.

  • risk_type: The threat level (3 high risk, 2 medium risk, 1 suspicious, 0 normal, -1 unknown).

  • scenario: The applicable security scenario (attack indicator, compromise indicator).

  • first_find_time: The time when the tag was first marked.

  • last_find_time: The last time the tag was marked.

  • attck_stage: The ATT&CK attack stage to which it belongs.

Scenario

The attack scenario applicable to this IP.

  • Attack indicator: This IP actively initiates attack traffic. Security devices such as firewalls and WAF can match it as a source that initiates connections from outside to inside, and can intercept it according to its tags.

  • Compromise indicator: Scripts or malicious code planted by attackers communicate with this IP for data transmission. If this IP is found in traffic or logs, it means that the current host has been compromised.

  • Information data: Types such as whitelists. This field is information data and does not have a risk scenario.

Ip

The basic information of the IP. This parameter is a JSON string. The following table describes the fields in the JSON value:

  • ip: The IP address

  • idc_name: The IDC server name

  • isp: The Internet service provider

  • country: The country

  • province: The province

  • city: The city

  • asn: ASN (Autonomous System Numbers)

  • asn_label: The ASN name

ThreatLevel

The risk level, which indicates the severity of harm if the indicator is hit. There are five levels: high risk, medium risk, low risk, normal, and unknown. When using this field, combine it with the confidence level (Confidence field) to intercept data that is both high risk and high confidence. For normal types (that is, whitelists), traffic can be allowed.

  • -1: Unknown

  • 0: Normal, i.e., whitelist, traffic can be allowed

  • 1: Low risk

  • 2: Medium risk

  • 3: High risk

AttackCntByThreatType

The number of attacks in different attack stages. This parameter is represented as a JSON array. The following table describes the fields in the array:

  • event_cnt: The number of attacks.

  • threat_type: The ATT&CK stage to which the attack belongs.

Sample output:

{
    "Context": "",
    "Group": "",
    "Whois": "",
    "AttackCntByThreatType": [
        {
            "event_cnt": 1,
            "threat_type": "Application layer intrusion"
        }
    ],
    "ThreatLevel": -1,
    "Confidence": "",
    "Ip": {
        "country": "",
        "province": "",
        "city": "",
        "ip": "127.0.0.1",
        "isp": "",
        "asn": "",
        "asn_label": ""
    },
    "ThreatTypes": "",
    "Intelligences": [],
    "AttackPreferenceTop5": [
        {
            "event_cnt": 2407,
            "industry_name": "IoT",
            "gmt_last_attack": "2021-12-15 23:59:15"
        },
        {
            "event_cnt": 4813,
            "industry_name": "Manufacturing",
            "gmt_last_attack": "2021-12-15 23:59:49"
        },
        {
            "event_cnt": 2240,
            "industry_name": "Finance",
            "gmt_last_attack": "2021-12-15 23:59:41"
        },
        {
            "event_cnt": 16954,
            "industry_name": "Retail",
            "gmt_last_attack": "2021-12-15 23:59:31"
        },
        {
            "event_cnt": 28764,
            "industry_name": "Internet",
            "gmt_last_attack": "2021-12-15 23:59:48"
        }
    ],
    "Scenario": ""
}

File type

Output parameter description:

Parameter

Description

Intelligences

The threat intelligence event, which is a JSON array. The elements in the array can be DDoS Trojans, mining programs, network layer intrusions, network service scans, network sharing and discovery, mining pools, exploits, dark webs, malicious logons, malicious download sources, C&C servers, web shells, and web attacks.

RequestId

The unique identifier that Alibaba Cloud generates for this request.

FileHash

The file hash value.

ThreatTypes

The risk tags and server tags that are generated by analyzing threat intelligence and security events. This parameter is represented as an array. Each array element has the following fields:

  • threat_type_desc: The threat type. Values include the following: Rootkit, backdoor program, suspicious program, mining program, DDoS Trojan, malware, worms, suspicious hacking tool Trojan program, contaminated basic software (implanted with malicious code), infectious virus, exploit program, ransomware, self-mutating Trojan, high-risk program, hacking tool.

  • last_find_time: The most recent discovery time.

  • risk_type: Indicates whether it is a malicious tag. 0 indicates a non-malicious tag, 1 indicates a malicious tag, -1 indicates unknown.

  • threat_type: The threat type. The value is an array. The elements in the array can be network layer intrusions, network service scans, network sharing and discovery, mining pools, exploits, dark webs, malicious logons, malicious download sources, C&C servers, web shells, and web attacks.

Basic

The basic information. This parameter is a JSON string. The following table describes the fields in the JSON value:

  • md5: The MD5 value of the file.

  • sha1: The SHA1 value of the file.

  • sha256: The SHA256 value of the file.

  • sha512: The SHA512 value of the file.

  • virus_result: The static scan result of the file. 0 indicates normal, 1 indicates malicious, -1 indicates unknown.

  • sandbox_result: The dynamic sandbox running result of the file. 0 indicates normal, 1 indicates malicious, -1 indicates unknown.

  • source: The source of the file. The only value is aegis, indicating that the file was detected by Security Center.

ThreatLevel

The risk level.

  • -1: Unknown

  • 0: Normal

  • 1: Suspicious

  • 2: Medium risk

  • 3: High risk

Sample output:

{
    "Intelligences": [
        "DDoS Trojan"
    ],
    "RequestId": "3F2BBCA2-4EE5-456F-****-DE0B69CAFD71",
    "FileHash": "02e6b7cf0d34c6eac05*****751208b",
    "ThreatTypes": [
        {
            "threat_type_desc": "DDoS Trojan",
            "risk_type": 1,
            "threat_type": "DDoS"
        }
    ],
    "Basic": {
        "sha1": "",
        "virus_result": "1",
        "sandbox_result": "-1",
        "sha256": "",
        "sha512": "",
        "virus_name": "Self-mutating Trojan",
        "source": "aegis"
    },
    "ThreatLevel": "2",
    "Sandbox": ""
}

Domain type

Output parameter description:

Parameter

Description

Intelligences

Detailed threat intelligence events, represented as a JSON array. The following table describes the fields in each array element:

  • source: The source of the threat intelligence data.

  • first_find_time: The time when the event was first discovered.

  • last_find_time: The last active time.

  • threat_type_l2: Detailed threat intelligence tags, which can be family group tags such as mykings, apt32, or attack methods such as bits job, describing the method used to connect to the domain.

  • threat_type: The primary tag corresponding to the detailed threat intelligence tag, which is the major categorization tag of the threat.

  • refer: Related references.

Domain

The domain name.

SslCert

The SSL certificate information bound to the domain name, represented as a JSON string.

AttackPreferenceTop5

The Top 5 industries to which the attacked websites belong. This parameter is represented as a JSON array. The following table describes the fields in the JSON value:

  • event_cnt: The number of attacks.

  • industry_name: The industry category of the attack.

  • gmt_last_attack: The last active time of the attack.

ThreatTypes

Detailed threat intelligence data related to this domain name, represented as a JSON array. The following table describes the fields in each array element:

  • threat_type: The threat type.

    Common types

    • Botnet: Botnets

    • Trojan: Trojan

    • Worm: Worm

    • Malware: Malware

    • Ransomware: Ransomware

    • APT: Advanced Persistent Threat attack

    • RAT: Remote control

    • C&C Server: Command and control server

    • Miner Pool: Mining pool

    • Malicious Source: Malicious download source

    • Scheduled Task: Windows scheduled task

    • BITS Jobs: BITS job

    • Command-Line Interface: Malicious command

    • Mshta execution: Mshta execution

    • Regsvr32: Regsvr32 execution

    • Signed Binary Proxy Execution: Signed binary proxy execution

    • Local Job Scheduling: Linux scheduled task

    • Rundll32: Rundll32 execution

  • threat_type_desc: The Chinese description of the tag.

  • first_find_time: The time when the tag was first marked.

  • last_find_time: The last time the tag was marked.

  • risk_type: Indicates whether it is a malicious tag. 0 indicates a non-malicious tag, 1 indicates a low-risk tag, 2 indicates a medium-risk tag, 3 indicates a high-risk tag, -1 indicates unknown.

  • scenario: The scenario to which the domain name belongs, either a compromise indicator or an attack indicator.

  • attck_stage: The ATT&CK attack stage to which the malicious behavior belongs.

Confidence

The confidence level in the determination result. A higher confidence value means greater confidence in the determination result (the ThreatLevel field). Generally, results with a confidence level greater than 90 can be considered accurate. For malicious indicators with a high threat level, traffic can be intercepted. For normal results (ThreatLevel equals 0), traffic can be allowed.

Value range 60-100:

  • [90-100): The intelligence is considered highly reliable and can be used as a basis for interception or allowing traffic. If ThreatLevel indicates high risk (ThreatLevel=3), interception can be performed. If ThreatLevel indicates normal (ThreatLevel=0), traffic can be allowed.

  • [60-90): The intelligence is considered somewhat reliable but does not reach the threshold for interception. It is typically a domain name with some malicious behavior. It can be used as an auxiliary basis for security analysis operations.

  • Others: The confidence level of threat-related information in the threat intelligence is considered low.

ThreatLevel

The risk level, which indicates the severity of harm if the indicator is hit. There are five levels of maliciousness: high risk, medium risk, low risk, normal, and unknown. When using this field, combine it with the confidence level (Confidence field) to intercept data that is both high risk and high confidence. For normal types (that is, whitelists), traffic can be allowed.

  • -1: Unknown

  • 0: Normal, i.e., whitelist, traffic can be allowed

  • 1: Low risk

  • 2: Medium risk

  • 3: High risk

AttackCntByThreatType

The number of attacks in different attack stages. This parameter is represented as a JSON array. The following table describes the fields in the array:

  • event_cnt: The number of attacks.

  • threat_type: The ATT&CK stage to which the attack belongs.

Whois

The Whois information of the domain name.

RequestId

The unique identifier that Alibaba Cloud generates for this request.

Scenario

The attack scenario applicable to this domain name. It can take one or more of the following values:

  • Attack indicator: Domain names are typically not attack indicators.

  • Compromise indicator: Scripts or malicious code planted by attackers communicate with this domain name for data transmission, that is, an outbound C2 connection after compromise. If this domain name is found in traffic or logs, it means that the current host has been compromised.

  • Information data: Types such as whitelists. This field is information data and does not have a risk scenario.

Basic

The basic information of the domain name. This parameter is represented in JSON format. The following table describes the fields:

  • domain: The domain name

  • sld_domain: The SLD domain name

  • reg_date: The domain registration time

  • expire_date: The domain expiration time

  • child_domain_cnt: The number of subdomains

  • malicious_child_domain_cnt: The number of malicious subdomains

  • ip_cnt: The number of resolved IPs for this domain name in the past year

  • malicious_ip_cnt: The number of resolved IPs for this domain name that are malicious IPs in the past year

Sample output:

{
    "Intelligences": [
        {
            "last_find_time": "2020-06-17 03:54:23",
            "threat_type_l2": "Malicious download source",
            "first_find_time": "2020-01-01 00:59:52",
            "source": "aliyun"
        },
        {
            "last_find_time": "2020-11-10 14:45:12",
            "threat_type_l2": "rexxx.exe executing malicious file",
            "first_find_time": "2017-09-22 11:15:00",
            "source": "aliyun"
        }
    ],
    "Domain": "example.com",
    "SslCert": {
        "serial_number": "183954751680****4",
        "validity_end": "2029-12-02 06:00:31",
        "issuer": "example.ca"
    },
    "AttackPreferenceTop5": "[{\"event_cnt\":586,\"industry_name\":\"Gaming\",\"gmt_last_attack\":\"2020-06-14 21:54:04\"}]",
    "ThreatTypes": [
        {
            "threat_type_desc": "Malicious download source",
            "last_find_time": "2020-06-17 03:54:23",
            "risk_type": 3,
            "scenario": "Compromise indicator",
            "threat_type": "Malicious Source",
            "first_find_time": "2020-01-01 00:59:52",
            "attck_stage": "delivery"
        },
        {
            "threat_type_desc": "Regsvr32 execution",
            "last_find_time": "2020-11-10 14:45:12",
            "risk_type": 3,
            "scenario": "Compromise indicator",
            "threat_type": "Regsvr32",
            "first_find_time": "2017-09-22 11:15:00",
            "attck_stage": "defense evasion"
        }
    ],
    "Confidence": "95",
    "ThreatLevel": "2",
    "AttackCntByThreatType": {
        "event_cnt": 27,
        "threat_type": "Network Layer intrusion"
    },
    "Context": "",
    "Whois": {
        "registrant_phone": "",
        "registrar": "XX Technology Co., Ltd.",
        "registrar_url": "",
        "whois_server": "whois.cnnic.cn",
        "admin_phone": "",
        "registrar_phone": "",
        "registrant_email": "",
        "admin_email": "",
        "admin_organization": "",
        "tech_name": "",
        "registrant_city": "",
        "tech_street": "",
        "tech_phone": "",
        "dnssec": "unsigned",
        "admin_province": "",
        "tech_organization": "",
        "registrant_country": "",
        "admin_city": "",
        "registrant_province": "",
        "admin_street": "",
        "tech_email": "",
        "nameservers": "ns4.myhostadmin.net,ns1.myhostadmin.net,ns2.myhostadmin.net,ns3.myhostadmin.net,ns5.myhostadmin.net,ns6.myhostadmin.net",
        "registrar_email": "",
        "domain_status": "ok",
        "domain": "example.com",
        "tech_city": "",
        "registrant_name": "",
        "registrant_organization": "",
        "tech_country": "",
        "registrant_street": "",
        "admin_name": "",
        "tech_province": "",
        "admin_country": ""
    },
    "RequestId": "718747A4-9A75-4130-88F9-C9B47350B7F5",
    "Scenario": "Compromise indicator",
    "Basic": {
        "ip_cnt": "36",
        "domain": "example.com",
        "child_domain_cnt": "18",
        "sld_domain": "example.com",
        "malicious_ip_cnt": "28",
        "malicious_child_domain_cnt": "4"
    },
    "Group": ""
}