Identifying information for an Entity at a given point in time. This encapsulates the indicator type (in the field name) and value, as well as the namespace when relevant (for internal Asset indicators).
JSON representation
{
  "indicatorNamespace": string,

  // Union field indicator can be only one of the following:
  "hostname": string,
  "assetIpAddress": string,
  "mac": string,
  "productId": string,
  "username": string,
  "email": string,
  "employeeId": string,
  "windowsSid": string,
  "projectObjectId": string,
  "rawPid": string,
  "processId": string,
  "fullCommandLine": string,
  "parentProcessId": string,
  "hashMd5": string,
  "hashSha1": string,
  "hashSha256": string,
  "filePath": string,
  "destinationIpAddress": string,
  "domainname": string,
  "resourceProjectObjectId": string,
  "resource": string,
  "productObjectId": string
  // End of list of possible types for union field indicator.
}
Fields
indicatorNamespace
string
Namespace value of the indicator. Namespaces are supported for Asset indicators: hostname, mac, assetIpAddress, productId, and projectObjectId.
Union field indicator. Indicator type and value, consistent with malachite.dao.KValueType. indicator can be only one of the following:
hostname
string
The hostname to identify an asset.
assetIpAddress
string
The IP address to identify an asset.
mac
string
The MAC address to identify an asset.
productId
string
Some ID that uniquely identifies an asset. This corresponds to the assetId field in the UDM Asset and Noun.
username
string
The user name or user ID to identify a user. This corresponds to the userid field in the UDM User and the userName field when specified as an entityRiskScores.query entity_idicator filter.
email
string
The email address to identify a user. This corresponds to the emailAddresses field in the UDM User.
employeeId
string
The employee ID to identify a user.
windowsSid
string
The Windows SID to identify a user.
projectObjectId (deprecated)
string
Deprecated. Some vendor-specific ID to identify a user. This corresponds to the productObjectId field in the UDM User.
rawPid
string
The raw PID.
processId
string
The process ID. This corresponds to the pid field in the UDM Process.
fullCommandLine
string
The full command line. This corresponds to the commandLine field in the UDM Process.
parentProcessId
string
The parent process ID. This corresponds to the parentProcess.pid field in the UDM Process.
hashMd5
string
The MD5 hash.
hashSha1
string
The SHA-1 hash.
hashSha256
string
The SHA-256 hash.
filePath
string
The file path. This corresponds to the fullPath field in the UDM File.
destinationIpAddress
string
The resolved IP address. This corresponds to the ip field in the UDM Artifact.
domainname
string
The domain name. This corresponds to the name field in the UDM Domain and to the domainName field when specified as an entityRiskScores.query entity_idicator filter.
resourceProjectObjectId
string
LDAP object ID or generic product object identifier that creates a unique user entity identifier. This corresponds to the productObjectId field in the UDM Resource.
resource
string
System unique resource name. This corresponds to the name field in the UDM Resource and to the resourceName field when specified as an entityRiskScores.query entity_idicator filter.
productObjectId
string
The product object ID, which can be used to identify an asset, user, group, or resource. This corresponds to the productObjectId field in the UDM Resource, User, Asset, and Group.
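The two constraints stated above (exactly one member of the indicator union, and indicatorNamespace only alongside an Asset indicator type) can be linted on the client before an EntityIndicator is built into a query or stored. This is an added example, not code from the API or its client libraries; the function name, the finding strings and the sample values are hypothetical, and treating an unsupported namespace as a finding is an assumption about how a caller would want to use the rule, not documented server behaviour.

```python
# Added example: field names are copied from the reference above;
# validate_entity_indicator and its finding strings are hypothetical.
UNION_FIELDS = frozenset({
    "hostname", "assetIpAddress", "mac", "productId", "username", "email",
    "employeeId", "windowsSid", "projectObjectId", "rawPid", "processId",
    "fullCommandLine", "parentProcessId", "hashMd5", "hashSha1", "hashSha256",
    "filePath", "destinationIpAddress", "domainname",
    "resourceProjectObjectId", "resource", "productObjectId",
})
# Indicator types the reference lists as supporting indicatorNamespace.
NAMESPACED = frozenset(
    {"hostname", "mac", "assetIpAddress", "productId", "projectObjectId"})
DEPRECATED = frozenset({"projectObjectId"})


def validate_entity_indicator(obj):
    """Return (indicator_type, findings) for one decoded EntityIndicator."""
    findings = []
    if not isinstance(obj, dict):
        return None, ["not a JSON object"]
    unknown = sorted(set(obj) - UNION_FIELDS - {"indicatorNamespace"})
    if unknown:
        findings.append("unknown fields: " + ", ".join(unknown))
    for key, value in obj.items():
        if not isinstance(value, str):
            findings.append(f"{key} must be a string")
    present = sorted(k for k in obj if k in UNION_FIELDS)
    if len(present) != 1:
        findings.append(
            f"union field indicator needs exactly one type, got {present}")
        return None, findings
    kind = present[0]
    if "indicatorNamespace" in obj and kind not in NAMESPACED:
        findings.append(f"indicatorNamespace is not supported for {kind}")
    if kind in DEPRECATED:
        findings.append(f"{kind} is deprecated")
    return kind, findings


# Constructed sample inputs, not taken from any real tenant.
SAMPLES = [
    {"indicatorNamespace": "corp", "hostname": "host-01.example.test"},
    {"indicatorNamespace": "corp", "hashSha256": "0" * 64},
    {"hostname": "host-01.example.test", "mac": "00:00:5e:00:53:01"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(validate_entity_indicator(sample))
```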
Last updated 2025-08-25 UTC.