Commit 43fed89

add IOC scores description to doc
1 parent 20586a6 commit 43fed89

1 file changed (+12, -2 lines)

docs/GreedyBear/Usage.md

Lines changed: 12 additions & 2 deletions
@@ -32,7 +32,7 @@ GreedyBear is created with the aim to collect the information from the TPOTs and
3232
The feeds are reachable through the following URL:
3333

3434
```
35-
https://<greedybear_site>/api/feeds/<feed_type>/<attack_type>/<age>.<format>?<flags>
35+
https://<greedybear_site>/api/feeds/<feed_type>/<attack_type>/<prioritize>.<format>?<flags>
3636
```
3737

3838
The available feed_type are:
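Review bot: renaming the path segment from `<age>` to `<prioritize>` changes the documented URL template without saying whether the server still accepts the existing `recent` and `persistent` values in that position or whether only the placeholder name changed; one sentence stating that existing feed URLs keep working (if that is the case) would save feed consumers from guessing. The placeholder would also read more naturally as `<prioritization>`, matching the "The available prioritization mechanisms are:" heading introduced further down in this commit.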
@@ -64,10 +64,12 @@ The available attack_type are:
6464
- `payload_request`: IP addresses and domains extracted from payloads that would have been executed after a speficic attack would have been successful
6565
- `all`: get all types at once
6666

67-
The available age are:
67+
The available prioritization mechanisms are:
6868

6969
- `recent`: most recent IOCs seen in the last 3 days
7070
- `persistent`: these IOCs are the ones that were seen regularly by the honeypots. This feeds will start empty once no prior data was collected and will become bigger over time.
71+
- `likely_to_recur`: these IOCs are most likely to hit the honeypots again during the next day
72+
- `most_expected_hits`: these IOCs are expected to be responsible for the most hits during the next day
7173

7274
The available formats are:
7375

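Review bot: the two new entries say "during the next day", while the scores paragraph added later in this commit defines the window as "the next 24 hours" after an update shortly after midnight UTC; use the same wording here, and state how the feed is derived from the score (ranked by `recurrence_probability` / `expected_interactions`, with or without a cutoff), otherwise a reader cannot tell whether `likely_to_recur` is a full ranking or a thresholded list. The unchanged context lines also carry a typo (`speficic`) and the mismatched "This feeds will start empty once no prior data was collected", which a docs-only commit is a good place to fix.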
@@ -76,8 +78,16 @@ The available formats are:
7678
- `json`: JSON file with additional information regarding the IOCs
7779

7880
The available flags are:
81+
7982
- `exclude_mass_scanners`: if set, IOCs that are known mass scanners will be excluded from the result
8083

84+
The `json` result includes two predictive scores:
85+
86+
- `recurrence_probability` (0.0-1.0): Indicates the likelihood that an IOC will reappear within the next 24 hours. Higher values suggest greater persistence of the threat.
87+
- `expected_interactions` (0+): Estimates the number of honeypot interactions anticipated from the IOC in the next 24 hours, indicating potential activity level.
88+
89+
These predictions are based on historical interaction patterns and are updated once a day, shortly after midnight UTC. They are the foundation of the `likely_to_recur` and `most_expected_hits` prioritization mechanisms.
90+
8191
Check the [API specification](https://intelowlproject.github.io/docs/GreedyBear/Api-docs/#docs.Submodules.GreedyBear.api.views.feeds.feeds_advanced) or the to get all the details about how to use the available APIs.
8292

8393
## Advanced Feeds
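Review bot: the new scores paragraph gives the ranges (`0.0-1.0`, `0+`) and the daily refresh time, but not what the fields hold for an IOC first seen after the last run and before the next one (key absent, `null`, or a default of `0`); consumers filtering on `recurrence_probability` need that stated explicitly. The unchanged line "Check the [API specification](...) or the to get all the details" also has a dangling "or the" that could be fixed here, since the sentence already sits inside this hunk.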
