This document defines the data structure for "Threat Intelligence" articles. These articles contain insights into cyber threat actor behavior, TTPs, campaigns, and associated indicators of compromise (IOCs).

🧱 Core Fields

Field	Type	Description
`summary`	string	Summary or key message of the article.
`title`	string	Title of the original intel report.
`published_date`	string (ISO 8601)	When the article was first published.
`last_updated_date`	string (ISO 8601)	(Optional) Last modification date from the source.
`scraped_date`	string (ISO 8601)	Date when the report was ingested.
`url`	string	Direct link to the original article.
`publishing_company`	string	Entity or company publishing the report.
`version_info`	string	Version or tag of the report (if any).
`classification`	string	Always set to `Threat Intelligence`.

🛠️ Threat Intel Context

Field	Type	Description
`groups`	List[string]	Threat actor group names (e.g., APT28, FIN7).
`tools`	List[string]	Tools or malware used (e.g., Mimikatz, Cobalt Strike).
`campaigns`	List[string]	Named campaigns referenced in the article.
`botnets`	List[string]	Known botnets mentioned.
`victim_names`	List[string]	Named victims if publicly disclosed.
`target_sectors`	List[string]	Sectors targeted (e.g., Finance, Telecom).
`target_geographies`	List[string]	Geographic focus of the threat actor or campaign.
`CVEs`	List[string]	Vulnerabilities related to the attack or group.
`references`	List[string]	Additional URLs or citations in the article.
`techniques`	List[string]	MITRE ATT&CK techniques mentioned or inferred.

🧩 IOC Structure

Field	Type	Description
`IOCs`	List[dict]	Each item contains structured information about an indicator of compromise. Format: `{"type": string, "indicator": string, "context": string}` Examples:- `{"type": "ipv4", "indicator": "192.168.1.10", "context": "C2 server observed in FIN7 campaign"}`- `{"type": "sha256", "indicator": "e3b0c44298...", "context": "Malware hash for AgentTesla dropper"}`- `{"type": "domain", "indicator": "malicious.example.com", "context": "Used in phishing campaign against finance sector"}`

Supported types include: IP addresses, domain names, email addresses, email subjects, file names, user-agent strings, malicious URLs, usernames, passwords, and cryptographic hashes (SHA256, SHA1, MD5).

✅ Integration Guidance

Use classification == "Threat Intelligence" to classify this type.
IOCs should follow the format: indicator type : indicator : context, where context captures relevant metadata (e.g., group, tool, infrastructure, or artifact relationship).
Enrich IOCs with specific context when possible (e.g., "IP used as C2 in Lazarus campaign").
Store dates in ISO 8601 format (e.g., 2025-06-01T00:00:00Z).