{"service":"Zedmos CTI","version":"0.2.0","generated_at":"2026-04-29T22:27:01.588Z","definitions":{"iocs.total":{"meaning":"Distinct (value, type) tuples that have passed the 5-stage FP filter and are currently shipped to firewalls.","unit":"indicators","where":"MongoDB collection `iocs`. Auto-expired after `last_seen + DECAY_DAYS` (default 180d) unless manually approved."},"iocs.domain":{"meaning":"Subset of iocs.total with type=domain.","unit":"indicators"},"iocs.ip":{"meaning":"Subset with type=ip (IPv4/IPv6).","unit":"indicators"},"iocs.cidr":{"meaning":"Subset with type=cidr (network ranges).","unit":"indicators"},"feeds.enabled":{"meaning":"Upstream feed sources currently enabled.","unit":"feeds"},"feeds.last_ok":{"meaning":"Of the enabled feeds, those whose last fetch attempt returned HTTP 2xx and parsed at least 0 valid indicators.","unit":"feeds"},"review_queue.pending":{"meaning":"Candidate indicators that the FP filter caught and held back. NOT shipped to firewalls. Operator decision required to either approve-block or reject-as-FP (which adds to allowlist).","unit":"candidates","fp_reasons":["allowlist_match","popular_top_domain","root_domain_protected","low_consensus","invalid_format","manual_flag"]},"allowlist.size":{"meaning":"Trusted (domain|ip|cidr) entries that can never be shipped as IOCs to firewalls.","unit":"entries","sources":["seed (curated cloud/social/govt list)","tranco (top-N daily list)","umbrella (Cisco Umbrella daily)","manual (operator-added)"]},"sightings.total":{"meaning":"Aggregate firewall hit reports collected via the closed-loop sightings ingest (POST /v1/sightings/bulk). Aggregated per (indicator, source-token, day). Privacy-preserving — no PII.","unit":"sighting-rows"},"mitre_attack.objects":{"meaning":"STIX objects (attack-pattern, malware, intrusion-set, campaign, tool, course-of-action, x-mitre-* etc.) mirrored from MITRE ATT&CK STIX 2.1 bundles (enterprise + mobile + ICS). Ingested weekly.","unit":"STIX SDOs","source":"https://github.com/mitre/cti"},"taxii.collections_total":{"meaning":"TAXII 2.1 collections currently exposed (one per kind+category combination).","unit":"collections"}},"fp_filter_stages":[{"stage":1,"name":"Hard allowlist suffix-match","impl":"tldts-derived registrable root + Mozilla PSL; UNION of seed + Tranco + Umbrella anchors. Any indicator whose registrable root matches an allowlisted suffix is held back."},{"stage":2,"name":"Registrable-root protection","impl":"Two-label or PSL-effective-TLD-relative roots are routed to manual review by default (env: FP_ROOT_DOMAIN_PROTECT=true)."},{"stage":3,"name":"Multi-source consensus (planned, off by default)","impl":"Indicator must appear in ≥ FP_MIN_CONSENSUS distinct upstream feeds before promotion."},{"stage":4,"name":"Format validation","impl":"Lexical + DNS validity checks; invalid lines are dropped at the parser, not even stored."},{"stage":5,"name":"Manual review queue","impl":"Operator approves-block or rejects-as-FP from the operator console."}],"cryptographic_provenance":{"algorithm":"ed25519","key_endpoint":"/v1/public/keys/sign","signature_endpoints":"Append `.sig` to any /v1/feeds/<k>/<c>/<file> URL to fetch a base64 ed25519 signature over the file body.","kid_format":"16-char hex prefix of SHA-256 of SPKI-DER encoded public key"},"data_sources":{"upstream_feeds":"30 OSINT/community feeds — full list at /admin/v1/feeds (Bearer-protected). Major contributors: abuse.ch (URLhaus, ThreatFox, Feodo, MalwareBazaar), CERT.pl, USOM, Spamhaus DROP, EmergingThreats, OpenPhish, Hagezi, DigitalSide, TweetFeed, Cybercrime-tracker.","allowlist_anchors":"Tranco daily top-1M (top 100k by default), Cisco Umbrella daily top-1M, curated seed list of cloud/social/banking/government services.","certificate_transparency":"Calidog certstream (wss://certstream.calidog.io/) — every newly-issued cert is scored; brand-keyword matches and high-entropy lookalikes surface in `/v1/public/ct/recent`.","mitre_attack":"MITRE ATT&CK STIX 2.1 bundles — enterprise + mobile + ICS. Weekly mirror."},"output_formats":["plain","suricata","pihole","opnsense","mikrotik","unbound-rpz","stix-2.1","taxii-2.1","misp","sigma"],"sla_targets":{"public_api_uptime":"99.5% monthly","firewall_feed_uptime":"99.9% monthly","public_api_p99_latency":"<500ms","feed_freshness_mean":"<30min for high-frequency feeds","feed_freshness_p99":"<6h for daily feeds","feed_health_alert":"Any feed with >3 consecutive failures or >48h since last successful fetch."},"what_we_do_NOT_count":["Indicators in the FP review queue are NOT counted in iocs.total.","Allowlisted domains/IPs are NEVER shipped to firewalls regardless of upstream feed claim.","Sightings are anonymized aggregates; no PII or raw IPs except the indicator itself.","Numbers do NOT include CT-watchlist entries — those are pre-approval and live in /v1/public/ct/recent."]}