diff --git a/docs/api-reference/v2/endpoints/activities/get-fireworkv2activities-.mdx b/docs/api-reference/v2/endpoints/activities/get-fireworkv2activities-.mdx index 5c19a45..ba8bfb4 100644 --- a/docs/api-reference/v2/endpoints/activities/get-fireworkv2activities-.mdx +++ b/docs/api-reference/v2/endpoints/activities/get-fireworkv2activities-.mdx @@ -3,6 +3,9 @@ openapi: firework-v2-openapi get /firework/v2/activities/ title: Retrieve Event --- +This response changes based on the event type, for more information the various possible responses, see +[Event Types ](/event-types/). + For backwards compatibility, this endpoint is also available as `/firework/v2/activities/{index}/{source}/{id}`. diff --git a/docs/changelog/overview.mdx b/docs/changelog/overview.mdx index 18a96d0..55d9866 100644 --- a/docs/changelog/overview.mdx +++ b/docs/changelog/overview.mdx @@ -12,6 +12,11 @@ This page lists changes to Flare's API. Release notes for the Flare Platform can be found on the [product documentation website](https://docs.flare.io/releases). + + Added documentation for + [Flare API Event Types ](/event-types/overview). + + API endpoints using the `/leaksdb/` prefix were changed to `/astp/`. The old prefix remains available as an alias and there are no plans to deprecate it. @@ -20,7 +25,7 @@ Release notes for the Flare Platform can be found on the [product documentation Released the [Flare API Documentation MCP Server ](/sdk/mcp). - + This is useful for developers building Flare API automations with AI-powered integrated development environments (IDE). @@ -46,7 +51,7 @@ Release notes for the Flare Platform can be found on the [product documentation - Released a new version of the List All Credentials endpoint, + Released a new version of the List All Credentials endpoint, [List All Credentials V2 ](/api-reference/leaksdb/endpoints/get-credentials-v2), which supports the [Flare standard paging pattern ](/concepts/paging). 
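Review bot: The new paragraph on the Retrieve Event page links to `/event-types/`, while the changelog hunk below and the new `docs.json` navigation both use `/event-types/overview`, so this link most likely has no page behind it; change it to `[Event Types](/event-types/overview)`. The sentence is also missing a preposition and a break between its two clauses: `This response changes based on the event type; for more information on the various possible responses, see`. The page's frontmatter and the backwards-compatibility note below the insertion are unchanged.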
diff --git a/docs/docs.json b/docs/docs.json index 6a5f0db..b35292d 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -260,6 +260,33 @@ } ] }, + { + "tab": "Event Types", + "groups": [ + { + "group": "Events", + "pages": [ + "event-types/overview", + "event-types/blog-post", + "event-types/bucket-object", + "event-types/bucket", + "event-types/document", + "event-types/domain", + "event-types/experimental", + "event-types/forum-post", + "event-types/forum-topic", + "event-types/google", + "event-types/leak", + "event-types/listing", + "event-types/paste", + "event-types/profile", + "event-types/seller", + "event-types/source-code", + "event-types/stealer-log" + ] + } + ] + }, { "tab": "Changelog", "groups": [ @@ -296,9 +323,7 @@ "display": "interactive" }, "mdx": { - "server": [ - "http://api.flare.io/" - ], + "server": ["http://api.flare.io/"], "auth": { "method": "bearer" } diff --git a/docs/event-types/blog-post.mdx b/docs/event-types/blog-post.mdx new file mode 100644 index 0000000..cb345b9 --- /dev/null +++ b/docs/event-types/blog-post.mdx 
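Review bot: The `mdx.server` entry touched in the second `docs.json` hunk is `http://api.flare.io/`, and the same block sets `"auth": { "method": "bearer" }`, so an interactive-playground request built from this config would carry a bearer token over plaintext HTTP unless the tooling upgrades the scheme itself; while the line is being reflowed, make it `"server": ["https://api.flare.io/"]`. The first hunk's new "Event Types" tab lists `event-types/overview` and `event-types/leak` through `event-types/stealer-log`, but the new page files visible in this chunk stop at `google`, so confirm the remaining pages (including `overview`) are part of the same commit or the navigation will point at missing pages. The `event-types/document` entry also renders under the title "Ransomleak (document)", which is hard to find in a list otherwise keyed by type name; consider ordering or titling it consistently with the others.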
@@ -0,0 +1,74 @@ +--- +title: "Blog Post" +--- + +The `blog_post` type represents blog-style documents and text-based publications that have been discovered and indexed by Flare across document-sharing or content-hosting platforms such as Scribd, Medium, or public paste/document repositories. +These records generally include technical manuals, guides, or articles that are accessible to the public, potentially containing sensitive, proprietary, or copyrighted materials. + +```json Example Content +{ + "id": "example-id-12345", + "title": "Example Technical Document | PDF | Mechanical Part | Component Type", + "description": "Example Product Line Full Description", + "content": "Brief summary of the document contents", + "url": "https://example.com/document/example-id-12345", + "browser_url": "https://example.com/document/example-id-12345", + "metadata": { + "estimated_created_at": "2025-10-27T05:51:19.667458+00:00", + "event_id": null, + "first_crawled_at": "2025-10-27T05:51:19.667458+00:00", + "last_crawled_at": "2025-10-27T05:51:19.667458+00:00", + "payload_digest": "hashvalue123abc", + "scraped_at": "2025-10-27T05:51:22.483346+00:00", + "source": "example_source", + "crawled_by": null, + "flare_url": "https://app.flare.io/#/blog_post/scribd/example-id-12345" + }, + "header": { + "actor": "John Doe", + "actor_id": null, + "category_name": "", + "content_hash": "hashvalue123abc", + "content_preview": "Short excerpt from the document text", + "country": null, + "duplicates": [], + "es_score": 1.0, + "expiration": null, + "highlights": {}, + "id": "example-id-12345", + "parent_id": null, + "parent_title": null, + "parent_title_en": null, + "parent_uid": null, + "parent_uids": [], + "risk": { "score": 2 }, + "similar_items_count": 0, + "source": "example_source", + "source_name": "Example Platform", + "target_name": "Example Platform", + "tags": [], + "notes": null, + "state_code": null, + "timestamp": "2025-10-27T05:51:19.667458+00:00", + "title": "Example Technical 
Document | PDF | Mechanical Part | Component Type", + "type": "blog_post", + "uid": "blog_post/example_source/example-id-12345", + "user_risk_score": null, + "user_notes": null, + "ignored_at": null, + "remediated_at": null, + "verb": "posted", + "external_url": null, + "external_netloc": null, + "can_have_duplicates": true, + "priority_action_uuid_related": false, + "victim_name": null, + "contains_secrets": null, + "secrets_metadata": null + }, + "duplicates": [], + "history_logs": null, + "similar_items": [] +} + +``` diff --git a/docs/event-types/bucket-object.mdx b/docs/event-types/bucket-object.mdx new file mode 100644 index 0000000..4ed4b7c --- /dev/null +++ b/docs/event-types/bucket-object.mdx 
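Review bot: The blog-post example redacts `source` to `example_source` but `metadata.flare_url` still embeds `scribd` (`https://app.flare.io/#/blog_post/scribd/example-id-12345`), so two fields in the same record disagree and a reader cannot tell which one shows the real shape; either use `example_source` in the URL path as well or keep the real source slug in both. The same mismatch appears in the bucket-object and bucket examples (`grayhat_warfare` in `flare_url`) and in the document example (`eraleign`). The `uid` field here (`blog_post/example_source/example-id-12345`) already shows the `type/source/id` convention the URL path appears to follow, so aligning `flare_url` with it is a one-line change per page.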
@@ -0,0 +1,143 @@ +--- +title: "Bucket Object" +--- + +The `bucket_object` type represents individual files (objects) discovered within publicly exposed cloud storage buckets, such as those hosted on Amazon S3, Azure Blob Storage, or Google Cloud Storage. +Each record identifies a single accessible object, typically containing metadata like its bucket location, provider, file path, and exposure source. + +```json Example Content +{ + "id": "example-id-67890", + "title": "Example Bucket Object example-user@example.com.json", + "content": null, + "content_en": null, + "url": null, + "browser_url": null, + "metadata": { + "estimated_created_at": "2022-09-29T05:41:31.384630+00:00", + "event_id": null, + "first_crawled_at": "2022-09-29T05:41:31.384630+00:00", + "last_crawled_at": "2022-10-03T01:32:45.841604+00:00", + "payload_digest": null, + "scraped_at": "2022-10-03T01:32:45.845075+00:00", + "source": "example_source", + "crawled_by": null, + "flare_url": "https://app.flare.io/#/bucket_object/grayhat_warfare/example-id-67890" + }, + "bucket": { + "host": "example.blob.core.windows.net", + "bucket_id": "example-bucket-id", + "id": "azure/example-bucket-id", + "provider": "azure" + }, + "commit": { + "author_email": null, + "author_id": null, + "author_name": null, + "committer_email": null, + "committer_id": null, + "committer_name": null, + "sha": null, + "patch_url": null + }, + "code": { + "commit_name": null, + "commit_date": null, + "path": null, + "commit_email": null + }, + "drill_type": "bucket_object", + "dork_name": null, + "html_url": null, + "is_secret_detection_rule_match": null, + "issue": { + "id": null, + "state": null, + "title": null, + "tags": null, + "assignee_id": null, + "assignee_name": null + }, + "project_name": null, + "project": { + "owner_name": null, + "owner_id": null, + "owner_type": null, + "tags": null, + "last_activity_at": null, + "language": null, + "followers_count": null, + "forks_count": null, + "is_fork": null + }, + 
"resource_url": [ + "https://example.blob.core.windows.net/publiccontainer/Users/example-user@example.com.json" + ], + "secret_detection_rule_id": null, + "snippets": null, + "user": { + "email": null, + "company": null, + "full_name": null, + "location": null, + "followers_count": null + }, + "features": { + "domains": ["example.blob.core.windows.net"], + "emails": null, + "ip_addresses": null, + "ip_addresses_cidr": null, + "reversed_domains": ["net.windows.core.blob.example"], + "urls": ["https://example.blob.core.windows.net/publiccontainer/Users/example-user@example.com.json"], + "usernames": null, + "vulnerabilities": null + }, + "duplicates": [], + "header": { + "actor": "", + "actor_id": null, + "category_name": "Drill", + "content_hash": "bucket_object/example_source/example-id-67890", + "content_preview": "example-user@example.com.json on Azure at example.blob.core.windows.net", + "country": null, + "duplicates": [], + "es_score": 1.0, + "expiration": null, + "highlights": {}, + "host": null, + "id": "example-id-67890", + "infection_date": null, + "parent_id": null, + "parent_title": null, + "parent_title_en": null, + "parent_uid": null, + "parent_uids": [], + "risk": { "score": 2 }, + "similar_items_count": 0, + "source": "example_source", + "source_name": "Example Source", + "target_name": "Example Target", + "tags": [], + "notes": null, + "state_code": null, + "timestamp": "2022-09-29T05:41:31.384630+00:00", + "title": "Example Bucket Object example-user@example.com.json", + "type": "bucket_object", + "uid": "bucket_object/example_source/example-id-67890", + "user_risk_score": null, + "user_notes": null, + "ignored_at": null, + "remediated_at": null, + "verb": "pushed", + "external_url": "https://example.blob.core.windows.net/publiccontainer/Users/example-user@example.com.json", + "external_netloc": "example.blob.core.windows.net", + "can_have_duplicates": true, + "priority_action_uuid_related": false, + "victim_name": null, + "contains_secrets": 
false, + "secrets_metadata": [] + }, + "history_logs": null, + "similar_items": [] +} +``` diff --git a/docs/event-types/bucket.mdx b/docs/event-types/bucket.mdx new file mode 100644 index 0000000..16d4111 --- /dev/null +++ b/docs/event-types/bucket.mdx 
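Review bot: The bucket-object example is the only one in this diff where `header.contains_secrets` is `false` and `header.secrets_metadata` is `[]`; every other example has both as `null`, so the same two keys take different types across event types without the prose saying why. If `null` means secret detection was not evaluated and `false`/`[]` means it ran and found nothing, state that on the page (or on the overview page) so consumers do not treat `null` and `false` as equivalent; if it is an artefact of the sample, normalise the example. The `is_secret_detection_rule_match` and `secret_detection_rule_id` fields in the same record are `null` here, which makes the distinction worth spelling out.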
@@ -0,0 +1,89 @@ +--- +title: "Bucket" +--- + +The `bucket` type represents publicly exposed cloud storage containers, such as Amazon S3, Azure Blob, or Google Cloud Storage buckets. +These records document information about misconfigured or accessible cloud storage endpoints, including domain names, providers, and discovered files. + +```json Example Content +{ + "id": "example-id-34567", + "title": "Example Bucket example-bucket.s3.amazonaws.com on Aws", + "url": null, + "browser_url": null, + "metadata": { + "estimated_created_at": "2022-07-20T08:01:19.174392+00:00", + "event_id": null, + "first_crawled_at": "2022-07-20T08:01:19.174392+00:00", + "last_crawled_at": "2022-08-15T04:24:18.493735+00:00", + "payload_digest": null, + "scraped_at": "2022-08-15T04:24:18.495069+00:00", + "source": "example_source", + "crawled_by": null, + "flare_url": "https://app.flare.io/#/bucket/grayhat_warfare/example-id-34567" + }, + "resource_url": "https://example-bucket.s3.amazonaws.com", + "domain": "example-bucket.s3.amazonaws.com", + "provider": "aws", + "content_type": null, + "file_count": 1, + "files": [], + "features": { + "domains": ["example-bucket.s3.amazonaws.com"], + "emails": null, + "ip_addresses": null, + "ip_addresses_cidr": null, + "reversed_domains": ["com.amazonaws.s3.example-bucket"], + "urls": null, + "usernames": null, + "vulnerabilities": null + }, + "duplicates": [], + "header": { + "actor": "", + "actor_id": null, + "category_name": "aws", + "content_hash": "bucket/example_source/example-id-34567", + "content_preview": "", + "country": null, + "duplicates": [], + "es_score": 1.0, + "expiration": null, + "highlights": {}, + "host": null, + "id": "example-id-34567", + "infection_date": null, + "parent_id": null, + "parent_title": null, + "parent_title_en": null, + "parent_uid": null, + "parent_uids": [], + "risk": { "score": 2 }, + "similar_items_count": 0, + "source": "example_source", + "source_name": "Example Source", + "target_name": "Example Target", + 
"tags": [], + "notes": null, + "state_code": null, + "timestamp": "2022-07-20T08:01:19.174392+00:00", + "title": "Example Bucket example-bucket.s3.amazonaws.com on Aws", + "type": "bucket", + "uid": "bucket/example_source/example-id-34567", + "user_risk_score": null, + "user_notes": null, + "ignored_at": null, + "remediated_at": null, + "verb": "", + "external_url": null, + "external_netloc": null, + "can_have_duplicates": true, + "priority_action_uuid_related": false, + "victim_name": null, + "contains_secrets": null, + "secrets_metadata": null + }, + "history_logs": null, + "similar_items": [] +} +``` diff --git a/docs/event-types/document.mdx b/docs/event-types/document.mdx new file mode 100644 index 0000000..5312ff4 --- /dev/null +++ b/docs/event-types/document.mdx 
@@ -0,0 +1,112 @@ +--- +title: "Ransomleak (document)" +--- + +The `ransomleak` (or `document` subtype) represents a public leak post made by a ransomware group on a dark web site or leak portal. +Each record corresponds to a specific victim organization whose exfiltrated data is published as part of extortion attempts. +These entries typically include: +- Victim details (company name, country, industry). +- Leak description and download links to stolen archives. +- Threat statements or ransom instructions. +- Screenshots or excerpts of the leaked data for proof. + +```json Example Content +{ + "id": "example-id-91011", + "title": "Example Leak - www.example.com PART1", + "url": "http://exampleonionaddress.onion/page_company.php?id=123", + "browser_url": null, + "main": "Brief description of the leak content and references to external onion links", + "body": "Shortened representation of the text body", + "type": "RANSOMLEAK", + "response_url": "http://exampleonionaddress.onion/page_company.php?id=123", + "docmeta": { + "title": "Example Leak - www.example.com PART1" + }, + "screenshots": [ + { + "preview_url": "https://example-screenshot-storage.s3.amazonaws.com/examplehash1", + "extracted_content": "Short text snippet from screenshot 1" + }, + { + "preview_url": "https://example-screenshot-storage.s3.amazonaws.com/examplehash2", + "extracted_content": "Short text snippet from screenshot 2" + }, + { + "preview_url": "https://example-screenshot-storage.s3.amazonaws.com/examplehash3", + "extracted_content": "Short text snippet from screenshot 3" + } + ], + "victim_metadata": { + "name": "Example Financial Institution S.A.", + "display_name": "Example Financial Institution S.A.", + "domain": "example.com", + "alternative_domains": null, + "industry": "Financial Services", + "employee_count": 250, + "city": "Example City", + "state": "Example State", + "country": "Example Country", + "latitude": -25.3, + "longitude": -57.63 + }, + "duplicates": [], + "header": { + 
"actor": "", + "actor_id": null, + "category_name": "Ransom Leak", + "content_hash": "hashvalue123xyz", + "content_preview": "Brief preview of the leaked page content", + "country": null, + "duplicates": [], + "es_score": 1.0, + "expiration": null, + "highlights": {}, + "host": null, + "id": "example-id-91011", + "infection_date": null, + "parent_id": null, + "parent_title": null, + "parent_title_en": null, + "parent_uid": null, + "parent_uids": [], + "risk": { "score": 3 }, + "similar_items_count": 0, + "source": "example_source", + "source_name": "Example Leak Source", + "target_name": "Example Leak Target", + "tags": [], + "notes": null, + "state_code": null, + "timestamp": "2025-10-28T19:49:18.173119+00:00", + "title": "Example Leak - www.example.com PART1", + "type": "ransomleak", + "uid": "document/example_source/example-id-91011", + "user_risk_score": null, + "user_notes": null, + "ignored_at": null, + "remediated_at": null, + "verb": "", + "external_url": null, + "external_netloc": null, + "can_have_duplicates": true, + "priority_action_uuid_related": false, + "victim_name": "Example Financial Institution S.A.", + "contains_secrets": null, + "secrets_metadata": null + }, + "history_logs": null, + "metadata": { + "estimated_created_at": "2025-10-28T19:49:18.173119+00:00", + "event_id": null, + "first_crawled_at": "2024-11-29T15:03:18.015000+00:00", + "last_crawled_at": "2025-10-28T19:49:20.490310+00:00", + "payload_digest": "hashvalue123xyz", + "scraped_at": "2025-10-28T19:49:20.981763+00:00", + "source": "example_source", + "crawled_by": null, + "flare_url": "https://app.flare.io/#/document/eraleign/example-id-91011" + }, + "similar_items": [] +} +``` diff --git a/docs/event-types/domain.mdx b/docs/event-types/domain.mdx new file mode 100644 index 0000000..84554a3 --- /dev/null +++ b/docs/event-types/domain.mdx 
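Review bot: The document example reports the top-level `type` as `"RANSOMLEAK"` while `header.type` is `"ransomleak"` and both `uid` and `flare_url` use the `document` prefix, so the same record shows three spellings for one type and the page never says which one a type filter expects. If the upper-case value is what the API actually returns, add a sentence to the prose saying that the top-level type is reported as RANSOMLEAK while header.type uses ransomleak and the uid prefix uses document; otherwise normalise the example to a single spelling. The page title "Ransomleak (document)" and the first sentence should then use the same canonical name.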
@@ -0,0 +1,90 @@ +--- +title: "Lookalike Domain (domain)" +--- + +The `domain` type represents lookalike or typosquatted domains identified by Flare’s detection engines, often leveraging tools such as dnstwist. +These records capture information about suspicious domains that closely resemble legitimate organizations’ domains and could be used in phishing, brand impersonation, or malware campaigns. + +```json Example Content +{ + "id": "example-id-11223", + "title": "exampledomain.co.uk", + "url": null, + "browser_url": null, + "name": "exampledomain.co.uk", + "registered_at": null, + "feed": null, + "identifier_domain": ["example.co.uk"], + "cert_data": null, + "subject": null, + "issuer": null, + "features": { + "domains": ["example.co.uk", "exampledomain.co.uk"], + "emails": null, + "ip_addresses": null, + "ip_addresses_cidr": null, + "reversed_domains": ["uk.co.example", "uk.co.exampledomain"], + "urls": null, + "usernames": null, + "vulnerabilities": null + }, + "duplicates": [], + "header": { + "actor": "", + "actor_id": null, + "category_name": "domain", + "content_hash": "domain/example_source/exampledomain.co.uk", + "content_preview": "Domain exampledomain.co.uk", + "country": null, + "duplicates": [], + "es_score": 1.0, + "expiration": null, + "highlights": {}, + "host": null, + "id": "exampledomain.co.uk", + "infection_date": null, + "parent_id": null, + "parent_title": null, + "parent_title_en": null, + "parent_uid": null, + "parent_uids": ["domain/example_source/exampledomain.co.uk"], + "risk": { "score": 1 }, + "similar_items_count": 0, + "source": "example_source", + "source_name": "Example DNS Monitor", + "target_name": "Example DNS Monitor", + "tags": [], + "notes": null, + "state_code": null, + "timestamp": "2025-10-20T23:15:59.521157+00:00", + "title": "exampledomain.co.uk", + "type": "domain", + "uid": "domain/example_source/exampledomain.co.uk", + "user_risk_score": null, + "user_notes": null, + "ignored_at": null, + "remediated_at": null, + 
"verb": "", + "external_url": null, + "external_netloc": null, + "can_have_duplicates": true, + "priority_action_uuid_related": false, + "victim_name": null, + "contains_secrets": null, + "secrets_metadata": null + }, + "history_logs": null, + "metadata": { + "estimated_created_at": "2025-10-20T23:15:59.521157+00:00", + "event_id": null, + "first_crawled_at": "2025-10-20T23:15:59.521157+00:00", + "last_crawled_at": "2025-10-26T00:29:04.263918+00:00", + "payload_digest": null, + "scraped_at": "2025-10-26T00:29:04.264838+00:00", + "source": "example_source", + "crawled_by": null, + "flare_url": "https://app.flare.io/#/domain/flare/exampledomain.co.uk" + }, + "similar_items": [] +} +``` diff --git a/docs/event-types/experimental.mdx b/docs/event-types/experimental.mdx new file mode 100644 index 0000000..5a86d26 --- /dev/null +++ b/docs/event-types/experimental.mdx 
@@ -0,0 +1,78 @@ +--- +title: "Experimental" +--- + +The `experimental` type represents test or prototype data sources curated by the research team that Flare is evaluating for potential inclusion as officially supported event types. + +```json Example Content +{ + "id": "example-id-55667", + "title": "Darknet App Listing - AI Chat Assistant (suspicious)", + "url": null, + "browser_url": "http://hiddenserviceexample.onion/app/210.0", + "data": { + "app_name": "DarkChat AI", + "publisher": "anonymous_publisher", + "description": "Darknet-hosted APK listing. Entry claims multilingual AI chat functionality but metadata and hosting indicate untrusted provenance. Listing notes: obfuscated binary, unknown signing key, and community comments alleging covert telemetry and possible remote access components. Use in CTI contexts to track actor TTPs and indicators of compromise — do NOT execute the APK; treat as intelligence artifact." + }, + "content": "Dark web-style app marketplace entry summarizing version history, mirrored onion download locations (redacted), uploader notes claiming 'hardened' build and bundled modules, and community-sourced warnings about suspected backdoor behavior. 
Contains version list and redacted hashes for analyst reference.", + "duplicates": [], + "header": { + "actor": "", + "actor_id": null, + "category_name": "", + "content_hash": "hashvalue123xyz", + "content_preview": "Dark web APK listing for 'DarkChat AI' with suspicious provenance — mirrors and community warnings.", + "country": null, + "duplicates": [], + "es_score": 1.0, + "expiration": null, + "highlights": {}, + "host": null, + "id": "example-id-55667", + "infection_date": null, + "parent_id": null, + "parent_title": null, + "parent_title_en": null, + "parent_uid": null, + "parent_uids": [], + "risk": { "score": 3 }, + "similar_items_count": 0, + "source": "darknet_market_scrape", + "source_name": "Darknet Market Scrape", + "target_name": "Darknet Market Scrape", + "tags": ["darkweb", "apk", "malicious-suspected", "cti"], + "notes": null, + "state_code": null, + "timestamp": "2025-10-01T23:57:51.346759+00:00", + "title": "Darknet App Listing - AI Chat Assistant (suspicious)", + "type": "experimental", + "uid": "experimental/darknet/darkchat/example-id-55667", + "user_risk_score": null, + "user_notes": null, + "ignored_at": null, + "remediated_at": null, + "verb": "", + "external_url": null, + "external_netloc": null, + "can_have_duplicates": true, + "priority_action_uuid_related": false, + "victim_name": null, + "contains_secrets": null, + "secrets_metadata": null + }, + "history_logs": null, + "metadata": { + "estimated_created_at": "2025-10-01T23:57:51.346759+00:00", + "event_id": null, + "first_crawled_at": "2025-10-01T23:57:51.346759+00:00", + "last_crawled_at": "2025-10-01T23:57:51.346759+00:00", + "payload_digest": "hashvalue123xyz", + "scraped_at": "2025-10-01T23:57:51.347503+00:00", + "source": "darknet_market_scrape", + "crawled_by": null, + "flare_url": "https://app.flare.io/#/experimental/app_store/example-id-55667" + }, + "similar_items": [] +} +``` 
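Review bot: The experimental example's `header.uid` is `experimental/darknet/darkchat/example-id-55667`, a four-segment value, whereas every other example in this diff uses `type/source/id`, and this record's own `source` is `darknet_market_scrape` while its `flare_url` path uses `app_store`; three different source identifiers in one record leave it unclear which string the API emits. Either align them, e.g. `"uid": "experimental/darknet_market_scrape/example-id-55667"`, or state in the prose that experimental uids are free-form and not guaranteed to follow the `type/source/id` convention. The prose currently says only that these are sources under evaluation, so a sentence on schema stability (which fields consumers may rely on) would help here.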
diff --git a/docs/event-types/forum-post.mdx b/docs/event-types/forum-post.mdx new file mode 100644 index 0000000..5699867 --- /dev/null +++ b/docs/event-types/forum-post.mdx 
@@ -0,0 +1,109 @@ +--- +title: "Forum Post" +--- + +The `forum_post` type represents an individual message or reply made within a forum thread on an underground or hacker-oriented site. +Each record contains the message text, author alias, thread association, and metadata such as timestamps and extracted indicators (domains, emails, etc.). + +```json Example Content +{ + "id": "example-id-77889", + "title": "Leaked Database – Government Regulatory Agency (INDONESIA)", + "url": "http://hiddenforumexample.onion/showthread.php?pid=77889#pid77889", + "browser_url": "http://hiddenforumexample.onion/Thread-Leaked-Government-Agency-Database", + "actor": "DarkLeakX", + "actor_id": null, + "actor_name": "DarkLeakX", + "category_name": "Databases", + "category_path_name": null, + "content": "Thread posted by user DarkLeakX offering multiple CSV files allegedly exfiltrated from a government nuclear regulatory body. The actor lists multiple database names and sample table filenames suggesting personnel and licensing data. The post includes redacted sample entries with identifiers and email addresses, indicating exposure of administrative and technical staff information. The dataset is hosted on an external anonymous file service (URL redacted) and mirrored through multiple onion links. Mentions of CSV exports such as 'users.csv', 'licenses.csv', and 'requests.csv' are included. 
The author claims to provide access upon contact or trade.", + "content_en": null, + "title_en": null, + "posted_at": "2025-10-28T18:50:57.328427+05:30", + "topic_id": "9999", + "topic_title": "Leaked Database – Government Regulatory Agency (INDONESIA)", + "topic_title_en": null, + "features": { + "domains": [ + "example.gov.id", + "examplemail.com", + "anonfiles.onion" + ], + "emails": [ + "admin@example.gov.id", + "contact@examplemail.com" + ], + "ip_addresses": null, + "ip_addresses_cidr": null, + "reversed_domains": [ + "id.gov.example", + "com.examplemail", + "onion.anonfiles" + ], + "urls": [ + "https://example.gov.id", + "https://anonfiles.onion/example" + ], + "usernames": ["DarkLeakX", "ParanoidHax"], + "vulnerabilities": null + }, + "duplicates": [], + "header": { + "actor": "DarkLeakX", + "actor_id": null, + "category_name": "Databases", + "content_hash": "hashvalue123xyz", + "content_preview": "Forum post advertising leaked Indonesian government database with multiple CSV exports and user data samples.", + "country": null, + "duplicates": [], + "es_score": 1.0, + "expiration": null, + "highlights": {}, + "host": null, + "id": "example-id-77889", + "infection_date": null, + "parent_id": "9999", + "parent_title": "Leaked Database – Government Regulatory Agency (INDONESIA)", + "parent_title_en": null, + "parent_uid": "forum_topic/darkforums/example-id-9999", + "parent_uids": [], + "risk": { "score": 3 }, + "similar_items_count": 0, + "source": "darkforums", + "source_name": "DarkForums", + "target_name": "DarkForums", + "tags": ["darkweb", "leak", "database", "government", "cti"], + "notes": null, + "state_code": null, + "timestamp": "2025-10-28T13:20:57.328427+00:00", + "title": "Leaked Database – Government Regulatory Agency (INDONESIA)", + "type": "forum_post", + "uid": "forum_post/darkforums/example-id-77889", + "user_risk_score": null, + "user_notes": null, + "ignored_at": null, + "remediated_at": null, + "verb": "posted", + "external_url": null, + 
"external_netloc": null, + "can_have_duplicates": true, + "priority_action_uuid_related": false, + "victim_name": "Government Regulatory Agency (Indonesia)", + "contains_secrets": null, + "secrets_metadata": null + }, + "history_logs": null, + "metadata": { + "estimated_created_at": "2025-10-28T13:20:57.328427+00:00", + "event_id": null, + "first_crawled_at": "2025-10-28T19:00:57.328427+00:00", + "last_crawled_at": "2025-10-28T19:00:57.328427+00:00", + "payload_digest": "hashvalue123xyz", + "scraped_at": "2025-10-28T19:00:57.394413+00:00", + "source": "darkforums", + "crawled_by": null, + "flare_url": "https://app.flare.io/#/forum_post/darkforums/example-id-77889" + }, + "similar_items": [] +} +``` diff --git a/docs/event-types/forum-topic.mdx b/docs/event-types/forum-topic.mdx new file mode 100644 index 0000000..43b465a --- /dev/null +++ b/docs/event-types/forum-topic.mdx 
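Review bot: The forum-post example uses `example.gov.id`, `examplemail.com` and `anonfiles.onion` as extracted domains and `admin@example.gov.id` as an extracted email; none of these are RFC 2606 reserved names, so the sample can resolve to, or be read as describing, real organisations, and the title and content attribute a breach to a specific country's nuclear regulator. Replace them with reserved names (`example.com`, `example.net`, `example.org`, and a clearly fictional `.onion` label) and a neutral victim such as "Example Regulatory Agency", keeping `features.reversed_domains` in step with `features.domains`. The forum-topic example has the same issue with a real product name in its title and `title_en`; a fictional game name avoids attaching a cracking example to a trademark.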
@@ -0,0 +1,87 @@ +--- +title: "Forum Topic" +--- + +The `forum_topic` type represents a forum discussion thread, capturing its title, author, creation date, and source platform. +Each record corresponds to a thread-level post, distinct from individual replies (`forum_post`). +Forum topics are often technical discussions, tutorials, leak announcements, or tool releases shared by actors on underground or gray-hat forums. + +```json Example Content +{ + "id": "example-id-1628778", + "title": "[Tutorial] Mobile Game Crack – Angry Birds Match 3 (Android)", + "url": "http://hiddenforumexample.onion/thread-1628778-1-1.html", + "browser_url": null, + "actor": "ByteWing", + "actor_id": "user-874154", + "actor_name": "ByteWing", + "category_id": "65", + "category_name": "[Mobile Security Zone]", + "category_path_name": null, + "content": "Forum topic posted by underground user 'ByteWing' describing methods for modifying mobile game binaries. The thread explains the use of patched APKs and custom scripts to bypass license verification and in-app purchase checks. While framed as an educational post, the content includes step-by-step details and links to modified game builds (links redacted). Community replies discuss anti-tamper protections and note that the author may use these techniques in broader Android cracking operations. 
The post’s tone and context align with known behavior of low-tier mobile modding groups active on clear and dark web forums.", + "title_en": "[Tutorial] Angry Birds Match 3 Android Game – Reverse Engineering Guide", + "posted_at": "2022-04-27T21:46:00+00:00", + "tags": ["android", "reverse-engineering", "apk", "tutorial", "darkweb"], + "profile_id": null, + "first_post_preview": "User post includes a step-by-step 'how-to' for unpacking and modifying Android game binaries.", + "posts": [], + "duplicates": [], + "header": { + "actor": "ByteWing", + "actor_id": "user-874154", + "category_name": "[Mobile Security Zone]", + "content_hash": "hashvalue123xyz", + "content_preview": "Underground tutorial post showing mobile APK cracking process for an Android puzzle game.", + "country": null, + "duplicates": [], + "es_score": 1.0, + "expiration": null, + "highlights": {}, + "host": null, + "id": "example-id-1628778", + "infection_date": null, + "parent_id": null, + "parent_title": null, + "parent_title_en": null, + "parent_uid": null, + "parent_uids": [], + "risk": { "score": 2 }, + "similar_items_count": 0, + "source": "darkweb_forum", + "source_name": "DarkWeb Forum", + "target_name": "DarkWeb Forum", + "tags": ["darkweb", "apk", "reverse-engineering", "tutorial"], + "notes": null, + "state_code": null, + "timestamp": "2022-04-27T21:46:00+00:00", + "title": "[Tutorial] Mobile Game Crack – Angry Birds Match 3 (Android)", + "type": "forum_topic", + "uid": "forum_topic/darkweb_forum/example-id-1628778", + "user_risk_score": null, + "user_notes": null, + "ignored_at": null, + "remediated_at": null, + "verb": "posted", + "external_url": null, + "external_netloc": null, + "can_have_duplicates": true, + "priority_action_uuid_related": false, + "victim_name": null, + "contains_secrets": null, + "secrets_metadata": null + }, + "history_logs": null, + "metadata": { + "estimated_created_at": "2022-04-27T21:46:00+00:00", + "event_id": null, + "first_crawled_at": 
"2025-10-26T06:06:24.944152+00:00", + "last_crawled_at": "2025-10-26T06:06:24.944152+00:00", + "payload_digest": "hashvalue123xyz", + "scraped_at": "2025-10-26T06:06:34.643500+00:00", + "source": "darkweb_forum", + "crawled_by": null, + "flare_url": "https://app.flare.io/#/forum_topic/darkweb_forum/example-id-1628778" + }, + "similar_items": [] +} +``` diff --git a/docs/event-types/google.mdx b/docs/event-types/google.mdx new file mode 100644 index 0000000..219629e --- /dev/null +++ b/docs/event-types/google.mdx 
@@ -0,0 +1,96 @@
+---
+title: "Google"
+---
+
+The `driller_google` type represents Google search-based reconnaissance data, gathered through Flare’s “Driller” engine.
+This data consists of crafted Google dork queries and their discovered URLs; used to identify exposed files, misconfigured services, or leaked data indexed by Google.
+
+```json Example Content
+{
+ "id": "example-id-413",
+ "title": "Example Intelligence Scrape — Search Engine Crawl",
+ "url": null,
+ "browser_url": null,
+ "content": "Short summary: archived HTML capture of a publicly-posted 'best hacking tools' article scraped from a search engine result. Contains article metadata, markup, and embedded tracking scripts — treated as an intelligence artifact for CTI indexing (do not execute any embedded code).",
+ "bucket": {
+ "host": null,
+ "bucket_id": null,
+ "id": null,
+ "provider": null
+ },
+ "commit": {
+ "author_email": null,
+ "author_id": null,
+ "author_name": null,
+ "committer_email": null,
+ "committer_id": null,
+ "committer_name": null,
+ "sha": null,
+ "patch_url": null
+ },
+ "code": {
+ "commit_name": null,
+ "commit_date": null,
+ "path": null,
+ "commit_email": null
+ },
+ "duplicates": [],
+ "header": {
+ "actor": "",
+ "actor_id": null,
+ "category_name": "driller",
+ "content_hash": "driller/google_search/example-id-413",
+ "content_preview": "Search-engine-captured page about 'Best Hacking Tools' with full HTML and embedded metadata.",
+ "country": null,
+ "duplicates": [],
+ "es_score": 1.0,
+ "expiration": null,
+ "highlights": {},
+ "host": null,
+ "id": "example-id-413",
+ "infection_date": null,
+ "parent_id": null,
+ "parent_title": null,
+ "parent_title_en": null,
+ "parent_uid": null,
+ "parent_uids": [],
+ "risk": { "score": 1 },
+ "similar_items_count": 0,
+ "source": "google_search",
+ "source_name": "Search Engine Crawl",
+ "target_name": "Search Engine Crawl",
+ "tags": ["crawler", "html", "intake"],
+ "notes": null,
+ "state_code": null,
+ "timestamp": 
"2025-03-21T21:08:10.949536+00:00",
+ "title": "Example Intelligence Scrape — Search Engine Crawl",
+ "type": "driller",
+ "uid": "driller/google_search/example-id-413",
+ "user_risk_score": null,
+ "user_notes": null,
+ "ignored_at": null,
+ "remediated_at": null,
+ "verb": "scraped",
+ "external_url": null,
+ "external_netloc": null,
+ "can_have_duplicates": true,
+ "priority_action_uuid_related": false,
+ "victim_name": null,
+ "contains_secrets": null,
+ "secrets_metadata": null
+ },
+ "history_logs": null,
+ "metadata": {
+ "estimated_created_at": "2025-03-21T21:08:10.949536+00:00",
+ "event_id": null,
+ "first_crawled_at": "2025-03-21T21:08:10.949536+00:00",
+ "last_crawled_at": "2025-03-25T22:49:57.146074+00:00",
+ "payload_digest": "example-payload-digest-1445a761",
+ "scraped_at": "2025-03-25T22:49:57.160355+00:00",
+ "source": "google_search",
+ "crawled_by": null,
+ "flare_url": "https://app.flare.io/#/driller/google_search/2c3aedb836e52893c8254ac0ac6bf4bca8dce5c1"
+ },
+ "similar_items": []
+}
+```
diff --git a/docs/event-types/leak.mdx b/docs/event-types/leak.mdx
new file mode 100644
index 0000000..70a3c53
--- /dev/null
+++ b/docs/event-types/leak.mdx
@@ -0,0 +1,122 @@
+---
+title: "Leaked Credentials (leak)"
+---
+
+The `leak` event type represents a list of leaked credentials over a time period, usually in the form of a `url:login:password` triplet.
+
+These leaks can sometimes contain duplicated credentials that were found in a separate stealer log.
+
+```json Example Content
+{
+ "activity": {
+ "data": {
+ "es_id": null,
+ "es_score": null,
+ "highlights": null,
+ "id": "user_12345",
+ "index": "leak",
+ "metadata": {
+ "estimated_created_at": "2025-03-10T12:34:56Z",
+ "event_id": null,
+ "first_crawled_at": "2025-03-10T12:34:56Z",
+ "last_crawled_at": "2025-03-10T12:34:56Z",
+ "payload_digest": null,
+ "scraped_at": null,
+ "source": "dark_web_forum",
+ "crawled_by": null,
+ "flare_url": null
+ },
+ "uid": "leak/groups/username/user_12345/dark_web_forum/000001",
+ "url": null,
+ "browser_url": null,
+ "identities": {
+ "name": null,
+ "passwords": {
+ "domain": null,
+ "hash": null,
+ "hash_type": null,
+ "extra": null,
+ "id": null,
+ "imported_at": null,
+ "source_id": null,
+ "source_params": null
+ }
+ },
+ "leak_source": {
+ "id": "dark_web_forum",
+ "name": "Dark Web Forum",
+ "description_en": "Credentials exposed on underground marketplaces or stealer logs.",
+ "description_fr": "Identifiants exposés sur des forums clandestins ou journaux de vol de données.",
+ "breached_at": null,
+ "leaked_at": null,
+ "pii_tags": []
+ }
+ },
+ "duplicates": null,
+ "header": {
+ "actor": null,
+ "actor_id": null,
+ "bank": null,
+ "bin": null,
+ "brand": null,
+ "credential_count": null,
+ "category_name": null,
+ "content_hash": "abcdef1234567890abcdef1234567890abcdef12",
+ "content_preview": null,
+ "country": null,
+ "duplicates": null,
+ "es_score": null,
+ "expiration": null,
+ "highlights": null,
+ "host": null,
+ "id": "user_12345",
+ "infection_date": null,
+ "parent_id": null,
+ "parent_title": null,
+ "parent_title_en": null,
+ "parent_uid": null,
+ "parent_uids": null,
+ "risk": {
+ "score": 4
+ },
+ 
"similar_items_count": null,
+ "source": "groups",
+ "source_name": "Dark Web Forum",
+ "target_name": null,
+ "tags": null,
+ "notes": null,
+ "state_code": null,
+ "timestamp": null,
+ "title": "user_12345 leak on Dark Web Forum",
+ "type": "leak",
+ "uid": "leak/groups/username/user_12345/dark_web_forum/000001",
+ "user_risk_score": null,
+ "user_notes": null,
+ "ignored_at": null,
+ "remediated_at": null,
+ "verb": null,
+ "external_url": null,
+ "external_netloc": null,
+ "can_have_duplicates": null,
+ "priority_action_uuid_related": null,
+ "analyzers_items_uids": null,
+ "victim_name": null,
+ "contains_secrets": null,
+ "secrets_metadata": null
+ },
+ "history_logs": null,
+ "metadata": {
+ "estimated_created_at": "2025-03-10T12:34:56Z",
+ "event_id": null,
+ "first_crawled_at": "2025-03-10T12:34:56Z",
+ "last_crawled_at": "2025-03-10T12:34:56Z",
+ "payload_digest": null,
+ "scraped_at": null,
+ "source": "dark_web_forum",
+ "crawled_by": null,
+ "flare_url": null
+ },
+ "similar_items": null
+ }
+}
+```
diff --git a/docs/event-types/listing.mdx b/docs/event-types/listing.mdx
new file mode 100644
index 0000000..0ad3b82
--- /dev/null
+++ b/docs/event-types/listing.mdx
@@ -0,0 +1,138 @@
+---
+title: "Listing"
+---
+
+The `listing` type represents marketplace product advertisements sourced from dark web or illicit online markets.
+Each record captures a single product post, including its title, description, seller information, price, and shipping regions.
+Listings can refer to drugs, malware, guides, digital goods, counterfeit items, or stolen data, depending on the source market.
+
+```json Example Content
+{
+ "activity": {
+ "data": {
+ "es_id": "dark_market/listing_12345",
+ "es_score": 1.0,
+ "highlights": {},
+ "id": "listing_12345",
+ "index": "listing",
+ "metadata": {
+ "estimated_created_at": "2025-03-12T09:15:00Z",
+ "event_id": null,
+ "first_crawled_at": "2025-03-12T09:15:00Z",
+ "last_crawled_at": "2025-03-14T16:30:00Z",
+ "payload_digest": "abcdef0987654321abcdef0987654321abcdef09",
+ "scraped_at": "2025-03-14T16:31:00Z",
+ "source": "dark_market",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/listing/dark_market/listing_12345"
+ },
+ "uid": "listing/dark_market/listing_12345",
+ "url": "http://darkmarketxyz.onion/products/listing_12345",
+ "browser_url": null,
+ "actor": "vendor_alpha",
+ "actor_id": "vendor_alpha",
+ "actor_name": "vendor_alpha",
+ "category_name": null,
+ "classification": {
+ "classes": {
+ "is_carding": null,
+ "is_bypass": null,
+ "is_ident_fraud": null,
+ "is_doc_fraud": null,
+ "is_phishing": null,
+ "is_money_xfer": null,
+ "is_cashout": null,
+ "is_virt_currency": null,
+ "is_hacking": null,
+ "is_misc_financial": null
+ },
+ "types": {
+ "is_guide": null,
+ "is_service": null,
+ "is_software": null,
+ "is_hardware": null,
+ "is_data": null
+ }
+ },
+ "currency": "usd",
+ "description": "Listing for a cybercrime-related product with anonymized shipment details and general marketplace disclaimers.",
+ "description_en": null,
+ "description_preview": [""],
+ "escrow": null,
+ "price": "75.00",
+ "seller_id": "vendor_alpha",
+ "seller_name": "vendor_alpha",
+ "ship_to": 
["Worldwide"],
+ "ship_from": ["United States"],
+ "title": "Synthetic Product Sample",
+ "title_en": null,
+ "stock_count": 8000
+ },
+ "duplicates": [],
+ "header": {
+ "actor": "vendor_alpha",
+ "actor_id": "vendor_alpha",
+ "bank": null,
+ "bin": null,
+ "brand": null,
+ "credential_count": null,
+ "category_name": "",
+ "content_hash": "abcdef0987654321abcdef0987654321abcdef09",
+ "content_preview": "Listing for a cybercrime-related product with anonymized shipment details...",
+ "country": null,
+ "duplicates": [],
+ "es_score": 1.0,
+ "expiration": null,
+ "highlights": {},
+ "host": null,
+ "id": "listing_12345",
+ "infection_date": null,
+ "parent_id": null,
+ "parent_title": null,
+ "parent_title_en": null,
+ "parent_uid": null,
+ "parent_uids": [],
+ "risk": {
+ "score": 3
+ },
+ "similar_items_count": 0,
+ "source": "dark_market",
+ "source_name": "Dark Market",
+ "target_name": "Dark Market",
+ "tags": [],
+ "notes": null,
+ "state_code": null,
+ "timestamp": "2025-03-12T09:15:00Z",
+ "title": "Synthetic Product Sample",
+ "type": "listing",
+ "uid": "listing/dark_market/listing_12345",
+ "user_risk_score": null,
+ "user_notes": null,
+ "ignored_at": null,
+ "remediated_at": null,
+ "verb": "announced",
+ "external_url": null,
+ "external_netloc": null,
+ "can_have_duplicates": true,
+ "priority_action_uuid_related": false,
+ "analyzers_items_uids": [],
+ "victim_name": null,
+ "contains_secrets": null,
+ "secrets_metadata": null
+ },
+ "history_logs": null,
+ "metadata": {
+ "estimated_created_at": "2025-03-12T09:15:00Z",
+ "event_id": null,
+ "first_crawled_at": "2025-03-12T09:15:00Z",
+ "last_crawled_at": "2025-03-14T16:30:00Z",
+ "payload_digest": "abcdef0987654321abcdef0987654321abcdef09",
+ "scraped_at": "2025-03-14T16:31:00Z",
+ "source": "dark_market",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/listing/dark_market/listing_12345"
+ },
+ "similar_items": []
+ }
+}
+```
diff --git a/docs/event-types/overview.mdx b/docs/event-types/overview.mdx
new file mode 100644
index 0000000..87737df
--- /dev/null
+++ b/docs/event-types/overview.mdx
@@ -0,0 +1 @@
+This section documents the Flare API Event Types.
diff --git a/docs/event-types/paste.mdx b/docs/event-types/paste.mdx
new file mode 100644
index 0000000..fe0b1d6
--- /dev/null
+++ b/docs/event-types/paste.mdx
@@ -0,0 +1,118 @@
+---
+title: "Paste"
+---
+
+The `paste` event type corresponds to public text pastes found on paste sites such as *Pastebin*, *JustPaste.it*, *YamCode*, or similar sharing services.
+These entries typically contain raw text dumps, links to leaked data, code snippets, or communication content, sometimes referencing or re-hosting credential leaks.
+
+```json Example Content
+{
+ "activity": {
+ "data": {
+ "es_id": "paste_site/example_paste_12345",
+ "es_score": 1.0,
+ "highlights": {},
+ "id": "example_paste_12345",
+ "index": "paste",
+ "metadata": {
+ "estimated_created_at": "2025-03-18T00:00:00Z",
+ "event_id": null,
+ "first_crawled_at": "2025-03-18T09:00:00Z",
+ "last_crawled_at": "2025-03-18T09:00:00Z",
+ "payload_digest": "123abc456def789ghi012jkl345mno678pqr901",
+ "scraped_at": "2025-03-18T09:00:30Z",
+ "source": "paste_site",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/paste/paste_site/example_paste_12345"
+ },
+ "uid": "paste/paste_site/example_paste_12345",
+ "url": "http://pasteexample.onion/example_paste_12345",
+ "browser_url": null,
+ "actor": "threat_user01",
+ "actor_id": null,
+ "actor_name": "threat_user01",
+ "content": "Example text containing links or credentials shared on a paste site.",
+ "content_en": null,
+ "title": "Leaked Credentials Paste",
+ "title_en": null,
+ "expire_at": null,
+ "syntax": null,
+ "features": {
+ "domains": ["example.com"],
+ "emails": null,
+ "ip_addresses": null,
+ "ip_addresses_cidr": null,
+ "reversed_domains": ["com.example"],
+ "urls": ["example.com/leak123"],
+ "usernames": null,
+ "vulnerabilities": null
+ }
+ },
+ "duplicates": [],
+ "header": {
+ "actor": "threat_user01",
+ "actor_id": null,
+ "bank": null,
+ "bin": null,
+ "brand": null,
+ "credential_count": null,
+ "category_name": "",
+ "content_hash": "123abc456def789ghi012jkl345mno678pqr901",
+ "content_preview": "Example text containing links or credentials...",
+ "country": null,
+ "duplicates": [],
+ 
"es_score": 1.0,
+ "expiration": null,
+ "highlights": {},
+ "host": null,
+ "id": "example_paste_12345",
+ "infection_date": null,
+ "parent_id": null,
+ "parent_title": null,
+ "parent_title_en": null,
+ "parent_uid": null,
+ "parent_uids": [],
+ "risk": {
+ "score": 2
+ },
+ "similar_items_count": 0,
+ "source": "paste_site",
+ "source_name": "Paste Site",
+ "target_name": "Paste Site",
+ "tags": [],
+ "notes": null,
+ "state_code": null,
+ "timestamp": "2025-03-18T00:00:00Z",
+ "title": "Leaked Credentials Paste",
+ "type": "paste",
+ "uid": "paste/paste_site/example_paste_12345",
+ "user_risk_score": null,
+ "user_notes": null,
+ "ignored_at": null,
+ "remediated_at": null,
+ "verb": "",
+ "external_url": null,
+ "external_netloc": null,
+ "can_have_duplicates": true,
+ "priority_action_uuid_related": false,
+ "analyzers_items_uids": [],
+ "victim_name": null,
+ "contains_secrets": false,
+ "secrets_metadata": []
+ },
+ "history_logs": null,
+ "metadata": {
+ "estimated_created_at": "2025-03-18T00:00:00Z",
+ "event_id": null,
+ "first_crawled_at": "2025-03-18T09:00:00Z",
+ "last_crawled_at": "2025-03-18T09:00:00Z",
+ "payload_digest": "123abc456def789ghi012jkl345mno678pqr901",
+ "scraped_at": "2025-03-18T09:00:30Z",
+ "source": "paste_site",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/paste/paste_site/example_paste_12345"
+ },
+ "similar_items": []
+ }
+}
+```
diff --git a/docs/event-types/profile.mdx b/docs/event-types/profile.mdx
new file mode 100644
index 0000000..261f339
--- /dev/null
+++ b/docs/event-types/profile.mdx
@@ -0,0 +1,120 @@
+---
+title: "Profile"
+---
+
+The `driller_profile` type captures developer identity profiles discovered on software development platforms such as GitHub, GitLab, or Bitbucket.
+These profiles are enriched by analyzing open-source repositories, contributor metadata, and contact information to build intelligence around potentially exposed developer accounts or threat-linked GitHub users.
+
+```json Example Content
+{
+ "activity": {
+ "data": {
+ "es_id": "driller_github/user_98765",
+ "es_score": 1.0,
+ "highlights": {},
+ "id": "user_98765",
+ "index": "driller_profile",
+ "metadata": {
+ "estimated_created_at": "2025-03-08T17:04:18Z",
+ "event_id": null,
+ "first_crawled_at": "2025-02-10T05:04:09Z",
+ "last_crawled_at": "2025-03-08T17:04:19Z",
+ "payload_digest": null,
+ "scraped_at": "2025-03-08T17:04:19Z",
+ "source": "github",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/driller_profile/github/user_98765"
+ },
+ "uid": "driller_profile/github/user_98765",
+ "url": null,
+ "browser_url": null,
+ "about": "",
+ "about_en": null,
+ "contact_info": {
+ "twitter": null,
+ "email": "example_contact@protonmail.com"
+ },
+ "location": null,
+ "website": null,
+ "groups": null,
+ "username": null,
+ "realname": "User98765",
+ "features": {
+ "domains": null,
+ "emails": ["example_contact@protonmail.com"],
+ "ip_addresses": null,
+ "ip_addresses_cidr": null,
+ "reversed_domains": null,
+ "urls": null,
+ "usernames": null,
+ "vulnerabilities": null
+ }
+ },
+ "duplicates": [],
+ "header": {
+ "actor": "User98765",
+ "actor_id": "User98765",
+ "bank": null,
+ "bin": null,
+ "brand": null,
+ "credential_count": null,
+ "category_name": "",
+ "content_hash": "driller_profile/github/user_98765",
+ "content_preview": "...",
+ "country": null,
+ "duplicates": [],
+ "es_score": 1.0,
+ "expiration": null,
+ "highlights": {},
+ "host": null,
+ "id": "user_98765",
+ "infection_date": null,
+ "parent_id": null,
+ "parent_title": null,
+ 
"parent_title_en": null,
+ "parent_uid": null,
+ "parent_uids": [],
+ "risk": {
+ "score": 1
+ },
+ "similar_items_count": 0,
+ "source": "github",
+ "source_name": "GitHub",
+ "target_name": "GitHub",
+ "tags": [],
+ "notes": null,
+ "state_code": null,
+ "timestamp": "2025-03-08T17:04:18Z",
+ "title": "User98765",
+ "type": "driller_profile",
+ "uid": "driller_profile/github/user_98765",
+ "user_risk_score": null,
+ "user_notes": null,
+ "ignored_at": null,
+ "remediated_at": null,
+ "verb": "",
+ "external_url": null,
+ "external_netloc": null,
+ "can_have_duplicates": true,
+ "priority_action_uuid_related": false,
+ "analyzers_items_uids": [],
+ "victim_name": null,
+ "contains_secrets": null,
+ "secrets_metadata": null
+ },
+ "history_logs": null,
+ "metadata": {
+ "estimated_created_at": "2025-03-08T17:04:18Z",
+ "event_id": null,
+ "first_crawled_at": "2025-02-10T05:04:09Z",
+ "last_crawled_at": "2025-03-08T17:04:19Z",
+ "payload_digest": null,
+ "scraped_at": "2025-03-08T17:04:19Z",
+ "source": "github",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/driller_profile/github/user_98765"
+ },
+ "similar_items": []
+ }
+}
+```
diff --git a/docs/event-types/seller.mdx b/docs/event-types/seller.mdx
new file mode 100644
index 0000000..44adbf6
--- /dev/null
+++ b/docs/event-types/seller.mdx
@@ -0,0 +1,127 @@
+---
+title: "Seller"
+---
+
+The `seller` event type represents a vendor profile extracted from darknet marketplaces or illicit e-commerce platforms.
+Each record corresponds to a seller’s identity page, including their alias, reputation score, number of transactions, and contact details (such as PGP public keys or Telegram handles).
+This information is used to track threat actor personas, understand marketplace reputations, and correlate sellers across multiple marketplaces or identities.
+
+```json Example Content
+{
+ "activity": {
+ "data": {
+ "es_id": "dark_market/seller_12345",
+ "es_score": 1.0,
+ "highlights": {},
+ "id": "seller_12345",
+ "index": "seller",
+ "metadata": {
+ "estimated_created_at": "2025-03-25T17:20:23Z",
+ "event_id": null,
+ "first_crawled_at": "2025-01-10T16:35:15Z",
+ "last_crawled_at": "2025-03-25T17:21:05Z",
+ "payload_digest": null,
+ "scraped_at": "2025-03-25T17:21:06Z",
+ "source": "dark_market",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/seller/dark_market/seller_12345"
+ },
+ "uid": "seller/dark_market/seller_12345",
+ "url": "http://darkmarketxyz.onion/seller/profile/seller_12345",
+ "browser_url": null,
+ "about": "Seller specializing in high-demand illicit goods and services with a focus on reliability, discretion, and customer satisfaction.",
+ "about_en": null,
+ "actor": "seller_12345",
+ "actor_id": "seller_12345",
+ "actor_name": "seller_12345",
+ "contact_info": {
+ "public_pgp_fingerprint": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: BCPG v1.58\n\n[Truncated PGP public key data for documentation example]\n-----END PGP PUBLIC KEY BLOCK-----",
+ "public_pgp_uid": null
+ },
+ "title": null,
+ "transactions_count": null,
+ "rating": ["0.00"],
+ "ratings_count": null,
+ "rating_pos": null,
+ "rating_neg": null,
+ "ship_to": null,
+ "ship_from": null,
+ "features": {
+ "domains": null,
+ "emails": null,
+ "ip_addresses": null,
+ "ip_addresses_cidr": null,
+ 
"reversed_domains": null,
+ "urls": null,
+ "usernames": null,
+ "vulnerabilities": null
+ }
+ },
+ "duplicates": [],
+ "header": {
+ "actor": "seller_12345",
+ "actor_id": "seller_12345",
+ "bank": null,
+ "bin": null,
+ "brand": null,
+ "credential_count": null,
+ "category_name": "",
+ "content_hash": "seller/dark_market/seller_12345",
+ "content_preview": "Seller specializing in high-demand illicit goods and services...",
+ "country": null,
+ "duplicates": [],
+ "es_score": 1.0,
+ "expiration": null,
+ "highlights": {},
+ "host": null,
+ "id": "seller_12345",
+ "infection_date": null,
+ "parent_id": null,
+ "parent_title": null,
+ "parent_title_en": null,
+ "parent_uid": null,
+ "parent_uids": [],
+ "risk": {
+ "score": 3
+ },
+ "similar_items_count": 0,
+ "source": "dark_market",
+ "source_name": "Dark Market",
+ "target_name": "Dark Market",
+ "tags": [],
+ "notes": null,
+ "state_code": null,
+ "timestamp": "2025-03-25T17:20:23Z",
+ "title": "seller_12345",
+ "type": "seller",
+ "uid": "seller/dark_market/seller_12345",
+ "user_risk_score": null,
+ "user_notes": null,
+ "ignored_at": null,
+ "remediated_at": null,
+ "verb": "",
+ "external_url": null,
+ "external_netloc": null,
+ "can_have_duplicates": true,
+ "priority_action_uuid_related": false,
+ "analyzers_items_uids": [],
+ "victim_name": null,
+ "contains_secrets": null,
+ "secrets_metadata": null
+ },
+ "history_logs": null,
+ "metadata": {
+ "estimated_created_at": "2025-03-25T17:20:23Z",
+ "event_id": null,
+ "first_crawled_at": "2025-01-10T16:35:15Z",
+ "last_crawled_at": "2025-03-25T17:21:05Z",
+ "payload_digest": null,
+ "scraped_at": "2025-03-25T17:21:06Z",
+ "source": "dark_market",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/seller/dark_market/seller_12345"
+ },
+ "similar_items": []
+ }
+}
+```
diff --git a/docs/event-types/source-code.mdx b/docs/event-types/source-code.mdx
new file mode 100644
index 0000000..742269c
--- /dev/null
+++ b/docs/event-types/source-code.mdx 
@@ -0,0 +1,126 @@
+---
+title: "Source code"
+---
+
+The `source_code` event type captures data originating from public source code repositories or registries, such as Docker Hub, GitHub, or GitLab.
+These entries are used to identify potentially exposed code, build artifacts, or embedded secrets that may represent a security risk.
+For Docker images, Flare extracts and analyzes metadata such as the image digest, architecture, tags, and embedded configuration or environment data.
+
+```json Example Content
+{
+ "activity": {
+ "data": {
+ "es_id": "dockerhub/image_12345",
+ "es_score": 1.0,
+ "highlights": {},
+ "id": "image_12345",
+ "index": "docker_image",
+ "metadata": {
+ "estimated_created_at": "2025-03-20T19:58:52Z",
+ "event_id": null,
+ "first_crawled_at": "2025-03-20T20:00:00Z",
+ "last_crawled_at": "2025-03-20T20:00:00Z",
+ "payload_digest": "abc123def456ghi789jkl012mno345pqr678stu901",
+ "scraped_at": "2025-03-20T20:00:15Z",
+ "source": "dockerhub",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/docker_image/dockerhub/image_12345"
+ },
+ "uid": "docker_image/dockerhub/image_12345",
+ "url": null,
+ "browser_url": null,
+ "digest": "sha256:abc123def456ghi789jkl012mno345pqr678stu901",
+ "architecture": "amd64",
+ "variant": null,
+ "os": "linux",
+ "os_features": null,
+ "os_version": null,
+ "size": 19240105,
+ "last_pushed_at": "2025-03-20T19:58:52Z",
+ "last_pulled_at": "2025-03-20T19:58:54Z",
+ "tag": [
+ {
+ "name": "frontend-prod-latest",
+ "repository_name": "exampleorg/webapp"
+ }
+ ],
+ "content": "Dockerfile contents with environment setup, package installations, and service configuration steps. 
Example truncated for documentation purposes.",
+ "features": {
+ "domains": ["nginx.org", "example.com"],
+ "emails": ["maintainer@example.com"],
+ "ip_addresses": null,
+ "ip_addresses_cidr": null,
+ "reversed_domains": ["org.nginx", "com.example"],
+ "urls": ["https://nginx.org/packages/alpine", "https://example.com/repo"],
+ "usernames": null,
+ "vulnerabilities": null
+ }
+ },
+ "duplicates": [],
+ "header": {
+ "actor": null,
+ "actor_id": null,
+ "bank": null,
+ "bin": null,
+ "brand": null,
+ "credential_count": null,
+ "category_name": "Docker Image",
+ "content_hash": "abc123def456ghi789jkl012mno345pqr678stu901",
+ "content_preview": "Dockerfile setup with environment and service configuration steps...",
+ "country": null,
+ "duplicates": [],
+ "es_score": 1.0,
+ "expiration": null,
+ "highlights": {},
+ "host": null,
+ "id": "image_12345",
+ "infection_date": null,
+ "parent_id": null,
+ "parent_title": null,
+ "parent_title_en": null,
+ "parent_uid": null,
+ "parent_uids": [],
+ "risk": {
+ "score": 1
+ },
+ "similar_items_count": 0,
+ "source": "dockerhub",
+ "source_name": "Docker Hub",
+ "target_name": "Docker Hub",
+ "tags": [],
+ "notes": null,
+ "state_code": null,
+ "timestamp": "2025-03-20T19:58:52Z",
+ "title": "Docker Image image_12345 (exampleorg/webapp:frontend-prod-latest)",
+ "type": "docker_image",
+ "uid": "docker_image/dockerhub/image_12345",
+ "user_risk_score": null,
+ "user_notes": null,
+ "ignored_at": null,
+ "remediated_at": null,
+ "verb": "",
+ "external_url": null,
+ "external_netloc": null,
+ "can_have_duplicates": true,
+ "priority_action_uuid_related": false,
+ "analyzers_items_uids": [],
+ "victim_name": null,
+ "contains_secrets": false,
+ "secrets_metadata": []
+ },
+ "history_logs": null,
+ "metadata": {
+ "estimated_created_at": "2025-03-20T19:58:52Z",
+ "event_id": null,
+ "first_crawled_at": "2025-03-20T20:00:00Z",
+ "last_crawled_at": "2025-03-20T20:00:00Z",
+ "payload_digest": 
"abc123def456ghi789jkl012mno345pqr678stu901",
+ "scraped_at": "2025-03-20T20:00:15Z",
+ "source": "dockerhub",
+ "crawled_by": null,
+ "flare_url": "https://app.cti.example.com/#/docker_image/dockerhub/image_12345"
+ },
+ "similar_items": []
+ }
+}
+```
diff --git a/docs/event-types/stealer-log.mdx b/docs/event-types/stealer-log.mdx
new file mode 100644
index 0000000..c8d3551
--- /dev/null
+++ b/docs/event-types/stealer-log.mdx
@@ -0,0 +1,242 @@
+---
+title: "Stealer Log"
+---
+
+The `stealer_log` (also observed as `bot` in some indices) represents a record of a compromised device whose credentials and browsing data were harvested by an information stealer malware (such as RedLine, Raccoon, or Vidar).
+These entries originate from dark-web marketplaces (for example, “Russian Market”) where attackers sell logs containing cookies, saved passwords, and session tokens from infected machines.
+Each document corresponds to a single device or “bot,” with metadata describing where and when it was first seen, its environment (OS, IP, ISP), and the websites and services discovered in its data.
+
+```json Example Content
+{
+ "activity": {
+ "data": {
+ "es_id": "stealer_logs/sample_log_doc_000002",
+ "es_score": 1.0,
+ "highlights": {},
+ "id": "sample_log_doc_000002",
+ "index": "stealer_log",
+ "metadata": {
+ "estimated_created_at": "2025-10-24T03:51:00+00:00",
+ "event_id": null,
+ "first_crawled_at": "2025-10-28T18:35:15.095033+00:00",
+ "last_crawled_at": "2025-10-28T18:35:15.095033+00:00",
+ "payload_digest": "f8fbcbf034e346eedf2a8abed80b883433ddccaf",
+ "scraped_at": "2025-10-28T18:35:17.333487+00:00",
+ "source": "stealer_logs",
+ "crawled_by": null,
+ "flare_url": "https://app.example.com/#/stealer_log/stealer_logs/sample_log_doc_000002"
+ },
+ "uid": "stealer_log/stealer_logs/sample_log_doc_000002",
+ "url": null,
+ "browser_url": null,
+ "name": null,
+ "installed_at": "2025-10-24T03:51:00+00:00",
+ "updated_at": null,
+ "seller_id": null,
+ "isp": null,
+ "information": null,
+ "credentials": [
+ {
+ "url": "https://www.epicgames.com/id/login",
+ "username": "user1@example.com",
+ "password": "raf*********",
+ "application": "Browser/Logins/Edge_Default[edeafc70].txt"
+ }
+ ],
+ "cookies": [
+ {
+ "host_key": ".instagram.com",
+ "path": "/",
+ "expires_utc": "2026-03-04T02:22:08",
+ "name": "datr",
+ "value": "REDACTED"
+ },
+ {
+ "host_key": ".mediafire.com",
+ "path": "/",
+ 
"expires_utc": "2026-03-04T12:54:47",
+ "name": "ukey",
+ "value": "REDACTED"
+ }
+ ],
+ "user_information": {
+ "ip_address": "198.51.100.1",
+ "ip_network": null,
+ "username": "user_display_name",
+ "country_code": "BR",
+ "zip_code": "",
+ "location": "",
+ "hwid": "HWID-REDACTED-0001",
+ "current_language": "",
+ "screensize_width": 1920,
+ "screensize_height": 1080,
+ "timezone": "UTC-3",
+ "os": "Windows 11 24H2 build 26200 (64 Bit)",
+ "uac": "",
+ "process_elevation": null,
+ "available_keyboards": [
+ "Portuguese"
+ ],
+ "hardware": [
+ "CPU: AMD Ryzen 5 5500",
+ "RAM: 16278 MB",
+ "HOSTNAME: HOST-XXXX"
+ ],
+ "anti_viruses": null
+ },
+ "malware_information": {
+ "malware_family": "unknown",
+ "build_id": "",
+ "file_location": "",
+ "infection_date": "2025-10-24T03:51:00+00:00"
+ },
+ "files": [
+ "Browser/Autofill/Blink_Default[99168010].txt",
+ "Browser/Autofill/Blink_Default[9cf42651].txt",
+ "Browser/Autofill/Blink_Default[edeafc70].txt",
+ "Browser/Autofill/Blink_Default[f4116c65].txt"
+ ],
+ "price": null,
+ "currency": null,
+ "features": {
+ "domains": [
+ "account.educacross.com.br",
+ "accounts.google.com",
+ "bitly.com",
+ "connect.ubisoft.com",
+ "discord.com",
+ "gmail.com",
+ "hotmail.com",
+ "myaccount.google.com",
+ "saladofuturo.educacao.sp.gov.br",
+ "store.steampowered.com",
+ "www.epicgames.com",
+ "www.fortnite.com",
+ "www.roblox.com"
+ ],
+ "emails": [
+ "user1@example.com",
+ "user2@example.com"
+ ],
+ "ip_addresses": [
+ "198.51.100.1"
+ ],
+ "ip_addresses_cidr": [
+ "198.51.100.1"
+ ],
+ "reversed_domains": [
+ "br.com.educacross.account",
+ "br.gov.sp.educacao.saladofuturo",
+ "com.bitly",
+ "com.discord",
+ "com.epicgames.www",
+ "com.fortnite.www",
+ "com.gmail",
+ "com.google.accounts",
+ "com.google.myaccount",
+ "com.hotmail",
+ "com.roblox.www",
+ "com.steampowered.store",
+ "com.ubisoft.connect"
+ ],
+ "urls": [
+ "https://account.educacross.com.br/login",
+ "https://accounts.google.com/v3/signin/challenge/pwd",
+ 
"https://bitly.com/a/sign_up",
+ "https://connect.ubisoft.com/login",
+ "https://connect.ubisoft.com/oauth/create",
+ "https://discord.com/channels/@me",
+ "https://myaccount.google.com/signinoptions/password",
+ "https://saladofuturo.educacao.sp.gov.br/login-alunos",
+ "https://store.steampowered.com/join/completesignup",
+ "https://www.epicgames.com/id/login",
+ "https://www.fortnite.com/id/login/customized",
+ "https://www.roblox.com/login"
+ ],
+ "usernames": [
+ "user120063621",
+ "user_display_name",
+ "user_display_2",
+ "user_display_3",
+ "user_display_4",
+ "user_display_5",
+ "user1@example.com",
+ "user2@example.com",
+ "user_display_6"
+ ],
+ "vulnerabilities": null
+ },
+ "sources": [
+ "stealer_logs_private"
+ ]
+ },
+ "duplicates": [],
+ "header": {
+ "actor": null,
+ "actor_id": null,
+ "bank": null,
+ "bin": null,
+ "brand": null,
+ "credential_count": 17,
+ "category_name": "Infected Device",
+ "content_hash": "f8fbcbf034e346eedf2a8abed80b883433ddccaf",
+ "content_preview": "17 credentials",
+ "country": null,
+ "duplicates": [],
+ "es_score": 1.0,
+ "expiration": null,
+ "highlights": {},
+ "host": null,
+ "id": "sample_log_doc_000002",
+ "infection_date": "2025-10-24T03:51:00+00:00",
+ "parent_id": null,
+ "parent_title": null,
+ "parent_title_en": null,
+ "parent_uid": null,
+ "parent_uids": [
+ "chat_message/telegram/0000000000/00000000000"
+ ],
+ "risk": {
+ "score": 3
+ },
+ "similar_items_count": 0,
+ "source": "stealer_logs",
+ "source_name": "Stealer Logs",
+ "target_name": "Stealer Logs",
+ "tags": [],
+ "notes": null,
+ "state_code": null,
+ "timestamp": "2025-10-24T03:51:00+00:00",
+ "title": "",
+ "type": "stealer_log",
+ "uid": "stealer_log/stealer_logs/sample_log_doc_000002",
+ "user_risk_score": null,
+ "user_notes": null,
+ "ignored_at": null,
+ "remediated_at": null,
+ "verb": "sold",
+ "external_url": "s3://example-bucket/0000000000/00000000000000000000000000000000000000",
+ "external_netloc": "example-bucket",
+ 
"can_have_duplicates": true,
+ "priority_action_uuid_related": false,
+ "analyzers_items_uids": [],
+ "victim_name": null,
+ "contains_secrets": null,
+ "secrets_metadata": null
+ },
+ "history_logs": null,
+ "metadata": {
+ "estimated_created_at": "2025-10-24T03:51:00+00:00",
+ "event_id": null,
+ "first_crawled_at": "2025-10-28T18:35:15.095033+00:00",
+ "last_crawled_at": "2025-10-28T18:35:15.095033+00:00",
+ "payload_digest": "f8fbcbf034e346eedf2a8abed80b883433ddccaf",
+ "scraped_at": "2025-10-28T18:35:17.333487+00:00",
+ "source": "stealer_logs",
+ "crawled_by": null,
+ "flare_url": "https://app.example.com/#/stealer_log/stealer_logs/sample_log_doc_000002"
+ },
+ "similar_items": []
+ }
+}
+```