The paste event type corresponds to public text pastes found on paste sites such as Pastebin, JustPaste.it, YamCode, or similar sharing services.
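These entries typically contain raw text dumps, links to leaked data, code snippets, or communication content, and sometimes reference or re-host credential leaks. Because the `content` field in the example below carries the paste text itself, consumers should treat it as untrusted and potentially sensitive data: it may hold working credentials or attacker-supplied links, so escape it before display and do not follow its URLs automatically.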
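Example Content (all values are illustrative placeholders; the `payload_digest` and `content_hash` strings shown are not valid hex digests)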
{
  "activity": {
    "data": {
      "es_id": "paste_site/example_paste_12345",
      "es_score": 1.0,
      "highlights": {},
      "id": "example_paste_12345",
      "index": "paste",
      "metadata": {
        "estimated_created_at": "2025-03-18T00:00:00Z",
        "event_id": null,
        "first_crawled_at": "2025-03-18T09:00:00Z",
        "last_crawled_at": "2025-03-18T09:00:00Z",
        "payload_digest": "123abc456def789ghi012jkl345mno678pqr901",
        "scraped_at": "2025-03-18T09:00:30Z",
        "source": "paste_site",
        "crawled_by": null,
        "flare_url": "https://app.cti.example.com/#/paste/paste_site/example_paste_12345"
      },
      "uid": "paste/paste_site/example_paste_12345",
      "url": "http://pasteexample.onion/example_paste_12345",
      "browser_url": null,
      "actor": "threat_user01",
      "actor_id": null,
      "actor_name": "threat_user01",
      "content": "Example text containing links or credentials shared on a paste site.",
      "content_en": null,
      "title": "Leaked Credentials Paste",
      "title_en": null,
      "expire_at": null,
      "syntax": null,
      "features": {
        "domains": ["example.com"],
        "emails": null,
        "ip_addresses": null,
        "ip_addresses_cidr": null,
        "reversed_domains": ["com.example"],
        "urls": ["example.com/leak123"],
        "usernames": null,
        "vulnerabilities": null
      }
    },
    "duplicates": [],
    "header": {
      "actor": "threat_user01",
      "actor_id": null,
      "bank": null,
      "bin": null,
      "brand": null,
      "credential_count": null,
      "category_name": "",
      "content_hash": "123abc456def789ghi012jkl345mno678pqr901",
      "content_preview": "Example text containing links or credentials...",
      "country": null,
      "duplicates": [],
      "es_score": 1.0,
      "expiration": null,
      "highlights": {},
      "host": null,
      "id": "example_paste_12345",
      "infection_date": null,
      "parent_id": null,
      "parent_title": null,
      "parent_title_en": null,
      "parent_uid": null,
      "parent_uids": [],
      "risk": {
        "score": 2
      },
      "similar_items_count": 0,
      "source": "paste_site",
      "source_name": "Paste Site",
      "target_name": "Paste Site",
      "tags": [],
      "notes": null,
      "state_code": null,
      "timestamp": "2025-03-18T00:00:00Z",
      "title": "Leaked Credentials Paste",
      "type": "paste",
      "uid": "paste/paste_site/example_paste_12345",
      "user_risk_score": null,
      "user_notes": null,
      "ignored_at": null,
      "remediated_at": null,
      "verb": "",
      "external_url": null,
      "external_netloc": null,
      "can_have_duplicates": true,
      "priority_action_uuid_related": false,
      "analyzers_items_uids": [],
      "victim_name": null,
      "contains_secrets": false,
      "secrets_metadata": []
    },
    "history_logs": null,
    "metadata": {
      "estimated_created_at": "2025-03-18T00:00:00Z",
      "event_id": null,
      "first_crawled_at": "2025-03-18T09:00:00Z",
      "last_crawled_at": "2025-03-18T09:00:00Z",
      "payload_digest": "123abc456def789ghi012jkl345mno678pqr901",
      "scraped_at": "2025-03-18T09:00:30Z",
      "source": "paste_site",
      "crawled_by": null,
      "flare_url": "https://app.cti.example.com/#/paste/paste_site/example_paste_12345"
    },
    "similar_items": []
  }
}