Artifact

Information about an artifact. The artifact can only be an IP.

JSON representation 
{
  "ip": string,
  "prevalence": {
    object (Prevalence)
  },
  "firstSeenTime": string,
  "lastSeenTime": string,
  "location": {
    object (Location)
  },
  "network": {
    object (Network)
  },
  "asOwner": string,
  "asn": string,
  "jarm": string,
  "lastHttpsCertificate": {
    object (SSLCertificate)
  },
  "lastHttpsCertificateDate": string,
  "regionalInternetRegistry": string,
  "tags": [
    string
  ],
  "whois": string,
  "whoisDate": string,
  "tunnels": [
    {
      object (Tunnels)
    }
  ],
  "anonymous": boolean,
  "artifactClient": {
    object (ArtifactClient)
  },
  "risks": [
    string
  ]
}
Fields
ip

string

IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity.
prevalence

object (Prevalence)

The prevalence of the artifact within the customer's environment.
firstSeenTime

string (Timestamp format)

First seen timestamp of the IP in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
lastSeenTime

string (Timestamp format)

Last seen timestamp of the IP address in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
location

object (Location)

Location of the Artifact's IP address.
network

object (Network)

Network information related to the Artifact's IP address.
asOwner

string

Owner of the Autonomous System to which the IP address belongs.
asn

string (int64 format)

Autonomous System Number to which the IP address belongs.
jarm

string

The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a).
lastHttpsCertificate

object (SSLCertificate)

SSL certificate information about the IP address.
lastHttpsCertificateDate

string (Timestamp format)

Most recent date for the certificate in VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
regionalInternetRegistry

string

RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC).
tags[]

string

Identification attributes
whois

string

WHOIS information as returned from the pertinent WHOIS server.
whoisDate

string (Timestamp format)

Date of the last update of the WHOIS record in VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
tunnels[]

object (Tunnels)

VPN tunnels.
anonymous

boolean

Whether the VPN tunnels are configured for anonymous browsing or not.
artifactClient

object (ArtifactClient)

Entity or software accessing or utilizing network resources.
risks[]

string

This field lists potential risks associated with the network activity.

Tunnels

VPN tunnels.

JSON representation 
{
  "provider": string,
  "type": string
}
Fields
provider

string

The provider of the VPN tunnels being used.
type

string

The type of the VPN tunnels.

ArtifactClient

Entity or software accessing or utilizing network resources.

JSON representation 
{
  "behaviors": [
    string
  ],
  "proxies": [
    string
  ]
}
Fields
behaviors[]

string

The behaviors of the client accessing the network.
proxies[]

string

The type of proxies used by the client.