Noun

The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

JSON representation
{
  "hostname": string,
  "domain": {
    object (Domain)
  },
  "artifact": {
    object (Artifact)
  },
  "url_metadata": {
    object (Url)
  },
  "asset_id": string,
  "user": {
    object (User)
  },
  "user_management_chain": [
    {
      object (User)
    }
  ],
  "group": {
    object (Group)
  },
  "process": {
    object (Process)
  },
  "process_ancestors": [
    {
      object (Process)
    }
  ],
  "asset": {
    object (Asset)
  },
  "ip": [
    string
  ],
  "nat_ip": [
    string
  ],
  "port": integer,
  "nat_port": integer,
  "mac": [
    string
  ],
  "administrative_domain": string,
  "namespace": string,
  "url": string,
  "file": {
    object (File)
  },
  "email": string,
  "registry": {
    object (Registry)
  },
  "application": string,
  "platform": enum (Platform),
  "platform_version": string,
  "platform_patch_level": string,
  "cloud": {
    object (Cloud)
  },
  "location": {
    object (Location)
  },
  "ip_location": [
    {
      object (Location)
    }
  ],
  "ip_geo_artifact": [
    {
      object (Artifact)
    }
  ],
  "resource": {
    object (Resource)
  },
  "resource_ancestors": [
    {
      object (Resource)
    }
  ],
  "labels": [
    {
      object (Label)
    }
  ],
  "object_reference": {
    object (Id)
  },
  "investigation": {
    object (Investigation)
  },
  "network": {
    object (Network)
  },
  "security_result": [
    {
      object (SecurityResult)
    }
  ]
}
Fields
hostname

string

Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities.

domain

object (Domain)

Information about the domain.

artifact

object (Artifact)

Information about an artifact.

url_metadata

object (Url)

Information about the URL.

asset_id

string

The asset ID. This field can be used as an entity indicator for asset entities.

user

object (User)

Information about the user.

user_management_chain[]

object (User)

Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.

group

object (Group)

Information about the group.

process

object (Process)

Information about the process.

process_ancestors[]

object (Process)

Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.

asset

object (Asset)

Information about the asset.

ip[]

string

A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities.

nat_ip[]

string

A list of NAT translated IP addresses associated with a network connection.

port

integer

Source or destination network port number when a specific network connection is described within an event.

nat_port

integer

NAT external network port number when a specific network connection is described within an event.

mac[]

string

List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities.

administrative_domain

string

Domain which the device belongs to (for example, the Microsoft Windows domain).

namespace

string

Namespace which the device belongs to, such as "AD forest". Uses for this field include a Microsoft Windows AD forest, the name of a subsidiary, or the name of an acquisition. This field can be used along with an asset indicator to identify an asset.

url

string

The URL.

file

object (File)

Information about the file.

email

string

Email address. Only filled in for security_result.about.

registry

object (Registry)

Registry information.

application

string

The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".

platform

enum (Platform)

Platform.

platform_version

string

Platform version. For example, "Microsoft Windows 1803".

platform_patch_level

string

Platform patch level. For example, "Build 17134.48".

cloud
(deprecated)

object (Cloud)

Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).

location

object (Location)

Physical location. For cloud environments, set the region in location.name.

ip_location[]
(deprecated)

object (Location)

Deprecated: use ip_geo_artifact.location instead.

ip_geo_artifact[]

object (Artifact)

Enriched geographic information corresponding to an IP address. Specifically, location and network data.

resource

object (Resource)

Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun.

resource_ancestors[]

object (Resource)

Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).

labels[]
(deprecated)

object (Label)

Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).

object_reference

object (Id)

Finding to which the Analyst updated the feedback.

investigation

object (Investigation)

Analyst feedback/investigation for alerts.

network

object (Network)

Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).

security_result[]

object (SecurityResult)

A list of security results.
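
Added example, not code from the UDM reference: a small Python helper that prepares a Noun the way the field notes above describe, flattening the recursive process.parent_process chain into process_ancestors (parent first, root last) and moving the deprecated labels, cloud and ip_location fields under attribute / ip_geo_artifact. The sample Noun is constructed; "pid" is assumed as a Process field name (Process is not defined on this page), and labels on a Noun with no user are assumed to belong to the asset.

```python
"""Added example (not part of the UDM reference): prepare a Noun for export.

Assumptions: the nested Process/Location/Cloud dicts below are constructed
samples; "pid" is assumed as a Process field name (Process is not defined on
this page); labels with no user present default to asset.attribute.labels.
"""
from __future__ import annotations

import copy
from typing import Any

# Fields the reference marks "can be used as an entity indicator for asset entities".
ASSET_INDICATORS = ("hostname", "asset_id", "ip", "mac")


def has_asset_indicator(noun: dict[str, Any]) -> bool:
    """True if the Noun carries at least one non-empty asset entity indicator."""
    return any(noun.get(field) for field in ASSET_INDICATORS)


def process_ancestors(process: dict[str, Any], max_depth: int = 64) -> list[dict[str, Any]]:
    """Flatten the recursive process.parent_process chain into the
    process_ancestors list, ordered from immediate parent to root. Each entry
    has its own parent_process removed, since BigQuery cannot store recursive
    messages (the reason the reference gives for process_ancestors existing)."""
    chain: list[dict[str, Any]] = []
    seen: set[int] = set()
    parent = process.get("parent_process")
    while parent is not None:
        if id(parent) in seen or len(chain) >= max_depth:
            raise ValueError("parent_process chain is cyclic or too deep")
        seen.add(id(parent))
        chain.append({k: v for k, v in parent.items() if k != "parent_process"})
        parent = parent.get("parent_process")
    return chain


def migrate_deprecated(noun: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with deprecated Noun fields moved to their replacements:
       labels      -> <user|asset>.attribute.labels  (e.g. user.attribute.labels)
       cloud       -> asset.attribute.cloud
       ip_location -> ip_geo_artifact[].location
    The original dict is left untouched."""
    out = copy.deepcopy(noun)
    labels = out.pop("labels", None)
    if labels:
        # Assumption: attach labels to the user if the Noun describes one, else the asset.
        entity = "user" if "user" in out else "asset"
        attribute = out.setdefault(entity, {}).setdefault("attribute", {})
        attribute.setdefault("labels", []).extend(labels)
    cloud = out.pop("cloud", None)
    if cloud:
        out.setdefault("asset", {}).setdefault("attribute", {})["cloud"] = cloud
    locations = out.pop("ip_location", None)
    if locations:
        out.setdefault("ip_geo_artifact", []).extend({"location": loc} for loc in locations)
    return out


def export_noun(noun: dict[str, Any]) -> dict[str, Any]:
    """Migrate deprecated fields and flatten recursion as a BigQuery export would."""
    out = migrate_deprecated(noun)
    process = out.get("process")
    if process and "parent_process" in process:
        out["process_ancestors"] = process_ancestors(process)
        out["process"] = {k: v for k, v in process.items() if k != "parent_process"}
    return out


# Constructed sample Noun (not from the reference) exercising every migration above.
SAMPLE_NOUN: dict[str, Any] = {
    "hostname": "ws-042",
    "ip": ["10.0.0.7"],
    "labels": [{"key": "env", "value": "prod"}],
    "cloud": {"environment": "GOOGLE_CLOUD_PLATFORM", "availability_zone": "us-central1-a"},
    "ip_location": [{"name": "us-central1"}],
    "process": {"pid": "4242", "parent_process": {"pid": "1200", "parent_process": {"pid": "1"}}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(export_noun(SAMPLE_NOUN), indent=2))
```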

Domain

Information about a domain.

JSON representation
{
  "name": string,
  "prevalence": {
    object (Prevalence)
  },
  "first_seen_time": string,
  "last_seen_time": string,
  "registrar": string,
  "contact_email": string,
  "whois_server": string,
  "name_server": [
    string
  ],
  "creation_time": string,
  "update_time": string,
  "expiration_time": string,
  "audit_update_time": string,
  "status": string,
  "registrant": {
    object (User)
  },
  "admin": {
    object (User)
  },
  "tech": {
    object (User)
  },
  "billing": {
    object (User)
  },
  "zone": {
    object (User)
  },
  "whois_record_raw_text": string,
  "registry_data_raw_text": string,
  "iana_registrar_id": integer,
  "private_registration": boolean,
  "categories": [
    string
  ],
  "favicon": {
    object (Favicon)
  },
  "jarm": string,
  "last_dns_records": [
    {
      object (DNSRecord)
    }
  ],
  "last_dns_records_time": string,
  "last_https_certificate": {
    object (SSLCertificate)
  },
  "last_https_certificate_time": string,
  "popularity_ranks": [
    {
      object (PopularityRank)
    }
  ],
  "tags": [
    string
  ],
  "whois_time": string
}
Fields
name

string

The domain name. This field can be used as an entity indicator for Domain entities.

prevalence

object (Prevalence)

The prevalence of the domain within the customer's environment.

first_seen_time

string (Timestamp format)

First seen timestamp of the domain in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_seen_time

string (Timestamp format)

Last seen timestamp of the domain in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

registrar

string

Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM".

contact_email

string

Contact email address.

whois_server

string

Whois server name.

name_server[]

string

Repeated list of name servers.

creation_time

string (Timestamp format)

Domain creation time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

update_time

string (Timestamp format)

Last updated time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

expiration_time

string (Timestamp format)

Expiration time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

audit_update_time

string (Timestamp format)

Audit updated time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

status

string

Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values.

registrant

object (User)

Parsed contact information for the registrant of the domain.

admin

object (User)

Parsed contact information for the administrative contact for the domain.

tech

object (User)

Parsed contact information for the technical contact for the domain.

billing

object (User)

Parsed contact information for the billing contact of the domain.

zone

object (User)

Parsed contact information for the zone.

whois_record_raw_text

string (bytes format)

WHOIS raw text.

A base64-encoded string.

registry_data_raw_text

string (bytes format)

Registry Data raw text.

A base64-encoded string.

iana_registrar_id

integer

IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml.

private_registration

boolean

Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.

categories[]

string

Categories assigned to the domain as retrieved from VirusTotal.

favicon

object (Favicon)

Includes difference hash and MD5 hash of the domain's favicon.

jarm

string

Domain's JARM hash.

last_dns_records[]

object (DNSRecord)

Domain's DNS records from the last scan.

last_dns_records_time

string (Timestamp format)

Date when the DNS records list was retrieved by VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_https_certificate

object (SSLCertificate)

SSL certificate object retrieved last time the domain was analyzed.

last_https_certificate_time

string (Timestamp format)

When the certificate was retrieved by VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

popularity_ranks[]

object (PopularityRank)

Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc.

tags[]

string

List of representative attributes.

whois_time

string (Timestamp format)

Date of the last update of the WHOIS record.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

User

Information about a user.

JSON representation
{
  "product_object_id": string,
  "userid": string,
  "user_display_name": string,
  "first_name": string,
  "middle_name": string,
  "last_name": string,
  "phone_numbers": [
    string
  ],
  "personal_address": {
    object (Location)
  },
  "attribute": {
    object (Attribute)
  },
  "first_seen_time": string,
  "account_type": enum (AccountType),
  "groupid": string,
  "group_identifiers": [
    string
  ],
  "windows_sid": string,
  "email_addresses": [
    string
  ],
  "employee_id": string,
  "title": string,
  "company_name": string,
  "department": [
    string
  ],
  "office_address": {
    object (Location)
  },
  "managers": [
    {
      object (User)
    }
  ],
  "hire_date": string,
  "termination_date": string,
  "time_off": [
    {
      object (TimeOff)
    }
  ],
  "last_login_time": string,
  "last_password_change_time": string,
  "password_expiration_time": string,
  "account_expiration_time": string,
  "account_lockout_time": string,
  "last_bad_password_attempt_time": string,
  "user_authentication_status": enum (AuthenticationStatus),
  "role_name": string,
  "role_description": string,
  "user_role": enum (Role)
}
Fields
product_object_id

string

A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities.

userid

string

The ID of the user. This field can be used as an entity indicator for user entities.

user_display_name

string

The display name of the user (e.g. "John Locke").

first_name

string

First name of the user (e.g. "John").

middle_name

string

Middle name of the user.

last_name

string

Last name of the user (e.g. "Locke").

phone_numbers[]

string

Phone numbers for the user.

personal_address

object (Location)

Personal address of the user.

attribute

object (Attribute)

Generic entity metadata attributes of the user.

first_seen_time

string (Timestamp format)

The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

account_type

enum (AccountType)

Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/

groupid
(deprecated)

string

The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field.

group_identifiers[]

string

Product object identifiers of the group(s) the user belongs to: a vendor-specific identifier that uniquely identifies each group (a GUID, LDAP OID, or similar).

windows_sid

string

The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities.

email_addresses[]

string

Email addresses of the user. This field can be used as an entity indicator for user entities.

employee_id

string

Human capital management identifier. This field can be used as an entity indicator for user entities.

title

string

User job title.

company_name

string

User job company name.

department[]

string

User job department.

office_address

object (Location)

User job office location.

managers[]

object (User)

User job manager(s).

hire_date

string (Timestamp format)

User job employment hire date.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

termination_date

string (Timestamp format)

User job employment termination date.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

time_off[]

object (TimeOff)

User time off leaves from active work.

last_login_time

string (Timestamp format)

User last login timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_password_change_time

string (Timestamp format)

User last password change timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

password_expiration_time

string (Timestamp format)

User password expiration timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

account_expiration_time

string (Timestamp format)

User account expiration timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

account_lockout_time

string (Timestamp format)

User account lockout timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_bad_password_attempt_time

string (Timestamp format)

User last bad password attempt timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

user_authentication_status

enum (AuthenticationStatus)

System authentication status for user.

role_name
(deprecated)

string

System role name for user. Deprecated: use attribute.roles.

role_description
(deprecated)

string

System role description for user. Deprecated: use attribute.roles.

user_role
(deprecated)

enum (Role)

System role for user. Deprecated: use attribute.roles.

Attribute

Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account).

JSON representation
{
  "cloud": {
    object (Cloud)
  },
  "labels": [
    {
      object (Label)
    }
  ],
  "permissions": [
    {
      object (Permission)
    }
  ],
  "roles": [
    {
      object (Role)
    }
  ],
  "creation_time": string,
  "last_update_time": string
}
Fields
cloud

object (Cloud)

Cloud metadata attributes such as project ID, account ID, or organizational hierarchy.

labels[]

object (Label)

Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings.

permissions[]

object (Permission)

System permissions for IAM entity (human principal, service account, group).

roles[]

object (Role)

System IAM roles to be assumed by resources to use the role's permissions for access control.

creation_time

string (Timestamp format)

Time the resource or entity was created or provisioned.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_update_time

string (Timestamp format)

Time the resource or entity was last updated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Cloud

Metadata related to the cloud environment.

JSON representation
{
  "environment": enum (CloudEnvironment),
  "vpc": {
    object (Resource)
  },
  "project": {
    object (Resource)
  },
  "availability_zone": string
}
Fields
environment

enum (CloudEnvironment)

The Cloud environment.

vpc
(deprecated)

object (Resource)

The cloud environment VPC. Deprecated.

project
(deprecated)

object (Resource)

The cloud environment project information. Deprecated: use Resource.resource_ancestors.

availability_zone

string

The cloud environment availability zone (different from region which is location.name).

CloudEnvironment

The service provider environment.

Enums
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

Resource

Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar.

JSON representation
{
  "type": string,
  "resource_type": enum (ResourceType),
  "resource_subtype": string,
  "id": string,
  "name": string,
  "parent": string,
  "product_object_id": string,
  "attribute": {
    object (Attribute)
  }
}
Fields
type
(deprecated)

string

Deprecated: use resource_type instead.

resource_type

enum (ResourceType)

Resource type.

resource_subtype

string

Resource sub-type (e.g. "BigQuery", "Bigtable").

id
(deprecated)

string

Deprecated: Use resource.name or resource.product_object_id.

name

string

The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe.

parent
(deprecated)

string

The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name.

product_object_id

string

A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar). This field can be used as an entity indicator for a Resource entity.

attribute

object (Attribute)

Generic entity metadata attributes of the resource.

ResourceType

The type of resource being referred to. Be as descriptive as possible, and suggest adding a type if your data doesn't cleanly map to one.

Enums
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.
POD Pod, which is a collection of containers. Often used in Kubernetes.
CONTAINER Container.
FUNCTION Cloud function.
RUNTIME Runtime.
IP_ADDRESS IP address.
DISK Disk.
VOLUME Volume.
IMAGE Machine image.
SNAPSHOT Snapshot.
REPOSITORY Repository.
CREDENTIAL Credential, e.g. access keys, ssh keys, tokens, certificates.
LOAD_BALANCER Load balancer.
GATEWAY Gateway.
SUBNET Subnet.
USER User.

Permission

System permission for resource access and modification.

JSON representation
{
  "name": string,
  "description": string,
  "type": enum (PermissionType)
}
Fields
name

string

Name of the permission (e.g. chronicle.analyst.updateRule).

description

string

Description of the permission (e.g. 'Ability to update detect rules').

type

enum (PermissionType)

Type of the permission.

PermissionType

High level categorizations of permission type.

Enums
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

Role

System role for resource access and modification.

JSON representation
{
  "name": string,
  "description": string,
  "type": enum (Type)
}
Fields
name

string

System role name for user.

description

string

System role description for user.

type

enum (Type)

System role type for well known roles.

Type

Well-known system roles.

Enums
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

AccountType

User Account Type.

Enums
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account that is part of a domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (such as Slack or GitHub).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built-in default account.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM) system.

JSON representation
{
  "interval": {
    object (Interval)
  },
  "description": string
}
Fields
interval

object (Interval)

Interval duration of the leave.

description

string

Description of the leave if available (e.g. 'Vacation').

AuthenticationStatus

Authentication status; can be used to describe the status of authentication for a user or a particular credential.

Enums
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

Role

User system roles.

Enums
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: not a role, instead set User.account_type.

Favicon

Difference hash and MD5 hash of the domain's favicon.

JSON representation
{
  "raw_md5": string,
  "dhash": string
}
Fields
raw_md5

string

Favicon's MD5 hash.

dhash

string

Difference hash.

DNSRecord

DNS record.

JSON representation
{
  "type": string,
  "value": string,
  "ttl": string,
  "priority": string,
  "retry": string,
  "refresh": string,
  "minimum": string,
  "expire": string,
  "serial": string,
  "rname": string
}
Fields
type

string

Type.

value

string

Value.

ttl

string (Duration format)

Time to live.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

priority

string (int64 format)

Priority.

retry

string (int64 format)

Retry.

refresh

string (Duration format)

Refresh.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

minimum

string (Duration format)

Minimum.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

expire

string (Duration format)

Expire.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

serial

string (int64 format)

Serial.

rname

string

Rname.
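
Added example, not code from the UDM reference: Python helpers for the two string formats this page repeats, the Timestamp format (RFC 3339 input with any offset; output Z-normalized with 0, 3, 6 or 9 fractional digits, as described under Domain.first_seen_time and the other timestamp fields) and the Duration format used by DNSRecord.ttl, refresh, minimum and expire ("3.5s"). The final helper combines them to compute when a record retrieved at last_dns_records_time ages out of its ttl; all input values are constructed.

```python
"""Added example (not part of the UDM reference): parse and re-emit the
Timestamp format (RFC 3339, Z-normalised output with 0, 3, 6 or 9 fractional
digits) used by fields such as Domain.last_dns_records_time, and the Duration
format ("3.5s") used by DNSRecord.ttl. All input values below are constructed."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)
_DURATION_RE = re.compile(r"^(-?)(\d+)(?:\.(\d{1,9}))?s$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_NANOS = 1_000_000_000


def parse_timestamp(value: str) -> tuple[int, int]:
    """Accept any RFC 3339 offset ("Z" or "+05:30") and return
    (seconds since the Unix epoch, nanoseconds). Nanoseconds are carried
    separately because datetime only stores microseconds."""
    m = _TS_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    base, frac, offset = m.groups()
    dt = datetime.fromisoformat(base + ("+00:00" if offset == "Z" else offset))
    return int((dt - _EPOCH).total_seconds()), int((frac or "").ljust(9, "0"))


def format_timestamp(secs: int, nanos: int = 0) -> str:
    """Emit the Z-normalised form with the shortest of 0/3/6/9 fractional
    digits that preserves the value, as the reference says output is generated."""
    secs, nanos = secs + nanos // _NANOS, nanos % _NANOS  # carry overflow into seconds
    body = (_EPOCH + timedelta(seconds=secs)).strftime("%Y-%m-%dT%H:%M:%S")
    digits = f"{nanos:09d}".rstrip("0")
    width = next(w for w in (0, 3, 6, 9) if len(digits) <= w)
    return body + (f".{digits.ljust(width, '0')}" if width else "") + "Z"


def normalize_timestamp(value: str) -> str:
    """Round-trip an accepted input into the canonical output form."""
    return format_timestamp(*parse_timestamp(value))


def parse_duration(value: str) -> tuple[int, int]:
    """Parse the Duration format: seconds with up to nine fractional digits,
    ending in 's' (e.g. "3.5s"); returns (seconds, nanoseconds), negative allowed."""
    m = _DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a Duration string: {value!r}")
    sign, secs, frac = m.groups()
    factor = -1 if sign else 1
    return factor * int(secs), factor * int((frac or "").ljust(9, "0"))


def record_expiry(last_dns_records_time: str, ttl: str) -> str:
    """When a DNSRecord retrieved at last_dns_records_time ages out of its ttl."""
    secs, nanos = parse_timestamp(last_dns_records_time)
    dsecs, dnanos = parse_duration(ttl)
    return format_timestamp(secs + dsecs, nanos + dnanos)


if __name__ == "__main__":
    print(normalize_timestamp("2014-10-02T15:01:23+05:30"))  # 2014-10-02T09:31:23Z
    print(record_expiry("2014-10-02T15:01:23Z", "3.5s"))     # 2014-10-02T15:01:26.500Z
```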

SSLCertificate

SSL certificate.

JSON representation
{
  "cert_signature": {
    object (CertSignature)
  },
  "extension": {
    object (Extension)
  },
  "cert_extensions": {
    object
  },
  "first_seen_time": string,
  "issuer": {
    object (Subject)
  },
  "ec": {
    object (EC)
  },
  "serial_number": string,
  "signature_algorithm": string,
  "size": string,
  "subject": {
    object (Subject)
  },
  "thumbprint": string,
  "thumbprint_sha256": string,
  "validity": {
    object (Validity)
  },
  "version": string,
  "public_key": {
    object (PublicKey)
  }
}
Fields
cert_signature

object (CertSignature)

Certificate's signature and algorithm.

extension
(deprecated)

object (Extension)

Deprecated: the certificate's extension.

cert_extensions

object (Struct format)

Certificate's extensions.

first_seen_time

string (Timestamp format)

Date the certificate was first retrieved by VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

issuer

object (Subject)

Certificate's issuer data.

ec

object (EC)

EC public key information.

serial_number

string

Certificate's serial number hexdump.

signature_algorithm

string

Algorithm used for the signature (for example, "sha1RSA").

size

string (int64 format)

Certificate content length.

subject

object (Subject)

Certificate's subject data.

thumbprint

string

Certificate's content SHA1 hash.

thumbprint_sha256

string

Certificate's content SHA256 hash.

validity

object (Validity)

Certificate's validity period.

version

string

Certificate version (typically "V1", "V2" or "V3").

public_key

object (PublicKey)

Public key information.

CertSignature

Certificate's signature and algorithm.

JSON representation
{
  "signature": string,
  "signature_algorithm": string
}
Fields
signature

string

Signature.

signature_algorithm

string

Algorithm.

Extension

Certificate's extensions.

JSON representation
{
  "ca": boolean,
  "subject_key_id": string,
  "authority_key_id": {
    object (AuthorityKeyId)
  },
  "key_usage": string,
  "ca_info_access": string,
  "crl_distribution_points": string,
  "extended_key_usage": string,
  "subject_alternative_name": string,
  "certificate_policies": string,
  "netscape_cert_comment": string,
  "cert_template_name_dc": string,
  "netscape_certificate": boolean,
  "pe_logotype": boolean,
  "old_authority_key_id": boolean
}
Fields
ca

boolean

Whether the subject acts as a certificate authority (CA) or not.

subject_key_id

string

Identifies the public key being certified.

authority_key_id

object (AuthorityKeyId)

Identifies the public key to be used to verify the signature on this certificate or CRL.

key_usage

string

The purpose for which the certified public key is used.

ca_info_access

string

Authority information access locations are URLs that are added to a certificate in its authority information access extension.

crl_distribution_points

string

CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked.

extended_key_usage

string

One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field.

subject_alternative_name

string

Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key.

certificate_policies

string

Different certificate policies will relate to different applications which may use the certified key.

netscape_cert_comment

string

Used to include free-form text comments inside certificates.

cert_template_name_dc

string

BMP data value "DomainController". See MS Q291010.

netscape_certificate

boolean

Identifies whether the certificate subject is an SSL client, an SSL server, or a CA.

pe_logotype

boolean

Whether the certificate includes a logotype.

old_authority_key_id

boolean

Whether the certificate has an old authority key identifier extension.

AuthorityKeyId

Identifies the public key to be used to verify the signature on this certificate or CRL.

JSON representation
{
  "keyid": string,
  "serial_number": string
}
Fields
keyid

string

Key hexdump.

serial_number

string

Serial number hexdump.

Subject

Subject data.

JSON representation
{
  "country_name": string,
  "common_name": string,
  "locality": string,
  "organization": string,
  "organizational_unit": string,
  "state_or_province_name": string
}
Fields
country_name

string

C: Country name.

common_name

string

CN: CommonName.

locality

string

L: Locality.

organization

string

O: Organization.

organizational_unit

string

OU: OrganizationalUnit.

state_or_province_name

string

ST: StateOrProvinceName.

EC

EC public key information.

JSON representation
{
  "oid": string,
  "pub": string
}
Fields
oid

string

Curve name.

pub

string

Public key hexdump.

Validity

Defines the certificate's validity period.

JSON representation
{
  "expiry_time": string,
  "issue_time": string
}
Fields
expiry_time

string (Timestamp format)

Expiry date.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

issue_time

string (Timestamp format)

Issue date.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

PublicKey

Subject public key info.

JSON representation
{
  "algorithm": string,
  "rsa": {
    object (RSA)
  }
}
Fields
algorithm

string

Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate.

rsa

object (RSA)

RSA public key information.

RSA

RSA public key information.

JSON representation
{
  "key_size": string,
  "modulus": string,
  "exponent": string
}
Fields
key_size

string (int64 format)

Key size.

modulus

string

Key modulus hexdump.

exponent

string

Key exponent hexdump.

PopularityRank

Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.

JSON representation
{
  "giver": string,
  "rank": string,
  "ingestion_time": string
}
Fields
giver

string

Name of the rank giver, that is, the ranking source (for example Alexa, Quantcast, or Statvoo).

rank

string (int64 format)

Rank position.

ingestion_time

string (Timestamp format)

Timestamp when the rank was ingested.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Artifact

Information about an artifact. The artifact can only be an IP.

JSON representation
{
  "ip": string,
  "prevalence": {
    object (Prevalence)
  },
  "first_seen_time": string,
  "last_seen_time": string,
  "location": {
    object (Location)
  },
  "network": {
    object (Network)
  },
  "as_owner": string,
  "asn": string,
  "jarm": string,
  "last_https_certificate": {
    object (SSLCertificate)
  },
  "last_https_certificate_date": string,
  "regional_internet_registry": string,
  "tags": [
    string
  ],
  "whois": string,
  "whois_date": string,
  "tunnels": [
    {
      object (Tunnels)
    }
  ],
  "anonymous": boolean,
  "artifact_client": {
    object (ArtifactClient)
  },
  "risks": [
    string
  ]
}
Fields
ip

string

IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity.

prevalence

object (Prevalence)

The prevalence of the artifact within the customer's environment.

first_seen_time

string (Timestamp format)

First seen timestamp of the IP in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_seen_time

string (Timestamp format)

Last seen timestamp of the IP address in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

location

object (Location)

Location of the Artifact's IP address.

network

object (Network)

Network information related to the Artifact's IP address.

as_owner

string

Owner of the Autonomous System to which the IP address belongs.

asn

string (int64 format)

Autonomous System Number to which the IP address belongs.

jarm

string

The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a).

last_https_certificate

object (SSLCertificate)

SSL certificate information about the IP address.

last_https_certificate_date

string (Timestamp format)

Most recent date for the certificate in VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

regional_internet_registry

string

RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC).

tags[]

string

Identification attributes.

whois

string

WHOIS information as returned from the pertinent WHOIS server.

whois_date

string (Timestamp format)

Date of the last update of the WHOIS record in VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

tunnels[]

object (Tunnels)

VPN tunnels.

anonymous

boolean

Whether the VPN tunnels are configured for anonymous browsing or not.

artifact_client

object (ArtifactClient)

Entity or software accessing or utilizing network resources.

risks[]

string

This field lists potential risks associated with the network activity.

Tunnels

VPN tunnels.

JSON representation
{
  "provider": string,
  "type": string
}
Fields
provider

string

The provider of the VPN tunnels being used.

type

string

The type of the VPN tunnels.

ArtifactClient

Entity or software accessing or utilizing network resources.

JSON representation
{
  "behaviors": [
    string
  ],
  "proxies": [
    string
  ]
}
Fields
behaviors[]

string

The behaviors of the client accessing the network.

proxies[]

string

The type of proxies used by the client.

Url

Url.

JSON representation
{
  "url": string,
  "categories": [
    string
  ],
  "favicon": {
    object (Favicon)
  },
  "html_meta": {
    object
  },
  "last_final_url": string,
  "last_http_response_code": integer,
  "last_http_response_content_length": string,
  "last_http_response_content_sha256": string,
  "last_http_response_cookies": {
    object
  },
  "last_http_response_headers": {
    object
  },
  "tags": [
    string
  ],
  "title": string,
  "trackers": [
    {
      object (Tracker)
    }
  ]
}
Fields
url

string

URL.

categories[]

string

Categorisation done by VirusTotal partners.

favicon

object (Favicon)

Difference hash and MD5 hash of the URL's favicon.

html_meta

object (Struct format)

Meta tags (only for URLs downloading HTML).

last_final_url

string

If the original URL redirects, the URL where the redirect chain ends.

last_http_response_code

integer

HTTP response code of the last response.

last_http_response_content_length

string (int64 format)

Length in bytes of the content received.

last_http_response_content_sha256

string

URL response body's SHA256 hash.

last_http_response_cookies

object (Struct format)

Website's cookies.

last_http_response_headers

object (Struct format)

Headers and values of the last HTTP response.

tags[]

string

Tags.

title

string

Webpage title.

trackers[]

object (Tracker)

Trackers found in the URL in a historical manner.

Tracker

URL Tracker.

JSON representation
{
  "tracker": string,
  "id": string,
  "timestamp": string,
  "url": string
}
Fields
tracker

string

Tracker name.

id

string

Tracker ID, if available.

timestamp

string (Timestamp format)

Tracker ingestion date.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

url

string

Tracker script URL.

Group

Information about an organizational group.

JSON representation
{
  "product_object_id": string,
  "creation_time": string,
  "group_display_name": string,
  "attribute": {
    object (Attribute)
  },
  "email_addresses": [
    string
  ],
  "windows_sid": string
}
Fields
product_object_id

string

Product globally unique user object identifier, such as an LDAP Object Identifier.

creation_time
(deprecated)

string (Timestamp format)

Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

group_display_name

string

Group display name, for example "Finance".

attribute

object (Attribute)

Generic entity metadata attributes of the group.

email_addresses[]

string

Email addresses of the group.

windows_sid

string

Microsoft Windows SID of the group.

Process

Information about a process.

JSON representation
{
  "pid": string,
  "parent_pid": string,
  "parent_process": {
    object (Process)
  },
  "file": {
    object (File)
  },
  "command_line": string,
  "command_line_history": [
    string
  ],
  "product_specific_process_id": string,
  "access_mask": string,
  "integrity_level_rid": string,
  "euid": string,
  "ruid": string,
  "egid": string,
  "rgid": string,
  "pgid": string,
  "session_leader_pid": string,
  "tty": string,
  "token_elevation_type": enum (TokenElevationType),
  "product_specific_parent_process_id": string
}
Fields
pid

string

The process ID. This field can be used as an entity indicator for process entities.

parent_pid
(deprecated)

string

The ID of the parent process. Deprecated: use parent_process.pid instead.

parent_process

object (Process)

Information about the parent process.

file

object (File)

Information about the file in use by the process.

command_line

string

The command line command that created the process. This field can be used as an entity indicator for process entities.

command_line_history[]

string

The command line history of the process.

product_specific_process_id

string

A product-specific process ID.

access_mask

string

A bit mask representing the level of access.

integrity_level_rid

string

The Microsoft Windows integrity level relative ID (RID) of the process.

euid

string

The effective user ID of the process.

ruid

string

The real user ID of the process.

egid

string

The effective group ID of the process.

rgid

string

The real group ID of the process.

pgid

string

The identifier that points to the process group ID leader.

session_leader_pid

string

The process ID of the session leader process.

tty

string

The teletype terminal which the command was executed within.

token_elevation_type

enum (TokenElevationType)

The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled.

product_specific_parent_process_id
(deprecated)

string

A product-specific ID for the parent process. Deprecated: use parent_process.product_specific_process_id instead.

File

Information about a file.

JSON representation
{
  "sha256": string,
  "md5": string,
  "sha1": string,
  "size": string,
  "full_path": string,
  "mime_type": string,
  "file_metadata": {
    object (FileMetadata)
  },
  "security_result": {
    object (SecurityResult)
  },
  "pe_file": {
    object (FileMetadataPE)
  },
  "ssdeep": string,
  "vhash": string,
  "ahash": string,
  "authentihash": string,
  "file_type": enum (FileType),
  "capabilities_tags": [
    string
  ],
  "names": [
    string
  ],
  "tags": [
    string
  ],
  "last_modification_time": string,
  "create_time": string,
  "last_access_time": string,
  "prevalence": {
    object (Prevalence)
  },
  "first_seen_time": string,
  "last_seen_time": string,
  "stat_mode": string,
  "stat_inode": string,
  "stat_dev": string,
  "stat_nlink": string,
  "stat_flags": integer,
  "last_analysis_time": string,
  "embedded_urls": [
    string
  ],
  "embedded_domains": [
    string
  ],
  "embedded_ips": [
    string
  ],
  "exif_info": {
    object (ExifInfo)
  },
  "signature_info": {
    object (SignatureInfo)
  },
  "pdf_info": {
    object (PDFInfo)
  },
  "first_submission_time": string,
  "last_submission_time": string,
  "main_icon": {
    object (Favicon)
  },
  "ntfs": {
    object (NtfsFileMetadata)
  }
}
Fields
sha256

string

The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.

md5

string

The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.

sha1

string

The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.

size

string

The size of the file in bytes.

full_path

string

The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities.

mime_type

string

The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script".

file_metadata
(deprecated)

object (FileMetadata)

Metadata associated with the file. Deprecated: FileMetadata is deprecated in favor of the fields in File.

security_result

object (SecurityResult)

Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata.

pe_file

object (FileMetadataPE)

Metadata about the Portable Executable (PE) file.

ssdeep

string

Ssdeep of the file.

vhash

string

Vhash of the file.

ahash
(deprecated)

string

Deprecated. Use authentihash instead.

authentihash

string

Authentihash of the file.

file_type

enum (FileType)

FileType field.

capabilities_tags[]

string

Capabilities tags.

names[]

string

Names field.

tags[]

string

Tags for the file.

last_modification_time

string (Timestamp format)

Timestamp when the file was last updated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

create_time

string (Timestamp format)

Timestamp when the file was created.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_access_time

string (Timestamp format)

Timestamp when the file was accessed.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

prevalence

object (Prevalence)

Prevalence of the file hash in the customer's environment.

first_seen_time

string (Timestamp format)

Timestamp the file was first seen in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_seen_time

string (Timestamp format)

Timestamp the file was last seen in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

stat_mode

string

The mode of the file. A bit string indicating the permissions and privileges of the file.

stat_inode

string

The file identifier. Unique identifier of object within a file system.

stat_dev

string

The file system identifier to which the object belongs.

stat_flags

integer (uint32 format)

User defined flags for file.

last_analysis_time

string (Timestamp format)

Timestamp the file was last analysed.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

embedded_urls[]

string

Embedded urls found in the file.

embedded_domains[]

string

Embedded domains found in the file.

embedded_ips[]

string

Embedded IP addresses found in the file.

exif_info

object (ExifInfo)

Exif metadata from different file formats extracted by exiftool.

signature_info

object (SignatureInfo)

File signature information extracted from different tools.

pdf_info

object (PDFInfo)

Information about the PDF file structure.

first_submission_time

string (Timestamp format)

First submission time of the file.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_submission_time

string (Timestamp format)

Last submission time of the file.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

main_icon

object (Favicon)

Icon's relevant hashes.

ntfs

object (NtfsFileMetadata)

NTFS metadata.

FileMetadata

@hide_from_doc

JSON representation
{
  "pe": {
    object (PeFileMetadata)
  }
}
Fields
pe
(deprecated)

object (PeFileMetadata)

Metadata for Microsoft Windows PE files. Deprecated: PeFileMetadata is deprecated in favor of the single File proto.

PeFileMetadata

Metadata about a Microsoft Windows Portable Executable.

JSON representation
{
  "import_hash": string
}
Fields
import_hash

string

Hash of PE imports.

FileMetadataPE

Metadata about the Portable Executable (PE) file.

JSON representation
{
  "imphash": string,
  "entry_point": string,
  "entry_point_exiftool": string,
  "compilation_time": string,
  "compilation_exiftool_time": string,
  "section": [
    {
      object (FileMetadataSection)
    }
  ],
  "imports": [
    {
      object (FileMetadataImports)
    }
  ],
  "resource": [
    {
      object (FileMetadataPeResourceInfo)
    }
  ],
  "resources_type_count": [
    {
      object (StringToInt64MapEntry)
    }
  ],
  "resources_language_count": [
    {
      object (StringToInt64MapEntry)
    }
  ],
  "resources_type_count_str": [
    {
      object (Label)
    }
  ],
  "resources_language_count_str": [
    {
      object (Label)
    }
  ],
  "signature_info": {
    object (FileMetadataSignatureInfo)
  }
}
Fields
imphash

string

Imphash of the file.

entry_point

string (int64 format)

info.pe-entry-point.

entry_point_exiftool

string (int64 format)

info.exiftool.EntryPoint.

compilation_time

string (Timestamp format)

info.pe-timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

compilation_exiftool_time

string (Timestamp format)

info.exiftool.TimeStamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

section[]

object (FileMetadataSection)

FileMetadataSection fields.

imports[]

object (FileMetadataImports)

FileMetadataImports fields.

resource[]

object (FileMetadataPeResourceInfo)

FileMetadataPeResourceInfo fields.

resources_type_count[]
(deprecated)

object (StringToInt64MapEntry)

Deprecated: use resources_type_count_str.

resources_language_count[]
(deprecated)

object (StringToInt64MapEntry)

Deprecated: use resources_language_count_str.

resources_type_count_str[]

object (Label)

Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

resources_language_count_str[]

object (Label)

Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

signature_info
(deprecated)

object (FileMetadataSignatureInfo)

FileMetadataSignatureInfo field. Deprecated: use File.signature_info instead.

FileMetadataSection

@hide_from_doc

JSON representation
{
  "name": string,
  "entropy": number,
  "raw_size_bytes": string,
  "virtual_size_bytes": string,
  "md5_hex": string
}
Fields
name

string

Name of the section.

entropy

number

Entropy of the section.

raw_size_bytes

string (int64 format)

Raw file size in bytes.

virtual_size_bytes

string (int64 format)

Virtual file size in bytes.

md5_hex

string

MD5 hex of the file.

FileMetadataImports

@hide_from_doc

JSON representation
{
  "library": string,
  "functions": [
    string
  ]
}
Fields
library

string

Library field.

functions[]

string

Function field.

FileMetadataPeResourceInfo

@hide_from_doc

JSON representation
{
  "sha256_hex": string,
  "filetype_magic": string,
  "language_code": string,
  "entropy": number,
  "file_type": string
}
Fields
sha256_hex

string

SHA256 hex field.

filetype_magic

string

Type of resource content, as identified by the magic Python module.

language_code

string

Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples:

Language | Sublanguage | Field value
LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL
LANG_FRENCH | - | FRENCH
LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US

entropy

number

Entropy of the resource.

file_type

string

File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

StringToInt64MapEntry

@hide_from_doc

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

Key field.

value

string (int64 format)

Value field.

FileMetadataSignatureInfo

Signature information.

JSON representation
{
  "verification_message": string,
  "verified": boolean,
  "signer": [
    string
  ],
  "signers": [
    {
      object (SignerInfo)
    }
  ],
  "x509": [
    {
      object (X509)
    }
  ]
}
Fields
verification_message

string

Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

verified

boolean

True if verification_message == "Signed".

signer[]
(deprecated)

string

Deprecated: use signers field.

signers[]

object (SignerInfo)

File metadata signer information. The order of the signers matters. Each element is a higher-level authority, the last being the root authority.

x509[]

object (X509)

List of certificates.

SignerInfo

File metadata related to the signer information.

JSON representation
{
  "name": string,
  "status": string,
  "valid_usage": string,
  "cert_issuer": string
}
Fields
name

string

Common name of the signers/certificate. The order of the signers matters. Each element is a higher-level authority, the last being the root authority.

status

string

It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid.").

valid_usage

string

Indicates which situations the certificate is valid for (e.g. "Code Signing").

cert_issuer

string

Company that issued the certificate.

X509

File certificate.

JSON representation
{
  "name": string,
  "algorithm": string,
  "thumbprint": string,
  "cert_issuer": string,
  "serial_number": string
}
Fields
name

string

Certificate name.

algorithm

string

Certificate algorithm.

thumbprint

string

Certificate thumbprint.

cert_issuer

string

Issuer of the certificate.

serial_number

string

Certificate serial number.

FileType

The file type, for example Microsoft Windows executable.

Enums
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE File type is PE_EXE.
FILE_TYPE_PE_DLL Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_PYC File type is PYC.
FILE_TYPE_LNK File type is LNK.
FILE_TYPE_DESKTOP_ENTRY File type is DESKTOP_ENTRY.
FILE_TYPE_JPEG File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is Adobe InDesign.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_DWG File type is DWG.
FILE_TYPE_DXF File type is DXF.
FILE_TYPE_THREEDS File type is 3DS.
FILE_TYPE_OGG File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_WEBM File type is WEBM.
FILE_TYPE_MKV File type is MKV.
FILE_TYPE_PDF File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_ONE_NOTE File type is ONE_NOTE.
FILE_TYPE_OOXML File type is OOXML.
FILE_TYPE_SLK File type is SLK.
FILE_TYPE_EBOOK File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_ZST File type is ZST.
FILE_TYPE_LZFSE File type is LZFSE.
FILE_TYPE_PYTHON_WHL File type is PYTHON_WHL.
FILE_TYPE_PYTHON_PKG File type is PYTHON_PKG.
FILE_TYPE_MSIX File type is MSIX, new Windows app package format.
FILE_TYPE_TEXT File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_M4 File type is M4.
FILE_TYPE_OBJETIVEC File type is OBJETIVEC.
FILE_TYPE_JMOD File type is JMOD.
FILE_TYPE_MAKEFILE File type is MAKEFILE.
FILE_TYPE_INI File type is INI.
FILE_TYPE_CLJ File type is CLJ.
FILE_TYPE_PDB File type is PDB.
FILE_TYPE_SQL File type is SQL.
FILE_TYPE_NEKO File type is NEKO.
FILE_TYPE_WER File type is WER.
FILE_TYPE_GOLANG File type is GOLANG.
FILE_TYPE_M3U File type is M3U.
FILE_TYPE_BAT File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT).
FILE_TYPE_MSC File type is MSC, Microsoft Management Console (MMC).
FILE_TYPE_RDP File type is RDP, Microsoft Remote Desktop Protocol (RDP) file.
FILE_TYPE_SYMBIAN File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_SGML File type is SGML.
FILE_TYPE_JSON File type is JSON.
FILE_TYPE_CSV File type is CSV.
FILE_TYPE_HTA File type is HTA (HTML Application).
FILE_TYPE_INTERNET_SHORTCUT File type is MSHTML .url.
FILE_TYPE_CAP File type is CAP.
FILE_TYPE_ISOIMAGE File type is ISOIMAGE.
FILE_TYPE_SQUASHFS File type is SQUASHFS.
FILE_TYPE_VHD File type is VHD.
FILE_TYPE_APPLE File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED.
FILE_TYPE_CRX File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM File type is ROM.
FILE_TYPE_IPS File type is IPS.
FILE_TYPE_PEM File type is PEM.
FILE_TYPE_PGP File type is PGP.
FILE_TYPE_CRT File type is CRT.

ExifInfo

@hide_from_doc

JSON representation
{
  "original_file": string,
  "product": string,
  "company": string,
  "file_description": string,
  "entry_point": string,
  "compilation_time": string
}
Fields
original_file

string

Original file name.

product

string

Product name.

company

string

Company name.

file_description

string

Description of the file.

entry_point

string (int64 format)

Entry point.

compilation_time

string (Timestamp format)

Compilation time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

SignatureInfo

File signature information extracted from different tools.

JSON representation
{
  "sigcheck": {
    object (FileMetadataSignatureInfo)
  },
  "codesign": {
    object (FileMetadataCodesign)
  }
}
Fields
sigcheck

object (FileMetadataSignatureInfo)

Signature information extracted from the sigcheck tool.

codesign

object (FileMetadataCodesign)

Signature information extracted from the codesign utility.

FileMetadataCodesign

File metadata from the codesign utility.

JSON representation
{
  "id": string,
  "format": string,
  "compilation_time": string,
  "team_id": string
}
Fields
id

string

Code sign identifier.

format

string

Code sign format.

compilation_time

string (Timestamp format)

Code sign timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

team_id

string

The assigned team identifier of the developer who signed the application.

PDFInfo

Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info

JSON representation
{
  "js": string,
  "javascript": string,
  "launch_action_count": string,
  "object_stream_count": string,
  "endobj_count": string,
  "header": string,
  "acroform": string,
  "autoaction": string,
  "embedded_file": string,
  "encrypted": string,
  "flash": string,
  "jbig2_compression": string,
  "obj_count": string,
  "endstream_count": string,
  "page_count": string,
  "stream_count": string,
  "openaction": string,
  "startxref": string,
  "suspicious_colors": string,
  "trailer": string,
  "xfa": string,
  "xref": string
}
Fields
js

string (int64 format)

Number of /JS tags found in the PDF file. Should be the same as the javascript field in normal scenarios.

javascript

string (int64 format)

Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios.

launch_action_count

string (int64 format)

Number of /Launch tags found in the PDF file.

object_stream_count

string (int64 format)

Number of object streams.

endobj_count

string (int64 format)

Number of object definitions (endobj keyword).

header

string

PDF version.

acroform

string (int64 format)

Number of /AcroForm tags found in the PDF.

autoaction

string (int64 format)

Number of /AA tags found in the PDF.

embedded_file

string (int64 format)

Number of /EmbeddedFile tags found in the PDF.

encrypted

string (int64 format)

Whether the document is encrypted or not. This is defined by the /Encrypt tag.

flash

string (int64 format)

Number of /RichMedia tags found in the PDF.

jbig2_compression

string (int64 format)

Number of /JBIG2Decode tags found in the PDF.

obj_count

string (int64 format)

Number of object definitions (obj keyword).

endstream_count

string (int64 format)

Number of stream terminators (endstream keyword).

page_count

string (int64 format)

Number of pages in the PDF.

stream_count

string (int64 format)

Number of defined stream objects (stream keyword).

openaction

string (int64 format)

Number of /OpenAction tags found in the PDF.

startxref

string (int64 format)

Number of startxref keywords in the PDF.

suspicious_colors

string (int64 format)

Number of colors expressed with more than 3 bytes (CVE-2009-3459).

trailer

string (int64 format)

Number of trailer keywords in the PDF.

xfa

string (int64 format)

Number of /XFA tags found in the PDF.

xref

string (int64 format)

Number of xref keywords in the PDF.
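As an added example (not part of the UDM reference or of any Google tool), the Python routine below derives the PDFInfo counters described above from raw PDF bytes, emits them as the int64-format strings the schema uses, and then flags the active-content counters a defender would triage first. The sample PDF is constructed, and reading suspicious_colors as a /Colors value above 2^24 is an assumption.

```python
import re

# Name tags are counted as occurrences of the PDF name object; a name ends at
# the first delimiter, so the lookahead keeps /JS from matching /JSX and
# /Encrypt from matching /EncryptMetadata. Keywords are counted at word
# boundaries so "endobj" is not also an "obj", nor "startxref" an "xref".
_NAME_TAGS = {
    "js": rb"/JS", "javascript": rb"/JavaScript",
    "launch_action_count": rb"/Launch", "acroform": rb"/AcroForm",
    "autoaction": rb"/AA", "embedded_file": rb"/EmbeddedFile",
    "encrypted": rb"/Encrypt", "flash": rb"/RichMedia",
    "jbig2_compression": rb"/JBIG2Decode", "openaction": rb"/OpenAction", "xfa": rb"/XFA",
}
_KEYWORDS = {
    "obj_count": rb"\bobj\b", "endobj_count": rb"\bendobj\b",
    "stream_count": rb"\bstream\b", "endstream_count": rb"\bendstream\b",
    "startxref": rb"\bstartxref\b", "trailer": rb"\btrailer\b", "xref": rb"\bxref\b",
}

def pdf_info(data: bytes) -> dict:
    """Build a PDFInfo-shaped dict; every counter is a string (int64 format)."""
    m = re.match(rb"%PDF-(\d+\.\d+)", data)
    info = {"header": m.group(1).decode() if m else ""}
    for field, pat in _NAME_TAGS.items():
        info[field] = str(len(re.findall(pat + rb"(?![A-Za-z0-9_])", data)))
    for field, pat in _KEYWORDS.items():
        info[field] = str(len(re.findall(pat, data)))
    info["object_stream_count"] = str(len(re.findall(rb"/Type\s*/ObjStm\b", data)))
    info["page_count"] = str(len(re.findall(rb"/Type\s*/Page(?![A-Za-z])", data)))
    # Assumed reading of "colors expressed with more than 3 bytes": a /Colors
    # value above 2^24 (the CVE-2009-3459 predictor overflow trigger).
    colors = [int(v) for v in re.findall(rb"/Colors\s+(\d+)", data)]
    info["suspicious_colors"] = str(sum(1 for v in colors if v > 2**24))
    return info

# Counters whose non-zero value means the file carries active content.
ACTIVE_CONTENT = ("js", "javascript", "openaction", "autoaction",
                  "launch_action_count", "embedded_file", "xfa")

def triage(info: dict) -> list:
    """Reasons a PDF deserves analyst attention, derived from PDFInfo counters."""
    reasons = [f"{f}={info[f]}" for f in ACTIVE_CONTENT if int(info[f]) > 0]
    if info["js"] != info["javascript"]:            # normally equal (see field docs)
        reasons.append("js/javascript count mismatch")
    if info["obj_count"] != info["endobj_count"]:   # malformed or truncated file
        reasons.append("unbalanced obj/endobj")
    return reasons

# Constructed sample: a one-page PDF that runs JavaScript when opened.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
5 0 obj << /Length 0 >>
stream
endstream
endobj
xref 0 6
trailer << /Root 1 0 R /Size 6 >>
startxref 0
%%EOF
"""
```

Names written with #xx hex escapes (for example /J#53) are not normalised here, so a production parser should decode names before counting.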

NtfsFileMetadata

NTFS-specific file metadata.

JSON representation
{
  "change_time": string,
  "filename_create_time": string,
  "filename_modify_time": string,
  "filename_access_time": string,
  "filename_change_time": string
}
Fields
change_time

string (Timestamp format)

NTFS MFT entry changed timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

filename_create_time

string (Timestamp format)

NTFS $FILE_NAME attribute created timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

filename_modify_time

string (Timestamp format)

NTFS $FILE_NAME attribute modified timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

filename_access_time

string (Timestamp format)

NTFS $FILE_NAME attribute accessed timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

filename_change_time

string (Timestamp format)

NTFS $FILE_NAME attribute changed timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

TokenElevationType

The elevation type of the process's token. See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type

Enums
UNKNOWN An undetermined token type.
TYPE_1 A full token with no privileges removed or groups disabled.
TYPE_2 An elevated token with no privileges removed or groups disabled. Used when running as administrator.
TYPE_3 A limited token with administrative privileges removed and administrative groups disabled.

Asset

Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.

JSON representation
{
  "product_object_id": string,
  "hostname": string,
  "asset_id": string,
  "ip": [
    string
  ],
  "mac": [
    string
  ],
  "nat_ip": [
    string
  ],
  "first_seen_time": string,
  "hardware": [
    {
      object (Hardware)
    }
  ],
  "platform_software": {
    object (PlatformSoftware)
  },
  "software": [
    {
      object (Software)
    }
  ],
  "location": {
    object (Location)
  },
  "category": string,
  "type": enum (AssetType),
  "network_domain": string,
  "creation_time": string,
  "first_discover_time": string,
  "last_discover_time": string,
  "system_last_update_time": string,
  "last_boot_time": string,
  "labels": [
    {
      object (Label)
    }
  ],
  "deployment_status": enum (DeploymentStatus),
  "vulnerabilities": [
    {
      object (Vulnerability)
    }
  ],
  "attribute": {
    object (Attribute)
  }
}
Fields
product_object_id

string

A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities.

hostname

string

Asset hostname or domain name field. This field can be used as an entity indicator for asset entities.

asset_id

string

The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities.

ip[]

string

A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities.

mac[]

string

List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities.

nat_ip[]

string

List of NAT IP addresses associated with an asset.

first_seen_time

string (Timestamp format)

The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

hardware[]

object (Hardware)

The asset hardware specifications.

platform_software

object (PlatformSoftware)

The asset operating system platform software.

software[]

object (Software)

The asset software details.

location

object (Location)

Location of the asset.

category

string

The category of the asset (e.g. "End User Asset", "Workstation", "Server").

type

enum (AssetType)

The type of the asset (e.g. workstation or laptop or server).

network_domain

string

The network domain of the asset (e.g. "corp.acme.com").

creation_time
(deprecated)

string (Timestamp format)

Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

first_discover_time

string (Timestamp format)

Time the asset was first discovered (by asset management/discoverability software).

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_discover_time

string (Timestamp format)

Time the asset was last discovered (by asset management/discoverability software).

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

system_last_update_time

string (Timestamp format)

Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_boot_time

string (Timestamp format)

Time the asset was last booted.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

labels[]
(deprecated)

object (Label)

Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.

deployment_status

enum (DeploymentStatus)

The deployment status of the asset for device lifecycle purposes.

vulnerabilities[]

object (Vulnerability)

Vulnerabilities discovered on asset.

attribute

object (Attribute)

Generic entity metadata attributes of the asset.

Hardware

Hardware specification details for a resource, including both physical and virtual hardware.

JSON representation
{
  "serial_number": string,
  "manufacturer": string,
  "model": string,
  "cpu_platform": string,
  "cpu_model": string,
  "cpu_clock_speed": string,
  "cpu_max_clock_speed": string,
  "cpu_number_cores": string,
  "ram": string
}
Fields
serial_number

string

Hardware serial number.

manufacturer

string

Hardware manufacturer.

model

string

Hardware model.

cpu_platform

string

Platform of the hardware CPU (e.g. "Intel Broadwell").

cpu_model

string

Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").

cpu_clock_speed

string

Clock speed of the hardware CPU in MHz.

cpu_max_clock_speed

string

Maximum possible clock speed of the hardware CPU in MHz.

cpu_number_cores

string

Number of CPU cores.

ram

string

Amount of hardware random access memory (RAM) in Mb.

PlatformSoftware

Platform software information about an operating system.

JSON representation
{
  "platform": enum (Platform),
  "platform_version": string,
  "platform_patch_level": string
}
Fields
platform

enum (Platform)

The platform operating system.

platform_version

string

The platform software version (e.g. "Microsoft Windows 1803").

platform_patch_level

string

The platform software patch level (e.g. "Build 17134.48", "SP1").

Platform

Operating system platform.

Enums
UNKNOWN_PLATFORM Default value.
WINDOWS Microsoft Windows.
MAC macOS.
LINUX Linux.
GCP Deprecated: see cloud.environment.
AWS Deprecated: see cloud.environment.
AZURE Deprecated: see cloud.environment.
IOS iOS.
ANDROID Android.
CHROME_OS Chrome OS.

Software

Information about a software package or application.

JSON representation
{
  "name": string,
  "version": string,
  "permissions": [
    {
      object (Permission)
    }
  ],
  "description": string,
  "vendor_name": string
}
Fields
name

string

The name of the software.

version

string

The version of the software.

permissions[]

object (Permission)

System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE".

description

string

The description of the software.

vendor_name

string

The name of the software vendor.

AssetType

The role type of the asset.

Enums
ROLE_UNSPECIFIED Unspecified asset role.
WORKSTATION A workstation or desktop.
LAPTOP A laptop computer.
IOT An IoT asset.
NETWORK_ATTACHED_STORAGE A network attached storage device.
PRINTER A printer.
SCANNER A scanner.
SERVER A server.
TAPE_LIBRARY A tape library device.
MOBILE A mobile device such as a mobile phone or PDA.

DeploymentStatus

Deployment status states.

Enums
DEPLOYMENT_STATUS_UNSPECIFIED Unspecified deployment status.
ACTIVE Asset is active, functional and deployed.
PENDING_DECOMISSION Asset is pending decommission and no longer deployed.
DECOMISSIONED Asset is decommissioned.

Registry

Information about a registry key or value.

JSON representation
{
  "registry_key": string,
  "registry_value_name": string,
  "registry_value_data": string,
  "registry_value_type": enum (Type)
}
Fields
registry_key

string

Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).

registry_value_name

string

Name of the registry value associated with an application or system component (e.g. TEMP).

registry_value_data

string

Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

registry_value_type

enum (Type)

Type of the registry value.

Type

Type of the registry value. These values are based on the Windows Registry value types: https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

Enums
TYPE_UNSPECIFIED Default registry value type used when the type is unknown.
NONE The registry value is not set and only the key exists.
SZ A null-terminated string.
EXPAND_SZ A null-terminated string that contains unexpanded references to environment variables.
BINARY Binary data in any form.
DWORD A 32-bit number.
DWORD_LITTLE_ENDIAN A 32-bit number in little-endian format.
DWORD_BIG_ENDIAN A 32-bit number in big-endian format.
MULTI_SZ A sequence of null-terminated strings, terminated by an empty string.
RESOURCE_LIST A device driver resource list.
QWORD A 64-bit number.
QWORD_LITTLE_ENDIAN A 64-bit number in little-endian format.

Id

Identifier for a UDM object such as a UDM event, Entity or Collection. The full identifier used for persistence is created by setting the 32 most significant bits to the Id.Namespace enum value. This message is a convenience wrapper that defines the id space enum values and provides an easy interface for RPCs; most persistence use cases should use a denormalized form.

JSON representation
{
  "namespace": enum (Namespace),
  "id": string,
  "string_id": string
}
Fields
namespace

enum (Namespace)

Namespace the id belongs to.

id

string (bytes format)

Full raw ID.

A base64-encoded string.

string_id

string

Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa...

Investigation

Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.

JSON representation
{
  "comments": [
    string
  ],
  "verdict": enum (Verdict),
  "reputation": enum (Reputation),
  "severity_score": integer,
  "status": enum (Status),
  "priority": enum (Priority),
  "root_cause": string,
  "reason": enum (Reason),
  "risk_score": integer
}
Fields
comments[]

string

Comments added by the analyst.

verdict

enum (Verdict)

Describes the reason a finding investigation was resolved.

reputation

enum (Reputation)

Describes whether a finding was useful or not useful.

severity_score

integer (uint32 format)

Severity score for a finding set by an analyst.

status

enum (Status)

Describes the workflow status of a finding.

priority

enum (Priority)

Priority of the Alert or Finding set by an analyst.

root_cause

string

Root cause of the Alert or Finding set by an analyst.

reason

enum (Reason)

Reason for closing the Case or Alert.

risk_score

integer (uint32 format)

Risk score for a finding set by an analyst.

Verdict

Categorization options for the validity of a finding (for example, whether it reflects an actual security incident).

Enums
VERDICT_UNSPECIFIED An unspecified verdict.
TRUE_POSITIVE A categorization of the finding as a "true positive".
FALSE_POSITIVE A categorization of the finding as a "false positive".

Reputation

Categorization options for the usefulness of a finding.

Enums
REPUTATION_UNSPECIFIED An unspecified reputation.
USEFUL A categorization of the finding as useful.
NOT_USEFUL A categorization of the finding as not useful.

Status

Describes status of a finding.

Enums
STATUS_UNSPECIFIED Unspecified finding status.
NEW New finding.
REVIEWED When a finding has feedback.
CLOSED When an analyst closes a finding.
OPEN Open. Used to indicate that a Case / Alert is open.

Priority

Priority that is assigned to a Case or Alert.

Enums
PRIORITY_UNSPECIFIED Default priority level.
PRIORITY_INFO Informational priority.
PRIORITY_LOW Low priority.
PRIORITY_MEDIUM Medium priority.
PRIORITY_HIGH High priority.
PRIORITY_CRITICAL Critical priority.

Reason

Reason for closing an Alert or Case in the SOAR product.

Enums
REASON_UNSPECIFIED Default reason.
REASON_NOT_MALICIOUS Case or Alert not malicious.
REASON_MALICIOUS Case or Alert is malicious.
REASON_MAINTENANCE Case or Alert is under maintenance.