The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

| Field | Description |
|---|---|
| hostname | Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. |
| domain | Information about the domain. |
| artifact | Information about an artifact. |
| url_ | Information about the URL. |
| asset_ | The asset ID. This field can be used as an entity indicator for asset entities. |
| user | Information about the user. |
| user_ | Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery, since recursive fields (e.g. user.managers) are not supported by BigQuery. |
| group | Information about the group. |
| process | Information about the process. |
| process_ | Information about the process's ancestors, ordered from the immediate ancestor (parent process) to the root. Note: process_ancestors is only populated when data is exported to BigQuery, since recursive fields (e.g. process.parent_process) are not supported by BigQuery. |
| asset | Information about the asset. |
| ip[] | A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. |
| nat_ | A list of NAT-translated IP addresses associated with a network connection. |
| port | Source or destination network port number when a specific network connection is described within an event. |
| nat_ | NAT external network port number when a specific network connection is described within an event. |
| mac[] | List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. |
| administrative_ | Domain which the device belongs to (for example, the Microsoft Windows domain). |
| namespace | Namespace which the device belongs to, such as "AD forest". Uses for this field include the Microsoft Windows AD forest, the name of a subsidiary, or the name of an acquisition. This field can be used along with an asset indicator to identify an asset. |
| url | The URL. |
| file | Information about the file. |
| email | Email address. Only filled in for security_result.about. |
| registry | Registry information. |
| application | The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". |
| platform | Platform. |
| platform_ | Platform version. For example, "Microsoft Windows 1803". |
| platform_ | Platform patch level. For example, "Build 17134.48". |
| cloud | Cloud metadata. Deprecated: cloud should be populated in the entity's Attribute as generic metadata (e.g. asset.attribute.cloud). |
| location | Physical location. For cloud environments, set the region in location.name. |
| ip_location[] | Deprecated: use ip_geo_artifact.location instead. |
| ip_ | Enriched geographic information corresponding to an IP address, specifically location and network data. |
| resource | Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes, because these objects are already part of Noun. |
| resource_ | Information about the resource's ancestors, ordered from the immediate ancestor (starting with the parent resource). |
| labels[] | Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in the entity's Attribute as generic metadata (e.g. user.attribute.labels). |
| object_ | The finding whose feedback the analyst updated. |
| investigation | Analyst feedback/investigation for alerts. |
| network | Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
| security_ | A list of security results. |
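A schema-hygiene helper written against the field notes above, as an added example that is not part of this page or of Chronicle's own tooling: it flags populated Noun fields the page marks deprecated (with the replacement the page names), reports which entity-indicator fields a Noun actually carries, and flattens the recursive parent_process and managers chains into the ancestor lists the page says only the BigQuery export provides. It uses only field names that appear in full on this page; the sample Noun and every value in it are constructed.

```python
"""Schema-hygiene checks for UDM Noun messages.

Added example written against this page's field descriptions; not Chronicle
code. Only field names that appear in full on the page are used.
"""
from __future__ import annotations

from typing import Any, Callable

Noun = dict[str, Any]

# Deprecated or superseded Noun fields (dotted paths) and the replacement
# the page names for each.
DEPRECATED: dict[str, str] = {
    "cloud": "the entity's attribute.cloud (e.g. asset.attribute.cloud)",
    "labels": "the entity's attribute.labels (e.g. user.attribute.labels)",
    "ip_location": "ip_geo_artifact.location",
    "user.groupid": "user.group_identifiers",
    "user.role_name": "user.attribute.roles",
    "user.role_description": "user.attribute.roles",
    "user.user_role": "user.attribute.roles",
    "process.parent_pid": "process.parent_process.pid",
    "process.product_specific_parent_process_id":
        "process.parent_process.product_specific_process_id",
    "file.ahash": "file.authentihash",
    "resource.type": "resource.resource_type",
    "resource.id": "resource.name or resource.product_object_id",
    "resource.parent": "resource.resource_ancestors.name",
}

# Fields the page marks "can be used as an entity indicator", per entity kind.
ENTITY_INDICATORS: dict[str, tuple[str, ...]] = {
    "asset": ("hostname", "ip", "mac"),
    "user": ("user.product_object_id", "user.userid"),
    "file": ("file.sha256", "file.md5", "file.sha1", "file.full_path"),
    "process": ("process.pid",),
    "domain": ("domain.name",),
    "artifact": ("artifact.ip",),
    "resource": ("resource.product_object_id",),
}


def get_path(noun: Noun, path: str) -> Any:
    """Dotted lookup; None when a segment is missing or its parent is not a dict."""
    cur: Any = noun
    for seg in path.split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def _populated(value: Any) -> bool:
    # Absent, empty-string and empty repeated/message values do not count.
    return value not in (None, "", [], {})


def deprecated_fields(noun: Noun) -> list[tuple[str, str]]:
    """(path, replacement) for every deprecated field that is populated."""
    return [(p, r) for p, r in DEPRECATED.items() if _populated(get_path(noun, p))]


def entity_indicators(noun: Noun) -> dict[str, list[str]]:
    """Entity kind -> indicator fields this Noun actually populates."""
    found: dict[str, list[str]] = {}
    for kind, paths in ENTITY_INDICATORS.items():
        hits = [p for p in paths if _populated(get_path(noun, p))]
        if hits:
            found[kind] = hits
    return found


def _walk(start: Noun, children: Callable[[Noun], list[Noun]], limit: int = 64) -> list[Noun]:
    """Breadth-first walk of a recursive message, nearest level first. Each node
    is visited once (by identity) and at most `limit` nodes are returned, so a
    malformed self-referencing chain cannot loop forever."""
    out: list[Noun] = []
    queue = list(children(start))
    seen = {id(start)}
    while queue and len(out) < limit:
        node = queue.pop(0)
        if id(node) in seen:
            continue
        seen.add(id(node))
        out.append(node)
        queue.extend(children(node))
    return out


def process_ancestors(process: Noun) -> list[Noun]:
    """Flatten parent_process into a list ordered from immediate parent to root."""
    def parent(p: Noun) -> list[Noun]:
        pp = p.get("parent_process")
        return [pp] if isinstance(pp, dict) else []
    return _walk(process, parent)


def user_management_chain(user: Noun) -> list[Noun]:
    """Flatten managers: immediate managers first, then their managers, and so on."""
    def managers(u: Noun) -> list[Noun]:
        return [m for m in (u.get("managers") or []) if isinstance(m, dict)]
    return _walk(user, managers)


# Constructed sample principal Noun; every value here is made up.
SAMPLE_PRINCIPAL: Noun = {
    "hostname": "ws-042.example.internal",
    "ip": ["10.20.30.40"],
    "labels": [{"key": "env", "value": "prod"}],  # deprecated placement
    "user": {"userid": "jlocke", "groupid": "finance",  # groupid is deprecated
             "managers": [{"userid": "bsmith", "managers": [{"userid": "ceo"}]}]},
    "process": {"pid": "4312", "parent_pid": "880",  # parent_pid is deprecated
                "parent_process": {"pid": "880", "parent_process": {"pid": "4"}}},
    "file": {"sha256": "00" * 32, "full_path": "C:\\Windows\\System32\\cmd.exe"},
}

if __name__ == "__main__":
    for path, replacement in deprecated_fields(SAMPLE_PRINCIPAL):
        print(f"deprecated field {path}: populate {replacement} instead")
    print("indicators:", entity_indicators(SAMPLE_PRINCIPAL))
    print("process_ancestors:", [p["pid"] for p in process_ancestors(SAMPLE_PRINCIPAL["process"])])
    print("management chain:", [u["userid"] for u in user_management_chain(SAMPLE_PRINCIPAL["user"])])
```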
Domain
Information about a domain.

| Field | Description |
|---|---|
| name | The domain name. This field can be used as an entity indicator for Domain entities. |
| prevalence | The prevalence of the domain within the customer's environment. |
| first_ | First seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_ | Last seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| registrar | Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". |
| contact_ | Contact email address. |
| whois_ | Whois server name. |
| name_ | Repeated list of name servers. |
| creation_ | Domain creation time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| update_ | Last updated time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| expiration_ | Expiration time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| audit_ | Audit updated time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| status | Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values. |
| registrant | Parsed contact information for the registrant of the domain. |
| admin | Parsed contact information for the administrative contact for the domain. |
| tech | Parsed contact information for the technical contact for the domain. |
| billing | Parsed contact information for the billing contact of the domain. |
| zone | Parsed contact information for the zone. |
| whois_ | WHOIS raw text. A base64-encoded string. |
| registry_ | Registry data raw text. A base64-encoded string. |
| iana_ | IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml |
| private_ | Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. |
| categories[] | Categories assigned to the domain, as retrieved from VirusTotal. |
| favicon | Includes the difference hash and MD5 hash of the domain's favicon. |
| jarm | Domain's JARM hash. |
| last_ | Domain's DNS records from the last scan. |
| last_ | Date when the DNS records list was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_ | SSL certificate object retrieved the last time the domain was analyzed. |
| last_ | When the certificate was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| popularity_ | Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc. |
| tags[] | List of representative attributes. |
| whois_ | Date of the last update of the WHOIS record. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
User
Information about a user.

| Field | Description |
|---|---|
| product_ | A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. |
| userid | The ID of the user. This field can be used as an entity indicator for user entities. |
| user_ | The display name of the user (e.g. "John Locke"). |
| first_ | First name of the user (e.g. "John"). |
| middle_ | Middle name of the user. |
| last_ | Last name of the user (e.g. "Locke"). |
| phone_ | Phone numbers for the user. |
| personal_ | Personal address of the user. |
| attribute | Generic entity metadata attributes of the user. |
| first_ | The first observed time for a user, calculated from the first time the identifier was observed. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| account_ | Type of user account (for example, service, domain, or cloud). This is somewhat aligned to https://attack.mitre.org/techniques/T1078/ |
| groupid | The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. |
| group_ | Product object identifiers of the group(s) the user belongs to: a vendor-specific identifier (a GUID, LDAP OID, or similar) that uniquely identifies each group. |
| windows_ | The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. |
| email_ | Email addresses of the user. This field can be used as an entity indicator for user entities. |
| employee_ | Human capital management identifier. This field can be used as an entity indicator for user entities. |
| title | User job title. |
| company_ | User job company name. |
| department[] | User job department. |
| office_ | User job office location. |
| managers[] | User job manager(s). |
| hire_ | User job employment hire date. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| termination_ | User job employment termination date. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| time_ | User time off (leaves from active work). |
| last_ | User last login timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_ | User last password change timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| password_ | User password expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| account_ | User account expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| account_ | User account lockout timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_ | User last bad password attempt timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| user_ | System authentication status for the user. |
| role_name | System role name for the user. Deprecated: use attribute.roles. |
| role_description | System role description for the user. Deprecated: use attribute.roles. |
| user_role | System role for the user. Deprecated: use attribute.roles. |
Attribute
Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account).

| Field | Description |
|---|---|
| cloud | Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. |
| labels[] | Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings. |
| permissions[] | System permissions for the IAM entity (human principal, service account, group). |
| roles[] | System IAM roles to be assumed by resources to use the role's permissions for access control. |
| creation_ | Time the resource or entity was created or provisioned. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_ | Time the resource or entity was last updated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
Cloud
Metadata related to the cloud environment.

| Field | Description |
|---|---|
| environment | The Cloud environment. |
| vpc | The cloud environment VPC. Deprecated. |
| project | The cloud environment project information. Deprecated: use Resource.resource_ancestors. |
| availability_ | The cloud environment availability zone (different from the region, which is location.name). |
CloudEnvironment
The service provider environment.

| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
Resource
Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar.

| Field | Description |
|---|---|
| type | Deprecated: use resource_type instead. |
| resource_ | Resource type. |
| resource_ | Resource sub-type (e.g. "BigQuery", "Bigtable"). |
| id | Deprecated: use resource.name or resource.product_object_id. |
| name | The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. |
| parent | The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. |
| product_ | A vendor-specific identifier that uniquely identifies the entity (a GUID, OID, or similar). This field can be used as an entity indicator for a Resource entity. |
| attribute | Generic entity metadata attributes of the resource. |
ResourceType
The type of resource being referred to. Be as descriptive as possible, and suggest adding types if your data doesn't cleanly map to one.

| Enum | Description |
|---|---|
| UNSPECIFIED | Default type. |
| MUTEX | Mutex. |
| TASK | Task. |
| PIPE | Named pipe. |
| DEVICE | Device. |
| FIREWALL_RULE | Firewall rule. |
| MAILBOX_FOLDER | Mailbox folder. |
| VPC_NETWORK | VPC network. |
| VIRTUAL_MACHINE | Virtual machine. |
| STORAGE_BUCKET | Storage bucket. |
| STORAGE_OBJECT | Storage object. |
| DATABASE | Database. |
| TABLE | Data table. |
| CLOUD_PROJECT | Cloud project. |
| CLOUD_ORGANIZATION | Cloud organization. |
| SERVICE_ACCOUNT | Service account. |
| ACCESS_POLICY | Access policy. |
| CLUSTER | Cluster. |
| SETTING | Settings. |
| DATASET | Dataset. |
| BACKEND_SERVICE | Endpoint that receives traffic from a load balancer or proxy. |
| POD | Pod, which is a collection of containers. Often used in Kubernetes. |
| CONTAINER | Container. |
| FUNCTION | Cloud function. |
| RUNTIME | Runtime. |
| IP_ADDRESS | IP address. |
| DISK | Disk. |
| VOLUME | Volume. |
| IMAGE | Machine image. |
| SNAPSHOT | Snapshot. |
| REPOSITORY | Repository. |
| CREDENTIAL | Credential, e.g. access keys, SSH keys, tokens, certificates. |
| LOAD_BALANCER | Load balancer. |
| GATEWAY | Gateway. |
| SUBNET | Subnet. |
| USER | User. |
Permission
System permission for resource access and modification.

| Field | Description |
|---|---|
| name | Name of the permission (e.g. chronicle.analyst.updateRule). |
| description | Description of the permission (e.g. 'Ability to update detect rules'). |
| type | Type of the permission. |
PermissionType
High level categorizations of permission type.

| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
Role
System role for resource access and modification.

| Field | Description |
|---|---|
| name | System role name for the user. |
| description | System role description for the user. |
| type | System role type for well-known roles. |
Type
Well-known system roles.

| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privileged access. |
AccountType
User Account Type.

| Enum | Description |
|---|---|
| ACCOUNT_TYPE_UNSPECIFIED | Default user account type. |
| DOMAIN_ACCOUNT_TYPE | A human account that is part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE | A local machine account. |
| CLOUD_ACCOUNT_TYPE | A SaaS service account type (such as Slack or GitHub). |
| SERVICE_ACCOUNT_TYPE | A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE | A system built-in default account. |
TimeOff
System record for leave/time-off from a Human Capital Management (HCM) system.

| Field | Description |
|---|---|
| interval | Interval duration of the leave. |
| description | Description of the leave, if available (e.g. 'Vacation'). |
AuthenticationStatus
Authentication status, can be used to describe the status of authentication for a user or particular credential.

| Enum | Description |
|---|---|
| UNKNOWN_AUTHENTICATION_STATUS | The default authentication status. |
| ACTIVE | The authentication method is in an active state. |
| SUSPENDED | The authentication method is in a suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS | The authentication method has no active credentials. |
| DELETED | The authentication method has been deleted. |
Role
User system roles.

| Enum | Description |
|---|---|
| UNKNOWN_ROLE | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privileged access. Deprecated: not a role; instead set User.account_type. |
Favicon
Difference hash and MD5 hash of the domain's favicon.

JSON representation: `{ "raw_md5": string, "dhash": string }`

| Field | Description |
|---|---|
| raw_ | Favicon's MD5 hash. |
| dhash | Difference hash. |
DNSRecord
DNS record.

JSON representation: `{ "type": string, "value": string, "ttl": string, "priority": string, "retry": string, "refresh": string, "minimum": string, "expire": string, "serial": string, "rname": string }`

| Field | Description |
|---|---|
| type | Type. |
| value | Value. |
| ttl | Time to live. A duration in seconds with up to nine fractional digits, ending with ' |
| priority | Priority. |
| retry | Retry. |
| refresh | Refresh. A duration in seconds with up to nine fractional digits, ending with ' |
| minimum | Minimum. A duration in seconds with up to nine fractional digits, ending with ' |
| expire | Expire. A duration in seconds with up to nine fractional digits, ending with ' |
| serial | Serial. |
| rname | Rname. |
SSLCertificate
SSL certificate.

| Field | Description |
|---|---|
| cert_ | Certificate's signature and algorithm. |
| extension | Deprecated: certificate's extension. |
| cert_ | Certificate's extensions. |
| first_ | Date the certificate was first retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| issuer | Certificate's issuer data. |
| ec | EC public key information. |
| serial_ | Certificate's serial number hexdump. |
| signature_ | Algorithm used for the signature (for example, "sha1RSA"). |
| size | Certificate content length. |
| subject | Certificate's subject data. |
| thumbprint | Certificate's content SHA1 hash. |
| thumbprint_ | Certificate's content SHA256 hash. |
| validity | Certificate's validity period. |
| version | Certificate version (typically "V1", "V2" or "V3"). |
| public_ | Public key information. |
CertSignature
Certificate's signature and algorithm.

JSON representation: `{ "signature": string, "signature_algorithm": string }`

| Field | Description |
|---|---|
| signature | Signature. |
| signature_ | Algorithm. |
Extension
Certificate's extensions.

| Field | Description |
|---|---|
| ca | Whether the subject acts as a certificate authority (CA) or not. |
| subject_ | Identifies the public key being certified. |
| authority_ | Identifies the public key to be used to verify the signature on this certificate or CRL. |
| key_ | The purpose for which the certified public key is used. |
| ca_ | Authority information access locations are URLs that are added to a certificate in its authority information access extension. |
| crl_ | CRL distribution points to which a certificate user should refer to ascertain whether the certificate has been revoked. |
| extended_ | One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. |
| subject_ | Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. |
| certificate_ | Different certificate policies will relate to different applications which may use the certified key. |
| netscape_ | Used to include free-form text comments inside certificates. |
| cert_ | BMP data value "DomainController". See MS Q291010. |
| netscape_ | Identifies whether the certificate subject is an SSL client, an SSL server, or a CA. |
| pe_ | Whether the certificate includes a logotype. |
| old_ | Whether the certificate has an old authority key identifier extension. |
AuthorityKeyId
Identifies the public key to be used to verify the signature on this certificate or CRL.

JSON representation: `{ "keyid": string, "serial_number": string }`

| Field | Description |
|---|---|
| keyid | Key hexdump. |
| serial_ | Serial number hexdump. |
Subject
Subject data.

JSON representation: `{ "country_name": string, "common_name": string, "locality": string, "organization": string, "organizational_unit": string, "state_or_province_name": string }`

| Field | Description |
|---|---|
| country_ | C: Country name. |
| common_ | CN: CommonName. |
| locality | L: Locality. |
| organization | O: Organization. |
| organizational_ | OU: OrganizationalUnit. |
| state_ | ST: StateOrProvinceName. |
EC
EC public key information.

JSON representation: `{ "oid": string, "pub": string }`

| Field | Description |
|---|---|
| oid | Curve name. |
| pub | Public key hexdump. |
Validity
Defines certificate's validity period.

JSON representation: `{ "expiry_time": string, "issue_time": string }`

| Field | Description |
|---|---|
| expiry_ | Expiry date. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| issue_ | Issue date. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
PublicKey
Subject public key info.

| Field | Description |
|---|---|
| algorithm | Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. |
| rsa | RSA public key information. |
RSA
RSA public key information.

JSON representation: `{ "key_size": string, "modulus": string, "exponent": string }`

| Field | Description |
|---|---|
| key_ | Key size. |
| modulus | Key modulus hexdump. |
| exponent | Key exponent hexdump. |
PopularityRank
Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.

JSON representation: `{ "giver": string, "rank": string, "ingestion_time": string }`

| Field | Description |
|---|---|
| giver | Name of the ranking source. |
| rank | Rank position. |
| ingestion_ | Timestamp when the rank was ingested. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
Artifact
Information about an artifact. The artifact can only be an IP.

| Field | Description |
|---|---|
| ip | IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. |
| prevalence | The prevalence of the artifact within the customer's environment. |
| first_ | First seen timestamp of the IP in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_ | Last seen timestamp of the IP address in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| location | Location of the Artifact's IP address. |
| network | Network information related to the Artifact's IP address. |
| as_ | Owner of the Autonomous System to which the IP address belongs. |
| asn | Autonomous System Number to which the IP address belongs. |
| jarm | The JARM hash for the IP address (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). |
| last_ | SSL certificate information about the IP address. |
| last_ | Most recent date for the certificate in VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| regional_ | RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). |
| tags[] | Identification attributes. |
| whois | WHOIS information as returned from the pertinent WHOIS server. |
| whois_ | Date of the last update of the WHOIS record in VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| tunnels[] | VPN tunnels. |
| anonymous | Whether the VPN tunnels are configured for anonymous browsing or not. |
| artifact_ | Entity or software accessing or utilizing network resources. |
| risks[] | Potential risks associated with the network activity. |
Tunnels
VPN tunnels.

JSON representation: `{ "provider": string, "type": string }`

| Field | Description |
|---|---|
| provider | The provider of the VPN tunnels being used. |
| type | The type of the VPN tunnels. |
ArtifactClient
Entity or software accessing or utilizing network resources.

JSON representation: `{ "behaviors": [ string ], "proxies": [ string ] }`

| Field | Description |
|---|---|
| behaviors[] | The behaviors of the client accessing the network. |
| proxies[] | The type of proxies used by the client. |
Url
Url.

| Field | Description |
|---|---|
| url | URL. |
| categories[] | Categorisation done by VirusTotal partners. |
| favicon | Difference hash and MD5 hash of the URL's favicon. |
| html_ | Meta tags (only for URLs downloading HTML). |
| last_ | Where the original URL ends up, if it redirects. |
| last_ | HTTP response code of the last response. |
| last_ | Length in bytes of the content received. |
| last_ | URL response body's SHA256 hash. |
| last_ | Website's cookies. |
| last_ | Headers and values of the last HTTP response. |
| tags[] | Tags. |
| title | Webpage title. |
| trackers[] | Trackers found in the URL, recorded historically. |
Tracker
URL Tracker.

JSON representation: `{ "tracker": string, "id": string, "timestamp": string, "url": string }`

| Field | Description |
|---|---|
| tracker | Tracker name. |
| id | Tracker ID, if available. |
| timestamp | Tracker ingestion date. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| url | Tracker script URL. |
Group
Information about an organizational group.

| Field | Description |
|---|---|
| product_ | Product globally unique user object identifier, such as an LDAP Object Identifier. |
| creation_time | Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| group_ | Group display name, e.g. "Finance". |
| attribute | Generic entity metadata attributes of the group. |
| email_ | Email addresses of the group. |
| windows_ | Microsoft Windows SID of the group. |
Process
Information about a process.

| Field | Description |
|---|---|
| pid | The process ID. This field can be used as an entity indicator for process entities. |
| parent_pid | The ID of the parent process. Deprecated: use parent_process.pid instead. |
| parent_ | Information about the parent process. |
| file | Information about the file in use by the process. |
| command_ | The command line command that created the process. This field can be used as an entity indicator for process entities. |
| command_ | The command line history of the process. |
| product_ | A product-specific process ID. |
| access_ | A bit mask representing the level of access. |
| integrity_ | The Microsoft Windows integrity level relative ID (RID) of the process. |
| euid | The effective user ID of the process. |
| ruid | The real user ID of the process. |
| egid | The effective group ID of the process. |
| rgid | The real group ID of the process. |
| pgid | The identifier that points to the process group ID leader. |
| session_ | The process ID of the session leader process. |
| tty | The teletype terminal within which the command was executed. |
| token_ | The elevation type of the process on Microsoft Windows. This determines whether any privileges are removed when UAC is enabled. |
| product_specific_parent_process_id | A product-specific ID for the parent process. Use parent_process.product_specific_process_id instead. |
File
Information about a file.
JSON representation |
---|
{ "sha256": string, "md5": string, "sha1": string, "size": string, "full_path": string, "mime_type": string, "file_metadata": { object ( |
Fields | |
---|---|
sha256 |
The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
md5 |
The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
sha1 |
The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
size |
The size of the file in bytes. |
full_ |
The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. |
mime_ |
The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". |
file_metadata |
Metadata associated with the file. Deprecated: FileMetadata is being retired in favor of the fields on File itself. |
security_ |
Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. |
pe_ |
Metadata about the Portable Executable (PE) file. |
ssdeep |
ssdeep fuzzy hash of the file. |
vhash |
Vhash of the file. |
ahash |
Deprecated. Use authentihash instead. |
authentihash |
Authentihash of the file. |
file_ |
The file type; see the FileType enum. |
capabilities_ |
Capabilities tags. |
names[] |
Names fields. |
tags[] |
Tags for the file. |
last_ |
Timestamp when the file was last updated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
create_ |
Timestamp when the file was created. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
last_ |
Timestamp when the file was accessed. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
prevalence |
Prevalence of the file hash in the customer's environment. |
first_ |
Timestamp the file was first seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
last_ |
Timestamp the file was last seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
stat_ |
The mode of the file. A bit string indicating the permissions and privileges of the file. |
stat_ |
The file identifier. Unique identifier of object within a file system. |
stat_ |
The file system identifier to which the object belongs. |
stat_ |
Number of links to file. |
stat_ |
User defined flags for file. |
last_ |
Timestamp the file was last analysed. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
embedded_ |
Embedded urls found in the file. |
embedded_ |
Embedded domains found in the file. |
embedded_ |
Embedded IP addresses found in the file. |
exif_ |
Exif metadata from different file formats extracted by exiftool. |
signature_ |
File signature information extracted from different tools. |
pdf_ |
Information about the PDF file structure. |
first_ |
First submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
last_ |
Last submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
main_ |
Icon's relevant hashes. |
ntfs |
NTFS metadata. |
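The hash fields and the RFC 3339 rule repeated on every timestamp above are the parts of File that custom parsers most often get wrong. The following is an added example, not code from the UDM reference or from any Google SecOps library: it builds a File entity from raw bytes and validates it before ingestion. It assumes hex-encoded hashes of the standard lengths, treats every key ending in `_time` as a timestamp, and, because the timestamp key names in File are truncated on this page, takes those names from the caller.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Added example; not from the UDM reference or a Google SecOps client library.
# Builds a UDM File entity from raw bytes and validates the entity-indicator
# fields (sha256/md5/sha1/full_path) plus the RFC 3339 timestamp rule that
# every *_time field on this page repeats: Z-normalized, 0/3/6/9 fractional digits.

_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)
_HEX_LEN = {"sha256": 64, "sha1": 40, "md5": 32}


def normalize_timestamp(ts: str) -> str:
    """Rewrite any accepted RFC 3339 value into the generated-output form.

    The offset is folded into UTC. The fraction is carried as a digit string so a
    9-digit (nanosecond) input survives, then padded to 0, 3, 6 or 9 digits.
    """
    m = _RFC3339.match(ts)
    if not m:
        raise ValueError(f"not RFC 3339: {ts!r}")
    date, clock, frac, off = m.groups()
    naive = datetime.strptime(f"{date}T{clock}", "%Y-%m-%dT%H:%M:%S")
    if off == "Z":
        tz = timezone.utc
    else:
        sign = 1 if off[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6])))
    utc = naive.replace(tzinfo=tz).astimezone(timezone.utc)
    out = utc.strftime("%Y-%m-%dT%H:%M:%S")
    digits = (frac or "").rstrip("0")
    if digits:
        width = next(w for w in (3, 6, 9) if w >= len(digits))
        out += "." + digits.ljust(width, "0")
    return out + "Z"


def file_entity(data: bytes, full_path: str, **timestamps: str) -> dict:
    """Fields computable from the bytes alone; timestamp keys are supplied by the caller."""
    entity = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": str(len(data)),  # int64 fields are serialized as JSON strings
        "full_path": full_path,
    }
    for key, value in timestamps.items():
        entity[key] = normalize_timestamp(value)
    return entity


def validate_file_entity(f: dict) -> list:
    """Return the list of problems found; an empty list means the entity is ingestible."""
    problems = []
    for name, n in _HEX_LEN.items():
        v = f.get(name)
        if v is not None and not re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", v):
            problems.append(f"{name}: expected {n} hex characters")
    if not any(f.get(k) for k in ("sha256", "md5", "sha1", "full_path")):
        problems.append("no entity indicator (sha256, md5, sha1 or full_path) set")
    if "size" in f and not re.fullmatch(r"\d+", str(f["size"])):
        problems.append("size: int64 must be a decimal string")
    for key, value in f.items():
        if key.endswith("_time"):
            try:
                if normalize_timestamp(value) != value:
                    problems.append(f"{key}: not Z-normalized RFC 3339")
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    return problems
```

A value such as `2024-05-06T10:20:30.5+02:00` is accepted on input but comes back as `2024-05-06T08:20:30.500Z`; if your pipeline compares timestamps as strings, normalize before comparing, or two spellings of the same instant will look different.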
FileMetadata
@hide_from_doc
JSON representation |
---|
{
"pe": {
object ( |
Fields | |
---|---|
pe |
Metadata for Microsoft Windows PE files. Deprecated: PeFileMetadata is being retired in favor of the fields on File itself. |
PeFileMetadata
Metadata about a Microsoft Windows Portable Executable.
JSON representation |
---|
{ "import_hash": string } |
Fields | |
---|---|
import_ |
Hash of PE imports. |
FileMetadataPE
Metadata about the Portable Executable (PE) file.
JSON representation |
---|
{ "imphash": string, "entry_point": string, "entry_point_exiftool": string, "compilation_time": string, "compilation_exiftool_time": string, "section": [ { object ( |
Fields | |
---|---|
imphash |
Imphash of the file. |
entry_ |
info.pe-entry-point. |
entry_ |
info.exiftool.EntryPoint. |
compilation_ |
info.pe-timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
compilation_ |
info.exiftool.TimeStamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
section[] |
FileMetadataSection entries, one per PE section. |
imports[] |
FileMetadataImports entries, one per imported library. |
resource[] |
FileMetadataPeResourceInfo entries, one per PE resource. |
resources_type_count[] |
Deprecated: use resources_type_count_str. |
resources_language_count[] |
Deprecated: use resources_language_count_str. |
resources_ |
Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 |
resources_ |
Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 |
signature_info |
FileMetadataSignatureInfo field. Deprecated: use File.signature_info instead. |
FileMetadataSection
@hide_from_doc
JSON representation |
---|
{ "name": string, "entropy": number, "raw_size_bytes": string, "virtual_size_bytes": string, "md5_hex": string } |
Fields | |
---|---|
name |
Name of the section. |
entropy |
Entropy of the section. |
raw_ |
Raw file size in bytes. |
virtual_ |
Virtual file size in bytes. |
md5_ |
MD5 of the section data, hex-encoded. |
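Section entropy and the raw/virtual size pair are the two FileMetadataSection values a malware analyst reads first, because packers and crypters leave a recognisable signature in them. The following is an added example, not code from the UDM reference, that computes these fields from a section's bytes and applies the usual packing heuristics. The thresholds (7.0 bits per byte, a 4x size ratio) and the sample sections are this example's own constructions.

```python
import hashlib
import math
from collections import Counter

# Added example; not from the UDM reference. Computes the FileMetadataSection
# fields for a PE section from its raw bytes and header sizes, then applies the
# two packing heuristics analysts use: entropy near 8 bits/byte (compressed or
# encrypted payload) and a virtual size far larger than the raw size (the
# unpacker's destination, which only exists once the stub has run).


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_metadata(name: str, raw: bytes, virtual_size: int) -> dict:
    return {
        "name": name,
        "entropy": round(shannon_entropy(raw), 4),
        "raw_size_bytes": str(len(raw)),          # int64 -> JSON string
        "virtual_size_bytes": str(virtual_size),
        "md5_hex": hashlib.md5(raw).hexdigest(),
    }


def packing_indicators(section: dict, entropy_threshold: float = 7.0, ratio: int = 4) -> list:
    """Thresholds are illustrative assumptions, not values from the UDM documentation."""
    flags = []
    raw = int(section["raw_size_bytes"])
    virt = int(section["virtual_size_bytes"])
    if raw > 0 and section["entropy"] >= entropy_threshold:
        flags.append("high-entropy")
    if raw == 0 and virt > 0:
        flags.append("zero-raw-size")          # e.g. UPX0: filled in memory by the unpacker
    elif raw > 0 and virt >= ratio * raw:
        flags.append("virtual-size-inflated")
    return flags


def _pseudo_random(n: int, seed: bytes = b"udm-example") -> bytes:
    """Deterministic stand-in for os.urandom so the sample is reproducible (constructed data)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed sections: plain text, an empty unpack target, and a compressed-looking payload.
LOW_ENTROPY_TEXT = b"This program cannot be run in DOS mode.\r\n" * 100
SECTIONS = [
    section_metadata(".rdata", LOW_ENTROPY_TEXT, 4096),
    section_metadata("UPX0", b"", 0x40000),
    section_metadata("UPX1", _pseudo_random(4096), 4096),
]
```

Entropy alone is a weak signal: legitimate installers carry compressed resources, and .NET assemblies with embedded PNGs score high too. Combine it with the size ratio and with the imphash from FileMetadataPE before treating a file as packed.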
FileMetadataImports
@hide_from_doc
JSON representation |
---|
{ "library": string, "functions": [ string ] } |
Fields | |
---|---|
library |
Name of the imported library (for example a DLL). |
functions[] |
Functions imported from that library. |
FileMetadataPeResourceInfo
@hide_from_doc
JSON representation |
---|
{ "sha256_hex": string, "filetype_magic": string, "language_code": string, "entropy": number, "file_type": string } |
Fields | |
---|---|
sha256_ |
SHA256 of the resource data, hex-encoded. |
filetype_ |
Type of resource content, as identified by the magic Python module. |
language_ |
Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: LANG_NEUTRAL with SUBLANG_NEUTRAL gives "NEUTRAL"; LANG_FRENCH with no sublanguage gives "FRENCH"; LANG_ENGLISH with SUBLANG_ENGLISH_US gives "ENGLISH US". |
entropy |
Entropy of the resource. |
file_ |
File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. |
StringToInt64MapEntry
@hide_from_doc
JSON representation |
---|
{ "key": string, "value": string } |
Fields | |
---|---|
key |
Map key (for example a resource type or language name). |
value |
Map value, an int64 serialized as a string. |
FileMetadataSignatureInfo
Signature information.
JSON representation |
---|
{ "verification_message": string, "verified": boolean, "signer": [ string ], "signers": [ { object ( |
Fields | |
---|---|
verification_ |
Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. |
verified |
True if verification_message == "Signed" |
signer[] |
Deprecated: use signers field. |
signers[] |
File metadata signer information. The order of the signers matters: each element is a higher-level authority than the one before it, the last being the root authority. |
x509[] |
List of certificates. |
SignerInfo
File metadata related to the signer information.
JSON representation |
---|
{ "name": string, "status": string, "valid_usage": string, "cert_issuer": string } |
Fields | |
---|---|
name |
Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. |
status |
It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). |
valid_ |
Indicates which situations the certificate is valid for (e.g. "Code Signing"). |
cert_ |
Company that issued the certificate. |
X509
File certificate.
JSON representation |
---|
{ "name": string, "algorithm": string, "thumbprint": string, "cert_issuer": string, "serial_number": string } |
Fields | |
---|---|
name |
Certificate name. |
algorithm |
Certificate algorithm. |
thumbprint |
Certificate thumbprint. |
cert_ |
Issuer of the certificate. |
serial_ |
Certificate serial number. |
FileType
The file type, for example Microsoft Windows executable.
Enums | |
---|---|
FILE_TYPE_UNSPECIFIED |
File type is UNSPECIFIED. |
FILE_TYPE_PE_EXE |
File type is PE_EXE. |
FILE_TYPE_PE_DLL |
Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. |
FILE_TYPE_MSI |
File type is MSI. |
FILE_TYPE_NE_EXE |
File type is NE_EXE. |
FILE_TYPE_NE_DLL |
File type is NE_DLL. |
FILE_TYPE_DOS_EXE |
File type is DOS_EXE. |
FILE_TYPE_DOS_COM |
File type is DOS_COM. |
FILE_TYPE_COFF |
File type is COFF. |
FILE_TYPE_ELF |
File type is ELF. |
FILE_TYPE_LINUX_KERNEL |
File type is LINUX_KERNEL. |
FILE_TYPE_RPM |
File type is RPM. |
FILE_TYPE_LINUX |
File type is LINUX. |
FILE_TYPE_MACH_O |
File type is MACH_O. |
FILE_TYPE_JAVA_BYTECODE |
File type is JAVA_BYTECODE. |
FILE_TYPE_DMG |
File type is DMG. |
FILE_TYPE_DEB |
File type is DEB. |
FILE_TYPE_PKG |
File type is PKG. |
FILE_TYPE_PYC |
File type is PYC. |
FILE_TYPE_LNK |
File type is LNK. |
FILE_TYPE_DESKTOP_ENTRY |
File type is DESKTOP_ENTRY. |
FILE_TYPE_JPEG |
File type is JPEG. |
FILE_TYPE_TIFF |
File type is TIFF. |
FILE_TYPE_GIF |
File type is GIF. |
FILE_TYPE_PNG |
File type is PNG. |
FILE_TYPE_BMP |
File type is BMP. |
FILE_TYPE_GIMP |
File type is GIMP. |
FILE_TYPE_IN_DESIGN |
File type is Adobe InDesign. |
FILE_TYPE_PSD |
File type is PSD. Adobe Photoshop. |
FILE_TYPE_TARGA |
File type is TARGA. |
FILE_TYPE_XWD |
File type is XWD. |
FILE_TYPE_DIB |
File type is DIB. |
FILE_TYPE_JNG |
File type is JNG. |
FILE_TYPE_ICO |
File type is ICO. |
FILE_TYPE_FPX |
File type is FPX. |
FILE_TYPE_EPS |
File type is EPS. |
FILE_TYPE_SVG |
File type is SVG. |
FILE_TYPE_EMF |
File type is EMF. |
FILE_TYPE_WEBP |
File type is WEBP. |
FILE_TYPE_DWG |
File type is DWG. |
FILE_TYPE_DXF |
File type is DXF. |
FILE_TYPE_THREEDS |
File type is 3DS. |
FILE_TYPE_OGG |
File type is OGG. |
FILE_TYPE_FLC |
File type is FLC. |
FILE_TYPE_FLI |
File type is FLI. |
FILE_TYPE_MP3 |
File type is MP3. |
FILE_TYPE_FLAC |
File type is FLAC. |
FILE_TYPE_WAV |
File type is WAV. |
FILE_TYPE_MIDI |
File type is MIDI. |
FILE_TYPE_AVI |
File type is AVI. |
FILE_TYPE_MPEG |
File type is MPEG. |
FILE_TYPE_QUICKTIME |
File type is QUICKTIME. |
FILE_TYPE_ASF |
File type is ASF. |
FILE_TYPE_DIVX |
File type is DIVX. |
FILE_TYPE_FLV |
File type is FLV. |
FILE_TYPE_WMA |
File type is WMA. |
FILE_TYPE_WMV |
File type is WMV. |
FILE_TYPE_RM |
File type is RM. RealMedia type. |
FILE_TYPE_MOV |
File type is MOV. |
FILE_TYPE_MP4 |
File type is MP4. |
FILE_TYPE_T3GP |
File type is T3GP. |
FILE_TYPE_WEBM |
File type is WEBM. |
FILE_TYPE_MKV |
File type is MKV. |
FILE_TYPE_PDF |
File type is PDF. |
FILE_TYPE_PS |
File type is PS. |
FILE_TYPE_DOC |
File type is DOC. |
FILE_TYPE_DOCX |
File type is DOCX. |
FILE_TYPE_PPT |
File type is PPT. |
FILE_TYPE_PPTX |
File type is PPTX. |
FILE_TYPE_XLS |
File type is XLS. |
FILE_TYPE_XLSX |
File type is XLSX. |
FILE_TYPE_RTF |
File type is RTF. |
FILE_TYPE_PPSX |
File type is PPSX. |
FILE_TYPE_ODP |
File type is ODP. |
FILE_TYPE_ODS |
File type is ODS. |
FILE_TYPE_ODT |
File type is ODT. |
FILE_TYPE_HWP |
File type is HWP. |
FILE_TYPE_GUL |
File type is GUL. |
FILE_TYPE_ODF |
File type is ODF. |
FILE_TYPE_ODG |
File type is ODG. |
FILE_TYPE_ONE_NOTE |
File type is ONE_NOTE. |
FILE_TYPE_OOXML |
File type is OOXML. |
FILE_TYPE_SLK |
File type is SLK. |
FILE_TYPE_EBOOK |
File type is EBOOK. |
FILE_TYPE_LATEX |
File type is LATEX. |
FILE_TYPE_TTF |
File type is TTF. |
FILE_TYPE_EOT |
File type is EOT. |
FILE_TYPE_WOFF |
File type is WOFF. |
FILE_TYPE_CHM |
File type is CHM. |
FILE_TYPE_ZIP |
File type is ZIP. |
FILE_TYPE_GZIP |
File type is GZIP. |
FILE_TYPE_BZIP |
File type is BZIP. |
FILE_TYPE_RZIP |
File type is RZIP. |
FILE_TYPE_DZIP |
File type is DZIP. |
FILE_TYPE_SEVENZIP |
File type is SEVENZIP. |
FILE_TYPE_CAB |
File type is CAB. |
FILE_TYPE_JAR |
File type is JAR. |
FILE_TYPE_RAR |
File type is RAR. |
FILE_TYPE_MSCOMPRESS |
File type is MSCOMPRESS. |
FILE_TYPE_ACE |
File type is ACE. |
FILE_TYPE_ARC |
File type is ARC. |
FILE_TYPE_ARJ |
File type is ARJ. |
FILE_TYPE_ASD |
File type is ASD. |
FILE_TYPE_BLACKHOLE |
File type is BLACKHOLE. |
FILE_TYPE_KGB |
File type is KGB. |
FILE_TYPE_ZLIB |
File type is ZLIB. |
FILE_TYPE_TAR |
File type is TAR. |
FILE_TYPE_ZST |
File type is ZST. |
FILE_TYPE_LZFSE |
File type is LZFSE. |
FILE_TYPE_PYTHON_WHL |
File type is PYTHON_WHL. |
FILE_TYPE_PYTHON_PKG |
File type is PYTHON_PKG. |
FILE_TYPE_MSIX |
File type is MSIX, new Windows app package format. |
FILE_TYPE_TEXT |
File type is TEXT. |
FILE_TYPE_SCRIPT |
File type is SCRIPT. |
FILE_TYPE_PHP |
File type is PHP. |
FILE_TYPE_PYTHON |
File type is PYTHON. |
FILE_TYPE_PERL |
File type is PERL. |
FILE_TYPE_RUBY |
File type is RUBY. |
FILE_TYPE_C |
File type is C. |
FILE_TYPE_CPP |
File type is CPP. |
FILE_TYPE_JAVA |
File type is JAVA. |
FILE_TYPE_SHELLSCRIPT |
File type is SHELLSCRIPT. |
FILE_TYPE_PASCAL |
File type is PASCAL. |
FILE_TYPE_AWK |
File type is AWK. |
FILE_TYPE_DYALOG |
File type is DYALOG. |
FILE_TYPE_FORTRAN |
File type is FORTRAN. |
FILE_TYPE_JAVASCRIPT |
File type is JAVASCRIPT. |
FILE_TYPE_POWERSHELL |
File type is POWERSHELL. |
FILE_TYPE_VBA |
File type is VBA. |
FILE_TYPE_M4 |
File type is M4. |
FILE_TYPE_OBJETIVEC |
File type is Objective-C source (the enum value is spelled OBJETIVEC). |
FILE_TYPE_JMOD |
File type is JMOD. |
FILE_TYPE_MAKEFILE |
File type is MAKEFILE. |
FILE_TYPE_INI |
File type is INI. |
FILE_TYPE_CLJ |
File type is CLJ. |
FILE_TYPE_PDB |
File type is PDB. |
FILE_TYPE_SQL |
File type is SQL. |
FILE_TYPE_NEKO |
File type is NEKO. |
FILE_TYPE_WER |
File type is WER. |
FILE_TYPE_GOLANG |
File type is GOLANG. |
FILE_TYPE_M3U |
File type is M3U. |
FILE_TYPE_BAT |
File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). |
FILE_TYPE_MSC |
File type is MSC, Microsoft Management Console (MMC). |
FILE_TYPE_RDP |
File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. |
FILE_TYPE_SYMBIAN |
File type is SYMBIAN. |
FILE_TYPE_PALMOS |
File type is PALMOS. |
FILE_TYPE_WINCE |
File type is WINCE. |
FILE_TYPE_ANDROID |
File type is ANDROID. |
FILE_TYPE_IPHONE |
File type is IPHONE. |
FILE_TYPE_HTML |
File type is HTML. |
FILE_TYPE_XML |
File type is XML. |
FILE_TYPE_SWF |
File type is SWF. |
FILE_TYPE_FLA |
File type is FLA. |
FILE_TYPE_COOKIE |
File type is COOKIE. |
FILE_TYPE_TORRENT |
File type is TORRENT. |
FILE_TYPE_EMAIL_TYPE |
File type is EMAIL_TYPE. |
FILE_TYPE_OUTLOOK |
File type is OUTLOOK. |
FILE_TYPE_SGML |
File type is SGML. |
FILE_TYPE_JSON |
File type is JSON. |
FILE_TYPE_CSV |
File type is CSV. |
FILE_TYPE_HTA |
File type is HTA (HTML Application). |
FILE_TYPE_INTERNET_SHORTCUT |
File type is INTERNET_SHORTCUT, a Windows .url file. |
FILE_TYPE_CAP |
File type is CAP. |
FILE_TYPE_ISOIMAGE |
File type is ISOIMAGE. |
FILE_TYPE_SQUASHFS |
File type is SQUASHFS. |
FILE_TYPE_VHD |
File type is VHD. |
FILE_TYPE_APPLE |
File type is APPLE. |
FILE_TYPE_MACINTOSH |
File type is MACINTOSH. |
FILE_TYPE_APPLESINGLE |
File type is APPLESINGLE. |
FILE_TYPE_APPLEDOUBLE |
File type is APPLEDOUBLE. |
FILE_TYPE_MACINTOSH_HFS |
File type is MACINTOSH_HFS. |
FILE_TYPE_APPLE_PLIST |
File type is APPLE_PLIST. |
FILE_TYPE_MACINTOSH_LIB |
File type is MACINTOSH_LIB. |
FILE_TYPE_APPLESCRIPT |
File type is APPLESCRIPT. |
FILE_TYPE_APPLESCRIPT_COMPILED |
File type is APPLESCRIPT_COMPILED. |
FILE_TYPE_CRX |
File type is CRX. |
FILE_TYPE_XPI |
File type is XPI. |
FILE_TYPE_ROM |
File type is ROM. |
FILE_TYPE_IPS |
File type is IPS. |
FILE_TYPE_PEM |
File type is PEM. |
FILE_TYPE_PGP |
File type is PGP. |
FILE_TYPE_CRT |
File type is CRT. |
ExifInfo
@hide_from_doc
JSON representation |
---|
{ "original_file": string, "product": string, "company": string, "file_description": string, "entry_point": string, "compilation_time": string } |
Fields | |
---|---|
original_ |
Original file name. |
product |
Product name. |
company |
Company name. |
file_ |
Description of the file. |
entry_ |
Entry point. |
compilation_ |
Compilation time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
SignatureInfo
File signature information extracted from different tools.
JSON representation |
---|
{ "sigcheck": { object ( |
Fields | |
---|---|
sigcheck |
Signature information extracted from the sigcheck tool. |
codesign |
Signature information extracted from the codesign utility. |
FileMetadataCodesign
File metadata from the codesign utility.
JSON representation |
---|
{ "id": string, "format": string, "compilation_time": string, "team_id": string } |
Fields | |
---|---|
id |
Code sign identifier. |
format |
Code sign format. |
compilation_ |
Code signing timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
team_ |
The assigned team identifier of the developer who signed the application. |
PDFInfo
Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info
JSON representation |
---|
{ "js": string, "javascript": string, "launch_action_count": string, "object_stream_count": string, "endobj_count": string, "header": string, "acroform": string, "autoaction": string, "embedded_file": string, "encrypted": string, "flash": string, "jbig2_compression": string, "obj_count": string, "endstream_count": string, "page_count": string, "stream_count": string, "openaction": string, "startxref": string, "suspicious_colors": string, "trailer": string, "xfa": string, "xref": string } |
Fields | |
---|---|
js |
Number of /JS tags found in the PDF file. Should be the same as the javascript field in normal scenarios. |
javascript |
Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. |
launch_ |
Number of /Launch tags found in the PDF file. |
object_ |
Number of object streams. |
endobj_ |
Number of object definitions (endobj keyword). |
header |
PDF version. |
acroform |
Number of /AcroForm tags found in the PDF. |
autoaction |
Number of /AA tags found in the PDF. |
embedded_ |
Number of /EmbeddedFile tags found in the PDF. |
encrypted |
Whether the document is encrypted or not. This is defined by the /Encrypt tag. |
flash |
Number of /RichMedia tags found in the PDF. |
jbig2_ |
Number of /JBIG2Decode tags found in the PDF. |
obj_ |
Number of object definitions (obj keyword). |
endstream_ |
Number of stream terminators (endstream keyword). In a well-formed file this equals stream_count. |
page_ |
Number of pages in the PDF. |
stream_ |
Number of defined stream objects (stream keyword). |
openaction |
Number of /OpenAction tags found in the PDF. |
startxref |
Number of startxref keywords in the PDF. |
suspicious_ |
Number of colors expressed with more than 3 bytes (CVE-2009-3459). |
trailer |
Number of trailer keywords in the PDF. |
xfa |
Number of /XFA tags found in the PDF. |
xref |
Number of xref keywords in the PDF. |
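The PDFInfo counters are the classic pdfid signals: a document with /OpenAction or /AA plus /JS, or a /Launch action, can run code as soon as it is opened. The following is an added example, not code from the UDM reference and not VirusTotal's pdf_info implementation: a single pass over raw PDF bytes that fills the counters above from a constructed sample. It decodes name escapes first (`/#4Caunch` is `/Launch`), which is the cheapest trick for hiding a name from a keyword scanner. It does not inflate streams, so JavaScript behind /FlateDecode is still missed; the `encrypted` serialization and the `suspicious_colors` placeholder are assumptions.

```python
import re

# Added example; not from the UDM reference or VirusTotal's pdf_info implementation.
# A pdfid-style pass over raw PDF bytes that fills the PDFInfo counters above.
# Name escapes are decoded first (/#4Caunch -> /Launch) because that is the
# cheapest evasion against keyword scanners. Streams are not inflated, so
# JavaScript hidden behind /FlateDecode is still missed, as with any scanner
# of this class.

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Name tokens are delimited by "/" on the left; the lookahead stops /Page from
# also matching /Pages and /JS from matching a longer name.
_NAMES = {
    "js": rb"/JS",
    "javascript": rb"/JavaScript",
    "launch_action_count": rb"/Launch",
    "acroform": rb"/AcroForm",
    "autoaction": rb"/AA",
    "embedded_file": rb"/EmbeddedFile",
    "flash": rb"/RichMedia",
    "jbig2_compression": rb"/JBIG2Decode",
    "openaction": rb"/OpenAction",
    "xfa": rb"/XFA",
    "object_stream_count": rb"/ObjStm",
}
# Bare keywords also need a lookbehind so obj is not found inside endobj,
# stream inside endstream, or xref inside startxref.
_KEYWORDS = {
    "obj_count": rb"obj",
    "endobj_count": rb"endobj",
    "stream_count": rb"stream",
    "endstream_count": rb"endstream",
    "xref": rb"xref",
    "startxref": rb"startxref",
    "trailer": rb"trailer",
}
# Counters whose non-zero value means the document can run code or open something.
ACTIVE_CONTENT = ("js", "javascript", "launch_action_count", "openaction",
                  "autoaction", "embedded_file", "flash", "xfa")


def _count(pattern: bytes, data: bytes, bare: bool = False) -> int:
    prefix = rb"(?<![A-Za-z])" if bare else b""
    return len(re.findall(prefix + pattern + rb"(?![A-Za-z])", data))


def pdf_info(data: bytes) -> dict:
    data = _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    header = re.match(rb"%PDF-(\d\.\d)", data)
    info = {"header": header.group(1).decode() if header else ""}
    for field, name in _NAMES.items():
        info[field] = str(_count(name, data))              # int64 -> JSON string
    for field, keyword in _KEYWORDS.items():
        info[field] = str(_count(keyword, data, bare=True))
    info["page_count"] = str(len(re.findall(rb"/Type\s*/Page(?![A-Za-z])", data)))
    info["encrypted"] = "true" if _count(rb"/Encrypt", data) else "false"  # serialization assumed
    info["suspicious_colors"] = "0"  # would need a colour-space walk; not attempted here
    return info


def active_content(info: dict) -> list:
    """Names of the PDFInfo counters that are non-zero and imply executable behaviour."""
    return [f for f in ACTIVE_CONTENT if int(info[f]) > 0]


# Constructed sample: JavaScript fired by /OpenAction and a page /AA, an XFA form,
# and a /Launch action whose name is hex-escaped.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm 5 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /S/JavaScript /JS (app.alert('hi')) >>
endobj
5 0 obj
<< /Fields [] /XFA 6 0 R >>
endobj
6 0 obj
<< /Length 5 >>
stream
hello
endstream
endobj
7 0 obj
<< /Type /Action /S /#4Caunch /F (cmd.exe) >>
endobj
xref
0 8
trailer
<< /Root 1 0 R /Size 8 >>
startxref
0
%%EOF
"""
```

Mismatched obj/endobj or stream/endstream counts are themselves worth alerting on: exploit generators and hand-edited files routinely leave them unbalanced, which is why the reference carries both halves of each pair.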
NtfsFileMetadata
NTFS-specific file metadata.
JSON representation |
---|
{ "change_time": string, "filename_create_time": string, "filename_modify_time": string, "filename_access_time": string, "filename_change_time": string } |
Fields | |
---|---|
change_ |
NTFS MFT entry changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
filename_ |
NTFS $FILE_NAME attribute created timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
filename_ |
NTFS $FILE_NAME attribute modified timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
filename_ |
NTFS $FILE_NAME attribute accessed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
filename_ |
NTFS $FILE_NAME attribute changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
TokenElevationType
The elevation type of the process's token. See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type
Enums | |
---|---|
UNKNOWN |
An undetermined token type. |
TYPE_1 |
A full token with no privileges removed or groups disabled. |
TYPE_2 |
An elevated token with no privileges removed or groups disabled. Used when running as administrator. |
TYPE_3 |
A limited token with administrative privileges removed and administrative groups disabled. |
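Two things a parser author does with the Process fields from the Process section earlier on this page and with the TokenElevationType enum just above: fold the deprecated parent_pid and product_specific_parent_process_id into parent_process, and derive privilege context from euid/ruid/egid/rgid and the token elevation type. The following is an added example, not code from the UDM reference or from a Google SecOps library. The key name `token_elevation_type` is this example's assumption (the reference truncates it), the flag labels are the example's own vocabulary rather than UDM values, and the sample event is constructed.

```python
import copy

# Added example; not from the UDM reference or a Google SecOps library.
# normalize_process() retires the deprecated Process fields; privilege_flags()
# turns the uid/gid and token fields into labels a detection can key on.
# "token_elevation_type" is an assumed key name; the reference truncates it.

TOKEN_ELEVATED = "TYPE_2"   # TokenElevationType: elevated token, running as administrator
TOKEN_LIMITED = "TYPE_3"    # TokenElevationType: UAC-filtered token


def normalize_process(proc: dict) -> dict:
    """Move deprecated fields into parent_process; an explicit parent_process value wins."""
    p = copy.deepcopy(proc)
    parent = p.setdefault("parent_process", {})
    if "parent_pid" in p:
        parent.setdefault("pid", p.pop("parent_pid"))
    if "product_specific_parent_process_id" in p:
        parent.setdefault("product_specific_process_id",
                          p.pop("product_specific_parent_process_id"))
    if not parent:
        del p["parent_process"]
    return p


def privilege_flags(proc: dict) -> list:
    """Labels (this example's own) describing how much privilege the process holds."""
    flags = []
    euid, ruid = proc.get("euid"), proc.get("ruid")
    egid, rgid = proc.get("egid"), proc.get("rgid")
    if euid is not None and str(euid) == "0":
        flags.append("runs-as-root")
    if euid is not None and ruid is not None and str(euid) != str(ruid):
        flags.append("setuid-transition")   # effective uid differs from the real uid
    if egid is not None and rgid is not None and str(egid) != str(rgid):
        flags.append("setgid-transition")
    token = proc.get("token_elevation_type")
    if token == TOKEN_ELEVATED:
        flags.append("uac-elevated")
    elif token == TOKEN_LIMITED:
        flags.append("uac-limited")
    return flags


# Constructed sample: a setuid binary launched from an interactive shell.
RAW_EVENT = {
    "pid": "4242",
    "parent_pid": "4100",
    "product_specific_parent_process_id": "evt-4100",
    "file": {"full_path": "/usr/bin/passwd"},
    "euid": "0",
    "ruid": "1000",
    "egid": "42",
    "rgid": "1000",
}
```

A setuid transition on its own is normal (passwd, sudo, ping); it becomes interesting when the file is not a known setuid binary or when the parent is a web server or a script interpreter, which is why the normalized parent_process is kept alongside the flags.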
Asset
Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.
JSON representation |
---|
{ "product_object_id": string, "hostname": string, "asset_id": string, "ip": [ string ], "mac": [ string ], "nat_ip": [ string ], "first_seen_time": string, "hardware": [ { object ( |
Fields | |
---|---|
product_ |
A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. |
hostname |
Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. |
asset_ |
The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. |
ip[] |
A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. |
mac[] |
List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. |
nat_ |
List of NAT IP addresses associated with an asset. |
first_ |
The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
hardware[] |
The asset hardware specifications. |
platform_ |
The asset operating system platform software. |
software[] |
The asset software details. |
location |
Location of the asset. |
category |
The category of the asset (e.g. "End User Asset", "Workstation", "Server"). |
type |
The type of the asset (e.g. workstation or laptop or server). |
network_ |
The network domain of the asset (e.g. "corp.acme.com") |
creation_time |
Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
first_ |
Time the asset was first discovered (by asset management/discoverability software). Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
last_ |
Time the asset was last discovered (by asset management/discoverability software). Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
system_ |
Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
last_ |
Time the asset was last boot started. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: |
labels[] |
Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. |
deployment_ |
The deployment status of the asset for device lifecycle purposes. |
vulnerabilities[] |
Vulnerabilities discovered on asset. |
attribute |
Generic entity metadata attributes of the asset. |
Hardware
Hardware specification details for a resource, including both physical and virtual hardware.
JSON representation |
---|
{ "serial_number": string, "manufacturer": string, "model": string, "cpu_platform": string, "cpu_model": string, "cpu_clock_speed": string, "cpu_max_clock_speed": string, "cpu_number_cores": string, "ram": string } |
Fields | |
---|---|
serial_ |
Hardware serial number. |
manufacturer |
Hardware manufacturer. |
model |
Hardware model. |
cpu_ |
Platform of the hardware CPU (e.g. "Intel Broadwell"). |
cpu_ |
Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). |
cpu_ |
Clock speed of the hardware CPU in MHz. |
cpu_ |
Maximum possible clock speed of the hardware CPU in MHz. |
cpu_ |
Number of CPU cores. |
ram |
Amount of hardware random access memory (RAM) in MB. |
PlatformSoftware
Platform software information about an operating system.
JSON representation |
---|
{
"platform": enum ( |
Fields | |
---|---|
platform |
The platform operating system. |
platform_ |
The platform software version (e.g. "Microsoft Windows 1803"). |
platform_ |
The platform software patch level (e.g. "Build 17134.48", "SP1"). |
Platform
Operating system platform.
Enums | |
---|---|
UNKNOWN_PLATFORM |
Default value. |
WINDOWS |
Microsoft Windows. |
MAC |
macOS. |
LINUX |
Linux. |
GCP |
Deprecated: see cloud.environment. |
AWS |
Deprecated: see cloud.environment. |
AZURE |
Deprecated: see cloud.environment. |
IOS |
iOS. |
ANDROID |
Android. |
CHROME_OS |
ChromeOS. |
Software
Information about a software package or application.
JSON representation |
---|
{
"name": string,
"version": string,
"permissions": [
{
object ( |
Fields | |
---|---|
name |
The name of the software. |
version |
The version of the software. |
permissions[] |
System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" |
description |
The description of the software. |
vendor_ |
The name of the software vendor. |
AssetType
The role type of the asset.
Enums | |
---|---|
ROLE_UNSPECIFIED |
Unspecified asset role. |
WORKSTATION |
A workstation or desktop. |
LAPTOP |
A laptop computer. |
IOT |
An IOT asset. |
NETWORK_ATTACHED_STORAGE |
A network attached storage device. |
PRINTER |
A printer. |
SCANNER |
A scanner. |
SERVER |
A server. |
TAPE_LIBRARY |
A tape library device. |
MOBILE |
A mobile device such as a mobile phone or PDA. |
DeploymentStatus
Deployment status states.
Enums | |
---|---|
DEPLOYMENT_STATUS_UNSPECIFIED |
Unspecified deployment status. |
ACTIVE |
Asset is active, functional and deployed. |
PENDING_DECOMISSION |
Asset is pending decommission and no longer deployed. |
DECOMISSIONED |
Asset is decommissioned. |
Registry
Information about a registry key or value.
JSON representation |
---|
{
"registry_key": string,
"registry_value_name": string,
"registry_value_data": string,
"registry_value_type": enum ( |
Fields | |
---|---|
registry_ |
Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). |
registry_ |
Name of the registry value associated with an application or system component (e.g. TEMP). |
registry_ |
Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). |
registry_ |
Type of the registry value. |
Type
Type of the registry value. These values are based on the Windows Registry value types: https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types
Enums | |
---|---|
TYPE_UNSPECIFIED |
Default registry value type used when the type is unknown. |
NONE |
The registry value is not set and only the key exists. |
SZ |
A null-terminated string. |
EXPAND_SZ |
A null-terminated string that contains unexpanded references to environment variables. |
BINARY |
Binary data in any form. |
DWORD |
A 32-bit number. |
DWORD_LITTLE_ENDIAN |
A 32-bit number in little-endian format. |
DWORD_BIG_ENDIAN |
A 32-bit number in big-endian format. |
LINK |
A null-terminated Unicode string that contains the target path of a symbolic link. |
MULTI_SZ |
A sequence of null-terminated strings, terminated by an empty string. |
RESOURCE_LIST |
A device driver resource list. |
QWORD |
A 64-bit number. |
QWORD_LITTLE_ENDIAN |
A 64-bit number in little-endian format. |
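Sensors and offline hive parsers hand over registry values as raw bytes plus a type, while registry_value_data is a string, so every parser needs the decoding step that the Type enum above describes. The following is an added example, not code from the UDM reference: it decodes the common value types into the Registry fields and adds the persistence check most analysts bolt on first. The mapping from REG_* constants to the enum names, the MULTI_SZ join convention, and the autostart key list are this example's assumptions.

```python
import struct

# Added example; not from the UDM reference. Decodes raw registry value bytes
# into the string that registry_value_data carries, dispatching on the Type
# enum names above, and flags well-known autostart locations.

AUTOSTART_KEYS = (  # well-known persistence locations; illustrative, not exhaustive
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)


def decode_registry_value(value_type: str, raw: bytes) -> str:
    if value_type in ("SZ", "EXPAND_SZ", "LINK"):
        # UTF-16LE, NUL-terminated; anything after the first NUL is ignored
        return raw.decode("utf-16-le").split("\x00", 1)[0]
    if value_type == "MULTI_SZ":
        items = []
        for part in raw.decode("utf-16-le").split("\x00"):
            if part == "":       # the empty string terminates the sequence
                break
            items.append(part)
        return "\n".join(items)  # join convention is this example's choice
    if value_type in ("DWORD", "DWORD_LITTLE_ENDIAN", "DWORD_BIG_ENDIAN"):
        if len(raw) != 4:
            raise ValueError(f"{value_type} needs 4 bytes, got {len(raw)}")
        fmt = ">I" if value_type == "DWORD_BIG_ENDIAN" else "<I"
        return str(struct.unpack(fmt, raw)[0])
    if value_type in ("QWORD", "QWORD_LITTLE_ENDIAN"):
        if len(raw) != 8:
            raise ValueError(f"{value_type} needs 8 bytes, got {len(raw)}")
        return str(struct.unpack("<Q", raw)[0])
    if value_type == "NONE":
        return ""
    # BINARY, RESOURCE_LIST and TYPE_UNSPECIFIED: hex, so nothing is lost
    return raw.hex()


def registry_entity(key: str, name: str, value_type: str, raw: bytes) -> dict:
    return {
        "registry_key": key,
        "registry_value_name": name,
        "registry_value_data": decode_registry_value(value_type, raw),
        "registry_value_type": value_type,
    }


def is_autostart_location(key: str) -> bool:
    """Case-insensitive match on the part of the key below the hive root."""
    upper = key.upper()
    return any(upper.endswith(k.upper()) for k in AUTOSTART_KEYS)


# Constructed sample: a Run-key entry pointing at a user-writable directory.
SAMPLE = registry_entity(
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Updater",
    "SZ",
    "C:\\Users\\Public\\u.exe\x00".encode("utf-16-le"),
)
```

Keep the decoded string and the original type together: a REG_BINARY value under a Run key, or an EXPAND_SZ whose expansion points somewhere unexpected, is a different finding from a plain SZ path, and the hex fallback means a value you could not decode is never silently dropped.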
Id
Identifier for a UDM object such as a UDM event, Entity or Collection. The full identifier used for persistence is formed by setting the 32 most significant bits to the Id.Namespace enum value. This message is a convenience wrapper that defines the id-space enum values and gives RPCs an easy interface; most persistence use cases should use a denormalized form.
JSON representation |
---|
{
"namespace": enum ( |
Fields | |
---|---|
namespace |
Namespace the id belongs to. |
id |
Full raw ID. A base64-encoded string. |
string_ |
Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... |
Investigation
Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.
JSON representation |
---|
{ "comments": [ string ], "verdict": enum ( |
Fields | |
---|---|
comments[] |
Comments added by the analyst. |
verdict |
Describes the reason a finding investigation was resolved. |
reputation |
Describes whether a finding was useful or not-useful. |
severity_ |
Severity score for a finding set by an analyst. |
status |
Describes the workflow status of a finding. |
priority |
Priority of the Alert or Finding set by analyst. |
root_ |
Root cause of the Alert or Finding set by analyst. |
reason |
Reason for closing the Case or Alert. |
risk_ |
Risk score for a finding set by an analyst. |
Verdict
Categorization options for the validity of a finding (for example, whether it reflects an actual security incident).
Enums | |
---|---|
VERDICT_UNSPECIFIED |
An unspecified verdict. |
TRUE_POSITIVE |
A categorization of the finding as a "true positive". |
FALSE_POSITIVE |
A categorization of the finding as a "false positive". |
Reputation
Categorization options for the usefulness of a finding.
Enums | |
---|---|
REPUTATION_UNSPECIFIED |
An unspecified reputation. |
USEFUL |
A categorization of the finding as useful. |
NOT_USEFUL |
A categorization of the finding as not useful. |
Status
Describes status of a finding.
Enums | |
---|---|
STATUS_UNSPECIFIED |
Unspecified finding status. |
NEW |
New finding. |
REVIEWED |
When a finding has feedback. |
CLOSED |
When an analyst closes a finding. |
OPEN |
Open. Used to indicate that a Case / Alert is open. |
Priority
Priority that is assigned to a Case or Alert.
Enums | |
---|---|
PRIORITY_UNSPECIFIED |
Default priority level. |
PRIORITY_INFO |
Informational priority. |
PRIORITY_LOW |
Low priority. |
PRIORITY_MEDIUM |
Medium priority. |
PRIORITY_HIGH |
High priority. |
PRIORITY_CRITICAL |
Critical priority. |
Reason
Reason for closing an Alert or Case in the SOAR product.
Enums | |
---|---|
REASON_UNSPECIFIED |
Default reason. |
REASON_NOT_MALICIOUS |
Case or Alert not malicious. |
REASON_MALICIOUS |
Case or Alert is malicious. |
REASON_MAINTENANCE |
Case or Alert is under maintenance. |