- JSON representation
- Domain
- User
- TimeOff
- Favicon
- DNSRecord
- PopularityRank
- Url
- Tracker
- Group
- Process
- File
- FileMetadata
- PeFileMetadata
- FileMetadataPE
- FileMetadataSection
- FileMetadataImports
- FileMetadataPeResourceInfo
- StringToInt64MapEntry
- FileMetadataSignatureInfo
- SignerInfo
- X509
- ExifInfo
- SignatureInfo
- FileMetadataCodesign
- PDFInfo
- NtfsFileMetadata
- Registry
The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.
JSON representation:
```
{ "hostname": string, "domain": { object (
```

| Field | Description |
|---|---|
| hostname | Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. |
| domain | Information about the domain. |
| artifact | Information about an artifact. |
| url_metadata | Information about the URL. |
| asset_id | The asset ID. This field can be used as an entity indicator for asset entities. |
| user | Information about the user. |
| user_management_chain[] | Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery, since recursive fields (e.g. user.managers) are not supported by BigQuery. |
| group | Information about the group. |
| process | Information about the process. |
| process_ancestors[] | Information about the process's ancestors, ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery, since recursive fields (e.g. process.parent_process) are not supported by BigQuery. |
| asset | Information about the asset. |
| ip[] | A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. |
| nat_ip[] | A list of NAT-translated IP addresses associated with a network connection. |
| port | Source or destination network port number when a specific network connection is described within an event. |
| nat_port | NAT external network port number when a specific network connection is described within an event. |
| mac[] | List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. |
| administrative_domain | Domain which the device belongs to (for example, the Microsoft Windows domain). |
| namespace | Namespace which the device belongs to, such as "AD forest". Uses for this field include a Microsoft Windows AD forest, the name of a subsidiary, or the name of an acquisition. This field can be used along with an asset indicator to identify an asset. |
| url | The URL. |
| file | Information about the file. |
| email | Email address. Only filled in for security_result.about. |
| registry | Registry information. |
| application | The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". |
| platform | Platform. |
| platform_version | Platform version. For example, "Microsoft Windows 1803". |
| platform_patch_level | Platform patch level. For example, "Build 17134.48". |
| cloud | Cloud metadata. Deprecated: cloud should be populated in the entity Attribute as generic metadata (e.g. asset.attribute.cloud). |
| location | Physical location. For cloud environments, set the region in location.name. |
| ip_location[] | Deprecated: use ip_geo_artifact.location instead. |
| ip_geo_artifact[] | Enriched geographic information corresponding to an IP address, specifically location and network data. |
| resource | Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. |
| resource_ancestors[] | Information about the resource's ancestors, ordered from immediate ancestor (starting with the parent resource). |
| labels[] | Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in the entity Attribute as generic metadata (e.g. user.attribute.labels). |
| object_reference | Finding to which the analyst updated the feedback. |
| investigation | Analyst feedback/investigation for alerts. |
| network | Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
| security_result[] | A list of security results. |
Domain
Information about a domain.
JSON representation:
```
{ "name": string, "prevalence": { object (
```

| Field | Description |
|---|---|
| name | The domain name. This field can be used as an entity indicator for Domain entities. |
| prevalence | The prevalence of the domain within the customer's environment. |
| first_seen_time | First seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_seen_time | Last seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| registrar | Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". |
| contact_email | Contact email address. |
| whois_server | Whois server name. |
| name_server[] | Repeated list of name servers. |
| creation_time | Domain creation time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| update_time | Last updated time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| expiration_time | Expiration time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| audit_update_time | Audit updated time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| status | Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values. |
| registrant | Parsed contact information for the registrant of the domain. |
| admin | Parsed contact information for the administrative contact for the domain. |
| tech | Parsed contact information for the technical contact for the domain. |
| billing | Parsed contact information for the billing contact of the domain. |
| zone | Parsed contact information for the zone. |
| whois_record_raw_text | WHOIS raw text. A base64-encoded string. |
| registry_data_raw_text | Registry data raw text. A base64-encoded string. |
| iana_registrar_id | IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml |
| private_registration | Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. |
| categories[] | Categories assigned to the domain as retrieved from VirusTotal. |
| favicon | Includes the difference hash and MD5 hash of the domain's favicon. |
| jarm | Domain's JARM hash. |
| last_dns_records[] | Domain's DNS records from the last scan. |
| last_dns_records_time | Date when the DNS records list was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_https_certificate | SSL certificate object retrieved the last time the domain was analyzed. |
| last_https_certificate_time | When the certificate was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| popularity_ranks[] | Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc. |
| tags[] | List of representative attributes. |
| whois_time | Date of the last update of the WHOIS record. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
User
Information about a user.
JSON representation:
```
{ "product_object_id": string, "userid": string, "user_display_name": string, "first_name": string, "middle_name": string, "last_name": string, "phone_numbers": [ string ], "personal_address": { object (
```

| Field | Description |
|---|---|
| product_object_id | A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. |
| userid | The ID of the user. This field can be used as an entity indicator for user entities. |
| user_display_name | The display name of the user (e.g. "John Locke"). |
| first_name | First name of the user (e.g. "John"). |
| middle_name | Middle name of the user. |
| last_name | Last name of the user (e.g. "Locke"). |
| phone_numbers[] | Phone numbers for the user. |
| personal_address | Personal address of the user. |
| attribute | Generic entity metadata attributes of the user. |
| first_seen_time | The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| account_type | Type of user account (for example, service, domain, or cloud). This is somewhat aligned to https://attack.mitre.org/techniques/T1078/ |
| groupid | The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. |
| group_identifiers[] | Product object identifiers of the group(s) the user belongs to: a vendor-specific identifier that uniquely identifies each group (a GUID, LDAP OID, or similar). |
| windows_sid | The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. |
| email_addresses[] | Email addresses of the user. This field can be used as an entity indicator for user entities. |
| employee_id | Human capital management identifier. This field can be used as an entity indicator for user entities. |
| title | User job title. |
| company_name | User job company name. |
| department[] | User job department. |
| office_address | User job office location. |
| managers[] | User job manager(s). |
| hire_date | User job employment hire date. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| termination_date | User job employment termination date. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| time_off[] | User time-off leaves from active work. |
| last_login_time | User last login timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_password_change_time | User last password change timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| password_expiration_time | User password expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| account_expiration_time | User account expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| account_lockout_time | User account lockout timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_bad_password_attempt_time | User last bad password attempt timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| user_authentication_status | System authentication status for the user. |
| role_name | System role name for the user. Deprecated: use attribute.roles. |
| role_description | System role description for the user. Deprecated: use attribute.roles. |
| user_role | System role for the user. Deprecated: use attribute.roles. |
TimeOff
System record for leave/time-off from a Human Capital Management (HCM) system.
JSON representation:
```
{
"interval": {
object (
```

| Field | Description |
|---|---|
| interval | Interval duration of the leave. |
| description | Description of the leave if available (e.g. 'Vacation'). |
Favicon
Difference hash and MD5 hash of the domain's favicon.
JSON representation:
```
{ "raw_md5": string, "dhash": string }
```

| Field | Description |
|---|---|
| raw_md5 | Favicon's MD5 hash. |
| dhash | Difference hash. |
DNSRecord
DNS record.
JSON representation:
```
{ "type": string, "value": string, "ttl": string, "priority": string, "retry": string, "refresh": string, "minimum": string, "expire": string, "serial": string, "rname": string }
```

| Field | Description |
|---|---|
| type | Type. |
| value | Value. |
| ttl | Time to live. A duration in seconds with up to nine fractional digits, ending with 's'. |
| priority | Priority. |
| retry | Retry. |
| refresh | Refresh. A duration in seconds with up to nine fractional digits, ending with 's'. |
| minimum | Minimum. A duration in seconds with up to nine fractional digits, ending with 's'. |
| expire | Expire. A duration in seconds with up to nine fractional digits, ending with 's'. |
| serial | Serial. |
| rname | Rname. |
PopularityRank
Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.
JSON representation:
```
{ "giver": string, "rank": string, "ingestion_time": string }
```

| Field | Description |
|---|---|
| giver | Name of the rank serial number hexdump. |
| rank | Rank position. |
| ingestion_time | Timestamp when the rank was ingested. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
Url
Url.
JSON representation:
```
{ "url": string, "categories": [ string ], "favicon": { object (
```

| Field | Description |
|---|---|
| url | URL. |
| categories[] | Categorisation done by VirusTotal partners. |
| favicon | Difference hash and MD5 hash of the URL's favicon. |
| html_meta | Meta tags (only for URLs downloading HTML). |
| last_final_url | Final URL reached if the original URL redirects. |
| last_http_response_code | HTTP response code of the last response. |
| last_http_response_content_length | Length in bytes of the content received. |
| last_http_response_content_sha256 | URL response body's SHA256 hash. |
| last_http_response_cookies | Website's cookies. |
| last_http_response_headers | Headers and values of the last HTTP response. |
| tags[] | Tags. |
| title | Webpage title. |
| trackers[] | Trackers found in the URL, recorded historically. |
Tracker
URL Tracker.
JSON representation:
```
{ "tracker": string, "id": string, "timestamp": string, "url": string }
```

| Field | Description |
|---|---|
| tracker | Tracker name. |
| id | Tracker ID, if available. |
| timestamp | Tracker ingestion date. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| url | Tracker script URL. |
Group
Information about an organizational group.
JSON representation:
```
{
"product_object_id": string,
"creation_time": string,
"group_display_name": string,
"attribute": {
object (
```

| Field | Description |
|---|---|
| product_object_id | Product globally unique user object identifier, such as an LDAP Object Identifier. |
| creation_time | Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| group_display_name | Group display name (e.g. "Finance"). |
| attribute | Generic entity metadata attributes of the group. |
| email_addresses[] | Email addresses of the group. |
| windows_sid | Microsoft Windows SID of the group. |
Process
Information about a process.
JSON representation:
```
{ "pid": string, "parent_pid": string, "parent_process": { object (
```

| Field | Description |
|---|---|
| pid | The process ID. This field can be used as an entity indicator for process entities. |
| parent_pid | The ID of the parent process. Deprecated: use parent_process.pid instead. |
| parent_process | Information about the parent process. |
| file | Information about the file in use by the process. |
| command_line | The command line that created the process. This field can be used as an entity indicator for process entities. |
| command_line_history[] | The command line history of the process. |
| product_specific_process_id | A product-specific process ID. |
| access_mask | A bit mask representing the level of access. |
| integrity_level_rid | The Microsoft Windows integrity level relative ID (RID) of the process. |
| euid | The effective user ID of the process. |
| ruid | The real user ID of the process. |
| egid | The effective group ID of the process. |
| rgid | The real group ID of the process. |
| pgid | The identifier that points to the process group ID leader. |
| session_leader_pid | The process ID of the session leader process. |
| tty | The teletype terminal within which the command was executed. |
| token_elevation_type | The elevation type of the process on Microsoft Windows. This determines whether any privileges are removed when UAC is enabled. |
| product_specific_parent_process_id | A product-specific ID for the parent process. Deprecated: use parent_process.product_specific_process_id instead. |
File
Information about a file.
JSON representation:
```
{ "sha256": string, "md5": string, "sha1": string, "size": string, "full_path": string, "mime_type": string, "file_metadata": { object (
```

| Field | Description |
|---|---|
| sha256 | The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
| md5 | The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
| sha1 | The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
| size | The size of the file in bytes. |
| full_path | The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. |
| mime_type | The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". |
| file_metadata | Metadata associated with the file. Deprecated: FileMetadata is superseded by the fields in File. |
| security_result | Google Cloud Threat Intelligence (GCTI) security result for the file, including threat context and detection metadata. |
| pe_file | Metadata about the Portable Executable (PE) file. |
| ssdeep | Ssdeep of the file. |
| vhash | Vhash of the file. |
| ahash | Deprecated. Use authentihash instead. |
| authentihash | Authentihash of the file. |
| symhash | SymHash of the file. Used for Mach-O (e.g. MacOS) binaries to identify similar files based on their symbol table. |
| file_type | FileType field. |
| capabilities_tags[] | Capabilities tags. |
| names[] | Names fields. |
| tags[] | Tags for the file. |
| last_modification_time | Timestamp when the file was last updated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| create_time | Timestamp when the file was created. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_access_time | Timestamp when the file was accessed. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| prevalence | Prevalence of the file hash in the customer's environment. |
| first_seen_time | Timestamp the file was first seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_seen_time | Timestamp the file was last seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| stat_mode | The mode of the file. A bit string indicating the permissions and privileges of the file. |
| stat_inode | The file identifier. Unique identifier of the object within a file system. |
| stat_dev | The identifier of the file system to which the object belongs. |
| stat_nlink | Number of links to the file. |
| stat_flags | User-defined flags for the file. |
| last_analysis_time | Timestamp the file was last analysed. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| embedded_urls[] | Embedded URLs found in the file. |
| embedded_domains[] | Embedded domains found in the file. |
| embedded_ips[] | Embedded IP addresses found in the file. |
| exif_info | Exif metadata from different file formats extracted by exiftool. |
| signature_info | File signature information extracted from different tools. |
| pdf_info | Information about the PDF file structure. |
| first_submission_time | First submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| last_submission_time | Last submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| main_icon | Icon's relevant hashes. |
| ntfs | NTFS metadata. |
FileMetadata
Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type.
JSON representation:
```
{
"pe": {
object (
```

| Field | Description |
|---|---|
| pe | Metadata for Microsoft Windows PE files. Deprecated: PeFileMetadata is superseded by the single File proto. |
PeFileMetadata
Metadata about a Microsoft Windows Portable Executable.
JSON representation:
```
{ "import_hash": string }
```

| Field | Description |
|---|---|
| import_hash | Hash of PE imports. |
FileMetadataPE
Metadata about the Portable Executable (PE) file.
JSON representation:
```
{ "imphash": string, "entry_point": string, "entry_point_exiftool": string, "compilation_time": string, "compilation_exiftool_time": string, "section": [ { object (
```

| Field | Description |
|---|---|
| imphash | Imphash of the file. |
| entry_point | info.pe-entry-point. |
| entry_point_exiftool | info.exiftool.EntryPoint. |
| compilation_time | info.pe-timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| compilation_exiftool_time | info.exiftool.TimeStamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| section[] | FileMetadataSection fields. |
| imports[] | FileMetadataImports fields. |
| resource[] | FileMetadataPeResourceInfo fields. |
| resources_type_count[] | Deprecated: use resources_type_count_str. |
| resources_language_count[] | Deprecated: use resources_language_count_str. |
| resources_type_count_str[] | Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 |
| resources_language_count_str[] | Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 |
| signature_info | FileMetadataSignatureInfo field. Deprecated: use File.signature_info instead. |
FileMetadataSection
File metadata section.
JSON representation:
```
{ "name": string, "entropy": number, "raw_size_bytes": string, "virtual_size_bytes": string, "md5_hex": string }
```

| Field | Description |
|---|---|
| name | Name of the section. |
| entropy | Entropy of the section. |
| raw_size_bytes | Raw file size in bytes. |
| virtual_size_bytes | Virtual file size in bytes. |
| md5_hex | MD5 hex of the file. |
FileMetadataImports
File metadata imports.
JSON representation:
```
{ "library": string, "functions": [ string ] }
```

| Field | Description |
|---|---|
| library | Library field. |
| functions[] | Function field. |
FileMetadataPeResourceInfo
File metadata for PE resource.
JSON representation:
```
{ "sha256_hex": string, "filetype_magic": string, "language_code": string, "entropy": number, "file_type": string }
```

| Field | Description |
|---|---|
| sha256_hex | SHA256_hex field. |
| filetype_magic | Type of resource content, as identified by the magic Python module. |
| language_code | Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: LANG_NEUTRAL with SUBLANG_NEUTRAL gives "NEUTRAL"; LANG_FRENCH with no sublanguage gives "FRENCH"; LANG_ENGLISH with SUBLANG_ENGLISH US gives "ENGLISH US". |
| entropy | Entropy of the resource. |
| file_type | File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. |
StringToInt64MapEntry
JSON representation:
```
{ "key": string, "value": string }
```

| Field | Description |
|---|---|
| key | Key field. |
| value | Value field. |
FileMetadataSignatureInfo
Signature information.
JSON representation:
```
{ "verification_message": string, "verified": boolean, "signer": [ string ], "signers": [ { object (
```

| Field | Description |
|---|---|
| verification_message | Status of the certificate. Valid values are "Signed", "Unsigned", or a description of the certificate anomaly, if found. |
| verified | True if verification_message == "Signed". |
| signer[] | Deprecated: use the signers field. |
| signers[] | File metadata signer information. The order of the signers matters: each element is a higher-level authority, the last being the root authority. |
| x509[] | List of certificates. |
SignerInfo
File metadata related to the signer information.
JSON representation:
```
{ "name": string, "status": string, "valid_usage": string, "cert_issuer": string }
```

| Field | Description |
|---|---|
| name | Common name of the signer's certificate. The order of the signers matters: each element is a higher-level authority, the last being the root authority. |
| status | Either "Valid" or a statement of the problem with the certificate, if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). |
| valid_usage | Indicates which situations the certificate is valid for (e.g. "Code Signing"). |
| cert_issuer | Company that issued the certificate. |
X509
File certificate.
JSON representation:
```
{ "name": string, "algorithm": string, "thumbprint": string, "cert_issuer": string, "serial_number": string }
```

| Field | Description |
|---|---|
| name | Certificate name. |
| algorithm | Certificate algorithm. |
| thumbprint | Certificate thumbprint. |
| cert_issuer | Issuer of the certificate. |
| serial_number | Certificate serial number. |
ExifInfo
Exif information.
JSON representation:
```
{ "original_file": string, "product": string, "company": string, "file_description": string, "entry_point": string, "compilation_time": string }
```

| Field | Description |
|---|---|
| original_file | Original file name. |
| product | Product name. |
| company | Company name. |
| file_description | Description of the file. |
| entry_point | Entry point. |
| compilation_time | Compilation time. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
SignatureInfo
File signature information extracted from different tools.
JSON representation:
```
{ "sigcheck": { object (
```

| Field | Description |
|---|---|
| sigcheck | Signature information extracted from the sigcheck tool. |
| codesign | Signature information extracted from the codesign utility. |
FileMetadataCodesign
File metadata from the codesign utility.
JSON representation:
```
{ "id": string, "format": string, "compilation_time": string, "team_id": string }
```

| Field | Description |
|---|---|
| id | Code sign identifier. |
| format | Code sign format. |
| compilation_time | Code sign timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| team_id | The assigned team identifier of the developer who signed the application. |
PDFInfo
Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info
JSON representation:
```
{ "js": string, "javascript": string, "launch_action_count": string, "object_stream_count": string, "endobj_count": string, "header": string, "acroform": string, "autoaction": string, "embedded_file": string, "encrypted": string, "flash": string, "jbig2_compression": string, "obj_count": string, "endstream_count": string, "page_count": string, "stream_count": string, "openaction": string, "startxref": string, "suspicious_colors": string, "trailer": string, "xfa": string, "xref": string }
```

| Field | Description |
|---|---|
| js | Number of /JS tags found in the PDF file. Should be the same as the javascript field in normal scenarios. |
| javascript | Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. |
| launch_action_count | Number of /Launch tags found in the PDF file. |
| object_stream_count | Number of object streams. |
| endobj_count | Number of object definitions (endobj keyword). |
| header | PDF version. |
| acroform | Number of /AcroForm tags found in the PDF. |
| autoaction | Number of /AA tags found in the PDF. |
| embedded_file | Number of /EmbeddedFile tags found in the PDF. |
| encrypted | Whether the document is encrypted or not. This is defined by the /Encrypt tag. |
| flash | Number of /RichMedia tags found in the PDF. |
| jbig2_compression | Number of /JBIG2Decode tags found in the PDF. |
| obj_count | Number of object definitions (obj keyword). |
| endstream_count | Number of defined stream objects (stream keyword). |
| page_count | Number of pages in the PDF. |
| stream_count | Number of defined stream objects (stream keyword). |
| openaction | Number of /OpenAction tags found in the PDF. |
| startxref | Number of startxref keywords in the PDF. |
| suspicious_colors | Number of colors expressed with more than 3 bytes (CVE-2009-3459). |
| trailer | Number of trailer keywords in the PDF. |
| xfa | Number of /XFA tags found in the PDF. |
| xref | Number of xref keywords in the PDF. |
NtfsFileMetadata
NTFS-specific file metadata.
JSON representation:
```
{ "change_time": string, "filename_create_time": string, "filename_modify_time": string, "filename_access_time": string, "filename_change_time": string }
```

| Field | Description |
|---|---|
| change_time | NTFS MFT entry changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| filename_create_time | NTFS $FILE_NAME attribute created timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| filename_modify_time | NTFS $FILE_NAME attribute modified timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| filename_access_time | NTFS $FILE_NAME attribute accessed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| filename_change_time | NTFS $FILE_NAME attribute changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
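The timestamp rule repeated throughout this reference (any RFC 3339 offset accepted on input, Z-normalized output with 0, 3, 6 or 9 fractional digits) and the pairing of File.create_time with File.ntfs.filename_create_time are worth seeing in code. The following is an added example, not code from the UDM reference or from Google: it parses and re-emits UDM timestamps exactly per that rule, then runs a defender's consistency check over a constructed File noun. It assumes that File.create_time, last_modification_time and last_access_time come from the NTFS $STANDARD_INFORMATION attribute, which the page does not state.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RFC 3339 as the UDM reference describes it: "Z" or an explicit +HH:MM/-HH:MM
# offset on input; Z-normalized output with 0, 3, 6 or 9 fractional digits.
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)


@dataclass(frozen=True)
class UdmTime:
    """UTC instant split into whole seconds and nanoseconds (datetime cannot hold ns)."""
    seconds: datetime  # tz-aware UTC, second precision
    nanos: int


def parse_udm_time(value: str) -> UdmTime:
    """Parse a UDM timestamp, accepting 'Z' or any offset, normalizing to UTC."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    y, mo, d, h, mi, s, frac, off = m.groups()
    nanos = int((frac or "0").ljust(9, "0"))  # right-pad fraction to nanoseconds
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=timezone.utc)
    if off != "Z":
        # Local time minus its offset is UTC.
        sign = 1 if off[0] == "+" else -1
        dt -= sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
    return UdmTime(dt, nanos)


def format_udm_time(t: UdmTime) -> str:
    """Emit the Z-normalized form with 0, 3, 6 or 9 fractional digits, as UDM output does."""
    base = t.seconds.strftime("%Y-%m-%dT%H:%M:%S")
    if t.nanos == 0:
        frac = ""
    elif t.nanos % 1_000_000 == 0:
        frac = f".{t.nanos // 1_000_000:03d}"
    elif t.nanos % 1_000 == 0:
        frac = f".{t.nanos // 1_000:06d}"
    else:
        frac = f".{t.nanos:09d}"
    return f"{base}{frac}Z"


# File.<time> paired with File.ntfs.filename_<time>. ASSUMPTION: the File.* side is
# sourced from $STANDARD_INFORMATION; the page only says "timestamp when the file was ...".
_TIME_PAIRS = (
    ("create_time", "filename_create_time"),
    ("last_modification_time", "filename_modify_time"),
    ("last_access_time", "filename_access_time"),
)


def ntfs_time_findings(file_noun: dict) -> list:
    """Heuristic review aid: list inconsistencies between File.* and File.ntfs.* times.

    Two classic signs that $STANDARD_INFORMATION times were rewritten after the fact:
    the creation time predates the $FILE_NAME creation time, or the sub-second part
    is exactly zero while the $FILE_NAME copy keeps full precision. Both are leads
    for an analyst to verify, not verdicts.
    """
    findings = []
    ntfs = file_noun.get("ntfs", {})
    for si_field, fn_field in _TIME_PAIRS:
        if si_field not in file_noun or fn_field not in ntfs:
            continue
        si = parse_udm_time(file_noun[si_field])
        fn = parse_udm_time(ntfs[fn_field])
        if si_field == "create_time" and (si.seconds, si.nanos) < (fn.seconds, fn.nanos):
            findings.append(f"{si_field} precedes ntfs.{fn_field}")
        if si.nanos == 0 and fn.nanos != 0:
            findings.append(f"{si_field} has a zeroed sub-second part; ntfs.{fn_field} does not")
    return findings


# Constructed sample File noun (not real data): the File.* times are round seconds
# years before the $FILE_NAME times, which is the pattern the check is meant to surface.
SAMPLE_FILE_NOUN = {
    "full_path": "C:\\Windows\\Temp\\svc.exe",
    "create_time": "2019-03-05T09:00:00Z",
    "last_modification_time": "2019-03-05T09:00:00Z",
    "ntfs": {
        "filename_create_time": "2024-05-01T08:13:42.117392100Z",
        "filename_modify_time": "2024-05-01T08:13:42.117392100Z",
    },
}

if __name__ == "__main__":
    print(format_udm_time(parse_udm_time("2024-05-01T10:00:00.5-05:00")))
    for line in ntfs_time_findings(SAMPLE_FILE_NOUN):
        print("review:", line)
```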
Registry
Information about a registry key or value.
JSON representation:
```
{
"registry_key": string,
"registry_value_name": string,
"registry_value_data": string,
"registry_value_type": enum (
```

| Field | Description |
|---|---|
| registry_key | Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). |
| registry_value_name | Name of the registry value associated with an application or system component (e.g. TEMP). |
| registry_value_data | Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). |
| registry_value_type | Type of the registry value. |