Noun

The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

JSON representation
{
  "hostname": string,
  "domain": {
    object (Domain)
  },
  "artifact": {
    object (Artifact)
  },
  "url_metadata": {
    object (Url)
  },
  "asset_id": string,
  "user": {
    object (User)
  },
  "user_management_chain": [
    {
      object (User)
    }
  ],
  "group": {
    object (Group)
  },
  "process": {
    object (Process)
  },
  "process_ancestors": [
    {
      object (Process)
    }
  ],
  "asset": {
    object (Asset)
  },
  "ip": [
    string
  ],
  "nat_ip": [
    string
  ],
  "port": integer,
  "nat_port": integer,
  "mac": [
    string
  ],
  "administrative_domain": string,
  "namespace": string,
  "url": string,
  "file": {
    object (File)
  },
  "email": string,
  "registry": {
    object (Registry)
  },
  "application": string,
  "platform": enum (Platform),
  "platform_version": string,
  "platform_patch_level": string,
  "cloud": {
    object (Cloud)
  },
  "location": {
    object (Location)
  },
  "ip_location": [
    {
      object (Location)
    }
  ],
  "ip_geo_artifact": [
    {
      object (Artifact)
    }
  ],
  "resource": {
    object (Resource)
  },
  "resource_ancestors": [
    {
      object (Resource)
    }
  ],
  "labels": [
    {
      object (Label)
    }
  ],
  "object_reference": {
    object (Id)
  },
  "investigation": {
    object (Investigation)
  },
  "network": {
    object (Network)
  },
  "security_result": [
    {
      object (SecurityResult)
    }
  ]
}
Fields
hostname

string

Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities.

domain

object (Domain)

Information about the domain.

artifact

object (Artifact)

Information about an artifact.

url_metadata

object (Url)

Information about the URL.

asset_id

string

The asset ID. This field can be used as an entity indicator for asset entities.

user

object (User)

Information about the user.

user_management_chain[]

object (User)

Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.

group

object (Group)

Information about the group.

process

object (Process)

Information about the process.

process_ancestors[]

object (Process)

Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
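
The flattening that the two notes above (user_management_chain and process_ancestors) describe, as an added example that is not part of the UDM reference or of any Google code: it walks the recursive user.managers and process.parent_process links, emits the ancestors nearest-first as the reference specifies, strips the recursive link from each copy, and refuses cyclic input. The sample noun is constructed; the breadth-first treatment of a user with several managers is an assumption, since the reference only defines the ordering for a single chain.

```python
"""Flatten the recursive User.managers and Process.parent_process chains into
the repeated user_management_chain and process_ancestors fields.

Added example, not part of the UDM reference. It reproduces the ordering the
reference describes for BigQuery export (immediate ancestor first, root last)
and strips the recursive link from each copied element, so the output is the
non-recursive shape BigQuery can hold. The sample noun is constructed.
"""
from __future__ import annotations

import copy
from collections import deque
from typing import Any


def _as_list(v: Any) -> list[dict[str, Any]]:
    """parent_process is a single object, managers is repeated; treat both as lists."""
    if isinstance(v, dict):
        return [v]
    return [x for x in v if isinstance(x, dict)] if isinstance(v, list) else []


def flatten_chain(start: dict[str, Any], link: str, max_nodes: int = 256) -> list[dict[str, Any]]:
    """Walk `link` breadth-first from `start`; return ancestors nearest-first.

    Each element is a shallow copy without its own `link` field. Breadth-first
    order keeps a linear chain in parent-to-root order and still terminates on
    a branching hierarchy (assumption: a user with two managers). Cycles, which
    hand-built JSON can contain, raise instead of looping; max_nodes bounds the
    output size.
    """
    out: list[dict[str, Any]] = []
    queue: deque[dict[str, Any]] = deque(_as_list(start.get(link)))
    seen: set[int] = {id(start)}
    while queue and len(out) < max_nodes:
        node = queue.popleft()
        if id(node) in seen:
            raise ValueError(f"cycle detected while flattening {link!r}")
        seen.add(id(node))
        out.append({k: v for k, v in node.items() if k != link})
        queue.extend(_as_list(node.get(link)))
    return out


def export_noun(noun: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `noun` with the flattened chains populated and the
    recursive fields removed, i.e. the shape the reference describes for
    BigQuery export. The input is left untouched."""
    out = copy.deepcopy(noun)
    proc = out.get("process")
    if isinstance(proc, dict):
        out["process_ancestors"] = flatten_chain(proc, "parent_process")
        proc.pop("parent_process", None)
    user = out.get("user")
    if isinstance(user, dict):
        out["user_management_chain"] = flatten_chain(user, "managers")
        user.pop("managers", None)
    return out


# Constructed sample: a shell launched by Word under Explorer, run by a user
# two levels below the top of the reporting hierarchy.
SAMPLE_NOUN: dict[str, Any] = {
    "hostname": "ws-1042.corp.example",
    "user": {
        "userid": "jlocke",
        "managers": [{"userid": "bsmith", "managers": [{"userid": "ceo"}]}],
    },
    "process": {
        "pid": "4312",
        "command_line": "cmd.exe /c whoami",
        "parent_process": {
            "pid": "2200",
            "command_line": "WINWORD.EXE /n",
            "parent_process": {"pid": "1010", "command_line": "explorer.exe"},
        },
    },
}

if __name__ == "__main__":
    exported = export_noun(SAMPLE_NOUN)
    for i, p in enumerate(exported["process_ancestors"], 1):
        print(f"ancestor {i}: pid={p['pid']} {p['command_line']}")
    print("management chain:", [u["userid"] for u in exported["user_management_chain"]])
```

Because process_ancestors[0] is always the direct parent, a detection that today walks process.parent_process.parent_process can be rewritten against the flattened field with the same index arithmetic, which is what makes the BigQuery copy queryable without recursion.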

asset

object (Asset)

Information about the asset.

ip[]

string

A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities.

nat_ip[]

string

A list of NAT translated IP addresses associated with a network connection.

port

integer

Source or destination network port number when a specific network connection is described within an event.

nat_port

integer

NAT external network port number when a specific network connection is described within an event.

mac[]

string

List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities.

administrative_domain

string

Domain which the device belongs to (for example, the Microsoft Windows domain).

namespace

string

Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset.

url

string

The URL.

file

object (File)

Information about the file.

email

string

Email address. Only filled in for security_result.about.

registry

object (Registry)

Registry information.

application

string

The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".

platform

enum (Platform)

Platform.

platform_version

string

Platform version. For example, "Microsoft Windows 1803".

platform_patch_level

string

Platform patch level. For example, "Build 17134.48"

cloud
(deprecated)

object (Cloud)

Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).

location

object (Location)

Physical location. For cloud environments, set the region in location.name.

ip_location[]
(deprecated)

object (Location)

Deprecated: use ip_geo_artifact.location instead.

ip_geo_artifact[]

object (Artifact)

Enriched geographic information corresponding to an IP address. Specifically, location and network data.

resource

object (Resource)

Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun.

resource_ancestors[]

object (Resource)

Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).

labels[]
(deprecated)

object (Label)

Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).

object_reference

object (Id)

The finding to which the analyst's feedback applies.

investigation

object (Investigation)

Analyst feedback/investigation for alerts.

network

object (Network)

Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).

security_result[]

object (SecurityResult)

A list of security results.
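
Several of the fields above are marked as usable entity indicators, and several are marked deprecated with a named replacement. The following is an added example, not code from the UDM reference or from Google: it lints one Noun, collecting the indicator values an analyst can pivot on per entity type and reporting any deprecated field still in use. The field lists are transcribed from this page; the sample principal is constructed.

```python
"""Collect entity indicators from a UDM Noun and flag deprecated fields.

Added example, not part of the UDM reference. The field lists below are
transcribed from the Noun, User, Process, File and Domain descriptions on this
page (the fields marked "can be used as an entity indicator" and the fields
marked deprecated); the sample noun is constructed.
"""
from __future__ import annotations

from typing import Any

# Fields the reference marks as entity indicators, keyed by the entity type
# they identify. Paths are dotted from the Noun; repeated fields expand to
# every element.
ENTITY_INDICATORS: dict[str, tuple[str, ...]] = {
    "asset": ("hostname", "asset_id", "ip", "mac"),
    "user": ("user.product_object_id", "user.userid", "user.windows_sid",
             "user.email_addresses", "user.employee_id"),
    "process": ("process.pid", "process.command_line"),
    "file": ("file.sha256", "file.md5", "file.sha1", "file.full_path"),
    "domain": ("domain.name",),
}

# Deprecated Noun sub-fields and the replacement the reference names for each.
DEPRECATED: dict[str, str] = {
    "cloud": "asset.attribute.cloud",
    "ip_location": "ip_geo_artifact.location",
    "labels": "attribute.labels on the entity (e.g. user.attribute.labels)",
    "user.groupid": "user.group_identifiers",
    "user.role_name": "user.attribute.roles",
    "user.role_description": "user.attribute.roles",
    "user.user_role": "user.attribute.roles",
    "process.parent_pid": "process.parent_process.pid",
    "process.product_specific_parent_process_id":
        "process.parent_process.product_specific_process_id",
    "file.file_metadata": "fields on File itself (e.g. file.pe_file)",
    "file.ahash": "file.authentihash",
}


def _get(obj: dict[str, Any], path: str) -> Any:
    """Resolve a dotted path against nested dicts; None if any hop is missing."""
    cur: Any = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def entity_indicators(noun: dict[str, Any]) -> dict[str, list[str]]:
    """Return {entity_type: [indicator values]} for the indicators present.

    Empty strings and empty lists are skipped so the result only holds values
    an analyst can pivot on; entity types with no indicator are omitted.
    """
    found: dict[str, list[str]] = {}
    for entity, paths in ENTITY_INDICATORS.items():
        values: list[str] = []
        for path in paths:
            v = _get(noun, path)
            if isinstance(v, list):
                values.extend(str(x) for x in v if x)
            elif v not in (None, ""):
                values.append(str(v))
        if values:
            found[entity] = values
    return found


def deprecated_fields(noun: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (deprecated_path, replacement) for each deprecated field that is set."""
    return [(p, DEPRECATED[p]) for p in DEPRECATED if _get(noun, p) is not None]


# Constructed sample: a Windows workstation as the principal of a process
# launch, with one deprecated field (labels) still in use.
SAMPLE_PRINCIPAL: dict[str, Any] = {
    "hostname": "ws-1042.corp.example",
    "asset_id": "edr:aid-0123456789abcdef",
    "ip": ["10.20.30.40"],
    "mac": ["00:1a:2b:3c:4d:5e"],
    "administrative_domain": "CORP",
    "user": {
        "userid": "jlocke",
        "windows_sid": "S-1-5-21-1111-2222-3333-1001",
        "email_addresses": ["jlocke@example.com"],
    },
    "process": {
        "pid": "4312",
        "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA",
    },
    "file": {
        "sha256": "a" * 64,  # placeholder hash, not a real sample
        "full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    "labels": [{"key": "env", "value": "prod"}],
}

if __name__ == "__main__":
    for entity, values in entity_indicators(SAMPLE_PRINCIPAL).items():
        print(f"{entity:8s} {values}")
    for path, replacement in deprecated_fields(SAMPLE_PRINCIPAL):
        print(f"deprecated field {path}: use {replacement}")
```

Running the same check over every noun of an event (principal, src, target, observer, intermediary, about) before a parser is promoted catches two common parser defects at once: an event that carries no indicator for the entity it is supposed to describe, and a parser that still writes to a field the reference has retired.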

Domain

Information about a domain.

JSON representation
{
  "name": string,
  "prevalence": {
    object (Prevalence)
  },
  "first_seen_time": string,
  "last_seen_time": string,
  "registrar": string,
  "contact_email": string,
  "whois_server": string,
  "name_server": [
    string
  ],
  "creation_time": string,
  "update_time": string,
  "expiration_time": string,
  "audit_update_time": string,
  "status": string,
  "registrant": {
    object (User)
  },
  "admin": {
    object (User)
  },
  "tech": {
    object (User)
  },
  "billing": {
    object (User)
  },
  "zone": {
    object (User)
  },
  "whois_record_raw_text": string,
  "registry_data_raw_text": string,
  "iana_registrar_id": integer,
  "private_registration": boolean,
  "categories": [
    string
  ],
  "favicon": {
    object (Favicon)
  },
  "jarm": string,
  "last_dns_records": [
    {
      object (DNSRecord)
    }
  ],
  "last_dns_records_time": string,
  "last_https_certificate": {
    object (SSLCertificate)
  },
  "last_https_certificate_time": string,
  "popularity_ranks": [
    {
      object (PopularityRank)
    }
  ],
  "tags": [
    string
  ],
  "whois_time": string
}
Fields
name

string

The domain name. This field can be used as an entity indicator for Domain entities.

prevalence

object (Prevalence)

The prevalence of the domain within the customer's environment.

first_seen_time

string (Timestamp format)

First seen timestamp of the domain in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
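
The timestamp rule stated above (and repeated for every Timestamp field on this page) has two halves: offsets other than Z are accepted on input, and generated output is Z-normalized with exactly 0, 3, 6 or 9 fractional digits. The following is an added example, not code from the UDM reference or from Google, that implements both halves so timestamps written by a parser or compared in a query are in the canonical form; the nanosecond handling beyond what datetime stores is the part worth seeing.

```python
"""Normalize RFC 3339 timestamps to the form the reference describes for
generated output: UTC with a trailing 'Z' and 0, 3, 6 or 9 fractional digits.

Added example, not part of the UDM reference. It accepts any numeric offset
(which the reference says is accepted on input), converts to UTC, and picks
the smallest of 0/3/6/9 digits that preserves the digits supplied, so a value
round-trips without silently gaining or losing precision.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?"
    r"(?:([Zz])|([+-])(\d{2}):(\d{2}))$"
)


def parse_timestamp(text: str) -> tuple[datetime, int]:
    """Parse an RFC 3339 timestamp; return (UTC datetime, nanoseconds).

    Nanoseconds are kept separately because datetime only holds microseconds
    and the reference allows nine fractional digits.
    """
    m = _RFC3339.match(text.strip())
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {text!r}")
    y, mo, d, hh, mm, ss, frac, z, sign, oh, om = m.groups()
    nanos = int((frac or "").ljust(9, "0"))  # ".5" -> 500000000
    if z:
        offset = timedelta(0)
    else:
        offset = timedelta(hours=int(oh), minutes=int(om))
        if sign == "-":
            offset = -offset
    # Leap seconds (ss == 60) are not representable by datetime; let it raise.
    local = datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss),
                     tzinfo=timezone(offset))
    return local.astimezone(timezone.utc), nanos


def normalize_timestamp(text: str) -> str:
    """Return the Z-normalized form with 0, 3, 6 or 9 fractional digits."""
    utc, nanos = parse_timestamp(text)
    base = utc.strftime("%Y-%m-%dT%H:%M:%S")
    if nanos == 0:
        return base + "Z"
    # Smallest of 3/6/9 digits that loses nothing (9 always qualifies).
    digits = next(n for n in (3, 6, 9) if nanos % 10 ** (9 - n) == 0)
    return f"{base}.{nanos // 10 ** (9 - digits):0{digits}d}Z"


if __name__ == "__main__":
    for sample in ("2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z",
                   "2014-10-02T15:01:23+05:30", "2014-10-02T15:01:23.5-07:00"):
        print(f"{sample:32s} -> {normalize_timestamp(sample)}")
```

Comparing first_seen_time and last_seen_time as strings is only safe after both have been normalized this way; the same instant written as "15:01:23+05:30" and "09:31:23Z" sorts in the wrong order as raw text.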

last_seen_time

string (Timestamp format)

Last seen timestamp of the domain in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

registrar

string

Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM".

contact_email

string

Contact email address.

whois_server

string

Whois server name.

name_server[]

string

Repeated list of name servers.

creation_time

string (Timestamp format)

Domain creation time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

update_time

string (Timestamp format)

Last updated time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

expiration_time

string (Timestamp format)

Expiration time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

audit_update_time

string (Timestamp format)

Audit updated time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

status

string

Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values.

registrant

object (User)

Parsed contact information for the registrant of the domain.

admin

object (User)

Parsed contact information for the administrative contact for the domain.

tech

object (User)

Parsed contact information for the technical contact for the domain.

billing

object (User)

Parsed contact information for the billing contact of the domain.

zone

object (User)

Parsed contact information for the zone.

whois_record_raw_text

string (bytes format)

WHOIS raw text.

A base64-encoded string.

registry_data_raw_text

string (bytes format)

Registry Data raw text.

A base64-encoded string.

iana_registrar_id

integer

IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml

private_registration

boolean

Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.

categories[]

string

Categories assigned to the domain, as retrieved from VirusTotal.

favicon

object (Favicon)

Includes difference hash and MD5 hash of the domain's favicon.

jarm

string

Domain's JARM hash.

last_dns_records[]

object (DNSRecord)

Domain's DNS records from the last scan.

last_dns_records_time

string (Timestamp format)

Date when the DNS records list was retrieved by VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_https_certificate

object (SSLCertificate)

SSL certificate object retrieved last time the domain was analyzed.

last_https_certificate_time

string (Timestamp format)

When the certificate was retrieved by VirusTotal.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

popularity_ranks[]

object (PopularityRank)

Domain's position in popularity ranks such as Alexa, Quantcast, or Statvoo.

tags[]

string

List of representative attributes.

whois_time

string (Timestamp format)

Date of the last update of the WHOIS record.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

User

Information about a user.

JSON representation
{
  "product_object_id": string,
  "userid": string,
  "user_display_name": string,
  "first_name": string,
  "middle_name": string,
  "last_name": string,
  "phone_numbers": [
    string
  ],
  "personal_address": {
    object (Location)
  },
  "attribute": {
    object (Attribute)
  },
  "first_seen_time": string,
  "account_type": enum (AccountType),
  "groupid": string,
  "group_identifiers": [
    string
  ],
  "windows_sid": string,
  "email_addresses": [
    string
  ],
  "employee_id": string,
  "title": string,
  "company_name": string,
  "department": [
    string
  ],
  "office_address": {
    object (Location)
  },
  "managers": [
    {
      object (User)
    }
  ],
  "hire_date": string,
  "termination_date": string,
  "time_off": [
    {
      object (TimeOff)
    }
  ],
  "last_login_time": string,
  "last_password_change_time": string,
  "password_expiration_time": string,
  "account_expiration_time": string,
  "account_lockout_time": string,
  "last_bad_password_attempt_time": string,
  "user_authentication_status": enum (AuthenticationStatus),
  "role_name": string,
  "role_description": string,
  "user_role": enum (Role)
}
Fields
product_object_id

string

A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities.

userid

string

The ID of the user. This field can be used as an entity indicator for user entities.

user_display_name

string

The display name of the user (e.g. "John Locke").

first_name

string

First name of the user (e.g. "John").

middle_name

string

Middle name of the user.

last_name

string

Last name of the user (e.g. "Locke").

phone_numbers[]

string

Phone numbers for the user.

personal_address

object (Location)

Personal address of the user.

attribute

object (Attribute)

Generic entity metadata attributes of the user.

first_seen_time

string (Timestamp format)

The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

account_type

enum (AccountType)

Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/

groupid
(deprecated)

string

The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field.

group_identifiers[]

string

Product object identifiers of the group(s) the user belongs to: vendor-specific identifiers that uniquely identify each group (a GUID, LDAP OID, or similar).

windows_sid

string

The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities.

email_addresses[]

string

Email addresses of the user. This field can be used as an entity indicator for user entities.

employee_id

string

Human capital management identifier. This field can be used as an entity indicator for user entities.

title

string

User job title.

company_name

string

User job company name.

department[]

string

User job department.

office_address

object (Location)

User job office location.

managers[]

object (User)

User job manager(s).

hire_date

string (Timestamp format)

User job employment hire date.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

termination_date

string (Timestamp format)

User job employment termination date.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

time_off[]

object (TimeOff)

User time off leaves from active work.

last_login_time

string (Timestamp format)

User last login timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_password_change_time

string (Timestamp format)

User last password change timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

password_expiration_time

string (Timestamp format)

User password expiration timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

account_expiration_time

string (Timestamp format)

User account expiration timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

account_lockout_time

string (Timestamp format)

User account lockout timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_bad_password_attempt_time

string (Timestamp format)

User last bad password attempt timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

user_authentication_status

enum (AuthenticationStatus)

System authentication status for user.

role_name
(deprecated)

string

System role name for user. Deprecated: use attribute.roles.

role_description
(deprecated)

string

System role description for user. Deprecated: use attribute.roles.

user_role
(deprecated)

enum (Role)

System role for user. Deprecated: use attribute.roles.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM) system.

JSON representation
{
  "interval": {
    object (Interval)
  },
  "description": string
}
Fields
interval

object (Interval)

Interval duration of the leave.

description

string

Description of the leave if available (e.g. 'Vacation').

Favicon

Difference hash and MD5 hash of the domain's favicon.

JSON representation
{
  "raw_md5": string,
  "dhash": string
}
Fields
raw_md5

string

Favicon's MD5 hash.

dhash

string

Difference hash.

DNSRecord

DNS record.

JSON representation
{
  "type": string,
  "value": string,
  "ttl": string,
  "priority": string,
  "retry": string,
  "refresh": string,
  "minimum": string,
  "expire": string,
  "serial": string,
  "rname": string
}
Fields
type

string

The DNS record type (for example, A, AAAA, MX, NS, or SOA).

value

string

The record data (for example, the address of an A record or the exchange host of an MX record).

ttl

string (Duration format)

Time to live.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

priority

string (int64 format)

Priority (for example, the preference value of an MX record).

retry

string (int64 format)

Retry interval of an SOA record.

refresh

string (Duration format)

Refresh interval of an SOA record.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

minimum

string (Duration format)

Minimum TTL of an SOA record.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

expire

string (Duration format)

Expire interval of an SOA record.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

serial

string (int64 format)

Serial number of an SOA record.

rname

string

RNAME of an SOA record (the mailbox of the person responsible for the zone).
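
The DNSRecord fields above mix three JSON encodings: plain strings, Duration strings ("3600s") and int64 values carried as strings. As an added example, not code from the UDM reference or from Google, the following builds DNSRecord messages from resource-record lines and applies the right encoding to each field, including the SOA fields that the reference types differently from one another. The zone lines are constructed; mapping the SOA MNAME into `value` is an assumption, since the reference does not say which SOA field goes there.

```python
"""Build DNSRecord messages from resource-record text, encoding each field the
way the reference specifies: ttl/refresh/minimum/expire as Duration strings
("3600s"), priority/retry/serial as int64 strings.

Added example, not part of the UDM reference. The zone lines are constructed;
the mapping of SOA MNAME to `value` is an assumption.
"""
from __future__ import annotations

import re
from typing import Any


def duration(seconds: float | int) -> str:
    """proto3 JSON Duration: seconds, up to nine fractional digits, 's' suffix."""
    text = f"{float(seconds):.9f}".rstrip("0").rstrip(".")
    return f"{text}s"


def parse_duration(text: str) -> float:
    """Inverse of duration(): accept "3600s" or "3.5s", reject anything else."""
    m = re.fullmatch(r"(-?\d+(?:\.\d{1,9})?)s", text)
    if not m:
        raise ValueError(f"not a Duration: {text!r}")
    return float(m.group(1))


def dns_record(line: str) -> dict[str, Any]:
    """Map one 'name ttl class type rdata...' line to a DNSRecord dict."""
    fields = line.split()
    if len(fields) < 5 or fields[2] != "IN":
        raise ValueError(f"unsupported record line: {line!r}")
    ttl, rtype, rdata = int(fields[1]), fields[3], fields[4:]
    rec: dict[str, Any] = {"type": rtype, "ttl": duration(ttl)}
    if rtype == "MX":
        rec["priority"] = str(int(rdata[0]))      # int64 -> JSON string
        rec["value"] = rdata[1]
    elif rtype == "SOA":
        mname, rname, serial, refresh, retry, expire, minimum = rdata[:7]
        rec["value"] = mname                      # assumption: primary name server
        rec["rname"] = rname
        rec["serial"] = str(int(serial))          # int64 -> JSON string
        rec["refresh"] = duration(int(refresh))   # Duration
        rec["retry"] = str(int(retry))            # int64 per the reference, not Duration
        rec["expire"] = duration(int(expire))     # Duration
        rec["minimum"] = duration(int(minimum))   # Duration
    else:
        rec["value"] = " ".join(rdata)            # A, AAAA, NS, CNAME, TXT, ...
    return rec


def dns_records(lines: list[str]) -> list[dict[str, Any]]:
    """Convert a list of record lines, skipping blanks and ';' comments."""
    return [dns_record(l) for l in lines if l.strip() and not l.lstrip().startswith(";")]


# Constructed sample zone data (not real DNS data).
ZONE_LINES = [
    "; constructed zone excerpt",
    "example.com.  3600  IN  A    93.184.216.34",
    "example.com.  3600  IN  MX   10 mail.example.com.",
    "example.com.  1800  IN  SOA  ns1.example.com. hostmaster.example.com. "
    "2024010101 7200 900 1209600 300",
]

if __name__ == "__main__":
    import json
    print(json.dumps(dns_records(ZONE_LINES), indent=2))
```

The int64-as-string convention matters when querying: a numeric comparison on serial or priority must cast the string first, and a Duration must be parsed (parse_duration above) rather than compared lexically, since "900s" sorts after "1209600s" as text.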

PopularityRank

Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.

JSON representation
{
  "giver": string,
  "rank": string,
  "ingestion_time": string
}
Fields
giver

string

Name of the source that assigned the rank (for example, Alexa, Quantcast, or Statvoo).

rank

string (int64 format)

Rank position.

ingestion_time

string (Timestamp format)

Timestamp when the rank was ingested.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Url

Url.

JSON representation
{
  "url": string,
  "categories": [
    string
  ],
  "favicon": {
    object (Favicon)
  },
  "html_meta": {
    object
  },
  "last_final_url": string,
  "last_http_response_code": integer,
  "last_http_response_content_length": string,
  "last_http_response_content_sha256": string,
  "last_http_response_cookies": {
    object
  },
  "last_http_response_headers": {
    object
  },
  "tags": [
    string
  ],
  "title": string,
  "trackers": [
    {
      object (Tracker)
    }
  ]
}
Fields
url

string

URL.

categories[]

string

Categorisation done by VirusTotal partners.

favicon

object (Favicon)

Difference hash and MD5 hash of the URL's favicon.

html_meta

object (Struct format)

Meta tags (only for URLs downloading HTML).

last_final_url

string

The final URL reached if the original URL redirects.

last_http_response_code

integer

HTTP response code of the last response.

last_http_response_content_length

string (int64 format)

Length in bytes of the content received.

last_http_response_content_sha256

string

URL response body's SHA256 hash.

last_http_response_cookies

object (Struct format)

Cookies set in the last HTTP response.

last_http_response_headers

object (Struct format)

Headers and values of the last HTTP response.

tags[]

string

Tags.

title

string

Webpage title.

trackers[]

object (Tracker)

Trackers historically observed at the URL.

Tracker

URL Tracker.

JSON representation
{
  "tracker": string,
  "id": string,
  "timestamp": string,
  "url": string
}
Fields
tracker

string

Tracker name.

id

string

Tracker ID, if available.

timestamp

string (Timestamp format)

Tracker ingestion date.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

url

string

Tracker script URL.

Group

Information about an organizational group.

JSON representation
{
  "product_object_id": string,
  "creation_time": string,
  "group_display_name": string,
  "attribute": {
    object (Attribute)
  },
  "email_addresses": [
    string
  ],
  "windows_sid": string
}
Fields
product_object_id

string

Product globally unique group object identifier, such as an LDAP Object Identifier.

creation_time
(deprecated)

string (Timestamp format)

Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

group_display_name

string

Group display name. e.g. "Finance".

attribute

object (Attribute)

Generic entity metadata attributes of the group.

email_addresses[]

string

Email addresses of the group.

windows_sid

string

Microsoft Windows SID of the group.

Process

Information about a process.

JSON representation
{
  "pid": string,
  "parent_pid": string,
  "parent_process": {
    object (Process)
  },
  "file": {
    object (File)
  },
  "command_line": string,
  "command_line_history": [
    string
  ],
  "product_specific_process_id": string,
  "access_mask": string,
  "integrity_level_rid": string,
  "euid": string,
  "ruid": string,
  "egid": string,
  "rgid": string,
  "pgid": string,
  "session_leader_pid": string,
  "tty": string,
  "token_elevation_type": enum (TokenElevationType),
  "product_specific_parent_process_id": string
}
Fields
pid

string

The process ID. This field can be used as an entity indicator for process entities.

parent_pid
(deprecated)

string

The ID of the parent process. Deprecated: use parent_process.pid instead.

parent_process

object (Process)

Information about the parent process.

file

object (File)

Information about the file in use by the process.

command_line

string

The command line command that created the process. This field can be used as an entity indicator for process entities.

command_line_history[]

string

The command line history of the process.

product_specific_process_id

string

A product-specific process ID.

access_mask

string

A bit mask representing the level of access.

integrity_level_rid

string

The Microsoft Windows integrity level relative ID (RID) of the process.

euid

string

The effective user ID of the process.

ruid

string

The real user ID of the process.

egid

string

The effective group ID of the process.

rgid

string

The real group ID of the process.

pgid

string

The process group ID: the PID of the process group leader.

session_leader_pid

string

The process ID of the session leader process.

tty

string

The teletype terminal which the command was executed within.

token_elevation_type

enum (TokenElevationType)

The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled.

product_specific_parent_process_id
(deprecated)

string

A product-specific ID for the parent process. Deprecated: use parent_process.product_specific_process_id instead.

File

Information about a file.

JSON representation
{
  "sha256": string,
  "md5": string,
  "sha1": string,
  "size": string,
  "full_path": string,
  "mime_type": string,
  "file_metadata": {
    object (FileMetadata)
  },
  "security_result": {
    object (SecurityResult)
  },
  "pe_file": {
    object (FileMetadataPE)
  },
  "ssdeep": string,
  "vhash": string,
  "ahash": string,
  "authentihash": string,
  "symhash": string,
  "file_type": enum (FileType),
  "capabilities_tags": [
    string
  ],
  "names": [
    string
  ],
  "tags": [
    string
  ],
  "last_modification_time": string,
  "create_time": string,
  "last_access_time": string,
  "prevalence": {
    object (Prevalence)
  },
  "first_seen_time": string,
  "last_seen_time": string,
  "stat_mode": string,
  "stat_inode": string,
  "stat_dev": string,
  "stat_nlink": string,
  "stat_flags": integer,
  "last_analysis_time": string,
  "embedded_urls": [
    string
  ],
  "embedded_domains": [
    string
  ],
  "embedded_ips": [
    string
  ],
  "exif_info": {
    object (ExifInfo)
  },
  "signature_info": {
    object (SignatureInfo)
  },
  "pdf_info": {
    object (PDFInfo)
  },
  "first_submission_time": string,
  "last_submission_time": string,
  "main_icon": {
    object (Favicon)
  },
  "ntfs": {
    object (NtfsFileMetadata)
  }
}
Fields
sha256

string

The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.

md5

string

The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.

sha1

string

The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.

size

string

The size of the file in bytes.

full_path

string

The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities.

mime_type

string

The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script".

file_metadata
(deprecated)

object (FileMetadata)

Metadata associated with the file. Deprecated: use the fields on File itself (for example, pe_file) instead.

security_result

object (SecurityResult)

Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata.

pe_file

object (FileMetadataPE)

Metadata about the Portable Executable (PE) file.

ssdeep

string

Ssdeep fuzzy hash of the file.

vhash

string

Vhash of the file.

ahash
(deprecated)

string

Deprecated. Use authentihash instead.

authentihash

string

Authentihash of the file.

symhash

string

SymHash of the file. Used for Mach-O (e.g. macOS) binaries, to identify similar files based on their symbol table.

file_type

enum (FileType)

The type of the file.

capabilities_tags[]

string

Capabilities tags.

names[]

string

Names associated with the file.

tags[]

string

Tags for the file.

last_modification_time

string (Timestamp format)

Timestamp when the file was last updated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

create_time

string (Timestamp format)

Timestamp when the file was created.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_access_time

string (Timestamp format)

Timestamp when the file was accessed.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

prevalence

object (Prevalence)

Prevalence of the file hash in the customer's environment.

first_seen_time

string (Timestamp format)

Timestamp the file was first seen in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_seen_time

string (Timestamp format)

Timestamp the file was last seen in the customer's environment.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

stat_mode

string

The mode of the file. A bit string indicating the permissions and privileges of the file.

stat_inode

string

The inode number: the unique identifier of the object within its file system.

stat_dev

string

The file system identifier to which the object belongs.

stat_flags

integer (uint32 format)

User defined flags for file.

last_analysis_time

string (Timestamp format)

Timestamp the file was last analysed.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

embedded_urls[]

string

Embedded urls found in the file.

embedded_domains[]

string

Embedded domains found in the file.

embedded_ips[]

string

Embedded IP addresses found in the file.

exif_info

object (ExifInfo)

Exif metadata from different file formats extracted by exiftool.

signature_info

object (SignatureInfo)

File signature information extracted from different tools.

pdf_info

object (PDFInfo)

Information about the PDF file structure.

first_submission_time

string (Timestamp format)

First submission time of the file.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

last_submission_time

string (Timestamp format)

Last submission time of the file.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

main_icon

object (Favicon)

Relevant hashes of the icon.

ntfs

object (NtfsFileMetadata)

NTFS metadata.

FileMetadata

Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type.

JSON representation
{
  "pe": {
    object (PeFileMetadata)
  }
}
Fields
pe
(deprecated)

object (PeFileMetadata)

Metadata for Microsoft Windows PE files. PeFileMetadata is deprecated in favor of the single File proto.

PeFileMetadata

Metadata about a Microsoft Windows Portable Executable.

JSON representation
{
  "import_hash": string
}
Fields
import_hash

string

Hash of PE imports.

FileMetadataPE

Metadata about the Portable Executable (PE) file.

JSON representation
{
  "imphash": string,
  "entry_point": string,
  "entry_point_exiftool": string,
  "compilation_time": string,
  "compilation_exiftool_time": string,
  "section": [
    {
      object (FileMetadataSection)
    }
  ],
  "imports": [
    {
      object (FileMetadataImports)
    }
  ],
  "resource": [
    {
      object (FileMetadataPeResourceInfo)
    }
  ],
  "resources_type_count": [
    {
      object (StringToInt64MapEntry)
    }
  ],
  "resources_language_count": [
    {
      object (StringToInt64MapEntry)
    }
  ],
  "resources_type_count_str": [
    {
      object (Label)
    }
  ],
  "resources_language_count_str": [
    {
      object (Label)
    }
  ],
  "signature_info": {
    object (FileMetadataSignatureInfo)
  }
}
Fields
imphash

string

Imphash of the file.

entry_point

string (int64 format)

Entry point of the PE file, taken from info.pe-entry-point.

entry_point_exiftool

string (int64 format)

Entry point as reported by exiftool, taken from info.exiftool.EntryPoint.

compilation_time

string (Timestamp format)

Compilation timestamp from the PE header, taken from info.pe-timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

compilation_exiftool_time

string (Timestamp format)

Compilation timestamp as reported by exiftool, taken from info.exiftool.TimeStamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

section[]

object (FileMetadataSection)

FileMetadataSection entries, one per PE section.

imports[]

object (FileMetadataImports)

FileMetadataImports entries, one per imported library.

resource[]

object (FileMetadataPeResourceInfo)

FileMetadataPeResourceInfo entries, one per PE resource.

resources_type_count[]
(deprecated)

object (StringToInt64MapEntry)

Deprecated: use resources_type_count_str.

resources_language_count[]
(deprecated)

object (StringToInt64MapEntry)

Deprecated: use resources_language_count_str.

resources_type_count_str[]

object (Label)

Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

resources_language_count_str[]

object (Label)

Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

signature_info
(deprecated)

object (FileMetadataSignatureInfo)

Deprecated: use File.signature_info instead.

FileMetadataSection

File metadata section.

JSON representation
{
  "name": string,
  "entropy": number,
  "raw_size_bytes": string,
  "virtual_size_bytes": string,
  "md5_hex": string
}
Fields
name

string

Name of the section.

entropy

number

Entropy of the section.

raw_size_bytes

string (int64 format)

Raw (on-disk) size of the section in bytes.

virtual_size_bytes

string (int64 format)

Virtual (in-memory) size of the section in bytes.

md5_hex

string

MD5 digest of the section, hex-encoded.

FileMetadataImports

File metadata imports.

JSON representation
{
  "library": string,
  "functions": [
    string
  ]
}
Fields
library

string

Name of the imported library.

functions[]

string

Names of the functions imported from the library.
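The FileMetadataSection and FileMetadataImports messages above carry two values a triage analyst reads first: per-section entropy (packed or encrypted sections sit near 8 bits per byte) and the imphash that ties together samples sharing an import table. The following is an added example, not code from the UDM reference or from Google: it computes both from constructed section bytes and import lists and emits a FileMetadataPE-shaped record. It assumes that int64 fields are written as decimal strings (matching the "string (int64 format)" annotation) and that the imphash follows the widely used pefile convention (lowercase "library.function" pairs with the library extension stripped, comma-joined, MD5-hashed); the page itself does not define the imphash algorithm, so treat that as an assumption.

```python
"""Added example (not from the UDM reference): build a FileMetadataPE-shaped
record from constructed PE section bytes and import lists.

Assumptions (not stated on the page): int64 fields are emitted as decimal
strings; the imphash is computed the way pefile's get_imphash() does
(lowercase "lib.func" pairs, library extension stripped, comma-joined, MD5).
"""
import hashlib
import json
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_record(name: str, raw: bytes, virtual_size: int) -> dict:
    """One FileMetadataSection: entropy, raw and virtual sizes, MD5 of the raw bytes."""
    return {
        "name": name,
        "entropy": round(shannon_entropy(raw), 4),
        "raw_size_bytes": str(len(raw)),
        "virtual_size_bytes": str(virtual_size),
        "md5_hex": hashlib.md5(raw).hexdigest(),
    }


def imphash(imports: list) -> str:
    """Imphash over FileMetadataImports-shaped entries ({"library", "functions"}).

    The hash is order-sensitive: libraries and functions must be passed in the
    order they appear in the import table.
    """
    parts = []
    for entry in imports:
        lib = entry["library"].lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{func.lower()}" for func in entry["functions"])
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def build_pe_metadata(sections: list, imports: list) -> dict:
    """Assemble the FileMetadataPE fields this example can derive."""
    return {
        "imphash": imphash(imports),
        "section": [section_record(*s) for s in sections],
        "imports": imports,
    }


def high_entropy_sections(record: dict, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests packing or encryption (threshold is a heuristic)."""
    return [s["name"] for s in record["section"] if s["entropy"] >= threshold]


# Constructed sample input: a constant .text section and a section whose bytes
# are uniformly distributed, which is what a packed payload looks like.
SAMPLE_SECTIONS = [
    (".text", b"\x00" * 4096, 4096),
    (".upx1", bytes(range(256)) * 16, 4096),
]
SAMPLE_IMPORTS = [
    {"library": "KERNEL32.dll", "functions": ["LoadLibraryA", "GetProcAddress"]},
    {"library": "USER32.dll", "functions": ["MessageBoxA"]},
]

if __name__ == "__main__":
    rec = build_pe_metadata(SAMPLE_SECTIONS, SAMPLE_IMPORTS)
    print(json.dumps(rec, indent=2))
    print("high-entropy sections:", high_entropy_sections(rec))
```

The entropy threshold is a heuristic, not a page-defined value; the check that matters for hunting is that two imphash values match only when the import tables match in content and order, which the example's case-folding and extension stripping are there to make stable across builds.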

FileMetadataPeResourceInfo

File metadata for PE resource.

JSON representation
{
  "sha256_hex": string,
  "filetype_magic": string,
  "language_code": string,
  "entropy": number,
  "file_type": string
}
Fields
sha256_hex

string

SHA-256 digest of the resource, hex-encoded.

filetype_magic

string

Type of resource content, as identified by the magic Python module.

language_code

string

Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples:

| Language | Sublanguage | Field value |
| LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL |
| LANG_FRENCH | - | FRENCH |
| LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

entropy

number

Entropy of the resource.

file_type

string

File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

StringToInt64MapEntry

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

Key field.

value

string (int64 format)

Value field.

FileMetadataSignatureInfo

Signature information.

JSON representation
{
  "verification_message": string,
  "verified": boolean,
  "signer": [
    string
  ],
  "signers": [
    {
      object (SignerInfo)
    }
  ],
  "x509": [
    {
      object (X509)
    }
  ]
}
Fields
verification_message

string

Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

verified

boolean

True if verification_message == "Signed".

signer[]
(deprecated)

string

Deprecated: use signers field.

signers[]

object (SignerInfo)

File metadata signer information. The order of the signers matters: each element is a higher-level authority than the one before it, the last being the root authority.

x509[]

object (X509)

List of certificates.

SignerInfo

File metadata related to the signer information.

JSON representation
{
  "name": string,
  "status": string,
  "valid_usage": string,
  "cert_issuer": string
}
Fields
name

string

Common name of the signer's certificate. The order of the signers matters: each element is a higher-level authority than the one before it, the last being the root authority.

status

string

Either "Valid" or a description of the problem with the certificate, if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid.").

valid_usage

string

Indicates which situations the certificate is valid for (e.g. "Code Signing").

cert_issuer

string

Company that issued the certificate.
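FileMetadataSignatureInfo and SignerInfo together state two invariants worth checking before a detection rule trusts the verified flag: verified must agree with verification_message == "Signed", and signers is ordered leaf first with the root authority last. The following is an added example, not code from the UDM reference or from Google, that checks a record against those invariants. Two further checks are assumptions typical of X.509 chains rather than rules stated on the page: each signer's cert_issuer should equal the next signer's name, and the last signer should be self-issued (name equals cert_issuer). The sample records are constructed.

```python
"""Added example (not from the UDM reference): consistency checks on a
FileMetadataSignatureInfo record and its SignerInfo chain.

Page-stated invariants: verified <=> verification_message == "Signed";
signers ordered leaf first, root authority last.
Assumed (typical X.509 chaining, not stated on the page): each signer's
cert_issuer names the next signer; the root is self-issued.
"""


def check_signature_info(info: dict) -> list:
    """Return a list of problems; an empty list means the record is self-consistent."""
    problems = []
    msg = info.get("verification_message", "")
    verified = bool(info.get("verified", False))

    # Page invariant: verified is exactly "verification_message == 'Signed'".
    if verified != (msg == "Signed"):
        problems.append(f"verified={verified} contradicts verification_message={msg!r}")

    signers = info.get("signers", [])
    if verified and not signers:
        problems.append("record is verified but lists no signers")

    # Every element of the chain should report a valid status.
    for s in signers:
        if s.get("status") != "Valid":
            problems.append(f"signer {s.get('name')!r} status is {s.get('status')!r}")

    # Assumed chaining rule: leaf's issuer is the next (higher) authority.
    for child, parent in zip(signers, signers[1:]):
        if child.get("cert_issuer") != parent.get("name"):
            problems.append(
                f"{child.get('name')!r} was issued by {child.get('cert_issuer')!r}, "
                f"but the next signer is {parent.get('name')!r}"
            )

    # Assumed root rule: the last element (root authority) is self-issued.
    if signers:
        root = signers[-1]
        if root.get("name") != root.get("cert_issuer"):
            problems.append(f"last signer {root.get('name')!r} is not self-issued")
    return problems


# Constructed sample records (names are placeholders, not real CAs).
GOOD_RECORD = {
    "verification_message": "Signed",
    "verified": True,
    "signers": [
        {"name": "Example Software Ltd", "status": "Valid",
         "valid_usage": "Code Signing", "cert_issuer": "Example Code Signing CA"},
        {"name": "Example Code Signing CA", "status": "Valid",
         "valid_usage": "Code Signing", "cert_issuer": "Example Root CA"},
        {"name": "Example Root CA", "status": "Valid",
         "valid_usage": "Code Signing", "cert_issuer": "Example Root CA"},
    ],
}
# A record that claims verification without a "Signed" message or any signer.
BAD_RECORD = {"verification_message": "Unsigned", "verified": True, "signers": []}

if __name__ == "__main__":
    for label, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(label, check_signature_info(rec) or "consistent")
```

A rule keyed only on verified == true would accept BAD_RECORD; keying on the full check catches the contradiction and the empty chain, which is the kind of inconsistency that shows up when a parser maps fields from different tools into one record.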

X509

File certificate.

JSON representation
{
  "name": string,
  "algorithm": string,
  "thumbprint": string,
  "cert_issuer": string,
  "serial_number": string
}
Fields
name

string

Certificate name.

algorithm

string

Certificate algorithm.

thumbprint

string

Certificate thumbprint.

cert_issuer

string

Issuer of the certificate.

serial_number

string

Certificate serial number.

ExifInfo

Exif information.

JSON representation
{
  "original_file": string,
  "product": string,
  "company": string,
  "file_description": string,
  "entry_point": string,
  "compilation_time": string
}
Fields
original_file

string

Original file name.

product

string

Product name.

company

string

Company name.

file_description

string

Description of the file.

entry_point

string (int64 format)

Entry point.

compilation_time

string (Timestamp format)

Compilation time.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

SignatureInfo

File signature information extracted from different tools.

JSON representation
{
  "sigcheck": {
    object (FileMetadataSignatureInfo)
  },
  "codesign": {
    object (FileMetadataCodesign)
  }
}
Fields
sigcheck

object (FileMetadataSignatureInfo)

Signature information extracted from the sigcheck tool.

codesign

object (FileMetadataCodesign)

Signature information extracted from the codesign utility.

FileMetadataCodesign

File metadata from the codesign utility.

JSON representation
{
  "id": string,
  "format": string,
  "compilation_time": string,
  "team_id": string
}
Fields
id

string

Code sign identifier.

format

string

Code sign format.

compilation_time

string (Timestamp format)

Code sign timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

team_id

string

The assigned team identifier of the developer who signed the application.

PDFInfo

Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info

JSON representation
{
  "js": string,
  "javascript": string,
  "launch_action_count": string,
  "object_stream_count": string,
  "endobj_count": string,
  "header": string,
  "acroform": string,
  "autoaction": string,
  "embedded_file": string,
  "encrypted": string,
  "flash": string,
  "jbig2_compression": string,
  "obj_count": string,
  "endstream_count": string,
  "page_count": string,
  "stream_count": string,
  "openaction": string,
  "startxref": string,
  "suspicious_colors": string,
  "trailer": string,
  "xfa": string,
  "xref": string
}
Fields
js

string (int64 format)

Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios.

javascript

string (int64 format)

Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios.

launch_action_count

string (int64 format)

Number of /Launch tags found in the PDF file.

object_stream_count

string (int64 format)

Number of object streams.

endobj_count

string (int64 format)

Number of object definitions (endobj keyword).

header

string

PDF version.

acroform

string (int64 format)

Number of /AcroForm tags found in the PDF.

autoaction

string (int64 format)

Number of /AA tags found in the PDF.

embedded_file

string (int64 format)

Number of /EmbeddedFile tags found in the PDF.

encrypted

string (int64 format)

Whether the document is encrypted or not. This is defined by the /Encrypt tag.

flash

string (int64 format)

Number of /RichMedia tags found in the PDF.

jbig2_compression

string (int64 format)

Number of /JBIG2Decode tags found in the PDF.

obj_count

string (int64 format)

Number of object definitions (obj keyword).

endstream_count

string (int64 format)

Number of stream terminators (endstream keyword).

page_count

string (int64 format)

Number of pages in the PDF.

stream_count

string (int64 format)

Number of defined stream objects (stream keyword).

openaction

string (int64 format)

Number of /OpenAction tags found in the PDF.

startxref

string (int64 format)

Number of startxref keywords in the PDF.

suspicious_colors

string (int64 format)

Number of colors expressed with more than 3 bytes (CVE-2009-3459).

trailer

string (int64 format)

Number of trailer keywords in the PDF.

xfa

string (int64 format)

Number of /XFA tags found in the PDF.

xref

string (int64 format)

Number of xref keywords in the PDF.
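The PDFInfo counts above are the classic pdfid-style triage signals: a document with /JS, /OpenAction or /Launch deserves a closer look, and obj/endobj or js/javascript mismatches point at a malformed or evasive structure. The following is an added example, not code from the UDM reference, from VirusTotal or from Google, that derives the same counts from raw PDF bytes. It assumes counting by regular expression over the raw bytes, so tags hidden by name escapes (e.g. /J#53) or inside compressed object streams are not seen; it writes int64 fields as decimal strings to match "string (int64 format)", and sets encrypted to "1" when /Encrypt occurs at least once. The sample PDF is constructed.

```python
"""Added example (not from the UDM reference): PDFInfo-style keyword counts
derived from raw PDF bytes with regular expressions.

Assumptions: counting is done on the raw bytes (escaped names and content of
compressed object streams are not decoded); int64 fields are decimal strings;
encrypted is "1" when /Encrypt is present at least once.
"""
import re

# Name tags, each followed by a non-name character so /JS does not match /JSx.
NAME_TAGS = {
    "js": rb"/JS\b",
    "javascript": rb"/JavaScript\b",
    "launch_action_count": rb"/Launch\b",
    "object_stream_count": rb"/ObjStm\b",
    "acroform": rb"/AcroForm\b",
    "autoaction": rb"/AA\b",
    "embedded_file": rb"/EmbeddedFile\b",
    "flash": rb"/RichMedia\b",
    "jbig2_compression": rb"/JBIG2Decode\b",
    "openaction": rb"/OpenAction\b",
    "xfa": rb"/XFA\b",
}
# Structural keywords; \b keeps "obj" from matching inside "endobj" and
# "xref" from matching inside "startxref".
KEYWORDS = {
    "obj_count": rb"\bobj\b",
    "endobj_count": rb"\bendobj\b",
    "stream_count": rb"\bstream\b",
    "endstream_count": rb"\bendstream\b",
    "xref": rb"\bxref\b",
    "trailer": rb"\btrailer\b",
    "startxref": rb"\bstartxref\b",
}


def pdf_info(data: bytes) -> dict:
    """Return a dict shaped like the PDFInfo message for the given PDF bytes."""
    info = {key: str(len(re.findall(pat, data))) for key, pat in NAME_TAGS.items()}
    info.update({key: str(len(re.findall(pat, data))) for key, pat in KEYWORDS.items()})
    header = re.search(rb"%PDF-(\d\.\d)", data)
    info["header"] = header.group(1).decode() if header else ""
    # /Type /Page objects only; \b excludes the /Pages tree node.
    info["page_count"] = str(len(re.findall(rb"/Type\s*/Page\b", data)))
    info["encrypted"] = "1" if re.search(rb"/Encrypt\b", data) else "0"
    return info


def triage_flags(info: dict) -> list:
    """Fields a reviewer looks at first: active content, then structural oddities."""
    flags = [k for k in ("js", "javascript", "launch_action_count", "openaction",
                         "autoaction", "embedded_file", "flash", "xfa") if int(info[k]) > 0]
    if int(info["js"]) != int(info["javascript"]):
        flags.append("js/javascript mismatch")
    if int(info["obj_count"]) != int(info["endobj_count"]):
        flags.append("obj/endobj mismatch")
    if int(info["stream_count"]) != int(info["endstream_count"]):
        flags.append("stream/endstream mismatch")
    return flags


# Constructed minimal PDF: one page, an open action and a page /AA that both
# point at a JavaScript action object, plus one content stream.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert('added example')) >>
endobj
5 0 obj
<< /Length 5 >>
stream
hello
endstream
endobj
xref
0 6
trailer
<< /Size 6 /Root 1 0 R >>
startxref
999
%%EOF
"""

if __name__ == "__main__":
    info = pdf_info(SAMPLE_PDF)
    for key in sorted(info):
        print(f"{key}: {info[key]}")
    print("flags:", triage_flags(info))
```

Because the regular expressions do not decode object streams or filtered content, a count of zero here is weaker evidence than a count above zero; the VirusTotal-derived PDFInfo values in an event come from a fuller parser and should be preferred when both are available.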

NtfsFileMetadata

NTFS-specific file metadata.

JSON representation
{
  "change_time": string,
  "filename_create_time": string,
  "filename_modify_time": string,
  "filename_access_time": string,
  "filename_change_time": string
}
Fields
change_time

string (Timestamp format)

NTFS MFT entry changed timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

filename_create_time

string (Timestamp format)

NTFS $FILE_NAME attribute created timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

filename_modify_time

string (Timestamp format)

NTFS $FILE_NAME attribute modified timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

filename_access_time

string (Timestamp format)

NTFS $FILE_NAME attribute accessed timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

filename_change_time

string (Timestamp format)

NTFS $FILE_NAME attribute changed timestamp.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
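Every Timestamp-format field on this page, the NTFS timestamps above included, carries the same rule: generated output is Z-normalized with 0, 3, 6 or 9 fractional digits, while offsets other than "Z" are accepted on input. The following is an added example, not code from the UDM reference or from Google, of a normalizer that turns any accepted input into that output form, which is what a parser feeding these fields needs so that timeline comparisons are not skewed by mixed offsets. It assumes that fractional digits are padded up to the next width in the 0/3/6/9 set and that digits beyond nine are truncated; neither detail is stated on the page.

```python
"""Added example (not from the UDM reference): normalize RFC 3339 timestamps
to the Z-normalized, 0/3/6/9-fractional-digit form this page describes.

Assumptions: fractional digits are zero-padded up to the next of 0, 3, 6 or 9;
digits beyond nine are dropped; a lowercase 't'/'z' or a space separator is
tolerated on input as RFC 3339 permits.
"""
import re
from datetime import datetime, timedelta, timezone

_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[Tt ](\d{2}:\d{2}:\d{2})(?:\.(\d+))?([Zz]|[+-]\d{2}:\d{2})$"
)


def normalize_timestamp(text: str) -> str:
    """Return the Z-normalized form of an RFC 3339 timestamp, or raise ValueError."""
    match = _RFC3339.match(text.strip())
    if not match:
        raise ValueError(f"not an RFC 3339 timestamp: {text!r}")
    date, clock, frac, offset = match.groups()
    naive = datetime.strptime(f"{date}T{clock}", "%Y-%m-%dT%H:%M:%S")

    # Offsets other than "Z" are accepted; shift the value to UTC.
    if offset.upper() == "Z":
        tz = timezone.utc
    else:
        sign = 1 if offset[0] == "+" else -1
        hours, minutes = int(offset[1:3]), int(offset[4:6])
        tz = timezone(sign * timedelta(hours=hours, minutes=minutes))
    utc = naive.replace(tzinfo=tz).astimezone(timezone.utc)
    base = utc.strftime("%Y-%m-%dT%H:%M:%S")

    # Fractional seconds: 0, 3, 6 or 9 digits in generated output.
    frac = (frac or "")[:9]
    if not frac:
        return base + "Z"
    width = next(w for w in (3, 6, 9) if len(frac) <= w)
    return f"{base}.{frac.ljust(width, '0')}Z"


def normalize_ntfs_times(ntfs: dict) -> dict:
    """Normalize every NtfsFileMetadata timestamp field that is present."""
    fields = ("change_time", "filename_create_time", "filename_modify_time",
              "filename_access_time", "filename_change_time")
    return {k: normalize_timestamp(ntfs[k]) for k in fields if k in ntfs}


if __name__ == "__main__":
    # Constructed inputs, using the page's own example values plus one non-Z offset.
    for sample in ("2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z",
                   "2014-10-02T15:01:23+05:30", "2014-10-02T15:01:23.5-04:00"):
        print(sample, "->", normalize_timestamp(sample))
```

The offset conversion is the part that matters for forensics: an NTFS $FILE_NAME timestamp logged with a local offset and one logged in Z must compare equal once normalized, otherwise ordering across sources is wrong by the offset.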

Registry

Information about a registry key or value.

JSON representation
{
  "registry_key": string,
  "registry_value_name": string,
  "registry_value_data": string,
  "registry_value_type": enum (Type)
}
Fields
registry_key

string

Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).

registry_value_name

string

Name of the registry value associated with an application or system component (e.g. TEMP).

registry_value_data

string

Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

registry_value_type

enum (Type)

Type of the registry value.