| Caption | Attribute | Requirement | Type | Description |
| --- | --- | --- | --- | --- |
| Accessor (Ext) | accessor | Recommended | String | The name of the user who last accessed the object. |
| Name | name | Recommended | String | The name of the file. For example: "svchost.exe", "bin", or "resolv.conf". |
| Source IP (Ext) | src_ip | Recommended | IP Address | The IP address of the host where the file resides. |
| Source Name (Ext) | src_name | Recommended | String | The name of the host where the file resides. |
| Load Type | load_type_id | Recommended | Integer | The load type identifies how the module was loaded in memory. Values are listed in the Load Type table below. |
| Extended Attributes (Ext) | xattributes | Optional | JSON | An unordered collection of zero or more name/value pairs, where each pair represents a file or directory extended attribute. For example: Windows alternate data stream attributes (ADS stream name, ADS size, etc.), user-defined or application-defined attributes, ACL, owner, primary group, etc. Examples from DCS: ads_name, ads_size, dacl, owner, primary_group, link_name (the name of the link associated with the file), hard_link_count (the number of links associated with the file), Unix_permissions (Unix permission notation for user, group and other access to the file, including the notations for the setuid, setgid and sticky bits; for example "rwxrw-r--", "r-xr-sr-x", "rwxrwxrwt"). |
| Compressed Size (Ext) | size_compressed | Optional | Long | The compressed size of the object, in bytes. |
| Signature Fingerprints (Ext) | signature_fingerprints | Recommended | Fingerprint Array | The array of fingerprint objects associated with the certificate. |
| MD5 | md5 | Recommended | String | The MD5 checksum of the object content. |
| Modifier (Ext) | modifier | Recommended | String | The name of the user who last modified the module. |
| Reputation Prevalence Band (Ext) | rep_prevalence_band | Recommended | Integer | The file reputation prevalence fuzzed band number. Values are listed in the Reputation Prevalence Band table below. |
| Company Name (Ext) | company_name | Recommended | String | The name of the company that published the file. For example: "Microsoft Corporation". |
| Creator (Ext) | creator | Recommended | String | The name of the user who created the module. |
| Modified (Ext) | modified | Recommended | Datetime | The time when the module was last modified. Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| Description (Ext) | desc | Recommended | String | The description of the file, as returned by the file system. For example: the description as returned by the Unix file command, or the Windows file type. |
| Content Type (Ext) | content_type | Recommended | File Content Type | The file content type as defined by the STAR "File-typer" engine. |
| Reputation Discovered Band (Ext) | rep_discovered_band | Recommended | Integer | The discovery fuzzed band number, expressed as the number of days since discovery. Values are listed in the Reputation Discovered Band table below. |
| Security Descriptor (Ext) | security_descriptor | Recommended | String | The object security descriptor. |
| Size | size | Recommended | Long | The size of the object, in bytes. |
| Folder ID (Ext) | folder_uid | Recommended | String | The unique identifier of the folder in which the file resides. |
| Product Path (Ext) | product_path | Recommended | String | The path to the product that includes the file. |
| Reputation Discovered (Ext) | rep_discovered_date | Recommended | Datetime | The Symantec discovery date of the reputed file or URL. Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| MIME Type (Ext) | mime_type | Optional | String | The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. |
| Accessed (Ext) | accessed | Recommended | Datetime | The time that the file was last accessed. Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| Signature Value IDs (Ext) | signature_value_ids | Recommended | Integer Array | The array of signature values as derived from the Signature Bits. Values are listed in the Signature Value IDs table below. |
| Attributes (Ext) | attributes | Recommended | Integer | The bitmask value that represents the file attributes. |
| Path | path | Optional | String | The full path to the file. For example: "c:\windows\system32\svchost.exe". |
| Signature Company Name (Ext) | signature_company_name | Recommended | String | The company name on the certificate that signed the file. |
| Signature Issuer (Ext) | signature_issuer | Recommended | String | The issuer of the object signature. |
| Reputation Score Band (Ext) | rep_score_band | Optional | Integer | The file reputation score fuzzed band number. Values are listed in the Reputation Score Band table below. |
| Parent SHA2 (Ext) | parent_sha2 | Optional | String | The SHA-256 checksum of the parent file. |
| Version (Ext) | version | Optional | String | The file version. For example: "8.0.7601.17514". |
| Signature Level (Ext) | signature_level_id | Recommended | Integer | A numeric representation of the signature level. The signature levels are defined by STAR and listed in the Signature Level table below. |
| Signature Bits (Ext) | signature_value | Recommended | Long | The digital signature bitmask. |
| Type | type_id | Recommended | Integer | The file type. Values are listed in the Type table below. |
| SHA-1 (Ext) | sha1 | Recommended | String | The SHA-1 checksum of the object content. |
| Creator Process (Ext) | creator_process | Recommended | String | The name of the process that created (or downloaded) the file or module. |
| Normalized Path (Ext) | normalized_path | Optional | String | The CSIDL normalized path name. For example: "CSIDL_SYSTEM\svchost.exe" (Windows only). |
| Created (Ext) | created | Recommended | Datetime | The time that the module was created. Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| System (Ext) | is_system | Optional | Boolean | The indication of whether the object is part of the operating system. |
| Attribute IDs (Ext) | attribute_ids | Recommended | Integer Array | The array of file attributes. Values are listed in the Attribute IDs table below. |
| ID (Ext) | uid | Optional | String | The unique identifier of the file as defined by the storage system, such as the file system file ID. |
| URL (Ext) | url | Recommended | Uniform Resource Locator | The URL from which the object was downloaded, or the URL where the object resides. |
| Product Name (Ext) | product_name | Recommended | String | The name of the product that includes the file. For example: "Windows Internet Explorer". |
| Folder (Ext) | folder | Recommended | String | The parent folder in which the file resides. For example: "c:\windows\system32". |
| Reputation Prevalence (Ext) | rep_prevalence | Recommended | Integer | The file reputation prevalence, as provided by a reputation query. |
| SHA-256 | sha2 | Recommended | String | The SHA-256 checksum of the object content. |
| Signature Serial Number (Ext) | signature_serial_number | Optional | String | The object serial number. |
| Load Type | load_type | Recommended | String | The load type describes how the module was loaded in memory. |
| Base Address | base_address | Recommended | String | The memory address where the module was loaded. |
| Reputation Score | rep_score | Recommended | Integer | The reputation score of the file. |
| Signature Created Date (Ext) | signature_created_date | Recommended | Datetime | The date and time when the signature was created. Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. |
| Confidentiality (Ext) | confidentiality_id | Optional | Integer | The file content confidentiality indicator. Values are listed in the Confidentiality table below. |
| Original Name (Ext) | original_name | Optional | String | The original name of the file. |
| Parent File (Ext) | parent_name | Optional | String | The name of the file that contains this file. |
| Owner (Ext) | owner | Recommended | String | The owner of the file. |
| Signature Developer ID (Ext) | signature_developer_uid | Recommended | String | The developer ID on the certificate that signed the file. |

Load Type (load_type_id) values:

| ID | Caption | Description |
| --- | --- | --- |
| 0 | Unknown | |
| 1 | Standard | A normal module loaded by the standard Windows loading mechanism, i.e. LoadLibrary. |
| 2 | Non Standard | A module loaded in a way that avoids the normal Windows procedures, e.g. bootstrapped loading or manual DLL loading. |
| 3 | ShellCode | A raw module in process memory that is READWRITE_EXECUTE and has had a thread started in its address range. |
| 4 | Mapped | A memory mapped file, typically created with CreateFileMapping/MapViewOfFile. |
| 5 | NonStandard Backed | A module loaded in a non-standard way, on which GetModuleFileName nevertheless succeeds. |

Reputation Prevalence Band (rep_prevalence_band) values:

| ID | Caption | Description |
| --- | --- | --- |
| 0 | No Users | |
| 1 | Fewer than 5 users | |
| 2 | Fewer than 50 users | |
| 3 | Fewer than 100 users | |
| 4 | Hundreds of users | |
| 5 | Thousands of users | |
| 6 | Tens of thousands of users | |
| 7 | Hundreds of thousands of users | |
| 8 | Millions of users | |

Reputation Discovered Band (rep_discovered_band) values:

| ID | Caption | Description |
| --- | --- | --- |
| 0 | Unknown | |
| 1 | Never Seen | |
| 2 | Two days ago | |
| 5 | Five days ago | |
| 7 | A week ago | |
| 14 | Two weeks ago | |
| 30 | A month ago | |
| 365 | A year ago | |
| 366 | More than a year | |

Signature Value IDs (signature_value_ids) values:

| ID | Caption | Description |
| --- | --- | --- |
| 0 | Unsigned | |
| 1 | Signed | The file contains an embedded digital signature, or its SHA1 hash is contained in a catalog with an embedded digital signature. The validity of the signature is indicated by other Signature Value IDs. |
| 2 | Code signed | |
| 3 | Class 3 signed | |
| 4 | Symantec signed | |
| 5 | Microsoft signed | |
| 6 | OS component | |
| 7 | Windows Hardware Quality Labs (WHQL) signed | |
| 8 | Signer explicitly untrusted | |
| 9 | Signature has extra data | |
| 10 | Signature uses MD5 | |
| 11 | Signature uses SHA-1 | |
| 12 | Signature chain not valid | |
| 13 | Signature from catalog | |
| 14 | Hash does not match | |
| 15 | Local trusted certificate | |
| 16 | Trustworthy | |
| 17 | Well known trusted root certificate | |
| 18 | Heuristically trustworthy | |
| 19 | Symantec internal | |
| 20 | Signature uses SHA-256 | |
| 21 | Signature uses SHA-384 | |
| 22 | Signature uses SHA-512 | |
| 23 | Signer explicitly revoked | |
| 24 | Expired | |
| 25 | Not yet valid | |

Reputation Score Band (rep_score_band) values:

| ID | Caption | Description |
| --- | --- | --- |
| 0 | Unknown | |
| 1 | Known Bad | The file is malicious. |
| 2 | High Confidence Bad | There is strong evidence that the file is untrustworthy. |
| 3 | Medium Confidence Bad | One or more detection engines have detected the file as malicious. |
| 4 | Trending Bad or Unproven | There is not enough information about the file; blocking is recommended. |
| 5 | Unproven | There is not enough information about the file to block it. |
| 6 | Low Confidence Good | There is some evidence that the file is trustworthy. |
| 7 | Medium Confidence Good | There is significant evidence that the file is trustworthy. |
| 8 | High Confidence Good | Symantec trusts the file. |
| 9 | Known Good | The file is trustworthy. |

Signature Level (signature_level_id) values:

| ID | Caption | Description |
| --- | --- | --- |
| 0 | Unknown | |
| 10 | Unsigned | |
| 20 | Signed but untrusted | |
| 30 | Signed | |
| 40 | Class 3 signed | |
| 42 | Developer signed | |
| 44 | Developer notarization signed | |
| 46 | App Store signed | |
| 50 | Symantec signed | |
| 60 | Microsoft signed | |
| 70 | Microsoft OS component | |

Type (type_id) values:

| ID | Caption | Description |
| --- | --- | --- |
| 1 | File | |
| 2 | Directory | |
| 3 | Hard Link | |
| 4 | Mount | |
| 5 | Node | |
| 6 | Symbolic Link | |
| 7 | Named Pipe | |
| 8 | Socket | |
| 9 | Device | |
| 10 | Email | |
| 11 | Memory File | |
| 12 | File in container | |

Attribute IDs (attribute_ids) values:

| ID | Caption | Description |
| --- | --- | --- |
| 1 | Archive | |
| 2 | Compressed | |
| 3 | Directory | |
| 4 | Encrypted | |
| 5 | Hidden | |
| 6 | Normal | |
| 7 | Offline | |
| 8 | Read only | |
| 9 | Reparse Point | |
| 10 | Sparse File | |
| 11 | System | |
| 12 | Temporary | |
| 13 | Not Content Indexed | |
| 14 | Block Special | |
| 15 | Character Special | |
| 16 | Executable | |
| 17 | Driver | |

Confidentiality (confidentiality_id) values:

| ID | Caption | Description |
| --- | --- | --- |
| 0 | Unknown | |
| 1 | Not Confidential | |
| 2 | Confidential | |
| 3 | Secret | |
| 4 | Top Secret | |