Noun

JSON representation
Domain
- JSON representation
User
- JSON representation
TimeOff
- JSON representation
Favicon
- JSON representation
DNSRecord
- JSON representation
PopularityRank
- JSON representation
Url
- JSON representation
Tracker
- JSON representation
Browser
- JSON representation
Cookie
- JSON representation
Group
- JSON representation
Process
- JSON representation
File
- JSON representation
FileMetadata
- JSON representation
PeFileMetadata
- JSON representation
FileMetadataPE
- JSON representation
FileMetadataSection
- JSON representation
FileMetadataImports
- JSON representation
FileMetadataPeResourceInfo
- JSON representation
StringToInt64MapEntry
- JSON representation
FileMetadataSignatureInfo
- JSON representation
SignerInfo
- JSON representation
X509
- JSON representation
ExifInfo
- JSON representation
SignatureInfo
- JSON representation
FileMetadataCodesign
- JSON representation
PDFInfo
- JSON representation
NtfsFileMetadata
- JSON representation
Registry
- JSON representation
Id
- JSON representation
Investigation
- JSON representation

The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

JSON representation

JSON representation
{ "hostname": string, "domain": { object (`Domain`) }, "artifact": { object (`Artifact`) }, "urlMetadata": { object (`Url`) }, "browser": { object (`Browser`) }, "assetId": string, "user": { object (`User`) }, "userManagementChain": [ { object (`User`) } ], "group": { object (`Group`) }, "process": { object (`Process`) }, "processAncestors": [ { object (`Process`) } ], "asset": { object (`Asset`) }, "ip": [ string ], "natIp": [ string ], "port": integer, "natPort": integer, "mac": [ string ], "administrativeDomain": string, "namespace": string, "url": string, "file": { object (`File`) }, "email": string, "registry": { object (`Registry`) }, "application": string, "platform": enum (`Platform`), "platformVersion": string, "platformPatchLevel": string, "cloud": { object (`Cloud`) }, "location": { object (`Location`) }, "ipLocation": [ { object (`Location`) } ], "ipGeoArtifact": [ { object (`Artifact`) } ], "resource": { object (`Resource`) }, "resourceAncestors": [ { object (`Resource`) } ], "labels": [ { object (`Label`) } ], "objectReference": { object (`Id`) }, "investigation": { object (`Investigation`) }, "network": { object (`Network`) }, "securityResult": [ { object (`SecurityResult`) } ] }

{
  "hostname": string,
  "domain": {
    object (Domain)
  },
  "artifact": {
    object (Artifact)
  },
  "urlMetadata": {
    object (Url)
  },
  "browser": {
    object (Browser)
  },
  "assetId": string,
  "user": {
    object (User)
  },
  "userManagementChain": [
    {
      object (User)
    }
  ],
  "group": {
    object (Group)
  },
  "process": {
    object (Process)
  },
  "processAncestors": [
    {
      object (Process)
    }
  ],
  "asset": {
    object (Asset)
  },
  "ip": [
    string
  ],
  "natIp": [
    string
  ],
  "port": integer,
  "natPort": integer,
  "mac": [
    string
  ],
  "administrativeDomain": string,
  "namespace": string,
  "url": string,
  "file": {
    object (File)
  },
  "email": string,
  "registry": {
    object (Registry)
  },
  "application": string,
  "platform": enum (Platform),
  "platformVersion": string,
  "platformPatchLevel": string,
  "cloud": {
    object (Cloud)
  },
  "location": {
    object (Location)
  },
  "ipLocation": [
    {
      object (Location)
    }
  ],
  "ipGeoArtifact": [
    {
      object (Artifact)
    }
  ],
  "resource": {
    object (Resource)
  },
  "resourceAncestors": [
    {
      object (Resource)
    }
  ],
  "labels": [
    {
      object (Label)
    }
  ],
  "objectReference": {
    object (Id)
  },
  "investigation": {
    object (Investigation)
  },
  "network": {
    object (Network)
  },
  "securityResult": [
    {
      object (SecurityResult)
    }
  ]
}

Fields
`hostname`	`string` Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities.
`domain`	`object (Domain)` Information about the domain.
`artifact`	`object (Artifact)` Information about an artifact.
`urlMetadata`	`object (Url)` Information about the URL.
`browser`	`object (Browser)` Information about an entry in the web browser's local history database.
`assetId`	`string` The asset ID. This field can be used as an entity indicator for asset entities.
`user`	`object (User)` Information about the user.
`userManagementChain[]`	`object (User)` Information about the user's management chain (reporting hierarchy). Note: userManagementChain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.
`group`	`object (Group)` Information about the group.
`process`	`object (Process)` Information about the process.
`processAncestors[]`	`object (Process)` Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: processAncestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
`asset`	`object (Asset)` Information about the asset.
`ip[]`	`string` A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities.
`natIp[]`	`string` A list of NAT translated IP addresses associated with a network connection.
`port`	`integer` Source or destination network port number when a specific network connection is described within an event.
`natPort`	`integer` NAT external network port number when a specific network connection is described within an event.
`mac[]`	`string` List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities.
`administrativeDomain`	`string` Domain which the device belongs to (for example, the Microsoft Windows domain).
`namespace`	`string` Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset.
`url`	`string` The URL.
`file`	`object (File)` Information about the file.
`email`	`string` Email address. Only filled in for securityResult.about
`registry`	`object (Registry)` Registry information.
`application`	`string` The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".
`platform`	`enum (Platform)` Platform.
`platformVersion`	`string` Platform version. For example, "Microsoft Windows 1803".
`platformPatchLevel`	`string` Platform patch level. For example, "Build 17134.48"
`cloud (deprecated)`	`object (Cloud)` This item is deprecated! Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).
`location`	`object (Location)` Physical location. For cloud environments, set the region in location.name.
`ipLocation[] (deprecated)`	`object (Location)` This item is deprecated! Deprecated: use ipGeoArtifact.location instead.
`ipGeoArtifact[]`	`object (Artifact)` Enriched geographic information corresponding to an IP address. Specifically, location and network data.
`resource`	`object (Resource)` Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun.
`resourceAncestors[]`	`object (Resource)` Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).
`labels[] (deprecated)`	`object (Label)` This item is deprecated! Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).
`objectReference`	`object (Id)` Finding to which the Analyst updated the feedback.
`investigation`	`object (Investigation)` Analyst feedback/investigation for alerts.
`network`	`object (Network)` Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
`securityResult[]`	`object (SecurityResult)` A list of security results.

Domain

Information about a domain.

JSON representation

JSON representation
{ "name": string, "prevalence": { object (`Prevalence`) }, "firstSeenTime": string, "lastSeenTime": string, "registrar": string, "contactEmail": string, "whoisServer": string, "nameServer": [ string ], "creationTime": string, "updateTime": string, "expirationTime": string, "auditUpdateTime": string, "status": string, "registrant": { object (`User`) }, "admin": { object (`User`) }, "tech": { object (`User`) }, "billing": { object (`User`) }, "zone": { object (`User`) }, "whoisRecordRawText": string, "registryDataRawText": string, "ianaRegistrarId": integer, "privateRegistration": boolean, "categories": [ string ], "favicon": { object (`Favicon`) }, "jarm": string, "lastDnsRecords": [ { object (`DNSRecord`) } ], "lastDnsRecordsTime": string, "lastHttpsCertificate": { object (`SSLCertificate`) }, "lastHttpsCertificateTime": string, "popularityRanks": [ { object (`PopularityRank`) } ], "tags": [ string ], "whoisTime": string }

{
  "name": string,
  "prevalence": {
    object (Prevalence)
  },
  "firstSeenTime": string,
  "lastSeenTime": string,
  "registrar": string,
  "contactEmail": string,
  "whoisServer": string,
  "nameServer": [
    string
  ],
  "creationTime": string,
  "updateTime": string,
  "expirationTime": string,
  "auditUpdateTime": string,
  "status": string,
  "registrant": {
    object (User)
  },
  "admin": {
    object (User)
  },
  "tech": {
    object (User)
  },
  "billing": {
    object (User)
  },
  "zone": {
    object (User)
  },
  "whoisRecordRawText": string,
  "registryDataRawText": string,
  "ianaRegistrarId": integer,
  "privateRegistration": boolean,
  "categories": [
    string
  ],
  "favicon": {
    object (Favicon)
  },
  "jarm": string,
  "lastDnsRecords": [
    {
      object (DNSRecord)
    }
  ],
  "lastDnsRecordsTime": string,
  "lastHttpsCertificate": {
    object (SSLCertificate)
  },
  "lastHttpsCertificateTime": string,
  "popularityRanks": [
    {
      object (PopularityRank)
    }
  ],
  "tags": [
    string
  ],
  "whoisTime": string
}

Fields
`name`	`string` The domain name. This field can be used as an entity indicator for Domain entities.
`prevalence`	`object (Prevalence)` The prevalence of the domain within the customer's environment.
`firstSeenTime`	`string (Timestamp format)` First seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastSeenTime`	`string (Timestamp format)` Last seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`registrar`	`string` Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM".
`contactEmail`	`string` Contact email address.
`whoisServer`	`string` Whois server name.
`nameServer[]`	`string` Repeated list of name servers.
`creationTime`	`string (Timestamp format)` Domain creation time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`updateTime`	`string (Timestamp format)` Last updated time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`expirationTime`	`string (Timestamp format)` Expiration time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`auditUpdateTime`	`string (Timestamp format)` Audit updated time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`status`	`string` Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values
`registrant`	`object (User)` Parsed contact information for the registrant of the domain.
`admin`	`object (User)` Parsed contact information for the administrative contact for the domain.
`tech`	`object (User)` Parsed contact information for the technical contact for the domain
`billing`	`object (User)` Parsed contact information for the billing contact of the domain.
`zone`	`object (User)` Parsed contact information for the zone.
`whoisRecordRawText`	`string (bytes format)` WHOIS raw text. A base64-encoded string.
`registryDataRawText`	`string (bytes format)` Registry Data raw text. A base64-encoded string.
`ianaRegistrarId`	`integer` IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml
`privateRegistration`	`boolean` Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.
`categories[]`	`string` Categories assign to the domain as retrieved from VirusTotal.
`favicon`	`object (Favicon)` Includes difference hash and MD5 hash of the domain's favicon.
`jarm`	`string` Domain's JARM hash.
`lastDnsRecords[]`	`object (DNSRecord)` Domain's DNS records from the last scan.
`lastDnsRecordsTime`	`string (Timestamp format)` Date when the DNS records list was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastHttpsCertificate`	`object (SSLCertificate)` SSL certificate object retrieved last time the domain was analyzed.
`lastHttpsCertificateTime`	`string (Timestamp format)` When the certificate was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`popularityRanks[]`	`object (PopularityRank)` Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc
`tags[]`	`string` List of representative attributes.
`whoisTime`	`string (Timestamp format)` Date of the last update of the WHOIS record. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

User

Information about a user.

JSON representation

JSON representation
{ "productObjectId": string, "userid": string, "userDisplayName": string, "firstName": string, "middleName": string, "lastName": string, "phoneNumbers": [ string ], "personalAddress": { object (`Location`) }, "attribute": { object (`Attribute`) }, "firstSeenTime": string, "accountType": enum (`AccountType`), "groupid": string, "groupIdentifiers": [ string ], "windowsSid": string, "emailAddresses": [ string ], "employeeId": string, "title": string, "companyName": string, "department": [ string ], "officeAddress": { object (`Location`) }, "managers": [ { object (`User`) } ], "hireDate": string, "terminationDate": string, "timeOff": [ { object (`TimeOff`) } ], "lastLoginTime": string, "lastPasswordChangeTime": string, "passwordExpirationTime": string, "accountExpirationTime": string, "accountLockoutTime": string, "lastBadPasswordAttemptTime": string, "userAuthenticationStatus": enum (`AuthenticationStatus`), "roleName": string, "roleDescription": string, "userRole": enum (`Role`) }

{
  "productObjectId": string,
  "userid": string,
  "userDisplayName": string,
  "firstName": string,
  "middleName": string,
  "lastName": string,
  "phoneNumbers": [
    string
  ],
  "personalAddress": {
    object (Location)
  },
  "attribute": {
    object (Attribute)
  },
  "firstSeenTime": string,
  "accountType": enum (AccountType),
  "groupid": string,
  "groupIdentifiers": [
    string
  ],
  "windowsSid": string,
  "emailAddresses": [
    string
  ],
  "employeeId": string,
  "title": string,
  "companyName": string,
  "department": [
    string
  ],
  "officeAddress": {
    object (Location)
  },
  "managers": [
    {
      object (User)
    }
  ],
  "hireDate": string,
  "terminationDate": string,
  "timeOff": [
    {
      object (TimeOff)
    }
  ],
  "lastLoginTime": string,
  "lastPasswordChangeTime": string,
  "passwordExpirationTime": string,
  "accountExpirationTime": string,
  "accountLockoutTime": string,
  "lastBadPasswordAttemptTime": string,
  "userAuthenticationStatus": enum (AuthenticationStatus),
  "roleName": string,
  "roleDescription": string,
  "userRole": enum (Role)
}

Fields
`productObjectId`	`string` A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities.
`userid`	`string` The ID of the user. This field can be used as an entity indicator for user entities.
`userDisplayName`	`string` The display name of the user (e.g. "John Locke").
`firstName`	`string` First name of the user (e.g. "John").
`middleName`	`string` Middle name of the user.
`lastName`	`string` Last name of the user (e.g. "Locke").
`phoneNumbers[]`	`string` Phone numbers for the user.
`personalAddress`	`object (Location)` Personal address of the user.
`attribute`	`object (Attribute)` Generic entity metadata attributes of the user.
`firstSeenTime`	`string (Timestamp format)` The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`accountType`	`enum (AccountType)` Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/
`groupid (deprecated)`	`string` This item is deprecated! The ID of the group that the user belongs to. Deprecated in favor of the repeated groupIdentifiers field.
`groupIdentifiers[]`	`string` Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
`windowsSid`	`string` The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities.
`emailAddresses[]`	`string` Email addresses of the user. This field can be used as an entity indicator for user entities.
`employeeId`	`string` Human capital management identifier. This field can be used as an entity indicator for user entities.
`title`	`string` User job title.
`companyName`	`string` User job company name.
`department[]`	`string` User job department
`officeAddress`	`object (Location)` User job office location.
`managers[]`	`object (User)` User job manager(s).
`hireDate`	`string (Timestamp format)` User job employment hire date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`terminationDate`	`string (Timestamp format)` User job employment termination date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`timeOff[]`	`object (TimeOff)` User time off leaves from active work.
`lastLoginTime`	`string (Timestamp format)` User last login timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastPasswordChangeTime`	`string (Timestamp format)` User last password change timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`passwordExpirationTime`	`string (Timestamp format)` User password expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`accountExpirationTime`	`string (Timestamp format)` User account expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`accountLockoutTime`	`string (Timestamp format)` User account lockout timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastBadPasswordAttemptTime`	`string (Timestamp format)` User last bad password attempt timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`userAuthenticationStatus`	`enum (AuthenticationStatus)` System authentication status for user.
`roleName (deprecated)`	`string` This item is deprecated! System role name for user. Deprecated: use attribute.roles.
`roleDescription (deprecated)`	`string` This item is deprecated! System role description for user. Deprecated: use attribute.roles.
`userRole (deprecated)`	`enum (Role)` This item is deprecated! System role for user. Deprecated: use attribute.roles.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM) system.

JSON representation
{ "interval": { object (`Interval`) }, "description": string }

Fields

Fields
`interval`	`object (Interval)` Interval duration of the leave.
`description`	`string` Description of the leave if available (e.g. 'Vacation').

interval

object (Interval)

Interval duration of the leave.

description

string

Description of the leave if available (e.g. 'Vacation').

Favicon

Difference hash and MD5 hash of the domain's favicon.

JSON representation
{ "rawMd5": string, "dhash": string }

Fields

Fields
`rawMd5`	`string` Favicon's MD5 hash.
`dhash`	`string` Difference hash.

rawMd5

string

Favicon's MD5 hash.

dhash

string

Difference hash.

DNSRecord

DNS record.

JSON representation
{ "type": string, "value": string, "ttl": string, "priority": string, "retry": string, "refresh": string, "minimum": string, "expire": string, "serial": string, "rname": string }

Fields
`type`	`string` Type.
`value`	`string` Value.
`ttl`	`string (Duration format)` Time to live. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.
`priority`	`string (int64 format)` Priority.
`retry`	`string (int64 format)` Retry.
`refresh`	`string (Duration format)` Refresh. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.
`minimum`	`string (Duration format)` Minimum. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.
`expire`	`string (Duration format)` Expire. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.
`serial`	`string (int64 format)` Serial.
`rname`	`string` Rname.

PopularityRank

Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.

JSON representation
{ "giver": string, "rank": string, "ingestionTime": string }

Fields

Fields
`giver`	`string` Name of the rank serial number hexdump.
`rank`	`string (int64 format)` Rank position.
`ingestionTime`	`string (Timestamp format)` Timestamp when the rank was ingested. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

giver

string

Name of the rank serial number hexdump.

rank

string (int64 format)

Rank position.

ingestionTime

string (Timestamp format)

Timestamp when the rank was ingested.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

Url

Url.

JSON representation

JSON representation
{ "url": string, "categories": [ string ], "favicon": { object (`Favicon`) }, "htmlMeta": { object }, "lastFinalUrl": string, "lastHttpResponseCode": integer, "lastHttpResponseContentLength": string, "lastHttpResponseContentSha256": string, "lastHttpResponseCookies": { object }, "lastHttpResponseHeaders": { object }, "tags": [ string ], "title": string, "trackers": [ { object (`Tracker`) } ] }

{
  "url": string,
  "categories": [
    string
  ],
  "favicon": {
    object (Favicon)
  },
  "htmlMeta": {
    object
  },
  "lastFinalUrl": string,
  "lastHttpResponseCode": integer,
  "lastHttpResponseContentLength": string,
  "lastHttpResponseContentSha256": string,
  "lastHttpResponseCookies": {
    object
  },
  "lastHttpResponseHeaders": {
    object
  },
  "tags": [
    string
  ],
  "title": string,
  "trackers": [
    {
      object (Tracker)
    }
  ]
}

Fields
`url`	`string` URL.
`categories[]`	`string` Categorisation done by VirusTotal partners.
`favicon`	`object (Favicon)` Difference hash and MD5 hash of the URL's.
`htmlMeta`	`object (Struct format)` Meta tags (only for URLs downloading HTML).
`lastFinalUrl`	`string` If the original URL redirects, where does it end.
`lastHttpResponseCode`	`integer` HTTP response code of the last response.
`lastHttpResponseContentLength`	`string (int64 format)` Length in bytes of the content received.
`lastHttpResponseContentSha256`	`string` URL response body's SHA256 hash.
`lastHttpResponseCookies`	`object (Struct format)` Website's cookies.
`lastHttpResponseHeaders`	`object (Struct format)` Headers and values of the last HTTP response.
`tags[]`	`string` Tags.
`title`	`string` Webpage title.
`trackers[]`	`object (Tracker)` Trackers found in the URL in a historical manner.

Tracker

URL Tracker.

JSON representation
{ "tracker": string, "id": string, "timestamp": string, "url": string }

Fields
`tracker`	`string` Tracker name.
`id`	`string` Tracker ID, if available.
`timestamp`	`string (Timestamp format)` Tracker ingestion date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`url`	`string` Tracker script URL.

Browser

Information about an entry in the web browser's local history database.

JSON representation

JSON representation
{ "browserType": enum (`BrowserType`), "browserVersion": string, "firstVisitTime": string, "lastVisitTime": string, "profile": string, "typed": boolean, "visitType": enum (`UrlVisitType`), "hidden": boolean, "requestOriginUri": string, "visitCount": string, "visitCountCriteria": string, "indexedContent": string, "firstBookmarkedTime": string, "cookies": [ { object (`Cookie`) } ], "typedCount": string, "visitSource": enum (`VisitSource`) }

{
  "browserType": enum (BrowserType),
  "browserVersion": string,
  "firstVisitTime": string,
  "lastVisitTime": string,
  "profile": string,
  "typed": boolean,
  "visitType": enum (UrlVisitType),
  "hidden": boolean,
  "requestOriginUri": string,
  "visitCount": string,
  "visitCountCriteria": string,
  "indexedContent": string,
  "firstBookmarkedTime": string,
  "cookies": [
    {
      object (Cookie)
    }
  ],
  "typedCount": string,
  "visitSource": enum (VisitSource)
}

Fields
`browserType`	`enum (BrowserType)` The browser that recorded the history entry (e.g. "Chrome", "Firefox", "Safari", etc.).
`browserVersion`	`string` The browser version.
`firstVisitTime`	`string (Timestamp format)` The timestamp indicating the initial visit to the URL. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastVisitTime`	`string (Timestamp format)` The timestamp indicating the most recent visit to the URL. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`profile`	`string` The browser profile associated with the history entry.
`typed`	`boolean` A boolean value indicating if the URL was typed by the user.
`visitType`	`enum (UrlVisitType)` Describes the type of navigation or visit (e.g., direct, redirect, etc.).
`hidden`	`boolean` A boolean value indicating if the history entry is hidden.
`requestOriginUri`	`string` Indicates the URI from which the current visit originated.
`visitCount`	`string (int64 format)` The total number of times the Url has been visited.
`visitCountCriteria`	`string` Describes the criteria used to calculate the visitCount.
`indexedContent`	`string` Represents the textual content of a web page. This field should be kept short. Large strings may affect latency and payload sizes.
`firstBookmarkedTime`	`string (Timestamp format)` The timestamp indicating the first time the URL was bookmarked. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`cookies[]`	`object (Cookie)` Information about the cookies.
`typedCount`	`string (int64 format)` The number of times the URL was visited with this specific visit type and visit source.
`visitSource`	`enum (VisitSource)` The source of the visit.

JSON representation

JSON representation
{ "name": string, "value": string, "domain": string, "path": string, "expirationTime": string, "httpOnly": boolean, "secure": boolean, "maxAge": string, "sameSite": enum (`CookieSameSite`), "session": boolean, "partitioned": boolean }

{
  "name": string,
  "value": string,
  "domain": string,
  "path": string,
  "expirationTime": string,
  "httpOnly": boolean,
  "secure": boolean,
  "maxAge": string,
  "sameSite": enum (CookieSameSite),
  "session": boolean,
  "partitioned": boolean
}

Fields
`name`	`string` The unique name identifying the cookie.
`value`	`string` The data stored within the cookie.
`domain`	`string` The domain for which the cookie is valid.
`path`	`string` The URL path for which the cookie is valid.
`expirationTime`	`string (Timestamp format)` The date and time when the cookie will expire. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`httpOnly`	`boolean` Indicates if the cookie is inaccessible via client-side scripts (e.g., JavaScript).
`secure`	`boolean` Indicates if the cookie should only be sent over secure HTTPS connections.
`maxAge`	`string (int64 format)` The maximum age of the cookie in seconds.
`sameSite`	`enum (CookieSameSite)` Affects cross-site request behavior.
`session`	`boolean` Indicates if the cookie is persistent.
`partitioned`	`boolean` Shows if the cookies is stored using partitioned storage.

Group

Information about an organizational group.

JSON representation
{ "productObjectId": string, "creationTime": string, "groupDisplayName": string, "attribute": { object (`Attribute`) }, "emailAddresses": [ string ], "windowsSid": string }

Fields
`productObjectId`	`string` Product globally unique user object identifier, such as an LDAP Object Identifier.
`creationTime (deprecated)`	`string (Timestamp format)` This item is deprecated! Group creation time. Deprecated: creationTime should be populated in Attribute as generic metadata. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`groupDisplayName`	`string` Group display name. e.g. "Finance".
`attribute`	`object (Attribute)` Generic entity metadata attributes of the group.
`emailAddresses[]`	`string` Email addresses of the group.
`windowsSid`	`string` Microsoft Windows SID of the group.

Process

Information about a process.

JSON representation

JSON representation
{ "pid": string, "parentPid": string, "parentProcess": { object (`Process`) }, "file": { object (`File`) }, "commandLine": string, "commandLineHistory": [ string ], "productSpecificProcessId": string, "accessMask": string, "integrityLevelRid": string, "euid": string, "ruid": string, "egid": string, "rgid": string, "pgid": string, "sessionLeaderPid": string, "tty": string, "tokenElevationType": enum (`TokenElevationType`), "productSpecificParentProcessId": string }

{
  "pid": string,
  "parentPid": string,
  "parentProcess": {
    object (Process)
  },
  "file": {
    object (File)
  },
  "commandLine": string,
  "commandLineHistory": [
    string
  ],
  "productSpecificProcessId": string,
  "accessMask": string,
  "integrityLevelRid": string,
  "euid": string,
  "ruid": string,
  "egid": string,
  "rgid": string,
  "pgid": string,
  "sessionLeaderPid": string,
  "tty": string,
  "tokenElevationType": enum (TokenElevationType),
  "productSpecificParentProcessId": string
}

Fields
`pid`	`string` The process ID. This field can be used as an entity indicator for process entities.
`parentPid (deprecated)`	`string` This item is deprecated! The ID of the parent process. Deprecated: use parentProcess.pid instead.
`parentProcess`	`object (Process)` Information about the parent process.
`file`	`object (File)` Information about the file in use by the process.
`commandLine`	`string` The command line command that created the process. This field can be used as an entity indicator for process entities.
`commandLineHistory[]`	`string` The command line history of the process.
`productSpecificProcessId`	`string` A product specific process id.
`accessMask`	`string` A bit mask representing the level of access.
`integrityLevelRid`	`string` The Microsoft Windows integrity level relative ID (RID) of the process.
`euid`	`string` The effective user ID of the process.
`ruid`	`string` The real user ID of the process.
`egid`	`string` The effective group ID of the process.
`rgid`	`string` The real group ID of the process.
`pgid`	`string` The identifier that points to the process group ID leader.
`sessionLeaderPid`	`string` The process ID of the session leader process.
`tty`	`string` The teletype terminal which the command was executed within.
`tokenElevationType`	`enum (TokenElevationType)` The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled.
`productSpecificParentProcessId (deprecated)`	`string` This item is deprecated! A product specific id for the parent process. Please use parentProcess.product_specific_process_id instead.

File

Information about a file.

JSON representation

JSON representation
{ "sha256": string, "md5": string, "sha1": string, "size": string, "fullPath": string, "mimeType": string, "fileMetadata": { object (`FileMetadata`) }, "securityResult": { object (`SecurityResult`) }, "peFile": { object (`FileMetadataPE`) }, "ssdeep": string, "vhash": string, "ahash": string, "authentihash": string, "symhash": string, "fileType": enum (`FileType`), "capabilitiesTags": [ string ], "names": [ string ], "tags": [ string ], "lastModificationTime": string, "createTime": string, "lastAccessTime": string, "prevalence": { object (`Prevalence`) }, "firstSeenTime": string, "lastSeenTime": string, "statMode": string, "statInode": string, "statDev": string, "statNlink": string, "statFlags": integer, "lastAnalysisTime": string, "embeddedUrls": [ string ], "embeddedDomains": [ string ], "embeddedIps": [ string ], "exifInfo": { object (`ExifInfo`) }, "signatureInfo": { object (`SignatureInfo`) }, "pdfInfo": { object (`PDFInfo`) }, "firstSubmissionTime": string, "lastSubmissionTime": string, "mainIcon": { object (`Favicon`) }, "ntfs": { object (`NtfsFileMetadata`) }, "appCompatCache": { object (`AppCompatMetadata`) } }

{
  "sha256": string,
  "md5": string,
  "sha1": string,
  "size": string,
  "fullPath": string,
  "mimeType": string,
  "fileMetadata": {
    object (FileMetadata)
  },
  "securityResult": {
    object (SecurityResult)
  },
  "peFile": {
    object (FileMetadataPE)
  },
  "ssdeep": string,
  "vhash": string,
  "ahash": string,
  "authentihash": string,
  "symhash": string,
  "fileType": enum (FileType),
  "capabilitiesTags": [
    string
  ],
  "names": [
    string
  ],
  "tags": [
    string
  ],
  "lastModificationTime": string,
  "createTime": string,
  "lastAccessTime": string,
  "prevalence": {
    object (Prevalence)
  },
  "firstSeenTime": string,
  "lastSeenTime": string,
  "statMode": string,
  "statInode": string,
  "statDev": string,
  "statNlink": string,
  "statFlags": integer,
  "lastAnalysisTime": string,
  "embeddedUrls": [
    string
  ],
  "embeddedDomains": [
    string
  ],
  "embeddedIps": [
    string
  ],
  "exifInfo": {
    object (ExifInfo)
  },
  "signatureInfo": {
    object (SignatureInfo)
  },
  "pdfInfo": {
    object (PDFInfo)
  },
  "firstSubmissionTime": string,
  "lastSubmissionTime": string,
  "mainIcon": {
    object (Favicon)
  },
  "ntfs": {
    object (NtfsFileMetadata)
  },
  "appCompatCache": {
    object (AppCompatMetadata)
  }
}

Fields
`sha256`	`string` The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
`md5`	`string` The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
`sha1`	`string` The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
`size`	`string` The size of the file in bytes.
`fullPath`	`string` The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities.
`mimeType`	`string` The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script".
`fileMetadata (deprecated)`	`object (FileMetadata)` This item is deprecated! Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File.
`securityResult`	`object (SecurityResult)` Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata.
`peFile`	`object (FileMetadataPE)` Metadata about the Portable Executable (PE) file.
`ssdeep`	`string` Ssdeep of the file
`vhash`	`string` Vhash of the file.
`ahash (deprecated)`	`string` This item is deprecated! Deprecated. Use authentihash instead.
`authentihash`	`string` Authentihash of the file.
`symhash`	`string` SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table.
`fileType`	`enum (FileType)` FileType field.
`capabilitiesTags[]`	`string` Capabilities tags.
`names[]`	`string` Names fields.
`tags[]`	`string` Tags for the file.
`lastModificationTime`	`string (Timestamp format)` Timestamp when the file was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`createTime`	`string (Timestamp format)` Timestamp when the file was created. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastAccessTime`	`string (Timestamp format)` Timestamp when the file was accessed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`prevalence`	`object (Prevalence)` Prevalence of the file hash in the customer's environment.
`firstSeenTime`	`string (Timestamp format)` Timestamp the file was first seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastSeenTime`	`string (Timestamp format)` Timestamp the file was last seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`statMode`	`string` The mode of the file. A bit string indicating the permissions and privileges of the file.
`statInode`	`string` The file identifier. Unique identifier of object within a file system.
`statDev`	`string` The file system identifier to which the object belongs.
`statNlink`	`string` Number of links to file.
`statFlags`	`integer (uint32 format)` User defined flags for file.
`lastAnalysisTime`	`string (Timestamp format)` Timestamp the file was last analysed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`embeddedUrls[]`	`string` Embedded urls found in the file.
`embeddedDomains[]`	`string` Embedded domains found in the file.
`embeddedIps[]`	`string` Embedded IP addresses found in the file.
`exifInfo`	`object (ExifInfo)` Exif metadata from different file formats extracted by exiftool.
`signatureInfo`	`object (SignatureInfo)` File signature information extracted from different tools.
`pdfInfo`	`object (PDFInfo)` Information about the PDF file structure.
`firstSubmissionTime`	`string (Timestamp format)` First submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastSubmissionTime`	`string (Timestamp format)` Last submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`mainIcon`	`object (Favicon)` Icon's relevant hashes.
`ntfs`	`object (NtfsFileMetadata)` NTFS metadata.
`appCompatCache`	`object (AppCompatMetadata)` Windows AppCompatCache (Application Compatibility) metadata.

FileMetadata

Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type.

JSON representation
{ "pe": { object (`PeFileMetadata`) } }

Fields

pe
(deprecated)

object (PeFileMetadata)

Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto.

PeFileMetadata

Metadata about a Microsoft Windows Portable Executable.

JSON representation
{ "importHash": string }

Fields

importHash

string

Hash of PE imports.

FileMetadataPE

Metadata about the Portable Executable (PE) file.

JSON representation

JSON representation
{ "imphash": string, "entryPoint": string, "entryPointExiftool": string, "compilationTime": string, "compilationExiftoolTime": string, "section": [ { object (`FileMetadataSection`) } ], "imports": [ { object (`FileMetadataImports`) } ], "resource": [ { object (`FileMetadataPeResourceInfo`) } ], "resourcesTypeCount": [ { object (`StringToInt64MapEntry`) } ], "resourcesLanguageCount": [ { object (`StringToInt64MapEntry`) } ], "resourcesTypeCountStr": [ { object (`Label`) } ], "resourcesLanguageCountStr": [ { object (`Label`) } ], "signatureInfo": { object (`FileMetadataSignatureInfo`) } }

{
  "imphash": string,
  "entryPoint": string,
  "entryPointExiftool": string,
  "compilationTime": string,
  "compilationExiftoolTime": string,
  "section": [
    {
      object (FileMetadataSection)
    }
  ],
  "imports": [
    {
      object (FileMetadataImports)
    }
  ],
  "resource": [
    {
      object (FileMetadataPeResourceInfo)
    }
  ],
  "resourcesTypeCount": [
    {
      object (StringToInt64MapEntry)
    }
  ],
  "resourcesLanguageCount": [
    {
      object (StringToInt64MapEntry)
    }
  ],
  "resourcesTypeCountStr": [
    {
      object (Label)
    }
  ],
  "resourcesLanguageCountStr": [
    {
      object (Label)
    }
  ],
  "signatureInfo": {
    object (FileMetadataSignatureInfo)
  }
}

Fields
`imphash`	`string` Imphash of the file.
`entryPoint`	`string (int64 format)` info.pe-entry-point.
`entryPointExiftool`	`string (int64 format)` info.exiftool.EntryPoint.
`compilationTime`	`string (Timestamp format)` info.pe-timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`compilationExiftoolTime`	`string (Timestamp format)` info.exiftool.TimeStamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`section[]`	`object (FileMetadataSection)` FilemetadataSection fields.
`imports[]`	`object (FileMetadataImports)` FilemetadataImports fields.
`resource[]`	`object (FileMetadataPeResourceInfo)` FilemetadataPeResourceInfo fields.
`resourcesTypeCount[] (deprecated)`	`object (StringToInt64MapEntry)` This item is deprecated! Deprecated: use resourcesTypeCountStr.
`resourcesLanguageCount[] (deprecated)`	`object (StringToInt64MapEntry)` This item is deprecated! Deprecated: use resourcesLanguageCountStr.
`resourcesTypeCountStr[]`	`object (Label)` Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5
`resourcesLanguageCountStr[]`	`object (Label)` Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10
`signatureInfo (deprecated)`	`object (FileMetadataSignatureInfo)` This item is deprecated! FilemetadataSignatureInfo field. deprecated, user File.signature_info instead.

FileMetadataSection

File metadata section.

JSON representation
{ "name": string, "entropy": number, "rawSizeBytes": string, "virtualSizeBytes": string, "md5Hex": string }

Fields
`name`	`string` Name of the section.
`entropy`	`number` Entropy of the section.
`rawSizeBytes`	`string (int64 format)` Raw file size in bytes.
`virtualSizeBytes`	`string (int64 format)` Virtual file size in bytes.
`md5Hex`	`string` MD5 hex of the file.

FileMetadataImports

File metadata imports.

JSON representation
{ "library": string, "functions": [ string ] }

Fields

library

string

Library field.

functions[]

string

Function field.

FileMetadataPeResourceInfo

File metadata for PE resource.

JSON representation
{ "sha256Hex": string, "filetypeMagic": string, "languageCode": string, "entropy": number, "fileType": string }

Fields
`sha256Hex`	`string` SHA256_hex field..
`filetypeMagic`	`string` Type of resource content, as identified by the magic Python module.
`languageCode`	`string` Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: \| Language \| Sublanguage \| Field value \| \| LANG_NEUTRAL \| SUBLANG_NEUTRAL \| NEUTRAL \| \| LANG_FRENCH \| - \| FRENCH \| \| LANG_ENGLISH \| SUBLANG_ENGLISH US \| ENGLISH US \|
`entropy`	`number` Entropy of the resource.
`fileType`	`string` File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

StringToInt64MapEntry

JSON representation
{ "key": string, "value": string }

Fields

Fields
`key`	`string` Key field.
`value`	`string (int64 format)` Value field.

key

string

Key field.

value

string (int64 format)

Value field.

FileMetadataSignatureInfo

Signature information.

JSON representation
{ "verificationMessage": string, "verified": boolean, "signer": [ string ], "signers": [ { object (`SignerInfo`) } ], "x509": [ { object (`X509`) } ] }

Fields
`verificationMessage`	`string` Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.
`verified`	`boolean` True if verificationMessage == "Signed"
`signer[] (deprecated)`	`string` This item is deprecated! Deprecated: use signers field.
`signers[]`	`object (SignerInfo)` File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority.
`x509[]`	`object (X509)` List of certificates.

SignerInfo

File metadata related to the signer information.

JSON representation
{ "name": string, "status": string, "validUsage": string, "certIssuer": string }

Fields
`name`	`string` Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority.
`status`	`string` It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid.").
`validUsage`	`string` Indicates which situations the certificate is valid for (e.g. "Code Signing").
`certIssuer`	`string` Company that issued the certificate.

X509

File certificate.

JSON representation
{ "name": string, "algorithm": string, "thumbprint": string, "certIssuer": string, "serialNumber": string }

Fields
`name`	`string` Certificate name.
`algorithm`	`string` Certificate algorithm.
`thumbprint`	`string` Certificate thumbprint.
`certIssuer`	`string` Issuer of the certificate.
`serialNumber`	`string` Certificate serial number.

ExifInfo

Exif information.

JSON representation
{ "originalFile": string, "product": string, "company": string, "fileDescription": string, "entryPoint": string, "compilationTime": string }

Fields
`originalFile`	`string` original file name.
`product`	`string` product name.
`company`	`string` company name.
`fileDescription`	`string` description of a file.
`entryPoint`	`string (int64 format)` entry point.
`compilationTime`	`string (Timestamp format)` Compilation time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

SignatureInfo

File signature information extracted from different tools.

JSON representation
{ "sigcheck": { object (`FileMetadataSignatureInfo`) }, "codesign": { object (`FileMetadataCodesign`) } }

Fields

sigcheck

object (FileMetadataSignatureInfo)

Signature information extracted from the sigcheck tool.

codesign

object (FileMetadataCodesign)

Signature information extracted from the codesign utility.

FileMetadataCodesign

File metadata from the codesign utility.

JSON representation
{ "id": string, "format": string, "compilationTime": string, "teamId": string }

Fields
`id`	`string` Code sign identifier.
`format`	`string` Code sign format.
`compilationTime`	`string (Timestamp format)` Code sign timestamp Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`teamId`	`string` The assigned team identifier of the developer who signed the application.

PDFInfo

Information about the PDF file structure. See https://developers.virustotal.com/reference/pdfInfo

JSON representation

{
  "js": string,
  "javascript": string,
  "launchActionCount": string,
  "objectStreamCount": string,
  "endobjCount": string,
  "header": string,
  "acroform": string,
  "autoaction": string,
  "embeddedFile": string,
  "encrypted": string,
  "flash": string,
  "jbig2Compression": string,
  "objCount": string,
  "endstreamCount": string,
  "pageCount": string,
  "streamCount": string,
  "openaction": string,
  "startxref": string,
  "suspiciousColors": string,
  "trailer": string,
  "xfa": string,
  "xref": string
}

Fields
`js`	`string (int64 format)` Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios.
`javascript`	`string (int64 format)` Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios.
`launchActionCount`	`string (int64 format)` Number of /Launch tags found in the PDF file.
`objectStreamCount`	`string (int64 format)` Number of object streams.
`endobjCount`	`string (int64 format)` Number of object definitions (endobj keyword).
`header`	`string` PDF version.
`acroform`	`string (int64 format)` Number of /AcroForm tags found in the PDF.
`autoaction`	`string (int64 format)` Number of /AA tags found in the PDF.
`embeddedFile`	`string (int64 format)` Number of /EmbeddedFile tags found in the PDF.
`encrypted`	`string (int64 format)` Whether the document is encrypted or not. This is defined by the /Encrypt tag.
`flash`	`string (int64 format)` Number of /RichMedia tags found in the PDF.
`jbig2Compression`	`string (int64 format)` Number of /JBIG2Decode tags found in the PDF.
`objCount`	`string (int64 format)` Number of objects definitions (obj keyword).
`endstreamCount`	`string (int64 format)` Number of defined stream objects (stream keyword).
`pageCount`	`string (int64 format)` Number of pages in the PDF.
`streamCount`	`string (int64 format)` Number of defined stream objects (stream keyword).
`openaction`	`string (int64 format)` Number of /OpenAction tags found in the PDF.
`startxref`	`string (int64 format)` Number of startxref keywords in the PDF.
`suspiciousColors`	`string (int64 format)` Number of colors expressed with more than 3 bytes (CVE-2009-3459).
`trailer`	`string (int64 format)` Number of trailer keywords in the PDF.
`xfa`	`string (int64 format)` Number of \XFA tags found in the PDF.
`xref`	`string (int64 format)` Number of xref keywords in the PDF.

NtfsFileMetadata

NTFS-specific file metadata.

JSON representation
{ "changeTime": string, "filenameCreateTime": string, "filenameModifyTime": string, "filenameAccessTime": string, "filenameChangeTime": string }

Fields
`changeTime`	`string (Timestamp format)` NTFS MFT entry changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`filenameCreateTime`	`string (Timestamp format)` NTFS $FILE_NAME attribute created timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`filenameModifyTime`	`string (Timestamp format)` NTFS $FILE_NAME attribute modified timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`filenameAccessTime`	`string (Timestamp format)` NTFS $FILE_NAME attribute accessed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`filenameChangeTime`	`string (Timestamp format)` NTFS $FILE_NAME attribute changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

Registry

Information about a registry key or value.

JSON representation
{ "registryKey": string, "registryValueName": string, "registryValueData": string, "registryValueType": enum (`Type`) }

Fields
`registryKey`	`string` Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).
`registryValueName`	`string` Name of the registry value associated with an application or system component (e.g. TEMP).
`registryValueData`	`string` Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).
`registryValueType`	`enum (Type)` Type of the registry value.

Id

Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form.

JSON representation
{ "namespace": enum (`Namespace`), "id": string, "stringId": string }

Fields

namespace

enum (Namespace)

Namespace the id belongs to.

id

string (bytes format)

Full raw ID.

A base64-encoded string.

stringId

string

Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa...

Investigation

Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.

JSON representation

{
  "comments": [
    string
  ],
  "verdict": enum (Verdict),
  "reputation": enum (Reputation),
  "severityScore": integer,
  "status": enum (Status),
  "priority": enum (Priority),
  "rootCause": string,
  "reason": enum (Reason),
  "riskScore": integer,
  "id": string
}

Fields
`comments[]`	`string` Comment added by the Analyst.
`verdict`	`enum (Verdict)` Describes reason a finding investigation was resolved.
`reputation`	`enum (Reputation)` Describes whether a finding was useful or not-useful.
`severityScore`	`integer (uint32 format)` Severity score for a finding set by an analyst.
`status`	`enum (Status)` Describes the workflow status of a finding.
`priority`	`enum (Priority)` Priority of the Alert or Finding set by analyst.
`rootCause`	`string` Root cause of the Alert or Finding set by analyst.
`reason`	`enum (Reason)` Reason for closing the Case or Alert.
`riskScore`	`integer (uint32 format)` Risk score for a finding set by an analyst.
`id`	`string` Identifier for the investigation

Noun Stay organized with collections Save and categorize content based on your preferences.

Domain

User

TimeOff

Favicon

DNSRecord

PopularityRank

Url

Tracker

Browser

Cookie

Group

Process

File

FileMetadata

PeFileMetadata

FileMetadataPE

FileMetadataSection

FileMetadataImports

FileMetadataPeResourceInfo

StringToInt64MapEntry

FileMetadataSignatureInfo

SignerInfo

X509

ExifInfo

SignatureInfo

FileMetadataCodesign

PDFInfo

NtfsFileMetadata

Registry

Id

Investigation

Noun