Result
Result Model.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| archive_ts | Date | None | Optional | None |
| classification | Classification | Aggregate security classification for the result. | Yes | None |
| created | Date | Date at which the result object got created. | Yes | NOW |
| expiry_ts | Date | Timestamp for when the result record expires. | Optional | None |
| response | ResponseBody | The body of the response from the service. | Yes | None |
| result | ResultBody | The result body. | Yes | See ResultBody for more details. |
| sha256 | SHA256 | SHA256 of the file the result object relates to. | Yes | None |
| type | Keyword | None | Optional | None |
| size | Integer | None | Optional | None |
| drop_file | Boolean | Set to prevent the file from being passed to other stages after this run. | Yes | False |
| partial | Boolean | Invalidate the current result cache creation. | Yes | False |
| from_archive | Boolean | Whether the result was loaded from the archive. | Yes | False |
ResponseBody
Response Body of Result.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| milestones | Milestone | Milestone block. | Yes | See Milestone for more details. |
| service_version | Keyword | Version of the service. | Yes | None |
| service_name | Keyword | Name of the service that scanned the file. | Yes | None |
| service_tool_version | Keyword | Tool version of the service. | Optional | None |
| supplementary | List [File] | List of supplementary files. | Yes | [] |
| extracted | List [File] | List of extracted files. | Yes | [] |
| service_context | Keyword | Context about the service. | Optional | None |
| service_debug_info | Keyword | Debug info about the service. | Optional | None |
File
File related to the Response.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the file. | Yes | None |
| sha256 | SHA256 | SHA256 of the file. | Yes | None |
| description | Text | Description of the file. | Yes | None |
| classification | Classification | Classification of the file. | Yes | None |
| is_section_image | Boolean | Is this an image used in an Image Result Section. | Yes | False |
| parent_relation | Text | File relation to parent, if any. Values: "ROOT", "EXTRACTED", "INFORMATION", "DYNAMIC", "MEMDUMP", "DOWNLOADED". | Yes | EXTRACTED |
| allow_dynamic_recursion | Boolean | Allow file to be analysed during Dynamic Analysis even if Dynamic Recursion Prevention is enabled. | Yes | False |
Milestone
Service Milestones.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| service_started | Date | Date the service started scanning. | Yes | NOW |
| service_completed | Date | Date the service finished scanning. | Yes | NOW |
ResultBody
Result Body.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| score | Integer | Aggregate of the score for all heuristics. | Yes | 0 |
| sections | List [Section] | List of sections. | Yes | [] |
Section
Result Section.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| auto_collapse | Boolean | Auto-collapse result sections upon loading. | Yes | False |
| body | Text | Text body of the result section. | Optional | None |
| classification | Classification | Security classification of the individual result section. | Yes | None |
| body_format | Enum | Type of body in this section. Supported values are: "GRAPH_DATA", "IMAGE", "JSON", "KEY_VALUE", "MEMORY_DUMP", "MULTI", "ORDERED_KEY_VALUE", "PROCESS_TREE", "TABLE", "TEXT", "TIMELINE", "URL" | Yes | None |
| body_config | Mapping [String, Any] | None | Optional | None |
| depth | Integer | Depth of the section. | Yes | None |
| heuristic | Heuristic | Heuristic triggered in a result section. | Optional | None |
| tags | Tagging | List of tags associated with this section. | Yes | See Tagging for more details. |
| safelisted_tags | FlatMapping | List of safelisted tags. | Yes | {} |
| title_text | Text | Title of the section. | Yes | None |
| promote_to | Enum | Supported values are: "ENTROPY", "SCREENSHOT", "URI_PARAMS" | Optional | None |
Heuristic
Heuristic associated with the result section.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| heur_id | Keyword | Heuristic ID. | Yes | None |
| name | Keyword | Name of the heuristic. | Yes | None |
| attack | List [Attack] | List of the MITRE ATT&CK IDs related to this heuristic. | Yes | [] |
| signature | List [Signature] | List of signatures that triggered the heuristic. | Yes | [] |
| score | Integer | Calculated heuristic score. | Yes | None |
Attack
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| attack_id | Keyword | MITRE ATT&CK ID. | Yes | None |
| pattern | Keyword | MITRE ATT&CK® framework patterns identified in the analysis. | Yes | None |
| categories | List [Keyword] | MITRE ATT&CK® framework categories associated with the alert. | Yes | None |
Signature
Heuristic Signatures.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the signature that triggered a heuristic. | Yes | None |
| frequency | Integer | Number of times this signature triggered a heuristic. | Yes | 1 |
| safe | Boolean | Is the signature safelisted or not. | Yes | False |