Result
Result Model

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| archive_ts | Date | None | Optional | None |
| classification | Classification | Aggregate classification for the result | Yes | None |
| created | Date | Date at which the result object got created | Yes | NOW |
| expiry_ts | Date | Expiry timestamp | Optional | None |
| response | ResponseBody | The body of the response from the service | Yes | None |
| result | ResultBody | The result body | Yes | See ResultBody for more details. |
| sha256 | SHA256 | SHA256 of the file the result object relates to | Yes | None |
| type | Keyword | None | Optional | None |
| size | Integer | None | Optional | None |
| drop_file | Boolean | Use to not pass to other stages after this run | Yes | False |
| partial | Boolean | Invalidate the current result cache creation | Yes | False |
| from_archive | Boolean | Was loaded from the archive | Yes | False |

ResponseBody
Response Body of Result

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| milestones | Milestone | Milestone block | Yes | See Milestone for more details. |
| service_version | Keyword | Version of the service | Yes | None |
| service_name | Keyword | Name of the service that scanned the file | Yes | None |
| service_tool_version | Keyword | Tool version of the service | Optional | None |
| supplementary | List [File] | List of supplementary files | Yes | [] |
| extracted | List [File] | List of extracted files | Yes | [] |
| service_context | Keyword | Context about the service | Optional | None |
| service_debug_info | Keyword | Debug info about the service | Optional | None |

File
File related to the Response

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the file | Yes | None |
| sha256 | SHA256 | SHA256 of the file | Yes | None |
| description | Text | Description of the file | Yes | None |
| classification | Classification | Classification of the file | Yes | None |
| is_section_image | Boolean | Is this an image used in an Image Result Section? | Yes | False |
| parent_relation | Text | File relation to parent, if any. Values: "ROOT", "EXTRACTED", "INFORMATION", "DYNAMIC", "MEMDUMP", "DOWNLOADED" | Yes | EXTRACTED |
| allow_dynamic_recursion | Boolean | Allow file to be analysed during Dynamic Analysis even if Dynamic Recursion Prevention is enabled. | Yes | False |

Milestone
Service Milestones

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| service_started | Date | Date the service started scanning | Yes | NOW |
| service_completed | Date | Date the service finished scanning | Yes | NOW |

ResultBody
Result Body

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| score | Integer | Aggregate of the score for all heuristics | Yes | 0 |
| sections | List [Section] | List of sections | Yes | [] |

Section
Result Section

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| auto_collapse | Boolean | Should the section be collapsed when displayed? | Yes | False |
| body | Text | Text body of the result section | Optional | None |
| classification | Classification | Classification of the section | Yes | None |
| body_format | Enum | Type of body in this section. Supported values are: "GRAPH_DATA", "IMAGE", "JSON", "KEY_VALUE", "MEMORY_DUMP", "MULTI", "ORDERED_KEY_VALUE", "PROCESS_TREE", "TABLE", "TEXT", "TIMELINE", "URL" | Yes | None |
| body_config | Mapping [String, Any] | None | Optional | None |
| depth | Integer | Depth of the section | Yes | None |
| heuristic | Heuristic | Heuristic used to score result section | Optional | None |
| tags | Tagging | List of tags associated to this section | Yes | See Tagging for more details. |
| safelisted_tags | FlatMapping | List of safelisted tags | Yes | {} |
| title_text | Text | Title of the section | Yes | None |
| promote_to | Enum | None. Supported values are: "ENTROPY", "SCREENSHOT", "URI_PARAMS" | Optional | None |

Heuristic
Heuristic associated to the Section

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| heur_id | Keyword | ID of the heuristic triggered | Yes | None |
| name | Keyword | Name of the heuristic | Yes | None |
| attack | List [Attack] | List of ATT&CK IDs related to this heuristic | Yes | [] |
| signature | List [Signature] | List of signatures that triggered the heuristic | Yes | [] |
| score | Integer | Calculated Heuristic score | Yes | None |

Attack
None

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| attack_id | Keyword | ID | Yes | None |
| pattern | Keyword | Pattern Name | Yes | None |
| categories | List [Keyword] | Categories | Yes | None |

Signature
Heuristic Signatures

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the signature that triggered the heuristic | Yes | None |
| frequency | Integer | Number of times this signature triggered the heuristic | Yes | 1 |
| safe | Boolean | Is the signature safelisted or not | Yes | False |
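
The models above nest as Result → ResultBody → Section → Heuristic → Attack / Signature. The following triage helper is an added example, not code from the project this page documents: it walks a result document of that shape, lists each heuristic hit with its ATT&CK IDs and non-safelisted signatures, and cross-checks `result.score` against the per-heuristic scores. The sample document is constructed and trimmed to the fields the helper reads; the `EXAMPLE.*` IDs, service name and signature names are hypothetical, and treating the aggregate score as a plain sum is an assumption.

```python
# Constructed sample shaped like the Result model above (not real service output).
SAMPLE_RESULT = {
    "sha256": "0" * 64,                      # placeholder digest
    "response": {"service_name": "ExampleService", "service_version": "1.0.0"},
    "result": {
        "score": 510,
        "sections": [
            {"title_text": "File info", "depth": 0, "body_format": "TEXT"},
            {"title_text": "Script launch", "depth": 0, "body_format": "TEXT",
             "heuristic": {
                 "heur_id": "EXAMPLE.1", "name": "Script interpreter use", "score": 500,
                 "attack": [{"attack_id": "T1059", "categories": ["execution"],
                             "pattern": "Command and Scripting Interpreter"}],
                 "signature": [{"name": "sig_a", "frequency": 2, "safe": False},
                               {"name": "sig_b", "frequency": 1, "safe": True}]}},
            {"title_text": "Network", "depth": 1, "body_format": "KEY_VALUE",
             "heuristic": {"heur_id": "EXAMPLE.2", "name": "Outbound URL",
                           "score": 10, "attack": [], "signature": []}},
        ],
    },
}


def summarize(doc):
    """Flatten the heuristic hits of one Result document for triage."""
    body = doc["result"]
    hits = []
    for section in body.get("sections", []):
        heur = section.get("heuristic")      # Optional on a Section
        if not heur:
            continue
        hits.append({
            "heur_id": heur["heur_id"],
            "section": section["title_text"],
            "score": heur["score"],
            "attack_ids": sorted({a["attack_id"] for a in heur.get("attack", [])}),
            "signatures": [s["name"] for s in heur.get("signature", [])
                           if not s.get("safe", False)],  # skip safelisted
        })
    computed = sum(h["score"] for h in hits)
    return {
        "service": doc["response"]["service_name"],
        "sha256": doc["sha256"],
        "hits": sorted(hits, key=lambda h: h["score"], reverse=True),
        "computed_score": computed,
        # Assumption: the aggregate is the plain sum of heuristic scores.
        "score_matches": computed == body["score"],
    }
```

A `score_matches` of `False` is a cue to re-check the document before trusting its aggregate score in downstream alerting.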