Submission
Model of Submission
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| archive_ts | Date | None | Optional | None |
| archived | Boolean | Document is present in the malware archive | Yes | False |
| classification | Classification | Classification of the submission | Yes | None |
| tracing_events | List [TraceEvent] | None | Yes | [] |
| error_count | Integer | Total number of errors in the submission | Yes | None |
| errors | List [Keyword] | List of error keys | Yes | None |
| expiry_ts | Date | Expiry timestamp | Optional | None |
| file_count | Integer | Total number of files in the submission | Yes | None |
| files | List [File] | List of files that were originally submitted | Yes | None |
| max_score | Integer | Maximum score of all the files in the scan | Yes | None |
| metadata | FlatMapping | Metadata associated with the submission | Yes | {} |
| params | SubmissionParams | Submission parameter details | Yes | None |
| results | List [Wildcard] | List of result keys | Yes | None |
| sid | UUID | Submission ID | Yes | None |
| state | Enum | Status of the submission. Supported values are: "completed", "failed", "submitted" | Yes | None |
| to_be_deleted | Boolean | This document is going to be deleted as soon as it finishes | Yes | False |
| times | Times | Submission-specific times | Yes | See Times for more details. |
| verdict | Verdict | Malicious verdict details | Yes | See Verdict for more details. |
| from_archive | Boolean | Was loaded from the archive | Yes | False |
| scan_key | Keyword | None | Optional | None |
File
File Model of Submission
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the file | Yes | None |
| size | Long | Size of the file in bytes | Optional | None |
| sha256 | SHA256 | SHA256 hash of the file | Yes | None |
SubmissionParams
Submission Parameters
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| classification | Classification | Original classification of the submission | Yes | TLP:C |
| deep_scan | Boolean | Should a deep scan be performed? | Yes | False |
| description | Text | Description of the submission | Yes | None |
| generate_alert | Boolean | Should this submission generate an alert? | Yes | False |
| groups | List [Keyword] | List of groups related to this scan | Yes | [] |
| ignore_cache | Boolean | Ignore the cached service results? | Yes | False |
| ignore_recursion_prevention | Boolean | Should we ignore recursion prevention? | Yes | False |
| ignore_filtering | Boolean | Should we ignore filtering services? | Yes | False |
| ignore_size | Boolean | Ignore the file size limits? | Yes | False |
| never_drop | Boolean | Exempt from being dropped by ingester? | Yes | False |
| malicious | Boolean | Is the file submitted already known to be malicious? | Yes | False |
| max_extracted | Integer | Max number of extracted files | Yes | 500 |
| max_supplementary | Integer | Max number of supplementary files | Yes | 500 |
| priority | Integer | Priority of the scan | Yes | 1000 |
| psid | UUID | Parent submission ID | Optional | None |
| quota_item | Boolean | Does this submission count against quota? | Yes | False |
| services | ServiceSelection | Service selection | Yes | See ServiceSelection for more details. |
| service_spec | Mapping [String, Mapping [String, Any]] | Service-specific parameters | Yes | {} |
| submitter | Keyword | User who submitted the file | Yes | None |
| trace | Boolean | Collect debug information about the processing of a submission | Yes | False |
| ttl | Integer | Time, in days, to live for this submission | Yes | 0 |
| type | Keyword | Type of submission | Yes | USER |
| initial_data | Text | Initialization for temporary submission data | Optional | None |
| auto_archive | Boolean | Does the submission automatically go into the archive when completed? | Yes | False |
| delete_after_archive | Boolean | When the submission is archived, should we delete it from hot storage right away? | Yes | False |
| use_archive_alternate_dtl | Boolean | Should we use the alternate dtl while archiving? | Yes | False |
ServiceSelection
Service Selection Scheme
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| selected | List [Keyword] | List of selected services | Yes | ['Filtering', 'Antivirus', 'Static Analysis', 'Extraction', 'Networking'] |
| excluded | List [Keyword] | List of excluded services | Yes | [] |
| rescan | List [Keyword] | List of services to rescan | Yes | [] |
| resubmit | List [Keyword] | Add to service selection when resubmitting | Yes | [] |
Times
Submission-Relevant Times
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| completed | Date | Date at which the submission finished scanning | Optional | None |
| submitted | Date | Date at which the submission started scanning | Yes | NOW |
TraceEvent
A logging event describing the processing of a submission
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| timestamp | Date | None | Yes | NOW |
| event_type | Keyword | None | Yes | None |
| service | Keyword | None | Optional | None |
| file | SHA256 | None | Optional | None |
| message | Keyword | None | Optional | None |
Verdict
Submission Verdict
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| malicious | List [Keyword] | List of users who think this submission is malicious | Yes | [] |
| non_malicious | List [Keyword] | List of users who think this submission is non-malicious | Yes | [] |