Submission¶
Model of Submission
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| archive_ts | Date | None | Optional |
None |
| archived | Boolean | Submission is present in the malware archive. | Yes |
False |
| classification | Classification | Overall security classification of the submission. | Yes |
None |
| tracing_events | List [TraceEvent] | None | Yes |
[] |
| error_count | Integer | Total number of errors in the submission. | Yes |
None |
| errors | List [Keyword] | List of error keys present in the submission. | Yes |
None |
| expiry_ts | Date | Timestamp for when the submission record expires. | Optional |
None |
| file_count | Integer | Total number of files in the submission. | Yes |
None |
| files | List [File] | List of files that were originally submitted. | Yes |
None |
| max_score | Integer | The highest score across all files within a submission. | Yes |
None |
| metadata | FlatMapping | Metadata associated with the submission. | Yes |
{} |
| params | SubmissionParams | Submission parameter details. | Yes |
None |
| results | List [Wildcard] | List of result keys from the submission. | Yes |
None |
| sid | UUID | The ID associated with a submission. | Yes |
None |
| state | Enum | State of the submission (ie. completed). Supported values are: "completed", "failed", "submitted" |
Yes |
None |
| to_be_deleted | Boolean | This submission is going to be deleted as soon as it finishes. | Yes |
False |
| times | Times | Submission-specific times. | Yes |
See Times for more details. |
| verdict | Verdict | Relates to the verdict of the submission (i.e. Malicious or Non-Malicious). | Yes |
See Verdict for more details. |
| from_archive | Boolean | Was loaded from the archive. | Yes |
False |
| scan_key | Keyword | None | Optional |
None |
File¶
File Model of Submission.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | Keyword | Name of the submission. | Yes |
None |
| size | Long | Size of the submitted file in bytes. | Optional |
None |
| sha256 | SHA256 | SHA256 hash of the submitted file. | Yes |
None |
SubmissionParams¶
Submission Parameters
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| classification | Classification | Original classification of the submission. | Yes |
TLP:C |
| deep_scan | Boolean | Select to perform a deep scan. | Yes |
False |
| description | Text | User-supplied information applied to Submission Details. | Yes |
None |
| generate_alert | Boolean | Generate alert upon completion of analysis. | Yes |
False |
| groups | List [Keyword] | List relevant group or organization related to this scan. | Yes |
[] |
| ignore_cache | Boolean | Ignore cached service results. | Yes |
False |
| ignore_recursion_prevention | Boolean | Ignore recursions prevention to avoid performance issues. | Yes |
False |
| ignore_filtering | Boolean | Ignore services in the FILTER category (i.e. Safelist). | Yes |
False |
| ignore_size | Boolean | Ignore the file size limits. | Yes |
False |
| never_drop | Boolean | Ingestion of submission will not be dropped as a result of ingestion queue volume. | Yes |
False |
| malicious | Boolean | User confirmation that the submission is known to be malicious. | Yes |
False |
| max_extracted | Integer | Max number of extracted files. | Yes |
500 |
| max_supplementary | Integer | Max number of supplementary files. | Yes |
500 |
| priority | Integer | Determines order in which submission is analyzed relative to the queue. | Yes |
1000 |
| psid | UUID | Submission ID of 'parent' submission that has not been resubmitted for extended scan. | Optional |
None |
| quota_item | Boolean | Does this submission count against quota? | Yes |
False |
| services | ServiceSelection | Identify which services will run in the relevant submission. | Yes |
See ServiceSelection for more details. |
| service_spec | Mapping [String, Mapping [String, Any]] | Service-specific parameters for the relevant submission. | Yes |
{} |
| submitter | Keyword | User who submitted the file. | Yes |
None |
| trace | Boolean | Collect debug information about the processing of a submission. | Yes |
False |
| ttl | Integer | Time, in days, to live for this submission. | Yes |
0 |
| type | Keyword | Source of submission (i.e. 'USER' or a particular sensor). | Yes |
USER |
| initial_data | Text | Initialization for temporary submission data. | Optional |
None |
| auto_archive | Boolean | Send submission to the archive upon completion of analysis. | Yes |
False |
| delete_after_archive | Boolean | When the submission is archived, immediately delete from hot storage. | Yes |
False |
| use_archive_alternate_dtl | Boolean | use alternating dtl when archiving. | Yes |
False |
ServiceSelection¶
Service Selection Scheme.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| selected | List [Keyword] | List of selected services. | Yes |
['Filtering', 'Antivirus', 'Static Analysis', 'Extraction', 'Networking'] |
| excluded | List [Keyword] | List of excluded services. | Yes |
[] |
| rescan | List [Keyword] | List of services to rescan when initial run scores as malicious. | Yes |
[] |
| resubmit | List [Keyword] | Add to service selection when resubmitting. | Yes |
[] |
Times¶
Submission-Relevant Times.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| completed | Date | Date at which the submission finished scanning. | Optional |
None |
| submitted | Date | Date at which the submission started scanning. | Yes |
NOW |
TraceEvent¶
A logging event describing the processing of a submission.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| timestamp | Date | None | Yes |
NOW |
| event_type | Keyword | None | Yes |
None |
| service | Keyword | None | Optional |
None |
| file | SHA256 | None | Optional |
None |
| message | Keyword | None | Optional |
None |
Verdict¶
Submission Verdict
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| malicious | List [Keyword] | List all submissions that were labelled malicious by a specific user. | Yes |
[] |
| non_malicious | List [Keyword] | List all submissions that were labelled non-malicious by a specific user. | Yes |
[] |