Tagging
Top-level model containing all tagging metadata for an analysis.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| attribution | Attribution | All attribution-related tags (actors, campaigns, tooling, etc.). | Optional | None |
| av | AV | Tags derived from antivirus detection names and heuristics. | Optional | None |
| cert | Cert | Tags derived from digital certificates and related fields. | Optional | None |
| code | Code | Tags capturing relationships to other code samples. | Optional | None |
| dynamic | Dynamic | Tags generated from sandbox or other dynamic analysis. | Optional | None |
| info | Info | General informational tags not covered by other categories. | Optional | None |
| file | File | Tags describing file content, structure, and embedded formats. | Optional | None |
| network | Network | Tags describing network indicators and communication patterns. | Optional | None |
| source | List [Keyword] | Tags describing where the sample or tagging information originated. | Optional | None |
| technique | Technique | Tags summarizing techniques, tactics, and tradecraft used. | Optional | None |
| vector | List [Keyword] | Tags describing delivery or infection vectors for the sample. | Optional | None |
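The nested model above is usually consumed as dotted tag paths such as `attribution.actor` or `file.pe.imports.imphash`, with every leaf holding a list of values. The following is an added example, not code from this project: it flattens a nested tag document into those dotted paths and checks each leaf against the value type named in the tables. The leaf rules (upper-case check for UpperKeyword, hex length for MD5/SHA256, a 0-65535 range for port integers, a simple domain regex), the small subset of paths in `LEAF_CHECKS`, and the sample documents are all assumptions constructed for the example.

```python
import hashlib
import re
from typing import Any, Callable, Dict, List, Tuple

# Leaf-type checks for the value types named in the tables. These rules are
# assumptions made for this example, not the project's own type definitions.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def keyword(v: Any) -> bool:
    return isinstance(v, str) and 0 < len(v) <= 1024


def upper_keyword(v: Any) -> bool:
    # UpperKeyword: a keyword that must already be upper-cased (attribution tags).
    return keyword(v) and v == v.upper()


def hex_digest(length: int) -> Callable[[Any], bool]:
    # MD5 = 32 hex chars, SHA1 = 40, SHA256 = 64.
    pattern = re.compile(rf"^[0-9a-f]{{{length}}}$")
    return lambda v: isinstance(v, str) and bool(pattern.match(v))


def integer_port(v: Any) -> bool:
    # Integer; the 0-65535 range is an assumption for port values.
    return isinstance(v, int) and not isinstance(v, bool) and 0 <= v <= 65535


def domain(v: Any) -> bool:
    return isinstance(v, str) and bool(DOMAIN_RE.match(v))


# Subset of the schema's dotted tag paths and the check applied to each leaf.
LEAF_CHECKS: Dict[str, Callable[[Any], bool]] = {
    "av.virus_name": keyword,
    "attribution.actor": upper_keyword,
    "attribution.family": upper_keyword,
    "dynamic.mutex": keyword,
    "file.pe.imports.imphash": hex_digest(32),
    "file.pe.imports.gimphash": hex_digest(64),
    "network.port": integer_port,
    "network.static.domain": domain,
    "network.tls.ja3_hash": hex_digest(32),
    "technique.packer": keyword,
}


def flatten(tags: Dict[str, Any], prefix: str = "") -> Dict[str, List[Any]]:
    """Turn the nested model into dotted paths; every leaf becomes a list of values."""
    flat: Dict[str, List[Any]] = {}
    for key, value in tags.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        elif isinstance(value, (list, tuple, set)):
            flat[path] = list(value)
        else:
            flat[path] = [value]
    return flat


def validate(tags: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs; an empty list means every tag passed."""
    problems: List[Tuple[str, str]] = []
    for path, values in flatten(tags).items():
        check = LEAF_CHECKS.get(path)
        if check is None:
            problems.append((path, "not a known tag path"))
            continue
        for value in values:
            if not check(value):
                problems.append((path, f"rejected value {value!r}"))
    return problems


# Constructed sample document (not real analysis output); hashes are computed
# from placeholder strings so they are well-formed but meaningless.
SAMPLE_TAGS = {
    "av": {"virus_name": ["Trojan.Generic"]},
    "attribution": {"actor": ["APT-EXAMPLE"], "family": ["EXAMPLEFAMILY"]},
    "dynamic": {"mutex": ["Global\\example_mutex"]},
    "file": {"pe": {"imports": {
        "imphash": [hashlib.md5(b"kernel32.getprocaddress,kernel32.loadlibrarya").hexdigest()],
        "gimphash": [hashlib.sha256(b"constructed").hexdigest()],
    }}},
    "network": {
        "port": [443, 8443],
        "static": {"domain": ["c2.example.invalid"]},
        "tls": {"ja3_hash": [hashlib.md5(b"771,4865-4866,0-23,29-23,0").hexdigest()]},
    },
    "technique": {"packer": ["UPX"]},
}

# Same idea with three deliberate mistakes: lower-case actor, truncated imphash,
# and a path the schema does not define.
BAD_TAGS = {
    "attribution": {"actor": ["apt-example"]},
    "file": {"pe": {"imports": {"imphash": ["abc123"]}}},
    "network": {"sta": {"domain": ["c2.example.invalid"]}},
}

if __name__ == "__main__":
    for path, values in sorted(flatten(SAMPLE_TAGS).items()):
        print(f"{path}: {values}")
    print("problems:", validate(BAD_TAGS))
```

Rejecting unknown paths is deliberate: a misspelled tag path silently produces a tag nobody searches for, so it is better caught at ingestion than discovered in a missed hunt.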
AV
Tags derived from antivirus detections and heuristics.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| heuristic | List [Keyword] | Antivirus heuristic names or identifiers triggered by the sample. | Optional | None |
| virus_name | List [Keyword] | Virus or malware names reported by antivirus engines. | Optional | None |
Attribution
Attribution-related tags such as actors, campaigns, and families.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| actor | List [UpperKeyword] | Threat actors or groups attributed to this sample. | Optional | None |
| campaign | List [UpperKeyword] | Named campaigns or operations associated with this sample. | Optional | None |
| category | List [UpperKeyword] | High-level attribution categories (e.g. crimeware, nation-state). | Optional | None |
| exploit | List [UpperKeyword] | Named exploits or vulnerability identifiers used by this sample. | Optional | None |
| implant | List [UpperKeyword] | Malware implants or tools linked to the attributed actor. | Optional | None |
| family | List [UpperKeyword] | Malware families or codebases related to this sample. | Optional | None |
| network | List [UpperKeyword] | Network infrastructure or clusters used for attribution. | Optional | None |
Cert
Metadata tags extracted from digital certificates.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| extended_key_usage | List [Keyword] | Extended key usage values indicating allowed certificate purposes. | Optional | None |
| issuer | List [Keyword] | Issuer distinguished name fields for the certificate. | Optional | None |
| key_usage | List [Keyword] | Key usage flags describing how the certificate key may be used. | Optional | None |
| owner | List [Keyword] | Subject entity that owns or controls the certificate. | Optional | None |
| serial_no | List [Keyword] | Certificate serial numbers. | Optional | None |
| signature_algo | List [Keyword] | Signature algorithm used to sign the certificate. | Optional | None |
| subject | List [Keyword] | Certificate subject distinguished name. | Optional | None |
| subject_alt_name | List [Keyword] | Subject alternative names (e.g. DNS names, IPs, emails). | Optional | None |
| thumbprint | List [Keyword] | Certificate thumbprints (hashes of the full certificate). | Optional | None |
| valid | CertValid | Structured validity period information for the certificate. | Optional | None |
| version | List [Keyword] | Certificate version numbers. | Optional | None |
CertValid
Certificate validity period (notBefore / notAfter).
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| start | List [Keyword] | Earliest date from which the certificate is valid (notBefore). | Optional | None |
| end | List [Keyword] | Latest date until which the certificate is valid (notAfter). | Optional | None |
Code
Tags describing code-level relationships between samples.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| sha256 | List [SHA256] | SHA256 hashes of related code blobs, modules, or snippets. | Optional | None |
Dynamic
Tags produced by dynamic/sandbox analysis about runtime behavior.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| autorun_location | List [Keyword] | Locations where persistence or autorun entries were created. | Optional | None |
| dos_device | List [Keyword] | DOS device paths (`\\.\` namespace) referenced during execution. | Optional | None |
| mutex | List [Keyword] | Mutex names used for synchronization or infection markers. | Optional | None |
| registry_key | List [Keyword] | Registry keys created, read, or modified at runtime. | Optional | None |
| process | DynamicProcess | Structured process information from sandbox execution. | Optional | None |
| signature | DynamicSignature | Structured list of sandbox or dynamic signatures that fired. | Optional | None |
| ssdeep | DynamicSSDeep | SSDeep-based fingerprints derived from dynamic artifacts. | Optional | None |
| window | DynamicWindow | Windows opened during dynamic analysis. | Optional | None |
| operating_system | DynamicOperatingSystem | Operating-system metadata from the sandbox environment. | Optional | None |
| processtree_id | List [Keyword] | Identifiers for nodes in the sandbox process tree. | Optional | None |
DynamicOperatingSystem
Operating system environment in the sandbox.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| platform | List [Platform] | OS platform identifiers (e.g. Windows, Linux). | Optional | None |
| version | List [Keyword] | OS version strings observed (e.g. 10.0.19045). | Optional | None |
| processor | List [Processor] | CPU architecture (e.g. x86, x64) used in the sandbox. | Optional | None |
DynamicProcess
Processes observed during dynamic execution.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| command_line | List [Keyword] | Command-line strings for processes started at runtime. | Optional | None |
| file_name | List [Keyword] | Executable or script filenames launched by the sample. | Optional | None |
| shortcut | List [Keyword] | Shortcut (.lnk) names or targets created or accessed. | Optional | None |
DynamicSSDeep
SSDeep-based similarity hashes for dynamic artifacts.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| cls_ids | List [SSDeepHash] | SSDeep hashes of CLSID-like identifiers seen during analysis. | Optional | None |
| dynamic_classes | List [SSDeepHash] | SSDeep hashes of dynamically loaded classes or COM objects. | Optional | None |
| regkeys | List [SSDeepHash] | SSDeep hashes of registry key strings accessed at runtime. | Optional | None |
DynamicSignature
Dynamic analysis signatures that fired.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| category | List [Keyword] | High-level behavioral category for the dynamic signature. | Optional | None |
| family | List [Keyword] | Malware family name associated with the dynamic signature. | Optional | None |
| name | List [Keyword] | Human-readable name of the dynamic analysis signature. | Optional | None |
DynamicWindow
Raw Windows-related identifiers from dynamic analysis.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| cls_ids | List [Keyword] | CLSIDs or similar identifiers observed during execution. | Optional | None |
| dynamic_classes | List [Keyword] | Names of dynamically loaded classes or COM objects. | Optional | None |
| regkeys | List [Keyword] | Registry key paths accessed or modified. | Optional | None |
File
Tags describing file structure, content, and embedded formats.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| ancestry | List [Keyword] | Tags describing file genealogy or derivation relationships. | Optional | None |
| behavior | List [Keyword] | Behavioral characteristics inferred from analysis. | Optional | None |
| compiler | List [Keyword] | Compiler or toolchain used to build the file. | Optional | None |
| config | List [Keyword] | Configuration blocks or key-value settings extracted from the file. | Optional | None |
| date | FileDate | Structured date and timestamp metadata for the file. | Optional | None |
| elf | FileELF | Structured properties specific to ELF binaries. | Optional | None |
| lib | List [Keyword] | Libraries the file depends on or bundles. | Optional | None |
| lsh | List [Keyword] | Locality-sensitive hashes (LSH) computed for fuzzy similarity. | Optional | None |
| name | FileName | Structured tags describing observed file names and anomalies. | Optional | None |
| path | List [Keyword] | File system or archive paths where the file was seen. | Optional | None |
| rule | Mapping [String, List [Keyword]] | Rules or signatures that matched this file, grouped by source. | Optional | None |
| string | FileStrings | Structured categories of strings extracted from the file. | Optional | None |
| apk | FileAPK | Detailed properties specific to Android APK files. | Optional | None |
| jar | FileJAR | Detailed properties specific to Java JAR archives. | Optional | None |
| img | FileIMG | Detailed properties specific to image files. | Optional | None |
| ole | FileOLE | Detailed properties specific to OLE/Office documents. | Optional | None |
| pe | FilePE | Detailed properties specific to Windows PE binaries. | Optional | None |
| pdf | FilePDF | Detailed properties specific to PDF documents. | Optional | None |
| plist | FilePList | Detailed properties specific to Apple plist files. | Optional | None |
| powershell | FilePowerShell | Detailed properties specific to PowerShell scripts. | Optional | None |
| shortcut | FileShortcut | Detailed properties specific to Windows shortcut files. | Optional | None |
| swf | FileSWF | Detailed properties specific to SWF files. | Optional | None |
FileAPK
Metadata extracted from Android APK packages.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| activity | List [Keyword] | Declared Android activities within the APK. | Optional | None |
| app | FileAPKApp | Application-level information from the APK. | Optional | None |
| feature | List [Keyword] | Optional hardware or software features requested by the app. | Optional | None |
| locale | List [Keyword] | Locales or languages supported by the application. | Optional | None |
| permission | List [Keyword] | Android permissions requested by the application. | Optional | None |
| pkg_name | List [Keyword] | Application package names (e.g. com.example.app). | Optional | None |
| provides_component | List [Keyword] | Components exposed by the APK (activities, services, providers, etc.). | Optional | None |
| sdk | FileAPKSDK | Structured Android SDK version information for the app. | Optional | None |
| used_library | List [Keyword] | Third-party or system libraries referenced by the APK. | Optional | None |
FileAPKApp
High-level information about the Android application.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| label | List [Keyword] | User-facing application label shown on the device. | Optional | None |
| version | List [Keyword] | Application version strings from the manifest. | Optional | None |
FileAPKSDK
Android SDK version requirements.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| min | List [Keyword] | Minimum Android SDK/API level required to run the app. | Optional | None |
| target | List [Keyword] | Target Android SDK/API level the app was built for. | Optional | None |
FileDate
Timestamp-related metadata associated with the file.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| creation | List [Keyword] | File creation timestamps. | Optional | None |
| last_modified | List [Keyword] | File last-modified timestamps. | Optional | None |
FileELF
Metadata extracted from ELF binaries.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| libraries | List [Keyword] | Shared libraries linked by the ELF file. | Optional | None |
| interpreter | List [Keyword] | Dynamic loader or interpreter path used by the ELF. | Optional | None |
| sections | FileELFSections | Structured metadata for ELF sections. | Optional | None |
| segments | FileELFSegments | Structured metadata for ELF program segments. | Optional | None |
| notes | FileELFNotes | Structured metadata for ELF notes. | Optional | None |
FileELFNotes
Metadata contained in ELF NOTE segments.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | List [Keyword] | ELF note or owner names. | Optional | None |
| type | List [Keyword] | ELF note type identifiers. | Optional | None |
| type_core | List [Keyword] | Core-dump related ELF note type identifiers. | Optional | None |
FileELFSections
Information about individual ELF sections.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| name | List [Keyword] | Names of sections within the ELF file. | Optional | None |
FileELFSegments
Information about ELF program segments.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| type | List [Keyword] | Segment type identifiers (e.g. LOAD, DYNAMIC). | Optional | None |
FileIMG
Metadata extracted from image files and containers.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| exif_tool | FileIMGExiftool | Exiftool metadata for the image. | Optional | None |
| mega_pixels | List [Keyword] | Image size expressed in megapixels. | Optional | None |
| mode | List [Keyword] | Image mode (pixel format / colour model, e.g. RGB, RGBA, L) from image metadata. | Optional | None |
| size | List [Keyword] | Image dimensions or overall size information. | Optional | None |
| sorted_metadata_hash | List [Keyword] | Hash of normalized and sorted metadata fields. | Optional | None |
FileIMGExiftool
Exiftool-derived metadata about the image.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| creator_tool | List [Keyword] | Application or tool reported as having created the image. | Optional | None |
| derived_document_id | List [Keyword] | Identifier for a document derived from the original source. | Optional | None |
| document_id | List [Keyword] | Original document identifier stored in metadata. | Optional | None |
| instance_id | List [Keyword] | Unique identifier for this specific file instance. | Optional | None |
| toolkit | List [Keyword] | Toolkit or library used to generate or edit the image. | Optional | None |
FileJAR
Metadata extracted from Java JAR archives.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| main_class | List [Keyword] | Main class specified in the JAR manifest. | Optional | None |
| main_package | List [Keyword] | Package containing the main class. | Optional | None |
| imported_package | List [Keyword] | Referenced or imported Java packages. | Optional | None |
FileName
Observed file name variants and anomalies.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| anomaly | List [Keyword] | Suspicious or unusual filename patterns. | Optional | None |
| extracted | List [Keyword] | Names of files extracted from the original sample. | Optional | None |
FileOLE
Metadata extracted from OLE/Office compound documents.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| macro | FileOLEMacro | Structured metadata describing macros embedded in the file. | Optional | None |
| summary | FileOLESummary | Structured summary/document-property metadata. | Optional | None |
| clsid | List [Keyword] | Class IDs (CLSIDs) for embedded OLE objects. | Optional | None |
| dde_link | List [Keyword] | Dynamic Data Exchange (DDE) link targets. | Optional | None |
| fib_timestamp | List [Keyword] | Timestamps from the File Information Block (FIB). | Optional | None |
FileOLEMacro
Information about embedded OLE macros.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| sha256 | List [SHA256] | SHA256 hashes of extracted macro streams. | Optional | None |
| suspicious_string | List [Keyword] | Strings from macros that were flagged as suspicious. | Optional | None |
FileOLESummary
Standard document summary properties from OLE.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| author | List [Keyword] | Document author metadata. | Optional | None |
| codepage | List [Keyword] | Character encoding or code page information. | Optional | None |
| comment | List [Keyword] | Document comments or summary notes. | Optional | None |
| company | List [Keyword] | Company or organization name from metadata. | Optional | None |
| create_time | List [Keyword] | Original document creation timestamp. | Optional | None |
| last_printed | List [Keyword] | Timestamp when the document was last printed. | Optional | None |
| last_saved_by | List [Keyword] | User name that last saved the document. | Optional | None |
| last_saved_time | List [Keyword] | Timestamp when the document was last saved. | Optional | None |
| manager | List [Keyword] | Manager field from document properties. | Optional | None |
| subject | List [Keyword] | Document subject or brief description. | Optional | None |
| title | List [Keyword] | Document title string. | Optional | None |
FilePDF
Metadata and analysis artifacts from PDF documents.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| date | FilePDFDate | Structured collection of PDF date-related metadata. | Optional | None |
| javascript | FilePDFJavascript | Structured metadata about JavaScript embedded inside the PDF. | Optional | None |
| stats | FilePDFStats | Structured statistics metadata describing the PDF layout. | Optional | None |
FilePDFDate
Date-related metadata fields from the PDF.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| modified | List [Keyword] | PDF modification timestamps. | Optional | None |
| pdfx | List [Keyword] | PDF/X standard-related metadata values. | Optional | None |
| source_modified | List [Keyword] | Timestamp when the source document was last modified. | Optional | None |
FilePDFJavascript
Metadata about JavaScript embedded in the PDF.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| sha1 | List [SHA1] | SHA1 hashes of JavaScript streams found in the PDF. | Optional | None |
FilePDFStats
Statistical fingerprints for the PDF structure.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| sha1 | List [SHA1] | SHA1 hashes representing PDF structural statistics. | Optional | None |
FilePE
Metadata extracted from Windows PE executables and libraries.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| api_vector | List [Keyword] | Vector of imported or used APIs summarizing sample behavior. | Optional | None |
| authenticode | FilePEAuthenticode | Authenticode signature metadata for the PE. | Optional | None |
| debug | FilePEDebug | Debug directory metadata from the PE. | Optional | None |
| exports | FilePEExports | PE export table metadata. | Optional | None |
| imports | FilePEImports | PE import table metadata and associated hashes. | Optional | None |
| linker | FilePELinker | PE linker metadata. | Optional | None |
| oep | FilePEOEP | Entry-point bytes and hexdump information. | Optional | None |
| pdb_filename | List [Keyword] | Names or paths of referenced PDB debug symbol files. | Optional | None |
| resources | FilePEResources | PE resource metadata. | Optional | None |
| rich_header | FilePERichHeader | Rich header metadata for the PE. | Optional | None |
| sections | FilePESections | Metadata describing PE sections. | Optional | None |
| versions | FilePEVersions | Version resource metadata. | Optional | None |
FilePEAuthenticode
Authenticode signature and catalog metadata.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| spc_sp_opus_info | FilePEAuthenticodeSpcSpOpusInfo | SpcSpOpusInfo metadata about the signed program. | Optional | None |
FilePEAuthenticodeSpcSpOpusInfo
SpcSpOpusInfo attributes describing the signed program.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| program_name | List [Keyword] | Program name string from the Authenticode signature. | Optional | None |
FilePEDebug
Debug directory information from the PE file.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| guid | List [Keyword] | Debug GUIDs (e.g. PDB signature identifiers). | Optional | None |
FilePEExports
Information about exported PE functions.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| function_name | List [Keyword] | Names of functions exported by the PE file. | Optional | None |
| module_name | List [Keyword] | Name of the module (DLL/EXE) providing the export. | Optional | None |
FilePEImports
Information and fingerprints of imported PE functions.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| fuzzy | List [SSDeepHash] | SSDeep hashes computed over the import table. | Optional | None |
| md5 | List [MD5] | MD5 hashes representing imported symbols or modules. | Optional | None |
| imphash | List [MD5] | Canonical import-hash (imphash) values for the PE. | Optional | None |
| sorted_fuzzy | List [SSDeepHash] | Fuzzy hashes computed over sorted import entries. | Optional | None |
| sorted_sha1 | List [SHA1] | SHA1 hashes computed over sorted import entries. | Optional | None |
| gimphash | List [SHA256] | Go-style import-hash values for Go binaries. | Optional | None |
| suspicious | List [Keyword] | Flags or descriptors for suspicious import patterns. | Optional | None |
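The table lists both an order-sensitive `imphash` and `sorted_*` hashes over the same import entries. The added example below (not this project's code) shows why both exist: it canonicalises a constructed import table following the widely used imphash convention as implemented in pefile (DLL name lower-cased with a `.dll`/`.ocx`/`.sys` suffix removed, function name lower-cased, ordinal imports written as `ordN`, entries comma-joined, MD5), then hashes the sorted entries with SHA1. Resolving well-known ordinals (e.g. ws2_32) to names is omitted as a simplification, and the exact normalisation this schema applies before its `sorted_sha1` is an assumption; the import tables are constructed, not taken from a real binary.

```python
import hashlib
from typing import List, Sequence, Tuple, Union

# One import as (DLL name, function name or ordinal number).
Import = Tuple[str, Union[str, int]]


def normalise_imports(imports: Sequence[Import]) -> List[str]:
    """Canonical 'dll.function' strings in import-table order.

    DLL names are lower-cased and stripped of a .ocx/.sys/.dll suffix, function
    names are lower-cased, and ordinal-only imports become 'ordN'. Mapping known
    ordinals to names (as pefile does for ws2_32/oleaut32) is deliberately skipped.
    """
    entries: List[str] = []
    for dll, func in imports:
        lib = dll.lower()
        for suffix in (".ocx", ".sys", ".dll"):
            if lib.endswith(suffix):
                lib = lib[: -len(suffix)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        entries.append(f"{lib}.{name}")
    return entries


def imphash(imports: Sequence[Import]) -> str:
    """MD5 over the comma-joined canonical entries; reordering the table changes it."""
    return hashlib.md5(",".join(normalise_imports(imports)).encode()).hexdigest()


def sorted_sha1(imports: Sequence[Import]) -> str:
    """SHA1 over the same entries sorted first, so it survives import-table reordering
    (an assumed construction for the schema's sorted_sha1 field)."""
    return hashlib.sha1(",".join(sorted(normalise_imports(imports))).encode()).hexdigest()


# Constructed import tables (not taken from a real binary).
TABLE_A: List[Import] = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("ADVAPI32.dll", "RegOpenKeyExA"),
    ("MSCOMCTL.OCX", 5),
]
TABLE_B: List[Import] = list(reversed(TABLE_A))  # same imports, different order
TABLE_C: List[Import] = TABLE_A[:-1] + [("WININET.dll", "InternetOpenA")]  # one import swapped

if __name__ == "__main__":
    for label, table in (("A", TABLE_A), ("B", TABLE_B), ("C", TABLE_C)):
        print(f"{label}: imphash={imphash(table)} sorted_sha1={sorted_sha1(table)}")
```

A rebuilt or re-linked variant of the same code base often keeps the import set but not its order; the sorted hash still clusters it with its siblings while the plain imphash does not.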
FilePELinker
Metadata related to the PE linker.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| timestamp | List [Keyword] | Linker timestamp value from the PE header. | Optional | None |
FilePEOEP
Metadata about the PE original entry point (OEP).
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| bytes | List [Keyword] | Raw bytes taken around the entry point. | Optional | None |
| hexdump | List [Keyword] | Hexadecimal dump of bytes at the entry point. | Optional | None |
FilePEResources
Metadata about embedded PE resources.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| language | List [Keyword] | Resource language identifiers. | Optional | None |
| name | List [Keyword] | Resource names or identifiers. | Optional | None |
FilePERichHeader
Information about the PE Rich header.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| hash | List [Keyword] | Hashes summarizing Rich header contents. | Optional | None |
FilePESections
Information about sections within the PE file.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| hash | List [Keyword] | Hashes of section contents or characteristics. | Optional | None |
| name | List [Keyword] | Section names (e.g. .text, .rsrc). | Optional | None |
FilePEVersions
Version-information resources from the PE file.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| description | List [Keyword] | Product or file description from version info. | Optional | None |
| filename | List [Keyword] | Original filename recorded in version info. | Optional | None |
FilePList
Metadata extracted from Apple property list (plist) files.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| installer_url | List [Keyword] | URL used to obtain or install the app. | Optional | None |
| min_os_version | List [Keyword] | Minimum OS version required to run the software. | Optional | None |
| requests_open_access | List [Keyword] | Indicates whether a component (e.g. keyboard) requests full access. | Optional | None |
| build | FilePListBuild | Structured build-environment details from the plist. | Optional | None |
| cf_bundle | FilePListCFBundle | Structured CFBundle-related metadata. | Optional | None |
| dt | FilePListDT | Structured developer tools (DT*) metadata. | Optional | None |
| ls | FilePListLS | Structured Launch Services configuration from the plist. | Optional | None |
| ns | FilePListNS | Structured Cocoa (NS*) configuration and behaviors. | Optional | None |
| ui | FilePListUI | Structured UI behavior metadata. | Optional | None |
| wk | FilePListWK | Structured WatchKit (WK*) metadata. | Optional | None |
FilePListBuild
Build-environment metadata from the plist.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| machine_os | List [Keyword] | Operating system version of the build machine. | Optional | None |
FilePListCFBundle
CFBundle-related bundle metadata.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| development_region | List [Keyword] | Default localization or development region. | Optional | None |
| display_name | List [Keyword] | Human-readable application display name. | Optional | None |
| executable | List [Keyword] | Name of the main executable binary. | Optional | None |
| identifier | List [Keyword] | Bundle identifier string (e.g. com.example.app). | Optional | None |
| name | List [Keyword] | Internal bundle name. | Optional | None |
| pkg_type | List [Keyword] | Package type code (e.g. APPL). | Optional | None |
| signature | List [Keyword] | Legacy creator/signature code values. | Optional | None |
| url_scheme | List [Keyword] | Custom URL schemes registered by the application. | Optional | None |
| version | FilePListCFBundleVersion | Structured bundle version information. | Optional | None |
FilePListCFBundleVersion
Bundle version metadata.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| long | List [Keyword] | Full or long-form bundle version string. | Optional | None |
| short | List [Keyword] | Short marketing version string. | Optional | None |
FilePListDT
Developer tools (DT*) metadata fields.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| compiler | List [Keyword] | Compiler or build tool identifier. | Optional | None |
| platform | FilePListDTPlatform | Structured platform metadata used for building the app. | Optional | None |
FilePListDTPlatform
Platform-specific build metadata.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| build | List [Keyword] | Platform build identifier. | Optional | None |
| name | List [Keyword] | Platform name (e.g. iPhoneOS, MacOSX). | Optional | None |
| version | List [Keyword] | Platform version number. | Optional | None |
FilePListLS
Launch Services (LS*) metadata from the plist.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| background_only | List [Keyword] | Indicates whether the app is background-only. | Optional | None |
| min_system_version | List [Keyword] | Minimum operating system version required by Launch Services. | Optional | None |
FilePListNS
Cocoa (NS*) behavior flags from the plist.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| apple_script_enabled | List [Keyword] | Whether AppleScript automation is allowed for the app. | Optional | None |
| principal_class | List [Keyword] | Name of the app's principal Objective-C class. | Optional | None |
FilePListUI
User-interface-related plist keys.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| background_modes | List [Keyword] | UI background modes the app declares. | Optional | None |
| requires_persistent_wifi | List [Keyword] | Indicates if the app requires persistent Wi-Fi connectivity. | Optional | None |
FilePListWK
WatchKit or WK* related metadata.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| app_bundle_identifier | List [Keyword] | Bundle identifier of the associated application. | Optional | None |
FilePowerShell
Metadata extracted from PowerShell files or commands.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| cmdlet | List [Keyword] | PowerShell cmdlets referenced or invoked by the script. | Optional | None |
FileSWF
Metadata extracted from Adobe Flash (SWF) files.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| header | FileSWFHeader | Structured SWF header metadata. | Optional | None |
| tags_ssdeep | List [SSDeepHash] | SSDeep hashes computed over SWF tags for similarity. | Optional | None |
FileSWFHeader
Header-level metadata from the SWF file.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| frame | FileSWFHeaderFrame | Structured SWF header frame information. | Optional | None |
| version | List [Keyword] | SWF file format version. | Optional | None |
FileSWFHeaderFrame
Frame-rate and size information from the SWF header.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| count | List [Integer] | Total number of frames in the SWF animation. | Optional | None |
| rate | List [Keyword] | Frame rate (speed) of the SWF animation. | Optional | None |
| size | List [Keyword] | Logical stage size or frame dimensions. | Optional | None |
FileShortcut
Metadata from Windows shortcut (.lnk) files.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| command_line | List [Keyword] | Command line stored in or invoked by the shortcut. | Optional | None |
| icon_location | List [Keyword] | Path of the icon referenced by the shortcut. | Optional | None |
| machine_id | List [Keyword] | Machine identifier recorded within the shortcut. | Optional | None |
| tracker_mac | List [Keyword] | Potential MAC addresses recovered from the shortcut tracker block. | Optional | None |
FileStrings
Categorized strings extracted from the file.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| api | List [Keyword] | Extracted strings that resemble API or function names. | Optional | None |
| blacklisted | List [Keyword] | Strings matching blacklist patterns or known bad indicators. | Optional | None |
| decoded | List [Keyword] | Strings obtained after decoding or deobfuscation. | Optional | None |
| extracted | List [Keyword] | Raw printable strings extracted from the file. | Optional | None |
Info
General informational tags extracted from content.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| phone_number | List [PhoneNumber] | Phone numbers extracted from the sample. | Optional | None |
| password | List [Keyword] | Passwords or password-like strings extracted from the sample. | Optional | None |
Network
Tags for network indicators and traffic-related artifacts.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| attack | List [Keyword] | High-level classification of observed or attempted attacks. | Optional | None |
| dynamic | NetworkIOCs | Network IOCs derived from dynamic/sandbox analysis. | Optional | None |
| email | NetworkEmail | Structured email-related network metadata. | Optional | None |
| mac_address | List [MAC] | MAC addresses observed in network or related artifacts. | Optional | None |
| port | List [Integer] | Network port numbers used by the sample. | Optional | None |
| protocol | List [Keyword] | Application or transport protocols observed (e.g. HTTP, TCP). | Optional | None |
| signature | NetworkSignature | Structured metadata for network detection signatures. | Optional | None |
| static | NetworkIOCs | Network IOCs derived from static analysis of the sample. | Optional | None |
| tls | NetworkTLS | Structured TLS handshake and fingerprint information. | Optional | None |
| user_agent | List [Keyword] | HTTP or other user-agent strings observed. | Optional | None |
NetworkEmail
Metadata from email-related network artifacts.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| address | List [Email] | Sender or recipient email addresses observed. | Optional | None |
| date | List [Keyword] | Email date header values. | Optional | None |
| subject | List [Keyword] | Email subject lines. | Optional | None |
| msg_id | List [Keyword] | Email Message-ID header values. | Optional | None |
NetworkIOCs
Network indicators of compromise (IOCs).
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| domain | List [Domain] | Domain names contacted, embedded, or otherwise referenced. | Optional | None |
| ip | List [IP] | IP addresses contacted, embedded, or otherwise referenced. | Optional | None |
| unc_path | List [UNCPath] | Windows UNC paths (`\\server\share`) used by the sample. | Optional | None |
| uri | List [URI] | Full URIs or URLs observed (including scheme and host). | Optional | None |
| uri_path | List [URIPath] | URI path components without scheme or host. | Optional | None |
NetworkSignature
Network IDS/IPS or rule-engine signatures.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| signature_id | List [Keyword] | Identifier of the network detection signature (e.g. SID). | Optional | None |
| message | List [Keyword] | Human-readable description of the network signature. | Optional | None |
NetworkTLS
TLS fingerprint and metadata tags.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| ja3_hash | List [MD5] | MD5 hash of the JA3 TLS client fingerprint string. | Optional | None |
| ja3_string | List [Keyword] | Raw JA3 TLS client fingerprint string. | Optional | None |
| ja3s_hash | List [MD5] | MD5 hash of the JA3S TLS server fingerprint string. | Optional | None |
| ja3s_string | List [Keyword] | Raw JA3S TLS server fingerprint string. | Optional | None |
| ja4_hash | List [ValidatedKeyword] | JA4 TLS client fingerprint, validated against the JA4 format (it is a structured string, not a plain hash). | Optional | None |
| ja4s_hash | List [ValidatedKeyword] | JA4S TLS server fingerprint, validated against the JA4S format. | Optional | None |
| sni | List [Keyword] | Server Name Indication (SNI) values from TLS handshakes. | Optional | None |
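`ja3_string` and `ja3_hash` are two views of the same ClientHello, and `ja4_hash` is a structured string rather than a digest. The added example below (not this project's code) builds the JA3 string from constructed ClientHello fields (version, cipher suites, extensions, named groups, point formats, each as a `-`-joined decimal list, GREASE values dropped per RFC 8701), derives `ja3_hash` as its MD5, and checks a JA4 value against a regex written from the published JA4 layout (`t13d1516h2_8daaf6152771_b186095e22b6` is the well-known sample fingerprint from the JA4 documentation). The regex is an assumption for this example, not the schema's own ValidatedKeyword rule, and the ClientHello values are constructed.

```python
import hashlib
import re
from typing import Sequence


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ..., 0xfafa: both bytes equal
    and the low nibble of each is 0xa. They are random per connection and must not
    contribute to a fingerprint."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(
    version: int,
    ciphers: Sequence[int],
    extensions: Sequence[int],
    curves: Sequence[int],
    point_formats: Sequence[int],
) -> str:
    """JA3: five comma-separated fields, each a '-'-joined list of decimal values,
    in the order they appear on the wire and with GREASE removed."""

    def field(values: Sequence[int]) -> str:
        return "-".join(str(v) for v in values if not is_grease(v))

    return ",".join(
        [str(version), field(ciphers), field(extensions), field(curves), field(point_formats)]
    )


def ja3_hash(ja3: str) -> str:
    """ja3_hash is the MD5 of the ja3_string (hence the MD5 type in the table)."""
    return hashlib.md5(ja3.encode()).hexdigest()


# Assumed JA4 layout: [t|q][TLS version][d|i SNI present][2-digit cipher count]
# [2-digit extension count][2-char ALPN]_[12 hex cipher hash]_[12 hex extension hash].
JA4_RE = re.compile(
    r"^[tq](?:13|12|11|10|s3|s2|00)[di]\d{2}\d{2}[a-z0-9]{2}_[0-9a-f]{12}_[0-9a-f]{12}$"
)


def is_valid_ja4(fingerprint: str) -> bool:
    return bool(JA4_RE.match(fingerprint))


# Constructed ClientHello fields (decimal), including one GREASE value per list.
CLIENT_HELLO = dict(
    version=771,  # 0x0303, TLS 1.2 in the ClientHello version field
    ciphers=[0x1A1A, 4865, 4866, 49195],
    extensions=[0x0A0A, 0, 23, 65281, 10, 11],
    curves=[0x2A2A, 29, 23, 24],
    point_formats=[0],
)

if __name__ == "__main__":
    s = ja3_string(**CLIENT_HELLO)
    print("ja3_string:", s)
    print("ja3_hash:  ", ja3_hash(s))
    print("ja4 valid: ", is_valid_ja4("t13d1516h2_8daaf6152771_b186095e22b6"))
```

Keeping GREASE out is what makes the fingerprint stable across connections from the same client; a JA3 computed without that step changes on every handshake and is useless as a tag.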
Technique
Tags capturing techniques and tradecraft used by the sample.
| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| comms_routine | List [Keyword] | Patterns or routines used for C2 or other communications. | Optional | None |
| config | List [Keyword] | Technique-related configuration data (e.g. keys, flags). | Optional | None |
| crypto | List [Keyword] | Use of cryptographic algorithms, keys, or primitives. | Optional | None |
| exploit | List [Keyword] | Exploit techniques or identifiers used by the sample. | Optional | None |
| keylogger | List [Keyword] | Keylogging components or behaviors. | Optional | None |
| macro | List [Keyword] | Macro-based execution techniques or mechanisms. | Optional | None |
| masking_algo | List [Keyword] | Algorithms used for masking, encoding, or hiding data. | Optional | None |
| obfuscation | List [Keyword] | Obfuscation or anti-analysis techniques observed. | Optional | None |
| packer | List [Keyword] | Packers or protectors used to wrap the sample. | Optional | None |
| persistence | List [Keyword] | Persistence techniques used to survive reboot or logoff. | Optional | None |
| shellcode | List [Keyword] | Shellcode payloads or shellcode-based techniques. | Optional | None |
| string | List [Keyword] | Technique-related string patterns (e.g. markers, protocol strings). | Optional | None |