Skip to content

Extensions Fields

All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network.

Extensions Field Details

extensions.auth.auth_details

Description: The vendor defined details of the authentication.

Type: String

extensions.auth.mechanism

Description: The authentication mechanism.

Type: ArrayEnum

Enum Description
MECHANISM_UNSPECIFIED The default mechanism.
USERNAME_PASSWORD Username + password authentication.
OTP OTP authentication.
HARDWARE_KEY Hardware key authentication.
LOCAL Local authentication.
REMOTE Remote authentication.
REMOTE_INTERACTIVE RDP, Terminal Services, VNC, etc.
MECHANISM_OTHER Some other mechanism that is not defined here.
BADGE_READER Badge reader authentication
NETWORK Network authentication.
BATCH Batch authentication.
SERVICE Service authentication
UNLOCK Direct human-interactive unlock authentication.
NETWORK_CLEAR_TEXT Network clear text authentication.
NEW_CREDENTIALS Authentication with new credentials.
INTERACTIVE Interactive authentication.
CACHED_INTERACTIVE Interactive authentication using cached credentials.
CACHED_REMOTE_INTERACTIVE Cached Remote Interactive authentication using cached credentials.
CACHED_UNLOCK Cached Remote Interactive authentication using cached credentials.

extensions.auth.type

Description: The type of authentication.

Type: Enum

Enum Description
AUTHTYPE_UNSPECIFIED The default type.
MACHINE A machine authentication.
SSO An SSO authentication.
VPN A VPN authentication.
PHYSICAL A Physical authentication (e.g. "Badge reader").
TACACS A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+).

extensions.vulns.vulnerabilities[n].about.administrative_domain

Description: Domain which the device belongs to (for example, the Windows domain).

Type: String

extensions.vulns.vulnerabilities[n].about.application

Description: The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".

Type: String

extensions.vulns.vulnerabilities[n].about.artifact.first_seen_time

Description: First seen timestamp of the IP in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.artifact.ip

Description: IP address of the artifact.

Type: String

extensions.vulns.vulnerabilities[n].about.artifact.last_seen_time

Description: Last seen timestamp of the IP in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.artifact.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

extensions.vulns.vulnerabilities[n].about.artifact.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

extensions.vulns.vulnerabilities[n].about.artifact.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

extensions.vulns.vulnerabilities[n].about.asset.asset_id

Description: The asset ID.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.asset.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.asset.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.asset.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.category

Description: The category of the asset (e.g. "End User Asset", "Workstation", "Server").

Type: String

extensions.vulns.vulnerabilities[n].about.asset.creation_time

Description: Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.deployment_status

Description: The deployment status of the asset for device lifecycle purposes.

Type: Enum

Enum Description
DEPLOYMENT_STATUS_UNSPECIFIED Unspecified deployment status.
ACTIVE Asset is active, functional and deployed.
PENDING_DECOMISSION Asset is pending decommission and no longer deployed.
DECOMISSIONED Asset is decomissioned.

extensions.vulns.vulnerabilities[n].about.asset.first_discover_time

Description: Time the asset was first discovered (by asset management/discoverability software).

Type: String

extensions.vulns.vulnerabilities[n].about.asset.first_seen_time

Description: The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_clock_speed

Description: Clock speed of the hardware CPU in MHz.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_max_clock_speed

Description: Maximum possible clock speed of the hardware CPU in MHz.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_model

Description: Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_number_cores

Description: Number of CPU cores.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_platform

Description: Platform of the hardware CPU (e.g. "Intel Broadwell").

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].manufacturer

Description: Hardware manufacturer.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].model

Description: Hardware model.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].ram

Description: Amount of the hardware ramdom access memory (RAM) in Mb.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware[n].serial_number

Description: Hardware serial number.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.hardware

Description: The asset hardware specifications.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.hostname

Description: Asset hostname or domain name field.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.ip

Description: A list of IP addresses associated with an asset.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.labels

Description: Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.last_boot_time

Description: Time the asset was last boot started.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.last_discover_time

Description: Time the asset was last discovered (by asset management/discoverability software).

Type: String

extensions.vulns.vulnerabilities[n].about.asset.location.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.location.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.location.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.asset.location.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.asset.location.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.asset.location.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.asset.location.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.asset.location.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.mac

Description: List of MAC addresses associated with an asset.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.nat_ip

Description: List of NAT IP addresses associated with an asset.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.network_domain

Description: The network domain of the asset (e.g. "corp.acme.com")

Type: String

extensions.vulns.vulnerabilities[n].about.asset.platform_software.platform

Description: The platform operating system.

Type: Enum

Enum Description
UNKNOWN_PLATFORM Default value.
WINDOWS Windows.
MAC Mac OS.
LINUX Linux.
GCP DEPRECATED - See cloud.environment.
AWS DEPRECATED - See cloud.environment.
AZURE DEPRECATED - See cloud.environment.

extensions.vulns.vulnerabilities[n].about.asset.platform_software.platform_patch_level

Description: The platform software patch level ( e.g. "Build 17134.48", "SP1").

Type: String

extensions.vulns.vulnerabilities[n].about.asset.platform_software.platform_version

Description: The platform software version ( e.g. "Microsoft Windows 1803").

Type: String

extensions.vulns.vulnerabilities[n].about.asset.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID or similar).

Type: String

extensions.vulns.vulnerabilities[n].about.asset.software[n].name

Description: The name of the software.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.software[n].permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.asset.software[n].permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.asset.software[n].permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.asset.software[n].permissions

Description: System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE"

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.software[n].version

Description: The version of the software.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.software

Description: The asset software details.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset.system_last_update_time

Description: Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time.

Type: String

extensions.vulns.vulnerabilities[n].about.asset.type

Description: The type of the asset (e.g. workstation or laptop or server).

Type: Enum

Enum Description
ROLE_UNSPECIFIED Unspecified asset role.
WORKSTATION A workstation or desktop.
LAPTOP A laptop computer.
IOT An IOT asset.
NETWORK_ATTACHED_STORAGE A network attached storage device.
PRINTER A printer.
SCANNER A scanner.
SERVER A server.
TAPE_LIBRARY A tape library device.
MOBILE A mobile device such as a mobile phone or PDA.

extensions.vulns.vulnerabilities[n].about.asset.vulnerabilities

Description: Vulnerabilities discovered on asset.

Type: Array

extensions.vulns.vulnerabilities[n].about.asset_id

Description: The asset ID.

Type: String

extensions.vulns.vulnerabilities[n].about.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.domain.admin.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.company_name

Description: User job company name.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.department

Description: User job department

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.email_addresses

Description: Email addresses of the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.employee_id

Description: Human capital management identifier.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.first_name

Description: First name of the user (e.g. "John").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.hire_date

Description: User job employment hire date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.managers

Description: User job manager(s).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.middle_name

Description: Middle name of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.phone_numbers

Description: Phone numbers for the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.termination_date

Description: User job employment termination date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.time_off

Description: User time off leaves from active work.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.admin.title

Description: User job title.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

extensions.vulns.vulnerabilities[n].about.domain.admin.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

extensions.vulns.vulnerabilities[n].about.domain.admin.userid

Description: The ID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.admin.windows_sid

Description: The windows SID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.audit_update_time

Description: Audit updated time.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.company_name

Description: User job company name.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.department

Description: User job department

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.email_addresses

Description: Email addresses of the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.employee_id

Description: Human capital management identifier.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.first_name

Description: First name of the user (e.g. "John").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.hire_date

Description: User job employment hire date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.managers

Description: User job manager(s).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.middle_name

Description: Middle name of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.phone_numbers

Description: Phone numbers for the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.termination_date

Description: User job employment termination date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.time_off

Description: User time off leaves from active work.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.billing.title

Description: User job title.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

extensions.vulns.vulnerabilities[n].about.domain.billing.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

extensions.vulns.vulnerabilities[n].about.domain.billing.userid

Description: The ID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.billing.windows_sid

Description: The windows SID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.contact_email

Description: Contact email address.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.creation_time

Description: Domain creation time.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.expiration_time

Description: Expiration time.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.first_seen_time

Description: First seen timestamp of the domain in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.iana_registrar_id

Description: IANA Registrar ID. See: https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml

Type: Integer

extensions.vulns.vulnerabilities[n].about.domain.last_seen_time

Description: Last seen timestamp of the domain in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.name

Description: The domain name.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.name_server

Description: Repeated list of name servers.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

extensions.vulns.vulnerabilities[n].about.domain.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

extensions.vulns.vulnerabilities[n].about.domain.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

extensions.vulns.vulnerabilities[n].about.domain.private_registration

Description: Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.

Type: Boolean

extensions.vulns.vulnerabilities[n].about.domain.registrant.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.company_name

Description: User job company name.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.department

Description: User job department

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.email_addresses

Description: Email addresses of the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.employee_id

Description: Human capital management identifier.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.first_name

Description: First name of the user (e.g. "John").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.hire_date

Description: User job employment hire date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.managers

Description: User job manager(s).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.middle_name

Description: Middle name of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.phone_numbers

Description: Phone numbers for the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.termination_date

Description: User job employment termination date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.time_off

Description: User time off leaves from active work.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.registrant.title

Description: User job title.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

extensions.vulns.vulnerabilities[n].about.domain.registrant.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

extensions.vulns.vulnerabilities[n].about.domain.registrant.userid

Description: The ID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrant.windows_sid

Description: The windows SID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registrar

Description: Registrar name - e.g. "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM", etc.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.registry_data_raw_text

Description: Registry Data raw text

Type: String

extensions.vulns.vulnerabilities[n].about.domain.status

Description: Domain status. see: https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.company_name

Description: User job company name.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.department

Description: User job department

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.email_addresses

Description: Email addresses of the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.employee_id

Description: Human capital management identifier.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.first_name

Description: First name of the user (e.g. "John").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.hire_date

Description: User job employment hire date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.managers

Description: User job manager(s).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.middle_name

Description: Middle name of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.phone_numbers

Description: Phone numbers for the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.termination_date

Description: User job employment termination date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.time_off

Description: User time off leaves from active work.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.tech.title

Description: User job title.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

extensions.vulns.vulnerabilities[n].about.domain.tech.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

extensions.vulns.vulnerabilities[n].about.domain.tech.userid

Description: The ID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.tech.windows_sid

Description: The windows SID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.update_time

Description: Last updated time.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.whois_record_raw_text

Description: unix epoch of the time when the domaintools first catches the record, or the time when domaintools catch the record changes. domaintools_time_ms is also used as the bigtable timestamp.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.whois_server

Description: Whois server name.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.company_name

Description: User job company name.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.department

Description: User job department

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.email_addresses

Description: Email addresses of the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.employee_id

Description: Human capital management identifier.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.first_name

Description: First name of the user (e.g. "John").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.hire_date

Description: User job employment hire date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.managers

Description: User job manager(s).

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.middle_name

Description: Middle name of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.phone_numbers

Description: Phone numbers for the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.termination_date

Description: User job employment termination date.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.time_off

Description: User time off leaves from active work.

Type: Array

extensions.vulns.vulnerabilities[n].about.domain.zone.title

Description: User job title.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

extensions.vulns.vulnerabilities[n].about.domain.zone.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

extensions.vulns.vulnerabilities[n].about.domain.zone.userid

Description: The ID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.domain.zone.windows_sid

Description: The windows SID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.email

Description: Email address. Only filled in for security_result.about

Type: String

extensions.vulns.vulnerabilities[n].about.file.ahash

Description: Authentihash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.file.capabilities_tags

Description: Capabilities tags.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

extensions.vulns.vulnerabilities[n].about.file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE -- OS specific executable related files -- File type is PE_EXE.
FILE_TYPE_PE_DLL We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK -- Shortcuts -- File type is LNK.
FILE_TYPE_JPEG -- Image related types -- File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is IN_DESIGN.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG -- Video related types -- File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF -- Document types -- File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK -- Text/ebook related -- File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP -- Compressed bundles -- File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT -- Scripting -- File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN -- Mobile phone types -- File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML -- Web related -- File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP -- Network traffic captures -- File type is CAP.
FILE_TYPE_ISOIMAGE -- Disk images -- File type is ISOIMAGE.
FILE_TYPE_APPLE -- Apple environment related, executables aside -- File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX -- Browser extensions -- File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM -- Firmware related -- File type is ROM.

extensions.vulns.vulnerabilities[n].about.file.first_seen_time

Description: First seen timestamp of the File in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

extensions.vulns.vulnerabilities[n].about.file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.file.last_seen_time

Description: Last seen timestamp of the IP in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.file.md5

Description: The MD5 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

extensions.vulns.vulnerabilities[n].about.file.names

Description: Names fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.imphash

Description: Imphash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.imports[n].functions

Description: Function field.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.imports[n].library

Description: Library field.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.imports

Description: FilemetadataImports fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].sha256_hex

Description: SHA256_hex field..

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resource

Description: FilemetadataPeResourceInfo fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].md5_hex

Description: MD5 hex of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].name

Description: Name of the section.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].raw_size_bytes

Description: Raw file size in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].virtual_size_bytes

Description: Virtual file size in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.section

Description: FilemetadataSection fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.signature_info.signer

Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.

Type: Array

extensions.vulns.vulnerabilities[n].about.file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

extensions.vulns.vulnerabilities[n].about.file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed"

Type: Boolean

extensions.vulns.vulnerabilities[n].about.file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

extensions.vulns.vulnerabilities[n].about.file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

extensions.vulns.vulnerabilities[n].about.file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

extensions.vulns.vulnerabilities[n].about.file.sha1

Description: The SHA1 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.file.sha256

Description: The SHA256 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.file.size

Description: The size of the file in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.file.ssdeep

Description: Ssdeep of the file

Type: String

extensions.vulns.vulnerabilities[n].about.file.vhash

Description: Vhash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.group.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.group.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.group.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.group.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.group.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.group.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.group.creation_time

Description: Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.

Type: String

extensions.vulns.vulnerabilities[n].about.group.email_addresses

Description: Email addresses of the group.

Type: Array

extensions.vulns.vulnerabilities[n].about.group.group_display_name

Description: Group display name. e.g. "Finance".

Type: String

extensions.vulns.vulnerabilities[n].about.group.product_object_id

Description: Product globally unique user object identifier, such as an LDAP Object Identifier.

Type: String

extensions.vulns.vulnerabilities[n].about.group.windows_sid

Description: Windows SID of the group.

Type: String

extensions.vulns.vulnerabilities[n].about.hostname

Description: Client hostname or domain name field. Hostname also doubles as the domain for remote entities.

Type: String

extensions.vulns.vulnerabilities[n].about.investigation.comments

Description: Comment added by the Analyst.

Type: Array

extensions.vulns.vulnerabilities[n].about.investigation.reputation

Description: Describes whether a finding was useful or not-useful.

Type: Enum

Enum Description
REPUTATION_UNSPECIFIED An unspecified reputation.
USEFUL A categorization of the finding as useful.
NOT_USEFUL A categorization of the finding as not useful.

extensions.vulns.vulnerabilities[n].about.investigation.severity_score

Description: Severity score for a finding set by an analyst.

Type: Integer

extensions.vulns.vulnerabilities[n].about.investigation.status

Description: Describes the workflow status of a finding.

Type: Enum

Enum Description
STATUS_UNSPECIFIED Unspecified finding status.
NEW New finding.
REVIEWED When a finding has feedback.
CLOSED When an analyst closes an finding.

extensions.vulns.vulnerabilities[n].about.investigation.verdict

Description: Describes reason a finding investigation was resolved.

Type: Enum

Enum Description
VERDICT_UNSPECIFIED An unspecified verdict.
TRUE_POSITIVE A categorization of the finding as a "true positive".
FALSE_POSITIVE A categorization of the finding as a "false positive".

extensions.vulns.vulnerabilities[n].about.ip

Description: A list of IP addresses associated with a network connection.

Type: Array

extensions.vulns.vulnerabilities[n].about.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.labels

Description: Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).

Type: Array

extensions.vulns.vulnerabilities[n].about.location.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.location.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.location.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.location.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.location.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.location.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.location.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.location.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.mac

Description: List of MAC addresses associated with a device.

Type: Array

extensions.vulns.vulnerabilities[n].about.namespace

Description: Namespace which the device belongs to (e.g. AD forest) Uses for this field include Windows AD forest, name of subsidiary or acquisition, etc.

Type: String

extensions.vulns.vulnerabilities[n].about.nat_ip

Description: A list of NAT translated IP addresses associated with a network connection.

Type: Array

extensions.vulns.vulnerabilities[n].about.nat_port

Description: NAT external network port number when a specific network connection is described within an event.

Type: Integer

extensions.vulns.vulnerabilities[n].about.object_reference.id

Description: Full raw ID.

Type: String

extensions.vulns.vulnerabilities[n].about.object_reference.namespace

Description: Namespace the id belongs to.

Type: Enum

Enum Description
NORMALIZED_TELEMETRY Ingested and Normalized telemetry events
RAW_TELEMETRY Ingested Raw telemetry
RULE_DETECTIONS Chronicle Rules engine
UPPERCASE Uppercase
MACHINE_INTELLIGENCE DSML - Machine Intelligence
SECURITY_COMMAND_CENTER A normalized telemetry event from Google Security Command Center.

extensions.vulns.vulnerabilities[n].about.platform

Description: Platform.

Type: Enum

Enum Description
UNKNOWN_PLATFORM Default value.
WINDOWS Windows.
MAC Mac OS.
LINUX Linux.
GCP DEPRECATED - See cloud.environment.
AWS DEPRECATED - See cloud.environment.
AZURE DEPRECATED - See cloud.environment.

extensions.vulns.vulnerabilities[n].about.platform_patch_level

Description: Platform patch level. e.g. "Build 17134.48"

Type: String

extensions.vulns.vulnerabilities[n].about.platform_version

Description: Platform version. e.g. "Microsoft Windows 1803"

Type: String

extensions.vulns.vulnerabilities[n].about.port

Description: Source or destination network port number when a specific network connection is described within an event.

Type: Integer

extensions.vulns.vulnerabilities[n].about.process.access_mask

Description: A bit mask representing the level of access.

Type: String

extensions.vulns.vulnerabilities[n].about.process.command_line

Description: The command line command that created the process.

Type: String

extensions.vulns.vulnerabilities[n].about.process.command_line_history

Description: The command line history of the process.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.ahash

Description: Authentihash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.capabilities_tags

Description: Capabilities tags.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE -- OS specific executable related files -- File type is PE_EXE.
FILE_TYPE_PE_DLL We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK -- Shortcuts -- File type is LNK.
FILE_TYPE_JPEG -- Image related types -- File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is IN_DESIGN.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG -- Video related types -- File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF -- Document types -- File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK -- Text/ebook related -- File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP -- Compressed bundles -- File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT -- Scripting -- File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN -- Mobile phone types -- File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML -- Web related -- File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP -- Network traffic captures -- File type is CAP.
FILE_TYPE_ISOIMAGE -- Disk images -- File type is ISOIMAGE.
FILE_TYPE_APPLE -- Apple environment related, executables aside -- File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX -- Browser extensions -- File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM -- Firmware related -- File type is ROM.

extensions.vulns.vulnerabilities[n].about.process.file.first_seen_time

Description: First seen timestamp of the File in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.last_seen_time

Description: Last seen timestamp of the IP in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.md5

Description: The MD5 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.names

Description: Names fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.imphash

Description: Imphash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.imports[n].functions

Description: Function field.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.imports[n].library

Description: Library field.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.imports

Description: FilemetadataImports fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].sha256_hex

Description: SHA256_hex field..

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource

Description: FilemetadataPeResourceInfo fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].md5_hex

Description: MD5 hex of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].name

Description: Name of the section.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].raw_size_bytes

Description: Raw file size in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].virtual_size_bytes

Description: Virtual file size in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section

Description: FilemetadataSection fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.signature_info.signer

Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.

Type: Array

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed"

Type: Boolean

extensions.vulns.vulnerabilities[n].about.process.file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

extensions.vulns.vulnerabilities[n].about.process.file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

extensions.vulns.vulnerabilities[n].about.process.file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

extensions.vulns.vulnerabilities[n].about.process.file.sha1

Description: The SHA1 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.sha256

Description: The SHA256 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.size

Description: The size of the file in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.ssdeep

Description: Ssdeep of the file

Type: String

extensions.vulns.vulnerabilities[n].about.process.file.vhash

Description: Vhash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process.parent_pid

Description: The ID of the parent process. Deprecated. Please use parent_process.pid instead.

Type: String

extensions.vulns.vulnerabilities[n].about.process.pid

Description: The process ID.

Type: String

extensions.vulns.vulnerabilities[n].about.process.product_specific_parent_process_id

Description: A product specific id for the parent process. Please use parent_process.product_specific_process_id instead.

Type: String

extensions.vulns.vulnerabilities[n].about.process.product_specific_process_id

Description: A product specific process id.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].access_mask

Description: A bit mask representing the level of access.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].command_line

Description: The command line command that created the process.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].command_line_history

Description: The command line history of the process.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.ahash

Description: Authentihash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.capabilities_tags

Description: Capabilities tags.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE -- OS specific executable related files -- File type is PE_EXE.
FILE_TYPE_PE_DLL We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK -- Shortcuts -- File type is LNK.
FILE_TYPE_JPEG -- Image related types -- File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is IN_DESIGN.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG -- Video related types -- File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF -- Document types -- File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK -- Text/ebook related -- File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP -- Compressed bundles -- File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT -- Scripting -- File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN -- Mobile phone types -- File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML -- Web related -- File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP -- Network traffic captures -- File type is CAP.
FILE_TYPE_ISOIMAGE -- Disk images -- File type is ISOIMAGE.
FILE_TYPE_APPLE -- Apple environment related, executables aside -- File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX -- Browser extensions -- File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM -- Firmware related -- File type is ROM.

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.first_seen_time

Description: First seen timestamp of the File in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.last_seen_time

Description: Last seen timestamp of the IP in the customer tenant.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.md5

Description: The MD5 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.names

Description: Names fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.imphash

Description: Imphash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.imports[n].functions

Description: Function field.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.imports[n].library

Description: Library field.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.imports

Description: FilemetadataImports fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].sha256_hex

Description: SHA256_hex field..

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource

Description: FilemetadataPeResourceInfo fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].md5_hex

Description: MD5 hex of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].name

Description: Name of the section.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].raw_size_bytes

Description: Raw file size in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].virtual_size_bytes

Description: Virtual file size in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section

Description: FilemetadataSection fields.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.signature_info.signer

Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.

Type: Array

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed"

Type: Boolean

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.sha1

Description: The SHA1 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.sha256

Description: The SHA256 hash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.size

Description: The size of the file in bytes.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.ssdeep

Description: Ssdeep of the file

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.vhash

Description: Vhash of the file.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].parent_pid

Description: The ID of the parent process. Deprecated. Please use parent_process.pid instead.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].pid

Description: The process ID.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].product_specific_parent_process_id

Description: A product specific id for the parent process. Please use parent_process.product_specific_process_id instead.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors[n].product_specific_process_id

Description: A product specific process id.

Type: String

extensions.vulns.vulnerabilities[n].about.process_ancestors

Description: Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.

Type: Array

extensions.vulns.vulnerabilities[n].about.registry.registry_key

Description: Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).

Type: String

extensions.vulns.vulnerabilities[n].about.registry.registry_value_data

Description: Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

Type: String

extensions.vulns.vulnerabilities[n].about.registry.registry_value_name

Description: Name of the registry value associated with an application or system component (e.g. TEMP).

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.resource.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.resource.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.resource.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.resource.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.resource.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.resource.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.resource.id

Description: DEPRECATED

Type: String

extensions.vulns.vulnerabilities[n].about.resource.name

Description: The name of the resource.

Type: String

extensions.vulns.vulnerabilities[n].about.resource.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

extensions.vulns.vulnerabilities[n].about.resource.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)

Type: String

extensions.vulns.vulnerabilities[n].about.resource.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

extensions.vulns.vulnerabilities[n].about.resource.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receive traffic from a load balancer or proxy.

extensions.vulns.vulnerabilities[n].about.resource.type

Description: DEPRECATED - use resource_type instead.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].id

Description: DEPRECATED

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].name

Description: The name of the resource.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receive traffic from a load balancer or proxy.

extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].type

Description: DEPRECATED - use resource_type instead.

Type: String

extensions.vulns.vulnerabilities[n].about.resource_ancestors

Description: Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).

Type: Array

extensions.vulns.vulnerabilities[n].about.url

Description: The URL.

Type: String

extensions.vulns.vulnerabilities[n].about.user.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

extensions.vulns.vulnerabilities[n].about.user.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.user.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.user.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.user.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.user.attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.user.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.user.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.user.company_name

Description: User job company name.

Type: String

extensions.vulns.vulnerabilities[n].about.user.department

Description: User job department

Type: Array

extensions.vulns.vulnerabilities[n].about.user.email_addresses

Description: Email addresses of the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.user.employee_id

Description: Human capital management identifier.

Type: String

extensions.vulns.vulnerabilities[n].about.user.first_name

Description: First name of the user (e.g. "John").

Type: String

extensions.vulns.vulnerabilities[n].about.user.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

extensions.vulns.vulnerabilities[n].about.user.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

extensions.vulns.vulnerabilities[n].about.user.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

extensions.vulns.vulnerabilities[n].about.user.hire_date

Description: User job employment hire date.

Type: String

extensions.vulns.vulnerabilities[n].about.user.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.user.managers

Description: User job manager(s).

Type: Array

extensions.vulns.vulnerabilities[n].about.user.middle_name

Description: Middle name of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.user.office_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.user.office_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.user.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.user.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.user.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.user.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.user.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.user.office_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.user.personal_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.user.personal_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.user.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.user.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.user.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.user.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.user.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.user.personal_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.user.phone_numbers

Description: Phone numbers for the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.user.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

extensions.vulns.vulnerabilities[n].about.user.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.user.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.user.termination_date

Description: User job employment termination date.

Type: String

extensions.vulns.vulnerabilities[n].about.user.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

extensions.vulns.vulnerabilities[n].about.user.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

extensions.vulns.vulnerabilities[n].about.user.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

extensions.vulns.vulnerabilities[n].about.user.time_off

Description: User time off leaves from active work.

Type: Array

extensions.vulns.vulnerabilities[n].about.user.title

Description: User job title.

Type: String

extensions.vulns.vulnerabilities[n].about.user.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

extensions.vulns.vulnerabilities[n].about.user.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.user.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

extensions.vulns.vulnerabilities[n].about.user.userid

Description: The ID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.user.windows_sid

Description: The windows SID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.labels[n].key

Description: The key.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.labels[n].value

Description: The value.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.roles[n].description

Description: System role description for user.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.roles[n].name

Description: System role name for user.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].company_name

Description: User job company name.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].department

Description: User job department

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].email_addresses

Description: Email addresses of the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].employee_id

Description: Human capital management identifier.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].first_name

Description: First name of the user (e.g. "John").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].hire_date

Description: User job employment hire date.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].last_name

Description: Last name of the user (e.g. "Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].managers

Description: User job manager(s).

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].middle_name

Description: Middle name of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.city

Description: The city.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.country_or_region

Description: The country or region.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.state

Description: The state.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].phone_numbers

Description: Phone numbers for the user.

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].termination_date

Description: User job employment termination date.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].time_off

Description: User time off leaves from active work.

Type: Array

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].title

Description: User job title.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].userid

Description: The ID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain[n].windows_sid

Description: The windows SID of the user.

Type: String

extensions.vulns.vulnerabilities[n].about.user_management_chain

Description: Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.

Type: Array

extensions.vulns.vulnerabilities[n].cve_description

Description: Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record

Type: String

extensions.vulns.vulnerabilities[n].cve_id

Description: Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id

Type: String

extensions.vulns.vulnerabilities[n].cvss_base_score

Description: CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.

Type: Number

extensions.vulns.vulnerabilities[n].cvss_vector

Description: Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE

Type: String

extensions.vulns.vulnerabilities[n].cvss_version

Description: Version of CVSS Vector/Score.

Type: String

extensions.vulns.vulnerabilities[n].description

Description: Description of the vulnerability.

Type: String

extensions.vulns.vulnerabilities[n].first_found

Description: Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.

Type: String

extensions.vulns.vulnerabilities[n].last_found

Description: Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.

Type: String

extensions.vulns.vulnerabilities[n].name

Description: Name of the vulnerability (e.g. "Unsupported OS Version detected").

Type: String

extensions.vulns.vulnerabilities[n].scan_end_time

Description: If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.

Type: String

extensions.vulns.vulnerabilities[n].scan_start_time

Description: If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.

Type: String

extensions.vulns.vulnerabilities[n].severity

Description: The severity of the vulnerability.

Type: Enum

Enum Description
UNKNOWN_SEVERITY The default severity level.
LOW Low severity.
MEDIUM Medium severity.
HIGH High severity.
CRITICAL Critical severity.

extensions.vulns.vulnerabilities[n].severity_details

Description: Vendor-specific severity

Type: String

extensions.vulns.vulnerabilities[n].vendor

Description: Vendor of scan that discovered vulnerability.

Type: String

extensions.vulns.vulnerabilities[n].vendor_knowledge_base_article_id

Description: Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft) https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase

Type: String

extensions.vulns.vulnerabilities[n].vendor_vulnerability_id

Description: Vendor specific vulnerability id (e.g. Microsoft security bulletin id).

Type: String

extensions.vulns.vulnerabilities

Description: A list of vulnerabilities.

Type: Array