Extensions Fields¶
All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network.
Extensions Field Details¶
extensions.auth.auth_details¶
Description: The vendor defined details of the authentication.
Type: String
extensions.auth.mechanism¶
Description: The authentication mechanism.
Type: ArrayEnum
| Enum | Description |
|---|---|
| MECHANISM_UNSPECIFIED | The default mechanism. |
| USERNAME_PASSWORD | Username + password authentication. |
| OTP | OTP authentication. |
| HARDWARE_KEY | Hardware key authentication. |
| LOCAL | Local authentication. |
| REMOTE | Remote authentication. |
| REMOTE_INTERACTIVE | RDP, Terminal Services, VNC, etc. |
| MECHANISM_OTHER | Some other mechanism that is not defined here. |
| BADGE_READER | Badge reader authentication |
| NETWORK | Network authentication. |
| BATCH | Batch authentication. |
| SERVICE | Service authentication |
| UNLOCK | Direct human-interactive unlock authentication. |
| NETWORK_CLEAR_TEXT | Network clear text authentication. |
| NEW_CREDENTIALS | Authentication with new credentials. |
| INTERACTIVE | Interactive authentication. |
| CACHED_INTERACTIVE | Interactive authentication using cached credentials. |
| CACHED_REMOTE_INTERACTIVE | Cached Remote Interactive authentication using cached credentials. |
| CACHED_UNLOCK | Cached Remote Interactive authentication using cached credentials. |
extensions.auth.type¶
Description: The type of authentication.
Type: Enum
| Enum | Description |
|---|---|
| AUTHTYPE_UNSPECIFIED | The default type. |
| MACHINE | A machine authentication. |
| SSO | An SSO authentication. |
| VPN | A VPN authentication. |
| PHYSICAL | A Physical authentication (e.g. "Badge reader"). |
| TACACS | A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). |
extensions.vulns.vulnerabilities[n].about.administrative_domain¶
Description: Domain which the device belongs to (for example, the Windows domain).
Type: String
extensions.vulns.vulnerabilities[n].about.application¶
Description: The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".
Type: String
extensions.vulns.vulnerabilities[n].about.artifact.first_seen_time¶
Description: First seen timestamp of the IP in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.artifact.ip¶
Description: IP address of the artifact.
Type: String
extensions.vulns.vulnerabilities[n].about.artifact.last_seen_time¶
Description: Last seen timestamp of the IP in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.artifact.prevalence.day_count¶
Description: The number of days over which rolling_max is calculated.
Type: Integer
extensions.vulns.vulnerabilities[n].about.artifact.prevalence.rolling_max¶
Description: The maximum number of assets per day accessing the resource over the trailing day_count days.
Type: Integer
extensions.vulns.vulnerabilities[n].about.artifact.prevalence.rolling_max_sub_domains¶
Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains
Type: Integer
extensions.vulns.vulnerabilities[n].about.asset.asset_id¶
Description: The asset ID.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.asset.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.asset.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.asset.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.category¶
Description: The category of the asset (e.g. "End User Asset", "Workstation", "Server").
Type: String
extensions.vulns.vulnerabilities[n].about.asset.creation_time¶
Description: Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.deployment_status¶
Description: The deployment status of the asset for device lifecycle purposes.
Type: Enum
| Enum | Description |
|---|---|
| DEPLOYMENT_STATUS_UNSPECIFIED | Unspecified deployment status. |
| ACTIVE | Asset is active, functional and deployed. |
| PENDING_DECOMISSION | Asset is pending decommission and no longer deployed. |
| DECOMISSIONED | Asset is decomissioned. |
extensions.vulns.vulnerabilities[n].about.asset.first_discover_time¶
Description: Time the asset was first discovered (by asset management/discoverability software).
Type: String
extensions.vulns.vulnerabilities[n].about.asset.first_seen_time¶
Description: The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_clock_speed¶
Description: Clock speed of the hardware CPU in MHz.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_max_clock_speed¶
Description: Maximum possible clock speed of the hardware CPU in MHz.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_model¶
Description: Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_number_cores¶
Description: Number of CPU cores.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].cpu_platform¶
Description: Platform of the hardware CPU (e.g. "Intel Broadwell").
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].manufacturer¶
Description: Hardware manufacturer.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].model¶
Description: Hardware model.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].ram¶
Description: Amount of the hardware ramdom access memory (RAM) in Mb.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware[n].serial_number¶
Description: Hardware serial number.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.hardware¶
Description: The asset hardware specifications.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.hostname¶
Description: Asset hostname or domain name field.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.ip¶
Description: A list of IP addresses associated with an asset.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.labels¶
Description: Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.last_boot_time¶
Description: Time the asset was last boot started.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.last_discover_time¶
Description: Time the asset was last discovered (by asset management/discoverability software).
Type: String
extensions.vulns.vulnerabilities[n].about.asset.location.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.location.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.location.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.asset.location.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.asset.location.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.asset.location.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.asset.location.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.asset.location.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.mac¶
Description: List of MAC addresses associated with an asset.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.nat_ip¶
Description: List of NAT IP addresses associated with an asset.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.network_domain¶
Description: The network domain of the asset (e.g. "corp.acme.com")
Type: String
extensions.vulns.vulnerabilities[n].about.asset.platform_software.platform¶
Description: The platform operating system.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PLATFORM | Default value. |
| WINDOWS | Windows. |
| MAC | Mac OS. |
| LINUX | Linux. |
| GCP | DEPRECATED - See cloud.environment. |
| AWS | DEPRECATED - See cloud.environment. |
| AZURE | DEPRECATED - See cloud.environment. |
extensions.vulns.vulnerabilities[n].about.asset.platform_software.platform_patch_level¶
Description: The platform software patch level ( e.g. "Build 17134.48", "SP1").
Type: String
extensions.vulns.vulnerabilities[n].about.asset.platform_software.platform_version¶
Description: The platform software version ( e.g. "Microsoft Windows 1803").
Type: String
extensions.vulns.vulnerabilities[n].about.asset.product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (a GUID or similar).
Type: String
extensions.vulns.vulnerabilities[n].about.asset.software[n].name¶
Description: The name of the software.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.software[n].permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.asset.software[n].permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.asset.software[n].permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.asset.software[n].permissions¶
Description: System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE"
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.software[n].version¶
Description: The version of the software.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.software¶
Description: The asset software details.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset.system_last_update_time¶
Description: Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time.
Type: String
extensions.vulns.vulnerabilities[n].about.asset.type¶
Description: The type of the asset (e.g. workstation or laptop or server).
Type: Enum
| Enum | Description |
|---|---|
| ROLE_UNSPECIFIED | Unspecified asset role. |
| WORKSTATION | A workstation or desktop. |
| LAPTOP | A laptop computer. |
| IOT | An IOT asset. |
| NETWORK_ATTACHED_STORAGE | A network attached storage device. |
| PRINTER | A printer. |
| SCANNER | A scanner. |
| SERVER | A server. |
| TAPE_LIBRARY | A tape library device. |
| MOBILE | A mobile device such as a mobile phone or PDA. |
extensions.vulns.vulnerabilities[n].about.asset.vulnerabilities¶
Description: Vulnerabilities discovered on asset.
Type: Array
extensions.vulns.vulnerabilities[n].about.asset_id¶
Description: The asset ID.
Type: String
extensions.vulns.vulnerabilities[n].about.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.domain.admin.account_type¶
Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/
Type: Enum
| Enum | Description |
|---|---|
| ACCOUNT_TYPE_UNSPECIFIED | Default user account type. |
| DOMAIN_ACCOUNT_TYPE | A human account part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE | A local machine account. |
| CLOUD_ACCOUNT_TYPE | A SaaS service account type (Slack, GitHub, etc). |
| SERVICE_ACCOUNT_TYPE | A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE | A system built in default account. |
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.domain.admin.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.company_name¶
Description: User job company name.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.department¶
Description: User job department
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.email_addresses¶
Description: Email addresses of the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.employee_id¶
Description: Human capital management identifier.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.first_name¶
Description: First name of the user (e.g. "John").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.first_seen_time¶
Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.group_identifiers¶
Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.groupid¶
Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.hire_date¶
Description: User job employment hire date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.last_name¶
Description: Last name of the user (e.g. "Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.managers¶
Description: User job manager(s).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.middle_name¶
Description: Middle name of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.admin.office_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.admin.personal_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.phone_numbers¶
Description: Phone numbers for the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.role_description¶
Description: System role description for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.role_name¶
Description: System role name for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.termination_date¶
Description: User job employment termination date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.time_off[n].description¶
Description: Description of the leave if available (e.g. 'Vacation').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.time_off[n].interval.end_time¶
Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.time_off[n].interval.start_time¶
Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.time_off¶
Description: User time off leaves from active work.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.admin.title¶
Description: User job title.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.user_authentication_status¶
Description: System authentication status for user.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_AUTHENTICATION_STATUS | The default authentication status. |
| ACTIVE | The authentication method is in active state. |
| SUSPENDED | The authentication method is in suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS | The authentication method has no active credentials. |
| DELETED | The authentication method has been deleted. |
extensions.vulns.vulnerabilities[n].about.domain.admin.user_display_name¶
Description: The display name of the user (e.g. "John Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.user_role¶
Description: System role for user. DEPRECATED: use attribute.roles.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_ROLE | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type. |
extensions.vulns.vulnerabilities[n].about.domain.admin.userid¶
Description: The ID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.admin.windows_sid¶
Description: The windows SID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.audit_update_time¶
Description: Audit updated time.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.account_type¶
Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/
Type: Enum
| Enum | Description |
|---|---|
| ACCOUNT_TYPE_UNSPECIFIED | Default user account type. |
| DOMAIN_ACCOUNT_TYPE | A human account part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE | A local machine account. |
| CLOUD_ACCOUNT_TYPE | A SaaS service account type (Slack, GitHub, etc). |
| SERVICE_ACCOUNT_TYPE | A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE | A system built in default account. |
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.domain.billing.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.company_name¶
Description: User job company name.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.department¶
Description: User job department
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.email_addresses¶
Description: Email addresses of the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.employee_id¶
Description: Human capital management identifier.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.first_name¶
Description: First name of the user (e.g. "John").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.first_seen_time¶
Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.group_identifiers¶
Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.groupid¶
Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.hire_date¶
Description: User job employment hire date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.last_name¶
Description: Last name of the user (e.g. "Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.managers¶
Description: User job manager(s).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.middle_name¶
Description: Middle name of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.billing.office_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.billing.personal_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.phone_numbers¶
Description: Phone numbers for the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.role_description¶
Description: System role description for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.role_name¶
Description: System role name for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.termination_date¶
Description: User job employment termination date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.time_off[n].description¶
Description: Description of the leave if available (e.g. 'Vacation').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.time_off[n].interval.end_time¶
Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.time_off[n].interval.start_time¶
Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.time_off¶
Description: User time off leaves from active work.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.billing.title¶
Description: User job title.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.user_authentication_status¶
Description: System authentication status for user.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_AUTHENTICATION_STATUS | The default authentication status. |
| ACTIVE | The authentication method is in active state. |
| SUSPENDED | The authentication method is in suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS | The authentication method has no active credentials. |
| DELETED | The authentication method has been deleted. |
extensions.vulns.vulnerabilities[n].about.domain.billing.user_display_name¶
Description: The display name of the user (e.g. "John Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.user_role¶
Description: System role for user. DEPRECATED: use attribute.roles.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_ROLE | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type. |
extensions.vulns.vulnerabilities[n].about.domain.billing.userid¶
Description: The ID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.billing.windows_sid¶
Description: The windows SID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.contact_email¶
Description: Contact email address.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.creation_time¶
Description: Domain creation time.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.expiration_time¶
Description: Expiration time.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.first_seen_time¶
Description: First seen timestamp of the domain in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.iana_registrar_id¶
Description: IANA Registrar ID. See: https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml
Type: Integer
extensions.vulns.vulnerabilities[n].about.domain.last_seen_time¶
Description: Last seen timestamp of the domain in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.name¶
Description: The domain name.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.name_server¶
Description: Repeated list of name servers.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.prevalence.day_count¶
Description: The number of days over which rolling_max is calculated.
Type: Integer
extensions.vulns.vulnerabilities[n].about.domain.prevalence.rolling_max¶
Description: The maximum number of assets per day accessing the resource over the trailing day_count days.
Type: Integer
extensions.vulns.vulnerabilities[n].about.domain.prevalence.rolling_max_sub_domains¶
Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains
Type: Integer
extensions.vulns.vulnerabilities[n].about.domain.private_registration¶
Description: Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.
Type: Boolean
extensions.vulns.vulnerabilities[n].about.domain.registrant.account_type¶
Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/
Type: Enum
| Enum | Description |
|---|---|
| ACCOUNT_TYPE_UNSPECIFIED | Default user account type. |
| DOMAIN_ACCOUNT_TYPE | A human account part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE | A local machine account. |
| CLOUD_ACCOUNT_TYPE | A SaaS service account type (Slack, GitHub, etc). |
| SERVICE_ACCOUNT_TYPE | A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE | A system built in default account. |
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.domain.registrant.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.company_name¶
Description: User job company name.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.department¶
Description: User job department
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.email_addresses¶
Description: Email addresses of the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.employee_id¶
Description: Human capital management identifier.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.first_name¶
Description: First name of the user (e.g. "John").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.first_seen_time¶
Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.group_identifiers¶
Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.groupid¶
Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.hire_date¶
Description: User job employment hire date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.last_name¶
Description: Last name of the user (e.g. "Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.managers¶
Description: User job manager(s).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.middle_name¶
Description: Middle name of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.registrant.office_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.registrant.personal_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.phone_numbers¶
Description: Phone numbers for the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.role_description¶
Description: System role description for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.role_name¶
Description: System role name for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.termination_date¶
Description: User job employment termination date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.time_off[n].description¶
Description: Description of the leave if available (e.g. 'Vacation').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.time_off[n].interval.end_time¶
Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.time_off[n].interval.start_time¶
Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.time_off¶
Description: User time off leaves from active work.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.registrant.title¶
Description: User job title.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.user_authentication_status¶
Description: System authentication status for user.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_AUTHENTICATION_STATUS | The default authentication status. |
| ACTIVE | The authentication method is in active state. |
| SUSPENDED | The authentication method is in suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS | The authentication method has no active credentials. |
| DELETED | The authentication method has been deleted. |
extensions.vulns.vulnerabilities[n].about.domain.registrant.user_display_name¶
Description: The display name of the user (e.g. "John Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.user_role¶
Description: System role for user. DEPRECATED: use attribute.roles.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_ROLE | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type. |
extensions.vulns.vulnerabilities[n].about.domain.registrant.userid¶
Description: The ID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrant.windows_sid¶
Description: The windows SID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registrar¶
Description: Registrar name - e.g. "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM", etc.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.registry_data_raw_text¶
Description: Registry Data raw text
Type: String
extensions.vulns.vulnerabilities[n].about.domain.status¶
Description: Domain status. see: https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.account_type¶
Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/
Type: Enum
| Enum | Description |
|---|---|
| ACCOUNT_TYPE_UNSPECIFIED | Default user account type. |
| DOMAIN_ACCOUNT_TYPE | A human account part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE | A local machine account. |
| CLOUD_ACCOUNT_TYPE | A SaaS service account type (Slack, GitHub, etc). |
| SERVICE_ACCOUNT_TYPE | A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE | A system built in default account. |
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.domain.tech.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.company_name¶
Description: User job company name.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.department¶
Description: User job department
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.email_addresses¶
Description: Email addresses of the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.employee_id¶
Description: Human capital management identifier.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.first_name¶
Description: First name of the user (e.g. "John").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.first_seen_time¶
Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.group_identifiers¶
Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.groupid¶
Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.hire_date¶
Description: User job employment hire date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.last_name¶
Description: Last name of the user (e.g. "Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.managers¶
Description: User job manager(s).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.middle_name¶
Description: Middle name of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.tech.office_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.tech.personal_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.phone_numbers¶
Description: Phone numbers for the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.role_description¶
Description: System role description for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.role_name¶
Description: System role name for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.termination_date¶
Description: User job employment termination date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.time_off[n].description¶
Description: Description of the leave if available (e.g. 'Vacation').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.time_off[n].interval.end_time¶
Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.time_off[n].interval.start_time¶
Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.time_off¶
Description: User time off leaves from active work.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.tech.title¶
Description: User job title.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.user_authentication_status¶
Description: System authentication status for user.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_AUTHENTICATION_STATUS | The default authentication status. |
| ACTIVE | The authentication method is in active state. |
| SUSPENDED | The authentication method is in suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS | The authentication method has no active credentials. |
| DELETED | The authentication method has been deleted. |
extensions.vulns.vulnerabilities[n].about.domain.tech.user_display_name¶
Description: The display name of the user (e.g. "John Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.user_role¶
Description: System role for user. DEPRECATED: use attribute.roles.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_ROLE | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type. |
extensions.vulns.vulnerabilities[n].about.domain.tech.userid¶
Description: The ID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.tech.windows_sid¶
Description: The windows SID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.update_time¶
Description: Last updated time.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.whois_record_raw_text¶
Description: unix epoch of the time when the domaintools first catches the record, or the time when domaintools catch the record changes. domaintools_time_ms is also used as the bigtable timestamp.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.whois_server¶
Description: Whois server name.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.account_type¶
Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/
Type: Enum
| Enum | Description |
|---|---|
| ACCOUNT_TYPE_UNSPECIFIED | Default user account type. |
| DOMAIN_ACCOUNT_TYPE | A human account part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE | A local machine account. |
| CLOUD_ACCOUNT_TYPE | A SaaS service account type (Slack, GitHub, etc). |
| SERVICE_ACCOUNT_TYPE | A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE | A system built in default account. |
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.domain.zone.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.company_name¶
Description: User job company name.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.department¶
Description: User job department
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.email_addresses¶
Description: Email addresses of the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.employee_id¶
Description: Human capital management identifier.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.first_name¶
Description: First name of the user (e.g. "John").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.first_seen_time¶
Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.group_identifiers¶
Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.groupid¶
Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.hire_date¶
Description: User job employment hire date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.last_name¶
Description: Last name of the user (e.g. "Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.managers¶
Description: User job manager(s).
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.middle_name¶
Description: Middle name of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.zone.office_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.domain.zone.personal_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.phone_numbers¶
Description: Phone numbers for the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.role_description¶
Description: System role description for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.role_name¶
Description: System role name for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.termination_date¶
Description: User job employment termination date.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.time_off[n].description¶
Description: Description of the leave if available (e.g. 'Vacation').
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.time_off[n].interval.end_time¶
Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.time_off[n].interval.start_time¶
Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.time_off¶
Description: User time off leaves from active work.
Type: Array
extensions.vulns.vulnerabilities[n].about.domain.zone.title¶
Description: User job title.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.user_authentication_status¶
Description: System authentication status for user.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_AUTHENTICATION_STATUS | The default authentication status. |
| ACTIVE | The authentication method is in active state. |
| SUSPENDED | The authentication method is in suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS | The authentication method has no active credentials. |
| DELETED | The authentication method has been deleted. |
extensions.vulns.vulnerabilities[n].about.domain.zone.user_display_name¶
Description: The display name of the user (e.g. "John Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.user_role¶
Description: System role for user. DEPRECATED: use attribute.roles.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_ROLE | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type. |
extensions.vulns.vulnerabilities[n].about.domain.zone.userid¶
Description: The ID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.domain.zone.windows_sid¶
Description: The windows SID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.email¶
Description: Email address. Only filled in for security_result.about
Type: String
extensions.vulns.vulnerabilities[n].about.file.ahash¶
Description: Authentihash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.file.capabilities_tags¶
Description: Capabilities tags.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.file_metadata.pe.import_hash¶
Description: Hash of PE imports.
Type: String
extensions.vulns.vulnerabilities[n].about.file.file_type¶
Description: FileType field.
Type: Enum
| Enum | Description |
|---|---|
| FILE_TYPE_UNSPECIFIED | File type is UNSPECIFIED. |
| FILE_TYPE_PE_EXE | -- OS specific executable related files -- File type is PE_EXE. |
| FILE_TYPE_PE_DLL | We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL. |
| FILE_TYPE_MSI | File type is MSI. |
| FILE_TYPE_NE_EXE | File type is NE_EXE. |
| FILE_TYPE_NE_DLL | File type is NE_DLL. |
| FILE_TYPE_DOS_EXE | File type is DOS_EXE. |
| FILE_TYPE_DOS_COM | File type is DOS_COM. |
| FILE_TYPE_COFF | File type is COFF. |
| FILE_TYPE_ELF | File type is ELF. |
| FILE_TYPE_LINUX_KERNEL | File type is LINUX_KERNEL. |
| FILE_TYPE_RPM | File type is RPM. |
| FILE_TYPE_LINUX | File type is LINUX. |
| FILE_TYPE_MACH_O | File type is MACH_O. |
| FILE_TYPE_JAVA_BYTECODE | File type is JAVA_BYTECODE. |
| FILE_TYPE_DMG | File type is DMG. |
| FILE_TYPE_DEB | File type is DEB. |
| FILE_TYPE_PKG | File type is PKG. |
| FILE_TYPE_LNK | -- Shortcuts -- File type is LNK. |
| FILE_TYPE_JPEG | -- Image related types -- File type is JPEG. |
| FILE_TYPE_TIFF | File type is TIFF. |
| FILE_TYPE_GIF | File type is GIF. |
| FILE_TYPE_PNG | File type is PNG. |
| FILE_TYPE_BMP | File type is BMP. |
| FILE_TYPE_GIMP | File type is GIMP. |
| FILE_TYPE_IN_DESIGN | File type is IN_DESIGN. |
| FILE_TYPE_PSD | File type is PSD. Adobe Photoshop. |
| FILE_TYPE_TARGA | File type is TARGA. |
| FILE_TYPE_XWD | File type is XWD. |
| FILE_TYPE_DIB | File type is DIB. |
| FILE_TYPE_JNG | File type is JNG. |
| FILE_TYPE_ICO | File type is ICO. |
| FILE_TYPE_FPX | File type is FPX. |
| FILE_TYPE_EPS | File type is EPS. |
| FILE_TYPE_SVG | File type is SVG. |
| FILE_TYPE_EMF | File type is EMF. |
| FILE_TYPE_WEBP | File type is WEBP. |
| FILE_TYPE_OGG | -- Video related types -- File type is OGG. |
| FILE_TYPE_FLC | File type is FLC. |
| FILE_TYPE_FLI | File type is FLI. |
| FILE_TYPE_MP3 | File type is MP3. |
| FILE_TYPE_FLAC | File type is FLAC. |
| FILE_TYPE_WAV | File type is WAV. |
| FILE_TYPE_MIDI | File type is MIDI. |
| FILE_TYPE_AVI | File type is AVI. |
| FILE_TYPE_MPEG | File type is MPEG. |
| FILE_TYPE_QUICKTIME | File type is QUICKTIME. |
| FILE_TYPE_ASF | File type is ASF. |
| FILE_TYPE_DIVX | File type is DIVX. |
| FILE_TYPE_FLV | File type is FLV. |
| FILE_TYPE_WMA | File type is WMA. |
| FILE_TYPE_WMV | File type is WMV. |
| FILE_TYPE_RM | File type is RM. RealMedia type. |
| FILE_TYPE_MOV | File type is MOV. |
| FILE_TYPE_MP4 | File type is MP4. |
| FILE_TYPE_T3GP | File type is T3GP. |
| FILE_TYPE_PDF | -- Document types -- File type is PDF. |
| FILE_TYPE_PS | File type is PS. |
| FILE_TYPE_DOC | File type is DOC. |
| FILE_TYPE_DOCX | File type is DOCX. |
| FILE_TYPE_PPT | File type is PPT. |
| FILE_TYPE_PPTX | File type is PPTX. |
| FILE_TYPE_PPSX | File type is PPSX. |
| FILE_TYPE_XLS | File type is XLS. |
| FILE_TYPE_XLSX | File type is XLSX. |
| FILE_TYPE_RTF | File type is RTF. |
| FILE_TYPE_ODP | File type is ODP. |
| FILE_TYPE_ODS | File type is ODS. |
| FILE_TYPE_ODT | File type is ODT. |
| FILE_TYPE_HWP | File type is HWP. |
| FILE_TYPE_GUL | File type is GUL. |
| FILE_TYPE_ODF | File type is ODF. |
| FILE_TYPE_ODG | File type is ODG. |
| FILE_TYPE_EBOOK | -- Text/ebook related -- File type is EBOOK. |
| FILE_TYPE_LATEX | File type is LATEX. |
| FILE_TYPE_TTF | File type is TTF. |
| FILE_TYPE_EOT | File type is EOT. |
| FILE_TYPE_WOFF | File type is WOFF. |
| FILE_TYPE_CHM | File type is CHM. |
| FILE_TYPE_ZIP | -- Compressed bundles -- File type is ZIP. |
| FILE_TYPE_GZIP | File type is GZIP. |
| FILE_TYPE_BZIP | File type is BZIP. |
| FILE_TYPE_RZIP | File type is RZIP. |
| FILE_TYPE_DZIP | File type is DZIP. |
| FILE_TYPE_SEVENZIP | File type is SEVENZIP. |
| FILE_TYPE_CAB | File type is CAB. |
| FILE_TYPE_JAR | File type is JAR. |
| FILE_TYPE_RAR | File type is RAR. |
| FILE_TYPE_MSCOMPRESS | File type is MSCOMPRESS. |
| FILE_TYPE_ACE | File type is ACE. |
| FILE_TYPE_ARC | File type is ARC. |
| FILE_TYPE_ARJ | File type is ARJ. |
| FILE_TYPE_ASD | File type is ASD. |
| FILE_TYPE_BLACKHOLE | File type is BLACKHOLE. |
| FILE_TYPE_KGB | File type is KGB. |
| FILE_TYPE_ZLIB | File type is ZLIB. |
| FILE_TYPE_TAR | File type is TAR. |
| FILE_TYPE_TEXT | -- Scripting -- File type is TEXT. |
| FILE_TYPE_SCRIPT | File type is SCRIPT. |
| FILE_TYPE_PHP | File type is PHP. |
| FILE_TYPE_PYTHON | File type is PYTHON. |
| FILE_TYPE_PERL | File type is PERL. |
| FILE_TYPE_RUBY | File type is RUBY. |
| FILE_TYPE_C | File type is C. |
| FILE_TYPE_CPP | File type is CPP. |
| FILE_TYPE_JAVA | File type is JAVA. |
| FILE_TYPE_SHELLSCRIPT | File type is SHELLSCRIPT. |
| FILE_TYPE_PASCAL | File type is PASCAL. |
| FILE_TYPE_AWK | File type is AWK. |
| FILE_TYPE_DYALOG | File type is DYALOG. |
| FILE_TYPE_FORTRAN | File type is FORTRAN. |
| FILE_TYPE_JAVASCRIPT | File type is JAVASCRIPT. |
| FILE_TYPE_POWERSHELL | File type is POWERSHELL. |
| FILE_TYPE_VBA | File type is VBA. |
| FILE_TYPE_SYMBIAN | -- Mobile phone types -- File type is SYMBIAN. |
| FILE_TYPE_PALMOS | File type is PALMOS. |
| FILE_TYPE_WINCE | File type is WINCE. |
| FILE_TYPE_ANDROID | File type is ANDROID. |
| FILE_TYPE_IPHONE | File type is IPHONE. |
| FILE_TYPE_HTML | -- Web related -- File type is HTML. |
| FILE_TYPE_XML | File type is XML. |
| FILE_TYPE_SWF | File type is SWF. |
| FILE_TYPE_FLA | File type is FLA. |
| FILE_TYPE_COOKIE | File type is COOKIE. |
| FILE_TYPE_TORRENT | File type is TORRENT. |
| FILE_TYPE_EMAIL_TYPE | File type is EMAIL_TYPE. |
| FILE_TYPE_OUTLOOK | File type is OUTLOOK. |
| FILE_TYPE_CAP | -- Network traffic captures -- File type is CAP. |
| FILE_TYPE_ISOIMAGE | -- Disk images -- File type is ISOIMAGE. |
| FILE_TYPE_APPLE | -- Apple environment related, executables aside -- File type is APPLE. |
| FILE_TYPE_MACINTOSH | File type is MACINTOSH. |
| FILE_TYPE_APPLESINGLE | File type is APPLESINGLE. |
| FILE_TYPE_APPLEDOUBLE | File type is APPLEDOUBLE. |
| FILE_TYPE_MACINTOSH_HFS | File type is MACINTOSH_HFS. |
| FILE_TYPE_APPLE_PLIST | File type is APPLE_PLIST. |
| FILE_TYPE_MACINTOSH_LIB | File type is MACINTOSH_LIB. |
| FILE_TYPE_APPLESCRIPT | File type is APPLESCRIPT. |
| FILE_TYPE_APPLESCRIPT_COMPILED | File type is APPLESCRIPT_COMPILED . |
| FILE_TYPE_CRX | -- Browser extensions -- File type is CRX. |
| FILE_TYPE_XPI | File type is XPI. |
| FILE_TYPE_ROM | -- Firmware related -- File type is ROM. |
extensions.vulns.vulnerabilities[n].about.file.first_seen_time¶
Description: First seen timestamp of the File in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.file.full_path¶
Description: The full path identifying the location of the file on the system.
Type: String
extensions.vulns.vulnerabilities[n].about.file.last_modification_time¶
Description: Timestamp when the file was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.file.last_seen_time¶
Description: Last seen timestamp of the IP in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.file.md5¶
Description: The MD5 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.file.mime_type¶
Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.
Type: String
extensions.vulns.vulnerabilities[n].about.file.names¶
Description: Names fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.compilation_exiftool_time¶
Description: info.exiftool.TimeStamp.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.compilation_time¶
Description: info.pe-timestamp.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.entry_point¶
Description: info.pe-entry-point.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.entry_point_exiftool¶
Description: info.exiftool.EntryPoint.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.imphash¶
Description: Imphash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.imports[n].functions¶
Description: Function field.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.imports[n].library¶
Description: Library field.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.imports¶
Description: FilemetadataImports fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].entropy¶
Description: Entropy of the resource.
Type: Number
extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].file_type¶
Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].filetype_magic¶
Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].language_code¶
Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resource[n].sha256_hex¶
Description: SHA256_hex field..
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resource¶
Description: FilemetadataPeResourceInfo fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count[n].key¶
Description: Key field.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count[n].value¶
Description: Value field.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count¶
Description: Deprecated. Use resources_language_count_str.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count_str[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count_str[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_language_count_str¶
Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count[n].key¶
Description: Key field.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count[n].value¶
Description: Value field.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count¶
Description: Deprecated. Use resources_type_count_str.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count_str[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count_str[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.resources_type_count_str¶
Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].entropy¶
Description: Entropy of the section.
Type: Number
extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].md5_hex¶
Description: MD5 hex of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].name¶
Description: Name of the section.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].raw_size_bytes¶
Description: Raw file size in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.section[n].virtual_size_bytes¶
Description: Virtual file size in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.section¶
Description: FilemetadataSection fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.signature_info.signer¶
Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.
Type: Array
extensions.vulns.vulnerabilities[n].about.file.pe_file.signature_info.verification_message¶
Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.
Type: String
extensions.vulns.vulnerabilities[n].about.file.pe_file.signature_info.verified¶
Description: True iff verification_message == "Signed"
Type: Boolean
extensions.vulns.vulnerabilities[n].about.file.prevalence.day_count¶
Description: The number of days over which rolling_max is calculated.
Type: Integer
extensions.vulns.vulnerabilities[n].about.file.prevalence.rolling_max¶
Description: The maximum number of assets per day accessing the resource over the trailing day_count days.
Type: Integer
extensions.vulns.vulnerabilities[n].about.file.prevalence.rolling_max_sub_domains¶
Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains
Type: Integer
extensions.vulns.vulnerabilities[n].about.file.sha1¶
Description: The SHA1 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.file.sha256¶
Description: The SHA256 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.file.size¶
Description: The size of the file in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.file.ssdeep¶
Description: Ssdeep of the file
Type: String
extensions.vulns.vulnerabilities[n].about.file.vhash¶
Description: Vhash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.group.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.group.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.group.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.group.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.group.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.group.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.group.creation_time¶
Description: Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.
Type: String
extensions.vulns.vulnerabilities[n].about.group.email_addresses¶
Description: Email addresses of the group.
Type: Array
extensions.vulns.vulnerabilities[n].about.group.group_display_name¶
Description: Group display name. e.g. "Finance".
Type: String
extensions.vulns.vulnerabilities[n].about.group.product_object_id¶
Description: Product globally unique user object identifier, such as an LDAP Object Identifier.
Type: String
extensions.vulns.vulnerabilities[n].about.group.windows_sid¶
Description: Windows SID of the group.
Type: String
extensions.vulns.vulnerabilities[n].about.hostname¶
Description: Client hostname or domain name field. Hostname also doubles as the domain for remote entities.
Type: String
extensions.vulns.vulnerabilities[n].about.investigation.comments¶
Description: Comment added by the Analyst.
Type: Array
extensions.vulns.vulnerabilities[n].about.investigation.reputation¶
Description: Describes whether a finding was useful or not-useful.
Type: Enum
| Enum | Description |
|---|---|
| REPUTATION_UNSPECIFIED | An unspecified reputation. |
| USEFUL | A categorization of the finding as useful. |
| NOT_USEFUL | A categorization of the finding as not useful. |
extensions.vulns.vulnerabilities[n].about.investigation.severity_score¶
Description: Severity score for a finding set by an analyst.
Type: Integer
extensions.vulns.vulnerabilities[n].about.investigation.status¶
Description: Describes the workflow status of a finding.
Type: Enum
| Enum | Description |
|---|---|
| STATUS_UNSPECIFIED | Unspecified finding status. |
| NEW | New finding. |
| REVIEWED | When a finding has feedback. |
| CLOSED | When an analyst closes an finding. |
extensions.vulns.vulnerabilities[n].about.investigation.verdict¶
Description: Describes reason a finding investigation was resolved.
Type: Enum
| Enum | Description |
|---|---|
| VERDICT_UNSPECIFIED | An unspecified verdict. |
| TRUE_POSITIVE | A categorization of the finding as a "true positive". |
| FALSE_POSITIVE | A categorization of the finding as a "false positive". |
extensions.vulns.vulnerabilities[n].about.ip¶
Description: A list of IP addresses associated with a network connection.
Type: Array
extensions.vulns.vulnerabilities[n].about.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.labels¶
Description: Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).
Type: Array
extensions.vulns.vulnerabilities[n].about.location.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.location.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.location.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.location.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.location.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.location.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.location.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.location.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.mac¶
Description: List of MAC addresses associated with a device.
Type: Array
extensions.vulns.vulnerabilities[n].about.namespace¶
Description: Namespace which the device belongs to (e.g. AD forest) Uses for this field include Windows AD forest, name of subsidiary or acquisition, etc.
Type: String
extensions.vulns.vulnerabilities[n].about.nat_ip¶
Description: A list of NAT translated IP addresses associated with a network connection.
Type: Array
extensions.vulns.vulnerabilities[n].about.nat_port¶
Description: NAT external network port number when a specific network connection is described within an event.
Type: Integer
extensions.vulns.vulnerabilities[n].about.object_reference.id¶
Description: Full raw ID.
Type: String
extensions.vulns.vulnerabilities[n].about.object_reference.namespace¶
Description: Namespace the id belongs to.
Type: Enum
| Enum | Description |
|---|---|
| NORMALIZED_TELEMETRY | Ingested and Normalized telemetry events |
| RAW_TELEMETRY | Ingested Raw telemetry |
| RULE_DETECTIONS | Chronicle Rules engine |
| UPPERCASE | Uppercase |
| MACHINE_INTELLIGENCE | DSML - Machine Intelligence |
| SECURITY_COMMAND_CENTER | A normalized telemetry event from Google Security Command Center. |
extensions.vulns.vulnerabilities[n].about.platform¶
Description: Platform.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PLATFORM | Default value. |
| WINDOWS | Windows. |
| MAC | Mac OS. |
| LINUX | Linux. |
| GCP | DEPRECATED - See cloud.environment. |
| AWS | DEPRECATED - See cloud.environment. |
| AZURE | DEPRECATED - See cloud.environment. |
extensions.vulns.vulnerabilities[n].about.platform_patch_level¶
Description: Platform patch level. e.g. "Build 17134.48"
Type: String
extensions.vulns.vulnerabilities[n].about.platform_version¶
Description: Platform version. e.g. "Microsoft Windows 1803"
Type: String
extensions.vulns.vulnerabilities[n].about.port¶
Description: Source or destination network port number when a specific network connection is described within an event.
Type: Integer
extensions.vulns.vulnerabilities[n].about.process.access_mask¶
Description: A bit mask representing the level of access.
Type: String
extensions.vulns.vulnerabilities[n].about.process.command_line¶
Description: The command line command that created the process.
Type: String
extensions.vulns.vulnerabilities[n].about.process.command_line_history¶
Description: The command line history of the process.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.ahash¶
Description: Authentihash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.capabilities_tags¶
Description: Capabilities tags.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.file_metadata.pe.import_hash¶
Description: Hash of PE imports.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.file_type¶
Description: FileType field.
Type: Enum
| Enum | Description |
|---|---|
| FILE_TYPE_UNSPECIFIED | File type is UNSPECIFIED. |
| FILE_TYPE_PE_EXE | -- OS specific executable related files -- File type is PE_EXE. |
| FILE_TYPE_PE_DLL | We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL. |
| FILE_TYPE_MSI | File type is MSI. |
| FILE_TYPE_NE_EXE | File type is NE_EXE. |
| FILE_TYPE_NE_DLL | File type is NE_DLL. |
| FILE_TYPE_DOS_EXE | File type is DOS_EXE. |
| FILE_TYPE_DOS_COM | File type is DOS_COM. |
| FILE_TYPE_COFF | File type is COFF. |
| FILE_TYPE_ELF | File type is ELF. |
| FILE_TYPE_LINUX_KERNEL | File type is LINUX_KERNEL. |
| FILE_TYPE_RPM | File type is RPM. |
| FILE_TYPE_LINUX | File type is LINUX. |
| FILE_TYPE_MACH_O | File type is MACH_O. |
| FILE_TYPE_JAVA_BYTECODE | File type is JAVA_BYTECODE. |
| FILE_TYPE_DMG | File type is DMG. |
| FILE_TYPE_DEB | File type is DEB. |
| FILE_TYPE_PKG | File type is PKG. |
| FILE_TYPE_LNK | -- Shortcuts -- File type is LNK. |
| FILE_TYPE_JPEG | -- Image related types -- File type is JPEG. |
| FILE_TYPE_TIFF | File type is TIFF. |
| FILE_TYPE_GIF | File type is GIF. |
| FILE_TYPE_PNG | File type is PNG. |
| FILE_TYPE_BMP | File type is BMP. |
| FILE_TYPE_GIMP | File type is GIMP. |
| FILE_TYPE_IN_DESIGN | File type is IN_DESIGN. |
| FILE_TYPE_PSD | File type is PSD. Adobe Photoshop. |
| FILE_TYPE_TARGA | File type is TARGA. |
| FILE_TYPE_XWD | File type is XWD. |
| FILE_TYPE_DIB | File type is DIB. |
| FILE_TYPE_JNG | File type is JNG. |
| FILE_TYPE_ICO | File type is ICO. |
| FILE_TYPE_FPX | File type is FPX. |
| FILE_TYPE_EPS | File type is EPS. |
| FILE_TYPE_SVG | File type is SVG. |
| FILE_TYPE_EMF | File type is EMF. |
| FILE_TYPE_WEBP | File type is WEBP. |
| FILE_TYPE_OGG | -- Video related types -- File type is OGG. |
| FILE_TYPE_FLC | File type is FLC. |
| FILE_TYPE_FLI | File type is FLI. |
| FILE_TYPE_MP3 | File type is MP3. |
| FILE_TYPE_FLAC | File type is FLAC. |
| FILE_TYPE_WAV | File type is WAV. |
| FILE_TYPE_MIDI | File type is MIDI. |
| FILE_TYPE_AVI | File type is AVI. |
| FILE_TYPE_MPEG | File type is MPEG. |
| FILE_TYPE_QUICKTIME | File type is QUICKTIME. |
| FILE_TYPE_ASF | File type is ASF. |
| FILE_TYPE_DIVX | File type is DIVX. |
| FILE_TYPE_FLV | File type is FLV. |
| FILE_TYPE_WMA | File type is WMA. |
| FILE_TYPE_WMV | File type is WMV. |
| FILE_TYPE_RM | File type is RM. RealMedia type. |
| FILE_TYPE_MOV | File type is MOV. |
| FILE_TYPE_MP4 | File type is MP4. |
| FILE_TYPE_T3GP | File type is T3GP. |
| FILE_TYPE_PDF | -- Document types -- File type is PDF. |
| FILE_TYPE_PS | File type is PS. |
| FILE_TYPE_DOC | File type is DOC. |
| FILE_TYPE_DOCX | File type is DOCX. |
| FILE_TYPE_PPT | File type is PPT. |
| FILE_TYPE_PPTX | File type is PPTX. |
| FILE_TYPE_PPSX | File type is PPSX. |
| FILE_TYPE_XLS | File type is XLS. |
| FILE_TYPE_XLSX | File type is XLSX. |
| FILE_TYPE_RTF | File type is RTF. |
| FILE_TYPE_ODP | File type is ODP. |
| FILE_TYPE_ODS | File type is ODS. |
| FILE_TYPE_ODT | File type is ODT. |
| FILE_TYPE_HWP | File type is HWP. |
| FILE_TYPE_GUL | File type is GUL. |
| FILE_TYPE_ODF | File type is ODF. |
| FILE_TYPE_ODG | File type is ODG. |
| FILE_TYPE_EBOOK | -- Text/ebook related -- File type is EBOOK. |
| FILE_TYPE_LATEX | File type is LATEX. |
| FILE_TYPE_TTF | File type is TTF. |
| FILE_TYPE_EOT | File type is EOT. |
| FILE_TYPE_WOFF | File type is WOFF. |
| FILE_TYPE_CHM | File type is CHM. |
| FILE_TYPE_ZIP | -- Compressed bundles -- File type is ZIP. |
| FILE_TYPE_GZIP | File type is GZIP. |
| FILE_TYPE_BZIP | File type is BZIP. |
| FILE_TYPE_RZIP | File type is RZIP. |
| FILE_TYPE_DZIP | File type is DZIP. |
| FILE_TYPE_SEVENZIP | File type is SEVENZIP. |
| FILE_TYPE_CAB | File type is CAB. |
| FILE_TYPE_JAR | File type is JAR. |
| FILE_TYPE_RAR | File type is RAR. |
| FILE_TYPE_MSCOMPRESS | File type is MSCOMPRESS. |
| FILE_TYPE_ACE | File type is ACE. |
| FILE_TYPE_ARC | File type is ARC. |
| FILE_TYPE_ARJ | File type is ARJ. |
| FILE_TYPE_ASD | File type is ASD. |
| FILE_TYPE_BLACKHOLE | File type is BLACKHOLE. |
| FILE_TYPE_KGB | File type is KGB. |
| FILE_TYPE_ZLIB | File type is ZLIB. |
| FILE_TYPE_TAR | File type is TAR. |
| FILE_TYPE_TEXT | -- Scripting -- File type is TEXT. |
| FILE_TYPE_SCRIPT | File type is SCRIPT. |
| FILE_TYPE_PHP | File type is PHP. |
| FILE_TYPE_PYTHON | File type is PYTHON. |
| FILE_TYPE_PERL | File type is PERL. |
| FILE_TYPE_RUBY | File type is RUBY. |
| FILE_TYPE_C | File type is C. |
| FILE_TYPE_CPP | File type is CPP. |
| FILE_TYPE_JAVA | File type is JAVA. |
| FILE_TYPE_SHELLSCRIPT | File type is SHELLSCRIPT. |
| FILE_TYPE_PASCAL | File type is PASCAL. |
| FILE_TYPE_AWK | File type is AWK. |
| FILE_TYPE_DYALOG | File type is DYALOG. |
| FILE_TYPE_FORTRAN | File type is FORTRAN. |
| FILE_TYPE_JAVASCRIPT | File type is JAVASCRIPT. |
| FILE_TYPE_POWERSHELL | File type is POWERSHELL. |
| FILE_TYPE_VBA | File type is VBA. |
| FILE_TYPE_SYMBIAN | -- Mobile phone types -- File type is SYMBIAN. |
| FILE_TYPE_PALMOS | File type is PALMOS. |
| FILE_TYPE_WINCE | File type is WINCE. |
| FILE_TYPE_ANDROID | File type is ANDROID. |
| FILE_TYPE_IPHONE | File type is IPHONE. |
| FILE_TYPE_HTML | -- Web related -- File type is HTML. |
| FILE_TYPE_XML | File type is XML. |
| FILE_TYPE_SWF | File type is SWF. |
| FILE_TYPE_FLA | File type is FLA. |
| FILE_TYPE_COOKIE | File type is COOKIE. |
| FILE_TYPE_TORRENT | File type is TORRENT. |
| FILE_TYPE_EMAIL_TYPE | File type is EMAIL_TYPE. |
| FILE_TYPE_OUTLOOK | File type is OUTLOOK. |
| FILE_TYPE_CAP | -- Network traffic captures -- File type is CAP. |
| FILE_TYPE_ISOIMAGE | -- Disk images -- File type is ISOIMAGE. |
| FILE_TYPE_APPLE | -- Apple environment related, executables aside -- File type is APPLE. |
| FILE_TYPE_MACINTOSH | File type is MACINTOSH. |
| FILE_TYPE_APPLESINGLE | File type is APPLESINGLE. |
| FILE_TYPE_APPLEDOUBLE | File type is APPLEDOUBLE. |
| FILE_TYPE_MACINTOSH_HFS | File type is MACINTOSH_HFS. |
| FILE_TYPE_APPLE_PLIST | File type is APPLE_PLIST. |
| FILE_TYPE_MACINTOSH_LIB | File type is MACINTOSH_LIB. |
| FILE_TYPE_APPLESCRIPT | File type is APPLESCRIPT. |
| FILE_TYPE_APPLESCRIPT_COMPILED | File type is APPLESCRIPT_COMPILED . |
| FILE_TYPE_CRX | -- Browser extensions -- File type is CRX. |
| FILE_TYPE_XPI | File type is XPI. |
| FILE_TYPE_ROM | -- Firmware related -- File type is ROM. |
extensions.vulns.vulnerabilities[n].about.process.file.first_seen_time¶
Description: First seen timestamp of the File in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.full_path¶
Description: The full path identifying the location of the file on the system.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.last_modification_time¶
Description: Timestamp when the file was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.last_seen_time¶
Description: Last seen timestamp of the IP in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.md5¶
Description: The MD5 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.mime_type¶
Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.names¶
Description: Names fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.compilation_exiftool_time¶
Description: info.exiftool.TimeStamp.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.compilation_time¶
Description: info.pe-timestamp.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.entry_point¶
Description: info.pe-entry-point.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.entry_point_exiftool¶
Description: info.exiftool.EntryPoint.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.imphash¶
Description: Imphash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.imports[n].functions¶
Description: Function field.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.imports[n].library¶
Description: Library field.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.imports¶
Description: FilemetadataImports fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].entropy¶
Description: Entropy of the resource.
Type: Number
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].file_type¶
Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].filetype_magic¶
Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].language_code¶
Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource[n].sha256_hex¶
Description: SHA256_hex field..
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resource¶
Description: FilemetadataPeResourceInfo fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count[n].key¶
Description: Key field.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count[n].value¶
Description: Value field.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count¶
Description: Deprecated. Use resources_language_count_str.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count_str[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count_str[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_language_count_str¶
Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count[n].key¶
Description: Key field.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count[n].value¶
Description: Value field.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count¶
Description: Deprecated. Use resources_type_count_str.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count_str[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count_str[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.resources_type_count_str¶
Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].entropy¶
Description: Entropy of the section.
Type: Number
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].md5_hex¶
Description: MD5 hex of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].name¶
Description: Name of the section.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].raw_size_bytes¶
Description: Raw file size in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section[n].virtual_size_bytes¶
Description: Virtual file size in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.section¶
Description: FilemetadataSection fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.signature_info.signer¶
Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.
Type: Array
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.signature_info.verification_message¶
Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.pe_file.signature_info.verified¶
Description: True iff verification_message == "Signed"
Type: Boolean
extensions.vulns.vulnerabilities[n].about.process.file.prevalence.day_count¶
Description: The number of days over which rolling_max is calculated.
Type: Integer
extensions.vulns.vulnerabilities[n].about.process.file.prevalence.rolling_max¶
Description: The maximum number of assets per day accessing the resource over the trailing day_count days.
Type: Integer
extensions.vulns.vulnerabilities[n].about.process.file.prevalence.rolling_max_sub_domains¶
Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains
Type: Integer
extensions.vulns.vulnerabilities[n].about.process.file.sha1¶
Description: The SHA1 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.sha256¶
Description: The SHA256 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.size¶
Description: The size of the file in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.ssdeep¶
Description: Ssdeep of the file
Type: String
extensions.vulns.vulnerabilities[n].about.process.file.vhash¶
Description: Vhash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process.parent_pid¶
Description: The ID of the parent process. Deprecated. Please use parent_process.pid instead.
Type: String
extensions.vulns.vulnerabilities[n].about.process.pid¶
Description: The process ID.
Type: String
extensions.vulns.vulnerabilities[n].about.process.product_specific_parent_process_id¶
Description: A product specific id for the parent process. Please use parent_process.product_specific_process_id instead.
Type: String
extensions.vulns.vulnerabilities[n].about.process.product_specific_process_id¶
Description: A product specific process id.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].access_mask¶
Description: A bit mask representing the level of access.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].command_line¶
Description: The command line command that created the process.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].command_line_history¶
Description: The command line history of the process.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.ahash¶
Description: Authentihash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.capabilities_tags¶
Description: Capabilities tags.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.file_metadata.pe.import_hash¶
Description: Hash of PE imports.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.file_type¶
Description: FileType field.
Type: Enum
| Enum | Description |
|---|---|
| FILE_TYPE_UNSPECIFIED | File type is UNSPECIFIED. |
| FILE_TYPE_PE_EXE | -- OS specific executable related files -- File type is PE_EXE. |
| FILE_TYPE_PE_DLL | We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL. |
| FILE_TYPE_MSI | File type is MSI. |
| FILE_TYPE_NE_EXE | File type is NE_EXE. |
| FILE_TYPE_NE_DLL | File type is NE_DLL. |
| FILE_TYPE_DOS_EXE | File type is DOS_EXE. |
| FILE_TYPE_DOS_COM | File type is DOS_COM. |
| FILE_TYPE_COFF | File type is COFF. |
| FILE_TYPE_ELF | File type is ELF. |
| FILE_TYPE_LINUX_KERNEL | File type is LINUX_KERNEL. |
| FILE_TYPE_RPM | File type is RPM. |
| FILE_TYPE_LINUX | File type is LINUX. |
| FILE_TYPE_MACH_O | File type is MACH_O. |
| FILE_TYPE_JAVA_BYTECODE | File type is JAVA_BYTECODE. |
| FILE_TYPE_DMG | File type is DMG. |
| FILE_TYPE_DEB | File type is DEB. |
| FILE_TYPE_PKG | File type is PKG. |
| FILE_TYPE_LNK | -- Shortcuts -- File type is LNK. |
| FILE_TYPE_JPEG | -- Image related types -- File type is JPEG. |
| FILE_TYPE_TIFF | File type is TIFF. |
| FILE_TYPE_GIF | File type is GIF. |
| FILE_TYPE_PNG | File type is PNG. |
| FILE_TYPE_BMP | File type is BMP. |
| FILE_TYPE_GIMP | File type is GIMP. |
| FILE_TYPE_IN_DESIGN | File type is IN_DESIGN. |
| FILE_TYPE_PSD | File type is PSD. Adobe Photoshop. |
| FILE_TYPE_TARGA | File type is TARGA. |
| FILE_TYPE_XWD | File type is XWD. |
| FILE_TYPE_DIB | File type is DIB. |
| FILE_TYPE_JNG | File type is JNG. |
| FILE_TYPE_ICO | File type is ICO. |
| FILE_TYPE_FPX | File type is FPX. |
| FILE_TYPE_EPS | File type is EPS. |
| FILE_TYPE_SVG | File type is SVG. |
| FILE_TYPE_EMF | File type is EMF. |
| FILE_TYPE_WEBP | File type is WEBP. |
| FILE_TYPE_OGG | -- Video related types -- File type is OGG. |
| FILE_TYPE_FLC | File type is FLC. |
| FILE_TYPE_FLI | File type is FLI. |
| FILE_TYPE_MP3 | File type is MP3. |
| FILE_TYPE_FLAC | File type is FLAC. |
| FILE_TYPE_WAV | File type is WAV. |
| FILE_TYPE_MIDI | File type is MIDI. |
| FILE_TYPE_AVI | File type is AVI. |
| FILE_TYPE_MPEG | File type is MPEG. |
| FILE_TYPE_QUICKTIME | File type is QUICKTIME. |
| FILE_TYPE_ASF | File type is ASF. |
| FILE_TYPE_DIVX | File type is DIVX. |
| FILE_TYPE_FLV | File type is FLV. |
| FILE_TYPE_WMA | File type is WMA. |
| FILE_TYPE_WMV | File type is WMV. |
| FILE_TYPE_RM | File type is RM. RealMedia type. |
| FILE_TYPE_MOV | File type is MOV. |
| FILE_TYPE_MP4 | File type is MP4. |
| FILE_TYPE_T3GP | File type is T3GP. |
| FILE_TYPE_PDF | -- Document types -- File type is PDF. |
| FILE_TYPE_PS | File type is PS. |
| FILE_TYPE_DOC | File type is DOC. |
| FILE_TYPE_DOCX | File type is DOCX. |
| FILE_TYPE_PPT | File type is PPT. |
| FILE_TYPE_PPTX | File type is PPTX. |
| FILE_TYPE_PPSX | File type is PPSX. |
| FILE_TYPE_XLS | File type is XLS. |
| FILE_TYPE_XLSX | File type is XLSX. |
| FILE_TYPE_RTF | File type is RTF. |
| FILE_TYPE_ODP | File type is ODP. |
| FILE_TYPE_ODS | File type is ODS. |
| FILE_TYPE_ODT | File type is ODT. |
| FILE_TYPE_HWP | File type is HWP. |
| FILE_TYPE_GUL | File type is GUL. |
| FILE_TYPE_ODF | File type is ODF. |
| FILE_TYPE_ODG | File type is ODG. |
| FILE_TYPE_EBOOK | -- Text/ebook related -- File type is EBOOK. |
| FILE_TYPE_LATEX | File type is LATEX. |
| FILE_TYPE_TTF | File type is TTF. |
| FILE_TYPE_EOT | File type is EOT. |
| FILE_TYPE_WOFF | File type is WOFF. |
| FILE_TYPE_CHM | File type is CHM. |
| FILE_TYPE_ZIP | -- Compressed bundles -- File type is ZIP. |
| FILE_TYPE_GZIP | File type is GZIP. |
| FILE_TYPE_BZIP | File type is BZIP. |
| FILE_TYPE_RZIP | File type is RZIP. |
| FILE_TYPE_DZIP | File type is DZIP. |
| FILE_TYPE_SEVENZIP | File type is SEVENZIP. |
| FILE_TYPE_CAB | File type is CAB. |
| FILE_TYPE_JAR | File type is JAR. |
| FILE_TYPE_RAR | File type is RAR. |
| FILE_TYPE_MSCOMPRESS | File type is MSCOMPRESS. |
| FILE_TYPE_ACE | File type is ACE. |
| FILE_TYPE_ARC | File type is ARC. |
| FILE_TYPE_ARJ | File type is ARJ. |
| FILE_TYPE_ASD | File type is ASD. |
| FILE_TYPE_BLACKHOLE | File type is BLACKHOLE. |
| FILE_TYPE_KGB | File type is KGB. |
| FILE_TYPE_ZLIB | File type is ZLIB. |
| FILE_TYPE_TAR | File type is TAR. |
| FILE_TYPE_TEXT | -- Scripting -- File type is TEXT. |
| FILE_TYPE_SCRIPT | File type is SCRIPT. |
| FILE_TYPE_PHP | File type is PHP. |
| FILE_TYPE_PYTHON | File type is PYTHON. |
| FILE_TYPE_PERL | File type is PERL. |
| FILE_TYPE_RUBY | File type is RUBY. |
| FILE_TYPE_C | File type is C. |
| FILE_TYPE_CPP | File type is CPP. |
| FILE_TYPE_JAVA | File type is JAVA. |
| FILE_TYPE_SHELLSCRIPT | File type is SHELLSCRIPT. |
| FILE_TYPE_PASCAL | File type is PASCAL. |
| FILE_TYPE_AWK | File type is AWK. |
| FILE_TYPE_DYALOG | File type is DYALOG. |
| FILE_TYPE_FORTRAN | File type is FORTRAN. |
| FILE_TYPE_JAVASCRIPT | File type is JAVASCRIPT. |
| FILE_TYPE_POWERSHELL | File type is POWERSHELL. |
| FILE_TYPE_VBA | File type is VBA. |
| FILE_TYPE_SYMBIAN | -- Mobile phone types -- File type is SYMBIAN. |
| FILE_TYPE_PALMOS | File type is PALMOS. |
| FILE_TYPE_WINCE | File type is WINCE. |
| FILE_TYPE_ANDROID | File type is ANDROID. |
| FILE_TYPE_IPHONE | File type is IPHONE. |
| FILE_TYPE_HTML | -- Web related -- File type is HTML. |
| FILE_TYPE_XML | File type is XML. |
| FILE_TYPE_SWF | File type is SWF. |
| FILE_TYPE_FLA | File type is FLA. |
| FILE_TYPE_COOKIE | File type is COOKIE. |
| FILE_TYPE_TORRENT | File type is TORRENT. |
| FILE_TYPE_EMAIL_TYPE | File type is EMAIL_TYPE. |
| FILE_TYPE_OUTLOOK | File type is OUTLOOK. |
| FILE_TYPE_CAP | -- Network traffic captures -- File type is CAP. |
| FILE_TYPE_ISOIMAGE | -- Disk images -- File type is ISOIMAGE. |
| FILE_TYPE_APPLE | -- Apple environment related, executables aside -- File type is APPLE. |
| FILE_TYPE_MACINTOSH | File type is MACINTOSH. |
| FILE_TYPE_APPLESINGLE | File type is APPLESINGLE. |
| FILE_TYPE_APPLEDOUBLE | File type is APPLEDOUBLE. |
| FILE_TYPE_MACINTOSH_HFS | File type is MACINTOSH_HFS. |
| FILE_TYPE_APPLE_PLIST | File type is APPLE_PLIST. |
| FILE_TYPE_MACINTOSH_LIB | File type is MACINTOSH_LIB. |
| FILE_TYPE_APPLESCRIPT | File type is APPLESCRIPT. |
| FILE_TYPE_APPLESCRIPT_COMPILED | File type is APPLESCRIPT_COMPILED . |
| FILE_TYPE_CRX | -- Browser extensions -- File type is CRX. |
| FILE_TYPE_XPI | File type is XPI. |
| FILE_TYPE_ROM | -- Firmware related -- File type is ROM. |
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.first_seen_time¶
Description: First seen timestamp of the File in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.full_path¶
Description: The full path identifying the location of the file on the system.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.last_modification_time¶
Description: Timestamp when the file was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.last_seen_time¶
Description: Last seen timestamp of the IP in the customer tenant.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.md5¶
Description: The MD5 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.mime_type¶
Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.names¶
Description: Names fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.compilation_exiftool_time¶
Description: info.exiftool.TimeStamp.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.compilation_time¶
Description: info.pe-timestamp.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.entry_point¶
Description: info.pe-entry-point.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.entry_point_exiftool¶
Description: info.exiftool.EntryPoint.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.imphash¶
Description: Imphash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.imports[n].functions¶
Description: Function field.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.imports[n].library¶
Description: Library field.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.imports¶
Description: FilemetadataImports fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].entropy¶
Description: Entropy of the resource.
Type: Number
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].file_type¶
Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].filetype_magic¶
Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].language_code¶
Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource[n].sha256_hex¶
Description: SHA256_hex field..
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resource¶
Description: FilemetadataPeResourceInfo fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count[n].key¶
Description: Key field.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count[n].value¶
Description: Value field.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count¶
Description: Deprecated. Use resources_language_count_str.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_language_count_str¶
Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count[n].key¶
Description: Key field.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count[n].value¶
Description: Value field.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count¶
Description: Deprecated. Use resources_type_count_str.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.resources_type_count_str¶
Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].entropy¶
Description: Entropy of the section.
Type: Number
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].md5_hex¶
Description: MD5 hex of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].name¶
Description: Name of the section.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].raw_size_bytes¶
Description: Raw file size in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section[n].virtual_size_bytes¶
Description: Virtual file size in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.section¶
Description: FilemetadataSection fields.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.signature_info.signer¶
Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.
Type: Array
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.signature_info.verification_message¶
Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.pe_file.signature_info.verified¶
Description: True iff verification_message == "Signed"
Type: Boolean
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.prevalence.day_count¶
Description: The number of days over which rolling_max is calculated.
Type: Integer
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.prevalence.rolling_max¶
Description: The maximum number of assets per day accessing the resource over the trailing day_count days.
Type: Integer
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.prevalence.rolling_max_sub_domains¶
Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains
Type: Integer
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.sha1¶
Description: The SHA1 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.sha256¶
Description: The SHA256 hash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.size¶
Description: The size of the file in bytes.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.ssdeep¶
Description: Ssdeep of the file
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].file.vhash¶
Description: Vhash of the file.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].parent_pid¶
Description: The ID of the parent process. Deprecated. Please use parent_process.pid instead.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].pid¶
Description: The process ID.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].product_specific_parent_process_id¶
Description: A product specific id for the parent process. Please use parent_process.product_specific_process_id instead.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors[n].product_specific_process_id¶
Description: A product specific process id.
Type: String
extensions.vulns.vulnerabilities[n].about.process_ancestors¶
Description: Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
Type: Array
extensions.vulns.vulnerabilities[n].about.registry.registry_key¶
Description: Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).
Type: String
extensions.vulns.vulnerabilities[n].about.registry.registry_value_data¶
Description: Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).
Type: String
extensions.vulns.vulnerabilities[n].about.registry.registry_value_name¶
Description: Name of the registry value associated with an application or system component (e.g. TEMP).
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.resource.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.resource.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.resource.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.resource.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.resource.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.resource.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.resource.id¶
Description: DEPRECATED
Type: String
extensions.vulns.vulnerabilities[n].about.resource.name¶
Description: The name of the resource.
Type: String
extensions.vulns.vulnerabilities[n].about.resource.parent¶
Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.
Type: String
extensions.vulns.vulnerabilities[n].about.resource.product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)
Type: String
extensions.vulns.vulnerabilities[n].about.resource.resource_subtype¶
Description: Resource sub-type (e.g. "BigQuery", "Bigtable").
Type: String
extensions.vulns.vulnerabilities[n].about.resource.resource_type¶
Description: Resource type.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED | Default type. |
| MUTEX | Mutex. |
| TASK | Task. |
| PIPE | Named pipe. |
| DEVICE | Device. |
| FIREWALL_RULE | Firewall rule. |
| MAILBOX_FOLDER | Mailbox folder. |
| VPC_NETWORK | VPC Network. |
| VIRTUAL_MACHINE | Virtual machine. |
| STORAGE_BUCKET | Storage bucket. |
| STORAGE_OBJECT | Storage object. |
| DATABASE | Database. |
| TABLE | Data table. |
| CLOUD_PROJECT | Cloud project. |
| CLOUD_ORGANIZATION | Cloud organization. |
| SERVICE_ACCOUNT | Service account. DEPRECATED. Service accounts should be type User. |
| ACCESS_POLICY | Access policy. |
| CLUSTER | Cluster. |
| SETTING | Settings. |
| DATASET | Dataset. |
| BACKEND_SERVICE | Endpoint that receive traffic from a load balancer or proxy. |
extensions.vulns.vulnerabilities[n].about.resource.type¶
Description: DEPRECATED - use resource_type instead.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].id¶
Description: DEPRECATED
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].name¶
Description: The name of the resource.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].parent¶
Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].resource_subtype¶
Description: Resource sub-type (e.g. "BigQuery", "Bigtable").
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].resource_type¶
Description: Resource type.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED | Default type. |
| MUTEX | Mutex. |
| TASK | Task. |
| PIPE | Named pipe. |
| DEVICE | Device. |
| FIREWALL_RULE | Firewall rule. |
| MAILBOX_FOLDER | Mailbox folder. |
| VPC_NETWORK | VPC Network. |
| VIRTUAL_MACHINE | Virtual machine. |
| STORAGE_BUCKET | Storage bucket. |
| STORAGE_OBJECT | Storage object. |
| DATABASE | Database. |
| TABLE | Data table. |
| CLOUD_PROJECT | Cloud project. |
| CLOUD_ORGANIZATION | Cloud organization. |
| SERVICE_ACCOUNT | Service account. DEPRECATED. Service accounts should be type User. |
| ACCESS_POLICY | Access policy. |
| CLUSTER | Cluster. |
| SETTING | Settings. |
| DATASET | Dataset. |
| BACKEND_SERVICE | Endpoint that receive traffic from a load balancer or proxy. |
extensions.vulns.vulnerabilities[n].about.resource_ancestors[n].type¶
Description: DEPRECATED - use resource_type instead.
Type: String
extensions.vulns.vulnerabilities[n].about.resource_ancestors¶
Description: Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).
Type: Array
extensions.vulns.vulnerabilities[n].about.url¶
Description: The URL.
Type: String
extensions.vulns.vulnerabilities[n].about.user.account_type¶
Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/
Type: Enum
| Enum | Description |
|---|---|
| ACCOUNT_TYPE_UNSPECIFIED | Default user account type. |
| DOMAIN_ACCOUNT_TYPE | A human account part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE | A local machine account. |
| CLOUD_ACCOUNT_TYPE | A SaaS service account type (Slack, GitHub, etc). |
| SERVICE_ACCOUNT_TYPE | A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE | A system built in default account. |
extensions.vulns.vulnerabilities[n].about.user.attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.user.attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.user.attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.user.attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.user.attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.user.attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.user.attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.user.company_name¶
Description: User job company name.
Type: String
extensions.vulns.vulnerabilities[n].about.user.department¶
Description: User job department
Type: Array
extensions.vulns.vulnerabilities[n].about.user.email_addresses¶
Description: Email addresses of the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.user.employee_id¶
Description: Human capital management identifier.
Type: String
extensions.vulns.vulnerabilities[n].about.user.first_name¶
Description: First name of the user (e.g. "John").
Type: String
extensions.vulns.vulnerabilities[n].about.user.first_seen_time¶
Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
Type: String
extensions.vulns.vulnerabilities[n].about.user.group_identifiers¶
Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
Type: Array
extensions.vulns.vulnerabilities[n].about.user.groupid¶
Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
Type: String
extensions.vulns.vulnerabilities[n].about.user.hire_date¶
Description: User job employment hire date.
Type: String
extensions.vulns.vulnerabilities[n].about.user.last_name¶
Description: Last name of the user (e.g. "Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.user.managers¶
Description: User job manager(s).
Type: Array
extensions.vulns.vulnerabilities[n].about.user.middle_name¶
Description: Middle name of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.user.office_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.user.office_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.user.office_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.user.office_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.user.office_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.user.office_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.user.office_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.user.office_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.user.personal_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.user.personal_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.user.personal_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.user.personal_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.user.personal_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.user.personal_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.user.personal_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.user.personal_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.user.phone_numbers¶
Description: Phone numbers for the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.user.product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
Type: String
extensions.vulns.vulnerabilities[n].about.user.role_description¶
Description: System role description for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.user.role_name¶
Description: System role name for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.user.termination_date¶
Description: User job employment termination date.
Type: String
extensions.vulns.vulnerabilities[n].about.user.time_off[n].description¶
Description: Description of the leave if available (e.g. 'Vacation').
Type: String
extensions.vulns.vulnerabilities[n].about.user.time_off[n].interval.end_time¶
Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.
Type: String
extensions.vulns.vulnerabilities[n].about.user.time_off[n].interval.start_time¶
Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.
Type: String
extensions.vulns.vulnerabilities[n].about.user.time_off¶
Description: User time off leaves from active work.
Type: Array
extensions.vulns.vulnerabilities[n].about.user.title¶
Description: User job title.
Type: String
extensions.vulns.vulnerabilities[n].about.user.user_authentication_status¶
Description: System authentication status for user.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_AUTHENTICATION_STATUS | The default authentication status. |
| ACTIVE | The authentication method is in active state. |
| SUSPENDED | The authentication method is in suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS | The authentication method has no active credentials. |
| DELETED | The authentication method has been deleted. |
extensions.vulns.vulnerabilities[n].about.user.user_display_name¶
Description: The display name of the user (e.g. "John Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.user.user_role¶
Description: System role for user. DEPRECATED: use attribute.roles.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_ROLE | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type. |
extensions.vulns.vulnerabilities[n].about.user.userid¶
Description: The ID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.user.windows_sid¶
Description: The windows SID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].account_type¶
Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/
Type: Enum
| Enum | Description |
|---|---|
| ACCOUNT_TYPE_UNSPECIFIED | Default user account type. |
| DOMAIN_ACCOUNT_TYPE | A human account part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE | A local machine account. |
| CLOUD_ACCOUNT_TYPE | A SaaS service account type (Slack, GitHub, etc). |
| SERVICE_ACCOUNT_TYPE | A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE | A system built in default account. |
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.cloud.availability_zone¶
Description: The cloud environment availability zone (different from region which is location.name).
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.cloud.environment¶
Description: The Cloud environment.
Type: Enum
| Enum | Description |
|---|---|
| UNSPECIFIED_CLOUD_ENVIRONMENT | Default. |
| GOOGLE_CLOUD_PLATFORM | Google Cloud Platform. |
| AMAZON_WEB_SERVICES | Amazon Web Services. |
| MICROSOFT_AZURE | Microsoft Azure. |
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.creation_time¶
Description: Time the resource or entity was created or provisioned.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.labels[n].key¶
Description: The key.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.labels[n].value¶
Description: The value.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.labels¶
Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.last_update_time¶
Description: Time the resource or entity was last updated.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.permissions[n].description¶
Description: Description of the permission (e.g. 'Ability to update detect rules').
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.permissions[n].name¶
Description: Name of the permission (e.g. chronicle.analyst.updateRule).
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.permissions[n].type¶
Description: Type of the permission.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_PERMISSION_TYPE | Default permission type. |
| ADMIN_WRITE | Administrator write permission. |
| ADMIN_READ | Administrator read permission. |
| DATA_WRITE | Data resource access write permission. |
| DATA_READ | Data resource access read permission. |
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.permissions¶
Description: System permissions for IAM entity (human principal, service account, group).
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.roles[n].description¶
Description: System role description for user.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.roles[n].name¶
Description: System role name for user.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.roles[n].type¶
Description: System role type for well known roles.
Type: Enum
| Enum | Description |
|---|---|
| TYPE_UNSPECIFIED | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. |
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].attribute.roles¶
Description: System IAM roles to be assumed by resources to use the role's permissions for access control.
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].company_name¶
Description: User job company name.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].department¶
Description: User job department
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].email_addresses¶
Description: Email addresses of the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].employee_id¶
Description: Human capital management identifier.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].first_name¶
Description: First name of the user (e.g. "John").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].first_seen_time¶
Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].group_identifiers¶
Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].groupid¶
Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].hire_date¶
Description: User job employment hire date.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].last_name¶
Description: Last name of the user (e.g. "Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].managers¶
Description: User job manager(s).
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].middle_name¶
Description: Middle name of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].office_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.city¶
Description: The city.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.country_or_region¶
Description: The country or region.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.desk_name¶
Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.floor_name¶
Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.name¶
Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.region_latitude¶
Description: Latitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.region_longitude¶
Description: Longitude of the center of the associated region.
Type: Number
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].personal_address.state¶
Description: The state.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].phone_numbers¶
Description: Phone numbers for the user.
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].product_object_id¶
Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].role_description¶
Description: System role description for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].role_name¶
Description: System role name for user. DEPRECATED: use attribute.roles.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].termination_date¶
Description: User job employment termination date.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].time_off[n].description¶
Description: Description of the leave if available (e.g. 'Vacation').
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].time_off[n].interval.end_time¶
Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].time_off[n].interval.start_time¶
Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].time_off¶
Description: User time off leaves from active work.
Type: Array
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].title¶
Description: User job title.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].user_authentication_status¶
Description: System authentication status for user.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_AUTHENTICATION_STATUS | The default authentication status. |
| ACTIVE | The authentication method is in active state. |
| SUSPENDED | The authentication method is in suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS | The authentication method has no active credentials. |
| DELETED | The authentication method has been deleted. |
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].user_display_name¶
Description: The display name of the user (e.g. "John Locke").
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].user_role¶
Description: System role for user. DEPRECATED: use attribute.roles.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_ROLE | Default user role. |
| ADMINISTRATOR | Product administrator with elevated privileges. |
| SERVICE_ACCOUNT | System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type. |
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].userid¶
Description: The ID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain[n].windows_sid¶
Description: The windows SID of the user.
Type: String
extensions.vulns.vulnerabilities[n].about.user_management_chain¶
Description: Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.
Type: Array
extensions.vulns.vulnerabilities[n].cve_description¶
Description: Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
Type: String
extensions.vulns.vulnerabilities[n].cve_id¶
Description: Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id
Type: String
extensions.vulns.vulnerabilities[n].cvss_base_score¶
Description: CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.
Type: Number
extensions.vulns.vulnerabilities[n].cvss_vector¶
Description: Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE
Type: String
extensions.vulns.vulnerabilities[n].cvss_version¶
Description: Version of CVSS Vector/Score.
Type: String
extensions.vulns.vulnerabilities[n].description¶
Description: Description of the vulnerability.
Type: String
extensions.vulns.vulnerabilities[n].first_found¶
Description: Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
Type: String
extensions.vulns.vulnerabilities[n].last_found¶
Description: Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
Type: String
extensions.vulns.vulnerabilities[n].name¶
Description: Name of the vulnerability (e.g. "Unsupported OS Version detected").
Type: String
extensions.vulns.vulnerabilities[n].scan_end_time¶
Description: If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.
Type: String
extensions.vulns.vulnerabilities[n].scan_start_time¶
Description: If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.
Type: String
extensions.vulns.vulnerabilities[n].severity¶
Description: The severity of the vulnerability.
Type: Enum
| Enum | Description |
|---|---|
| UNKNOWN_SEVERITY | The default severity level. |
| LOW | Low severity. |
| MEDIUM | Medium severity. |
| HIGH | High severity. |
| CRITICAL | Critical severity. |
extensions.vulns.vulnerabilities[n].severity_details¶
Description: Vendor-specific severity
Type: String
extensions.vulns.vulnerabilities[n].vendor¶
Description: Vendor of scan that discovered vulnerability.
Type: String
extensions.vulns.vulnerabilities[n].vendor_knowledge_base_article_id¶
Description: Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft) https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase
Type: String
extensions.vulns.vulnerabilities[n].vendor_vulnerability_id¶
Description: Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
Type: String
extensions.vulns.vulnerabilities¶
Description: A list of vulnerabilities.
Type: Array