File Threat Intelligence
File Threat Intelligence is a searchable entity at the top of Query's UI.
file_intelligence
Insights from threat intelligence platforms about files
Contents
Attributes
| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Details | details | String | Details about the IP address. | ||
| Filenames | filenames | String | The names a file is known by. | ||
| Findings | findings | Finding | The findings from threat intelligence platforms | ||
| Fingerprints | fingerprints | Fingerprint | An array of known fingerprints for the file. | ||
| First Seen | first_seen_time | Timestamp | The initial detection time of the activity or object. See specific usage | ||
| Labels | labels | String | The labels or tags in the intelligence. | ||
| Last Seen | last_seen_time | Timestamp | The most recent detection time of the activity or object. See specific usage. | ||
| Raw Data | raw_data | JSON | The event data as received from the event source. | ||
| Record ID | record_id | String | Unique identifier for the object | ||
| Additional references for more information. | references | String | A list of reference URLs supporting the finding/detection. | ||
| Reputations | reputations | Reputation | Reputation score as reported by provider | ||
| Unmapped Data | unmapped | Unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | ||
| Vendor Name | vendor_name | String | The vendor that provided the intelligence. |
References
Referenced By
Context
JSON
{
"description": "Insights from threat intelligence platforms about files",
"caption": "File Threat Intelligence",
"name": "file_intelligence",
"extends": "_base_threat_intelligence",
"attributes": {
"fingerprints": {
"description": "An array of known fingerprints for the file.",
"requirement": "optional",
"caption": "Fingerprints",
"type": "fingerprint",
"is_array": true
},
"filenames": {
"description": "The names a file is known by.",
"requirement": "optional",
"caption": "Filenames",
"type": "string_t",
"is_array": true
},
"first_seen_time": {
"requirement": "optional",
"caption": "First Seen",
"description": "The initial detection time of the activity or object. See specific usage",
"type": "timestamp_t"
},
"last_seen_time": {
"requirement": "optional",
"caption": "Last Seen",
"description": "The most recent detection time of the activity or object. See specific usage.",
"type": "timestamp_t"
},
"vendor_name": {
"description": "The vendor that provided the intelligence.",
"requirement": "optional",
"caption": "Vendor Name",
"type": "string_t"
},
"references": {
"caption": "Additional references for more information.",
"requirement": "optional",
"description": "A list of reference URLs supporting the finding/detection.",
"type": "string_t",
"is_array": true
},
"reputations": {
"description": "Reputation score as reported by provider",
"requirement": "optional",
"caption": "Reputations",
"is_array": true,
"type": "reputation"
},
"findings": {
"description": "The findings from threat intelligence platforms",
"requirement": "optional",
"caption": "Findings",
"type": "finding",
"is_array": true
},
"labels": {
"description": "The labels or tags in the intelligence.",
"requirement": "optional",
"caption": "Labels",
"type": "string_t",
"is_array": true
},
"details": {
"description": "Details about the IP address.",
"requirement": "optional",
"caption": "Details",
"type": "string_t"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
}
},
"extension": "query"
}