9.2. Engine log data structure

The logs are composed of different parts:

  • The header part

  • The source part defined by "_source"

  • The field portion defined by "_fields"


9.2.1. Fields of the header part of logs

Table: header part of Malcore logs

| Field | Required | Description | Value or example |
|---|---|---|---|
| _index | Yes | Internal index | engines_alerts-2024.11.26-000022 |
| _type | Yes | Default type | _doc |
| _id | Yes | Internal identifier | q5zQZ5MBe7GX5B2fx7DG |
| _version | Yes | Internal version | 1 |
| _score | Yes | Relevance of the response to the request | 0 |


9.2.2. Fields of the source part of logs

9.2.2.1. dga category

Table: dga

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| dga | dga_count | numeric | Number of DGAs | 29 |
| dga | dga_ratio | numeric | Ratio of DGAs (dga_count/nx_domain_count) | 1 |
| dga | malware_behavior_confidence | numeric | Malware behavior confidence in percent | 50 |
| dga | nx_domain_count | numeric | Number of NX domains analysed | 29 |
| dga | top_DGA | string | Top DGAs based on score | ["tjzjyiheo.com", "nvtcvimt.com", "vmfyaxnse.com", "htjykhvta.com", "csmanuivsrlx.com", "sbxsgfddr.com", "oyttwuyshcgxxaenbit.com", "seklusaprnkwhvybzc.com", "xxcnirvbqivbucfsbliu.com", "jgjvgfetpammdrxwn.com"] |

9.2.2.2. destination category

Table: destination

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| destination | ip | string | IP address of the destination | x.x.x.x |
| destination | mac | string | MAC address of the destination IP | 90:e2:ba:a6:a4:91 |
| destination | port | numeric | Port of the destination IP | 19609 |


9.2.2.3. ecs category

Table: ecs

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| ecs | version | numeric | ECS version this event conforms to | 8.6.0 |


9.2.2.4. event category

Table: event

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| event | category | string | Event category. The second categorization field in the hierarchy. | file, network, intrusion_detection |
| event | created | date | Time when the event was first read by an agent or by your pipeline | 2024-11-26T09:17:00.775521+0000 |
| event | dataset | string | Name of the dataset | alert |
| event | end | date | | |
| event | id | string | Unique ID to describe the event | 28e92cac-b1de-4b20-ab71-5eeb325f64ed |
| event | kind | string | The kind of the event. The highest categorization field in the hierarchy | alert |
| event | module | string | Name of the module this data is coming from | Malcore, malcore_retroanalyzer, ... |
| event | severity | numeric | Analysis result code. | Between 0 and 3: 0=clean, 1=infected, 2=suspicious, 3=Other |
| event | start | date | | |


9.2.2.5. file category

Table: file

| Level 1 | Level 2 | Level 3 | Data type | Description | Value or example |
|---|---|---|---|---|---|
| file | file_id | | numeric | The file id | 646 |
| file | gaps | | boolean | Monitoring inconsistency in file size | false |
| file | hash | md5 | string | MD5 hash of the analyzed file | c279be702893.... |
| file | hash | sha1 | string | SHA1 hash of the analyzed file | |
| file | hash | sha256 | string | SHA256 hash of the analyzed file | 4679e7f2018c19... |
| file | magic | | string | File format identifier (magic signature), detected by Sigflow using a reduced database. | Zip archive data, at least v2.0 to extract |
| file | name | | string | Name of the file including the extension, without the directory | smtptest-2021-02-24T17-30-01Z.zip |
| file | sid | | string | Alert ID. Must be unique. | 1100043 |
| file | size | | numeric | File size in bytes | 77068 |
| file | state | | string | Completeness of the analyzed file: CLOSED if complete, otherwise TRUNCATED. The Sigflow file-store.stream-depth variable defines the size of the reconstructed files; the file is TRUNCATED if its size exceeds the file-store stream depth (10 MB by default). | CLOSED |
| file | stored | | boolean | If "true", the file was stored on disk for further analysis | true |
| file | tx_id | | numeric | Transaction identifier (query/response pair) | 1 |


9.2.2.6. flow category

Table: flow

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| flow | bytes_toclient | numeric | Size of the flow to the client (bytes) | 15280 |
| flow | bytes_toserver | numeric | Size of the flow to the server (bytes) | 128 |
| flow | pkts_toclient | numeric | Number of packets to the client | 12 |
| flow | pkts_toserver | numeric | Number of packets to the server | 4 |
| flow | start | date | Date and time of the first packet seen by Sigflow | 2024-11-26T09:16:56.277148+0000 |


9.2.2.7. HTTP category

Table: http

| Level 1 | Level 2 | Level 3 | Level 4 | Data type | Description | Value or example |
|---|---|---|---|---|---|---|
| http | accept | | | string | Accept header of the request | |
| http | date | | | date | | |
| http | hostname | | | string | The hostname this HTTP event is attributed to | tsevid-synonymi.justdanceatsea.com |
| http | http_port | | | numeric | HTTP port | 8080 |
| http | http_refer | | | string | | http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php |
| http | http_user_agent | | | string | | |
| http | http2 | request | priority | numeric | | |
| http | http2 | stream_id | | numeric | | |
| http | http2 | response | | numeric | | |
| http | last_modified | | | string | | |
| http | request | method | | string | HTTP request method | GET |
| http | request | mime_type | | string | | |
| http | request_headers | name= | accept | string | | |
| http | request_headers | value | | string | | |
| http | request_headers | name= | accept-encoding | string | | |
| http | request_headers | value | | string | | |
| http | request_headers | name= | :authority | string | | |
| http | request_headers | value | | string | | |
| http | request_headers | name= | :method | string | | |
| http | request_headers | value | | string | | |
| http | request_headers | name= | :path | string | | |
| http | request_headers | value | | string | | |
| http | request_headers | name= | :scheme | string | | |
| http | request_headers | value | | string | | |
| http | request_headers | name= | user-agent | string | | |
| http | request_headers | value | | string | | |
| http | response | bytes | | numeric | Total size in bytes of the response (body and headers) | 77068 |
| http | response | mime_type | | string | MIME type of the body of the response | application/x-shockwave-flash |
| http | response | status | | numeric | HTTP response code: 1xx informational response (the request was received, continuing process); 2xx successful (the request was successfully received, understood, and accepted); 3xx redirection (further action needs to be taken in order to complete the request); 4xx client error (the request contains bad syntax or cannot be fulfilled); 5xx server error (the server failed to fulfil an apparently valid request) | 200 |
| http | response_headers | name= | accept-ranges | string | | |
| http | response_headers | value | | string | | |
| http | response_headers | name= | content-length | string | | |
| http | response_headers | value | | string | | |
| http | response_headers | name= | content-type | string | | |
| http | response_headers | value | | string | | |
| http | response_headers | name= | date | string | | |
| http | response_headers | value | | string | | |
| http | response_headers | name= | etag | string | | |
| http | response_headers | value | | string | | |
| http | response_headers | last_modified | etag | string | | |
| http | response_headers | value | | string | | |
| http | response_headers | last_modified | server | string | | |
| http | response_headers | value | | string | | |
| http | response_headers | last_modified | :status | string | | |
| http | response_headers | value | | string | | |
| http | url | | | string | | |
| http | version | | | string | HTTP version | HTTP/1.1 |


9.2.2.8. ioc category

Table: ioc

| Level 1 | Level 2 | Level 3 | Data type | Description |
|---|---|---|---|---|
| ioc | id | | numeric | |
| ioc | campaigns | | string | The campaigns of the IOC |
| ioc | case_id | | string | The case id of the IOC |
| ioc | categories | | string | The categories of the IOC |
| ioc | creation_date | | date | The creation date of the IOC |
| ioc | description | | string | The description of the IOC |
| ioc | external_links | source_name | string | |
| ioc | external_links | url | string | The external links of the IOC |
| ioc | families | | string | The families of the IOC |
| ioc | kill_chain_phases | | string | The kill chain phases of the IOC |
| ioc | meta_data | cwe | string | The meta data of the IOC |
| ioc | meta_data | descriptions | string | |
| ioc | meta_data | usageMode | string | |
| ioc | package_date | | date | The package date of the IOC |
| ioc | relations | | string | The uuid related to the IOC |
| ioc | signature | | string | The signature of the IOC |
| ioc | tags | | string | The tags of the IOC |
| ioc | targeted_countries | | string | The targeted countries of the IOC |
| ioc | targeted_organizations | | string | The targeted organizations of the IOC |
| ioc | targeted_platforms | | string | The targeted platforms of the IOC |
| ioc | targeted_sectors | | string | The targeted sectors of the IOC |
| ioc | threat_actor | | string | The threat actor of the IOC |
| ioc | tlp | | string | The TLP (color-based) level of the IOC |
| ioc | ttp | | string | The tactics, techniques, and procedures of the IOC |
| ioc | type | | string | The type of the IOC |
| ioc | updated_date | | date | The updated date of the IOC |
| ioc | usage_mode | | string | The usage mode of the IOC |
| ioc | value | | string | The value of the IOC |
| ioc | vulnerabilities | | string | The vulnerabilities of the IOC |


9.2.2.9. malcore category

Table: malcore

| Level 1 | Level 2 | Level 3 | Level 4 | Data type | Description | Value or example |
|---|---|---|---|---|---|---|
| malcore | analyzed_clean | | | numeric | Number of engines with result CLEAN | 0 |
| malcore | analyzed_error | | | numeric | Number of engines with FAILED, CLEANED or DELETED result | 0 |
| malcore | analyzed_infected | | | numeric | Number of engines with INFECTED result | 9 |
| malcore | analyzed_other | | | numeric | Number of engines with result other than CLEAN, INFECTED or SUSPICIOUS | 7 |
| malcore | analyzed_suspicious | | | numeric | Number of engines with SUSPICIOUS result | 0 |
| malcore | analyzers_up | | | numeric | Total number of engines used for analysis | 16 |
| malcore | code | | | numeric | Malcore analysis return code. See the table Malcore engine results | 1 |
| malcore | detail_scan_time | | | numeric | File analysis time (ms) by Malcore engines | 245 |
| malcore | detail_threat_found | | | string | Comma separated list of detected threat names | "Infected: EICAR-Test-File (not a virus) (B).... |
| malcore | detail_wait_time | | | numeric | Time elapsed between sending the file to the node and receiving the engine result, in milliseconds | 1096 |
| malcore | engine_id | 0-15 | | numeric | Malcore engine number (0 to 15) | 4 |
| malcore | engine_id | 0-15 | id | string | Engine id | b557a5r |
| malcore | engine_id | 0-15 | scan_result | string | Analysis result (INFECTED or CLEAN) | INFECTED |
| malcore | engine_id | 0-15 | threat_details | string | Threat details of the result for this engine | EICAR-Test-File (not a virus) (B) |
| malcore | engines_last_update_date | | | date | Date of last update of Malcore engines | 2023-07-11T11:32:00Z |
| malcore | file_type | | | string | Type of file analyzed | application/zip |
| malcore | file_type_description | | | string | Description of the file type | ZIP Archive |
| malcore | magic_details | | | string | Detailed magic information (payload type) | Zip archive data, at least v2.0 to extract |
| malcore | processing_time | | | numeric | Analysis processing time | 1341 |
| malcore | reporting_token | | | string | Token used with GBox. If there is no GBox, the message is NO GBOX | GBOX# |
| malcore | state | | | string | Malcore engine analysis result. The result is "Infected" as soon as the result of one engine is "Infected" | Infected |
| malcore | total_found | | | string | Number of engines that detected the file as infected divided by the total number of engines | XX/YY with YY between 0 and 16 and XX between 0 and YY; example 9/16 |


9.2.2.10. malcore_retroanalyzer category

Table: malcore_retroanalyzer

| Level 1 | Level 2 | Level 3 | Level 4 | Data type | Description | Value or example |
|---|---|---|---|---|---|---|
| malcore_retroanalyzer | analyzed_clean | | | numeric | Number of engines with result CLEAN | 0 |
| malcore_retroanalyzer | analyzed_error | | | numeric | Number of engines with result in FAILED, CLEANED_OR_DELETED, SCAN_SKIPPED_WHITELIST, SCAN_SKIPPED_BLACKLIST, NOT_SCANNED, CANCELED, UNSUPPORTED_FILE_TYPE, IN_PROGRESS | 0 |
| malcore_retroanalyzer | analyzed_infected | | | numeric | Number of engines with INFECTED result | 9 |
| malcore_retroanalyzer | analyzed_other | | | numeric | Number of engines with result other than CLEAN, INFECTED or SUSPICIOUS | 7 |
| malcore_retroanalyzer | analyzed_suspicious | | | numeric | Number of engines with SUSPICIOUS result | 0 |
| malcore_retroanalyzer | analyzers_up | | | numeric | Total number of engines used for analysis | 16 |
| malcore_retroanalyzer | code | | | numeric | Malcore analysis return code. See the table Malcore engine results | 1 |
| malcore_retroanalyzer | detail_scan_time | | | numeric | File analysis time (ms) by Malcore engines | 245 |
| malcore_retroanalyzer | detail_threat_found | | | string | Comma separated list of detected threat names | "Infected: EICAR-Test-File (not a virus) (B).... |
| malcore_retroanalyzer | detail_wait_time | | | numeric | Time elapsed between sending the file to the node and receiving the engine result, in milliseconds | 1096 |
| malcore_retroanalyzer | engine_id | | | numeric | Malcore engine number (0 to 15) | 4 |
| malcore_retroanalyzer | engine_id | 0-15 | id | string | Engine id | b557a5r |
| malcore_retroanalyzer | engine_id | 0-15 | scan_result | string | Analysis result (INFECTED or CLEAN) | INFECTED |
| malcore_retroanalyzer | engine_id | 0-15 | threat_details | string | Threat details of the result for this engine | EICAR-Test-File (not a virus) (B) |
| malcore_retroanalyzer | engines_last_update_date | | | date | Date of last update of Malcore engines | 2023-07-11T11:32:00Z |
| malcore_retroanalyzer | file_type | | | string | Type of file analyzed | application/zip |
| malcore_retroanalyzer | file_type_description | | | string | Description of the file type | ZIP Archive |
| malcore_retroanalyzer | magic_details | | | string | Detailed magic information (payload type) | Zip archive data, at least v2.0 to extract |
| malcore_retroanalyzer | processing_time | | | numeric | Analysis processing time | 1341 |
| malcore_retroanalyzer | reporting_token | | | string | Token used with GBox. If there is no GBox, the message is NO GBOX | GBOX# |
| malcore_retroanalyzer | state | | | string | Malcore engine analysis result. The result is "Infected" as soon as the result of one engine is "Infected" | Infected |
| malcore_retroanalyzer | total_found | | | string | Number of engines that detected the file as infected divided by the total number of engines | XX/YY with YY between 0 and 16 and XX between 0 and YY; example 9/16 |


9.2.2.11. malicious_powershell category

Table: malicious_powershell

| Level 1 | Level 2 | Level 3 | Data type | Description | Value or example |
|---|---|---|---|---|---|
| malicious_powershell | id | | string | | |
| malicious_powershell | proba_obfuscated | | numeric | Probability that the PowerShell script is obfuscated. Value between 0 and 1 | 1 |
| malicious_powershell | sample_id (id) | | string | File id | 12-04-2024T14:12:40_03afe38854c8443db03807bcc51cf935_gcap-gatewatcher.com |
| malicious_powershell | score | | numeric | Score of the PowerShell script | |
| malicious_powershell | score_details | AddContent | numeric | Category scores/analysis_detailed. Adds content to a file/folder | 0 |
| malicious_powershell | score_details | Base64 | numeric | Category scores/analysis_detailed. Integer score for the base64 patterns detected | 188 |
| malicious_powershell | score_details | CharInt | numeric | Category scores/analysis_detailed. Integer score for the CharInt patterns detected | 6 |
| malicious_powershell | score_details | FmtStr | numeric | Category scores/analysis_detailed. Integer score for the FmtStr patterns detected | 8 |
| malicious_powershell | score_details | GetContent | numeric | Category scores/analysis_detailed. Get-Content cmdlet used to read file data | 0 |
| malicious_powershell | score_details | InvokeExpression | numeric | Category scores/analysis_detailed. Invoke-Expression cmdlet | 100 |
| malicious_powershell | score_details | InvokeRestMethod | numeric | | 0 |
| malicious_powershell | score_details | InvokeWebRequest | numeric | Category scores/analysis_detailed. Invoke-WebRequest cmdlet sends HTTP and HTTPS requests to a web page | 0 |
| malicious_powershell | score_details | SetContent | numeric | Category scores/analysis_detailed. Set-Content cmdlet writes new content or replaces existing content in a file | 0 |
| malicious_powershell | score_details | StartBitsTransfer | numeric | Category scores/analysis_detailed. Start-BitsTransfer command | 0 |
| malicious_powershell | score_details | StrCat | numeric | Category scores/analysis_detailed. Function that concatenates strings | 4 |
| malicious_powershell | score_details | StreamReader | numeric | Category scores/analysis_detailed. Object to read and display each directory name | 0 |
| malicious_powershell | score_details | StreamWriter | numeric | Category scores/analysis_detailed. Write a file that lists directories | 0 |
| malicious_powershell | score_details | StrJoin | numeric | Category scores/analysis_detailed. Integer score for the StrJoin patterns detected | 6 |
| malicious_powershell | score_details | StrReplace | numeric | Category scores/analysis_detailed. Integer score for the StrReplace patterns detected | 0 |
| malicious_powershell | score_details | SystemIOFile | numeric | Category scores/analysis_detailed. Manipulation of a file (creation, opening, copy, etc.) | 0 |
| malicious_powershell | score_details | WebClientInvokation | numeric | Category scores/analysis_detailed. Integer score for the WebClientInvokation patterns detected | 20 |


9.2.2.12. matched_event category

Table: matched_event

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| matched_event | id | numeric | The ID of the matched event | |


9.2.2.13. metadata category

Table: metadata

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| metadata | flowbits | string | | min.gethttp |


9.2.2.14. network category

Table: network

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| network | community_id | string | Unique id used to correlate the flow across different security equipment | 1:r6LvcE7ltny4a6Y9xt1Vr... |
| network | flow_id | numeric | Flow identifier | 363747525458479 |
| network | protocol | string | Network protocol | http |
| network | timestamp | date | Date and time of alert generation by Suricata | 2024-11-26T09:17:00.775521+0000 |
| network | transport | string | Transport layer protocol (TCP or UDP) | tcp |
| network | tx_id | numeric | Transaction identifier (query/response pair) | 0 |


9.2.2.15. observer category

Table: observer

| Level 1 | Level 2 | Level 3 | Level 4 | Data type | Description | Value or example |
|---|---|---|---|---|---|---|
| observer | gcap | | | string | GCap observer related fields | |
| observer | gcap | hostname | | string | The hostname of the GCap | gcap-xxx.domain.local |
| observer | gcap | ingress | interface/name | string | GCap input interface used for capture (monx or monvirt) | monvirt |
| observer | gcap | version | | string | The version of the GCap | 2.5.4 |
| observer | hostname | | | string | Hostname of the observer | gcenter.domain |
| observer | log_format_version | | | string | The log format version | 1.0.0 |
| observer | product | | | string | The product name of the observer | gcenter |
| observer | uuid | | | string | Unique identifier of the alert | f639c844-3f6f-40fa-86c4-47ff603880e2 |
| observer | vendor | | | string | Vendor name of the observer | gatewatcher |
| observer | version | | | string | Observer version | 2.5.x |


9.2.2.16. shellcode category

Table: shellcode

| Level 1 | Level 2 | Level 3 | Data type | Description | Value or example |
|---|---|---|---|---|---|
| shellcode | analysis | args | string | Arguments of the system call used | {'pathname': '//etc/passwd', 'flags': 'O_WRONLY\|O_APPEND', 'mode': 'None'} |
| shellcode | analysis | call | string | Name of the system call used | sys_open |
| shellcode | analysis | info | string | More info | Stop : End of shellcode (Exit) |
| shellcode | analysis | ret | string | The return value of the system call | 0 |
| shellcode | analysis | _id | numeric | Internal index | -1 |
| shellcode | analysis | stop | numeric | Marks the end of the shellcode (End of shellcode) | End of shellcode (output) |
| shellcode | encodings | count | numeric | Number of successive encodings | 1 |
| shellcode | encodings | name | string | The name of the encoding | Shikata_ga_nai |
| shellcode | encodings | options | string | | |
| shellcode | id | | string | The id of the shellcode | 8ae5f9d35f3878cac3064fe93e4c311d |
| shellcode | sample_id | | string | The sample id of the shellcode | |
| shellcode | sub_type | | string | The sub type of the shellcode | Linux_x86_32 |


9.2.2.17. sigflow category

Table: sigflow

| Level 1 | Level 2 | Level 3 | Data type | Description | Value or example |
|---|---|---|---|---|---|
| sigflow | action | | string | Allowed if alert or pass is used and blocked if drop or reject is used. | alert, drop, reject, pass; "action": "allowed" |
| sigflow | category | | string | Description of the alert classification | Potentially Bad Traffic |
| sigflow | gid | | numeric | Identifier of an alert group | 1 |
| sigflow | metadata | affected_product | string | | |
| sigflow | metadata | attack_target | string | | |
| sigflow | metadata | confidence | string | | |
| sigflow | metadata | created_at | string | Created at YEAR_MONTH_DAY | 2014_11_15 |
| sigflow | metadata | deployment | string | | |
| sigflow | metadata | malware_family | string | | |
| sigflow | metadata | performance_impact | string | Performance impact | Significant |
| sigflow | metadata | reviewed_at | string | | |
| sigflow | metadata | signature_severity | string | Signature severity | |
| sigflow | metadata | updated_at | string | Updated at YEAR_MONTH_DAY | 2024_04_22 |
| sigflow | packet | | string | Packet that triggered the alert, base64-encoded (only for UDP) | kOK6pqSQkOK6pqSRCABFAAA0dnRAAEAG9Ak.... |
| sigflow | packet_info | linktype | numeric | Type of link-layer header | 1 |
| sigflow | payload | | string | Base64-encoded payload of the packet. Present only if the payload option of the GCap "variable bases" menu is enabled | Potentially Bad Traffic |
| sigflow | payload_printable | | string | Payload of the packet in a readable format. Present only if the printable payload option of the GCap "variable bases" menu is enabled | GET /emd.exe HTTP/1.1rnHost: opred.netrnConnection: Keep-Alivernrn |
| sigflow | rev | | numeric | Alert revision number | 11 |
| sigflow | signature | | string | The signature (rule message) of the Sigflow alert | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
| sigflow | signature_id | | numeric | Alert ID. Must be unique | 2019714 |
| sigflow | stream | | numeric | The stream of the Sigflow alert | |
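The sigflow table above describes two things a consumer of these logs has to interpret itself: the allowed/blocked meaning of `sigflow.action`, and the base64 `payload` whose readable form is `payload_printable`. The following Python block is an added example (not Gatewatcher code) that decodes a constructed sigflow block according to those descriptions; the sample alert, the payload bytes and the function names are assumptions made for this example.

```python
"""Interpreting the sigflow block of an alert.

Added example; this is not Gatewatcher code. Field names come from the sigflow
table above. The sample alert, the payload bytes and the function names are
constructed for this example.
"""
import base64
import datetime

# sigflow.action: allowed if alert or pass is used, blocked if drop or reject is used.
ACTION_OUTCOME = {"alert": "allowed", "pass": "allowed", "drop": "blocked", "reject": "blocked"}

# Constructed payload: an HTTP request with CRLF line endings plus two non-ASCII bytes,
# so that the printable rendering has something to mask.
_RAW_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Connection: Keep-Alive\r\n\r\n\x00\xff")

# Constructed sigflow block; the sample values mirror the table above.
SAMPLE_SIGFLOW = {
    "action": "alert",
    "category": "Potentially Bad Traffic",
    "gid": 1,
    "signature_id": 2019714,
    "rev": 11,
    "signature": "ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",
    "payload": base64.b64encode(_RAW_PAYLOAD).decode("ascii"),
    "metadata": {"created_at": "2014_11_15", "updated_at": "2024_04_22",
                 "performance_impact": "Significant"},
}


def outcome_for_action(action):
    """Map sigflow.action to the allowed/blocked outcome described in the table."""
    try:
        return ACTION_OUTCOME[action]
    except KeyError:
        raise ValueError(f"unexpected sigflow.action {action!r}") from None


def printable_payload(payload_b64):
    """Decode the base64 payload and render it the way payload_printable does:
    printable ASCII is kept, every other byte (CR, LF, binary) is shown as '.'."""
    raw = base64.b64decode(payload_b64, validate=True)
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def rule_reference(sf):
    """gid:signature_id:rev identifies the exact rule revision that fired."""
    return f"{sf['gid']}:{sf['signature_id']}:{sf['rev']}"


def metadata_date(value):
    """sigflow.metadata dates are YEAR_MONTH_DAY strings; convert to a date object."""
    year, month, day = (int(part) for part in value.split("_"))
    return datetime.date(year, month, day)


def rule_age_days(sf, today):
    """Days between metadata.updated_at and `today` (a datetime.date)."""
    return (today - metadata_date(sf["metadata"]["updated_at"])).days


def describe(sf):
    """One-line triage view of a sigflow alert."""
    return (f"[{rule_reference(sf)}] {sf['signature']} "
            f"({sf['category']}) action={sf['action']} -> {outcome_for_action(sf['action'])}")


if __name__ == "__main__":
    print(describe(SAMPLE_SIGFLOW))
    print(printable_payload(SAMPLE_SIGFLOW["payload"]))
    print("rule age:", rule_age_days(SAMPLE_SIGFLOW, datetime.date(2024, 11, 26)), "days")
```

`printable_payload` uses `validate=True` so that a `payload` value that is not clean base64 raises instead of being silently decoded with discarded characters, which is the behaviour you want when the field is fed into further parsing.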


9.2.2.18. source category

Table: source

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| source | ip | string | Source IP address detected by Sigflow | x.y.z.A |
| source | mac | string | MAC address of the source network card | xx.... |
| source | port | numeric | Source port detected by Sigflow | 8080 |


9.2.2.19. @timestamp category

Table: @timestamp

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| @timestamp | | string | Timestamp of the processing of the alert by the GCenter (corresponds to its passage through logstash) | 2023-10-09T08:31:04.503Z |
| @timestamp | dest_macs | string | Date/time when the event originated | |


9.2.2.20. @version category

Table: @version

| Level 1 | Data type | Description | Value or example |
|---|---|---|---|
| @version | | | 1 |


9.2.2.21. url category

Table: url

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| url | domain | string | The domain of the URL | tsevid-synonymi.justdanceatsea.com |
| url | full | string | The full URL | |
| url | path | string | The path of the URL | /6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23EU-Af2zwWdHgpn6mEGu5XlxFust |


9.2.2.22. user_agent category

Table: user_agent

| Level 1 | Level 2 | Data type | Description | Value or example |
|---|---|---|---|---|
| user_agent | original | string | The user agent of the software used | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; ...) |


9.2.2.23. DNS events

Table: dns events

| Level 1 | Level 2 | Level 3 | Level 4 | Data type | Description |
|---|---|---|---|---|---|
| dns | answers | name | | string | |
| dns | answers | type | | string | |
| dns | authorities | rrname | | string | |
| dns | authorities | rrtype | | string | |
| dns | authorities | soa | expire | numeric | |
| dns | authorities | soa | minimum | numeric | |
| dns | authorities | soa | mname | string | |
| dns | authorities | soa | refresh | numeric | |
| dns | authorities | soa | retry | numeric | |
| dns | authorities | soa | rname | string | |
| dns | authorities | soa | serial | numeric | |
| dns | authorities | ttl | | numeric | |
| dns | flags | | | string | |
| dns | id | | | numeric | |
| dns | qr | | | boolean | |
| dns | ra | | | boolean | |
| dns | rd | | | boolean | |
| dns | response_code | | | string | |
| dns | type | | | string | |
| dns | version | | | numeric | |


9.2.2.24. HTTP2 events

Table: http2 events

| Level 1 | Level 2 | Level 3 | Level 4 | Data type |
|---|---|---|---|---|
| http2 | http_method | | | string |
| http2 | http_user_agent | | | string |
| http2 | http2 | request | priority | numeric |
| http2 | http2 | stream_id | | numeric |
| http2 | http2 | response | | string |
| http2 | http2 | length | | numeric |
| http2 | request_headers | name= | accept | string |
| http2 | request_headers | value | | string |
| http2 | request_headers | name= | accept-encoding | string |
| http2 | request_headers | value | | string |
| http2 | request_headers | name= | :authority | string |
| http2 | request_headers | value | | string |
| http2 | request_headers | name= | :method | string |
| http2 | request_headers | value | | string |
| http2 | request_headers | name= | :path | string |
| http2 | request_headers | value | | string |
| http2 | request_headers | name= | :scheme | string |
| http2 | request_headers | value | | string |
| http2 | request_headers | name= | user-agent | string |
| http2 | request_headers | value | | string |
| http2 | response_headers | name= | accept-ranges | string |
| http2 | response_headers | value | | string |
| http2 | response_headers | name= | content-length | string |
| http2 | response_headers | value | | string |
| http2 | response_headers | name= | content-type | string |
| http2 | response_headers | value | | string |
| http2 | response_headers | name= | date | string |
| http2 | response_headers | value | | string |
| http2 | response_headers | name= | etag | string |
| http2 | response_headers | value | | string |
| http2 | response_headers | last_modified | etag | string |
| http2 | response_headers | value | | string |
| http2 | response_headers | last_modified | server | string |
| http2 | response_headers | value | | string |
| http2 | response_headers | last_modified | :status | string |
| http2 | response_headers | value | | string |
| http2 | status | | | numeric |
| http2 | url | | | string |
| http2 | version | | | string |


9.2.2.25. TLS events

Table: TLS events

| Level 1 | Level 2 | Level 3 | Level 4 | Data type |
|---|---|---|---|---|
| tls | client | server_name | | string |
| tls | ja3 | hash | | string |
| tls | ja3 | string | | string |
| tls | ja3s | hash | | string |
| tls | ja3s | string | | string |
| tls | serial | | | string |
| tls | server | certificate | chain | string |
| tls | server | hash | md5 | string |
| tls | server | hash | sha1 | string |
| tls | server | hash | sha256 | string |
| tls | server | issuer | | string |
| tls | server | not_after | | date |
| tls | server | not_before | | date |
| tls | server | subject | | string |
| tls | sni | | | string |
| tls | version | | | string |


9.2.2.26. SMTP events

Table: SMTP events

| Level 1 | Level 2 | Data type |
|---|---|---|
| smtp | helo | string |
| smtp | mail_from | string |
| smtp | rcpt_to | string |


9.2.2.27. SMB events

Table: SMB events

| Level 1 | Level 2 | Data type | Description |
|---|---|---|---|
| smb | command | string | |
| smb | dialect | string | |
| smb | filename | string | |
| smb | fuid | string | |
| smb | id | numeric | |
| smb | session_id | numeric | SMB2+ session_id; SMB1 user id |
| smb | share | string | |
| smb | status | string | |
| smb | status_code | string | |
| smb | tree_id | numeric | |


9.2.2.28. NFS events

Table: NFS events

| Level 1 | Level 2 | Data type |
|---|---|---|
| nfs | filename | string |
| nfs | file_tx | boolean |
| nfs | hhash | string |
| nfs | id | numeric |
| nfs | procedure | string |
| nfs | status | string |
| nfs | type | string |
| nfs | version | numeric |


9.2.2.29. FTP events

Table: FTP events

| Level 1 | Level 2 | Data type |
|---|---|---|
| ftp | command | string |
| ftp | completion_code | string |
| ftp | dynamic_port | numeric |
| ftp | reply | string |
| ftp | reply_received | string |
| ftp | reply_truncated | boolean |


9.2.2.30. TFTP events

Table: TFTP events

| Level 1 | Level 2 | Data type |
|---|---|---|
| tftp | file | string |
| tftp | mode | string |
| tftp | packet | string |


9.2.2.31. SSH events

Table: ssh events

| Level 1 | Level 2 | Level 3 | Level 4 | Data type |
|---|---|---|---|---|
| ssh | client | hassh | hash | string |
| ssh | client | hassh | string | string |
| ssh | client | proto_version | | string |
| ssh | client | software_version | | string |
| ssh | server | hassh | hash | string |
| ssh | server | hassh | string | string |
| ssh | server | proto_version | | string |
| ssh | server | software_version | | string |


9.2.2.32. krb5 events

Table: krb5 events

| Level 1 | Level 2 | Data type |
|---|---|---|
| krb5 | cname | string |
| krb5 | encryption | string |
| krb5 | msg_type | string |
| krb5 | realm | string |
| krb5 | sname | string |
| krb5 | weak_encryption | boolean |


9.2.2.33. DHCP events

Table: dhcp events

| Level 1 | Level 2 | Data type | Description |
|---|---|---|---|
| dhcp | assigned_ip | string | |
| dhcp | client_ip | string | |
| dhcp | client_mac | string | |
| dhcp | dhcp_type | string | |
| dhcp | dns_servers | string | |
| dhcp | hostname | string | |
| dhcp | id | numeric | |
| dhcp | lease_time | numeric | |
| dhcp | next_server_ip | string | |
| dhcp | relay_ip | string | |
| dhcp | routers | string | |
| dhcp | subnet_mask | string | |
| dhcp | type | string | |


9.2.2.34. SNMP events

Table: snmp events

| Level 1 | Level 2 | Data type |
|---|---|---|
| snmp | community | string |
| snmp | pdu_type | string |
| snmp | vars | string |
| snmp | version | numeric |


9.2.2.35. RDP events

Table: rdp events

| Level 1 | Level 2 | Level 3 | Data type |
|---|---|---|---|
| rdp | channels | | string |
| rdp | client | build | string |
| rdp | client | capabilities | string |
| rdp | client | client_name | string |
| rdp | client | color_depth | numeric |
| rdp | client | desktop_height | numeric |
| rdp | client | desktop_width | numeric |
| rdp | client | function_keys | numeric |
| rdp | client | id | string |
| rdp | client | keyboard_layout | string |
| rdp | client | keyboard_type | string |
| rdp | client | product_id | numeric |
| rdp | client | version | string |
| rdp | event_type | | string |
| rdp | tx_id | | numeric |


9.2.2.36. RFB events

Table: rfb events

| Level 1 | Level 2 | Level 3 | Level 4 | Data type |
|---|---|---|---|---|
| rfb | authentication | security_type | | numeric |
| rfb | authentication | vnc | challenge | string |
| rfb | authentication | vnc | response | string |
| rfb | client_protocol_version | major | | string |
| rfb | client_protocol_version | minor | | string |
| rfb | server_protocol_version | major | | string |
| rfb | server_protocol_version | minor | | string |
| rfb | server_security_failure_reason | | | string |


9.2.2.37. IKEV2 events

Table: ikev2 events

| Level 1 | Level 2 | Data type |
|---|---|---|
| ikev2 | alg_auth | numeric |
| ikev2 | alg_dh | string |
| ikev2 | alg_enc | string |
| ikev2 | alg_esn | string |
| ikev2 | alg_perf | string |
| ikev2 | errors | boolean |
| ikev2 | exchange_type | boolean |
| ikev2 | init_spi | string |
| ikev2 | message_id | boolean |
| ikev2 | notify | string |
| ikev2 | payload | string |
| ikev2 | resp_spi | string |
| ikev2 | role | string |
| ikev2 | version_major | numeric |
| ikev2 | version_minor | numeric |


9.2.2.38. SIP events

Table: sip events

| Level 1 | Level 2 | Data type |
|---|---|---|
| sip | code | string |
| sip | reason | string |
| sip | response_line | string |
| sip | version | string |


9.2.2.39. DNP3 events

Table: dnp3 events

| Level 1 | Level 2 | Level 3 | Level 4 | Data type |
|---|---|---|---|---|
| dnp3 | application | control | con | boolean |
| dnp3 | application | control | fin | boolean |
| dnp3 | application | control | fir | boolean |
| dnp3 | application | control | sequence | numeric |
| dnp3 | application | control | uns | boolean |
| dnp3 | application | complete | | boolean |
| dnp3 | application | function_code | | numeric |
| dnp3 | application | objects | count | numeric |
| dnp3 | application | objects | group | numeric |
| dnp3 | application | objects | points (sub-fields: comm_lost, index, local_forced, online, prefix, remote_forced, reserved0, reserved1, restart, state) | numeric |
| dnp3 | application | objects | prefix_code | numeric |
| dnp3 | application | objects | qualifier | numeric |
| dnp3 | application | objects | range_code | numeric |
| dnp3 | application | objects | start | numeric |
| dnp3 | application | objects | stop | numeric |
| dnp3 | application | objects | variation | numeric |
| dnp3 | control | dir | | boolean |
| dnp3 | control | fcb | | boolean |
| dnp3 | control | fcv | | boolean |
| dnp3 | control | function_code | | numeric |
| dnp3 | control | pri | | boolean |
| dnp3 | dst | | | numeric |
| dnp3 | iin | indicators | | string |
| dnp3 | src | | | numeric |
| dnp3 | type | | | string |


9.2.2.40. DCERPC events

Table: dcerpc events

| Level 1 | Level 2 | Level 3 | Data type |
|---|---|---|---|
| dcerpc | call_id | | numeric |
| dcerpc | req | frag_cnt | numeric |
| dcerpc | req | opnum | numeric |
| dcerpc | req | stub_data_size | numeric |
| dcerpc | request | | string |
| dcerpc | res | frag_cnt | numeric |
| dcerpc | res | stub_data_size | numeric |
| dcerpc | response | | string |
| dcerpc | rpc_version | | string |


9.2.2.41. MQTT events

Table: mqtt events

| Level 1 | Level 2 | Level 3 | Data type | Description |
|---|---|---|---|---|
| mqtt | connack | dup | boolean | |
| mqtt | connack | qos | numeric | |
| mqtt | connack | retain | boolean | |
| mqtt | connack | return_code | numeric | |
| mqtt | connack | session_present | boolean | |


9.2.2.42. ransomware events

Table: ransomware events

| Level 1 | Level 2 | Data type | Description |
|---|---|---|---|
| ransomware | alert_threshold | numeric | The alert threshold |
| ransomware | malicious_behavior_confidence | numeric | Malicious behavior confidence in percent |
| ransomware | session_score | numeric | The session score |


9.2.2.43. beacon events

Table: beacon events

| Level 1 | Level 2 | Data type |
|---|---|---|
| beacon | active | boolean |
| beacon | hostname_resolution | string |
| beacon | id | string |
| beacon | mean_time_interval | numeric |
| beacon | possible_cnc | string |
| beacon | session_count | numeric |
| beacon | type | string |


9.2.2.44. nba events

Table: nba events

| Level 1 | Level 2 | Level 3 | Data type | Description |
|---|---|---|---|---|
| nba | action | | string | |
| nba | category | | string | |
| nba | gid | | numeric | |
| nba | metadata | performance_impact | string | |
| nba | metadata | signature_severity | string | |
| nba | packet | | string | |
| nba | payload | | string | |
| nba | payload_printable | | string | |
| nba | rev | | numeric | |
| nba | signature | | string | |
| nba | signature_id | | numeric | |
| nba | stream | | numeric | |


files events

| Level 1 | Level 2 | Data type | Description |
|---|---|---|---|
| files | filename | string | |
| files | gaps | boolean | |
| files | magic | string | |
| files | sha256 | string | |
| files | sid | string | |
| files | size | numeric | |
| files | state | string | |
| files | stored | boolean | |
| files | tx_id | numeric | |


9.2.2.45. tcp events

Table: tcp events

| Level 1 | Level 2 | Data type | Description |
|---|---|---|---|
| tcp | ack | boolean | |
| tcp | fin | boolean | |
| tcp | psh | boolean | |
| tcp | rst | boolean | |
| tcp | syn | boolean | |
| tcp | tcp_flags | string | |


9.2.2.46. ether events

Table: ether events

| Level 1 | Level 2 | Data type |
|---|---|---|
| ether | dest_macs | string |
| ether | src_macs | string |


9.2.3. Malcore engine results

Malcore engine results are valid only for the Malcore configuration in effect at the time of the analysis.

| Return code | Result | Description |
|---|---|---|
| 0 | No Threat Detected | The file was analyzed and declared healthy |
| 1 | Infected | The file was scanned and declared infected |
| 2 | Suspicious | The file was analyzed and declared as likely to be infected: some Malcore engines have detected this file as malicious. |
| 3 | Failed Scan | An error occurred during the run. |
| 7 | Skipped - Whitelisted | The file is not analyzed and is considered healthy, since it is defined in the Malcore whitelist |
| 8 | Skipped - Blacklisted | The file is not scanned and is considered infected, since it is defined in the Malcore blacklist |
| 9 | Exceeded Archive Depth | The number of nested compression levels is limited (max recursion level). This result indicates that the defined value has been exceeded. |
| 10 | Not scanned | Engine not available at the time of the run |
| 12 | Encrypted Archive | The archive is encrypted and therefore cannot be parsed: the indicated password does not work |
| 13 | Exceeded Archive Size | The maximum file size must not exceed the defined value (maximum value 10 MB). The analyzed archive is larger than the value set |
| 14 | Exceeded Archive File Number | The maximum number of files in the archive must not exceed the defined value. The analyzed archive contains more files than the defined value |
| 15 | Password Protected Document | The solution detected inconsistent behaviour with a password-protected document |
| 16 | Exceeded Archive Timeout | The archive scan time has been exceeded: the Malcore engines did not respond within the deadline |
| 17 | Filetype Mismatch | File type mismatch: the solution detects the file type from its contents and compares it with the displayed file extension |
| 18 | Potentially Vulnerable File | Potentially vulnerable files are files associated with identified vulnerable components or applications |
| 19 | Cancelled | The user explicitly cancelled this file analysis request |
| 21 | Yara Rule Matched | The verdict of the result is: a Yara rule matches (malware sample identification) |
| 22 | Potentially Unwanted | The solution detected potentially unwanted applications |
| 23 | Unsupported File Type | File type not supported by the solution |
| 255 | In Progress | Analysis in progress |
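The malcore table (9.2.2.9), the event.severity codes and the return-code table above give several fields that must agree with each other in a well-formed document: the analyzed_* counters against analyzers_up, total_found ("XX/YY") against analyzed_infected, state against the per-engine scan_result values, and malcore.code against the documented return codes. The following Python block is an added example (not Gatewatcher code) that applies those checks to a constructed engines_alerts document. The sample document, the function names, and the layout of malcore.engine_id as a dict keyed by engine number are assumptions made for this example.

```python
"""Consistency checks on the malcore block of an engines_alerts document.

Added example; this is not Gatewatcher code. Field names follow the malcore,
event and "Malcore engine results" tables above. The sample document, the
function names and the layout of malcore.engine_id as a dict keyed by engine
number are constructed assumptions for this example.
"""
import copy
import json

# Return code -> result name, transcribed from the "Malcore engine results" table.
MALCORE_RESULTS = {
    0: "No Threat Detected", 1: "Infected", 2: "Suspicious", 3: "Failed Scan",
    7: "Skipped - Whitelisted", 8: "Skipped - Blacklisted",
    9: "Exceeded Archive Depth", 10: "Not scanned", 12: "Encrypted Archive",
    13: "Exceeded Archive Size", 14: "Exceeded Archive File Number",
    15: "Password Protected Document", 16: "Exceeded Archive Timeout",
    17: "Filetype Mismatch", 18: "Potentially Vulnerable File", 19: "Cancelled",
    21: "Yara Rule Matched", 22: "Potentially Unwanted",
    23: "Unsupported File Type", 255: "In Progress",
}

# event.severity codes from the event table: 0=clean, 1=infected, 2=suspicious, 3=Other.
SEVERITY = {0: "clean", 1: "infected", 2: "suspicious", 3: "other"}

# Constructed sample document, trimmed to the fields used here (values mirror the tables).
SAMPLE_DOC = json.loads("""
{
  "_index": "engines_alerts-2024.11.26-000022",
  "_source": {
    "event": {"module": "malcore", "kind": "alert", "severity": 1},
    "malcore": {
      "code": 1,
      "state": "Infected",
      "analyzed_clean": 0, "analyzed_infected": 9, "analyzed_suspicious": 0,
      "analyzed_error": 0, "analyzed_other": 7, "analyzers_up": 16,
      "total_found": "9/16",
      "engine_id": {
        "4": {"id": "b557a5r", "scan_result": "INFECTED",
              "threat_details": "EICAR-Test-File (not a virus) (B)"},
        "5": {"id": "engine-5-placeholder", "scan_result": "CLEAN", "threat_details": ""}
      }
    }
  }
}
""")

# The same document with two fields altered so that the checks have something to report.
INCONSISTENT_DOC = copy.deepcopy(SAMPLE_DOC)
INCONSISTENT_DOC["_source"]["malcore"]["state"] = "Clean"       # contradicts engine 4's verdict
INCONSISTENT_DOC["_source"]["malcore"]["total_found"] = "8/16"  # contradicts analyzed_infected = 9


def parse_total_found(value):
    """Split the 'XX/YY' string of malcore.total_found into (found, engines)."""
    found, engines = value.split("/")
    return int(found), int(engines)


def check_malcore(source):
    """Return the list of inconsistencies found in source['malcore'] (empty means consistent)."""
    m = source["malcore"]
    problems = []

    # Heuristic: the analyzed_* counters should account for every engine that was up.
    # analyzed_error and analyzed_other overlap in the table's wording, so a mismatch
    # is a warning to look at, not proof of a malformed document.
    counted = sum(m[k] for k in ("analyzed_clean", "analyzed_infected", "analyzed_suspicious",
                                 "analyzed_error", "analyzed_other"))
    if counted != m["analyzers_up"]:
        problems.append(f"analyzed_* counters sum to {counted}, analyzers_up is {m['analyzers_up']}")

    # total_found is "XX/YY" with 0 <= XX <= YY <= 16 and must agree with the counters.
    found, engines = parse_total_found(m["total_found"])
    if not 0 <= found <= engines <= 16:
        problems.append(f"total_found {m['total_found']} is out of range")
    if (found, engines) != (m["analyzed_infected"], m["analyzers_up"]):
        problems.append(f"total_found {m['total_found']} disagrees with analyzed_infected/analyzers_up")

    # state is "Infected" as soon as any single engine reports INFECTED.
    any_infected = any(e.get("scan_result") == "INFECTED" for e in m["engine_id"].values())
    if any_infected != (m["state"] == "Infected"):
        problems.append(f"state {m['state']!r} disagrees with the per-engine scan_result values")

    # code must be a documented return code, and code 1 means Infected.
    if m["code"] not in MALCORE_RESULTS:
        problems.append(f"unknown malcore.code {m['code']}")
    elif m["code"] == 1 and m["state"] != "Infected":
        problems.append("code 1 (Infected) but state is not Infected")
    return problems


def summarize(doc):
    """Triage summary of one engines_alerts document."""
    src = doc["_source"]
    m = src["malcore"]
    found, engines = parse_total_found(m["total_found"])
    return {
        "index": doc["_index"],
        "module": src["event"]["module"],
        "severity": SEVERITY.get(src["event"]["severity"], "unknown"),
        "result": MALCORE_RESULTS.get(m["code"], "unknown"),
        "detection_ratio": found / engines if engines else 0.0,
        "problems": check_malcore(src),
    }


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_DOC), ("inconsistent", INCONSISTENT_DOC)):
        print(label, json.dumps(summarize(doc), indent=2))
```

Running the block prints an empty `problems` list for the sample document and three findings for the altered copy (the total_found mismatch, the state/scan_result disagreement, and code 1 without an Infected state). The range check on total_found uses the 0..16 bounds stated in the table; if a deployment runs a different number of engines, that bound should follow analyzers_up instead.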