9.2. Engine log data structure

The logs are composed of different parts:

  • The header part

  • The source part defined by "_source"

  • The field part defined by "_fields"

9.2.1. Counters of the header part of logs

Table header part of Malcore logs

Fields

Required

Description

Values or example

_index

Yes

Internal index

engines_alerts-2024.11.26-000022

_type

Yes

default type

_doc

_id

Yes

internal identifier

q5zQZ5MBe7GX5B2fx7DG

_version

Yes

internal version

1

_score

Yes

relevance of the response to the request

0

9.2.2. Counters of the source part of logs

9.2.2.1. beacon category

Level 1

Level 2

Data type

Description

Value or example

beacon

active

boolean

Beacon is active

true

beacon

hostname_resolution

string

Hostname resolution status

"not_analyzed"

beacon

id

string

unique identifier for the beaconing activity or signal

"c4c886b4ad"

beacon

mean_time_interval

numeric

Mean time interval between beacons

1

beacon

possible_cnc

string

Possible CNC

"not_recognized"

beacon

session_count

numeric

Session count

260

beacon

type

string

Type of beacon. unique identifier for the beaconing activity or signal

The type of connection. Can be user, token or nothing

9.2.2.2. DCERPC category

Level 1

Level 2

Level 3

Data type

Description

Value or example

dcerpc

call_id

numeric

unique identifier for RPC call

27

dcerpc

interfacesx[x]

ack_result

acknowledgment result of RPC interface call

dcerpc

interfaces[x]

uuid

universally unique identifier for the RPC interface

dcerpc

interfaces[x]

version

version of the RPC interface

dcerpc

req

frag_cnt

numeric

number of fragments in the RPC request

1

dcerpc

req

opnum

numeric

operation number for the RPC request

4

dcerpc

req

stub_data_size

numeric

size of the stub data in the request

24

dcerpc

request

raw data of the RPC request

string

REQUEST

dcerpc

res

frag_cnt

numeric

number of fragments in the RPC response

1

dcerpc

res

stub_data_size

numeric

size of the stub data in the response

68

dcerpc

response

raw data of the RPC response

string

RESPONSE

dcerpc

rpc_version

string

version of the RPC protocol used

5.0

9.2.2.3. destination category

Level 1

Level 2

Data type

Description

Value or example

destination

ip

string

IP address of the destination

x.x.x.x

destination

mac

string

MAC address of the destination

90:e2:ba:a6:a4:91

destination

port

numeric

Port of the destination

19609

9.2.2.4. dga category

Level 1

Level 2

Data type

Description

Value or example

dga

dga_count

numeric

Number of DGAs

29

dga

dga_ratio

numeric

Ratio of DGAs (dga_count/nx_domain_count)

1

dga

malware_behavior_confidence

numeric

Malware behavior confidence in percent

50

dga

nx_domain_count

numeric

Number of NX domains analyzed

29

dga

top_DGA

string

Top DGAs based on score
tjzjyiheo.com",
"nvtcvimt.com",
"vmfyaxnse.com",
"htjykhvta.com",
"csmanuivsrlx.com",
"sbxsgfddr.com",
"oyttwuyshcgxxaenbit.com",
"seklusaprnkwhvybzc.com",
"xxcnirvbqivbucfsbliu.com",
"jgjvgfetpammdrxwn.com"

9.2.2.5. DHCP category

Level 1

Level 2

Data type

Description

Value or example

dhcp

assigned_ip

string

IP address assigned by the DHCP server

192.168.1.2

dhcp

client_ip

string

Client IP address

x.y.z.a

dhcp

client_mac

string

Client MAC address

00:e0:ed:01:6e:bd

dhcp

dhcp_type

string

Type of dhcp message

dhcp

dns_servers

string

List of DNS servers provided by DHCP

192.168.1.1

dhcp

hostname

string

Hostname of the client

d002465

dhcp

id

numeric

Id of the dhcp message

107809848

dhcp

lease_time

numeric

duration for which the DHCP lease is valid

3600

dhcp

params

numeric

Parameters of dhcp message

dhcp

next_server_ip

string

IP address of the next DHCP server to contact

0.0.0.0

dhcp

relay_ip

string

IP address of the DHCP relay agent

0.0.0.0

dhcp

routers

string

list of routers/gateway addresses provided by DHCP

192.168.1.1

dhcp

subnet_mask

string

subnet mask assigned by the DHCP server

255.255.255.0

dhcp

type

string

Type of the dhcp message

Type of DHCP message (e.g. request, offer)

9.2.2.6. DNP3 category

Level 1

Level 2

Level 3

Level 4

Data type

Description

Value or example

dnp3

application

control

con

boolean

false

dnp3

application

control

fin

boolean

true

dnp3

application

control

fir

boolean

true

dnp3

application

control

sequence

numeric

7

dnp3

application

control

uns

boolean

false

dnp3

application

complete

boolean

true

dnp3

application

function_code

numeric

129

dnp3

application

objects

count

numeric

6

dnp3

application

objects

group

numeric

1

dnp3

application

objects
points. sub :
- comm_lost
- index
- local_forced
- online
- prefix
- remote_forced
- reserved0
- reserved1
- restart
- state

numeric
values:
- 0
- 0
- 0
- 1
- 0
- 0
- 0
- 0
- 0
- 1

dnp3

application

objects

prefix_code

numeric

0

dnp3

application

objects

qualifier

numeric

0

dnp3

application

objects

range_code

numeric

0

dnp3

application

objects

start

numeric

0

dnp3

application

objects

stop

numeric

5

dnp3

application

objects

variation

numeric

1

dnp3

control

dir

boolean

false

dnp3

control

fcb

boolean

false

dnp3

control

fcv

boolean

false

dnp3

control

function_code

numeric

dnp3

control

pri

boolean

true

dnp3

dst

numeric

3

dnp3

iin

indicators

array

[]

dnp3

src

numeric

4

dnp3

type

string

response

9.2.2.7. DNS category

Level 1

Level 2

Level 3

Level 4

Data type

Description

Values or example

dns

answers

name

string

The domain name to which this resource record pertains.

ztqnmsruernxksa0l.com

dns

answers

data[0]

rdata

string

Resource Data (ex: IP that domain name resolves to)

dns

answers

data[0]

rrname

string

Resource Record Name (ex: a domain name)

dns

answers

data[0]

rrtype

string

Resource Record Type (ex: A, AAAA, NS, PTR)

dns

answers

data[0]

tttl

string

Time-To-Live for this resource record

dns

answers

type

string

The type of data contained in this resource record.

A

dns

authorities

rrname

string

name of the resource record in the authority section

com

dns

authorities

rrtype

string

type of the resource record in the authority section

SOA

dns

authorities

soa

expire

numeric

expiration time for the SOA (Start of Authority) record

604800

dns

authorities

soa

minimum

numeric

minimum TTL (Time to Live) for the SOA record

86400

dns

authorities

soa

mname

string

primary master name server in the SOA record

nstld.verisign-grs.com

dns

authorities

soa

refresh

numeric

refresh interval for the SOA record

1800

dns

authorities

soa

retry

numeric

retry interval for the SOA record

900

dns

authorities

soa

rname

string

responsible person’s email address in the SOA record

a.gtld-servers.net

dns

authorities

soa

serial

numeric

serial number for the SOA record

1410273997

dns

authorities

ttl

numeric

Time to Live (TTL) for the authority section

5

dns

flags

string

Indicating DNS answer flag, in hexadecimal

8183

dns

grouped

A[0]

string

A record

dns

id

numeric

The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.

26738

dns

query

rrname

string

dns

query

rrtype

string

A

dns

query

tx_id

numeric

193630

dns

query

opcode

numeric

0

dns

query

type

string

query

dns

query

id

numeric

The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.

57318

dns

qr

boolean

Indicating in case of DNS answer flag, Query/Response flag (ex: true if set)

true

dns

ra

boolean

Indicating in case of DNS answer flag, Recursion Available flag (ex: true if set)

true

dns

rd

boolean

Indicating in case of DNS answer flag, Recursion Desired flag (ex: true if set)

true

dns

response_code

The DNS response code.

string

The DNS response code.

NXDOMAIN

dns

type

string

Indicating DNS message type, can be “answer” or “query”

answer

dns

version

numeric

Indicating DNS logging version in use

2

9.2.2.8. ecs category

Level 1

Level 2

Data type

Description

Value or example

ecs

version

numeric

ECS version this event conforms to

8.6.0

9.2.2.9. email category

Level 1

Level 2

Data type

Description

Value or example

email

attachments[0]

string

List of objects describing the attachments.

email

body_md5

MD5 hash of the email body

email

message_id

unique identifier for the email message

email

status

Status of the email

email

subject

The subject of the email message.

email

subject_md5

MD5 hash of the email subject

email

to.address[0]

Email address of recipient

9.2.2.10. event category

Level 1

Level 2

Data type

Description

Value or example

event

category

string
file category
network category
intrusion_detection
file
network
intrusion_detection

event

created

date

Time when the event was first read by an agent or by your pipeline

2024-12-17T11:01:15.955324+00:00

event

dataset

string

Name of the dataset

alert

event

end

date

2024-12-17T11:00:05.717000+00:00

event

id

string

Unique ID to describe the event

28e92cac-b1de-4b20-ab71-5eeb325f64ed

event

kind

string

The kind of the event. The highest categorization field in the hierarchy

alert

event

module

string

Name of the module this data is coming from

Malcore or malcore_retroanalyzer, active_cti or ...

event

severity

numeric

Analysis result code
Between 0 and 3
0=clean
1=infected
2=suspicious
3=Other

event

severity_human

string

Analysis result

Suspicious

event

start

date

9.2.2.11. ether category

Level 1

Level 2

Data type

Description

Value or example

ether

src_macs

source MAC address of the Ethernet frame

52:54:10:f5:71:63

ether

dest_macs

destination MAC address of the Ethernet frame

fa:2a:73:90:d5:3d

9.2.2.12. file category

Level 1

Level 2

Level 3

Data type

Description

Value or example

file

file_id

numeric

The file id

646

file

gaps

boolean

Monitoring inconsistency in file size

false

file

hash

md5

string

MD5 hash of the analyzed file

c279be702893....

file

hash

sha1

string

SHA1 of the analyzed file

file

hash

sha256

string

SHA256sum of the analyzed file

4679e7f2018c19...

file

magic

string

File format identifier (Magic signature): detected by Sigflow using a reduced database.

Zip archive data, at least v2.0 to extract

file

name

string

Name of the file including the extension, without the directory

smtptest-2021-02-24T17-30-01Z.zip

file

sid

string

Alert ID. Must be unique.

1100043

file

size

numeric

File size in bytes

77068

file

state

string
Completeness of the analyzed file (CLOSED) otherwise TRUNCATED.
The Sigflow file-store.stream-depth variable defines the size of the reconstructed files.
The file is TRUNCATED if its size is > File-store stream depth (10 MB) by default.

CLOSED

file

stored

boolean

Still at "true", the file was stored on disk for further analysis

true

file

tx_id

numeric

transaction identification (query/response pair)

1

9.2.2.13. flow category

Level 1

Level 2

Data type

Description

Value or example

flow

bytes_toclient

numeric

Size of flow to customer

15280

flow

bytes_toserver

numeric

Size of flow to server

128

flow

pkts_toclient

numeric

Number of packets to client

12

flow

pkts_toserver

numeric

Number of packets to server

4

flow

start

date

Date and time of first package seen by Sigflow

2024-11-26T09:16:56.277148+0000

9.2.2.14. FTP category

Level 1

Level 2

Data type

Description

Value or example

ftp

command

string

FTP command issued by the client

EPSV

ftp

completion_code

string

FTP response code indicating the result of a command

229

ftp

dynamic_port

numeric

port used by FTP for dynamic data transfer (PASV mode)

1024

ftp

reply

string

FTP server’s reply message to the client

"Extended Passive Mode OK (|||1024|)"

ftp

reply_received

string

timestamp when the FTP reply was received

yes

ftp

reply_truncated

boolean

indicates if the FTP reply was truncated

false

9.2.2.15. FTP data category

Level 1

Level 2

Data type

Description

Value or example

ftp_data

filename

string

name fo the file involved in FTP data transfer

README.txt

ftp_data

command

string

FTP command related to the data transfer (e.g. RETR, STOR)

RETR

9.2.2.16. HTTP category

Level 1

Level 2

Level 3

Level 4

Data type

Description

Value or example

http

accept

string

Accept header of the request

http

accept_encoding

string

Accept encoding header of the request

"accept-encoding"

http

date

date

Date header of the request

"gzip, deflate"

http

hostname

string

The hostname this HTTP event is attributed to

tsevid-synonymi.justdanceatsea.com

http

http_port

port used for the HTTP connection

numeric

Port HTTP

8080

http

http_refer

string

"http://tsevid-synonymi.justdanceatsea.com:8080/ndf4xx22ci.php",

http

http_user_agent

referrer URL in the HTTP request

string

User agent of the request

http

http2

request

priority

numeric

priority of the HTTP/2 request

15

http

http2

stream_id

stream ID in an HTTP/2 request/response

numeric

13

http

http2

response

HTTP/2 response sent by the server

numeric

{}

http

last_modified

string

http

request

method

string

HTTP request method

"GET"

http

request

mime_type

string

Mime type of the body of the request.

http

request_headers

name=

accept

string

acceptable content types in the HTTP request

"accept"

http

request_headers

value

string

value of the specific HTTP header ("/FireInstaller4.exe","GET","http", "nghttp2/1.43.0".. )

"/"

http

request_headers

name=

accept-encoding

string

encoding methods accepted by the client

http

request_headers

name=

:authority

string

authority (host and port) in the HTTP/2 request

":authority"

http

request_headers

name=

:method

string

HTTP method (e.g., GET, POST)

:method

http

request_headers

name=

:path

string

path of the resource in the HTTP requests

":path"

http

request_headers

name=

:scheme

string

URI scheme (e.g. HTTP, HTTPS)

":scheme"

http

request_headers

name=

user-agent

string

client’s user agent information

"user-agent"

http

response

bytes

numeric

Total size in bytes of the response (body and headers)

77068

http

response

mime_type

HTTP response status code

string

Mime type of the body of the response

application/x-shockwave-flash

http

response

status

numeric
HTTP response code
1xx informational response – the request was received, continuing process
2xx successful – the request was successfully received, understood, and accepted
3xx redirection – further action needs to be taken in order to complete the request
4xx client error – the request contains bad syntax or cannot be fulfilled
5xx server error – the server failed to fulfil an apparently valid request

200

http

response_headers

name=

accept-ranges

string

indicates if the server supports range requests

http

response_headers

name=

content-length

string

length of the response body

http

response_headers

name=

content-type

string

type of the content returned in the response

http

response_headers

name=

date

string

date and time the response was sent

http

response_headers

name=

etag

string

entity tag for caching validation

http

response_headers

last_modified

etag

string

entity tag for the last modified version of the resource

http

response_headers

last_modified

server

string

server providing the last modified resource

http

response_headers

last_modified

status

string

status of the HTTP response

http

response_headers

value

string

http

server

value

string

Server header of the request

http

url

string

URL of the request

http

version

string

HTTP version

HTTP/1.1

9.2.2.17. HTTP2 category

Level 1

Level 2

Level 3

Level 4

Data type

Value or example

http2

http_method

string

GET

http2

http_user_agent

string

nghttp2/1.43.0

http2

http2

request

priority

numeric

15

http2

http2

stream_id

numeric

13

http2

http2

response

string

{}

http2

http2

length

numeric

3663

http2

request_headers

name=

accept

string

http2

request_headers

value

string

/

http2

request_headers

name=

accept-encoding

string

http2

request_headers

value

string

gzip, deflate

http2

request_headers

name=

:authority

string

http2

request_headers

value

string

10.2.10.205

http2

request_headers

name=

:method

string

http2

request_headers

value

string

GET

http2

request_headers

name=

:path

string

http2

request_headers

value

string

/3k.zip

http2

request_headers

name=

:scheme

string

http2

request_headers

value

string

http

http2

request_headers

name=

user-agent

string

http2

request_headers

value

string

15

http2

response_headers

name=

accept-ranges

string

http2

response_headers

value

string

bytes

http2

response_headers

name=

content-length

string

http2

response_headers

value

string

3663

http2

response_headers

name=

content-type

string

http2

response_headers

value

string

text/plain

http2

response_headers

name=

date

string

http2

response_headers

value

string

Mon, 08 Jan 2024 15:28:50 GMT

http2

response_headers

name=

etag

string

http2

response_headers

value

string

"659c131d-e4f"

http2

response_headers

last_modified

etag

string

http2

response_headers

value

string

Mon, 08 Jan 2024 15:22:05 GMT

http2

response_headers

last_modified

server

string

http2

response_headers

value

string

nginx/1.25.2

http2

response_headers

last_modified

:status

string

http2

response_headers

value

string

200

http2

status

numeric

200

http2

url

string

/3k.zip

http2

version

string

2

9.2.2.18. IKEV2 category

Level 1

Level 2

Data type

Description

Value or example

ikev2

alg_auth

numeric

Authentication algorithm

"AUTH_HMAC_SHA1_96"

ikev2

alg_dh

string

Diffie-Hellman group

"2048-bit MODP Group"

ikev2

alg_enc

string

Encryption algorithm

"ENCR_AES_CBC"

ikev2

alg_esn

string

Extended Sequence Numbers

"NoESN"

ikev2

alg_perf

string

Pseudo-Random Function

"PRF_HMAC_SHA1"

ikev2

errors

numeric

Number of errors

0

ikev2

exchange_type

numeric

IKEv2 exchange type

34

ikev2

init_spi

string

Initiator's SPI

"605830378bec4174"

ikev2

message_id

boolean

Message ID

0

ikev2

notify

string

Notify message
[
"NAT_DETECTION_SOURCE_IP",
"NAT_DETECTION_DESTINATION_IP",
"IKEV2_FRAGMENTATION_SUPPORTED",
"MULTIPLE_AUTH_SUPPORTED"
]

ikev2

payload

string

Payload type
[
"SecurityAssociation",
"KeyExchange",
"Nonce",
"Notify",
"Notify",
"Notify",
"Notify",
"NoNextPayload"
]

ikev2

resp_spi

string

Responder's SPI

"5afa8990956d8af0"

ikev2

role

string

Role of the participant

"responder"

ikev2

version_major

numeric

Major version

2

ikev2

version_minor

numeric

Minor version

0

9.2.2.19. ioc category

Level 1

Level 2

Level 3

Data type

Description

Value or example

ioc

id

numeric

ioc

campaigns

string

The campaigns of the IOC

ioc

case_id

string

The case id of the IOC

aa8d51ed-0883-4b12-8b43

ioc

categories

string

The categories of the IOC
trojan
malware

ioc

creation_date

date

The creation date of the IOC

2025-01-28T08:02:50+00:00

ioc

description

string

The description of the IOC

eb4db30601b1f4babefa4...' is a Suspicious SHA256.nThis SHA256 is linked to a trojan attack.nWe advised to use this IoC in detection mode.

ioc

external_links

source_name

string

The external links of the IOC

ioc

external_links

url

string
"url": "https://info.gatewatcher.com/fr/speed-meeting-lastinfosec",
"source_name": "IOCAnalysisCollector"

ioc

families

string

The families of the IOC

ioc

id

string

e9a6f382-d06b-490f-9b6e

ioc

kill_chain_phases

string

The kill chain phases of the IOC

ioc

meta_data

cwe

string

ioc

meta_data

descriptions

string

ioc

meta_data

usageMode

string
"descriptions": [],
"usageMode": "detection",
"cwe": []

ioc

package_date

date

The package date of the IOC

025-01-28T08:50:04.124404+00:00

ioc

relations

string

The uuid related to the IOC
"0e3cc27b-7999-48ce-8484",
"5556c4ab-3e5e-4d56-8410"

ioc

signature

string

The signature of the IOC

SHA256 - trojan/malware - Unknown family - Unknown threat actor - e9a6f3

ioc

tags

string

The tags of the IOC
"trojan.generickd.66527077",
"troj/drodzp-cf",
"trojan.generickd.66527077 (b)",
"trojan/generickd!vemnohoo"

ioc

targeted_countries

string

The targeted countries of the IOC

ioc

targeted_organizations

string

The targeted organizations of the IOC

ioc

targeted_platforms

string

The targeted platforms of the IOC

ioc

targeted_sectors

string

The targeted sectors of the IOC

Services - Autres

ioc

threat_actor

string

The threat actor of the IOC

ioc

tlp

string

The color based level of the IOC

green

ioc

ttp

string

The tactics, techniques, and procedures of the IOC

ioc

type

string

The type of the IOC

SHA256

ioc

updated_date

date

The updated date of the IOC

2025-01-28T08:04:31+00:00

ioc

usage_mode

string

The usage mode of the IOC

detection

ioc

value

string

The value of the IOC

eb4db357dc6f2dd8facf132ecafd...

ioc

vulnerabilities

string

The vulnerabilities of the IOC

9.2.2.20. krb5 category

Level 1

Level 2

Data type

Description

Value or example

krb5

string

cli-krb5

krb5

encryption

string

encryption

aes256-cts-hmac-sha1-96

krb5

msg_type

string

msg_type

KRB_AS_REP

krb5

realm

string

the Kerberos Realm

GATEWATCHER.COM

krb5

sname

string

sname

krbtgt/GATEWATCHER.COM

krb5

weak_encryption

boolean

weak_encryption

false

9.2.2.21. malcore category

Level 1

Level 2

Level 3

Level 4

Data type

Description

Value or example

malcore

analyzed_clean

numeric

GEYEGO: Number of engines with result CLEAN

0

malcore

analyzed_error

numeric

GEYEGO: Number of engines with result in FAILED, CLEANED_OR_DELETED, SCAN_SKIPPED_WHITELIST, SCAN_SKIPPED_BLACKLIST, NOT_SCANNED, CANCELED, UNSUPPORTED_FILE_TYPE, IN_PROGRESS

0

malcore

analyzed_infected

numeric

GEYEGO: Number of engines with result INFECTED

9

malcore

analyzed_other

numeric

GEYEGO: Number of engines with result other results than the one described above

7

malcore

analyzed_suspicious

numeric

GEYEGO: Number of engines with result SUSPICIOUS

0

malcore

analyzers_up

MALCORE: Total number of engines used for this analysis

numeric

Total number of engines used for analysis

16

malcore

code

numeric
Usually. Can be forced to SCAN_SKIPPED_BLACKLIST(8) or SCAN_SKIPPED_WHITELIST(7) if filtered or NOT_SCANNED(10) if file is lost.
See the table Malcore engine results (Malcore engine results)

1

malcore

detail_scan_time

numeric

File analysis time (ms) by malcore engines

245

malcore

detail_threat_found

string

Comma separated list of detected threat names

"Infected: EICAR-Test-File (not a virus) (B)....

malcore

detail_wait_time

numeric

Time elapsed between sending the file to the node and receiving the engine result in milliseconds

1096

malcore

engine_id

0-15

numeric

unique identifier for a Malcore engine (0 to 15)

4

malcore

engine_id

0-15

id

string

engine id

b557a5r

malcore

engine_id

0-15

scan_result

string

analysis result (INFECTED, UNSUPPORTED_FILE_TYPE, NOT_SCANNED or CLEAN)

INFECTED

malcore

engine_id

0-15

string

threat_details

EICAR-Test-File (not a virus) (B)

malcore

engines_last_update_date

date

GEYEGO: median last update time of all analyzers used.

2023-07-11T11:32:00Z

malcore

file_type

string

MALCORE: file type.

application/zip

malcore

file_type_description

string

MALCORE: file type, but longer.

ZIP Archive

malcore

magic_details

string

GEYEGO: Lib magic result

Zip archive data, at least v2.0 to extract

malcore

processing_time

numeric

1341

malcore

reporting_token

string

GEYEGO: GBOX analysis token, if available

GBOX#

malcore

state

string

Result is "Infected" as soon as the result of an engine is "Infected"

Infected

malcore

total_found

string

GEYEGO: string presenting <infected>/<total number>

XX/YY with YY between 0 and 16 and XX between 0 and YY; example 9/16

9.2.2.22. malcore_retroanalyzer category

Level 1

Level 2

Level 3

Level 4

Data type

Description

Value or example

malcore_retroanalyzer

analyzed_clean

numeric

GEYEGO: Number of engines with result CLEAN

0

malcore_retroanalyzer

analyzed_error

numeric

GEYEGO: Number of engines with result in FAILED, CLEANED_OR_DELETED, SCAN_SKIPPED_WHITELIST, SCAN_SKIPPED_BLACKLIST, NOT_SCANNED, CANCELED, UNSUPPORTED_FILE_TYPE, IN_PROGRESS

0

malcore_retroanalyzer

analyzed_infected

numeric

GEYEGO: Number of engines with INFECTED result

9

malcore_retroanalyzer

analyzed_other

numeric

GEYEGO: Number of engines with result other results than the one described above

7

malcore_retroanalyzer

analyzed_suspicious

numeric

GEYEGO: Number of engines with result SUSPICIOUS

0

malcore_retroanalyzer

analyzers_up

numeric

MALCORE: Total number of engines used for this analysis

16

malcore_retroanalyzer

code

numeric
Can be forced to SCAN_SKIPPED_BLACKLIST(8) or SCAN_SKIPPED_WHITELIST(7) if filtered or NOT_SCANNED(10) if file is lost.
See the table Malcore engine results (Malcore engine results)

1

malcore_retroanalyzer

detail_scan_time

numeric

Analysis time of the files (ms) by the malcore engines

245

malcore_retroanalyzer

detail_threat_found

string

List of detected threat names, separated by commas

"Infected: EICAR-Test-File (not a virus) (B)....

malcore_retroanalyzer

detail_wait_time

numeric

MALCORE: process_info.processing_time_details.others_time_process_info_processing_time_details_filetype_time,

1096

malcore_retroanalyzer

engine_id

numeric

malcore engine number (0 to 15)

4

malcore_retroanalyzer

engine_id

0-15

id

string

engine id

b557a5r

malcore_retroanalyzer

engine_id

0-15

scan_result

string

analysis result (INFECTED or CLEAN)

INFECTED

malcore_retroanalyzer

engine_id

0-15

threat_details

string

treat details of the result for this engine

EICAR-Test-File (not a virus) (B)

malcore_retroanalyzer

engines_last_update_date

date

GEYEGO: median last update time of all analyzers used.

2023-07-11T11:32:00Z

malcore_retroanalyzer

file_type

string

MALCORE: file type.

application/zip

malcore_retroanalyzer

file_type_description

string

MALCORE: file type, but longer.

ZIP Archive

malcore_retroanalyzer

magic_details

string

GEYEGO: Lib magic result

Zip archive data, at least v2.0 to extract

malcore_retroanalyzer

processing_time

numeric

1341

malcore_retroanalyzer

reporting_token

string

GEYEGO: GBOX analysis token, if available

GBOX#

malcore_retroanalyzer

state

string

The result is "Infected" as soon as the result of a motor is "Infected"

Infected

malcore_retroanalyzer

total_found

string

GEYEGO: string presenting <infected>/<total number>

XX/YY with YY between 0 and 16 and XX between 0 and YY; example 9/16

9.2.2.23. malicious_powershell category

Level 1

Level 2

Level 3

Data type

Description

Value or example

malicious_powershell

id

string

MD5 of the file

b5c38e2159f80a5a3076a353360cb5f1

malicious_powershell

proba_obfuscated

numeric

probability of obfuscation

0.6

malicious_powershell

sample_id (id)

string

file id

12-04-2024T14:12:40_03afe38854c8443db03-gatewatcher.com",

malicious_powershell

score

numeric

score of the PowerShell script

332

malicious_powershell

score_details

AddContent

numeric

Adds content to a file/folder

0

malicious_powershell

score_details

Base64

numeric

Score represented by an integer of a/patterns base64 detected

188

malicious_powershell

score_details

CharInt

numeric

Score represented by an integer of one/of the detected charitable patterns

6

malicious_powershell

score_details

FmtStr

numeric

Score represented by an integer of a/of detected fmtstr patterns

8

malicious_powershell

score_details

GetContent

numeric

Get-Content applet to read file data

0

malicious_powershell

score_details

InvokeExpression

numeric

InvokeExpression Applet

100

malicious_powershell

score_details

InvokeRestMethod

numeric

0

malicious_powershell

score_details

InvokeWebRequest

numeric

Invoke-WebRequest applet sends HTTP and HTTPS requests to a webpage

0

malicious_powershell

score_details

SetContent

numeric

Applet SetContent writes new content or replaces existing content in a file

0

malicious_powershell

score_details

StartBitsTransfer

numeric

Start-BitsTransfer Order

0

malicious_powershell

score_details

StrCat

numeric

Function that concatenates strings

4

malicious_powershell

score_details

StreamReader

numeric

Object to read and display each directory name

0

malicious_powershell

score_details

StreamWriter

numeric

Write a file that lists directories

0

malicious_powershell

score_details

StrJoin

numeric

Score represented by an integer of a/strjoin patterns detected

6

malicious_powershell

score_details

StrReplace

numeric

Score represented by an integer of a/strreplace patterns detected

0

malicious_powershell

score_details

SystemIOFile

numeric

Manipulation of a file (creation, opening, copy, etc.)

0

malicious_powershell

score_details

WebClientInvokation

numeric

Score represented by an integer of one/of detected webclientinvokation patterns

20

9.2.2.24. matched_event category

Level 1

Level 2

Data type

Description

Value or example

matched_event

id

numeric

The ID of the matched event

matched_event

content

string

Content all categories of the matched event

9.2.2.25. metadata category

Level 1

Level 2

Data type

Description

Value or example

metadata

flowbits

string

min.gethttp

9.2.2.26. MQTT category

Level 1

Level 2

Level 3

Data type

Description

Value or example

mqtt

connack

dup

boolean

false

mqtt

connack

qos

numeric

0

mqtt

connack

retain

boolean

false

mqtt

connack

return_code

numeric

0

mqtt

connack

session_present

boolean

false

9.2.2.27. nba category

Level 1

Level 2

Level 3

Data type

Description

Value or example

nba

action

string

nba

category

string

nba

gid

numeric

nba

metadata

performance_impact

string

nba

metadata

signature_severity

string

nba

packet

string

nba

payload

string

nba

payload_printable

string

nba

rev

numeric

nba

signature

string

nba

signature_id

numeric

nba

stream

numeric

9.2.2.28. netflow category

Level 1

Level 2

Data type

Description

Value or example

netflow

pkts

numeric

Packets of the flow

1

netflow

age

numeric

Age of the flow

0

netflow

end

date

End time of the flow

2024-09-12T15:00:07.959357+0000

netflow

min_ttl

numeric

Minimum TTL of the flow

255

netflow

bytes

numeric

Bytes of the flow

62

netflow

start

date

Start time of the flow

2024-09-12T15:00:07.959357+0000

netflow

max_ttl

numeric

Maximum TTL of the flow

255

9.2.2.29. network category

Level 1

Level 2

Data type

Description

Value or example

network

community_id

string

hash of source and destination IPs and ports, as well as the protocol used in a communication

1:r6LvcE7ltny4a6Y9xt1Vr...

network

flow_id

numeric

Flow identifier

363747525458479

network

protocol

string

Application Layer protocol. For example, http, dns, or ssh

http

network

timestamp

date

Date and time of alert generation by Sigflow

2024-11-26T09:17:00.775521+0000

network

transport

string

name of the transport layer (udp, tcp, ipv6-icmp, etc.)

tcp

network

tx_id

numeric

transaction identification (query/response pair)

0

9.2.2.30. NFS category

Level 1

Level 2

Data type

Description

Value or example

nfs

filename

string

""

nfs

file_tx

boolean

true

nfs

hhash

string

Hash of the file

87b5a66e

nfs

id

numeric

ID of the NFS event

1

nfs

procedure

string

NFS procedure

WRITE

nfs

status

string

Status of the NFS event

OK

nfs

type

string

Type of the NFS event

response

nfs

version

numeric

NFS version

4

9.2.2.31. observer category

Level 1

Level 2

Level 3

Level 4

Data type

Description

Value or example

observer

gcap

hostname

string

The hostname of the gcap

gcap-xxx.domain.local

observer

gcap

ingress

interface/name

string

GCap input interface used for capture (monx or monvirt)

monvirt

observer

gcap

version

string

The version of the gcap

"2.5.4"

observer

hostname

string

Hostname of the observer

"gcenter.domain",

observer

log_format_version

string

The log format version

"1.0.0"

observer

product

string

The product name of the observer

gcenter

observer

uuid

string

Unique identifier of the alert

f639c844-3f6f-40fa-86c4-47ff603880e2

observer

vendor

string

Vendor name of the observer

gatewatcher

observer

version

string

Observer version

"2.5.x."

9.2.2.32. ransomware events

Level 1

Level 2

Data type

Description

Value or example

ransomware

alert_threshold

numeric

The alert threshold

930

ransomware

malicious_behavior_confidence

numeric

Malicious behavior confidence in percent

80

ransomware

session_score

numeric

The session score

35

9.2.2.33. RDP category

Level 1

Level 2

Level 3

Data type

Description

Value or example

rdp

channels

string

The optional channel field is a list of requested data channel names
[
"rdpdr",
"cliprdr",
"rdpsnd"
]

rdp

client

build

string

"Windows XP"

rdp

client

capabilities

string

features and capabilities supported by the RDP client

[ "support_errinfo_pdf" ]

rdp

client

client_name

string

name of the RDP client

"ISD2-KM84178"

rdp

client

color_depth

numeric

color depth supported by the RDP client

15

rdp

client

desktop_height

numeric

height of the desktop displayed by the RDP client

rdp

client

desktop_width

numeric

width of the desktop displayed by the RDP client

864

rdp

client

function_keys

numeric

function keys supported or configured by the RDP client

12

rdp

client

id

string

unique identifier for the RDP client session

"55274-OEM-0011903-00107"

rdp

client

keyboard_layout

string

keyboard layout used by the RDP client

"en-US"

rdp

client

keyboard_type

string

type of keyboard supported by the RDP client

"enhanced"

rdp

client

product_id

numeric

product ID for the RDP client software

1

rdp

client

version

string

version number of the RDP client

"v5"

rdp

event_type

string
The event_type field indicates an RDP event subtype.
Possible values: initial_request,initial_response,connect_request,connect_response,tls_handshake

"connect_request"

rdp

protocol

The protocol field is the selected protocol. Possible values: rdp, ssl, hybrid, rds_tls, hybrid_ex

rdp

server_supports[0]

The optional server_supports field is a list of server capabilities

rdp

tx_id

numeric

Each RDP record contains a per-flow incrementing tx_id field

2

9.2.2.34. RFB category

Level 1

Level 2

Level 3

Level 4

Data type

Description

Value or example

rfb

authentication

security_type

numeric

type of security method used during RFB (Remote Framebuffer) authentication

2

rfb

authentication

vnc

challenge

string

challenge sent by the VNC server during authentication

"435414a03f719e3bab73fd2de5"

rfb

authentication

vnc

response

string

response sent by the VNC client to the authentication challend

"50e93126e93f23a52"

rfb

client_protocol_version

major

string

major version of the protocol used by the RFB client

"003"

rfb

client_protocol_version

minor

string

minor version of the protocol used by the RFB client

"008"

rfb

server_protocol_version

major

string

major version of the protocol used by the RFB server

"003"

rfb

server_protocol_version

minor

string

minor version of the protocol used by the RFB server

"008"

rfb

server_security_failure_reason

string

reason for security failure during RFB server authentication

"Authentication failed from 192.168.0.1"

9.2.2.35. rpc category

Level 1

Level 2

Level 3

Data type

Description

Value or example

rpc

creds

gid

group ID associated with the RPC credentials

rpc

creds

machine_name

name of the machine that initiated the RPC request

rpc

creds

uid

numeric

user ID associated with the RPC credentials

35

rpc

status

string

status of the RPC call

ACCEPTED

rpc

xid

numeric

transaction ID for the RPC request, used for matching requests and responses

1299444754

9.2.2.36. Shellcode category

Level 1

Level 2

Level 3

Data type

Description

Value or example

Shellcode

analysis

args

string

The args of the call

"{'pathname': '//etc/passwd', 'flags': 'O_WRONLY|O_APPEND', 'mode': 'None'}",

Shellcode

analysis

call

string

The call

sys_open

Shellcode

analysis

info

string

More info

"Stop : End of Shellcode (Exit)"

Shellcode

analysis

ret

string

The retention

0

Shellcode

analysis

_id

numeric

The id of the analysis

-1

Shellcode

analysis

stop

numeric

The stop

End of Shellcode (output)

Shellcode

encodings

count

numeric

The count of the encoding

1

Shellcode

encodings

name

string

The name of the encoding

"Shikata_ga_nai",

Shellcode

encodings

options

string

available encoding options used to encode shellcode

Shellcode

id

string

The id of the Shellcode

8ae5f9d35f3878cace4c311d"

Shellcode

sample_id

string

The sample id of the Shellcode

12-04-2024T14:17:25_925...c1c7_gcap-int-xxx.gatewatcher.com

Shellcode

sub_type

string

The sub type of the Shellcode

"Linux_x86_32",

9.2.2.37. sigflow category

Level 1

Level 2

Level 3

Data type

Description

Value or example

sigflow

action

string

The action of the signature flow

alert, drop, reject, pass "action": "allowed"

sigflow

category

string

The category of the signature flow
Potentially Bad Traffic"
Active CTI

sigflow

gid

numeric

The gid of the signature flow

1

sigflow

metadata

affected_product

string

sigflow

metadata

attack_target

string

sigflow

metadata

confidence

string

sigflow

metadata

created_at

string

Created at YEAR_MONTH_DAY

2014_11_15

sigflow

metadata

deployment

string

sigflow

metadata

ioc

string

fffc7e75-cb75-4210-..

sigflow

metadata

malware_family

string

sigflow

metadata

performance_impact

string

Performance impact

Significant

sigflow

metadata

reviewed_at

string

sigflow

metadata

risk

string

highly suspicious

sigflow

metadata

signature_severity

string

Signature severity

2

sigflow

metadata

updated_at

string

Updated at YEAR_MONTH_DAY

2024_04_22

sigflow

packet

string

The packet of the signature flow

kOK6pqSQkOK...

sigflow

packet_info

linktype

numeric

Type of link-layer header

1

sigflow

payload

string

The payload of the signature flow

Potentially Bad Traffic

sigflow

payload_printable

string

The printable payload of the signature flow

GET /emd.exe HTTP/1.1rnHost: opred.netrnConnection: Keep-Alivernrn

sigflow

rev

numeric

The revision of the signature flow

11

sigflow

signature

string

The signature of the signature flow

ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile",

sigflow

signature_id

numeric

The signature id of the signature flow

2019714

sigflow

stream

numeric

The stream of the signature flow

0

9.2.2.38. SIP category

Level 1

Level 2

Data type

Description

Value or example

sip

code

string

"183"

sip

reason

string

"In band info available"

sip

response_line

string

"SIP/2.0 183 In band info available"

sip

version

string

"SIP/2.0"

9.2.2.39. SMB category

Level 1

Level 2

Data type

Description

Value or example

smb

client_dialects[0]

string

smb

client_guid

string

smb

command

string

command name

"SMB2_COMMAND_SESSION_LOGOFF"

smb

dialect

string

The negotiated protocol dialect, or “unknown” if missing

3.11

smb

filename

string

filename for CREATE and other commands.

smb

fuid

string

SMB2+ file GUID. SMB1 FID as hex.

smb

id

numeric

internal transaction id

12

smb

max_read_size

numeric

smb

max_write_size

numeric

smb

session_id

numeric

SMB2+ session_id. SMB1 user id

593737889611

smb

server_guid

string

smb

share

string

smb

status

string

status string. Can be both NT_STATUS or DOS_ERR and other variants

STATUS_SUCCESS

smb

status_code

string

status code as hex string

0x0

smb

tree_id

numeric

Tree ID

0

9.2.2.40. SMTP category

Level 1

Level 2

Data type

Description

Value or example

smtp

helo

string

the HELO command sent by the SMTP client to initiate communication

qal-internet.internet

smtp

mail_from

string

the sender’s email address in the MAIL FROM command

smtp

rcpt_to

string

the recipient’s email address in the RCPT TO command

9.2.2.41. SNMP category

Level 1

Level 2

Data type

Description

Value or example

snmp

community

string

""

snmp

pdu_type

string

"set_request"

snmp

vars

string
[
"1.3.6.1.2.1.1.5.0"
]

snmp

version

numeric

1

9.2.2.42. source category

Level 1

Level 2

Data type

Description

Value or example

source

ip

string

Source IP address detected by Sigflow

x.y.z.A"

source

mac

string

MAC address of the source network card

xx....

source

port

numeric

Source port detected by Sigflow

8080

9.2.2.43. SSH category

Level 1

Level 2

Level 3

Level 4

Data type

Description

Value or example

ssh

client

hassh

string

ssh

client

proto_version

string

2.0

ssh

client

software_version

string

OpenSSH_7.4p1

ssh

server

hassh

hash

string

b12d1a1189eff264cf533361ee

ssh

server

hassh

string

curve25519-sha256, ... umac-64@openssh.com,umac-128@oppenssh.com

ssh

server

proto_version

string

2.0

ssh

server

software_version

string

abbix_agent

9.2.2.44. tcp category

Level 1

Level 2

Data type

Description

Value or example

tcp

ack

boolean

tcp

fin

boolean

tcp

psh

boolean

tcp

rst

boolean

tcp

syn

boolean

tcp

tcp_flags

string

9.2.2.45. TFTP category

Level 1

Level 2

Data type

Description

Value or example

tftp

file

string

rfc1350.txt

tftp

mode

string

"octet"

tftp

packet

string

"read"

9.2.2.46. TLS category

Level 1

Level 2

Level 3

Level 4

Data type

Value or example

tls

client

server_name

string

qacrcgtyzm.com

tls

ja3

hash

string

tls

ja3

string

string

tls

ja3s

hash

string

tls

ja3s

string

string

tls

serial

string

tls

server

certificate

chain

string

MIIDjBCVBAYv2NFV7jMvdyoO...

tls

server

hash

md5

string

tls

server

hash

sha1

string

29:d8:c7:2d:fa:30:26:5f:92:e8:2c:e6:62:e2:40

tls

server

hash

sha256

string

tls

server

issuer

string

C=US, ST=USA, L=NY, O=Company Ltd, OU=office, CN=web

tls

server

not_after

date

2024-08-30T15:56:58

tls

server

not_before

date

2014-09-02T15:56:58

tls

server

subject

string

C=US, ST=USA, L=NY, O=Company Ltd, OU=office, CN=web

tls

sni

string

tls

version

string

TLSv1

9.2.2.47. url category

Level 1

Level 2

Data type

Description

Value or example

url

domain

string

The domain of the URL

"tsevid-synonymi.justdanceatsea.com"

url

full

string

The full URL

url

path

string

The path of the URL

/6SuCHKKkf8Sf1aFXJPqD0R6r3oEDCrbwHFm23E...

9.2.2.48. user_agent category

Level 1

Level 2

Data type

Description

Value or example

user_agent

original

string

The user agent of the software used

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; ...)

9.2.2.49. @timestamp category

Level 1

Level 2

Data type

Description

Value or example

@timestamp

string

Date/time when the event was generated by the source.

2023-10-09T08:31:04.503Z

@timestamp

dest_macs

string

9.2.2.50. @version

Level 1

Data type

Description

Value or example

@version

numeric

1