├── COPYRIGHT
├── LICENSE
├── README.md
├── dist
│   ├── PyIOCe-0.9.8-OSX.zip
│   └── PyIOCe-0.9.8-WIN64.zip
├── images
│   ├── and.png
│   ├── case.png
│   ├── check.png
│   ├── delete.png
│   ├── insert.png
│   ├── land.png
│   ├── lnot.png
│   ├── lor.png
│   ├── new.png
│   ├── not.png
│   ├── open.png
│   ├── or.png
│   ├── save.png
│   └── saveall.png
├── indicator_terms.default
├── indicator_terms.legacy
├── ioc.py
├── ioc_et.py
├── parameters.default
└── pyioce.py

/COPYRIGHT:
--------------------------------------------------------------------------------
Python IOC Editor

Copyright 2014 Yahoo!
Authored by Sean Gillespie
Licensed under the Apache 2.0 license.
Code and contents listed below are attributed with the copyright holder and
license as follows:

Copyright: Yahoo!
Author: Sean Gillespie
License: Apache 2.0
--------------------------------------------------------
pyioce.py
ioc.py
images/and.png
images/case.png
images/delete.png
images/insert.png
images/land.png
images/lnot.png
images/lor.png
images/not.png
images/or.png


Copyright: Mandiant
Author: William Gibb
License: Apache 2.0
--------------------------------------------------------
ioc_et.py - Modifications by Sean Gillespie/Yahoo


Icon Pack: Must Have
Designer: VisualPharm (Ivan Boyko)
License: Creative Commons Attribution (by)
--------------------------------------------------------
images/check.png http://findicons.com/icon/51032/check


Icon Pack: GiNUX
Designer: Asher
License: Creative Commons Attribution (by)
--------------------------------------------------------
images/open.png http://findicons.com/icon/68711/opened
images/save.png http://findicons.com/icon/68731/floppy - Modifications by Sean Gillespie/Yahoo!
images/saveall.png http://findicons.com/icon/68731/floppy - Modifications by Sean Gillespie/Yahoo!
images/new.png http://findicons.com/icon/68749/default - Modifications by Sean Gillespie/Yahoo!
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License.
      Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution.
      You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability.
      In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!) The text should be enclosed in the appropriate
      comment syntax for the file format.
      We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright 2014 Yahoo!

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
Python IOC Editor v0.9.8


Description:
PyIOCe is an OpenIOC editor built using Python 2.7 and wxPython 3.0.0.0.

There are many systems for storing complete threat intelligence, but OpenIOC excels at manipulating that data into a reduced and
operationalized search method. This can be used to build IOCs that describe broad threat behavior such as persistence mechanisms
or important forensic sources or it can be used to search for more narrowly identified threats during incident response to rapidly
scope a compromise across large enterprise networks.

This project is meant to expand ongoing efforts to broaden the use of OpenIOC with other systems such as Snort, GRR, Splunk, and Yara.

Standalone binaries are available under /dist

Required Python Modules:
wxPython
lxml

Features:
- Almost entirely keyboard driven
- Support for opening and editing OpenIOC 1.0 and 1.1 IOCs simultaneously (OpenIOC 1.0 support is MIR only using legacy MIR terms)
- Indicator Term management
- Parameter management
- Preferences for default IOC version, default IOC context, and default IOC author
- IOC Cloning
- Revert IOC Changes to last saved
- Cut/Copy/Paste & drag and drop for Indicator tree
- Indicator Terms and Parameters defined for MIR, Yara, Splunk, and Volatility

Roadmap:
- Term Conversion Map to associate related terms across context types
- Term Conversions to quickly change context types of IndicatorTerms based on the Conversion Map
- Import Indicator Terms from Intel sources such as CybOX, STIX, or CRITS
- IOC Validation/Testing
- More well defined Indicator Terms and parameters for GRR, Snort, and other systems
- Output relevant formats for use, Splunk searches from Splunk terms, Yara signature outputs from Yara terms, XPATH from MIR terms, etc


Bug reports, questions, comments, requests:
seagill at yahoo-inc dot com
--------------------------------------------------------------------------------

/dist/PyIOCe-0.9.8-OSX.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/dist/PyIOCe-0.9.8-OSX.zip
--------------------------------------------------------------------------------

/dist/PyIOCe-0.9.8-WIN64.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/dist/PyIOCe-0.9.8-WIN64.zip
--------------------------------------------------------------------------------

/images/and.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/and.png
--------------------------------------------------------------------------------

/images/case.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/case.png
--------------------------------------------------------------------------------

/images/check.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/check.png
--------------------------------------------------------------------------------

/images/delete.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/delete.png
--------------------------------------------------------------------------------

/images/insert.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/insert.png
--------------------------------------------------------------------------------

/images/land.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/land.png
--------------------------------------------------------------------------------

/images/lnot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/lnot.png
--------------------------------------------------------------------------------

/images/lor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/lor.png
--------------------------------------------------------------------------------

/images/new.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/new.png
--------------------------------------------------------------------------------

/images/not.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/not.png
--------------------------------------------------------------------------------

/images/open.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/open.png
--------------------------------------------------------------------------------

/images/or.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/or.png
--------------------------------------------------------------------------------

/images/save.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/save.png
--------------------------------------------------------------------------------

/images/saveall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/YahooArchive/PyIOCe/e7022cb1acc7e5f61775979cdb8e98da9090ae42/images/saveall.png
--------------------------------------------------------------------------------

/indicator_terms.legacy:
--------------------------------------------------------------------------------
{"mir": {"DriverItem/PEInfo/Exports/NumberOfNames": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "EventLogItem/writeTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "dateTime"}, "CookieHistoryItem/IsSecure": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "PortItem/CreationTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "dateTime"}, "ServiceItem/pathsha1sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "SystemInfoItem/timezoneStandard": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "DriverItem/DeviceItem/AttachedDeviceObject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "FileItem/PEInfo/BaseAddress": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "VolumeItem/BytesPerSector": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/Entropy/CurveData/float": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "SystemInfoItem/networkArray/networkInfo/dhcpLeaseObtained": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem",
"content_type": "dateTime"}, "DriverItem/DriverObjectAddress": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/PEInfo/DetectedEntryPointSignature/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ProcessItem/name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "TaskItem/TriggerList/Trigger/TriggerValueQueries": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "VolumeItem/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/Sha1sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ServiceItem/path": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "UrlHistoryItem/PageTitle": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "HookItem/DigitalSignatureHooked/SignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "FileItem/FileName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/DigitalSignature/CertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "CookieHistoryItem/Profile": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "RouteEntryItem/IsIPv6": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "string"}, "ArpEntryItem/IPv4Address": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ArpEntryItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/remoteIP": 
{"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileItem/PEInfo/Sections/ActualNumberOfSections": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "DnsEntryItem/RecordData/IPv4Address": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DnsEntryItem", "content_type": "string"}, "FileItem/Created": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "FormHistoryItem/FormFieldValue": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "EventLogItem/CorrelationActivityId": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "FileDownloadHistoryItem/CacheHitCount": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "int"}, "SystemRestoreItem/ChangeLogEntryType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "DiskItem/DiskSize": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DiskItem", "content_type": "int"}, "PortItem/path": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "Email/X-filetypes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "EventLogItem/category": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "CookieHistoryItem/LastAccessedDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "dateTime"}, "TaskItem/AccountName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "SystemInfoItem/OS": 
{"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "RouteEntryItem/RouteAge": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "string"}, "TaskItem/ActionList/Action/EmailCC": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "DriverItem/PEInfo/Sections/Section/Entropy/CurveData/float": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "EventLogItem/EID": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "int"}, "ProcessItem/HandleList/Handle/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileItem/PEInfo/PETimeStamp": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "EventLogItem/unformattedMessage/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "DnsEntryItem/DataLength": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DnsEntryItem", "content_type": "int"}, "ArpEntryItem/Interface": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ArpEntryItem", "content_type": "string"}, "DriverItem/DeviceItem/AttachedDriverObject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "HookItem/DigitalSignatureHooking/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/Exports/NumberOfNames": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name": {"last_modified": 
"2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "Snort/Snort": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Snort", "content_type": "string"}, "Email/Subject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "FormHistoryItem/PasswordFieldName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/Mapped": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "Email/X-filenames": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "SystemInfoItem/networkArray/networkInfo/dhcpServerArray/dhcpServer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "TaskItem/ActionList/Action/EmailSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ProcessItem/StringList/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "UserItem/SecurityType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "RegistryItem/NumValues": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "int"}, "FileItem/Changed": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "SystemInfoItem/patchLevel": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "EventLogItem/blob": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "TaskItem/ActionList/Action/EmailFrom": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "CookieHistoryItem/BrowserName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": 
"CookieHistoryItem", "content_type": "string"}, "FileDownloadHistoryItem/MaxBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "int"}, "Network/HTTP_Referr": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Network", "content_type": "string"}, "TaskItem/SignatureDescription": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FormHistoryItem/Username": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/EpJumpCodes/Opcodes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FormHistoryItem/BrowserName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "DriverItem/PEInfo/DetectedAnomalies/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "SystemInfoItem/domain": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "TaskItem/ActionList/Action/DigitalSignature/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "DriverItem/DeviceItem/AttachedToDriverObject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "FileItem/FileExtension": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/PEInfo/Sections/NumberOfSections": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "SystemRestoreItem/RestorePointDescription": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "ServiceItem/serviceDLLsha256sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, 
"DriverItem/ImageBase": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "DriverItem/DeviceItem/DriverName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "RegistryItem/detectedAnomaly": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "SystemInfoItem/availphysical": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "int"}, "TaskItem/Flag": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileDownloadHistoryItem/SourceURL": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "DriverItem/StringList/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "FileItem/FilePath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ServiceItem/pathSignatureDescription": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "DriverItem/PEInfo/DigitalSignature/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "SystemInfoItem/networkArray/networkInfo/ipGatewayArray/ipGateway": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "VolumeItem/SerialNumber": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "FileItem/SecurityID": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileDownloadHistoryItem/Profile": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "FileItem/PEInfo/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, 
"FileItem/Drive": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/PEInfo/Exports/ExportedFunctions/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "CookieHistoryItem/CookiePath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "DriverItem/DeviceItem/AttachedToDriverName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "PortItem/remotePort": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "int"}, "UrlHistoryItem/VisitCount": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "int"}, "ProcessItem/detectedAnomaly": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "UrlHistoryItem/FirstVisitDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "dateTime"}, "Email/CC": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "FileItem/PeakEntropy": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "FileDownloadHistoryItem/LastCacheSynchDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "dateTime"}, "FileItem/PEInfo/Exports/NumberOfFunctions": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "CookieHistoryItem/ExpirationDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "dateTime"}, "FileItem/PEInfo/Sections/Section/Entropy/CurveData/float": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": 
"FileItem", "content_type": "int"}, "HookItem/DigitalSignatureHooked/CertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "DiskItem/PartitionList/Partition/PartitionType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DiskItem", "content_type": "string"}, "FileItem/PEInfo/PEChecksum/PEFileRaw": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "SystemRestoreItem/RestorePointFullPath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "SystemRestoreItem/RegistryHives/String": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "RegistryItem/NumSubKeys": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "int"}, "PrefetchItem/VolumeList/VolumeItem/SerialNumber": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "string"}, "DriverItem/PEInfo/DetectedEntryPointSignature/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "FileItem/StreamList/Stream/SizeInBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "FileDownloadHistoryItem/LastModifiedDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "dateTime"}, "FileItem/FullPath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "SystemInfoItem/totalphysical": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "int"}, "SystemInfoItem/biosInfo/biosVersion": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "SystemInfoItem/biosInfo/biosDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": 
"string"}, "FileItem/detectedAnomaly": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/Modified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "ProcessItem/HandleList/Handle/HandleCount": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "ServiceItem/serviceDLLsha1sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "DriverItem/PEInfo/DigitalSignature/Description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "DriverItem/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "TaskItem/ActionList/Action/DigitalSignature/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/BaseAddress": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "PortItem/state": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "string"}, "CookieHistoryItem/CookieName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "SystemRestoreItem/OriginalFileName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "VolumeItem/FileSystemFlags": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "VolumeItem/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "FileItem/PEInfo/DigitalSignature/CertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ArpEntryItem/PhysicalAddress": {"last_modified": "2011-12-02T08:54:05Z", 
"context_doc": "ArpEntryItem", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/SpecialBuild": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "DriverItem/DeviceItem/AttachedToDeviceObject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "FormHistoryItem/UsernameFieldValue": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "SystemRestoreItem/OriginalShortFileName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "ServiceItem/pid": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "int"}, "SystemRestoreItem/Created": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "DnsEntryItem/RecordName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DnsEntryItem", "content_type": "string"}, "SystemInfoItem/machine": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "EventLogItem/message": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "UrlHistoryItem/VisitType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/PEChecksum/PEFileAPI": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "CookieHistoryItem/CookieFlags": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/path": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "DiskItem/PartitionList/Partition/PartitionNumber": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DiskItem", "content_type": "int"}, 
"FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileVersion": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "DriverItem/Sha1sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "VolumeItem/IsMounted": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "Email/Body": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "EventLogItem/source": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "TaskItem/ActionList/Action/COMClassId": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileItem/PEInfo/PEChecksum/PEFileAPI": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "FileItem/PEInfo/Sections/Section/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "TaskItem/ApplicationName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "SystemInfoItem/timezoneDST": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/remotePort": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "ServiceItem/serviceDLLCertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "UserItem/disabled": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "TaskItem/ActionList/Action/EmailBCC": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "Email/AttachmentCount": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "int"}, "Email/Date": {"last_modified": "2011-12-02T08:54:05Z", 
"context_doc": "Email", "content_type": "dateTime"}, "FormHistoryItem/Profile": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/DetectedAnomalies/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "UrlHistoryItem/Username": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "DriverItem/PEInfo/Exports/NumberOfFunctions": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/Protection": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalTrademarks": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/PEInfo/Sections/Section/DetectedSignatureKeys/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ProcessItem/SecurityID": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "Email/Thread-Topic": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "Email/X-MS-Has-Attach": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/Injected": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "TaskItem/ActionList/Action/ExecArguments": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FormHistoryItem/CreationDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "dateTime"}, "FileItem/PEInfo/DigitalSignature/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": 
"FileItem", "content_type": "string"}, "CookieHistoryItem/FileName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "Email/In-Reply-To": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "ServiceItem/pathmd5sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "ServiceItem/serviceDLLmd5sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "EventLogItem/ExecutionProcessId": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "int"}, "Email/To": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "UrlHistoryItem/BrowserVersion": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "DriverItem/PEInfo/Subsystem": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "TaskItem/ActionList/Action/DigitalSignature/CertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ModuleItem/ModuleSize": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ModuleItem", "content_type": "int"}, "TaskItem/CreationDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "dateTime"}, "TaskItem/NextRunTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "dateTime"}, "FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Size": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "CookieHistoryItem/CreationDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "dateTime"}, "FileItem/FilenameAccessed": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, 
"ServiceItem/pathCertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "TaskItem/Comment": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "DriverItem/PEInfo/DetectedEntryPointSignature/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/INode": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "TaskItem/WorkItemData": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "RegistryItem/ValueName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/pid": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "Email/X-filesizes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "int"}, "UserItem/LastLogin": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "dateTime"}, "ProcessItem/SectionList/MemorySection/RegionSize": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "ModuleItem/ModulePath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ModuleItem", "content_type": "string"}, "FormHistoryItem/HttpRealm": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/Exports/ExportsTimeStamp": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", 
"content_type": "dateTime"}, "EventLogItem/machine": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "SystemInfoItem/procType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "PortItem/remoteIP": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "string"}, "FormHistoryItem/LastUsedDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "dateTime"}, "Network/UserAgent": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Network", "content_type": "string"}, "SystemRestoreItem/BackupFileName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "RouteEntryItem/Protocol": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "string"}, "ModuleItem/ModuleName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ModuleItem", "content_type": "string"}, "TaskItem/ActionList/Action/ShowMessageTitle": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "HookItem/HookedModule": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "ProcessItem/HandleList/Handle/Index": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "PrefetchItem/ReportedSizeInBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "int"}, "RouteEntryItem/Interface": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "string"}, "FileItem/PEInfo/Subsystem": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "TaskItem/ActionList/Action/EmailReplyTo": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, 
"UrlHistoryItem/LastVisitDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "dateTime"}, "ProcessItem/SectionList/MemorySection/PEInfo/DigitalSignature/SignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "VolumeItem/ActualAvailableAllocationUnits": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "int"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/PrivateBuild": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "PortItem/localIP": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "string"}, "TaskItem/ActionList/Action/ExecProgramSha1sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "Email/Thread-Index": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "FileItem/PEInfo/DigitalSignature/SignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "DriverItem/DriverName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "TaskItem/TriggerList/Trigger/TriggerFrequency": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileDownloadHistoryItem/MimeType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "ServiceItem/descriptiveName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "TaskItem/ActionList/Action/DigitalSignature/SignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/Exports/ExportedFunctions/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", 
"content_type": "string"}, "TaskItem/AccountLogonType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FormHistoryItem/FirstUsedDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "dateTime"}, "SystemRestoreItem/AclChangeSecurityID": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "DriverItem/PEInfo/BaseAddress": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "FormHistoryItem/EncryptedPassword": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "DriverItem/DeviceItem/AttachedDriverName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "VolumeItem/DevicePath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "DiskItem/PartitionList/Partition/PartitionLength": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DiskItem", "content_type": "int"}, "Email/Attachment/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "PrefetchItem/AccessedFileList/AccessedFile": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "string"}, "SystemRestoreItem/RestorePointType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "FileItem/StreamList/Stream/Md5sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/DigitalSignature/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "SystemInfoItem/networkArray/networkInfo/description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, 
"DnsEntryItem/Flags": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DnsEntryItem", "content_type": "string"}, "DriverItem/SignatureDescription": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "UserItem/passwordrequired": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "Email/Attachment/Content": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/EpJumpCodes/Depth": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileItem/StreamList/Stream/Sha1sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "DnsEntryItem/RecordType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DnsEntryItem", "content_type": "string"}, "UserItem/scriptpath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "FileItem/PEInfo/DigitalSignature/Description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/PEInfo/DetectedAnomalies/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "DriverItem/Sha256sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "DriverItem/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "DriverItem/PEInfo/Exports/ExportsTimeStamp": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "dateTime"}, "PrefetchItem/VolumeList/VolumeItem/DevicePath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": 
"PrefetchItem", "content_type": "string"}, "FileDownloadHistoryItem/AutoResume": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "TaskItem/CertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ModuleItem/ModuleInit": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ModuleItem", "content_type": "int"}, "TaskItem/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "DriverItem/PEInfo/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "ServiceItem/serviceDLL": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "EventLogItem/user": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "UrlHistoryItem/Profile": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "TaskItem/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "HookItem/HookDescription": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "FileItem/StreamList/Stream/Sha256sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "EventLogItem/log": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "Email/ReceivedFromIP": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "ServiceItem/serviceDLLSignatureDescription": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "FileItem/Md5sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "TaskItem/ActionList/Action/ExecProgramMd5sum": 
{"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileItem/Sha256sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ServiceItem/startedAs": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "SystemInfoItem/installDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "dateTime"}, "ProcessItem/SecurityType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "Network/URI": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Network", "content_type": "string"}, "ServiceItem/pathCertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "SystemInfoItem/regOwner": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "FileDownloadHistoryItem/Username": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "SystemInfoItem/user": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "TaskItem/Status": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ModuleItem/ModuleAddress": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ModuleItem", "content_type": "int"}, "FileDownloadHistoryItem/TemporaryPath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "FileItem/SecurityType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "UserItem/SecurityID": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/DigitalSignature/CertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", 
"context_doc": "ProcessItem", "content_type": "string"}, "EventLogItem/type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "FileItem/PEInfo/Exports/ExportsTimeStamp": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "UrlHistoryItem/Hidden": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "VolumeItem/CreationTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "dateTime"}, "FormHistoryItem/HostName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "SystemInfoItem/productName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/RegionStart": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "CookieHistoryItem/BrowserVersion": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "TaskItem/MaxRunTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileItem/Username": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "EventLogItem/ExecutionThreadId": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "int"}, "CookieHistoryItem/HostName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/DetectedSignatureKeys/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "RouteEntryItem/RouteType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "string"}, "FileDownloadHistoryItem/BytesDownloaded": 
{"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileDownloadHistoryItem/FileName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "DriverItem/PEInfo/EpJumpCodes/Depth": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "FormHistoryItem/FormFieldName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "HookItem/DigitalSignatureHooking/CertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "ServiceItem/arguments": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "ProcessItem/pid": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/PEInfo/DigitalSignature/Description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileItem/PEInfo/Sections/Section/DetectedCharacteristics": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "DnsEntryItem/Host": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DnsEntryItem", "content_type": "string"}, "CookieHistoryItem/LastModifiedDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "dateTime"}, "ServiceItem/description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "ArpEntryItem/CacheType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ArpEntryItem", "content_type": "string"}, "DriverItem/CertificateSubject": {"last_modified": 
"2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "UserItem/homedirectory": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "DriverItem/PEInfo/Exports/ExportedFunctions/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "RouteEntryItem/Gateway": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "string"}, "EventLogItem/reserved": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "SystemInfoItem/hostname": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "SystemInfoItem/directory": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "SystemInfoItem/networkArray/networkInfo/MAC": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "TaskItem/ActionList/Action/EmailTo": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "DriverItem/PEInfo/Sections/Section/DetectedSignatureKeys/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "FileDownloadHistoryItem/BrowserVersion": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/DigitalSignature/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileDownloadHistoryItem/StartDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "dateTime"}, "ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/DetectedCharacteristics": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, 
"PrefetchItem/Created": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "dateTime"}, "EventLogItem/categoryNum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "DriverItem/Md5sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "DriverItem/PEInfo/Sections/Section/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "SystemRestoreItem/FileAttributes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Language": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileDownloadHistoryItem/LastCheckedDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "dateTime"}, "ServiceItem/pathSignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "DriverItem/PEInfo/PEChecksum/PEFileRaw": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "SystemInfoItem/networkArray/networkInfo/ipArray/ipInfo/subnetMask": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "UserItem/Username": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "TaskItem/TriggerList/Trigger/TriggerBegin": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "dateTime"}, 
"Email/References": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "TaskItem/TriggerList/Trigger/TriggerSessionChangeType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "TaskItem/TriggerList/Trigger/TriggerUsername": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "RegistryItem/Hive": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/Subsystem": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "PrefetchItem/TimesExecuted": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "int"}, "TaskItem/VirtualPath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ProcessItem/parentpid": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "DriverItem/PEInfo/Sections/Section/SizeInBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "TaskItem/ActionList/Action/ExecProgramPath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/RawFlags": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "DriverItem/PEInfo/ImportedModules/Module/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "Email/Received": {"last_modified": "2011-12-02T08:54:05Z", 
"context_doc": "Email", "content_type": "string"}, "TaskItem/WorkingDirectory": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "CookieHistoryItem/Username": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "FormHistoryItem/FormSubmitURL": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "FileItem/PEInfo/DetectedEntryPointSignature/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "PrefetchItem/SizeInBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/PEInfo/PEChecksum/PEFileRaw": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "FormHistoryItem/UsernameFieldName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "FileItem/PEInfo/Exports/NumberOfNames": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "UserItem/lockedout": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "RouteEntryItem/Metric": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "int"}, "HookItem/HookedFunction": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "FileItem/PEInfo/Sections/Section/SizeInBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "DriverItem/PEInfo/DigitalSignature/SignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "DnsEntryItem/RecordData/Host": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DnsEntryItem", "content_type": "string"}, 
"FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "SystemInfoItem/networkArray/networkInfo/dhcpLeaseExpires": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "dateTime"}, "ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/SizeInBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "UrlHistoryItem/URL": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "ServiceItem/pathSignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "TaskItem/ActionList/Action/ExecProgramSha256sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductVersion": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "Email/From": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "UrlHistoryItem/IndexedContent": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "DriverItem/PEInfo/ExtraneousBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "FileItem/FilenameChanged": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "DriverItem/PEInfo/Sections/Section/DetectedCharacteristics": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "UrlHistoryItem/BrowserName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "TaskItem/ActionList/Action/ActionType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, 
"HookItem/HookingAddress": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/PEInfo/DetectedEntryPointSignature/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "Email/MIME-Version": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "UserItem/userpasswordage": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "PortItem/localPort": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "int"}, "Email/Return-Path": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "PrefetchItem/ApplicationFileName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "string"}, "Network/String": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Network", "content_type": "string"}, "UserItem/grouplist/groupname": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "DriverItem/DeviceItem/AttachedToDeviceName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/protocol": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "SystemInfoItem/regOrg": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "FileDownloadHistoryItem/TargetDirectory": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "TaskItem/ExitCode": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "Network/DNS": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Network", "content_type": "string"}, "PrefetchItem/PrefetchHash": {"last_modified": 
"2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "string"}, "FileItem/PEInfo/ExtraneousBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ServiceItem/serviceDLLSignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "TaskItem/AccountRunLevel": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "TaskItem/ActionList/Action/EmailBody": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ServiceItem/mode": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "HookItem/DigitalSignatureHooking/SignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "DriverItem/DriverStartIo": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "DriverItem/PEInfo/DigitalSignature/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "UserItem/description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "RegistryItem/Value": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "ProcessItem/arguments": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileItem/PEInfo/Exports/DllName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "TaskItem/Creator": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileItem/PEInfo/ImportedModules/Module/NumberOfFunctions": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/DigitalSignature/SignatureExists": 
{"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "Email/ReceivedFromHost": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "ProcessItem/userTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "SystemRestoreItem/AclChangeUsername": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "DriverItem/PEInfo/Exports/DllName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "ProcessItem/startTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "dateTime"}, "UrlHistoryItem/LastVisitDateLocal": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "dateTime"}, "ProcessItem/SectionList/MemorySection/PEInfo/Exports/NumberOfFunctions": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "FileDownloadHistoryItem/Referrer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "DriverItem/DriverInit": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "FormHistoryItem/EncryptionType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "RouteEntryItem/Netmask": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/localIP": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "SystemRestoreItem/ChangeLogEntryFlags": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/state": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", 
"content_type": "string"}, "FileItem/Accessed": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "TaskItem/ActionList/Action/EmailServer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "CookieHistoryItem/FilePath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "EventLogItem/index": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "int"}, "RegistryItem/Modified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "dateTime"}, "ProcessItem/path": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "PortItem/protocol": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "string"}, "TaskItem/Parameters": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileDownloadHistoryItem/DownloadType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "HookItem/DigitalSignatureHooked/Description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "DiskItem/PartitionList/Partition/PartitionOffset": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DiskItem", "content_type": "int"}, "DriverItem/ImageSize": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "FileDownloadHistoryItem/LastAccessedDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "dateTime"}, "RegistryItem/Username": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "ProcessItem/HandleList/Handle/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, 
"FileItem/PEInfo/DetectedEntryPointSignature/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/PEInfo/PEChecksum/PEComputedAPI": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "DriverItem/PEInfo/PEChecksum/PEFileAPI": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "TaskItem/SignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "EventLogItem/genTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "dateTime"}, "ProcessItem/SectionList/MemorySection/Md5sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "SystemRestoreItem/ChangeLogFileName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "FormHistoryItem/FormType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "SystemInfoItem/networkArray/networkInfo/ipArray/ipInfo/ipAddress": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "ProcessItem/HandleList/Handle/PointerCount": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileDownloadHistoryItem/EndDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "dateTime"}, "RouteEntryItem/Destination": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RouteEntryItem", "content_type": "string"}, "TaskItem/ActionList/Action/EmailAttachments": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "PrefetchItem/ApplicationFullPath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "string"}, "FileItem/FilenameCreated": 
{"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "UrlHistoryItem/VisitFrom": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "HookItem/DigitalSignatureHooking/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "TaskItem/md5sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "UserItem/fullname": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UserItem", "content_type": "string"}, "FileItem/FileAttributes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ServiceItem/serviceDLLSignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "VolumeItem/VolumeName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "RegistryItem/KeyPath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "FileDownloadHistoryItem/CacheFlags": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "TaskItem/TriggerList/Trigger/TriggerMaxRunTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "PrefetchItem/VolumeList/VolumeItem/CreationTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "dateTime"}, "ModuleItem/ModuleBase": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ModuleItem", "content_type": "int"}, "ProcessItem/hidden": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, 
"TaskItem/TriggerList/Trigger/TriggerDelay": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "Email/BCC": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "FileItem/PEInfo/ImportedModules/Module/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "RegistryItem/Path": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "DriverItem/DeviceItem/DeviceObject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "SystemInfoItem/date": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "dateTime"}, "DnsEntryItem/TimeToLive": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DnsEntryItem", "content_type": "string"}, "EventLogItem/CorrelationRelatedActivityId": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "EventLogItem", "content_type": "string"}, "DriverItem/DriverUnload": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "FileItem/PeakCodeEntropy": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "UrlHistoryItem/Thumbnail": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "ServiceItem/serviceDLLCertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "ServiceItem/name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "FileDownloadHistoryItem/BrowserName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "VolumeItem/FileSystemName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "FileItem/StringList/string": 
{"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "VolumeItem/DriveLetter": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/DigitalSignature/Description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "FileItem/StreamList/Stream/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "TaskItem/ActionList/Action/DigitalSignature/Description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "TaskItem/TriggerList/Trigger/TriggerSubscription": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "SystemInfoItem/uptime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "UrlHistoryItem/HostName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "DriverItem/PEInfo/PEChecksum/PEComputedAPI": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "int"}, "HookItem/HookingModule": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "SystemInfoItem/productID": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "UrlHistoryItem/FirstBookmarkDate": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "FileDownloadHistoryItem/FullHttpHeader": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "CookieHistoryItem/CookieValue": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "TaskItem/TriggerList/Trigger/TriggerEnd": {"last_modified": "2011-12-02T08:54:05Z", 
"context_doc": "TaskItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/process": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/Sha256sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "RegistryItem/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "DriverItem/DeviceItem/AttachedDeviceName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "SystemInfoItem/MAC": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "TaskItem/ActionList/Action/ExecWorkingDirectory": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "UrlHistoryItem/Typed": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "UrlHistoryItem", "content_type": "string"}, "DiskItem/DiskName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DiskItem", "content_type": "string"}, "FileDownloadHistoryItem/State": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileDownloadHistoryItem", "content_type": "string"}, "SystemInfoItem/processor": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/ExtraneousBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/PETimeStamp": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "dateTime"}, "TaskItem/MostRecentRunTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "dateTime"}, "TaskItem/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "RegistryItem/ReportedLengthInBytes": 
{"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "int"}, "ProcessItem/SectionList/MemorySection/PEInfo/DigitalSignature/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/localPort": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "Email/Attachment/MIMEType": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "ServiceItem/pathsha256sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "FileItem/PEInfo/EpJumpCodes/Opcodes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/ImportedFunctions/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "VolumeItem/SectorsPerAllocationUnit": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/PEInfo/PEChecksum/PEComputedAPI": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "int"}, "FormHistoryItem/Guid": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "FormHistoryItem/TimesUsed": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "int"}, "RegistryItem/Text": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "RegistryItem", "content_type": "string"}, "ProcessItem/PortList/PortItem/CreationTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "dateTime"}, "DriverItem/SignatureExists": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, 
"HookItem/DigitalSignatureHooking/Description": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "DriverItem/PEInfo/EpJumpCodes/Opcodes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "Email/Attachment/SizeInBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "int"}, "DriverItem/DeviceItem/DeviceName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "TaskItem/ActionList/Action/COMData": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "SystemRestoreItem/RestorePointName": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Data": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ProcessItem/Username": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ProcessItem/SectionList/MemorySection/DigitalSignature/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "SystemRestoreItem/ChangeLogEntrySequenceNumber": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemRestoreItem", "content_type": "string"}, "FileItem/Sha1sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/PEInfo/VersionInfoList/VersionInfoItem/Comments": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "TaskItem/Priority": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "DriverItem/PEInfo/DigitalSignature/CertificateSubject": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, 
"FileItem/PEInfo/Sections/Section/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "ProcessItem/kernelTime": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "HiveItem/Path": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HiveItem", "content_type": "string"}, "HookItem/DigitalSignatureHooked/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "FileItem/PEInfo/EpJumpCodes/Depth": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, "TaskItem/sha256sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "HiveItem/Name": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HiveItem", "content_type": "string"}, "TaskItem/sha1sum": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "PrefetchItem/FullPath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "string"}, "TaskItem/ActionList/Action/ShowMessageBody": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}, "ProcessItem/HandleList/Handle/ObjectAddress": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "DriverItem/PEInfo/ImportedModules/Module/ImportedFunctions/string": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "FormHistoryItem/BrowserVersion": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FormHistoryItem", "content_type": "string"}, "ProcessItem/HandleList/Handle/AccessMask": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ProcessItem", "content_type": "string"}, "ServiceItem/status": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, 
"FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "PrefetchItem/LastRun": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PrefetchItem", "content_type": "dateTime"}, "CookieHistoryItem/IsHttpOnly": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "CookieHistoryItem", "content_type": "string"}, "FileItem/FilenameModified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "dateTime"}, "SystemInfoItem/buildNumber": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "ServiceItem/type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "ServiceItem", "content_type": "string"}, "DriverItem/PEInfo/PETimeStamp": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "dateTime"}, "Email/Content-Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "Email", "content_type": "string"}, "HookItem/DigitalSignatureHooked/CertificateIssuer": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "HookItem", "content_type": "string"}, "SystemInfoItem/networkArray/networkInfo/adapter": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "SystemInfoItem", "content_type": "string"}, "VolumeItem/TotalAllocationUnits": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "VolumeItem", "content_type": "string"}, "DriverItem/PEInfo/Sections/Section/Type": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "DriverItem", "content_type": "string"}, "PortItem/process": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "string"}, "FileItem/DevicePath": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "FileItem/SizeInBytes": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "int"}, 
"FileItem/PEInfo/DigitalSignature/SignatureVerified": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "FileItem", "content_type": "string"}, "PortItem/pid": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "PortItem", "content_type": "int"}, "TaskItem/TriggerList/Trigger/TriggerEnabled": {"last_modified": "2011-12-02T08:54:05Z", "context_doc": "TaskItem", "content_type": "string"}}}
--------------------------------------------------------------------------------
/ioc.py:
--------------------------------------------------------------------------------
# Copyright 2014 Yahoo! Inc.
# Licensed under the Apache 2.0 license. Developed for Yahoo! by Sean Gillespie.
#
# Yahoo! licenses this file to you under the Apache License, Version
# 2.0 (the "License"); you may not use this file except in compliance with the
# License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing
# permissions and limitations under the License.

import os
from lxml import etree as et
import copy
import ioc_et
import wx

# .ioc files are routinely exchanged between analysts, so parse them without
# entity expansion or network access (guards against XXE-style content).
IOC_PARSER = et.XMLParser(resolve_entities=False, no_network=True)


def strip_namespace(ioc_xml):
    # Rewrite "{uri}tag" into plain "tag" for every element so the rest of
    # the editor can address nodes as 'Indicator', 'Context', etc.
    if ioc_xml.tag.startswith('{'):
        ns_length = ioc_xml.tag.find('}')
        namespace = ioc_xml.tag[0:ns_length+1]
        for element in ioc_xml.iter():
            # Comments and processing instructions have a callable .tag; skip them.
            if isinstance(element.tag, str) and element.tag.startswith(namespace):
                element.tag = element.tag[len(namespace):]
    return ioc_xml


def generate_label(element):
    # Returns (label, colour) for a tree node of the indicator logic tree.
    if element.tag == "Indicator":
        return (element.get('operator'), wx.BLACK)

    if element.tag == "IndicatorItem":
        color = wx.BLUE

        context = element.find('Context')
        content = element.find('Content')

        condition = ""
        search_type = ""
        search_path = ""
        search_text = ""

        if element.get('condition'):
            condition = element.get('condition')

        if context.get('type'):
            search_type = context.get('type')

        if context.get('search'):
            search_path = context.get('search')

        if content.text:
            search_text = content.text

        # Green: case-sensitive match (OpenIOC 1.1 preserve-case="true").
        if "preserve-case" in element.keys():
            if element.get('preserve-case') == "true":
                color = "#009900"

        # Red: negated item; purple: negated and case-sensitive.
        negate = ""
        if "negate" in element.keys():
            if element.get('negate') == "true":
                negate = " NOT"
                if element.get('preserve-case') == "true":
                    color = "#7300FF"
                else:
                    color = wx.RED

        # OpenIOC 1.0 spells negation as a condition ('isnot', 'containsnot');
        # display it the same way as a 1.1 negate="true" item.
        if condition == "isnot":
            condition = "is"
            negate = " NOT"
            color = wx.RED

        if condition == "containsnot":
            condition = "contains"
            negate = " NOT"
            color = wx.RED

        label = negate + " " + search_type + ":" + search_path + " " + condition + " " + search_text
        return (label, color)

    # Keep the (label, colour) shape so callers can always unpack the result.
    return ("Bad Indicator", wx.RED)


class IOC():
    def __init__(self, ioc_xml):
        self.working_xml = copy.deepcopy(ioc_xml)
        self.orig_xml = copy.deepcopy(ioc_xml)

        self.attributes = self.working_xml.attrib

        # Element carrying the descriptive metadata: the root itself for
        # OpenIOC 1.0, the <metadata> child for OpenIOC 1.1.
        metadata_root = None
        default_ns = self.working_xml.nsmap.get(None)

        if default_ns == "http://schemas.mandiant.com/2010/ioc":
            self.version = "1.0"
            metadata_root = self.working_xml

            self.criteria = self.working_xml.find('definition')
            if self.criteria is None:
                self.working_xml.append(ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
                self.criteria = self.working_xml.find('definition')

            self.parameters = None

        elif default_ns == "http://openioc.org/schemas/OpenIOC_1.1":
            self.version = "1.1"
            metadata_root = self.working_xml.find('metadata')
            if metadata_root is None:
                self.working_xml.append(ioc_et.make_metadata_node(name = "*Missing*", author = "*Missing*", description = "*Missing*", links=ioc_et.make_links_node()))
                metadata_root = self.working_xml.find('metadata')

            self.criteria = self.working_xml.find('criteria')
            if self.criteria is None:
                self.working_xml.append(ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
                self.criteria = self.working_xml.find('criteria')

            self.parameters = self.working_xml.find('parameters')
            if self.parameters is None:
                self.working_xml.append(ioc_et.make_parameters_node())
                self.parameters = self.working_xml.find('parameters')

        else:
            # Not an OpenIOC 1.0 or 1.1 document; refuse it rather than
            # continuing with a bogus metadata root.
            raise ValueError("Unsupported IOC namespace: %r" % (default_ns,))

        self.name = metadata_root.find('short_description')
        if self.name is None:
            metadata_root.append(ioc_et.make_short_description_node("*Missing*"))
            self.name = metadata_root.find('short_description')

        self.desc = metadata_root.find('description')
        if self.desc is None:
            metadata_root.append(ioc_et.make_description_node("*Missing*"))
            self.desc = metadata_root.find('description')

        self.author = metadata_root.find('authored_by')
        if self.author is None:
            metadata_root.append(ioc_et.make_authored_by_node("*Missing*"))
            self.author = metadata_root.find('authored_by')

        self.created = metadata_root.find('authored_date')
        if self.created is None:
            metadata_root.append(ioc_et.make_authored_date_node())
            self.created = metadata_root.find('authored_date')

        self.links = metadata_root.find('links')
        if self.links is None:
            metadata_root.append(ioc_et.make_links_node())
            self.links = metadata_root.find('links')

    def get_uuid(self):
        return self.attributes['id']

    def get_name(self):
        return self.name.text

    def set_name(self, name):
        self.name.text = name

    def get_modified(self):
        return self.attributes['last-modified']

    def set_modified(self):
        self.attributes['last-modified'] = ioc_et.get_current_date()

    def get_author(self):
        if self.author.text is not None:
            return self.author.text
        else:
            return ""

    def set_author(self, author):
        self.author.text = author

    def get_created(self):
        return self.created.text

    def set_created(self):
        self.created.text = ioc_et.get_current_date()

    def get_metadata(self, field):
        pass

    def get_desc(self):
        if self.desc.text is not None:
            if os.name == "nt":
                return self.desc.text.replace('\n', '\r\n')
            else:
                return self.desc.text
        else:
            return ""

    def set_desc(self, desc):
        self.desc.text = desc

    def get_links(self):
        pass

    def get_indicator(self):
        pass


class IOCList():
    def __init__(self):
        self.working_dir = None
        self.iocs = {}

    def _save_one(self, full_path):
        # Only touch the file (and bump last-modified) when the working copy
        # differs from what was loaded from disk.
        ioc = self.iocs[full_path]
        if et.tostring(ioc.working_xml) != et.tostring(ioc.orig_xml):
            ioc.set_modified()
            ioc_xml_string = et.tostring(ioc.working_xml, encoding="utf-8", xml_declaration=True, pretty_print = True)
            # tostring() with an explicit encoding returns bytes.
            with open(full_path, 'wb') as ioc_file:
                ioc_file.write(ioc_xml_string)
            ioc.orig_xml = copy.deepcopy(ioc.working_xml)

    def save_iocs(self, full_path=None):
        if full_path:
            self._save_one(full_path)
        else:
            for full_path in self.iocs:
                self._save_one(full_path)

    def clone_ioc(self,current_ioc):
        new_ioc_xml = copy.deepcopy(current_ioc.working_xml)
        new_uuid = ioc_et.get_guid()
        ioc_file = new_uuid + ".ioc"
        full_path = os.path.join(self.working_dir, ioc_file)

        new_ioc_xml.attrib['id'] = new_uuid
        self.iocs[full_path] = IOC(new_ioc_xml)
        self.iocs[full_path].set_modified()
        self.iocs[full_path].set_created()
        # A placeholder "original" guarantees the clone is seen as modified and saved.
        self.iocs[full_path].orig_xml = et.Element('Clone')

        return full_path

    def add_ioc(self, author, version):
        new_ioc_xml = ioc_et.make_IOC_root(version=version)

        ioc_file = new_ioc_xml.attrib['id'] + ".ioc"
        full_path = os.path.join(self.working_dir, ioc_file)

        if version == "1.0":
            new_ioc_xml.append(ioc_et.make_short_description_node(name = "*New IOC*"))
            new_ioc_xml.append(ioc_et.make_description_node(text="PyIOCe Generated IOC"))
            new_ioc_xml.append(ioc_et.make_authored_by_node(author = author))
            new_ioc_xml.append(ioc_et.make_authored_date_node())
            new_ioc_xml.append(ioc_et.make_links_node())
            new_ioc_xml.append(ioc_et.make_definition_node(ioc_et.make_Indicator_node("OR")))
        elif version == "1.1":
            new_ioc_xml.append(ioc_et.make_metadata_node( name = "*New IOC*", author = "PyIOCe", description = "PyIOCe Generated IOC"))
            new_ioc_xml.append(ioc_et.make_criteria_node(ioc_et.make_Indicator_node("OR")))
            new_ioc_xml.append(ioc_et.make_parameters_node())

        self.iocs[full_path] = IOC(new_ioc_xml)
        self.iocs[full_path].orig_xml = et.Element('New')

        return full_path

    def open_ioc_path(self,dir):
        self.iocs = {}
        self.working_dir = dir
        for base, sub, files in os.walk(self.working_dir):
            for filename in files:
                if os.path.splitext(filename)[1][1:].lower() == "ioc":
                    full_path = os.path.join(base, filename)

                    # Read bytes: lxml rejects text input that carries an
                    # XML encoding declaration.
                    with open(full_path, 'rb') as ioc_file:
                        try:
                            ioc_xml = et.fromstring(ioc_file.read(), IOC_PARSER)

                            clean_ioc_xml = strip_namespace(ioc_xml)

                            self.iocs[full_path] = IOC(clean_ioc_xml)
                        except Exception:
                            pass #FIXME Logging/Alerts for failed files
--------------------------------------------------------------------------------
/ioc_et.py:
--------------------------------------------------------------------------------
# ioc_et.py
#
# Copyright 2013 Mandiant Corporation.
# Licensed under the Apache 2.0 license. Developed for Mandiant by William
# Gibb.
#
# Mandiant licenses this file to you under the Apache License, Version
# 2.0 (the "License"); you may not use this file except in compliance with the
# License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing
# permissions and limitations under the License.
#
# Provides support for ioc_api.
#

#
# Modifications to file for Yahoo! by Sean Gillespie
#

import uuid
import datetime

from lxml import etree as et

##############################################
NSMAP = {'xsi' : 'http://www.w3.org/2001/XMLSchema-instance',
         'xsd' : 'http://www.w3.org/2001/XMLSchema', }


def make_IOC_root(id=None, version="1.1"):
    # Work on a copy so that building a root for one version does not leave
    # that version's default namespace behind in the module-level NSMAP.
    nsmap = dict(NSMAP)
    if version == "1.0":
        nsmap[None] = "http://schemas.mandiant.com/2010/ioc"
        root = et.Element('ioc', nsmap = nsmap)
    elif version == "1.1":
        nsmap[None] = "http://openioc.org/schemas/OpenIOC_1.1"
        root = et.Element('OpenIOC', nsmap = nsmap)
    else:
        raise ValueError('Invalid Version')

    if id:
        root.attrib['id'] = id
    else:
        root.attrib['id'] = get_guid()
    # default dates
    root.attrib['last-modified'] = '0001-01-01T00:00:00'
    root.attrib['published-date'] = '0001-01-01T00:00:00'
    return root

def make_metadata_node(name = None,
                       description = 'Automatically generated IOC',
                       author = 'IOC_et',
                       links = None,):
    metadata_node = et.Element('metadata')
    metadata_node.append(make_short_description_node(name))
    metadata_node.append(make_description_node(description))
    #metadata_node.append(make_keywords_node())
    metadata_node.append(make_authored_by_node(author))
    metadata_node.append(make_authored_date_node())
    metadata_node.append(make_links_node(links))
    return metadata_node

def make_keywords_node(keywords = None):
    keywords_node = et.Element('keywords')
    if keywords:
        keywords_node.text = keywords
    return keywords_node

def make_short_description_node(name):
    description_node = et.Element('short_description')
    description_node.text=name
    return description_node

def update_node_text(node, text):
    node.text = text
    return node

def make_description_node(text):
    description_node = et.Element('description')
    description_node.text=text
    return description_node


def make_authored_by_node(author = 'ioc_et'):
    authored_node = et.Element('authored_by')
    authored_node.text = author
    return authored_node

def make_links_node(links = None):
    # links: iterable of (rel, href, value) triples
    links_node = et.Element('links')
    if links:
        for rel, href, value in links:
            links_node.append(make_link_node(rel,value, href))
    return links_node

def set_root_lastmodified(root_node, date=None):
    if date:
        root_node.attrib['last-modified'] = date
    else:
        root_node.attrib['last-modified'] = get_current_date()

def set_root_published_date(root_node, date=None):
    if date:
        root_node.attrib['published-date'] = date
    else:
        root_node.attrib['published-date'] = get_current_date()

def set_root_created_date(root_node, date=None):
    date_node = root_node.find('.//authored_date')
    if date_node is None:
        raise ValueError('authored_date node does not exist. IOC is not schema compliant.')
    if date:
        date_node.text = date
    else:
        date_node.text = get_current_date()

def make_criteria_node(indicator_node = None):
    # OpenIOC 1.1 wraps the logic tree in <criteria>
    definition_node = et.Element('criteria')
    if indicator_node is not None:
        if indicator_node.tag != 'Indicator':
            raise ValueError('IndicatorNode has the incorrect tag.')
        definition_node.append(indicator_node)
    return definition_node

def make_definition_node(indicator_node = None):
    # OpenIOC 1.0 wraps the logic tree in <definition>
    definition_node = et.Element('definition')
    if indicator_node is not None:
        if indicator_node.tag != 'Indicator':
            raise ValueError('IndicatorNode has the incorrect tag.')
        definition_node.append(indicator_node)
    return definition_node

def make_parameters_node():
    parameters_node = et.Element('parameters')
    return parameters_node

def make_param_node(id, content, name='comment', type='string',):
    # id is the ref-id of the Indicator/IndicatorItem the parameter annotates
    param_node = et.Element('param')
    param_node.attrib['id'] = get_guid()
    param_node.attrib['ref-id'] = id
    param_node.attrib['name'] = name
    value_node = et.Element('value')
    value_node.attrib['type'] = type
    value_node.text = content
    param_node.append(value_node)
    return param_node

def make_Indicator_node(operator, id = None):
    '''
    This makes an Indicator node element. These allow the construction of a
    logic tree within the IOC.

    input
        operator: 'AND' or 'OR'.
        id: a string value. This is used to provide a GUID for the Indicator.
            The ID should NOT be specified under normal circumstances.

    return: elementTree element
    '''
    Indicator_node = et.Element('Indicator')
    if id:
        Indicator_node.attrib['id'] = id
    else:
        Indicator_node.attrib['id'] = get_guid()
    if operator.upper() not in ['AND','OR']:
        raise ValueError('Indicator operator must be "AND" or "OR".')
    Indicator_node.attrib['operator'] = operator.upper()
    return Indicator_node

def make_IndicatorItem_node(condition="is",
                            document="Undefined",
                            search="",
                            content_type="Undefined",
                            content="",
                            preserve_case = False,
                            negate = False,
                            context_type = 'mir',
                            id = None,
                            version = "1.1"):
    '''
    This makes an IndicatorItem element. This contains the actual threat
    intelligence in the IOC.

    input
        condition: This is the condition of the item ('is', 'contains',
            'matches', etc).
        document: String value. Denotes the type of document to look for
            the encoded artifact in.
        search: String value. Specifies what attribute of the document type
            the encoded value is.
        content_type: This is the display type of the item, which is derived
            from the iocterm for the search value.
        content: a string value, containing the data to be identified.
        preserve_case: Boolean value. Specify if the
            IndicatorItem/content/text() is case sensitive.
        negate: Boolean value. Specify if the IndicatorItem/@condition is
            negated, ie:
                @condition = 'is' & @negate = 'true' would be equal to the
                @condition = 'isnot' in OpenIOC 1.0.
        context_type: a string value, giving context to the document/search
            information. This defaults to 'mir'.
        id: a string value. This is used to provide a GUID for the IndicatorItem
            The ID should NOT be specified under normal circumstances.

    returns
        an elementTree Element item

    '''

    IndicatorItem_node = et.Element('IndicatorItem')

    # preserve-case and negate attributes only exist in the 1.1 schema;
    # a 1.0 document expresses negation through the condition itself.
    if version != "1.0":
        if preserve_case:
            IndicatorItem_node.attrib['preserve-case'] = 'true'
        else:
            IndicatorItem_node.attrib['preserve-case'] = 'false'
        if negate:
            IndicatorItem_node.attrib['negate'] = 'true'
        else:
            IndicatorItem_node.attrib['negate'] = 'false'

    if id:
        IndicatorItem_node.attrib['id'] = id
    else:
        IndicatorItem_node.attrib['id'] = get_guid()
    IndicatorItem_node.attrib['condition'] = condition

    context_node = make_context_node(document, search, context_type)
    content_node = make_content_node(content_type, content)
    IndicatorItem_node.append(context_node)
    IndicatorItem_node.append(content_node)
    return IndicatorItem_node


##############################################

def make_authored_date_node():
    authored_node = et.Element('authored_date')
    authored_node.text = get_current_date()
    return authored_node

def make_link_node(rel, value, href=None):
    link_node = et.Element('link')
    link_node.attrib['rel'] = rel
    if href:
        link_node.attrib['href'] = href
    link_node.text = value
    return link_node

def make_context_node(document,search,context_type='mir'):
    context_node = et.Element('Context')
    context_node.attrib['document'] = document
    context_node.attrib['search'] = search
    if context_type:
        context_node.attrib['type'] = context_type
    return context_node

def make_content_node(type, content):
    content_node = et.Element('Content')
    content_node.attrib['type'] = type
    content_node.text = content
    return content_node


##############################################

def get_guid():
    return str(uuid.uuid4())

def get_current_date():
    # xsdDate format. not TZ format.
    time = datetime.datetime.utcnow()
    timestring = time.strftime('%Y-%m-%dT%H:%M:%S')
    return timestring

--------------------------------------------------------------------------------
/parameters.default:
--------------------------------------------------------------------------------
{"yara": {"count": {"last_modified": "2014-09-26T06:31:50", "value_type": "int"}, "wide": {"last_modified": "2014-09-26T06:31:18", "value_type": "bool"}, "offset/at": {"last_modified": "2014-09-26T06:29:49", "value_type": "string"}, "set": {"last_modified": "2014-09-26T06:31:47", "value_type": "int"}, "offset/in": {"last_modified": "2014-09-26T06:29:59", "value_type": "string"}, "fullword": {"last_modified": "2014-09-26T06:32:12", "value_type": "bool"}, "ascii": {"last_modified": "2014-09-26T06:31:10", "value_type": "bool"}}, "volatility": {"score": {"last_modified": "2014-10-24T06:12:19", "value_type": "integer"}, "detail": {"last_modified": "2014-10-23T10:04:27", "value_type": "string"}}, "mir": {"comment": {"last_modified": "2014-09-26T06:22:37", "value_type": "string"}}, "splunk": {"eventstats": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "makemv": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "rest": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "mvexpand": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "dbinspect": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "gauge": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "iplocation": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "concurrency": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "localize": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "geostats": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "anomalousvalue": {"last_modified": 
"2014-09-26T21:45:01", "value_type": "string"}, "relevancy": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "sendemail": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "crawl": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "kvform": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "tail": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "xmlkv": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "addtotals": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "accum": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "fieldsummary": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "spath": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "return": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "format": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "appendcols": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "typelearner": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "filldown": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "addcoltotals": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "sichart": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "xyseries": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "fields": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "collect": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "history": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "appendpipe": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "outputtext": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "x11": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "where": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "set": 
{"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "strcat": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "trendline": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "rangemap": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "pivot": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "extract": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "append": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "rex": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "stats": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "erex": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "associate": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "dedup": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "overlap": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "metadata": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "run": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "tags": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "findtypes": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "transpose": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "outputlookup": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "xmlunescape": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "rtorder": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "convert": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "rare": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "reverse": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "arules": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "makecontinuous": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, 
"mvcombine": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "fillnull": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "contingency": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "localop": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "timechart": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "datamodel": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "untable": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "multikv": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "eval": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "kmeans": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "dispatch": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "replace": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "anomalies": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "table": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "uniq": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "diff": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "reltime": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "regex": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "script": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "top": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "folderize": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "sitimechart": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "nomv": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "sitop": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "abstract": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "xpath": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, 
"head": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "eventcount": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "correlate": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "search": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "autoregress": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "delta": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "metasearch": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "inputcsv": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "join": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "input": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "bucket": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "sistats": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "highlight": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "delete": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "rename": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "sort": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "outputcsv": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "predict": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "tscollect": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "bucketdir": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "cluster": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "typeahead": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "addinfo": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "multisearch": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "selfjoin": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "fieldformat": {"last_modified": "2014-09-26T21:45:01", 
"value_type": "string"}, "loadjob": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "lookup": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "foreach": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "searchtxn": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "gentimes": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "map": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "scrub": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "analyzefields": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "outlier": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "tstats": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "chart": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "sirare": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "typer": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "audit": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "transaction": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "setfields": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "savedsearch": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "inputlookup": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}, "streamstats": {"last_modified": "2014-09-26T21:45:01", "value_type": "string"}}} --------------------------------------------------------------------------------