The Malware object describes the classification of known malicious software, which is intentionally designed to cause damage to a computer, server, client, or computer network.
- Extends:
_entity
Attributes
Section titled “Attributes”classification_ids
- Type:
integer_t - Requirement: required
- Values:
0-Unknown: The classification is unknown.1-Adware2-Backdoor3-Bot4-Bootkit5-DDOS6-Downloader7-Dropper8-Exploit-Kit9-Keylogger10-Ransomware11-Remote-Access-Trojan13-Resource-Exploitation14-Rogue-Security-Software15-Rootkit16-Screen-Capture17-Spyware18-Trojan19-Virus20-Webshell21-Wiper22-Worm99-Other: The classification is not mapped. See theclassificationsattribute, which contains a data source specific value.
The list of normalized identifiers of the malware classifications.
name
- Type:
string_t - Requirement: recommended
The malware name, as reported by the detection engine.
path
- Type:
file_path_t - Requirement: recommended
The filesystem path of the malware that was observed.
provider
- Type:
string_t - Requirement: recommended
The name or identifier of the security solution or service that provided the malware detection information.
severity_id
- Type:
integer_t - Requirement: recommended
- Values:
0-Unknown: The event/finding severity is unknown.1-Informational: Informational message. No action required.2-Low: The user decides if action is needed.3-Medium: Action is required but the situation is not serious at this time.4-High: Action is required immediately.5-Critical: Action is required immediately and the scope is broad.6-Fatal: An error occurred but it is too late to take remedial action.99-Other: The event/finding severity is not mapped. See theseverityattribute, which contains a data source specific value.
The normalized identifier of the malware severity.
uid
- Type:
string_t - Requirement: recommended
A unique identifier for the specific malware instance, as assigned by the detection engine (e.g., virus signature ID or IPS rule ID).
classifications
- Type:
string_t - Requirement: optional
The list of malware classifications, normalized to the captions of the classification_ids values. In the case of ‘Other’, they are defined by the event source.
cves
- Type:
cve - Requirement: optional
The list of Common Vulnerabilities and Exposures (CVE) identifiers associated with the malware. Reference: CVE
files
- Type:
file - Requirement: optional
The list of file objects representing files that were identified as infected by the malware.
num_infected
- Type:
integer_t - Requirement: optional
The number of files that were identified to be infected by the malware.
severity
- Type:
string_t - Requirement: optional
The severity of the malware, normalized to the captions of the severity_id values. In the case of ‘Other’, they are defined by the event source.
Constraints
Section titled “Constraints”At least one of: name, uid
Used By
Section titled “Used By”account_changeadmin_group_queryairborne_broadcast_activityapi_activityapplication_errorapplication_lifecycleapplication_security_posture_findingauthenticationauthorize_sessionbase_eventcloud_resources_inventory_infocompliance_findingconfig_statedata_security_findingdatastore_activitydetection_findingdevice_config_state_changedhcp_activitydns_activitydrone_flights_activityemail_activityemail_file_activityemail_url_activityentity_managementevent_log_actvityevidence_infofile_activityfile_hostingfile_queryfile_remediation_activityfolder_queryftp_activitygroup_managementhttp_activityiam_analysis_findingincident_findinginventory_infojob_querykernel_activitykernel_extension_activitykernel_object_querymemory_activitymodule_activitymodule_querynetwork_activitynetwork_connection_querynetwork_file_activitynetwork_remediation_activitynetworks_queryntp_activityosint_inventory_infopatch_stateperipheral_activityperipheral_device_queryprocess_activityprocess_queryprocess_remediation_activityrdp_activityremediation_activityscan_activityscheduled_job_activityscript_activitysecurity_findingservice_querysession_querysmb_activitysoftware_infossh_activitystartup_item_querytunnel_activityuser_accessuser_inventoryuser_queryvulnerability_findingweb_resource_access_activityweb_resources_activitywin/prefetch_querywin/registry_key_activitywin/registry_key_querywin/registry_value_activitywin/registry_value_querywin/windows_resource_activitywin/windows_service_activity