Partner McAfee Threat Intelligence Exchange (Latest)

McAfee Threat Intelligence Exchange (TIE) shares local threat reputations to close the gap from encounter to containment

McAfee Threat Intelligence Exchange shares and exchanges emerging threat data instantly, operationalizing intelligence sharing and encouraging rapid response across your endpoint, gateway, network, and data center security solutions in real time. Making the most of locally generated intelligence and McAfee Global Threat Intelligence, it continually assesses evolving reputations. As reputations change, updates are distributed over the Data Exchange Layer immediately, allowing security solutions from any vendor to operate as one, exchanging and acting on shared intelligence.


As the first service over the Data Exchange Layer, TIE has the most extensive integration ecosystem. Many McAfee and industry products consume updated reputations and then take action, or send TIE changes to reputations, for example when a sandbox convicts a file, or a SIEM uses a TIE reputation to score an IOC.




An OpenDXL TIE Python client is available for accessing McAfee Threat Intelligence Exchange information via DXL.

McAfee Threat Intelligence Exchange (TIE)

Version: 0.1

McAfee Threat Intelligence Exchange (TIE) shares local threat reputations to close the gap from encounter to containment.

Solutions

Services

Events

/mcafee/event/tie/cert/repchange

The certificate reputation change event allows for a client to receive notifications when a previously requested certificate reputation has changed. Subscribing to this event avoids having to periodically check for updated reputations.

payload: object

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "sha1",
"value": "X/1fNllXfncgp4Sx0qgRnYB5Klg="
}
]
,
"newReputations": {
"props": {
"serverTime": 1487856678
}
,
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 99
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
}
,
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
}
,
"oldReputations": {
"props": {
"serverTime": 1487856678
}
,
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 0
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
}
,
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
}
,
"publicKeySha1": "qi4bD+Y7VI1abbYyLjJLUAi2+Zg=",
"updateTime": 1409851328
}
oldReputations: Old Reputations Object
newReputations: New Reputations Object
hashes: Hashes Object
publicKeySha1: Public Key SHA1 Property
updateTime: Update Time Property

/mcafee/event/tie/file/detection

The file detection event allows a client to receive notifications when a client takes an action on a file. Subscribing to this event allows consumers to be notified about files that have been convicted.

payload:

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"detectionTime": 1402617156,
"hashes": [
{
"type": "md5",
"value": "CZnbhOFq32TBWnuAOUhLMw=="
},
{
"type": "sha1",
"value": "7vZcAfgW1DgH2WrHY5A3h14Fbks="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
,
"localReputation": 1,
"remediationAction": 5
}
remediationAction: integer

A numeric value indicating the type of remediation that occurred in response to the detection. See remediation types table in the TIE SDK.

localReputation: integer

The local reputation determined for the file that triggered the detection. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.

detectionTime: integer

The time the detection occurred (Epoch time).

/mcafee/event/tie/file/firstinstance

The file first instance event allows a client to receive notifications when a file is first reported (a reputation is requested for the file) by any client. Subscribing to this event allows a client to follow new files seen in the environment.

payload: object

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"hashes": [
{
"type": "sha1",
"value": "0wzjHGXydh+ijtstLjkl1CkZgqU="
},
{
"type": "md5",
"value": "FvdpvB03zBTjCTuYgc8WkQ=="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
}
hashes: Hashes Object
agentGuid: string

The GUID of the system where the first instance of the file was found.

/mcafee/event/tie/file/prevalence

The file prevalence change event allows a client to receive notifications when the file prevalence (number of different agents that have asked for the file reputation) changes. Subscribing to this event allows a client to follow the progress of the spread of the file.

payload:

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agentFirstReference": 1392320769,
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"enterpriseCount": 125,
"hashes": [
{
"type": "sha1",
"value": "0wzjHGXydh+ijtstLjkl1CkZgqU="
},
{
"type": "md5",
"value": "FvdpvB03zBTjCTuYgc8WkQ=="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
,
"prevalent": false
}
agentFirstReference: integer

Epoch time for the first reputation request by the agent that changed the file prevalence.

enterpriseCount: integer

Total number of agents that have asked for the reputation of the file at least once. The minimum value for this attribute is 1.

prevalent: boolean

"true" if the file is considered prevalent in the Enterprise or "false" otherwise. Once TIE generates the event with prevalent = true it will no longer send prevalence change events for this file.

/mcafee/event/tie/file/repchange

The file reputation change event allows for a client to receive notifications when a previously requested file reputation has changed. Subscribing to this event avoids having to periodically check for updated reputations.

payload: object

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "md5",
"value": "bQvLG6j1WmwRB8LZ2gPa1w=="
},
{
"type": "sha1",
"value": "OxbrjQd0H6+3meBW5YuBoInTcqM="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
,
"newReputations": {
"props": {
"serverTime": 1409851328
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
}
,
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 85
},
{
"attributes": {
"2120340": "2139160704"
}
,
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
}
,
"oldReputations": {
"props": {
"serverTime": 1409851328
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
}
,
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 0
},
{
"attributes": {
"2120340": "2139160704"
}
,
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
}
,
"relationships": {
"certificate": {
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
]
}
}
,
"updateTime": 1409851328
}
oldReputations: Old Reputations Object
newReputations: New Reputations Object
hashes: Hashes Object
updateTime: Update Time Property
relationships: object

Contains information regarding the certificate associated with this file (if such a relationship exists).

certificate: object
hashes: Hashes Object

/mcafee/event/tie/file/repchange/broadcast

The file reputation change broadcast event allows a client to receive notifications when any file reputation has changed. Subscribing to this event allows a client to follow reputation changes on all files.

payload: object

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "md5",
"value": "bQvLG6j1WmwRB8LZ2gPa1w=="
},
{
"type": "sha1",
"value": "OxbrjQd0H6+3meBW5YuBoInTcqM="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
,
"newReputations": {
"props": {
"serverTime": 1409851328
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
}
,
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 85
},
{
"attributes": {
"2120340": "2139160704"
}
,
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
}
,
"oldReputations": {
"props": {
"serverTime": 1409851328
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
}
,
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 0
},
{
"attributes": {
"2120340": "2139160704"
}
,
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
}
,
"updateTime": 1409851328
}
oldReputations: Old Reputations Object
newReputations: New Reputations Object
hashes: Hashes Object
updateTime: Update Time Property
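A consumer of the repchange events above usually wants two things: the base64 hashes as hex for matching in other tools, and the per-provider difference between oldReputations and newReputations. The following is an added example, not code from the OpenDXL TIE client; the function names and the triage threshold are assumptions, the trust-level names follow the client's TrustLevel constants, and the second event is constructed.

```python
import base64

# Numeric trust levels and names as defined by the OpenDXL TIE client (TrustLevel).
TRUST_LEVELS = {
    100: "KNOWN_TRUSTED_INSTALLER", 99: "KNOWN_TRUSTED", 85: "MOST_LIKELY_TRUSTED",
    70: "MIGHT_BE_TRUSTED", 50: "UNKNOWN", 30: "MIGHT_BE_MALICIOUS",
    15: "MOST_LIKELY_MALICIOUS", 1: "KNOWN_MALICIOUS", 0: "NOT_SET",
}
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}


def hashes_to_hex(hashes):
    """Decode a 'hashes' list into {type: hex}; reject unknown types and bad lengths."""
    out = {}
    for entry in hashes:
        raw = base64.b64decode(entry["value"], validate=True)
        expected = DIGEST_BYTES.get(entry["type"])
        if expected is None or len(raw) != expected:
            raise ValueError("unexpected %s digest of %d bytes" % (entry["type"], len(raw)))
        out[entry["type"]] = raw.hex()
    return out


def _by_provider(block):
    # Map providerId -> trustLevel for one of oldReputations / newReputations.
    return {r["providerId"]: r["trustLevel"] for r in block.get("reputations", [])}


def reputation_changes(event):
    """List the providers whose trustLevel differs between old and new reputations."""
    old = _by_provider(event.get("oldReputations", {}))
    new = _by_provider(event.get("newReputations", {}))
    changes = []
    for provider in sorted(set(old) | set(new)):
        before, after = old.get(provider, 0), new.get(provider, 0)
        if before == after:
            continue
        if after == 0:
            direction = "cleared"
        elif before == 0:
            direction = "set"
        elif after < before:
            direction = "downgraded"
        else:
            direction = "upgraded"
        changes.append({"providerId": provider, "old": before, "new": after,
                        "direction": direction,
                        "label": TRUST_LEVELS.get(after, "UNLISTED")})
    return changes


def needs_triage(event, threshold=30):
    """True when a changed reputation is set and at or below the threshold (assumed: 30)."""
    return any(c["new"] != 0 and c["new"] <= threshold for c in reputation_changes(event))


# The file repchange payload shown on this page, with 'attributes' and 'props' left out.
PAGE_EVENT = {
    "hashes": [
        {"type": "md5", "value": "bQvLG6j1WmwRB8LZ2gPa1w=="},
        {"type": "sha1", "value": "OxbrjQd0H6+3meBW5YuBoInTcqM="},
        {"type": "sha256", "value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="},
    ],
    "newReputations": {"reputations": [
        {"createDate": 1409783001, "providerId": 3, "trustLevel": 85},
        {"createDate": 1409783001, "providerId": 1, "trustLevel": 99}]},
    "oldReputations": {"reputations": [
        {"createDate": 1409783001, "providerId": 3, "trustLevel": 0},
        {"createDate": 1409783001, "providerId": 1, "trustLevel": 99}]},
    "updateTime": 1409851328,
}

# Constructed event: provider 3 moves the same file from 85 down to 1.
CONSTRUCTED_DOWNGRADE = {
    "hashes": PAGE_EVENT["hashes"],
    "newReputations": {"reputations": [{"providerId": 3, "trustLevel": 1}]},
    "oldReputations": {"reputations": [{"providerId": 3, "trustLevel": 85}]},
}

if __name__ == "__main__":
    for name, event in (("page", PAGE_EVENT), ("constructed", CONSTRUCTED_DOWNGRADE)):
        print(name, hashes_to_hex(event["hashes"])["sha1"],
              reputation_changes(event), needs_triage(event))
```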

Requests

/mcafee/service/tie/cert/agents

The certificate first references operation flow allows for a client to receive a data bundle from TIE Server containing a list of agents that made the first reference to a particular certificate.

payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
]
,
"publicKeySha1": "3lHcG/IeSgU/EhzBvMOzZSyRBZg=",
"queryLimit": 100
}
queryLimit: integer

The maximum number of systems to return. The default is 100; the allowed range is 1 to 5000.

publicKeySha1: Public Key SHA1 Property

payload: object

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agents": [
{
"agentGuid": "{66c5d2c6-e959-11e3-baeb-005056c00008}",
"date": 1402676072
},
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"date": 1402676078
},
{
"agentGuid": "{86c5d2c6-e959-11e3-baeb-005056c00067}",
"date": 1402676082
}
]
,
"totalCount": 3
}
totalCount: integer

The total count of systems that have referenced this file (First references)

agents: object[]

List of agents.

object
date: integer
agentGuid: Agent GUID Property

/mcafee/service/tie/cert/reputation

The certificate reputation service operation flow allows for a client to receive certificate reputation information on demand. Invoking this service method from a client will also cause the TIE Server to automatically include that client when broadcasting certificate reputation events in the future.

payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
]
,
"publicKeySha1": "3lHcG/IeSgU/EhzBvMOzZSyRBZg="
}

payload: object

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"overridden": {
"files": [
{
"hashes": [
{
"type": "md5",
"value": "CTWz2oVIu0RisXjZnCG4cA=="
},
{
"type": "sha1",
"value": "FHHwTNDzxzt+YqcdCGk8MGVKVV8="
},
{
"type": "sha256",
"value": "RjU4pJdE+gXo0LH4pRwO/4B4vjSSS1kvgriSJ+IwWAo="
}
]
},
{
"hashes": [
{
"type": "md5",
"value": "2LB7JR27x99WGbxm68kxcg=="
},
{
"type": "sha256",
"value": "mjeiJBg+iAcXbRwOyFYMwj10AQFjyA/YP+N0oP91cLI="
}
]
}
]
,
"truncated": 0
}
,
"props": {
"serverTime": 1396655764,
"submitMetaData": 1
}
,
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 99
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
}
,
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
}
reputations: object[]
object
providerId: integer

The identifier for the particular "provider" that provided the reputation. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: FileProvider and CertProvider

createDate: integer

The time this reputation was created (Epoch time).

trustLevel: integer

The trust level for the reputation subject (file, certificate, etc.). See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.

attributes: object

A provider-specific set of attributes as a JSON dictionary.

string
props: object
submitMetaData: Submit Metadata Property
serverTime: Server Time Property
overridden: object

Included if there are files signed with this certificate and for which an override (Enterprise) reputation is set.

files: object[]

List of files signed with this certificate and for which an override (Enterprise) reputation is set. This list will contain one entry for each file with overrides. If there are too many files, then the list will be populated with as many

truncated: integer

If set to 1 this means that the list of overridden files has been truncated as there were too many files to report. There could be files with overrides and that are not present in the list of files in this message. If set to 0 this means that the list of overridden files is complete and there are no other files signed with this certificate and for which an override (Enterprise) reputation is set.

/mcafee/service/tie/cert/update_metadata

The Certificate Update Metadata service allows clients to provide additional contextual information about a certificate. The request will include details which will assist the security admin in their threat analysis activities.

payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"algorithm": "sha1RSA",
"contentVersion": "47850746040811521",
"hashes": [
{
"type": "sha1",
"value": "npN587OCHVtutV0Tu3VWiG29uOc="
}
]
,
"issuer": "Microsoft Windows Verification PCA",
"issuerDN": "CN=Microsoft Windows Verification PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"issuerPublicKeySha1": "KxfRYCjaN34LrVZGgVqX6WlorWE=",
"issuerSha1": "XfDXVxsHgHg5YMaLeFcf/X7a8CE=",
"productEnforcing": 1,
"publicKeySha1": "qKEUVpy1IfEloPPnGq+eeNFrKIM=",
"ruleEnforcing": 1,
"serialNumber": "YRU0ZAAAAAAADA==",
"subject": "CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"subjectName": "Microsoft Windows",
"validFrom": 1260223064,
"validTo": 1299535064
}
publicKeySha1: Public Key SHA1 Property
algorithm: string

Certificate's algorithm.

issuerDN: string

Distinguished Name of the certificate's Issuer.

issuerPublicKeySha1: Public Key SHA1 Property
serialNumber: string

Serial Number of the certificate.

subjectName: string

Subject of the certificate.

validFrom: integer

Certificate's valid From date (long value).

validTo: integer

Certificate's valid To date (long value)

contentVersion: string

The major and minor versions of the content. Representation of major,minor,subminor,build in Little Endian format.

productEnforcing: boolean

Whether the client is running in Enforcement mode.

ruleEnforcing: boolean

Whether the rule was enforced or not (1 for enforced and 0 for not).

subject: string

Distinguished Name of the certificate.

issuer: string

Name of the certificate's Issuer.

issuerSha1: Public Key SHA1 Property

No response will be provided by the TIE server.

/mcafee/service/tie/file/agents

The file first references operation flow allows for a client to receive a data bundle from TIE Server containing a list of agents that made the first reference to a particular file.

payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "sha1",
"value": "8nG/TX+SLaCjQjLw6xwWZZX6kI4="
}
]
,
"queryLimit": 5000
}
queryLimit: integer

The maximum number of systems to return. The default is 100; the allowed range is 1 to 5000.

payload: object

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agents": [
{
"agentGuid": "{66c5d2c6-e959-11e3-baeb-005056c00008}",
"date": 1402676072
},
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"date": 1402676078
},
{
"agentGuid": "{86c5d2c6-e959-11e3-baeb-005056c00067}",
"date": 1402676082
}
]
,
"totalCount": 3
}
totalCount: integer

The total count of systems that have referenced this file (First references)

agents: object[]

List of agents

object
date: integer
agentGuid: Agent GUID Property

/mcafee/service/tie/file/reputation

The file reputation service operation flow allows for a client to receive file reputation information on demand. Invoking this service queries the TIE Server for the reputations associated with a file identified by any known hash values.

payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"certPublicKeySha1": "qKEUVpy1IfEloPPnGq+eeNFrKIM=",
"certSha1": "npN587OCHVtutV0Tu3VWiG29uOc=",
"fileType": 18,
"hashes": [
{
"type": "sha1",
"value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz601c9VO26cNqWRdcCg=="
}
]
,
"scanType": 1
}
fileType: integer

Encoded file type, used to improve search behaviour (example: "EXE" or "JS"). Providing the file type enables effective down-selection and retention policies. For encoding details, see Encoded File Types in the TIE SDK.

scanType: integer

NOTE: This property is accepted but not currently honored by the current version of TIE Server. The default value is currently always assumed. The type of scan operation to which this report applies.

certSha1: string

NOTE: This property is accepted but will be ignored by the current version of TIE Server. SHA-1 of the certificate signing the file.

payload:

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"props": {
"atdCandidate": 1,
"masterServer": "masterhost;10.111.111.111",
"serverTime": 1392321493,
"submitMetaData": 1
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2101652": "0",
"2102165": "1392320762",
"2111893": "1",
"2114965": "0",
"2123412": "1",
"2123668": "26",
"2123924": "100",
"2124180": "99",
"2124436": "98",
"2124692": "72",
"2124948": "61",
"2125204": "44",
"2125460": "12",
"2125716": "44"
}
,
"createDate": 1392320762,
"providerId": 3,
"trustLevel": 0
},
{
"createDate": 1392321493,
"providerId": 1,
"trustLevel": 0
}
]
}
props: object
submitMetaData: Submit Metadata Property
atdCandidate: integer

Optional; sent only when ATD is enabled and the file is an ATD candidate. When this flag is set to 1, the TIE server is requesting that the client submit the file sample for sandboxing.

masterServer: string

Hostname and IP of the TIE Server. Only present when atdCandidate is present. This is the server that should be used by the clients to submit the file sample for sandboxing.

/mcafee/service/tie/file/update_metadata

The File Update Metadata service allows clients to provide additional contextual information about a file. The request will include details which will assist the security admin in their threat analysis activities. Metadata also includes information about file detections, relationships with other files and certificates, and details which could be used by other clients to enhance their defense.

payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"actorLocalRep": 0,
"actorSha1": null,
"agentGuid": "testGuid",
"caRep": 0,
"certIssuer": null,
"certPublicKeySha1": null,
"certSha1": null,
"certSubject": null,
"companyName": null,
"contentVersion": "47850746040811521",
"detectionName": null,
"detectionType": 0,
"fileType": 16,
"hashes": [
{
"type": "sha256",
"value": "cgF66fVGT1CMxZG2BfWrcDd1ws2BzWCU619XEOj3uCo="
},
{
"type": "sha1",
"value": "5tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz501c9VO24cNqWRdcCg=="
}
]
,
"jtiAvProductId": "28600",
"localRep": 85,
"localRepRuleId": 0,
"name": "Notepad++.exe",
"objectType": 1,
"osVersion": "25769803777",
"parentLocalRep": 0,
"parentSha1": null,
"path": "C:\\Users\\Administrator\\Desktop\\Notepad++\\Notepad++.exe",
"prePromptLocalRep": 50,
"productEnforcing": 1,
"productName": "Sample",
"productVersion": "6.1.7601.18128",
"profilerFlags": "465:1a200;5a5:20;6a5:414c2700;765:41e4bd80;865:fffffffc;965:3;a65:0;b65:0;c65:0;e65:2024842;f65:10a4640;1065:5;1165:69;1265:6;1365:0;1465:5c00;1565:2a0;1665:e0;17a5:101000;19a5:1",
"remediation": 0,
"ruleEnforcing": 1,
"scanType": 1,
"signedBits": 0,
"size": 107008,
"userPrompted": 1,
"version": 22,
"vseContentVersion": "12345",
"vseDetectionName": "TestVseDetection",
"vseDetectionType": 2,
"vseProductId": 25,
"vseRemediation": 20,
"vseSuppressed": false
}
scanType: integer

NOTE: This property is accepted but not currently honored by the current version of TIE Server. The default value is currently always assumed. The type of scan operation to which this report applies.

agentGuid: Agent GUID Property
name: string

UTF-8 encoded name of the file. TIE Server will store filenames up to a configurable limit (default value: 500).

size: integer

File size in bytes.

path: string

UTF-8 encoded path of the file. TIE Server will store file paths up to a configurable limit (default value: 500).

version: string

File version.

fileType: integer

(X) File type of a given file: driver, dll, exe or non-PE.

signedBits: integer
companyName: string

UTF-8 encoded name of the publisher of the file.

profilerFlags: string

Profiler attributes.

certIssuer: string

Issuer of the signing certificate.

certSubject: string

Subject of the signing certificate.

productName: string

UTF-8 encoded name of the product corresponding to the file (as extracted from the binary’s version info).

productVersion: string

UTF-8 encoded version string of the application corresponding to the file.

objectType: integer

The type of object being reported upon. Currently supported types are 1 (File), which is the default if omitted, and 4 (Process). TIE will not keep aggregate local reputation data reported for processes, only for files.

localRep: integer

Local reputation for the file.

parentLocalRep: integer

Reputation of the main executable of the process that created the file.

prePromptLocalRep: integer

Pre-prompt local reputation of the file.

localRepRuleId: integer
parentSha1: string

"SHA-1" of the main executable of the process that created the file being reported.

osVersion: string

OS version that the file was found on. Representation of major and minor in Little Endian format.

actorLocalRep: integer
caRep: string

Reputation of the Certificate Authority (CA).

contentVersion: string

The major and minor versions of the content. Representation of major,minor,subminor,build in Little Endian format.

productEnforcing: boolean

Whether the client is running in Enforcement mode.

ruleEnforcing: boolean

Whether the rule was enforced or not (1 for enforced and 0 for not).

jtiAvProductId: string

Product Id of the client.

userPrompted: boolean

Whether the user was prompted or not (1 for prompted and 0 for not).

detectionType: integer

Detection type.

detectionName: string

Detection name from the detecting product.

certSha1: string

Base 64 encoding of the SHA-1 of the certificate signing the file.

certPublicKeySha1: Public Key SHA1 Property
actorSha1: string

Base 64 encoding of the "SHA-1" hash of the primary actor. This is the main process that loaded the file/process being reported on.

remediation: integer

Indicates that a detection has occurred and provides the action applied. See remediation types table in the TIE SDK.

No response will be provided by the TIE server.

/mcafee/service/tie/reputation/updates

The reputation update operation flow allows for a client to receive a data bundle from TIE Server containing all reputations that have changed in a given time period.

payload: object

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"queryLimit": 300,
"sinceTime": 1402612347,
"targetTypes": {
"cert": "sha1",
"file": "sha256"
}
,
"targeted": true
}
sinceTime: integer

The timestamp (epoch time - in seconds) to retrieve changed reputations from. It is strongly recommended that this is set to the value returned in the serverTime property of the response to the latest reputation request. Note that both File and Certificate reputation requests will return the server time in the response.

queryLimit: integer

The max number of reputations to return (Allowed values: 1-5000). If omitted this defaults to a configurable parameter by server or 100 if the server parameter is unconfigured.

targeted: boolean

When set to true the server will include only items that the consumer has previously requested reputations for or that are prevalent. If omitted this defaults to a configurable parameter by server or False if unconfigured.

targetTypes: object

Types of reputation subjects to include in the response, along with the hash type to return for each subject. If "targetTypes" is omitted, TIE will include both files and certificates in the response and will default to the backwards-compatible behavior: it will return the SHA1 hash for certificates, and for files it will return the SHA1 hash if available, else the MD5 or the SHA256, in this order.

file: string

Possible values are "sha1", "md5", "sha256".

cert: string

Possible values are "sha1".

payload: object

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"certificateHashes": [
{
"type": "sha1",
"value": "ERD6shE0rp1D+F3rUdrKLH/Wuet="
}
]
,
"fileHashes": [
{
"type": "sha1",
"value": "ESK6sSE0rp1D+F3K9xrKLH/Wuaw="
},
{
"type": "sha1",
"value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz601c9VO26cNqWRdcCg=="
}
]
,
"latestUpdateTime": 1402602516,
"props": {
"queryLimitExceeded": true,
"serverTime": 1518720115
}
}
fileHashes: object[]

This is included only if "file" is a selected subject type or when using default options. Together, this and certificateHashes will contain at most as many entries as the queryLimit provided, or the server default if no limit was specified. For targeted requests, only prevalent items or items for which the invoker has previously issued a reputation request will be included. Note that only one hash for each updated file will be included in this response. The hash included will depend on the available hashes for the given file and on the value of the "targetTypes"."file" attribute.

certificateHashes: object[]

This is included only if "cert" is a selected subject type or when using default options. Together, this and fileHashes will contain at most as many entries as the queryLimit provided, or the server default if no limit was specified.

latestUpdateTime: integer

The epoch time of the latest update amongst the hashes listed.

props: object

Will be present when there are more updates in the server than the provided queryLimit.

serverTime: integer

Will be present and set to the current server epoch time in seconds if there are more updates in the server than the provided queryLimit.

queryLimitExceeded: integer

Will be present and set to "true" if there are more updates in the server than the provided queryLimit.
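The request and response above imply a polling loop: validate the request against the documented ranges, then keep asking while props.queryLimitExceeded is set. The following is an added example, not code from the OpenDXL TIE client. It assumes that the next sinceTime can be taken from latestUpdateTime and that the server treats sinceTime inclusively; `send` is a hypothetical callable standing in for the DXL request, and `fake_send` with its placeholder hash values is constructed.

```python
ALLOWED_TARGET_TYPES = {"file": {"sha1", "md5", "sha256"}, "cert": {"sha1"}}
MAX_QUERY_LIMIT = 5000


def build_updates_request(since_time, query_limit=100, targeted=True, target_types=None):
    """Build a reputation/updates payload, enforcing the documented value ranges."""
    if not 1 <= query_limit <= MAX_QUERY_LIMIT:
        raise ValueError("queryLimit must be between 1 and 5000")
    request = {"sinceTime": int(since_time), "queryLimit": query_limit,
               "targeted": bool(targeted)}
    if target_types is not None:
        for subject, hash_type in target_types.items():
            if hash_type not in ALLOWED_TARGET_TYPES.get(subject, set()):
                raise ValueError("unsupported targetTypes entry %s=%s" % (subject, hash_type))
        request["targetTypes"] = dict(target_types)
    return request


def drain_updates(send, since_time, query_limit=100, max_rounds=20, **options):
    """Request updates until queryLimitExceeded is absent.

    Returns (items, next_since_time); items are (subject, hashType, value) tuples,
    de-duplicated because an inclusive cursor re-reads the boundary second.
    """
    items, keys = [], set()
    cursor, limit = since_time, query_limit
    for _ in range(max_rounds):
        response = send(build_updates_request(cursor, query_limit=limit, **options))
        fresh = 0
        for subject, field in (("file", "fileHashes"), ("cert", "certificateHashes")):
            for entry in response.get(field, []):
                item = (subject, entry["type"], entry["value"])
                if item not in keys:
                    keys.add(item)
                    items.append(item)
                    fresh += 1
        latest = response.get("latestUpdateTime", cursor)
        if not response.get("props", {}).get("queryLimitExceeded"):
            return items, max(cursor, latest)
        if fresh == 0 and latest <= cursor:
            # A full page of already-seen items at one timestamp: widen the page.
            if limit >= MAX_QUERY_LIMIT:
                raise RuntimeError("more than 5000 updates share one timestamp")
            limit = min(limit * 2, MAX_QUERY_LIMIT)
        cursor = max(cursor, latest)
    raise RuntimeError("gave up after %d requests" % max_rounds)


# Constructed sample data: (updateTime, subject, hashType, placeholder value).
CONSTRUCTED_UPDATES = [
    (1000, "file", "sha256", "AAAA"),
    (1001, "file", "sha256", "BBBB"),
    (1001, "cert", "sha1", "CCCC"),
    (1002, "file", "sha256", "DDDD"),
    (1005, "file", "sha256", "EEEE"),
]


def fake_send(request):
    """Constructed stand-in for the TIE server; ignores targeted and targetTypes."""
    matching = [u for u in CONSTRUCTED_UPDATES if u[0] >= request["sinceTime"]]
    page = matching[:request["queryLimit"]]
    response = {
        "fileHashes": [{"type": t, "value": v} for _, s, t, v in page if s == "file"],
        "certificateHashes": [{"type": t, "value": v} for _, s, t, v in page if s == "cert"],
    }
    if page:
        response["latestUpdateTime"] = page[-1][0]
    if len(matching) > len(page):
        response["props"] = {"queryLimitExceeded": True, "serverTime": 2000}
    return response


if __name__ == "__main__":
    print(drain_updates(fake_send, 1000, query_limit=2))
```

With a queryLimit of 2 the constructed data stalls on the two updates that share timestamp 1001, which is the case the page-widening branch handles.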

Definitions

Agent GUID Property: string

Agent GUID in standard format of the system.

Certificate First References Request Payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
]
,
"publicKeySha1": "3lHcG/IeSgU/EhzBvMOzZSyRBZg=",
"queryLimit": 100
}
queryLimit: integer

The maximum number of systems to return. The default is 100; the allowed range is 1 to 5000.

publicKeySha1: Public Key SHA1 Property

Certificate First References Response Payload: object

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agents": [
{
"agentGuid": "{66c5d2c6-e959-11e3-baeb-005056c00008}",
"date": 1402676072
},
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"date": 1402676078
},
{
"agentGuid": "{86c5d2c6-e959-11e3-baeb-005056c00067}",
"date": 1402676082
}
]
,
"totalCount": 3
}
totalCount: integer

The total count of systems that have referenced this file (First references)

agents: object[]

List of agents.

object
date: integer
agentGuid: Agent GUID Property

Certificate Reputation Change Event Payload: object

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "sha1",
"value": "X/1fNllXfncgp4Sx0qgRnYB5Klg="
}
]
,
"newReputations": {
"props": {
"serverTime": 1487856678
}
,
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 99
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
}
,
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
}
,
"oldReputations": {
"props": {
"serverTime": 1487856678
}
,
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 0
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
}
,
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
}
,
"publicKeySha1": "qi4bD+Y7VI1abbYyLjJLUAi2+Zg=",
"updateTime": 1409851328
}
oldReputations: Old Reputations Object
newReputations: New Reputations Object
hashes: Hashes Object
publicKeySha1: Public Key SHA1 Property
updateTime: Update Time Property

Certificate Reputation Request Payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
]
,
"publicKeySha1": "3lHcG/IeSgU/EhzBvMOzZSyRBZg="
}

Certificate Reputation Response Payload: object

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"overridden": {
"files": [
{
"hashes": [
{
"type": "md5",
"value": "CTWz2oVIu0RisXjZnCG4cA=="
},
{
"type": "sha1",
"value": "FHHwTNDzxzt+YqcdCGk8MGVKVV8="
},
{
"type": "sha256",
"value": "RjU4pJdE+gXo0LH4pRwO/4B4vjSSS1kvgriSJ+IwWAo="
}
]
},
{
"hashes": [
{
"type": "md5",
"value": "2LB7JR27x99WGbxm68kxcg=="
},
{
"type": "sha256",
"value": "mjeiJBg+iAcXbRwOyFYMwj10AQFjyA/YP+N0oP91cLI="
}
]
}
]
,
"truncated": 0
}
,
"props": {
"serverTime": 1396655764,
"submitMetaData": 1
}
,
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 99
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
}
,
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
}
reputations: object[]
object
providerId: integer

The identifier for the particular "provider" that provided the reputation. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: FileProvider and CertProvider

createDate: integer

The time this reputation was created (Epoch time).

trustLevel: integer

The trust level for the reputation subject (file, certificate, etc.). See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.

attributes: object

A provider-specific set of attributes as a JSON dictionary.

string
props: object
submitMetaData: Submit Metadata Property
serverTime: Server Time Property
overridden: object

Included if there are files signed with this certificate and for which an override (Enterprise) reputation is set.

files: object[]

List of files signed with this certificate and for which an override (Enterprise) reputation is set. This list will contain one entry for each file with overrides. If there are too many files, then the list will be populated with as many

truncated: integer

If set to 1, the list of overridden files has been truncated because there were too many files to report; there could be files with overrides that are not present in the list of files in this message. If set to 0, the list of overridden files is complete and there are no other files signed with this certificate for which an override (Enterprise) reputation is set.

Certificate Update Metadata Request Payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"algorithm": "sha1RSA",
"contentVersion": "47850746040811521",
"hashes": [
{
"type": "sha1",
"value": "npN587OCHVtutV0Tu3VWiG29uOc="
}
]
,
"issuer": "Microsoft Windows Verification PCA",
"issuerDN": "CN=Microsoft Windows Verification PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"issuerPublicKeySha1": "KxfRYCjaN34LrVZGgVqX6WlorWE=",
"issuerSha1": "XfDXVxsHgHg5YMaLeFcf/X7a8CE=",
"productEnforcing": 1,
"publicKeySha1": "qKEUVpy1IfEloPPnGq+eeNFrKIM=",
"ruleEnforcing": 1,
"serialNumber": "YRU0ZAAAAAAADA==",
"subject": "CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"subjectName": "Microsoft Windows",
"validFrom": 1260223064,
"validTo": 1299535064
}
publicKeySha1: Public Key SHA1 Property
algorithm: string

Certificate's algorithm.

issuerDN: string

Distinguished Name of the certificate's Issuer.

issuerPublicKeySha1: Public Key SHA1 Property
serialNumber: string

Serial Number of the certificate.

subjectName: string

Subject of the certificate.

validFrom: integer

Certificate's valid From date (long value).

validTo: integer

Certificate's valid To date (long value).

contentVersion: string

The major and minor versions of the content. Representation of major, minor, subminor, build in Little Endian format.

productEnforcing: boolean

Whether the client is running in Enforcement mode.

ruleEnforcing: boolean

Whether the rule was enforced or not (1 for enforced and 0 for not).

subject: string

Distinguished Name of the certificate.

issuer: string

Name of the certificate's Issuer.

issuerSha1: Public Key SHA1 Property

File Detection Event Payload:

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"detectionTime": 1402617156,
"hashes": [
{
"type": "md5",
"value": "CZnbhOFq32TBWnuAOUhLMw=="
},
{
"type": "sha1",
"value": "7vZcAfgW1DgH2WrHY5A3h14Fbks="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
,
"localReputation": 1,
"remediationAction": 5
}
remediationAction: integer

A numeric value indicating the type of remediation that occurred in response to the detection. See remediation types table in the TIE SDK.

localReputation: integer

The local reputation determined for the file that triggered the detection. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.

detectionTime: integer

The time the detection occurred (Epoch time).

File First Instance Event Payload: object

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"hashes": [
{
"type": "sha1",
"value": "0wzjHGXydh+ijtstLjkl1CkZgqU="
},
{
"type": "md5",
"value": "FvdpvB03zBTjCTuYgc8WkQ=="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
}
hashes: Hashes Object
agentGuid: string

The GUID of the system where the first instance of the file was found.

File First References Request Payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "sha1",
"value": "8nG/TX+SLaCjQjLw6xwWZZX6kI4="
}
]
,
"queryLimit": 5000
}
queryLimit: integer

The maximum number of systems to return. The default is 100; allowed values range from 1 to 5000.

File First References Response Payload: object

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agents": [
{
"agentGuid": "{66c5d2c6-e959-11e3-baeb-005056c00008}",
"date": 1402676072
},
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"date": 1402676078
},
{
"agentGuid": "{86c5d2c6-e959-11e3-baeb-005056c00067}",
"date": 1402676082
}
]
,
"totalCount": 3
}
totalCount: integer

The total count of systems that have referenced this file (First references).

agents: object[]

List of agents

object
date: integer
agentGuid: Agent GUID Property

File Prevalence Event Payload:

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"agentFirstReference": 1392320769,
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"enterpriseCount": 125,
"hashes": [
{
"type": "sha1",
"value": "0wzjHGXydh+ijtstLjkl1CkZgqU="
},
{
"type": "md5",
"value": "FvdpvB03zBTjCTuYgc8WkQ=="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
,
"prevalent": false
}
agentFirstReference: integer

Epoch time for the first reputation request by the agent that changed the file prevalence.

enterpriseCount: integer

Total number of agents that have asked for the reputation of the file at least once. The minimum value for this attribute is 1.

prevalent: boolean

"true" if the file is considered prevalent in the Enterprise or "false" otherwise. Once TIE generates the event with prevalent = true it will no longer send prevalence change events for this file.

File Reputation Change Broadcast Event Payload: object

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "md5",
"value": "bQvLG6j1WmwRB8LZ2gPa1w=="
},
{
"type": "sha1",
"value": "OxbrjQd0H6+3meBW5YuBoInTcqM="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
,
"newReputations": {
"props": {
"serverTime": 1409851328
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
}
,
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 85
},
{
"attributes": {
"2120340": "2139160704"
}
,
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
}
,
"oldReputations": {
"props": {
"serverTime": 1409851328
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
}
,
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 0
},
{
"attributes": {
"2120340": "2139160704"
}
,
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
}
,
"updateTime": 1409851328
}
oldReputations: Old Reputations Object
newReputations: New Reputations Object
hashes: Hashes Object
updateTime: Update Time Property

File Reputation Change Event Payload: object

For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"hashes": [
{
"type": "md5",
"value": "bQvLG6j1WmwRB8LZ2gPa1w=="
},
{
"type": "sha1",
"value": "OxbrjQd0H6+3meBW5YuBoInTcqM="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
,
"newReputations": {
"props": {
"serverTime": 1409851328
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
}
,
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 85
},
{
"attributes": {
"2120340": "2139160704"
}
,
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
}
,
"oldReputations": {
"props": {
"serverTime": 1409851328
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
}
,
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 0
},
{
"attributes": {
"2120340": "2139160704"
}
,
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
}
,
"relationships": {
"certificate": {
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
]
}
}
,
"updateTime": 1409851328
}
oldReputations: Old Reputations Object
newReputations: New Reputations Object
hashes: Hashes Object
updateTime: Update Time Property
relationships: object

Contains information regarding the certificate associated with this file (if such a relationship exists).

certificate: object
hashes: Hashes Object

File Reputation Request Payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"certPublicKeySha1": "qKEUVpy1IfEloPPnGq+eeNFrKIM=",
"certSha1": "npN587OCHVtutV0Tu3VWiG29uOc=",
"fileType": 18,
"hashes": [
{
"type": "sha1",
"value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz601c9VO26cNqWRdcCg=="
}
]
,
"scanType": 1
}
fileType: integer

Encoded file type, used to improve search behaviour (example: "EXE" or "JS"). Providing the file type enables effective down-selection and retention policies. For encoding details, see Encoded File Types in the TIE SDK.

scanType: integer

NOTE: This property is accepted but not currently honored by the current version of TIE Server. The default value is currently always assumed. The type of scan operation to which this report applies.

certSha1: string

NOTE: This property is accepted but will be ignored by the current version of TIE Server. SHA-1 of the certificate signing the file.

File Reputation Response Payload:

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"props": {
"atdCandidate": 1,
"masterServer": "masterhost;10.111.111.111",
"serverTime": 1392321493,
"submitMetaData": 1
}
,
"reputations": [
{
"attributes": {
"2098277": "256",
"2101652": "0",
"2102165": "1392320762",
"2111893": "1",
"2114965": "0",
"2123412": "1",
"2123668": "26",
"2123924": "100",
"2124180": "99",
"2124436": "98",
"2124692": "72",
"2124948": "61",
"2125204": "44",
"2125460": "12",
"2125716": "44"
}
,
"createDate": 1392320762,
"providerId": 3,
"trustLevel": 0
},
{
"createDate": 1392321493,
"providerId": 1,
"trustLevel": 0
}
]
}
props: object
submitMetaData: Submit Metadata Property
atdCandidate: integer

Optional. Sent only when ATD is enabled and the file is an ATD candidate. When this flag is set to 1, the TIE server is requesting that the client submit the file sample for sandboxing.

masterServer: string

Hostname and IP of the TIE Server. Only present when atdCandidate is present. This is the server that should be used by the clients to submit the file sample for sandboxing.

File Update Metadata Request Payload:

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"actorLocalRep": 0,
"actorSha1": null,
"agentGuid": "testGuid",
"caRep": 0,
"certIssuer": null,
"certPublicKeySha1": null,
"certSha1": null,
"certSubject": null,
"companyName": null,
"contentVersion": "47850746040811521",
"detectionName": null,
"detectionType": 0,
"fileType": 16,
"hashes": [
{
"type": "sha256",
"value": "cgF66fVGT1CMxZG2BfWrcDd1ws2BzWCU619XEOj3uCo="
},
{
"type": "sha1",
"value": "5tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz501c9VO24cNqWRdcCg=="
}
]
,
"jtiAvProductId": "28600",
"localRep": 85,
"localRepRuleId": 0,
"name": "Notepad++.exe",
"objectType": 1,
"osVersion": "25769803777",
"parentLocalRep": 0,
"parentSha1": null,
"path": "C:\\Users\\Administrator\\Desktop\\Notepad++\\Notepad++.exe",
"prePromptLocalRep": 50,
"productEnforcing": 1,
"productName": "Sample",
"productVersion": "6.1.7601.18128",
"profilerFlags": "465:1a200;5a5:20;6a5:414c2700;765:41e4bd80;865:fffffffc;965:3;a65:0;b65:0;c65:0;e65:2024842;f65:10a4640;1065:5;1165:69;1265:6;1365:0;1465:5c00;1565:2a0;1665:e0;17a5:101000;19a5:1",
"remediation": 0,
"ruleEnforcing": 1,
"scanType": 1,
"signedBits": 0,
"size": 107008,
"userPrompted": 1,
"version": 22,
"vseContentVersion": "12345",
"vseDetectionName": "TestVseDetection",
"vseDetectionType": 2,
"vseProductId": 25,
"vseRemediation": 20,
"vseSuppressed": false
}
scanType: integer

NOTE: This property is accepted but not currently honored by the current version of TIE Server. The default value is currently always assumed. The type of scan operation to which this report applies.

agentGuid: Agent GUID Property
name: string

UTF-8 encoded name of the file. TIE Server will store filenames up to a configurable limit (default value: 500).

size: integer

File size in bytes.

path: string

UTF-8 encoded path of the file. TIE Server will store file paths up to a configurable limit (default value: 500).

version: string

File version.

fileType: integer

(X) File type of a given file: driver, dll, exe or non-PE.

signedBits: integer
companyName: string

UTF-8 encoded name of the publisher of the file.

profilerFlags: string

Profiler attributes.

certIssuer: string

Issuer of the signing certificate.

certSubject: string

Subject of the signing certificate.

productName: string

UTF-8 encoded name of the product corresponding to the file (as extracted from the binary’s version info).

productVersion: string

UTF-8 encoded version string of the application corresponding to the file.

objectType: integer

The type of object being reported upon. Currently supported types are 1 (File), which is the default if omitted, and 4 (Process). TIE will not keep aggregate local reputation data reported for processes, only for files.

localRep: integer

Local reputation for the file.

parentLocalRep: integer

Reputation of the main executable of the process that created the file.

prePromptLocalRep: integer

Pre-prompt local reputation of the file.

localRepRuleId: integer
parentSha1: string

"SHA-1" of the main executable of the process that created the file being reported.

osVersion: string

OS version that the file was found on. Representation of major and minor in Little Endian format.

actorLocalRep: integer
caRep: string

Reputation of the Certificate Authority (CA).

contentVersion: string

The major and minor versions of the content. Representation of major, minor, subminor, build in Little Endian format.

productEnforcing: boolean

Whether the client is running in Enforcement mode.

ruleEnforcing: boolean

Whether the rule was enforced or not (1 for enforced and 0 for not).

jtiAvProductId: string

Product Id of the client.

userPrompted: boolean

Whether the user was prompted or not (1 for prompted and 0 for not).

detectionType: integer

Detection type.

detectionName: string

Detection name from the detecting product.

certSha1: string

Base 64 encoding of the SHA-1 of the certificate signing the file.

certPublicKeySha1: Public Key SHA1 Property
actorSha1: string

Base 64 encoding of the "SHA-1" hash of the primary actor. This is the main process that loaded the file/process being reported on.

remediation: integer

Indicates that a detection has occurred and provides the action applied. See remediation types table in the TIE SDK.

Hash Object: object

Possible hashes are "sha1", "sha256" and "md5". Note: in backwards compatible mode only sha1 and md5 will be provided.

type: string

Base 64 encoding of the hash bytes.

value: string

"sha1", "md5", and "sha256" are currently supported values

Hashes Object: object

Known hashes for the file or certificate. Possible hashes are "sha1", "sha256" and "md5". Note: in backwards compatible mode only sha1 and md5 will be provided. Also the event will only be sent for files for which both sha1 and md5 are known.

hashes: object[]
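The Base 64 hash encoding described above, as an added example (not part of the TIE documentation or the OpenDXL client): converting between the hex digests most tools print and the "hashes" entries used in these payloads, with a length check per hash type. The function names are hypothetical; the sample array is copied from the File Reputation Request example on this page.

```python
import base64

# Digest length in bytes for each hash type the payloads accept.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}


def hex_to_tie(hash_type, hex_digest):
    """Build one {"type", "value"} entry from a hex digest."""
    if hash_type not in DIGEST_BYTES:
        raise ValueError("unsupported hash type: %r" % (hash_type,))
    try:
        raw = bytes.fromhex(hex_digest.strip())
    except ValueError:
        raise ValueError("not a hex digest: %r" % (hex_digest,))
    if len(raw) != DIGEST_BYTES[hash_type]:
        raise ValueError("%s digest must be %d bytes, got %d"
                         % (hash_type, DIGEST_BYTES[hash_type], len(raw)))
    return {"type": hash_type, "value": base64.b64encode(raw).decode("ascii")}


def tie_to_hex(entry):
    """Decode one entry to (type, lowercase hex); reject malformed values."""
    hash_type, value = entry.get("type"), entry.get("value")
    if hash_type not in DIGEST_BYTES or not isinstance(value, str):
        raise ValueError("malformed hash entry: %r" % (entry,))
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("value is not valid Base64: %r" % (value,))
    if len(raw) != DIGEST_BYTES[hash_type]:
        raise ValueError("%s value decodes to %d bytes, expected %d"
                         % (hash_type, len(raw), DIGEST_BYTES[hash_type]))
    return hash_type, raw.hex()


def hashes_to_hex(hashes):
    """Map a "hashes" array to {type: hex}; conflicting duplicates are an error."""
    result = {}
    for entry in hashes:
        hash_type, digest = tie_to_hex(entry)
        if result.setdefault(hash_type, digest) != digest:
            raise ValueError("conflicting %s values" % hash_type)
    return result


# "hashes" array copied from the File Reputation Request sample on this page.
PAGE_SAMPLE = [
    {"type": "sha1", "value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="},
    {"type": "md5", "value": "MQKz601c9VO26cNqWRdcCg=="},
]

if __name__ == "__main__":
    for hash_type, digest in sorted(hashes_to_hex(PAGE_SAMPLE).items()):
        print(hash_type, digest)
```

Rejecting a value whose decoded length does not match its declared type catches the common mistake of sending a hex string, or a digest of the wrong algorithm, in the "value" field.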

New Reputations Object:

The content of this section is identical to the full reputation response message as it stands after the change that triggered the event. All reputation providers are therefore detailed, both the one whose reputation has changed and those for which there has been no actual reputation change.

Old Reputations Object:

The content of this section is identical to the full reputation response message as it stood before the change that triggered the event.
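Because both objects repeat every provider, a consumer has to compare them to find what actually changed. The following added example (not part of the TIE documentation or the OpenDXL client) diffs oldReputations against newReputations per providerId. The function names and the threshold parameter are hypothetical, and a trust level of 0 is treated as "not set", matching TrustLevel.NOT_SET in the OpenDXL TIE client constants.

```python
NOT_SET = 0  # trust level reported when a provider has no reputation set


def by_provider(reputations_obj):
    """Index a Reputations Object as {providerId: trustLevel}."""
    entries = (reputations_obj or {}).get("reputations", [])
    return {entry["providerId"]: entry["trustLevel"] for entry in entries}


def diff_reputations(event):
    """Return the per-provider changes between oldReputations and newReputations."""
    old = by_provider(event.get("oldReputations"))
    new = by_provider(event.get("newReputations"))
    changes = []
    for provider_id in sorted(set(old) | set(new)):
        before = old.get(provider_id, NOT_SET)
        after = new.get(provider_id, NOT_SET)
        if before == after:
            continue  # provider is repeated in the event but did not change
        if before == NOT_SET:
            kind = "set"
        elif after == NOT_SET:
            kind = "cleared"
        else:
            kind = "lowered" if after < before else "raised"
        changes.append({"providerId": provider_id, "old": before,
                        "new": after, "kind": kind})
    return changes


def changes_below(event, threshold):
    """Changes whose new trust level is set and below a caller-chosen threshold."""
    return [change for change in diff_reputations(event)
            if change["new"] != NOT_SET and change["new"] < threshold]


# Reduced copy of the File Reputation Change Event sample on this page
# (hashes, attributes and relationships omitted).
PAGE_EVENT = {
    "newReputations": {"props": {"serverTime": 1409851328}, "reputations": [
        {"createDate": 1409783001, "providerId": 3, "trustLevel": 85},
        {"createDate": 1409783001, "providerId": 1, "trustLevel": 99}]},
    "oldReputations": {"props": {"serverTime": 1409851328}, "reputations": [
        {"createDate": 1409783001, "providerId": 3, "trustLevel": 0},
        {"createDate": 1409783001, "providerId": 1, "trustLevel": 99}]},
    "updateTime": 1409851328,
}

if __name__ == "__main__":
    for change in diff_reputations(PAGE_EVENT):
        print(change)
```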

Public Key SHA1 Property: string

Base 64 encoding of the SHA-1 hash of the certificate's public key.

Reputation Request Base Object:

Reputation Updates Request Payload: object

For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"queryLimit": 300,
"sinceTime": 1402612347,
"targetTypes": {
"cert": "sha1",
"file": "sha256"
}
,
"targeted": true
}
sinceTime: integer

The timestamp (epoch time - in seconds) to retrieve changed reputations from. It is strongly recommended that this is set to the value returned in the serverTime property of the response to the latest reputation request. Note that both File and Certificate reputation requests will return the server time in the response.

queryLimit: integer

The maximum number of reputations to return (allowed values: 1-5000). If omitted, this defaults to a server-configurable parameter, or to 100 if that parameter is unconfigured.

targeted: boolean

When set to true, the server will include only items that the consumer has previously requested reputations for or that are prevalent. If omitted, this defaults to a server-configurable parameter, or to False if that parameter is unconfigured.

targetTypes: object

Types of reputation subjects to include in the response, along with the hash type to return for each subject. If "targetTypes" is omitted, TIE will include both files and certificates in the response and default to the backwards compatible behavior: it will return the SHA1 hash for certificates, and for files it will return the SHA1 hash if available, else the MD5 or the SHA256, in this order.

file: string

Possible values are "sha1", "md5", "sha256".

cert: string

Possible values are "sha1".

Reputation Updates Response Payload: object

For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.

{
"certificateHashes": [
{
"type": "sha1",
"value": "ERD6shE0rp1D+F3rUdrKLH/Wuet="
}
]
,
"fileHashes": [
{
"type": "sha1",
"value": "ESK6sSE0rp1D+F3K9xrKLH/Wuaw="
},
{
"type": "sha1",
"value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz601c9VO26cNqWRdcCg=="
}
]
,
"latestUpdateTime": 1402602516,
"props": {
"queryLimitExceeded": true,
"serverTime": 1518720115
}
}
fileHashes: object[]

This is included only if "file" is a selected subject type or when using default options. Together, this list and certificateHashes will contain at most as many entries as the queryLimit provided, or the server default if no limit was specified. For targeted requests, only prevalent items or items for which the invoker has previously issued a reputation request will be included. Note that only one hash for each updated file will be included in this response. The hash included will depend on the available hashes for the given file and on the value of the "targetTypes"."file" attribute.

certificateHashes: object[]

This is included only if "cert" is a selected subject type or when using default options. Together, this list and fileHashes will contain at most as many entries as the queryLimit provided, or the server default if no limit was specified.

latestUpdateTime: integer

The epoch time of the latest update amongst the hashes listed.

props: object

Will be present when there are more updates in the server than the provided queryLimit.

serverTime: integer

Will be present and set to the current server epoch time in seconds if there are more updates in the server than the provided queryLimit.

queryLimitExceeded: integer

Will be present and set to "true" if there are more updates in the server than the provided queryLimit.
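A polling consumer built on the request and response fields above, as an added example (not part of the TIE documentation or the OpenDXL client). The function names and the "send" callable are hypothetical stand-ins for the real DXL request. Resuming from latestUpdateTime while queryLimitExceeded is set, and the server treating sinceTime as inclusive, are assumptions of this sketch rather than documented behaviour.

```python
def build_updates_request(since_time, query_limit=None,
                          file_hash="sha256", cert_hash="sha1"):
    """Build a Reputation Updates request, enforcing the documented ranges."""
    if query_limit is not None and not 1 <= query_limit <= 5000:
        raise ValueError("queryLimit must be between 1 and 5000")
    if file_hash not in ("sha1", "md5", "sha256"):
        raise ValueError("unsupported file hash type: %r" % (file_hash,))
    if cert_hash != "sha1":
        raise ValueError("unsupported certificate hash type: %r" % (cert_hash,))
    request = {"sinceTime": int(since_time),
               "targetTypes": {"file": file_hash, "cert": cert_hash}}
    if query_limit is not None:
        request["queryLimit"] = query_limit
    return request


def drain_updates(send, since_time, query_limit=None, max_rounds=100):
    """Collect changed hashes until queryLimitExceeded is no longer reported.

    Returns (file_hashes, cert_hashes, complete); complete is False when the
    loop stopped while the server still had updates pending.
    """
    files, certs = set(), set()
    cursor = since_time
    for _ in range(max_rounds):
        response = send(build_updates_request(cursor, query_limit))
        files.update((h["type"], h["value"]) for h in response.get("fileHashes", []))
        certs.update((h["type"], h["value"]) for h in response.get("certificateHashes", []))
        props = response.get("props") or {}
        if not props.get("queryLimitExceeded"):
            return files, certs, True
        latest = response.get("latestUpdateTime")
        # Assumption: continue from the newest update already received.
        if latest is None or latest <= cursor:
            return files, certs, False  # no progress; more updates share one timestamp
        cursor = latest
    return files, certs, False


def make_fake_server(updates):
    """Constructed stand-in for the server; updates are (epoch, kind, type, value)."""
    def send(request):
        limit = request.get("queryLimit", 100)
        pending = sorted(u for u in updates if u[0] >= request["sinceTime"])
        page = pending[:limit]
        response = {
            "fileHashes": [{"type": t, "value": v} for _, k, t, v in page if k == "file"],
            "certificateHashes": [{"type": t, "value": v} for _, k, t, v in page if k == "cert"],
        }
        if page:
            response["latestUpdateTime"] = page[-1][0]
        if len(pending) > limit:
            response["props"] = {"queryLimitExceeded": True, "serverTime": 1518720115}
        return response
    return send
```

The sets deduplicate entries returned again at a page boundary, and the "complete" flag lets the caller alert on a stalled cursor instead of silently missing reputation changes.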

Reputations Object: object

reputations: object[]
object
trustLevel: integer

Constants that are used to indicate the trust level of a file or certificate. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.

providerId: integer

The identifier for the particular "provider" that provided the reputation. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: FileProvider and CertProvider.

detectTime: integer

Timestamp of the detection.

attributes: object

A provider-specific set of attributes as a JSON dictionary.

string
props: object
serverTime: integer

TIE Server epoch time (in seconds).

Server Time Property: integer

TIE Server epoch time (in seconds).

Submit Metadata Property: integer

Flag to send an update_metadata call for this certificate.

Update Time Property: integer

Time the reputation for this file was updated.