- Website: https://www.mcafee.com/us/products/threat-intelligence-exchange.aspx
- Commercial Solution: Yes
- API Specification: raw.githubusercontent.com/open…/tie/v0.1/tie-server.yaml
McAfee Threat Intelligence Exchange shares and exchanges emerging threat data instantly, operationalizing intelligence sharing and encouraging rapid response across your endpoint, gateway, network, and data center security solutions in real time. Making the most of locally generated intelligence and McAfee Global Threat Intelligence, it continually assesses evolving reputations. As reputations change, updates are distributed over the Data Exchange Layer immediately, allowing security solutions from any vendor to operate as one, exchanging and acting on shared intelligence.
As the first service over the Data Exchange Layer, TIE has the most extensive integration ecosystem. Many McAfee and industry products consume updated reputations and then take action, or send TIE changes to reputations, for example when a sandbox convicts a file, or a SIEM uses a TIE reputation to score an IOC.
An OpenDXL TIE Python client is available for accessing McAfee Threat Intelligence Exchange information via DXL.
McAfee Threat Intelligence Exchange (TIE)
Version: 0.1
McAfee Threat Intelligence Exchange (TIE) shares local threat reputations to close the gap from encounter to containment.
Solutions
TIE Server
Services
McAfee TIE Service
DXL service hosted by the McAfee TIE Server.
- Version: 2.3.0
Events
/mcafee/event/tie/cert/repchange
The certificate reputation change event allows for a client to receive notifications when a previously requested certificate reputation has changed. Subscribing to this event avoids having to periodically check for updated reputations.
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "sha1",
"value": "X/1fNllXfncgp4Sx0qgRnYB5Klg="
}
],
"newReputations": {
"props": {
"serverTime": 1487856678
},
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 99
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
},
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
},
"oldReputations": {
"props": {
"serverTime": 1487856678
},
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 0
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
},
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
},
"publicKeySha1": "qi4bD+Y7VI1abbYyLjJLUAi2+Zg=",
"updateTime": 1409851328
}
- oldReputations: Old Reputations Object
- newReputations: New Reputations Object
- hashes: Hashes Object
- publicKeySha1: Public Key SHA1 Property
- updateTime: Update Time Property
/mcafee/event/tie/file/detection
The file detection event allows a client to receive notifications when a client takes an action on a file. Subscribing to this event lets consumers be notified about files that have been convicted.
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"detectionTime": 1402617156,
"hashes": [
{
"type": "md5",
"value": "CZnbhOFq32TBWnuAOUhLMw=="
},
{
"type": "sha1",
"value": "7vZcAfgW1DgH2WrHY5A3h14Fbks="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
],
"localReputation": 1,
"remediationAction": 5
}
- remediationAction: integer
  A numeric value indicating the type of remediation that occurred in response to the detection. See remediation types table in the TIE SDK.
- localReputation: integer
  The local reputation determined for the file that triggered the detection. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.
- detectionTime: integer
  The time the detection occurred (Epoch time).
/mcafee/event/tie/file/firstinstance
The file first instance event allows a client to receive notifications when a file is first reported (a reputation is requested for the file) by any client. Subscribing to this event makes it possible to follow new files seen in the environment.
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"hashes": [
{
"type": "sha1",
"value": "0wzjHGXydh+ijtstLjkl1CkZgqU="
},
{
"type": "md5",
"value": "FvdpvB03zBTjCTuYgc8WkQ=="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
}
- hashes: Hashes Object
- agentGuid: string
  The GUID of the system where the first instance of the file was found.
/mcafee/event/tie/file/prevalence
The file prevalence change event allows a client to receive notifications when the file prevalence (number of different agents that have asked for the file reputation) changes. Subscribing to this event makes it possible to follow the spread of the file.
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agentFirstReference": 1392320769,
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"enterpriseCount": 125,
"hashes": [
{
"type": "sha1",
"value": "0wzjHGXydh+ijtstLjkl1CkZgqU="
},
{
"type": "md5",
"value": "FvdpvB03zBTjCTuYgc8WkQ=="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
],
"prevalent": false
}
- agentFirstReference: integer
  Epoch time for the first reputation request by the agent that changed the file prevalence.
- enterpriseCount: integer
  Total number of agents that have asked for the reputation of the file at least once. The minimum value for this attribute is 1.
- prevalent: boolean
  "true" if the file is considered prevalent in the Enterprise or "false" otherwise. Once TIE generates the event with prevalent = true it will no longer send prevalence change events for this file.
/mcafee/event/tie/file/repchange
The file reputation change event allows for a client to receive notifications when a previously requested file reputation has changed. Subscribing to this event avoids having to periodically check for updated reputations.
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "md5",
"value": "bQvLG6j1WmwRB8LZ2gPa1w=="
},
{
"type": "sha1",
"value": "OxbrjQd0H6+3meBW5YuBoInTcqM="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
],
"newReputations": {
"props": {
"serverTime": 1409851328
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
},
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 85
},
{
"attributes": {
"2120340": "2139160704"
},
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
},
"oldReputations": {
"props": {
"serverTime": 1409851328
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
},
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 0
},
{
"attributes": {
"2120340": "2139160704"
},
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
},
"relationships": {
"certificate": {
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
]
}
},
"updateTime": 1409851328
}
- oldReputations: Old Reputations Object
- newReputations: New Reputations Object
- hashes: Hashes Object
- updateTime: Update Time Property
- relationships: object
  Contains information regarding the certificate associated with this file (if such a relationship exists).
  - certificate: object
    - hashes: Hashes Object
/mcafee/event/tie/file/repchange/broadcast
The file reputation change broadcast event allows a client to receive notifications when any file reputation has changed. Subscribing to this event makes it possible to follow reputation changes on all files.
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "md5",
"value": "bQvLG6j1WmwRB8LZ2gPa1w=="
},
{
"type": "sha1",
"value": "OxbrjQd0H6+3meBW5YuBoInTcqM="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
],
"newReputations": {
"props": {
"serverTime": 1409851328
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
},
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 85
},
{
"attributes": {
"2120340": "2139160704"
},
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
},
"oldReputations": {
"props": {
"serverTime": 1409851328
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
},
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 0
},
{
"attributes": {
"2120340": "2139160704"
},
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
},
"updateTime": 1409851328
}
- oldReputations: Old Reputations Object
- newReputations: New Reputations Object
- hashes: Hashes Object
- updateTime: Update Time Property
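Added example (not part of the TIE documentation or the OpenDXL client): a consumer-side handler for the file reputation change and broadcast events above. It decodes the base64 digests to hex, rejects digests whose length does not match the declared type, and reports per-provider trust level changes. The cut-off of 30 and the reading of 0 as "not set" are assumptions to check against the TrustLevel constants; the payload is a trimmed copy of the sample event.

```python
import base64
import json

# Raw digest sizes in bytes for the hash types used in TIE payloads.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}

# Assumption: a new trust level in the range 1..30 is treated as malicious-leaning.
# 0 is read as "no reputation set". Verify both against the TrustLevel constants.
MALICIOUS_CEILING = 30

# Constructed sample: the file reputation change event from this page, with the
# provider-specific "attributes" and "relationships" keys trimmed.
SAMPLE_EVENT = """
{"hashes": [{"type": "md5", "value": "bQvLG6j1WmwRB8LZ2gPa1w=="},
            {"type": "sha1", "value": "OxbrjQd0H6+3meBW5YuBoInTcqM="},
            {"type": "sha256", "value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="}],
 "newReputations": {"props": {"serverTime": 1409851328}, "reputations": [
     {"createDate": 1409783001, "providerId": 3, "trustLevel": 85},
     {"createDate": 1409783001, "providerId": 1, "trustLevel": 99}]},
 "oldReputations": {"props": {"serverTime": 1409851328}, "reputations": [
     {"createDate": 1409783001, "providerId": 3, "trustLevel": 0},
     {"createDate": 1409783001, "providerId": 1, "trustLevel": 99}]},
 "updateTime": 1409851328}
"""


def decode_hashes(hashes):
    """Return {hash type: hex digest}; raise ValueError on malformed entries."""
    decoded = {}
    for entry in hashes:
        kind, value = entry["type"], entry["value"]
        if kind not in DIGEST_BYTES:
            raise ValueError("unknown hash type: %r" % (kind,))
        # validate=True rejects characters outside the base64 alphabet.
        raw = base64.b64decode(value, validate=True)
        if len(raw) != DIGEST_BYTES[kind]:
            raise ValueError("%s digest is %d bytes, expected %d"
                             % (kind, len(raw), DIGEST_BYTES[kind]))
        decoded[kind] = raw.hex()
    return decoded


def trust_by_provider(block):
    """Map providerId -> trustLevel for one old/new reputations object."""
    return {r["providerId"]: r["trustLevel"] for r in block.get("reputations", [])}


def reputation_changes(event):
    """List the providers whose trust level differs between old and new."""
    old = trust_by_provider(event.get("oldReputations", {}))
    new = trust_by_provider(event.get("newReputations", {}))
    changes = []
    for provider in sorted(set(old) | set(new)):
        before, after = old.get(provider), new.get(provider)
        if before != after:
            changes.append({"providerId": provider, "old": before, "new": after})
    return changes


def summarize(payload):
    """Parse one event payload (JSON text) into a record a SIEM rule can use."""
    event = json.loads(payload)
    changes = reputation_changes(event)
    alert = any(c["new"] is not None and 0 < c["new"] <= MALICIOUS_CEILING
                for c in changes)
    return {
        "hashes": decode_hashes(event["hashes"]),
        "changes": changes,
        "alert": alert,
        "updateTime": event["updateTime"],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENT), indent=2))
```
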
Requests
/mcafee/service/tie/cert/agents
The certificate first references operation flow allows for a client to receive a data bundle from TIE Server containing a list of agents that made the first reference to a particular certificate.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
],
"publicKeySha1": "3lHcG/IeSgU/EhzBvMOzZSyRBZg=",
"queryLimit": 100
}
- queryLimit: integer
  The maximum number of systems to return. Defaults to 100; the allowed range is 1 to 5000.
- publicKeySha1: Public Key SHA1 Property
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agents": [
{
"agentGuid": "{66c5d2c6-e959-11e3-baeb-005056c00008}",
"date": 1402676072
},
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"date": 1402676078
},
{
"agentGuid": "{86c5d2c6-e959-11e3-baeb-005056c00067}",
"date": 1402676082
}
],
"totalCount": 3
}
- totalCount: integer
  The total count of systems that have referenced this file (First references).
- agents: object[]
  List of agents. Each object has:
  - date: integer
  - agentGuid: Agent GUID Property
/mcafee/service/tie/cert/reputation
The certificate reputation service operation flow allows for a client to receive certificate reputation information on demand. Invoking this service method from a client will also cause the TIE Server to automatically include that client when broadcasting certificate reputation events in the future.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
],
"publicKeySha1": "3lHcG/IeSgU/EhzBvMOzZSyRBZg="
}
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"overridden": {
"files": [
{
"hashes": [
{
"type": "md5",
"value": "CTWz2oVIu0RisXjZnCG4cA=="
},
{
"type": "sha1",
"value": "FHHwTNDzxzt+YqcdCGk8MGVKVV8="
},
{
"type": "sha256",
"value": "RjU4pJdE+gXo0LH4pRwO/4B4vjSSS1kvgriSJ+IwWAo="
}
]
},
{
"hashes": [
{
"type": "md5",
"value": "2LB7JR27x99WGbxm68kxcg=="
},
{
"type": "sha256",
"value": "mjeiJBg+iAcXbRwOyFYMwj10AQFjyA/YP+N0oP91cLI="
}
]
}
],
"truncated": 0
},
"props": {
"serverTime": 1396655764,
"submitMetaData": 1
},
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 99
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
},
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
}
- reputations: object[]
  Each object has:
  - providerId: integer
    The identifier for the particular "provider" that provided the reputation. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: FileProvider and CertProvider.
  - createDate: integer
    The time this reputation was created (Epoch time).
  - trustLevel: integer
    The trust level for the reputation subject (file, certificate, etc.). See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.
  - attributes: object
    A provider-specific set of attributes as a JSON dictionary. Values are of type string.
- props: object
  - submitMetaData: Submit Metadata Property
  - serverTime: Server Time Property
- overridden: object
  Included if there are files signed with this certificate and for which an override (Enterprise) reputation is set.
  - files: object[]
    List of files signed with this certificate and for which an override (Enterprise) reputation is set. This list will contain one entry for each file with overrides. If there are too many files, then the list will be populated with as many
  - truncated: integer
    If set to 1 this means that the list of overridden files has been truncated as there were too many files to report. There could be files with overrides and that are not present in the list of files in this message. If set to 0 this means that the list of overridden files is complete and there are no other files signed with this certificate and for which an override (Enterprise) reputation is set.
/mcafee/service/tie/cert/update_metadata
The Certificate Update Metadata service allows clients to provide additional contextual information about a certificate. The request will include details which will assist the security admin in their threat analysis activities.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"algorithm": "sha1RSA",
"contentVersion": "47850746040811521",
"hashes": [
{
"type": "sha1",
"value": "npN587OCHVtutV0Tu3VWiG29uOc="
}
],
"issuer": "Microsoft Windows Verification PCA",
"issuerDN": "CN=Microsoft Windows Verification PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"issuerPublicKeySha1": "KxfRYCjaN34LrVZGgVqX6WlorWE=",
"issuerSha1": "XfDXVxsHgHg5YMaLeFcf/X7a8CE=",
"productEnforcing": 1,
"publicKeySha1": "qKEUVpy1IfEloPPnGq+eeNFrKIM=",
"ruleEnforcing": 1,
"serialNumber": "YRU0ZAAAAAAADA==",
"subject": "CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"subjectName": "Microsoft Windows",
"validFrom": 1260223064,
"validTo": 1299535064
}
- publicKeySha1: Public Key SHA1 Property
- algorithm: string
  Certificate's algorithm.
- issuerDN: string
  Distinguished Name of the certificate's Issuer.
- issuerPublicKeySha1: Public Key SHA1 Property
- serialNumber: string
  Serial Number of the certificate.
- subjectName: string
  Subject of the certificate.
- validFrom: integer
  Certificate's valid From date (long value).
- validTo: integer
  Certificate's valid To date (long value).
- contentVersion: string
  The major and minor versions of the content. Representation of major,minor,subminor,build in Little Endian format.
- productEnforcing: boolean
  Whether the client is running in Enforcement mode.
- ruleEnforcing: boolean
  Whether the rule was enforced or not (1 for enforced and 0 for not).
- subject: string
  Distinguished Name of the certificate.
- issuer: string
  Name of the certificate's Issuer.
- issuerSha1: Public Key SHA1 Property
No response will be provided by the TIE server.
/mcafee/service/tie/file/agents
The file first references operation flow allows for a client to receive a data bundle from TIE Server containing a list of agents that made the first reference to a particular file.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "sha1",
"value": "8nG/TX+SLaCjQjLw6xwWZZX6kI4="
}
],
"queryLimit": 5000
}
- queryLimit: integer
  The maximum number of systems to return. Defaults to 100; the allowed range is 1 to 5000.
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agents": [
{
"agentGuid": "{66c5d2c6-e959-11e3-baeb-005056c00008}",
"date": 1402676072
},
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"date": 1402676078
},
{
"agentGuid": "{86c5d2c6-e959-11e3-baeb-005056c00067}",
"date": 1402676082
}
],
"totalCount": 3
}
- totalCount: integer
  The total count of systems that have referenced this file (First references).
- agents: object[]
  List of agents. Each object has:
  - date: integer
  - agentGuid: Agent GUID Property
/mcafee/service/tie/file/reputation
The file reputation service operation flow allows for a client to receive file reputation information on demand. Invoking this service queries the TIE Server for the reputations associated with a file identified by any known hash values.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"certPublicKeySha1": "qKEUVpy1IfEloPPnGq+eeNFrKIM=",
"certSha1": "npN587OCHVtutV0Tu3VWiG29uOc=",
"fileType": 18,
"hashes": [
{
"type": "sha1",
"value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz601c9VO26cNqWRdcCg=="
}
],
"scanType": 1
}
- fileType: integer
  Encoded file type, used to improve search behaviour (Example: "EXE" or "JS"). Providing the file type enables effective down-selection and retention policies. For encoding details, see Encoded File Types in the TIE SDK.
- scanType: integer
  NOTE: This property is accepted but not currently honored by the current version of TIE Server. The default value is currently always assumed. The type of scan operation to which this report applies.
- certSha1: string
  NOTE: This property is accepted but will be ignored by the current version of TIE Server. SHA-1 of the certificate signing the file.
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"props": {
"atdCandidate": 1,
"masterServer": "masterhost;10.111.111.111",
"serverTime": 1392321493,
"submitMetaData": 1
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2101652": "0",
"2102165": "1392320762",
"2111893": "1",
"2114965": "0",
"2123412": "1",
"2123668": "26",
"2123924": "100",
"2124180": "99",
"2124436": "98",
"2124692": "72",
"2124948": "61",
"2125204": "44",
"2125460": "12",
"2125716": "44"
},
"createDate": 1392320762,
"providerId": 3,
"trustLevel": 0
},
{
"createDate": 1392321493,
"providerId": 1,
"trustLevel": 0
}
]
}
- props: object
  - submitMetaData: Submit Metadata Property
  - atdCandidate: integer
    Optional; sent only when ATD is enabled and the file is an ATD candidate. When this flag is set to 1, the TIE server is requesting the client to submit the file sample for sandboxing.
  - masterServer: string
    Hostname and IP of the TIE Server. Only present when atdCandidate is present. This is the server that should be used by the clients to submit the file sample for sandboxing.
/mcafee/service/tie/file/update_metadata
The File Update Metadata service allows clients to provide additional contextual information about a file. The request will include details which will assist the security admin in their threat analysis activities. Metadata also includes information about file detections, relationships with other files and certificates, and details that other clients could use to enhance their defense.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"actorLocalRep": 0,
"actorSha1": null,
"agentGuid": "testGuid",
"caRep": 0,
"certIssuer": null,
"certPublicKeySha1": null,
"certSha1": null,
"certSubject": null,
"companyName": null,
"contentVersion": "47850746040811521",
"detectionName": null,
"detectionType": 0,
"fileType": 16,
"hashes": [
{
"type": "sha256",
"value": "cgF66fVGT1CMxZG2BfWrcDd1ws2BzWCU619XEOj3uCo="
},
{
"type": "sha1",
"value": "5tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz501c9VO24cNqWRdcCg=="
}
],
"jtiAvProductId": "28600",
"localRep": 85,
"localRepRuleId": 0,
"name": "Notepad++.exe",
"objectType": 1,
"osVersion": "25769803777",
"parentLocalRep": 0,
"parentSha1": null,
"path": "C:\\Users\\Administrator\\Desktop\\Notepad++\\Notepad++.exe",
"prePromptLocalRep": 50,
"productEnforcing": 1,
"productName": "Sample",
"productVersion": "6.1.7601.18128",
"profilerFlags": "465:1a200;5a5:20;6a5:414c2700;765:41e4bd80;865:fffffffc;965:3;a65:0;b65:0;c65:0;e65:2024842;f65:10a4640;1065:5;1165:69;1265:6;1365:0;1465:5c00;1565:2a0;1665:e0;17a5:101000;19a5:1",
"remediation": 0,
"ruleEnforcing": 1,
"scanType": 1,
"signedBits": 0,
"size": 107008,
"userPrompted": 1,
"version": 22,
"vseContentVersion": "12345",
"vseDetectionName": "TestVseDetection",
"vseDetectionType": 2,
"vseProductId": 25,
"vseRemediation": 20,
"vseSuppressed": false
}
- scanType: integer
  NOTE: This property is accepted but not currently honored by the current version of TIE Server. The default value is currently always assumed. The type of scan operation to which this report applies.
- agentGuid: Agent GUID Property
- name: string
  UTF-8 encoded name of the file. TIE Server will store filenames up to a configurable limit (default value: 500).
- size: integer
  File size in bytes.
- path: string
  UTF-8 encoded path of the file. TIE Server will store file paths up to a configurable limit (default value: 500).
- version: string
  File version.
- fileType: integer
  (X) File type of a given file: driver, dll, exe or non-PE.
- signedBits: integer
- companyName: string
  UTF-8 encoded name of the publisher of the file.
- profilerFlags: string
  Profiler attributes.
- certIssuer: string
  Issuer of the signing certificate.
- certSubject: string
  Subject of the signing certificate.
- productName: string
  UTF-8 encoded name of the product corresponding to the file (as extracted from the binary’s version info).
- productVersion: string
  UTF-8 encoded version string of the application corresponding to the file.
- objectType: integer
  The type of object being reported upon. Currently supported types are 1 (File), which is the default if omitted, and 4 (Process). TIE will not keep aggregate local reputation data reported for processes, only for files.
- localRep: integer
  Local reputation for the file.
- parentLocalRep: integer
  Reputation of the main executable of the process that created the file.
- prePromptLocalRep: integer
  Pre-prompt local reputation of the file.
- localRepRuleId: integer
- parentSha1: string
  "SHA-1" of the main executable of the process that created the file being reported.
- osVersion: string
  OS version that the file was found on. Representation of major and minor in Little Endian format.
- actorLocalRep: integer
- caRep: string
  Reputation of the Certificate Authority (CA).
- contentVersion: string
  The major and minor versions of the content. Representation of major,minor,subminor,build in Little Endian format.
- productEnforcing: boolean
  Whether the client is running in Enforcement mode.
- ruleEnforcing: boolean
  Whether the rule was enforced or not (1 for enforced and 0 for not).
- jtiAvProductId: string
  Product Id of the client.
- userPrompted: boolean
  Whether the user was prompted or not (1 for prompted and 0 for not).
- detectionType: integer
  Detection type.
- detectionName: string
  Detection name from the detecting product.
- certSha1: string
  Base 64 encoding of the SHA-1 of the certificate signing the file.
- certPublicKeySha1: Public Key SHA1 Property
- actorSha1: string
  Base 64 encoding of the "SHA-1" hash of the primary actor. This is the main process that loaded the file/process being reported on.
- remediation: integer
  Indicates that a detection has occurred and provides the action applied. See remediation types table in the TIE SDK.
No response will be provided by the TIE server.
/mcafee/service/tie/reputation/updates
The reputation update operation flow allows for a client to receive a data bundle from TIE Server containing all reputations that have changed in a given time period.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"queryLimit": 300,
"sinceTime": 1402612347,
"targetTypes": {
"cert": "sha1",
"file": "sha256"
},
"targeted": true
}
- sinceTime: integer
  The timestamp (epoch time, in seconds) to retrieve changed reputations from. It is strongly recommended that this is set to the value returned in the serverTime property of the response to the latest reputation request. Note that both File and Certificate reputation requests will return the server time in the response.
- queryLimit: integer
  The maximum number of reputations to return (allowed values: 1-5000). If omitted, this defaults to a parameter configurable on the server, or 100 if the server parameter is unconfigured.
- targeted: boolean
  When set to true, the server will include only items that the consumer has previously requested reputations for or that are prevalent. If omitted, this defaults to a parameter configurable on the server, or False if unconfigured.
- targetTypes: object
  Types of reputation subjects to include in the response, along with the hash type to return for each subject. If "targetTypes" is omitted, TIE will include both files and certificates in the response and will default to the backwards compatible behavior: it will return the SHA1 hash for certificates, and for files it will return the SHA1 hash if available, else the MD5 or the SHA256, in this order.
  - file: string
    Possible values are "sha1", "md5", "sha256".
  - cert: string
    Possible values are "sha1".
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"certificateHashes": [
{
"type": "sha1",
"value": "ERD6shE0rp1D+F3rUdrKLH/Wuet="
}
],
"fileHashes": [
{
"type": "sha1",
"value": "ESK6sSE0rp1D+F3K9xrKLH/Wuaw="
},
{
"type": "sha1",
"value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz601c9VO26cNqWRdcCg=="
}
],
"latestUpdateTime": 1402602516,
"props": {
"queryLimitExceeded": true,
"serverTime": 1518720115
}
}
- fileHashes: object[]
  This is included only if "file" is a selected subject type or when using default options. Combined with certificateHashes, it will contain at most as many entries as the queryLimit provided, or the server default if no limit was specified. For targeted requests, only prevalent items or items for which the invoker has previously issued a reputation request will be included. Note that only one hash for each updated file will be included in this response. The hash included will depend on the available hashes for the given file and on the value of the "targetTypes"."file" attribute.
- certificateHashes: object[]
  This is included only if "cert" is a selected subject type or when using default options. Combined with fileHashes, it will contain at most as many entries as the queryLimit provided, or the server default if no limit was specified.
- latestUpdateTime: integer
  The epoch time of the latest update amongst the hashes listed.
- props: object
  Will be present when there are more updates in the server than the provided queryLimit.
  - serverTime: integer
    Will be present and set to the current server epoch time in seconds if there are more updates in the server than the provided queryLimit.
  - queryLimitExceeded: integer
    Will be present and set to "true" if there are more updates in the server than the provided queryLimit.
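Added example (not part of the TIE documentation or the OpenDXL client): building request payloads for /mcafee/service/tie/file/reputation and /mcafee/service/tie/reputation/updates from the hex digests that logs and SIEM records usually carry, enforcing the limits stated above (queryLimit 1 to 5000, the allowed targetTypes values). All function names are hypothetical, and the payloads still have to be sent over DXL by a client.

```python
import base64
import json

# Raw digest sizes in bytes; TIE payloads carry the base64 of these raw bytes.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}

# Allowed targetTypes values and queryLimit range, as documented on this page.
FILE_TARGET_HASHES = ("sha1", "md5", "sha256")
CERT_TARGET_HASHES = ("sha1",)
QUERY_LIMIT_MIN, QUERY_LIMIT_MAX = 1, 5000


def tie_hash(kind, hex_digest):
    """Convert a hex digest into one entry of a TIE "hashes" list."""
    if kind not in DIGEST_BYTES:
        raise ValueError("unsupported hash type: %r" % (kind,))
    try:
        raw = bytes.fromhex(hex_digest.strip())
    except ValueError:
        raise ValueError("%s digest is not valid hex" % kind) from None
    if len(raw) != DIGEST_BYTES[kind]:
        raise ValueError("%s digest is %d bytes, expected %d"
                         % (kind, len(raw), DIGEST_BYTES[kind]))
    return {"type": kind, "value": base64.b64encode(raw).decode("ascii")}


def file_reputation_request(hex_hashes):
    """Build a file reputation request from {hash type: hex digest}."""
    if not hex_hashes:
        raise ValueError("at least one hash is required")
    return {"hashes": [tie_hash(k, hex_hashes[k]) for k in sorted(hex_hashes)]}


def check_query_limit(limit):
    """Reject limits outside the documented 1-5000 range (and non-integers)."""
    if isinstance(limit, bool) or not isinstance(limit, int):
        raise ValueError("queryLimit must be an integer")
    if not QUERY_LIMIT_MIN <= limit <= QUERY_LIMIT_MAX:
        raise ValueError("queryLimit must be between 1 and 5000")
    return limit


def reputation_updates_request(since_time, query_limit=None, targeted=None,
                               file_hash=None, cert_hash=None):
    """Build a reputation updates request; omitted options use server defaults."""
    if (isinstance(since_time, bool) or not isinstance(since_time, int)
            or since_time < 0):
        raise ValueError("sinceTime must be epoch seconds")
    request = {"sinceTime": since_time}
    if query_limit is not None:
        request["queryLimit"] = check_query_limit(query_limit)
    if targeted is not None:
        request["targeted"] = bool(targeted)
    target_types = {}
    if file_hash is not None:
        if file_hash not in FILE_TARGET_HASHES:
            raise ValueError("file hash type must be one of %r" % (FILE_TARGET_HASHES,))
        target_types["file"] = file_hash
    if cert_hash is not None:
        if cert_hash not in CERT_TARGET_HASHES:
            raise ValueError("cert hash type must be one of %r" % (CERT_TARGET_HASHES,))
        target_types["cert"] = cert_hash
    if target_types:
        request["targetTypes"] = target_types
    return request


if __name__ == "__main__":
    # Constructed input: an all-zero SHA-1 digest in hex, used only as a placeholder.
    print(json.dumps(file_reputation_request({"sha1": "00" * 20})))
    print(json.dumps(reputation_updates_request(
        1402612347, query_limit=300, targeted=True,
        file_hash="sha256", cert_hash="sha1")))
```
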
Definitions
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
],
"publicKeySha1": "3lHcG/IeSgU/EhzBvMOzZSyRBZg=",
"queryLimit": 100
}
- queryLimit: integer
-
The max number of systems to return. By default is 100, ranging from 1 to 5000.
- publicKeySha1: Public Key SHA1 Property
-
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agents": [
{
"agentGuid": "{66c5d2c6-e959-11e3-baeb-005056c00008}",
"date": 1402676072
},
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"date": 1402676078
},
{
"agentGuid": "{86c5d2c6-e959-11e3-baeb-005056c00067}",
"date": 1402676082
}
],
"totalCount": 3
}
- totalCount: integer
-
The total count of systems that have referenced this file (First references)
- agents: object[]
-
List of agents.
object - date: integer
-
- agentGuid: Agent GUID Property
-
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "sha1",
"value": "X/1fNllXfncgp4Sx0qgRnYB5Klg="
}
],
"newReputations": {
"props": {
"serverTime": 1487856678
},
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 99
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
},
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
},
"oldReputations": {
"props": {
"serverTime": 1487856678
},
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 0
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
},
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
},
"publicKeySha1": "qi4bD+Y7VI1abbYyLjJLUAi2+Zg=",
"updateTime": 1409851328
}
- oldReputations: Old Reputations Object
-
- newReputations: New Reputations Object
-
- hashes: Hashes Object
-
- publicKeySha1: Public Key SHA1 Property
-
- updateTime: Update Time Property
-
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
],
"publicKeySha1": "3lHcG/IeSgU/EhzBvMOzZSyRBZg="
}
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"overridden": {
"files": [
{
"hashes": [
{
"type": "md5",
"value": "CTWz2oVIu0RisXjZnCG4cA=="
},
{
"type": "sha1",
"value": "FHHwTNDzxzt+YqcdCGk8MGVKVV8="
},
{
"type": "sha256",
"value": "RjU4pJdE+gXo0LH4pRwO/4B4vjSSS1kvgriSJ+IwWAo="
}
]
},
{
"hashes": [
{
"type": "md5",
"value": "2LB7JR27x99WGbxm68kxcg=="
},
{
"type": "sha256",
"value": "mjeiJBg+iAcXbRwOyFYMwj10AQFjyA/YP+N0oP91cLI="
}
]
}
],
"truncated": 0
},
"props": {
"serverTime": 1396655764,
"submitMetaData": 1
},
"reputations": [
{
"createDate": 1396563520,
"providerId": 2,
"trustLevel": 99
},
{
"attributes": {
"2109333": "1",
"2109589": "1396563520"
},
"createDate": 1396563520,
"providerId": 4,
"trustLevel": 0
}
]
}
- reputations: object[]
-
object - providerId: integer
-
The identifier for the particular "provider" that provided the reputation. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: FileProvider and CertProvider
- createDate: integer
-
The time this reputation was created (Epoch time).
- trustLevel: integer
-
The trust level for the reputation subject (file, certificate, etc.). See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.
- attributes: object
-
A provider-specific set of attributes as a JSON dictionary.
string
- props: object
-
- submitMetaData: Submit Metadata Property
-
- serverTime: Server Time Property
-
- overridden: object
-
Included if there are files signed with this certificate and for which an override (Enterprise) reputation is set.
- files: object[]
-
List of files signed with this certificate and for which an override (Enterprise) reputation is set. This list will contain one entry for each file with overrides. If there are too many files, then the list will be populated with as many
- truncated: integer
-
If set to 1 this means that the list of overridden files has been truncated as there were too many files to report. There could be files with overrides and that are not present in the list of files in this message. If set to 0 this means that the list of overridden files is complete and there are no other files signed with this certificate and for which an override (Enterprise) reputation is set.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"algorithm": "sha1RSA",
"contentVersion": "47850746040811521",
"hashes": [
{
"type": "sha1",
"value": "npN587OCHVtutV0Tu3VWiG29uOc="
}
],
"issuer": "Microsoft Windows Verification PCA",
"issuerDN": "CN=Microsoft Windows Verification PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"issuerPublicKeySha1": "KxfRYCjaN34LrVZGgVqX6WlorWE=",
"issuerSha1": "XfDXVxsHgHg5YMaLeFcf/X7a8CE=",
"productEnforcing": 1,
"publicKeySha1": "qKEUVpy1IfEloPPnGq+eeNFrKIM=",
"ruleEnforcing": 1,
"serialNumber": "YRU0ZAAAAAAADA==",
"subject": "CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
"subjectName": "Microsoft Windows",
"validFrom": 1260223064,
"validTo": 1299535064
}
- publicKeySha1: Public Key SHA1 Property
-
- algorithm: string
-
Certificate's algorithm.
- issuerDN: string
-
Distinguished Name of the certificate's Issuer.
- issuerPublicKeySha1: Public Key SHA1 Property
-
- serialNumber: string
-
Serial Number of the certificate.
- subjectName: string
-
Subject of the certificate.
- validFrom: integer
-
Certificate's valid From date (long value).
- validTo: integer
-
Certificate's valid To date (long value).
- contentVersion: string
-
The major and minor versions of the content. Representation of major,minor,subminor,build in Little Endian format.
- productEnforcing: boolean
-
Whether the client is running in Enforcement mode.
- ruleEnforcing: boolean
-
Whether the rule was enforced or not (1 for enforced and 0 for not).
- subject: string
-
Distinguished Name of the certificate.
- issuer: string
-
Name of the certificate's Issuer.
- issuerSha1: Public Key SHA1 Property
-
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"detectionTime": 1402617156,
"hashes": [
{
"type": "md5",
"value": "CZnbhOFq32TBWnuAOUhLMw=="
},
{
"type": "sha1",
"value": "7vZcAfgW1DgH2WrHY5A3h14Fbks="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
],
"localReputation": 1,
"remediationAction": 5
}
- remediationAction: integer
-
A numeric value indicating the type of remediation that occurred in response to the detection. See remediation types table in the TIE SDK.
- localReputation: integer
-
The local reputation determined for the file that triggered the detection. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.
- detectionTime: integer
-
The time the detection occurred (Epoch time).
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"hashes": [
{
"type": "sha1",
"value": "0wzjHGXydh+ijtstLjkl1CkZgqU="
},
{
"type": "md5",
"value": "FvdpvB03zBTjCTuYgc8WkQ=="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
]
}
- hashes: Hashes Object
-
- agentGuid: string
-
The GUID of the system where the first instance of the file was found.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "sha1",
"value": "8nG/TX+SLaCjQjLw6xwWZZX6kI4="
}
],
"queryLimit": 5000
}
- queryLimit: integer
-
The maximum number of systems to return. The default is 100; allowed values range from 1 to 5000.
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agents": [
{
"agentGuid": "{66c5d2c6-e959-11e3-baeb-005056c00008}",
"date": 1402676072
},
{
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"date": 1402676078
},
{
"agentGuid": "{86c5d2c6-e959-11e3-baeb-005056c00067}",
"date": 1402676082
}
],
"totalCount": 3
}
- totalCount: integer
-
The total count of systems that have referenced this file (First references).
- agents: object[]
-
List of agents
object
- date: integer
-
- agentGuid: Agent GUID Property
-
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"agentFirstReference": 1392320769,
"agentGuid": "{abc5d2c6-e959-11e3-baeb-005056c00009}",
"enterpriseCount": 125,
"hashes": [
{
"type": "sha1",
"value": "0wzjHGXydh+ijtstLjkl1CkZgqU="
},
{
"type": "md5",
"value": "FvdpvB03zBTjCTuYgc8WkQ=="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
],
"prevalent": false
}
- agentFirstReference: integer
-
Epoch time for the first reputation request by the agent that changed the file prevalence.
- enterpriseCount: integer
-
Total number of agents that have asked for the reputation of the file at least once. The minimum value for this attribute is 1.
- prevalent: boolean
-
"true" if the file is considered prevalent in the Enterprise or "false" otherwise. Once TIE generates the event with prevalent = true it will no longer send prevalence change events for this file.
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "md5",
"value": "bQvLG6j1WmwRB8LZ2gPa1w=="
},
{
"type": "sha1",
"value": "OxbrjQd0H6+3meBW5YuBoInTcqM="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
],
"newReputations": {
"props": {
"serverTime": 1409851328
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
},
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 85
},
{
"attributes": {
"2120340": "2139160704"
},
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
},
"oldReputations": {
"props": {
"serverTime": 1409851328
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
},
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 0
},
{
"attributes": {
"2120340": "2139160704"
},
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
},
"updateTime": 1409851328
}
- oldReputations: Old Reputations Object
-
- newReputations: New Reputations Object
-
- hashes: Hashes Object
-
- updateTime: Update Time Property
-
For more information regarding event keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"hashes": [
{
"type": "md5",
"value": "bQvLG6j1WmwRB8LZ2gPa1w=="
},
{
"type": "sha1",
"value": "OxbrjQd0H6+3meBW5YuBoInTcqM="
},
{
"type": "sha256",
"value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="
}
],
"newReputations": {
"props": {
"serverTime": 1409851328
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
},
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 85
},
{
"attributes": {
"2120340": "2139160704"
},
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
},
"oldReputations": {
"props": {
"serverTime": 1409851328
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2112660": "99"
},
"createDate": 1409783001,
"providerId": 3,
"trustLevel": 0
},
{
"attributes": {
"2120340": "2139160704"
},
"createDate": 1409783001,
"providerId": 1,
"trustLevel": 99
}
]
},
"relationships": {
"certificate": {
"hashes": [
{
"type": "sha1",
"value": "rB/QkipKKm5XeazdYodHwoOUsLk="
}
]
}
},
"updateTime": 1409851328
}
- oldReputations: Old Reputations Object
-
- newReputations: New Reputations Object
-
- hashes: Hashes Object
-
- updateTime: Update Time Property
-
- relationships: object
-
Contains information regarding the certificate associated with this file (if such a relationship exists).
- certificate: object
-
- hashes: Hashes Object
-
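The file reputation change payload documented above, handled defensively: this is an added Python example (not code from the OpenDXL TIE client) that decodes the Base64 hash values to hex, rejects malformed or wrong-length digests, and reports which provider's trustLevel moved. The payload is the page's sample with the attributes maps trimmed; the function names are this example's own.

```python
import base64
import binascii
import json

# Digest sizes in bytes for the hash types the page lists.
DIGEST_LEN = {"md5": 16, "sha1": 20, "sha256": 32}

# The page's sample event with the "attributes" maps trimmed out.
SAMPLE_EVENT = json.loads("""
{
  "hashes": [
    {"type": "md5", "value": "bQvLG6j1WmwRB8LZ2gPa1w=="},
    {"type": "sha1", "value": "OxbrjQd0H6+3meBW5YuBoInTcqM="},
    {"type": "sha256", "value": "yXfKH1ESH+5YzaiIJ6YXOtTx1y2AJihOTE9EMCqWfkA="}
  ],
  "newReputations": {"props": {"serverTime": 1409851328}, "reputations": [
    {"createDate": 1409783001, "providerId": 3, "trustLevel": 85},
    {"createDate": 1409783001, "providerId": 1, "trustLevel": 99}]},
  "oldReputations": {"props": {"serverTime": 1409851328}, "reputations": [
    {"createDate": 1409783001, "providerId": 3, "trustLevel": 0},
    {"createDate": 1409783001, "providerId": 1, "trustLevel": 99}]},
  "relationships": {"certificate": {"hashes": [
    {"type": "sha1", "value": "rB/QkipKKm5XeazdYodHwoOUsLk="}]}},
  "updateTime": 1409851328
}
""")

def hashes_to_hex(hashes):
    """Turn a Hashes Object (list of {type, value}) into {type: hex digest}."""
    out = {}
    for entry in hashes:
        htype, value = entry.get("type"), entry.get("value")
        if htype not in DIGEST_LEN or not isinstance(value, str):
            raise ValueError(f"unsupported hash entry: {entry!r}")
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{htype} value is not valid Base64") from exc
        if len(raw) != DIGEST_LEN[htype]:
            raise ValueError(f"{htype} digest is {len(raw)} bytes")
        out[htype] = raw.hex()
    return out

def reputation_changes(event):
    """List (providerId, old trustLevel, new trustLevel) where they differ."""
    def levels(section):
        return {r["providerId"]: r["trustLevel"]
                for r in event[section]["reputations"]}
    old, new = levels("oldReputations"), levels("newReputations")
    return [(pid, old.get(pid), new.get(pid))
            for pid in sorted(old.keys() | new.keys())
            if old.get(pid) != new.get(pid)]

def summarize(event):
    """Hex file/certificate hashes plus the per-provider trust changes."""
    cert = event.get("relationships", {}).get("certificate")
    return {
        "file": hashes_to_hex(event["hashes"]),
        "certificate": hashes_to_hex(cert["hashes"]) if cert else None,
        "changes": reputation_changes(event),
        "updateTime": event["updateTime"],
    }
```

Because both reputation sections carry every provider, the comparison is what isolates the provider that actually changed; the hex digests are the form most SIEM and EDR lookups expect.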
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"certPublicKeySha1": "qKEUVpy1IfEloPPnGq+eeNFrKIM=",
"certSha1": "npN587OCHVtutV0Tu3VWiG29uOc=",
"fileType": 18,
"hashes": [
{
"type": "sha1",
"value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz601c9VO26cNqWRdcCg=="
}
],
"scanType": 1
}
- fileType: integer
-
Encoded file type, used to improve search behaviour (Example: "EXE" or "JS"). Providing the file type enables effective down-selection and retention policies. For encoding details, see Encoded File Types in the TIE SDK.
- scanType: integer
-
NOTE: This property is accepted but not currently honored by the current version of TIE Server. The default value is currently always assumed. The type of scan operation to which this report applies.
- certSha1: string
-
NOTE: This property is accepted but will be ignored by the current version of TIE Server. SHA-1 of the certificate signing the file.
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"props": {
"atdCandidate": 1,
"masterServer": "masterhost;10.111.111.111",
"serverTime": 1392321493,
"submitMetaData": 1
},
"reputations": [
{
"attributes": {
"2098277": "256",
"2101652": "0",
"2102165": "1392320762",
"2111893": "1",
"2114965": "0",
"2123412": "1",
"2123668": "26",
"2123924": "100",
"2124180": "99",
"2124436": "98",
"2124692": "72",
"2124948": "61",
"2125204": "44",
"2125460": "12",
"2125716": "44"
},
"createDate": 1392320762,
"providerId": 3,
"trustLevel": 0
},
{
"createDate": 1392321493,
"providerId": 1,
"trustLevel": 0
}
]
}
- props: object
-
- submitMetaData: Submit Metadata Property
-
- atdCandidate: integer
-
Optional; sent only when ATD is enabled and the file is an ATD candidate. When this flag is set to 1, the TIE server is requesting the client to submit the file sample for sandboxing.
- masterServer: string
-
Hostname and IP of the TIE Server. Only present when atdCandidate is present. This is the server that should be used by the clients to submit the file sample for sandboxing.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"actorLocalRep": 0,
"actorSha1": null,
"agentGuid": "testGuid",
"caRep": 0,
"certIssuer": null,
"certPublicKeySha1": null,
"certSha1": null,
"certSubject": null,
"companyName": null,
"contentVersion": "47850746040811521",
"detectionName": null,
"detectionType": 0,
"fileType": 16,
"hashes": [
{
"type": "sha256",
"value": "cgF66fVGT1CMxZG2BfWrcDd1ws2BzWCU619XEOj3uCo="
},
{
"type": "sha1",
"value": "5tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz501c9VO24cNqWRdcCg=="
}
],
"jtiAvProductId": "28600",
"localRep": 85,
"localRepRuleId": 0,
"name": "Notepad++.exe",
"objectType": 1,
"osVersion": "25769803777",
"parentLocalRep": 0,
"parentSha1": null,
"path": "C:\\Users\\Administrator\\Desktop\\Notepad++\\Notepad++.exe",
"prePromptLocalRep": 50,
"productEnforcing": 1,
"productName": "Sample",
"productVersion": "6.1.7601.18128",
"profilerFlags": "465:1a200;5a5:20;6a5:414c2700;765:41e4bd80;865:fffffffc;965:3;a65:0;b65:0;c65:0;e65:2024842;f65:10a4640;1065:5;1165:69;1265:6;1365:0;1465:5c00;1565:2a0;1665:e0;17a5:101000;19a5:1",
"remediation": 0,
"ruleEnforcing": 1,
"scanType": 1,
"signedBits": 0,
"size": 107008,
"userPrompted": 1,
"version": 22,
"vseContentVersion": "12345",
"vseDetectionName": "TestVseDetection",
"vseDetectionType": 2,
"vseProductId": 25,
"vseRemediation": 20,
"vseSuppressed": false
}
- scanType: integer
-
NOTE: This property is accepted but not currently honored by the current version of TIE Server. The default value is currently always assumed. The type of scan operation to which this report applies.
- agentGuid: Agent GUID Property
-
- name: string
-
UTF-8 encoded name of the file. TIE Server will store filenames up to a configurable limit (default value: 500).
- size: integer
-
File size in bytes.
- path: string
-
UTF-8 encoded path of the file. TIE Server will store file paths up to a configurable limit (default value: 500).
- version: string
-
File version.
- fileType: integer
-
(X) File type of a given file: driver, dll, exe or non-PE.
- signedBits: integer
-
- companyName: string
-
UTF-8 encoded name of the publisher of the file.
- profilerFlags: string
-
Profiler attributes.
- certIssuer: string
-
Issuer of the signing certificate.
- certSubject: string
-
Subject of the signing certificate.
- productName: string
-
UTF-8 encoded name of the product corresponding to the file (as extracted from the binary’s version info).
- productVersion: string
-
UTF-8 encoded version string of the application corresponding to the file.
- objectType: integer
-
The type of object being reported upon. Currently supported types are 1 (File), which is the default if omitted, and 4 (Process). TIE will not keep aggregate local reputation data reported for processes, only for files.
- localRep: integer
-
Local reputation for the file.
- parentLocalRep: integer
-
Reputation of the main executable of the process that created the file.
- prePromptLocalRep: integer
-
Pre-prompt local reputation of the file.
- localRepRuleId: integer
-
- parentSha1: string
-
"SHA-1" of the main executable of the process that created the file being reported.
- osVersion: string
-
OS version that the file was found on. Representation of major and minor in Little Endian format.
- actorLocalRep: integer
-
- caRep: string
-
Reputation of the Certificate Authority (CA).
- contentVersion: string
-
The major and minor versions of the content. Representation of major,minor,subminor,build in Little Endian format.
- productEnforcing: boolean
-
Whether the client is running in Enforcement mode.
- ruleEnforcing: boolean
-
Whether the rule was enforced or not (1 for enforced and 0 for not).
- jtiAvProductId: string
-
Product Id of the client.
- userPrompted: boolean
-
Whether the user was prompted or not (1 for prompted and 0 for not).
- detectionType: integer
-
Detection type.
- detectionName: string
-
Detection name from the detecting product.
- certSha1: string
-
Base 64 encoding of the SHA-1 of the certificate signing the file.
- certPublicKeySha1: Public Key SHA1 Property
-
- actorSha1: string
-
Base 64 encoding of the "SHA-1" hash of the primary actor. This is the main process that loaded the file/process being reported on.
- remediation: integer
-
Indicates that a detection has occurred and provides the action applied. See remediation types table in the TIE SDK.
- hashes: object[]
-
Known hashes for the file or certificate. Possible hashes are "sha1", "sha256" and "md5". Note: in backwards compatible mode only sha1 and md5 will be provided. Also, the event will only be sent for files for which both sha1 and md5 are known.
- type: string
-
Possible hashes are "sha1", "sha256" and "md5"; these are the currently supported values. Note: in backwards compatible mode only sha1 and md5 will be provided.
- value: string
-
Base 64 encoding of the hash bytes.
New reputations: the content of this section is exactly the full reputation response message as it is after the change that triggered the event. All reputation providers are therefore detailed, including both the one for which the reputation has changed and those for which there has been no actual reputation change.
Old reputations: the content of this section is exactly the full reputation response message as it was before the change that triggered the event.
- certPublicKeySha1: Public Key SHA1 Property
-
Base 64 encoding of the SHA-1 hash of the certificate's public key.
For more information regarding available request parameters, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"queryLimit": 300,
"sinceTime": 1402612347,
"targetTypes": {
"cert": "sha1",
"file": "sha256"
},
"targeted": true
}
- sinceTime: integer
-
The timestamp (epoch time - in seconds) to retrieve changed reputations from. It is strongly recommended that this is set to the value returned in the serverTime property of the response to the latest reputation request. Note that both File and Certificate reputation requests will return the server time in the response.
- queryLimit: integer
-
The maximum number of reputations to return (Allowed values: 1-5000). If omitted, this defaults to a server-configurable parameter, or to 100 if the server parameter is unconfigured.
- targeted: boolean
-
When set to true, the server will include only items that the consumer has previously requested reputations for or that are prevalent. If omitted, this defaults to a server-configurable parameter, or to False if unconfigured.
- targetTypes: object
-
Types of reputation subjects to include in the response, along with the hash type to return for each subject. If "targetTypes" is omitted, TIE will include both files and certificates in the response and will default to the backwards compatible behavior: it will return the SHA1 hash for certificates, and for files it will return the SHA1 hash if available, else the MD5 or the SHA256, in this order.
- file: string
-
Possible values are "sha1", "md5", "sha256".
- cert: string
-
Possible values are "sha1".
For more information regarding response keys/values, please see the OpenDXL McAfee TIE Client Documentation: dxltieclient.constants.module.
{
"certificateHashes": [
{
"type": "sha1",
"value": "ERD6shE0rp1D+F3rUdrKLH/Wuet="
}
],
"fileHashes": [
{
"type": "sha1",
"value": "ESK6sSE0rp1D+F3K9xrKLH/Wuaw="
},
{
"type": "sha1",
"value": "3tt/SI6IFXSHHisJtOUWhRFp0Y4="
},
{
"type": "md5",
"value": "MQKz601c9VO26cNqWRdcCg=="
}
],
"latestUpdateTime": 1402602516,
"props": {
"queryLimitExceeded": true,
"serverTime": 1518720115
}
}
- fileHashes: object[]
-
This is included only if "file" is a selected subject type or when using default options. Together with certificateHashes, it will contain at most as many entries as the queryLimit provided, or the server default if no limit was specified. For targeted requests, only prevalent items or items for which the invoker has previously issued a reputation request will be included. Note that only one hash for each updated file will be included in this response. The hash included will depend on the available hashes for the given file and on the value of the "targetTypes"."file" attribute.
- certificateHashes: object[]
-
This is included only if "cert" is a selected subject type or when using default options. Together with fileHashes, it will contain at most as many entries as the queryLimit provided, or the server default if no limit was specified.
- latestUpdateTime: integer
-
The epoch time of the latest update amongst the hashes listed.
- props: object
-
Will be present when there are more updates in the server than the provided queryLimit.
- serverTime: integer
-
Will be present and set to the current server epoch time in seconds if there are more updates in the server than the provided queryLimit.
- queryLimitExceeded: integer
-
Will be present and set to "true" if there are more updates in the server than the provided queryLimit.
- reputations: object[]
-
object
- trustLevel: integer
-
Constants that are used to indicate the trust level of a file or certificate. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: TrustLevel.
- providerId: integer
-
The identifier for the particular "provider" that provided the reputation. See the TIE SDK or the OpenDXL McAfee TIE Client Documentation: FileProvider and CertProvider.
- detectTime: integer
-
Timestamp of the detection.
- attributes: object
-
A provider-specific set of attributes as a JSON dictionary.
string
- props: object
-
- serverTime: integer
-
TIE Server epoch time (in seconds).