FileInspectionEvent

File Inspection Event.

JSON Example
{
    "inspection_time": 0,
    "server": {
        "vm_id": "string",
        "ip_address": "string",
        "fqdn": "string"
    },
    "client": {
        "vm_id": "string",
        "ip_address": "string",
        "fqdn": "string"
    },
    "sha256": "string",
    "sha1": "string",
    "md5": "string",
    "file_name": "string",
    "inspection_status": "string",
    "threat_score": 0,
    "verdict": "string",
    "error_message": "string",
    "error_code": "string",
    "is_blocked": false,
    "allow_listed": false,
    "transport_node_type": "string",
    "transport_node_id": "string",
    "gateway_id": "string"
}
inspection_time
Optional

Timestamp in milliseconds since epoch

server
Optional

Details about virtual machine.

client
Optional

Details about virtual machine.

string
sha256
Optional

SHA256 hash of the file.

string
sha1
Optional

SHA1 hash of the file.

string
md5
Optional

MD5 hash of the file.

string
file_name
Optional

Name of the file as observed in this instance of inspection.

inspection_status
Optional

Status of the inspection event.

Possible values are: IN_PROGRESS, COMPLETED, ERROR
integer
threat_score
Optional

Threat score assigned to this inspection event. For a known verdict the threat score is in the range of 0 to 100. A score of 100 is considered a high potential threat. A score of -1 indicates that the verdict is UNINSPECTED because the file is allowlisted. Any score outside the range of -1 to 100 means that the verdict is UNKNOWN.

verdict
Optional

This property describes the behavior of the file at runtime. Meanings are described below:
BENIGN: This is a benign file with no malicious code.
TRUSTED: This is a TRUSTED file based on the behaviour of the file.
HIGHLY_TRUSTED: This is a file from a highly trusted source, for example a file published by Microsoft.
SUSPICIOUS: This file contains suspicious code and on execution can turn out to be malware.
MALICIOUS: This file is a malicious file containing malware or bad code that can harm the system.
UNKNOWN: Either this file's behavior is UNKNOWN at this point in time, or there is some error in the file analysis pipeline and the verdict could not be concluded.
UNINSPECTED: This file is marked as allowlisted and hence the verdict is UNINSPECTED.

Possible values are: BENIGN, TRUSTED, HIGHLY_TRUSTED, SUSPICIOUS, MALICIOUS, UNKNOWN, UNINSPECTED
string
error_message
Optional

Error message corresponding to this inspection event. This field will be populated only when there is some error in the inspection.

string
error_code
Optional

Error code corresponding to this inspection event. This field will be populated only when there is some error in the inspection.

boolean
is_blocked
Optional

This field conveys whether the file is blocked by the malware prevention service.

boolean
allow_listed
Optional

Specifies whether this file is present in the allow list. If true, the file is present in the allow list.

transport_node_type
Optional

Type of transport node by which the file is downloaded.

Possible values are: HOST, GATEWAY, INVALID
string
transport_node_id
Optional

ID of the transport node on which this file is detected. Transport nodes are hypervisor hosts or NSX Edges that participate in the NSX-T topology.

string
gateway_id
Optional

ID of the Tier0 or Tier1 gateway on which this file is detected. Tier0 and Tier1 gateways are logical routers of the NSX-T topology.
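
The field descriptions above imply relationships between threat_score, verdict, allow_listed and the error fields. The following is an added example, not part of the original reference or of the product's code, that checks ingested events for contradictions and flags detections that were not blocked. The sample events, the helper names, the triage policy and the link between the error fields and inspection_status ERROR are assumptions.

```python
import json

# Constructed sample events (not real telemetry); field names follow the schema above.
SAMPLE_EVENTS = json.loads("""[
  {"file_name": "a.exe", "inspection_status": "COMPLETED", "threat_score": 95,
   "verdict": "MALICIOUS", "is_blocked": false, "allow_listed": false},
  {"file_name": "b.dll", "inspection_status": "COMPLETED", "threat_score": -1,
   "verdict": "UNINSPECTED", "is_blocked": false, "allow_listed": true},
  {"file_name": "c.doc", "inspection_status": "COMPLETED", "threat_score": -1,
   "verdict": "BENIGN", "is_blocked": false, "allow_listed": false},
  {"file_name": "d.bin", "inspection_status": "ERROR", "threat_score": 250,
   "verdict": "UNKNOWN", "error_code": "E-EXAMPLE", "error_message": "constructed"},
  {"file_name": "e.js", "inspection_status": "COMPLETED", "threat_score": 40,
   "verdict": "SUSPICIOUS", "is_blocked": true, "error_message": "constructed"}
]""")

def check_event(ev):
    """Return a list of contradictions between fields of one event.
    Every field is Optional in the schema, so absent fields are skipped."""
    problems = []
    score, verdict = ev.get("threat_score"), ev.get("verdict")
    if score is not None and verdict is not None:
        if score == -1 and verdict != "UNINSPECTED":
            problems.append("score -1 but verdict is not UNINSPECTED")
        elif not -1 <= score <= 100 and verdict != "UNKNOWN":
            problems.append("score outside -1..100 but verdict is not UNKNOWN")
    if verdict == "UNINSPECTED" and ev.get("allow_listed") is False:
        problems.append("UNINSPECTED verdict but allow_listed is false")
    # Assumption: an inspection error is reported as inspection_status ERROR.
    has_error = bool(ev.get("error_message") or ev.get("error_code"))
    if has_error and ev.get("inspection_status") not in (None, "ERROR"):
        problems.append("error fields set but inspection_status is not ERROR")
    return problems

def needs_triage(ev):
    """Assumed local policy: flag SUSPICIOUS/MALICIOUS files that were not blocked."""
    return ev.get("verdict") in ("SUSPICIOUS", "MALICIOUS") and not ev.get("is_blocked")

def summarize(events):
    """Map file_name -> (problems, needs_triage) for a batch of events."""
    return {ev.get("file_name"): (check_event(ev), needs_triage(ev)) for ev in events}

if __name__ == "__main__":
    for name, (problems, triage) in summarize(SAMPLE_EVENTS).items():
        print(name, "TRIAGE" if triage else "-", problems)
```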