The Dynamic Report

This is the Go structure definition of the JSON report that Triage creates.

// Copyright (C) 2019 Hatching B.V.
// All rights reserved.

package triage

// TriageReport is the top-level dynamic-analysis report that Triage
// produces for one sample, as serialised to JSON.
//
// Every string in this tree (command lines, paths, URLs, DNS names, HTTP
// headers, ransom-note text, IOCs, extracted config values, ...) is derived
// from the submitted sample and from behaviour observed while it ran. Treat
// these values as untrusted input on the consuming side: escape them before
// rendering as HTML, never splice them into shell commands or SQL, and bound
// their size when storing or logging them.
//
// encoding/json emits object keys in field-declaration order, so the field
// order below is part of the wire format and must not be rearranged.
type TriageReport struct {
	// Sample describes the submitted file or URL. It is kept as an anonymous
	// struct so existing composite literals and reflection on the field type
	// keep working.
	Sample struct {
		ID        string   `json:"id"`
		Score     int      `json:"score,omitempty"`
		Submitted string   `json:"submitted,omitempty"`
		Completed string   `json:"completed,omitempty"`
		Target    string   `json:"target"`
		Type      string   `json:"type,omitempty"`
		Size      int64    `json:"size,omitempty"`
		SHA256    string   `json:"sha256,omitempty"`
		Filetype  string   `json:"filetype,omitempty"`
		Tags      []string `json:"tags,omitempty"`
		Family    string   `json:"family,omitempty"`
	} `json:"sample"`
	// Errors lists tasks that did not complete; absent when nothing failed.
	Errors []ReportTaskFailure `json:"errors,omitempty"`
	// Analysis carries backend/resource metadata. NOTE: omitempty has no
	// effect on a struct-typed field, so encoding/json always emits
	// "analysis" (as {} when every inner field is itself omitted).
	Analysis ReportAnalysisInfo `json:"analysis,omitempty"`
	// Processes is the observed process tree.
	Processes []Process `json:"processes,omitempty"`
	// Signatures, Tags, TTP and Network have no omitempty: a nil slice is
	// written as JSON null and an empty NetworkReport as {}.
	Signatures []Signature   `json:"signatures"`
	Tags       []string      `json:"tags"`
	TTP        []string      `json:"ttp"`
	Network    NetworkReport `json:"network"`
	// Debug is free-form backend data; when decoded with encoding/json the
	// values are map[string]interface{}, []interface{}, float64, string,
	// bool or nil.
	Debug map[string]interface{} `json:"debug,omitempty"`
	// Dumped lists memory/file dumps taken during the run; Extracted lists
	// the configurations and ransom notes recovered from them.
	Dumped    []Dump    `json:"dumped,omitempty"`
	Extracted []Extract `json:"extracted,omitempty"`
}

// ReportTaskFailure records one task that did not complete. Reason is always
// present; Task and Backend are omitted when unknown.
type ReportTaskFailure struct {
	Task    string `json:"task,omitempty"`
	Backend string `json:"backend,omitempty"`
	Reason  string `json:"reason"`
}

// ReportAnalysisInfo identifies the backend and resource that ran the
// analysis. MaxTimeNetwork and MaxTimeKernel are durations whose unit is not
// stated here — assumed seconds, confirm against the producer.
type ReportAnalysisInfo struct {
	Backend        string   `json:"backend,omitempty"`
	Resource       string   `json:"resource,omitempty"`
	ResourceTags   []string `json:"resource_tags,omitempty"`
	MaxTimeNetwork uint64   `json:"max_time_network,omitempty"`
	MaxTimeKernel  uint32   `json:"max_time_kernel,omitempty"`
}

// Process is one entry of the observed process tree. ProcID is a report-
// internal identifier distinct from the OS PID (which may be reused).
// Cmd is interface{} because the producer may emit either a single string or
// an argument list — confirm which before type-asserting. Started and
// Terminated are presumably offsets from analysis start; the unit is not
// stated here. Orig is a pointer so that "unset" is distinguishable from
// false.
type Process struct {
	ProcID     uint64      `json:"procid,omitempty"`
	PID        uint64      `json:"pid"`
	PPID       uint64      `json:"ppid"`
	Cmd        interface{} `json:"cmd"`
	Image      string      `json:"image,omitempty"`
	Orig       *bool       `json:"orig,omitempty"`
	Started    uint32      `json:"started"`
	Terminated uint32      `json:"terminated,omitempty"`
}

// Signature is one behavioural rule that matched, with its score, MITRE
// ATT&CK technique IDs (TTP), tags and the concrete indicators that fired.
// The JSON key for Description is "desc", not "description".
type Signature struct {
	Name        string      `json:"name"`
	Score       int         `json:"score,omitempty"`
	TTP         []string    `json:"ttp,omitempty"`
	Tags        []string    `json:"tags,omitempty"`
	Indicators  []Indicator `json:"indicators,omitempty"`
	Description string      `json:"desc,omitempty"`
	URL         string      `json:"url,omitempty"`
}

// NetworkReport groups the connection-level flows and the protocol-level
// requests seen during the run.
type NetworkReport struct {
	Flows    []NetworkFlow    `json:"flows,omitempty"`
	Requests []NetworkRequest `json:"requests,omitempty"`
}

// Dump describes a memory region or file captured during the run. Path and
// Name come from the guest and are attacker-influenced. Addr/Length only
// make sense for memory dumps; the Kind values are not enumerated here.
type Dump struct {
	At     uint32 `json:"at"`
	PID    uint64 `json:"pid,omitempty"`
	ProcID uint64 `json:"procid,omitempty"`
	Path   string `json:"path,omitempty"`
	Name   string `json:"name,omitempty"`
	Kind   string `json:"kind,omitempty"`
	Addr   uint64 `json:"addr,omitempty"`
	Length uint64 `json:"length,omitempty"`
}

// Extract is the result of post-processing one dump: either a malware
// configuration or a ransom note, each nil when not applicable.
type Extract struct {
	DumpedFile string  `json:"dumped_file,omitempty"`
	Config     *Config `json:"config,omitempty"`
	Path       string  `json:"path,omitempty"`
	RansomNote *Ransom `json:"ransom_note,omitempty"`
}

// Indicator is one concrete observation backing a Signature. The source and
// target PID/ProcID pairs identify the acting and affected processes; Flow
// presumably references NetworkFlow.ID when the indicator is network-based.
// Note the asymmetric JSON keys: "pid"/"procid" for the source and
// "pid_target"/"procid_target" for the target.
type Indicator struct {
	IOC          string `json:"ioc,omitempty"`
	Description  string `json:"description,omitempty"`
	At           uint32 `json:"at,omitempty"`
	SourcePID    uint64 `json:"pid,omitempty"`
	SourceProcID uint64 `json:"procid,omitempty"`
	TargetPID    uint64 `json:"pid_target,omitempty"`
	TargetProcID uint64 `json:"procid_target,omitempty"`
	Flow         int    `json:"flow,omitempty"`
}

// NetworkFlow is one connection-level record with byte/packet counters in
// each direction, the initiating process, and TLS (JA3, SNI) plus
// GeoIP/ASN enrichment when available. Domain and SNI are sample-chosen
// values and should not be trusted as-is.
type NetworkFlow struct {
	ID        int    `json:"id,omitempty"`
	Source    string `json:"src,omitempty"`
	Dest      string `json:"dst,omitempty"`
	Proto     string `json:"proto,omitempty"`
	PID       uint64 `json:"pid,omitempty"`
	ProcID    uint64 `json:"procid,omitempty"`
	FirstSeen uint64 `json:"first_seen,omitempty"`
	LastSeen  uint64 `json:"last_seen,omitempty"`
	RxBytes   uint64 `json:"rx_bytes,omitempty"`
	RxPackets uint64 `json:"rx_packets,omitempty"`
	TxBytes   uint64 `json:"tx_bytes,omitempty"`
	TxPackets uint64 `json:"tx_packets,omitempty"`
	Domain    string `json:"domain,omitempty"`
	JA3       string `json:"tls_ja3,omitempty"`
	SNI       string `json:"tls_sni,omitempty"`
	Country   string `json:"country,omitempty"`
	AS        string `json:"as_num,omitempty"`
	Org       string `json:"as_org,omitempty"`
}

// NetworkRequest is one protocol-level event tied to a flow. Exactly one of
// the four payload pointers is expected to be non-nil per request — the
// producer does not enforce this in the type, so consumers should check.
type NetworkRequest struct {
	Flow       int                    `json:"flow,omitempty"`
	At         uint32                 `json:"at,omitempty"`
	DomainReq  *NetworkDomainRequest  `json:"dns_request,omitempty"`
	DomainResp *NetworkDomainResponse `json:"dns_response,omitempty"`
	WebReq     *NetworkWebRequest     `json:"http_request,omitempty"`
	WebResp    *NetworkWebResponse    `json:"http_response,omitempty"`
}

// Config is a malware configuration recovered from a dump. Family and Rule
// are always present. C2 holds attacker infrastructure as reported by the
// sample — useful for blocking/detection, but handle as hostile data.
// Attributes is family-specific and untyped; encoding/json decodes it to
// map[string]interface{}, []interface{} or a scalar.
type Config struct {
	Family     string      `json:"family"`
	Rule       string      `json:"rule"`
	C2         []string    `json:"c2,omitempty"`
	Version    string      `json:"version,omitempty"`
	Botnet     string      `json:"botnet,omitempty"`
	Campaign   string      `json:"campaign,omitempty"`
	Keys       []Key       `json:"keys,omitempty"`
	Webinject  []string    `json:"webinject,omitempty"`
	Attributes interface{} `json:"attr,omitempty"`
}

// Ransom is a ransom note recovered from a dump together with the contact
// details it advertises. Note is the raw note text and is always emitted,
// even when empty; it may contain arbitrary markup and control characters.
type Ransom struct {
	Family  string   `json:"family"`
	Emails  []string `json:"emails,omitempty"`
	Wallets []string `json:"wallets,omitempty"`
	URLs    []string `json:"urls,omitempty"`
	Note    string   `json:"note"`
}

// NetworkDomainRequest lists the names queried in one DNS request.
type NetworkDomainRequest struct {
	Domains []string `json:"domains,omitempty"`
}

// NetworkDomainResponse lists the names and resolved addresses of one DNS
// response.
type NetworkDomainResponse struct {
	Domains []string `json:"domains,omitempty"`
	IP      []string `json:"ip,omitempty"`
}

// NetworkWebRequest is one HTTP request; Headers are raw "Name: value"
// lines as sent by the sample (format assumed — confirm with the producer).
type NetworkWebRequest struct {
	Method  string   `json:"method,omitempty"`
	URL     string   `json:"url"`
	Headers []string `json:"headers,omitempty"`
}

// NetworkWebResponse is one HTTP response. Status is a string rather than an
// integer code, so compare textually.
type NetworkWebResponse struct {
	Status  string   `json:"status"`
	Headers []string `json:"headers,omitempty"`
}

// Key is one cryptographic key or secret found in a Config. Kind and Key are
// always emitted; Value is untyped and is always emitted, as null when unset.
type Key struct {
	Kind  string      `json:"kind"`
	Key   string      `json:"key"`
	Value interface{} `json:"value"`
}