dxltieclient.constants module

class dxltieclient.constants.AtdAttrib

Bases: object

Attributes associated with file reputations returned by the Advanced Threat Defense (ATD) reputation provider.

Name Numeric Description
GAM_SCORE 4194962

The trust score reported by the Gateway Anti-Malware (GAM)

See the AtdTrustLevel constants class for the list of ATD trust levels

AV_ENGINE_SCORE 4195218

The trust score reported by the Anti-Virus engine

See the AtdTrustLevel constants class for the list of ATD trust levels

SANDBOX_SCORE 4195474

The trust score as a result of the sandbox evaluation

See the AtdTrustLevel constants class for the list of ATD trust levels

VERDICT 4195730

The overall verdict (taking into consideration all available information)

See the AtdTrustLevel constants class for the list of ATD trust levels

BEHAVIORS 4197784 An encoded structure that contains observed behaviors of the file.
AV_ENGINE_SCORE = '4195218'
BEHAVIORS = '4197784'
GAM_SCORE = '4194962'
SANDBOX_SCORE = '4195474'
VERDICT = '4195730'
class dxltieclient.constants.AtdTrustLevel

Bases: object

Constants that are used to indicate the trust level of a file or certificate as returned by the Advanced Threat Defense (ATD) reputation provider. These values appear in the ATD reputation's attributes (see AtdAttrib), not in its TRUST_LEVEL property, and the scale runs in the opposite direction to TrustLevel: lower is more trusted, KNOWN_TRUSTED is -1, KNOWN_MALICIOUS is 5, and the NOT_SET sentinel is -2 rather than 0. Never compare a value from this scale directly against a TrustLevel constant.

Trust Level Numeric Description
KNOWN_TRUSTED -1 It is a trusted file or certificate.
MOST_LIKELY_TRUSTED 0 It is almost certain that the file or certificate is trusted.
MIGHT_BE_TRUSTED 1 It seems to be a benign file or certificate.
UNKNOWN 2 The reputation provider has encountered the file or certificate before but the provider can't determine its reputation at the moment.
MIGHT_BE_MALICIOUS 3 It seems to be a suspicious file or certificate.
MOST_LIKELY_MALICIOUS 4 It is almost certain that the file or certificate is malicious.
KNOWN_MALICIOUS 5 It is a malicious file or certificate.
NOT_SET -2 The file or certificate's reputation hasn't been determined yet.
KNOWN_MALICIOUS = 5
KNOWN_TRUSTED = -1
MIGHT_BE_MALICIOUS = 3
MIGHT_BE_TRUSTED = 1
MOST_LIKELY_MALICIOUS = 4
MOST_LIKELY_TRUSTED = 0
NOT_SET = -2
UNKNOWN = 2
class dxltieclient.constants.CertEnterpriseAttrib

Bases: dxltieclient.constants.EnterpriseAttrib

Attributes associated with certificate reputations returned by the Enterprise reputation provider.

This class extends the attributes defined in the EnterpriseAttrib class.

Name Numeric Description
FIRST_CONTACT 2109589

The time the certificate was first seen (Epoch time)

See the EpochMixin class for helper methods used to parse the Epoch time.

PREVALENCE 2109333 The count of unique systems that have executed a file that is associated with the certificate (via signing)
HAS_FILE_OVERRIDES 2122901 Whether one or more files associated with the certificate is overriding its reputation
IS_PREVALENT 2125972 Whether the certificate is considered to be prevalent within the enterprise
FIRST_CONTACT = '2109589'
HAS_FILE_OVERRIDES = '2122901'
IS_PREVALENT = '2125972'
PREVALENCE = '2109333'
class dxltieclient.constants.CertGtiAttrib

Bases: dxltieclient.constants.GtiAttrib

Attributes associated with certificate reputations returned by the Global Threat Intelligence (GTI) reputation provider.

This class extends the attributes defined in the GtiAttrib class.

Name Numeric Description
FIRST_CONTACT 2109077

The time the certificate was first seen (Epoch time)

See the EpochMixin class for helper methods used to parse the Epoch time.

PREVALENCE 2108821 The number of times the certificate has been requested.
REVOKED 2117524 Whether the certificate has been revoked
FIRST_CONTACT = '2109077'
PREVALENCE = '2108821'
REVOKED = '2117524'
class dxltieclient.constants.CertProvider

Bases: object

Constants that are used to indicate the provider of a particular certificate reputation.

Provider Numeric Description
GTI 2 Global Threat Intelligence (GTI)
ENTERPRISE 4 Enterprise reputation (specific to the local enterprise)
ENTERPRISE = 4
GTI = 2
class dxltieclient.constants.CertRepChangeEventProp

Bases: dxltieclient.constants.RepChangeEventProp

The standard set of properties that are included with a certificate reputation change event.

This class extends the properties defined in the RepChangeEventProp class.

Name Description
PUBLIC_KEY_SHA1 The SHA-1 of the certificate's public key
PUBLIC_KEY_SHA1 = 'publicKeySha1'
class dxltieclient.constants.CertReputationOverriddenProp

Bases: object

The set of properties associated with the OVERRIDDEN property of a certificate reputation (see CertReputationProp).

Name Description
FILES The list of files that currently override the certificate's reputation, each identified by its "hashes".
TRUNCATED Whether the list of files has been truncated (indicated by a 1).
FILES = 'files'
TRUNCATED = 'truncated'
class dxltieclient.constants.CertReputationProp

Bases: dxltieclient.constants.ReputationProp

The standard set of properties that are included with each certificate reputation.

This class extends the properties defined in the ReputationProp class.

Name Description
OVERRIDDEN

Includes the list of files that are currently overriding the reputation of this certificate.

The value associated with this property is a dict (dictionary) containing the properties listed in the CertReputationOverriddenProp constants class.

OVERRIDDEN = 'overridden'
class dxltieclient.constants.DetectionEventProp

Bases: object

The standard set of properties that are included with a detection event.

See the dxltieclient.callbacks.DetectionCallback class for more information about detection events.

Name Description
SYSTEM_GUID The GUID of the system that the detection occurred on.
HASHES A dict (dictionary) of hashes that identify the file that triggered the detection. The key in the dictionary is the hash type and the value is the hex representation of the hash value. See the HashType class for the list of hash type constants.
DETECTION_TIME

The time the detection occurred (Epoch time).

See the EpochMixin class for helper methods used to parse the Epoch time.

LOCAL_REPUTATION

The local reputation determined for the file that triggered the detection.

See the TrustLevel constants class for the standard set of trust levels.

NAME The name of the file that triggered the detection.
REMEDIATION_ACTION A numeric value indicating the type of remediation that occurred in response to the detection.
DETECTION_TIME = 'detectionTime'
HASHES = 'hashes'
LOCAL_REPUTATION = 'localReputation'
NAME = 'name'
REMEDIATION_ACTION = 'remediationAction'
SYSTEM_GUID = 'agentGuid'
class dxltieclient.constants.EnterpriseAttrib

Bases: dxltieclient.constants.EpochMixin

Attributes associated with reputations (for files and certificates) returned by the Enterprise reputation provider.

Name Numeric Description
SERVER_VERSION 2139285

The version of the TIE server that returned the reputations (encoded version string)

See the to_version_tuple() and to_version_string() helper methods used to parse the encoded version string.

SERVER_VERSION = '2139285'
static to_version_string(version_attrib)

Returns a version string corresponding to the specified encoded version string

For example: 1.4.0.190

Example Usage

ent_rep = reputations_dict[FileProvider.ENTERPRISE]
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
version_string = EnterpriseAttrib.to_version_string(
    ent_rep_attribs[EnterpriseAttrib.SERVER_VERSION])
Parameters:version_attrib -- The encoded version string
Returns:A version string corresponding to the specified encoded version string
static to_version_tuple(version_attrib)

Returns a tuple of version values corresponding to the specified encoded version string

For example: (1, 4, 0, 190) (on Python 2 the values are longs and display as (1L, 4L, 0L, 190L))

Example Usage

ent_rep = reputations_dict[FileProvider.ENTERPRISE]
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
version_tuple = EnterpriseAttrib.to_version_tuple(
    ent_rep_attribs[EnterpriseAttrib.SERVER_VERSION])

Result

This method will return a tuple containing the server version values in the following order:

  • The major version
  • The minor version
  • The patch version
  • The build version
Parameters:version_attrib -- The encoded version string
Returns:A tuple corresponding to the specified encoded version string
class dxltieclient.constants.EpochMixin

Bases: object

Mixin (helper) class that provides utility methods for parsing properties/attributes that contain Epoch times.

static to_localtime(epoch_time)

Converts the specified Epoch time to local time.

Example Usage

ent_rep = reputations_dict[FileProvider.ENTERPRISE]
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
local_time = FileEnterpriseAttrib.to_localtime(
    ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT])
Parameters:epoch_time -- Time as an Epoch time
Returns:Time in local time
static to_localtime_string(epoch_time, format='%Y-%m-%d %H:%M:%S')

Converts the specified Epoch time to a local time string.

Example Usage

ent_rep = reputations_dict[FileProvider.ENTERPRISE]
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
local_time_string = FileEnterpriseAttrib.to_localtime_string(
    ent_rep_attribs[FileEnterpriseAttrib.FIRST_CONTACT])
Parameters:
  • epoch_time -- Time as an Epoch time
  • format -- The format to use to convert time to a string (optional)
Returns:

Time as a local time string

class dxltieclient.constants.FileEnterpriseAttrib

Bases: dxltieclient.constants.EnterpriseAttrib

Attributes associated with file reputations returned by the Enterprise reputation provider.

This class extends the attributes defined in the EnterpriseAttrib class.

Name Numeric Description
FIRST_CONTACT 2102165

The time the file was first seen (Epoch time)

See the EpochMixin class for helper methods used to parse the Epoch time.

PREVALENCE 2101652 The count of unique systems that have executed the file
ENTERPRISE_SIZE 2111893 The count of systems within the local enterprise
MIN_LOCAL_REP 2112148 The lowest reputation found locally on a system
MAX_LOCAL_REP 2112404 The highest reputation found locally on a system
AVG_LOCAL_REP 2112660 The average reputation found locally on systems
PARENT_MIN_LOCAL_REP 2112916 The lowest reputation for the parent found locally on a system
PARENT_MAX_LOCAL_REP 2113172 The highest reputation for the parent found locally on a system
PARENT_AVG_LOCAL_REP 2113428 The average reputation for the parent found locally on systems
FILE_NAME_COUNT 2114965 The count of unique file names for the file
DETECTION_COUNT 2113685 The count of detections for the file
LAST_DETECTION_TIME 2113942

The last time a detection occurred (Epoch time)

See the EpochMixin class for helper methods used to parse the Epoch time.

IS_PREVALENT 2123156 Whether the file is considered to be prevalent within the enterprise
CHILD_FILE_REPS 2138520

The child file reputations (aggregate string)

Use the to_aggregate_tuple() helper function to parse this attribute

PARENT_FILE_REPS 2138264

The parent file reputations (aggregate string)

Use the to_aggregate_tuple() helper function to parse this attribute

AVG_LOCAL_REP = '2112660'
CHILD_FILE_REPS = '2138520'
DETECTION_COUNT = '2113685'
ENTERPRISE_SIZE = '2111893'
FILE_NAME_COUNT = '2114965'
FIRST_CONTACT = '2102165'
IS_PREVALENT = '2123156'
LAST_DETECTION_TIME = '2113942'
MAX_LOCAL_REP = '2112404'
MIN_LOCAL_REP = '2112148'
PARENT_AVG_LOCAL_REP = '2113428'
PARENT_FILE_REPS = '2138264'
PARENT_MAX_LOCAL_REP = '2113172'
PARENT_MIN_LOCAL_REP = '2112916'
PREVALENCE = '2101652'
static to_aggregate_tuple(aggregate_attrib)

Returns a tuple containing the values from the specified aggregate string.

For example: (2, 100, 50, 100, 75.0)

Example Usage

ent_rep = reputations_dict[FileProvider.ENTERPRISE]
ent_rep_attribs = ent_rep[ReputationProp.ATTRIBUTES]
aggregate_tuple = FileEnterpriseAttrib.to_aggregate_tuple(
    ent_rep_attribs[FileEnterpriseAttrib.CHILD_FILE_REPS])

Result

This method will return a tuple containing the values that were in the aggregate string in the following order:

  • The count of files
  • The maximum trust level found across the files
  • The minimum trust level found across the files
  • The trust level for the last file
  • The average trust level across the files
Parameters:aggregate_attrib -- The aggregate string
Returns:A tuple containing the values in the specified aggregate string
class dxltieclient.constants.FileGtiAttrib

Bases: dxltieclient.constants.GtiAttrib

Attributes associated with file reputations returned by the Global Threat Intelligence (GTI) reputation provider.

This class extends the attributes defined in the GtiAttrib class.

Name Numeric Description
FIRST_CONTACT 2101908

The time the file was first seen (Epoch time)

See the EpochMixin class for helper methods used to parse the Epoch time.

PREVALENCE 2102421 The number of times the file has been requested.
FIRST_CONTACT = '2101908'
PREVALENCE = '2102421'
class dxltieclient.constants.FileProvider

Bases: object

Constants that are used to indicate the provider of a particular file reputation.

Provider Numeric Description
GTI 1 Global Threat Intelligence (GTI)
ENTERPRISE 3 Enterprise reputation (specific to the local enterprise)
ATD 5 McAfee Advanced Threat Defense (ATD)
MWG 7 McAfee Web Gateway (MWG)
EXTERNAL 15 External reputation provider
ATD = 5
ENTERPRISE = 3
EXTERNAL = 15
GTI = 1
MWG = 7
class dxltieclient.constants.FileRepChangeEventProp

Bases: dxltieclient.constants.RepChangeEventProp

The standard set of properties that are included with a file reputation change event.

This class extends the properties defined in the RepChangeEventProp class.

Name Description
RELATIONSHIPS Contains information regarding the certificate associated with this file (if such a relationship exists).
RELATIONSHIPS = 'relationships'
class dxltieclient.constants.FileReputationProp

Bases: dxltieclient.constants.ReputationProp

The standard set of properties that are included with each file reputation.

This class extends the properties defined in the ReputationProp class.

class dxltieclient.constants.FileType

Bases: object

Constants that are used to indicate the type of a file. The values are bit flags that can be combined with bitwise OR; several of the constants are themselves composites of others (for example PEEXE = PE | EXE, DLL = DLLNONPE | PE, SCRIPT = JS | VBS, HTMLTEXT = HTML | TEXT), so test a value with "value & flag == flag" rather than by equality.

APK = 1073741824
BAT = 143360
BOOT = 8
CAB = 67141632
CLASS = 2147483648
COM = 1
DLL = 144
DLLNONPE = 128
DRV = 4
ELF = 2048
EXE = 2
HTA = 524288
HTML = 262144
HTMLTEXT = 393216
JAR = 4328554496
JS = 4096
MACHO = 536870912
MMEDIA = 4194304
MZSTUB = 512
NLM = 1024
NONE = 0
OLE = 16384
OOXML = 167772160
OOXMLPK = 301989888
PDF = 2097152
PE = 16
PEEXE = 18
PIC = 65536
RAR = 134250496
RARNOARC = 134217728
RTF = 1048576
SCRIPT = 12288
SYS = 16777232
TEXT = 131072
URL = 8388608
VBS = 8192
VXD = 64
WIN = 272
ZIP = 33587200
class dxltieclient.constants.FirstInstanceEventProp

Bases: object

The standard set of properties that are included with a first instance event.

See the dxltieclient.callbacks.FirstInstanceCallback class for more information about first instance events.

Name Description
SYSTEM_GUID The GUID of the system where the first instance of the file was found.
HASHES A dict (dictionary) of hashes that identify the file. The key in the dictionary is the hash type and the value is the hex representation of the hash value. See the HashType class for the list of hash type constants.
NAME The name of the file.
HASHES = 'hashes'
NAME = 'name'
SYSTEM_GUID = 'agentGuid'
class dxltieclient.constants.FirstRefProp

Bases: dxltieclient.constants.EpochMixin

The properties that are available in a dict (dictionary) for each system that has referenced a file or certificate.

For more information, see the "first reference" methods:

For files:
dxltieclient.client.TieClient.get_file_first_references()
For certificates:
dxltieclient.client.TieClient.get_certificate_first_references()
Name Description
DATE

The time the system first referenced the file or certificate (Epoch time)

See the EpochMixin class for helper methods used to parse the Epoch time.

SYSTEM_GUID The GUID of the system that referenced the file or certificate
DATE = 'date'
SYSTEM_GUID = 'agentGuid'
class dxltieclient.constants.GtiAttrib

Bases: object

Attributes associated with reputations (for files and certificates) returned by the Global Threat Intelligence (GTI) reputation provider.

Name Numeric Description
ORIGINAL_RESPONSE 2120340 The raw response as returned by the Global Threat Intelligence (GTI) reputation provider
ORIGINAL_RESPONSE = '2120340'
class dxltieclient.constants.HashType

Bases: object

Constants that are used to indicate hash type. MD5 and SHA-1 are no longer collision resistant, so when a hashes dict carries several types, match and deduplicate on SHA256 and treat an MD5 or SHA-1 value on its own as a weaker identifier.

Type Description
MD5 The MD5 algorithm (128-bit)
SHA1 The Secure Hash Algorithm 1 (SHA-1) (160-bit)
SHA256 The Secure Hash Algorithm 2, 256 bit digest (SHA-256)
MD5 = 'md5'
SHA1 = 'sha1'
SHA256 = 'sha256'
class dxltieclient.constants.RepChangeEventProp

Bases: object

The standard set of properties that are included with a reputation change event.

See the dxltieclient.callbacks.ReputationChangeCallback class for more information about reputation change events.

Name Description
HASHES A dict (dictionary) of hashes that identify the file or certificate whose reputation has changed. The key in the dictionary is the hash type and the value is the hex representation of the hash value. See the HashType class for the list of hash type constants.
NEW_REPUTATIONS The new reputations for the file or certificate whose reputation has changed, as a Python dict (dictionary).
OLD_REPUTATIONS The previous reputations for the file or certificate whose reputation has changed, as a Python dict (dictionary).
UPDATE_TIME

The time the reputation change occurred (Epoch time).

See the EpochMixin class for helper methods used to parse the Epoch time.

HASHES = 'hashes'
NEW_REPUTATIONS = 'newReputations'
OLD_REPUTATIONS = 'oldReputations'
UPDATE_TIME = 'updateTime'
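A reputation change event carries both the previous and the new reputations, so a consumer can decide whether the change is worth acting on rather than alerting on every update. The following is an added example, not code from dxltieclient, that diffs OLD_REPUTATIONS against NEW_REPUTATIONS per provider and flags the event when some provider has newly rated the file at or below MIGHT_BE_MALICIOUS. Property names and trust-level values are copied from this page; that the two reputation dicts are keyed by integer provider id (matching the FileProvider constants), and the sample event itself, are constructed assumptions.

```python
# Added example (not part of dxltieclient): deciding whether a reputation change
# event deserves an alert.  Keys follow RepChangeEventProp / ReputationProp on
# this page; that OLD_REPUTATIONS and NEW_REPUTATIONS are keyed by integer
# provider id is an assumption.  Constant values are copied from the page.
import hashlib


class TrustLevel(object):
    # Only the levels this example compares against (full table is on the page).
    MIGHT_BE_MALICIOUS = 30
    NOT_SET = 0


class RepChangeEventProp(object):
    HASHES = "hashes"
    NEW_REPUTATIONS = "newReputations"
    OLD_REPUTATIONS = "oldReputations"
    UPDATE_TIME = "updateTime"


class HashType(object):
    MD5 = "md5"
    SHA1 = "sha1"
    SHA256 = "sha256"


TRUST_LEVEL_KEY = "trustLevel"  # ReputationProp.TRUST_LEVEL

# MD5 and SHA-1 have practical collisions: key any downstream lookup on SHA-256.
HASH_PREFERENCE = (HashType.SHA256, HashType.SHA1, HashType.MD5)


def strongest_hash(hashes):
    """Return (hash_type, hex_digest) for the strongest hash the event carries."""
    for hash_type in HASH_PREFERENCE:
        if hash_type in hashes:
            return hash_type, hashes[hash_type]
    raise ValueError("event carries none of md5/sha1/sha256")


def _level(reputations, provider_id):
    rep = reputations.get(provider_id)
    return rep[TRUST_LEVEL_KEY] if rep else TrustLevel.NOT_SET


def diff_reputations(event):
    """(provider_id, old_level, new_level, kind) for every provider whose trust
    level changed.  A provider missing on one side counts as NOT_SET there."""
    old = event.get(RepChangeEventProp.OLD_REPUTATIONS, {})
    new = event.get(RepChangeEventProp.NEW_REPUTATIONS, {})
    changes = []
    for provider_id in sorted(set(old) | set(new)):
        before, after = _level(old, provider_id), _level(new, provider_id)
        if before == after:
            continue
        if before == TrustLevel.NOT_SET:
            kind = "first_verdict"
        elif after == TrustLevel.NOT_SET:
            kind = "cleared"
        elif after < before:
            kind = "worsened"
        else:
            kind = "improved"
        changes.append((provider_id, before, after, kind))
    return changes


def needs_alert(event):
    """True when some provider now rates the file at or below MIGHT_BE_MALICIOUS
    and did not before (either NOT_SET or above that threshold).  A level that
    merely moves between two already-bad values does not re-alert."""
    for _provider, before, after, _kind in diff_reputations(event):
        newly_bad = (after != TrustLevel.NOT_SET
                     and after <= TrustLevel.MIGHT_BE_MALICIOUS
                     and (before == TrustLevel.NOT_SET
                          or before > TrustLevel.MIGHT_BE_MALICIOUS))
        if newly_bad:
            return True
    return False


# Constructed sample event: GTI drops from UNKNOWN (50) to MOST_LIKELY_MALICIOUS
# (15), Enterprise stays at MIGHT_BE_TRUSTED (70), ATD (5) reports for the
# first time with KNOWN_MALICIOUS (1).  Hashes are of a constructed byte string.
_SAMPLE_CONTENT = b"constructed sample content, not a real file"
SAMPLE_EVENT = {
    RepChangeEventProp.HASHES: {
        HashType.MD5: hashlib.md5(_SAMPLE_CONTENT).hexdigest(),
        HashType.SHA1: hashlib.sha1(_SAMPLE_CONTENT).hexdigest(),
        HashType.SHA256: hashlib.sha256(_SAMPLE_CONTENT).hexdigest(),
    },
    RepChangeEventProp.OLD_REPUTATIONS: {
        1: {"providerId": 1, "trustLevel": 50, "createDate": 1480455704, "attributes": {}},
        3: {"providerId": 3, "trustLevel": 70, "createDate": 1480455704, "attributes": {}},
    },
    RepChangeEventProp.NEW_REPUTATIONS: {
        1: {"providerId": 1, "trustLevel": 15, "createDate": 1480455800, "attributes": {}},
        3: {"providerId": 3, "trustLevel": 70, "createDate": 1480455704, "attributes": {}},
        5: {"providerId": 5, "trustLevel": 1, "createDate": 1480455800, "attributes": {}},
    },
    RepChangeEventProp.UPDATE_TIME: 1480455800,
}

if __name__ == "__main__":
    print(strongest_hash(SAMPLE_EVENT[RepChangeEventProp.HASHES]))
    print(diff_reputations(SAMPLE_EVENT), needs_alert(SAMPLE_EVENT))
```

In a real ReputationChangeCallback the event dict would be the one handed to the callback; the point of the threshold logic is that a provider moving from MOST_LIKELY_MALICIOUS to KNOWN_MALICIOUS is not a new finding, while UNKNOWN to MOST_LIKELY_MALICIOUS is.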
class dxltieclient.constants.ReputationProp

Bases: object

The standard set of properties that are included with each reputation.

Name Description
PROVIDER_ID

The identifier of the particular provider that provided the reputation.

See the FileProvider constants class for the list of file reputation providers.

See the CertProvider constants class for the list of certificate reputation providers.

TRUST_LEVEL

The trust level for the reputation subject (file, certificate, etc.)

See the TrustLevel constants class for the standard set of trust levels.

CREATE_DATE

The time this reputation was created (Epoch time)

See the EpochMixin class for helper methods used to parse the Epoch time.

ATTRIBUTES

A provider-specific set of attributes associated with the reputation as a Python dict (dictionary)

FileEnterpriseAttrib
Attributes associated with the Enterprise reputation provider for files
FileGtiAttrib
Attributes associated with the Global Threat Intelligence (GTI) reputation provider for files
AtdAttrib
Attributes associated with the Advanced Threat Defense (ATD) reputation provider
CertEnterpriseAttrib
Attributes associated with the Enterprise reputation provider for certificates
CertGtiAttrib
Attributes associated with the Global Threat Intelligence (GTI) reputation provider for certificates
ATTRIBUTES = 'attributes'
CREATE_DATE = 'createDate'
PROVIDER_ID = 'providerId'
TRUST_LEVEL = 'trustLevel'
class dxltieclient.constants.TrustLevel

Bases: object

Constants that are used to indicate the trust level of a file or certificate. The numeric values are ordered so that a higher value means more trusted, with one exception: NOT_SET (0) is a sentinel that sits numerically below KNOWN_MALICIOUS (1), so exclude it before taking a minimum or comparing levels across providers.

Trust Level Numeric Description
KNOWN_TRUSTED_INSTALLER 100 It is a trusted installer.
KNOWN_TRUSTED 99 It is a trusted file or certificate.
MOST_LIKELY_TRUSTED 85 It is almost certain that the file or certificate is trusted.
MIGHT_BE_TRUSTED 70 It seems to be a benign file or certificate.
UNKNOWN 50 The reputation provider has encountered the file or certificate before but the provider can't determine its reputation at the moment.
MIGHT_BE_MALICIOUS 30 It seems to be a suspicious file or certificate.
MOST_LIKELY_MALICIOUS 15 It is almost certain that the file or certificate is malicious.
KNOWN_MALICIOUS 1 It is a malicious file or certificate.
NOT_SET 0 The file or certificate's reputation hasn't been determined yet.
KNOWN_MALICIOUS = 1
KNOWN_TRUSTED = 99
KNOWN_TRUSTED_INSTALLER = 100
MIGHT_BE_MALICIOUS = 30
MIGHT_BE_TRUSTED = 70
MOST_LIKELY_MALICIOUS = 15
MOST_LIKELY_TRUSTED = 85
NOT_SET = 0
UNKNOWN = 50
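The ReputationProp and TrustLevel tables above, together with AtdAttrib and AtdTrustLevel earlier on the page, describe how a reputations dict is laid out and how to read the two different trust-level scales. The following is an added example, not code from dxltieclient, that turns a file's reputations dict into a per-provider summary, computes the worst trust level without letting the NOT_SET sentinel masquerade as "worse than known malicious", and decodes the ATD provider's per-engine scores on the AtdTrustLevel scale. Constant values are copied from the page's tables; that the dict is keyed by integer provider id, that attribute values arrive as strings, and the sample data are assumptions.

```python
# Added example (not part of dxltieclient): reading a file's reputations dict.
# Layout follows ReputationProp on this page: the dict is keyed by provider id
# and each value carries providerId / trustLevel / createDate / attributes.
# Constant values are copied from the page; attribute values arriving as
# strings is an assumption.


class FileProvider(object):
    GTI = 1
    ENTERPRISE = 3
    ATD = 5
    MWG = 7
    EXTERNAL = 15


class TrustLevel(object):
    KNOWN_TRUSTED_INSTALLER = 100
    KNOWN_TRUSTED = 99
    MOST_LIKELY_TRUSTED = 85
    MIGHT_BE_TRUSTED = 70
    UNKNOWN = 50
    MIGHT_BE_MALICIOUS = 30
    MOST_LIKELY_MALICIOUS = 15
    KNOWN_MALICIOUS = 1
    NOT_SET = 0


class AtdTrustLevel(object):
    # Opposite direction to TrustLevel: lower is more trusted.
    NOT_SET = -2
    KNOWN_TRUSTED = -1
    MOST_LIKELY_TRUSTED = 0
    MIGHT_BE_TRUSTED = 1
    UNKNOWN = 2
    MIGHT_BE_MALICIOUS = 3
    MOST_LIKELY_MALICIOUS = 4
    KNOWN_MALICIOUS = 5


class ReputationProp(object):
    PROVIDER_ID = "providerId"
    TRUST_LEVEL = "trustLevel"
    CREATE_DATE = "createDate"
    ATTRIBUTES = "attributes"


# AtdAttrib ids -> label.  Their values use the AtdTrustLevel scale.
ATD_SCORE_ATTRIBS = {
    "4194962": "gam_score",
    "4195218": "av_engine_score",
    "4195474": "sandbox_score",
    "4195730": "verdict",
}


def _value_to_name(constants_class):
    """Reverse map value -> NAME for one of the constants classes above."""
    return {v: k for k, v in vars(constants_class).items() if k.isupper()}


TRUST_LEVEL_NAMES = _value_to_name(TrustLevel)
ATD_LEVEL_NAMES = _value_to_name(AtdTrustLevel)
PROVIDER_NAMES = _value_to_name(FileProvider)


def worst_trust_level(reputations):
    """Lowest trust level among providers that have actually set one.
    NOT_SET (0) sits numerically below KNOWN_MALICIOUS (1), so a bare min()
    over all providers would report "undetermined" as worse than known malware."""
    levels = [rep[ReputationProp.TRUST_LEVEL] for rep in reputations.values()
              if rep[ReputationProp.TRUST_LEVEL] != TrustLevel.NOT_SET]
    return min(levels) if levels else TrustLevel.NOT_SET


def atd_scores(rep):
    """Decode the ATD provider's per-engine scores (AtdTrustLevel names)."""
    attribs = rep.get(ReputationProp.ATTRIBUTES, {})
    return {label: ATD_LEVEL_NAMES.get(int(attribs[attrib_id]), "UNRECOGNISED")
            for attrib_id, label in ATD_SCORE_ATTRIBS.items() if attrib_id in attribs}


def summarize_reputations(reputations):
    """Per-provider trust-level names, the overall worst level, and ATD scores."""
    by_provider = {}
    for provider_id, rep in reputations.items():
        provider = PROVIDER_NAMES.get(provider_id, "PROVIDER_%s" % provider_id)
        level = rep[ReputationProp.TRUST_LEVEL]
        by_provider[provider] = TRUST_LEVEL_NAMES.get(level, "UNRECOGNISED_%s" % level)
    worst = worst_trust_level(reputations)
    summary = {
        "by_provider": by_provider,
        "worst": TRUST_LEVEL_NAMES.get(worst, "UNRECOGNISED_%s" % worst),
    }
    if FileProvider.ATD in reputations:
        summary["atd"] = atd_scores(reputations[FileProvider.ATD])
    return summary


# Constructed sample: GTI has no opinion, Enterprise has not set a level yet,
# ATD's sandbox run pushed its overall trust level to MOST_LIKELY_MALICIOUS.
SAMPLE_REPUTATIONS = {
    FileProvider.GTI: {"providerId": 1, "trustLevel": 50, "createDate": 1480455704,
                       "attributes": {}},
    FileProvider.ENTERPRISE: {"providerId": 3, "trustLevel": 0, "createDate": 1480455704,
                              "attributes": {}},
    FileProvider.ATD: {"providerId": 5, "trustLevel": 15, "createDate": 1480455704,
                       "attributes": {"4194962": "2", "4195218": "3",
                                      "4195474": "4", "4195730": "4"}},
}

if __name__ == "__main__":
    print(summarize_reputations(SAMPLE_REPUTATIONS))
```

With the sample data a naive min() over trustLevel would return 0 (NOT_SET) for the Enterprise provider; the summary instead reports MOST_LIKELY_MALICIOUS from ATD, and the ATD attributes show the GAM engine at UNKNOWN while the sandbox drove the verdict.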