ngfcti-files
Retrieve a list of malicious files from the FCTI service.
ngfcti-files [proxy=PROXY] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [order=asc|desc] [assessment=0|1|2|3|4|5]
- proxy=PROXY
  - Proxy server URL.
- duration=NUM{mon|w|d|h|m|s}
  - Limits results to a time range ending at the current time. The unit can be s (seconds), m (minutes), h (hours), d (days), w (weeks), or mon (months). For example, 10s covers the range from 10 seconds ago to the current time.
- from=yyyyMMddHHmmss
  - Start of the range, in the format yyyyMMddHHmmss. If trailing digits are omitted, they are filled with zeros.
- to=yyyyMMddHHmmss
  - End of the range, in the format yyyyMMddHHmmss. If trailing digits are omitted, they are filled with zeros.
- order=asc|desc
  - Sort order. If unspecified, the most recent data is fetched first.
- assessment=0|1|2|3|4|5
  - Returns only files with the specified Threat Intelligence Assessment level or higher.
Output fields
field | type | name | description |
---|---|---|---|
_time | Datetime | Registration time | e.g.: 2022-12-30 01:19:04+0900 |
file_name | String | File name | e.g.: phishingeyes.apk |
file_size | 64-bit integer | File size | |
file_type | String | File type | e.g.: DOC |
md5 | String | MD5 hash | e.g.: fca30b4d4e3d28ac1bfaefa404feb3f3 |
sha1 | String | SHA1 hash | |
sha256 | String | SHA256 hash | e.g.: 0f9db0f431b363b0ca3b397f33ca405f4260e234fb49a1c491e9da5338233561 |
sha512 | String | SHA512 hash | |
classification | 32-bit integer | Maliciousness | -1: Clean, 0: Unclassified, 1: Malicious |
classification_name | String | Maliciousness name | e.g.: Malicious |
signature | String | Detection | e.g.: Android/Agent.DSI!tr |
tlp | 32-bit integer | Scope of information disclosure | 0: TLP:CLEAR, 1: TLP:GREEN, 2: TLP:AMBER, 3: TLP:AMBER+STRICT, 4: TLP:RED |
tlp_name | String | Scope of information disclosure name | e.g.: TLP:GREEN |
assessment | 32-bit integer | Threat Information Assessment Level | 0: Safe, 1: Unknown, 2: Low, 3: Moderate, 4: Danger, 5: Critical |
assessment_name | String | Threat Information Assessment Level name | e.g.: Moderate |
created_at | Datetime | Threat level creation date | e.g.: 2022-12-30 01:19:04+0900 |
modified_at | Datetime | Threat level modification date | e.g.: 2023-01-06 17:08:15+0900 |
expire_at | Datetime | Threat level expiration date | |
first_seen_at | Datetime | First discovered date | e.g.: 2022-12-30 01:19:04+0900 |
last_seen_at | Datetime | Latest discovered date | e.g.: 2022-12-30 01:19:04+0900 |
intel_id | String | Unique identifier | e.g.: 02rwR1vEOgGxPVqyNp8eyx |
virustotal_reputation | Map | VirusTotal information | |
relationships_outgoing | Array | List of outgoing relationships | |
relationships_incoming | Array | List of incoming relationships | |
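
The integer codes for classification, tlp and assessment, together with expire_at, are what a downstream consumer should filter on before acting on these rows. The following Python sketch is an added example, not part of the original command reference: it assumes the rows have been exported as dictionaries keyed by the field names above, with datetimes as strings in the format shown in the table. The function names and sample rows are hypothetical and constructed.

```python
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S%z"  # table example: 2022-12-30 01:19:04+0900
MALICIOUS = 1                      # classification: -1 Clean, 0 Unclassified, 1 Malicious
TLP_GREEN = 1                      # tlp: 0 CLEAR, 1 GREEN, 2 AMBER, 3 AMBER+STRICT, 4 RED

def is_active(row, now):
    """True when expire_at is empty or still in the future."""
    expire_at = row.get("expire_at")
    return not expire_at or datetime.strptime(expire_at, TS_FORMAT) > now

def build_blocklist(rows, now, min_assessment=4, max_tlp=TLP_GREEN):
    """Return sorted, de-duplicated SHA256 hashes that may be handed to a
    destination cleared for `max_tlp`, keeping only malicious, unexpired
    records at or above `min_assessment` (4 = Danger, 5 = Critical)."""
    selected = set()
    for row in rows:
        if row.get("classification") != MALICIOUS:
            continue
        if row.get("assessment", 0) < min_assessment:
            continue
        if row.get("tlp", 4) > max_tlp:   # a missing TLP is treated as TLP:RED
            continue
        if not is_active(row, now):
            continue
        sha256 = (row.get("sha256") or "").lower()
        if len(sha256) == 64:             # skip rows without a usable SHA256
            selected.add(sha256)
    return sorted(selected)

# Constructed sample rows (placeholder hashes, not real indicators)
SAMPLE_ROWS = [
    {"sha256": "a" * 64, "classification": 1, "assessment": 5, "tlp": 1, "expire_at": None},
    {"sha256": "b" * 64, "classification": 1, "assessment": 4, "tlp": 3, "expire_at": None},  # AMBER+STRICT
    {"sha256": "c" * 64, "classification": 1, "assessment": 3, "tlp": 0, "expire_at": None},  # Moderate
    {"sha256": "d" * 64, "classification": 1, "assessment": 5, "tlp": 0,
     "expire_at": "2023-01-06 17:08:15+0900"},                                               # expired
    {"sha256": "e" * 64, "classification": -1, "assessment": 0, "tlp": 0, "expire_at": None},  # Clean
    {"sha256": "A" * 64, "classification": 1, "assessment": 4, "tlp": 0,
     "expire_at": "2030-01-01 00:00:00+0900"},                                               # duplicate hash
]
NOW = datetime.strptime("2023-06-01 00:00:00+0900", TS_FORMAT)

if __name__ == "__main__":
    for digest in build_blocklist(SAMPLE_ROWS, NOW):
        print(digest)
```

Raising `max_tlp` is only appropriate when the destination system and its operators fall within the sharing scope of that TLP level.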