Unique ID of the InstaQuery.

Status of the InstaQuery.

List of responses to the InstaQuery.

Timestamp at which the result was reported, in Unix epoch time.

Hostname of the device that returned the result.

Unique ID of the device that returned the result.

Version format of the result.

Unique correlation ID of the result object.

Object containing the response data.

Timestamp at which the result was first observed on the system (for example, when a file was first observed on the system, as in a file being created).

Timestamp at which the result was last observed on the system (for example, when a file was last observed, as in the last time a file was interacted with). This value is the same as the FirstObservedTimestamp for NetworkConnection and process artifacts.

Unique ID of the result.

Type of artifact that the result's "properties" contain.

Object containing the individual elements of the result. Its contents vary depending on the artifact and type that was queried. The following four entries list the possible property values, one set per artifact type:

Properties for a file artifact:
Path: Full path to the file.
CreationDateTime: Timestamp (in UTC) of when the file was created on the responding system.
Md5: MD5 hash of the file result (where applicable).
Sha256: SHA256 hash of the file result (where applicable).
Owner: Owner of the file.
SuspectedFileType: Suspected file type of the file object (where applicable).
FileSignature: Set of information derived about the file's signature status.
Size: Size of the file object (in bytes).
OwnerUid: Unique ID of the owner of the file.

Properties for a process artifact:
Name: Name of the process.
CommandLine: Command line arguments that the process was executed with.
StartDateTime: Timestamp (in UTC) of when the process was executed on the responding system.
PrimaryImagePath: Image file path of the process.
PrimaryImageMd5: MD5 hash of the image file of the process.
PrimaryImageSha256: SHA256 hash of the image file of the process.
PrimaryImageUid: Unique ID of the image file of the process.
Owner: User who owns the process.
OwnerUid: Unique ID of the user who owns the process.
SuspectedFileType: Suspected file type of the image file of the process.
FileSignature: Set of information derived about the image file's signature status.
IsBeingDebugged: Boolean value indicating whether the process has a debugger attached to it.

Properties for a NetworkConnection artifact:
DestinationAddress: IP address that the connection was destined to.
DestinationPort: Port associated with the remote IP address.
ProcessName: Name of the process that was associated with the connection.
ProcessPrimaryImageUid: Unique ID of the process associated with the connection.
ProcessPrimaryImagePath: Image file path of the process associated with the connection.
ProcessImageMd5: MD5 hash of the image file of the process associated with the connection.
ProcessImageSha256: SHA256 hash of the image file of the process associated with the connection.
SuspectedFileType: Suspected file type of the image file of the process associated with the connection.

Properties for a Registry artifact:
IsPersistencePoint: Binary value (1 or 0) indicating whether the resulting Registry item is a common persistence location.
ValueName: Name of the Registry Value that was interacted with.
Path: Full path of the Registry Key.
FilePath: Full path of the file referenced in the Registry Value (where applicable).
FileMd5: MD5 hash of the file referenced in the Registry Value (where applicable).
FileSha256: SHA256 hash of the file referenced in the Registry Value (where applicable).
FileUid: Unique ID of the file referenced in the Registry Value (where applicable).
SuspectedFileType: Suspected file type of the file referenced in the Registry Value (where applicable).
FileSignature: Set of information derived about the signature status of the file referenced in the Registry Value (where applicable).
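The property names above differ per artifact type (a SHA256 arrives as Sha256, PrimaryImageSha256, ProcessImageSha256 or FileSha256 depending on what was queried, and IsPersistencePoint is a 1/0 value while IsBeingDebugged is a Boolean), so anything that consumes these results needs a per-type normalizer before hashes can be matched or flags evaluated. The following is an added example and not code from the InstaQuery documentation or its vendor: it normalizes the hash fields for all four artifact types and produces defender-side triage findings (watchlist hash hits, debugger-attached processes, connections to blocked destinations, writes to persistence locations). The property names are the ones listed above; the artifact type labels, the "type"/"properties" envelope keys and all sample results, watchlist entries and destinations are constructed assumptions for illustration.

```python
"""Normalize and triage InstaQuery result 'properties' by artifact type.

Added example, not part of the InstaQuery documentation. Only the
per-artifact property names come from the reference above; the type
labels, the envelope keys and the sample data are constructed.
"""
from dataclasses import dataclass

# Assumed artifact type labels, one per property set described above.
FILE, PROCESS, NETWORK, REGISTRY = "File", "Process", "NetworkConnection", "Registry"

# The hash-bearing property names differ per artifact type, so results must
# be normalized before any hash can be compared against a watchlist.
HASH_FIELDS = {
    FILE: ("Md5", "Sha256"),
    PROCESS: ("PrimaryImageMd5", "PrimaryImageSha256"),
    NETWORK: ("ProcessImageMd5", "ProcessImageSha256"),
    REGISTRY: ("FileMd5", "FileSha256"),
}


@dataclass(frozen=True)
class Finding:
    artifact_type: str
    reason: str
    detail: str


def normalized_hashes(artifact_type, props):
    """Return the lowercase MD5/SHA256 values present in one properties object."""
    out = set()
    for name in HASH_FIELDS.get(artifact_type, ()):
        value = props.get(name)
        if isinstance(value, str) and value:
            out.add(value.lower())
    return out


def is_set(value):
    """Accept the binary 1/0 form (IsPersistencePoint) and real Booleans (IsBeingDebugged)."""
    return value in (1, True, "1", "true", "True")


def triage_result(result, hash_watchlist, blocked_destinations):
    """Produce findings for one result object; 'type' and 'properties' keys are assumed."""
    artifact_type = result.get("type")
    props = result.get("properties", {})
    findings = []

    # Case-insensitive hash comparison: hex digests arrive in mixed case.
    matched = normalized_hashes(artifact_type, props) & {h.lower() for h in hash_watchlist}
    for digest in sorted(matched):
        findings.append(Finding(artifact_type, "hash on watchlist", digest))

    if artifact_type == PROCESS and is_set(props.get("IsBeingDebugged")):
        findings.append(Finding(artifact_type, "debugger attached", props.get("Name", "?")))

    if artifact_type == NETWORK:
        dest = (props.get("DestinationAddress"), props.get("DestinationPort"))
        if dest in blocked_destinations:
            findings.append(Finding(artifact_type, "blocked destination", f"{dest[0]}:{dest[1]}"))

    if artifact_type == REGISTRY and is_set(props.get("IsPersistencePoint")):
        location = f"{props.get('Path')}\\{props.get('ValueName')}"
        findings.append(Finding(artifact_type, "write to persistence location", location))

    return findings


def triage_responses(results, hash_watchlist, blocked_destinations):
    """Run triage_result over a list of result objects and flatten the findings."""
    findings = []
    for result in results:
        findings.extend(triage_result(result, hash_watchlist, blocked_destinations))
    return findings


# Constructed sample data (not real InstaQuery output): one result per artifact type.
SAMPLE_RESULTS = [
    {"type": FILE, "properties": {"Path": "C:\\Temp\\a.exe", "Size": 1024, "Sha256": "AA" * 32}},
    {"type": PROCESS, "properties": {"Name": "a.exe", "PrimaryImageSha256": "aa" * 32, "IsBeingDebugged": True}},
    {"type": NETWORK, "properties": {"DestinationAddress": "198.51.100.7", "DestinationPort": 443,
                                     "ProcessName": "a.exe", "ProcessImageSha256": "bb" * 32}},
    {"type": REGISTRY, "properties": {"IsPersistencePoint": 1, "ValueName": "Updater",
                                      "Path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                                      "FileSha256": "cc" * 32}},
]
SAMPLE_WATCHLIST = {"aa" * 32}                 # constructed watchlist digest
SAMPLE_BLOCKED = {("198.51.100.7", 443)}       # constructed blocked destination

if __name__ == "__main__":
    for f in triage_responses(SAMPLE_RESULTS, SAMPLE_WATCHLIST, SAMPLE_BLOCKED):
        print(f"{f.artifact_type:18} {f.reason:30} {f.detail}")
```

The example generalizes across all four property sets rather than one: a registry result's Sha256 key (wrong name for that type) is ignored rather than silently matched, and the file result's uppercase digest still hits the lowercase watchlist entry.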