assemblyline_models/datastore/
tagging.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
use std::collections::HashMap;

use serde::{Deserialize, Serialize};
use struct_metadata::Described;

use crate::{Sha1, Sha256, MD5, Domain, IP, Uri, Platform, Processor, SSDeepHash, PhoneNumber, UpperString, UNCPath, UriPath, Email, Mac, ElasticMeta};

/// Attribution Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct Attribution {
    /// Attribution Actor
    pub actor: Option<Vec<UpperString>>,
    /// Attribution Campaign
    pub campaign: Option<Vec<UpperString>>,
    /// Attribution Category
    pub category: Option<Vec<UpperString>>,
    /// Attribution Exploit
    pub exploit: Option<Vec<UpperString>>,
    /// Attribution Implant
    pub implant: Option<Vec<UpperString>>,
    /// Attribution Family
    pub family: Option<Vec<UpperString>>,
    /// Attribution Network
    pub network: Option<Vec<UpperString>>,
}

/// Antivirus Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct AV {
    /// List of heuristics
    pub heuristic: Option<Vec<String>>,
    /// Collection of virus names identified by antivirus tools
    pub virus_name: Option<Vec<String>>,
}

/// Valid Certificate Period
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct CertValid {
    /// Start date of certificate validity
    pub start: Option<Vec<String>>,
    /// End date of certificate validity
    pub end: Option<Vec<String>>,
}

/// Certificate Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct Cert {
    /// Extended Key Usage
    pub extended_key_usage: Option<Vec<String>>,
    /// Issuer
    pub issuer: Option<Vec<String>>,
    /// Key Usage
    pub key_usage: Option<Vec<String>>,
    /// Owner
    pub owner: Option<Vec<String>>,
    /// Serial Number
    pub serial_no: Option<Vec<String>>,
    /// Signature Algorithm
    pub signature_algo: Option<Vec<String>>,
    /// Subject Name
    pub subject: Option<Vec<String>>,
    /// Alternative Subject Name
    pub subject_alt_name: Option<Vec<String>>,
    /// Thumbprint
    pub thumbprint: Option<Vec<String>>,
    /// Validity Information
    pub valid: Option<CertValid>,
    /// Version
    pub version: Option<Vec<String>>,
}

/// Dynamic Process
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct DynamicProcess {
    /// Commandline
    pub command_line: Option<Vec<String>>,
    /// Filename
    pub file_name: Option<Vec<String>>,
    /// Shortcut
    pub shortcut: Option<Vec<String>>,
}

/// Signatures
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct DynamicSignature {
    /// Signature Category
    pub category: Option<Vec<String>>,
    /// Signature Family
    pub family: Option<Vec<String>>,
    /// Signature Name
    pub name: Option<Vec<String>>,
}

/// SSDeep
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct DynamicSSDeep {
    /// CLSIDs
    pub cls_ids: Option<Vec<SSDeepHash>>,
    /// Dynamic Classes
    pub dynamic_classes: Option<Vec<SSDeepHash>>,
    /// Registry Keys
    pub regkeys: Option<Vec<SSDeepHash>>,
}

/// Windows
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct DynamicWindow {
    /// CLSIDs
    pub cls_ids: Option<Vec<String>>,
    /// Dynamic Classes
    pub dynamic_classes: Option<Vec<String>>,
    /// Registry Keys
    pub regkeys: Option<Vec<String>>,
}

/// Operating System
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct DynamicOperatingSystem {
    /// Platform
    pub platform: Option<Vec<Platform>>,
    /// Version
    pub version: Option<Vec<String>>,
    /// Processor
    pub processor: Option<Vec<Processor>>,
}

/// Dynamic Tag Model. Commonly Used by Dynamic Analysis
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct Dynamic {
    /// Autorun location
    pub autorun_location: Option<Vec<String>>,
    /// DOS Device
    pub dos_device: Option<Vec<String>>,
    /// Mutex
    pub mutex: Option<Vec<String>>,
    /// Registy Keys
    pub registry_key: Option<Vec<String>>,
    /// Sandbox Processes
    pub process: Option<DynamicProcess>,
    /// Sandbox Signatures
    pub signature: Option<DynamicSignature>,
    /// Sandbox SSDeep
    pub ssdeep: Option<DynamicSSDeep>,
    /// Sandbox Window
    pub window: Option<DynamicWindow>,
    /// Sandbox Operating System
    pub operating_system: Option<DynamicOperatingSystem>,
    /// Process Tree ID
    pub processtree_id: Option<Vec<String>>,
}

/// General Information Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct TaggingInfo {
    pub phone_number: Option<Vec<PhoneNumber>>,
    /// Password
    pub password: Option<Vec<String>>,
}

/// APK Application Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileAPKApp {
    /// Label
    pub label: Option<Vec<String>>,
    /// Version
    pub version: Option<Vec<String>>,
}

/// APK SDK Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileAPKSDK {
    /// Minimum OS required
    pub min: Option<Vec<String>>,
    /// Target OS
    pub target: Option<Vec<String>>,
}

/// APK File Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileAPK {
    /// Activity
    pub activity: Option<Vec<String>>,
    /// APK Application Information
    pub app: Option<FileAPKApp>,
    /// Features
    pub feature: Option<Vec<String>>,
    /// Locale
    pub locale: Option<Vec<String>>,
    /// Permissions
    pub permission: Option<Vec<String>>,
    /// Package Name
    pub pkg_name: Option<Vec<String>>,
    /// Components Provided
    pub provides_component: Option<Vec<String>>,
    /// APK SDK Information
    pub sdk: Option<FileAPKSDK>,
    /// Libraries Used
    pub used_library: Option<Vec<String>>,
}

/// File Date Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileDate {
    /// File Creation Date
    pub creation: Option<Vec<String>>,
    /// File Last Modified Date
    pub last_modified: Option<Vec<String>>,
}

/// ELF Sections
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileELFSections {
    /// Section Name
    pub name: Option<Vec<String>>,
}

/// ELF Segments
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileELFSegments {
    /// Segment Type
    #[serde(rename = "type")]
    pub segment_type: Option<Vec<String>>,
}

/// ELF Notes
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileELFNotes {
    /// Note Name
    pub name: Option<Vec<String>>,
    /// Note Type
    #[serde(rename = "type")]
    pub note_type: Option<Vec<String>>,
    /// Note Core Type
    pub type_core: Option<Vec<String>>,
}

/// ELF File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileELF {
    /// Libraries
    pub libraries: Option<Vec<String>>,
    /// Interpreter
    pub interpreter: Option<Vec<String>>,
    /// ELF Sections
    pub sections: Option<FileELFSections>,
    /// ELF Segments
    pub segments: Option<FileELFSegments>,
    /// ELF Notes
    pub notes: Option<FileELFNotes>,
}

/// Exiftool Information Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileIMGExiftool {
    /// Image Creation Tool
    pub creator_tool: Option<Vec<String>>,
    /// Derived Document ID
    pub derived_document_id: Option<Vec<String>>,
    /// Document ID
    pub document_id: Option<Vec<String>>,
    /// Instance ID
    pub instance_id: Option<Vec<String>>,
    /// Toolkit
    pub toolkit: Option<Vec<String>>,
}

/// Image File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileIMG {
    /// Exiftool Information
    pub exif_tool: Option<FileIMGExiftool>,
    /// Megapixels
    pub mega_pixels: Option<Vec<String>>,
    /// Image Mode
    pub mode: Option<Vec<String>>,
    /// Image Size
    pub size: Option<Vec<String>>,
    /// Sorted Metadata Hash
    pub sorted_metadata_hash: Option<Vec<String>>,
}

/// JAR File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileJAR {
    /// Main Class
    pub main_class: Option<Vec<String>>,
    /// Main Package
    pub main_package: Option<Vec<String>>,
}

/// File Name Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileName {
    /// Name of Anomaly
    pub anomaly: Option<Vec<String>>,
    /// Name of Extracted
    pub extracted: Option<Vec<String>>,
}

/// OLE Macro Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileOLEMacro {
    /// SHA256 of Macro
    pub sha256: Option<Vec<Sha256>>,
    /// Suspicious Strings
    pub suspicious_string: Option<Vec<String>>,
}

/// OLE Summary Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileOLESummary {
    /// Author
    pub author: Option<Vec<String>>,
    /// Code Page
    pub codepage: Option<Vec<String>>,
    /// Comment
    pub comment: Option<Vec<String>>,
    /// Company
    pub company: Option<Vec<String>>,
    /// Creation Time
    pub create_time: Option<Vec<String>>,
    /// Date Last Printed
    pub last_printed: Option<Vec<String>>,
    /// User Last Saved By
    pub last_saved_by: Option<Vec<String>>,
    /// Date Last Saved
    pub last_saved_time: Option<Vec<String>>,
    /// Manager
    pub manager: Option<Vec<String>>,
    /// Subject
    pub subject: Option<Vec<String>>,
    /// Title
    pub title: Option<Vec<String>>,
}

/// OLE File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileOLE {
    /// OLE Macro
    #[serde(rename = "macro")]
    pub ole_macro: Option<FileOLEMacro>,
    /// OLE Summary
    pub summary: Option<FileOLESummary>,
    /// CLSID
    pub clsid: Option<Vec<String>>,
    /// DDE Link
    pub dde_link: Option<Vec<String>>,
    /// FIB Timestamp
    pub fib_timestamp: Option<Vec<String>>,
}

/// PDF Date Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePDFDate {
    /// Date Modified
    pub modified: Option<Vec<String>>,
    /// PDFx
    pub pdfx: Option<Vec<String>>,
    /// Date Source Modified
    pub source_modified: Option<Vec<String>>,
}

/// PDF Javascript Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePDFJavascript {
    /// SHA1 of Javascript
    pub sha1: Option<Vec<Sha1>>,
}

/// PDF Statistics Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePDFStats {
    /// SHA1 of Statistics
    pub sha1: Option<Vec<Sha1>>,
}

/// PDF File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePDF {
    /// PDF Date Information
    pub date: Option<FilePDFDate>,
    /// PDF Javascript Information
    pub javascript: Option<FilePDFJavascript>,
    /// PDF Statistics Information
    pub stats: Option<FilePDFStats>,
}

/// PE Debug Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePEDebug {
    /// GUID
    pub guid: Option<Vec<String>>,
}

/// PE Exports Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePEExports {
    /// Function Name
    pub function_name: Option<Vec<String>>,
    /// Module Name
    pub module_name: Option<Vec<String>>,
}

/// PE Imports Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePEImports {
    /// Fuzzy
    pub fuzzy: Option<Vec<SSDeepHash>>,
    /// MD5
    pub md5: Option<Vec<MD5>>,
    /// Imphash
    pub imphash: Option<Vec<MD5>>,
    /// Sorted Fuzzy
    pub sorted_fuzzy: Option<Vec<SSDeepHash>>,
    /// Sorted SHA1
    pub sorted_sha1: Option<Vec<Sha1>>,
    /// Go Import hash
    pub gimphash: Option<Vec<Sha256>>,
    /// Suspicious
    pub suspicious: Option<Vec<String>>,
}

/// PE Linker Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePELinker {
    /// Timestamp
    pub timestamp: Option<Vec<String>>,
}

/// PE OEP Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePEOEP {
    /// Bytes
    pub bytes: Option<Vec<String>>,
    /// Hex Dump
    pub hexdump: Option<Vec<String>>,
}

/// PE Resources Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePEResources {
    /// Language
    pub language: Option<Vec<String>>,
    /// Name
    pub name: Option<Vec<String>>,
}

/// PE Rich Header Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePERichHeader {
    /// Hash
    pub hash: Option<Vec<String>>,
}

/// PE Sections Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePESections {
    /// Hash
    pub hash: Option<Vec<String>>,
    /// Name
    pub name: Option<Vec<String>>,
}

/// PE Versions Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePEVersions {
    /// Description
    pub description: Option<Vec<String>>,
    /// Filename
    pub filename: Option<Vec<String>>,
}

/// PE File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePE {
    /// API Vector
    pub api_vector: Option<Vec<String>>,
    /// PE Debug Information
    pub debug: Option<FilePEDebug>,
    /// PE Exports Information
    pub exports: Option<FilePEExports>,
    /// PE Imports Information
    pub imports: Option<FilePEImports>,
    /// PE Linker Information
    pub linker: Option<FilePELinker>,
    /// PE OEP Information
    pub oep: Option<FilePEOEP>,
    /// PDB Filename
    pub pdb_filename: Option<Vec<String>>,
    /// PE Resources Information
    pub resources: Option<FilePEResources>,
    /// PE Rich Header Information
    pub rich_header: Option<FilePERichHeader>,
    /// PE Sections Information
    pub sections: Option<FilePESections>,
    /// PE Versions Information
    pub versions: Option<FilePEVersions>,
}

/// PList Build Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListBuild {
    /// Machine OS
    pub machine_os: Option<Vec<String>>,
}

/// PList CF Bundle Version Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListCFBundleVersion {
    /// Long Version
    pub long: Option<Vec<String>>,
    /// Short Version
    pub short: Option<Vec<String>>,
}

/// PList CF Bundle Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListCFBundle {
    /// Development Region
    pub development_region: Option<Vec<String>>,
    /// Display Name
    pub display_name: Option<Vec<String>>,
    /// Executable Name
    pub executable: Option<Vec<String>>,
    /// Identifier Name
    pub identifier: Option<Vec<String>>,
    /// Bundle Name
    pub name: Option<Vec<String>>,
    /// Package Type
    pub pkg_type: Option<Vec<String>>,
    /// Signature
    pub signature: Option<Vec<String>>,
    /// URL Scheme
    pub url_scheme: Option<Vec<String>>,
    /// Bundle Version Information
    pub version: Option<FilePListCFBundleVersion>,
}

/// PList DT Platform Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListDTPlatform {
    /// Build
    pub build: Option<Vec<String>>,
    /// Name
    pub name: Option<Vec<String>>,
    /// Version
    pub version: Option<Vec<String>>,
}

/// PList DT Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListDT {
    /// Compiler
    pub compiler: Option<Vec<String>>,
    /// Platform Information
    pub platform: Option<FilePListDTPlatform>,
}

/// PList LS Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListLS {
    /// Background Only
    pub background_only: Option<Vec<String>>,
    /// Minimum System Versuion
    pub min_system_version: Option<Vec<String>>,
}

/// PList NS Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListNS {
    /// Apple Script Enabled
    pub apple_script_enabled: Option<Vec<String>>,
    /// Principal Class
    pub principal_class: Option<Vec<String>>,
}

/// PList UI Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListUI {
    /// Background Modes
    pub background_modes: Option<Vec<String>>,
    /// Requires Persistent WIFI
    pub requires_persistent_wifi: Option<Vec<String>>,
}

/// PList WK Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePListWK {
    /// App Bundle ID
    pub app_bundle_identifier: Option<Vec<String>>,
}

/// PList File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePList {
    /// Installer URL
    pub installer_url: Option<Vec<String>>,
    /// Minimum OS Version
    pub min_os_version: Option<Vec<String>>,
    /// Requests Open Access
    pub requests_open_access: Option<Vec<String>>,
    /// Build Information
    pub build: Option<FilePListBuild>,
    /// CF Bundle Information
    pub cf_bundle: Option<FilePListCFBundle>,
    /// DT Information
    pub dt: Option<FilePListDT>,
    /// LS Information
    pub ls: Option<FilePListLS>,
    /// NS Information
    pub ns: Option<FilePListNS>,
    /// UI Information
    pub ui: Option<FilePListUI>,
    /// WK Information
    pub wk: Option<FilePListWK>,
}

/// PowerShell File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FilePowerShell {
    /// Cmdlet
    pub cmdlet: Option<Vec<String>>,
}

/// Shortcut File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileShortcut {
    /// Command Line
    pub command_line: Option<Vec<String>>,
    /// Icon Location
    pub icon_location: Option<Vec<String>>,
    /// Machine ID
    pub machine_id: Option<Vec<String>>,
    /// Possible MAC address from the Tracker block
    pub tracker_mac: Option<Vec<String>>,
}

/// Strings File Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileStrings {
    /// API
    pub api: Option<Vec<String>>,
    /// Blacklisted
    pub blacklisted: Option<Vec<String>>,
    /// Decoded
    pub decoded: Option<Vec<String>>,
    /// Extracted
    pub extracted: Option<Vec<String>>,
}

/// SWF Header Frame
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileSWFHeaderFrame {
    /// Number of Frames
    pub count: Option<Vec<i64>>,
    /// Speed of Animation
    pub rate: Option<Vec<String>>,
    /// Size of Frame
    pub size: Option<Vec<String>>,
}

/// SWF Header Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileSWFHeader {
    /// Header Frame Information
    pub frame: Option<FileSWFHeaderFrame>,
    /// Version
    pub version: Option<Vec<String>>,
}

/// SWF File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct FileSWF {
    /// Header Information
    pub header: Option<FileSWFHeader>,
    /// Tags SSDeep
    pub tags_ssdeep: Option<Vec<SSDeepHash>>,
}

/// Network IOC Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct NetworkIOCs {
    /// Domain
    pub domain: Option<Vec<Domain>>,
    /// IP
    pub ip: Option<Vec<IP>>,
    /// UNC Path
    pub unc_path: Option<Vec<UNCPath>>,
    /// URI
    pub uri: Option<Vec<Uri>>,
    /// URI Path
    pub uri_path: Option<Vec<UriPath>>,
}

/// Network Email Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct NetworkEmail {
    /// Email Address
    pub address: Option<Vec<Email>>,
    /// Date
    pub date: Option<Vec<String>>,
    /// Subject
    pub subject: Option<Vec<String>>,
    /// Message ID
    pub msg_id: Option<Vec<String>>,
}

/// Network Signature Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct NetworkSignature {
    /// Signature ID
    pub signature_id: Option<Vec<String>>,
    /// Signature Message
    pub message: Option<Vec<String>>,
}

/// Network TLS Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct NetworkTLS {
    /// JA3 Hash
    pub ja3_hash: Option<Vec<MD5>>,
    /// JA3 String
    pub ja3_string: Option<Vec<String>>,
    /// SNI
    pub sni: Option<Vec<String>>,
}

/// Network Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct Network {
    /// Attack
    pub attack: Option<Vec<String>>,
    /// Dynamic IOCs
    pub dynamic: Option<NetworkIOCs>,
    /// Email
    pub email: Option<NetworkEmail>,
    /// MAC Address
    pub mac_address: Option<Vec<Mac>>,
    /// Port
    pub port: Option<Vec<i64>>,
    /// Protocol
    pub protocol: Option<Vec<String>>,
    /// Signatures
    pub signature: Option<NetworkSignature>,
    /// Static IOCs
    #[serde(rename = "static")]
    pub static_ioc: Option<NetworkIOCs>,
    /// TLS
    pub tls: Option<NetworkTLS>,
    /// User Agent
    pub user_agent: Option<Vec<String>>,
}

/// Technique Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct Technique {
    /// Communication Routine
    pub comms_routine: Option<Vec<String>>,
    /// Configuration
    pub config: Option<Vec<String>>,
    /// Cryptography
    pub crypto: Option<Vec<String>>,
    /// Keylogger
    pub keylogger: Option<Vec<String>>,
    /// Macro
    #[serde(rename = "macro")]
    pub macro_string: Option<Vec<String>>,
    /// Masking Algorithm
    pub masking_algo: Option<Vec<String>>,
    /// Obfuscation
    pub obfuscation: Option<Vec<String>>,
    /// Packer
    pub packer: Option<Vec<String>>,
    /// Persistence
    pub persistence: Option<Vec<String>>,
    /// Shell Code
    pub shellcode: Option<Vec<String>>,
    /// String
    pub string: Option<Vec<String>>,
}

/// File Tag Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
pub struct TaggingFile {
    /// File Genealogy
    pub ancestry: Option<Vec<String>>,
    /// File Behaviour
    pub behavior: Option<Vec<String>>,
    /// Compiler of File
    pub compiler: Option<Vec<String>>,
    /// File Configuration
    pub config: Option<Vec<String>>,
    /// File's Date Information
    pub date: Option<FileDate>,
    /// ELF File Properties
    pub elf: Option<FileELF>,
    /// File Libraries
    pub lib: Option<Vec<String>>,
    /// File LSH hashes
    pub lsh: Option<Vec<String>>,
    /// File Name
    pub name: Option<FileName>,
    /// File Path
    pub path: Option<Vec<String>>,
    /// Rule/Signature File
    pub rule: Option<HashMap<String, Vec<String>>>,
    /// File Strings Properties
    pub string: Option<FileStrings>,
    /// APK File Properties
    pub apk: Option<FileAPK>,
    /// JAR File Properties
    pub jar: Option<FileJAR>,
    /// Image File Properties
    pub img: Option<FileIMG>,
    /// OLE File Properties
    pub ole: Option<FileOLE>,
    /// PE File Properties
    pub pe: Option<FilePE>,
    /// PDF File Properties
    pub pdf: Option<FilePDF>,
    /// PList File Properties
    pub plist: Option<FilePList>,
    /// PowerShell File Properties
    pub powershell: Option<FilePowerShell>,
    /// Shortcut File Properties
    pub shortcut: Option<FileShortcut>,
    /// SWF File Properties
    pub swf: Option<FileSWF>,
}

/// Tagging Model
#[derive(Serialize, Deserialize, Debug, Default, Described)]
#[metadata_type(ElasticMeta)]
#[metadata(copyto="__text__")]
pub struct Tagging {
    /// Attribution Tagging
    pub attribution: Option<Box<Attribution>>,
    /// Antivirus Tagging
    pub av: Option<Box<AV>>,
    /// Certificate Tagging
    pub cert: Option<Box<Cert>>,
    /// Dynamic Analysis Tagging
    pub dynamic: Option<Box<Dynamic>>,
    /// Informational Tagging
    pub info: Option<Box<TaggingInfo>>,
    /// File Tagging
    pub file: Option<Box<TaggingFile>>,
    /// Network Tagging
    pub network: Option<Box<Network>>,
    /// Source Tagging
    pub source: Option<Box<Vec<String>>>,
    /// Technique Tagging
    pub technique: Option<Box<Technique>>,
    /// Vector Tagging
    pub vector: Option<Box<Vec<String>>>,
}