
BinaryMetadataSchema

Amy Bowersox edited this page Apr 30, 2020 · 3 revisions

The BinaryMetadata schema

This schema describes and represents the metadata of an item to be analyzed. It corresponds to the data retrieved from the ThreatHunter/Enterprise EDR Retrieve Metadata API. It contains the following defined elements:

  • sha256: (type: str) - The SHA-256 hash value of the specified item, hex-encoded. Always 64 characters in length.
  • url: (type: str) The URL from which the contents of the item may be downloaded. Your analysis engine will use this URL to retrieve the actual binary data for analysis.
  • architecture: (type: list) A list of string values, which represent the architecture(s) that this item was compiled for. This may contain one or more of the following values: "none", "x86", "amd64", and "arm64".
  • available_file_size: (type: int, may be None) The number of bytes of the item which may be downloaded through the given URL. If the item is unavailable, the value of this property will be 0 and the value of the file_available property will be False. If the item is of zero length, this value will be 0 and the value of the file_available property will be True. This number will be less than the value of the file_size property if the item was truncated before it was uploaded.
  • charset_id: (type: int, may be None) The ID of the character set used by the item (from Windows VERSIONINFO; see below).
  • comments: (type: str, may be None) Comments associated with the given item (from Windows VERSIONINFO; see below).
  • company_name: (type: str, may be None) The name of the company producing the associated item (from Windows VERSIONINFO; see below).
  • copyright: (type: str, may be None) Copyright message associated with the item (from Windows VERSIONINFO; see below).
  • file_available: (type: bool) Indicates whether the item is actually available for download through the given URL. If this property is False, attempting to download the item may produce an error.
  • file_description: (type: str, may be None) Description of the associated item (from Windows VERSIONINFO; see below).
  • file_size: (type: int, may be None) The number of bytes in the original item. The value of the available_file_size property will be less than or equal to this value.
  • file_version: (type: str, may be None) The version number associated with the specified item (from Windows VERSIONINFO; see below).
  • internal_name: (type: str, may be None) The internal name associated with the specified item (from Windows VERSIONINFO; see below).
  • lang_id: (type: int, may be None) The ID of the language associated with the specified item (from Windows VERSIONINFO; see below).
  • md5: (type: str) The MD5 hash value of the specified item, hex-encoded. Always 32 characters in length. The value of the sha256 property should be used in preference to this value, since MD5 is vulnerable to collision attacks and two different items may share an MD5 hash.
  • original_filename: (type: str, may be None) The original name given to the specified item, if it was renamed (from Windows VERSIONINFO; see below).
  • os_type: (type: str, may be None) The operating system type this item is intended for. Since this is a single string, it holds one of the following values: "WINDOWS", "ANDROID", "MAC", "IOS", "LINUX", and "OTHER".
  • private_build: (type: str, may be None) Information about a private build of this item, i.e. one that was not produced by the standard release procedure. (From Windows VERSIONINFO; see below.)
  • product_description: (type: str, may be None) Description of the product this item belongs to (from Windows VERSIONINFO; see below).
  • product_name: (type: str, may be None) Name of the product this item belongs to (from Windows VERSIONINFO; see below).
  • product_version: (type: str, may be None) Version number of the product this item belongs to (from Windows VERSIONINFO; see below).
  • special_build: (type: str, may be None) Information about a special build of this item, i.e. one produced by the standard release procedure but differing from the standard item of the same name that carries the same version number. (From Windows VERSIONINFO; see below.)
  • trademark: (type: str, may be None) Trademark message associated with the item (from Windows VERSIONINFO; see below).

N.B.: Much of this data is specific to executable files, and, in particular, to Windows executables that carry a VERSIONINFO resource. For items of other types, expect the VERSIONINFO-derived properties to be None.
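The rules above (hash lengths, the architecture and os_type vocabularies, and the relationship between available_file_size, file_size and file_available) are easy to get wrong in an analysis engine, so here is a worked check for them. This is an added example and not the toolkit's own schema code: it uses only the Python standard library, the sample record and bytes are constructed inline, the URL is a placeholder rather than a real download endpoint, and it additionally assumes (a hardening choice, not something the page states) that the download URL must use https. It also assumes that sha256 is the hash of the original item, so a truncated download cannot be verified against it and is reported separately.

```python
"""Checks for BinaryMetadata records before and after fetching the binary.

Added example, not part of the toolkit: a pure-stdlib validator for the
field types and cross-field rules of the schema, plus a post-download
integrity check. Sample record and bytes are constructed here.
"""
import hashlib
import re
from typing import Any, Dict, List

ARCHITECTURES = {"none", "x86", "amd64", "arm64"}
OS_TYPES = {"WINDOWS", "ANDROID", "MAC", "IOS", "LINUX", "OTHER"}
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Fields the schema marks "may be None", with the type they hold when present.
OPTIONAL_FIELDS = {
    "available_file_size": int, "charset_id": int, "comments": str,
    "company_name": str, "copyright": str, "file_description": str,
    "file_size": int, "file_version": str, "internal_name": str,
    "lang_id": int, "original_filename": str, "os_type": str,
    "private_build": str, "product_description": str, "product_name": str,
    "product_version": str, "special_build": str, "trademark": str,
}


def validate_binary_metadata(meta: Dict[str, Any]) -> List[str]:
    """Return the list of rule violations; an empty list means the record is consistent."""
    errors: List[str] = []
    sha256, md5, url = meta.get("sha256"), meta.get("md5"), meta.get("url")
    if not isinstance(sha256, str) or not HEX_SHA256.match(sha256):
        errors.append("sha256 must be a 64-character hex string")
    if not isinstance(md5, str) or not HEX_MD5.match(md5):
        errors.append("md5 must be a 32-character hex string")
    if not isinstance(url, str) or not url.startswith("https://"):  # assumption: insist on TLS
        errors.append("url must be an https URL")
    if not isinstance(meta.get("file_available"), bool):
        errors.append("file_available must be a bool")
    arch = meta.get("architecture")
    if not isinstance(arch, list) or not arch or not set(arch) <= ARCHITECTURES:
        errors.append("architecture must be a non-empty list drawn from %s" % sorted(ARCHITECTURES))
    for name, typ in OPTIONAL_FIELDS.items():
        value = meta.get(name)
        # bool is a subclass of int, so reject True/False masquerading as an int
        if value is not None and (not isinstance(value, typ) or isinstance(value, bool)):
            errors.append("%s must be %s or None" % (name, typ.__name__))
    os_type = meta.get("os_type")
    if os_type is not None and os_type not in OS_TYPES:
        errors.append("os_type must be one of %s" % sorted(OS_TYPES))
    # Cross-field rules from the available_file_size / file_available descriptions
    avail, size = meta.get("available_file_size"), meta.get("file_size")
    if isinstance(avail, int) and isinstance(size, int) and avail > size:
        errors.append("available_file_size must not exceed file_size")
    if meta.get("file_available") is False and isinstance(avail, int) and avail != 0:
        errors.append("available_file_size must be 0 when file_available is False")
    return errors


def is_truncated(meta: Dict[str, Any]) -> bool:
    """True when fewer bytes can be downloaded than the original item had."""
    avail, size = meta.get("available_file_size"), meta.get("file_size")
    return isinstance(avail, int) and isinstance(size, int) and avail < size


def check_download(meta: Dict[str, Any], data: bytes) -> str:
    """Classify downloaded bytes against the record.

    'unavailable': the record says nothing can be downloaded;
    'mismatch':    length or SHA-256 disagrees with the record;
    'truncated':   length matches available_file_size, but the item was cut
                   before upload, so sha256 (assumed to be the hash of the
                   original) cannot be confirmed against these bytes;
    'verified':    length and SHA-256 both match.
    """
    if not meta.get("file_available"):
        return "unavailable"
    avail = meta.get("available_file_size")
    if isinstance(avail, int) and len(data) != avail:
        return "mismatch"
    if is_truncated(meta):
        return "truncated"
    if hashlib.sha256(data).hexdigest() != str(meta.get("sha256", "")).lower():
        return "mismatch"
    return "verified"


# Constructed sample: a fake 64-byte blob and a record describing it.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62
SAMPLE_METADATA = {
    "sha256": hashlib.sha256(SAMPLE_BYTES).hexdigest(),
    "md5": hashlib.md5(SAMPLE_BYTES).hexdigest(),
    "url": "https://example.invalid/download/placeholder",  # placeholder, not a real endpoint
    "architecture": ["amd64"],
    "available_file_size": len(SAMPLE_BYTES),
    "file_size": len(SAMPLE_BYTES),
    "file_available": True,
    "os_type": "WINDOWS",
    "company_name": "Example Corp",
    "file_version": "1.0.0.0",
    "charset_id": 1200,
    "lang_id": 1033,
}

if __name__ == "__main__":
    print("sample errors:", validate_binary_metadata(SAMPLE_METADATA))
    print("download:", check_download(SAMPLE_METADATA, SAMPLE_BYTES))
    bad = dict(SAMPLE_METADATA, file_available=False, architecture=["mips"])
    print("bad errors:", validate_binary_metadata(bad))
```

Run validate_binary_metadata on each record before fetching anything, skip records where file_available is False, and treat a "mismatch" from check_download as a reason to discard the bytes rather than analyze them. A "truncated" result is not an error, but the analysis engine should know it is looking at a partial item whose hash it could not confirm.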