Important UDM fields for parser data mapping
Certain Google Security Operations features depend on valid data being populated in specific fields in a Unified Data Model (UDM) record. If data does not exist in one or more of these fields, or if the wrong data is populated in a field, the feature may not function as intended.
Data mapping instructions in a parser control how data from an original raw log is mapped to one or more fields in the UDM data structure. When creating a parser, make sure the data mapping instructions populate as many important UDM fields as possible.
The following table summarizes important UDM fields and where the field is used. The Feature area or use case column includes the following feature areas:
- Curated detections: These are out-of-the-box rule sets that Google Security Operations manages and you run against your data to help identify threats.
- Indexing: This feature enables security analysts to easily search for information about resources, such as assets, domains, IP addresses, users, and files. It also enriches UDM records with information related to prevalence, first time seen, last time seen, and more.
- Artifact aliasing: This feature enriches UDM records with additional data, such as geolocation data using an external IP address.
- Asset aliasing: This feature identifies relationships across individual UDM records related to the same physical asset, such as a server, laptop, mobile device, etc.
- Process aliasing: This feature identifies relationships across individual UDM records that describe one or more related processes, files, and users who executed a process.
- User aliasing: This feature identifies relationships across individual UDM records related to the same user.
- Entity graph: This feature identifies relationships between entities and resources in your environment.
- IoC: This feature matches your data against data ingested from IoC feeds.
The value Threat hunting is not a feature, but a use case. Fields with this value are recommended to facilitate Threat hunting activities. For a list of all UDM fields, see the Unified Data Model field list.
| Fully qualified field name | Feature area or use case |
|---|---|
<event>.security_result.threat_id_namespace |
Indexing |
<event>.security_result.threat_id |
Indexing |
<event>.security_result.category |
Indexing |
<event>.security_result.summary |
Indexing |
<event>.security_result.description |
Indexing |
<event>.security_result.action |
Curated detections |
<event>.security_result.detection_fields.key |
Curated detections |
<event>.security_result.detection_fields.value |
Curated detections |
<event>.security_result.threat_name |
Threat hunting |
<event>.metadata.event_timestamp |
Indexing |
<event>.metadata.event_type |
Curated detections, Indexing |
<event>.metadata.product_name |
Curated detections, Indexing |
<event>.metadata.vendor_name |
Curated detections, Indexing |
<event>.metadata.description |
Curated detections |
<event>.metadata.ingestion_labels.key |
Curated detections |
<event>.metadata.ingestion_labels.value |
Curated detections |
<event>.metadata.product_event_type |
Curated detections |
<event>.metadata.product_deployment_id |
Threat hunting |
<event>.metadata.product_log_id |
Threat hunting |
<event>.principal.ip |
Curated detections, Indexing, Artifact aliasing, Asset aliasing |
<event>.principal.mac |
Indexing, Asset aliasing |
<event>.principal.hostname |
Curated detections, Indexing, Asset aliasing |
<event>.principal.asset_id |
Indexing, Asset aliasing |
<event>.principal.asset.ip |
Indexing |
<event>.principal.asset.mac |
Indexing |
<event>.principal.asset.hostname |
Indexing |
<event>.principal.asset.asset_id |
Indexing |
<event>.principal.user.email_address |
Curated detections, Indexing, User aliasing |
<event>.principal.user.userid |
Indexing, User aliasing |
<event>.principal.user.windows_sid |
Indexing, User aliasing |
<event>.principal.user.product_object_id |
Indexing, User aliasing |
<event>.principal.user.attribute.permissions.name |
Curated detections |
<event>.principal.user.attribute.permissions.type |
Curated detections |
<event>.principal.user.attribute.roles.name |
Curated detections |
<event>.principal.user.attribute.roles.description |
Curated detections |
<event>.principal.file.sha1 |
Artifact aliasing |
<event>.principal.file.md5 |
Artifact aliasing |
<event>.principal.file.sha256 |
Artifact aliasing |
<event>.principal.file.full_path |
Curated detections |
<event>.principal.process.parent_process |
Process aliasing |
<event>.principal.process.product_specific_process_id |
Process aliasing |
<event>.principal.process.pid |
Curated detections |
<event>.principal.process.command_line |
Curated detections |
<event>.principal.process.file.full_path |
Curated detections |
<event>.principal.process.parent_process.command_line |
Curated detections |
<event>.principal.process.parent_process.file.full_path |
Curated detections |
<event>.principal.cloud.environment |
Curated detections |
<event>.principal.resource.name |
Curated detections |
<event>.principal.resource.attribute.cloud.project.name |
Curated detections |
<event>.principal.resource.attribute.cloud.project.resource_subtype |
Curated detections |
<event>.principal.registry.registry_key |
Curated detections |
<event>.principal.registry.registry_value_name |
Curated detections |
<event>.principal.url |
Curated detections |
<event>.source.ip |
Indexing, Artifact aliasing, Asset aliasing |
<event>.source.mac |
Indexing, Asset aliasing |
<event>.source.hostname |
Indexing, Asset aliasing |
<event>.source.asset_id |
Indexing, Asset aliasing |
<event>.source.asset.ip |
Indexing |
<event>.source.asset.mac |
Indexing |
<event>.source.asset.hostname |
Indexing |
<event>.source.asset.asset_id |
Indexing |
<event>.source.user.email_address |
Indexing, User aliasing |
<event>.source.user.userid |
Indexing, User aliasing |
<event>.source.user.windows_sid |
Indexing, User aliasing |
<event>.source.user.product_object_id |
Indexing, User aliasing |
<event>.source.file.sha1 |
Artifact aliasing |
<event>.source.file.md5 |
Artifact aliasing |
<event>.source.file.sha256 |
Artifact aliasing |
<event>.source.process.parent_process |
Process aliasing |
<event>.source.process.product_specific_process_id |
Process aliasing |
<event>.target.ip |
Curated detections, Indexing, Artifact aliasing, Asset aliasing |
<event>.target.port |
Curated detections |
<event>.target.mac |
Indexing, Asset aliasing |
<event>.target.hostname |
Curated detections, Indexing, Asset aliasing |
<event>.target.asset_id |
Indexing, Asset aliasing |
<event>.target.asset.ip |
Indexing |
<event>.target.asset.mac |
Indexing |
<event>.target.asset.hostname |
Indexing |
<event>.target.asset.asset_id |
Indexing |
<event>.target.user.email_address |
Curated detections, Indexing, User aliasing |
<event>.target.user.userid |
Indexing, User aliasing |
<event>.target.user.windows_sid |
Indexing, User aliasing |
<event>.target.user.product_object_id |
Indexing, User aliasing |
<event>.target.file.sha1 |
Artifact aliasing |
<event>.target.file.md5 |
Artifact aliasing |
<event>.target.file.sha256 |
Artifact aliasing |
<event>.target.file.full_path |
Curated detections |
<event>.target.process.parent_process |
Process aliasing |
<event>.target.process.product_specific_process_id |
Process aliasing |
<event>.target.process.pid |
Curated detections |
<event>.target.process.command_line |
Curated detections |
<event>.target.process.file.full_path |
Curated detections |
<event>.target.process.parent_process.command_line |
Curated detections |
<event>.target.process.parent_process.file.full_path |
Curated detections |
<event>.target.application |
Curated detections |
<event>.target.cloud.environment |
Curated detections |
<event>.target.cloud.project.name |
Curated detections |
<event>.target.resource.name |
Curated detections |
<event>.target.resource.resource_type |
Curated detections |
<event>.target.registry.registry_key |
Curated detections |
<event>.target.registry.registry_value_name |
Curated detections |
<event>.network.application_protocol |
Curated detections |
<event>.network.ip_protocol |
Curated detections |
<event>.network.dns_domain |
Threat hunting |
<event>.network.http.method |
Curated detections |
<event>.network.http.user_agent |
Curated detections |
<event>.network.http.referral_url |
Threat hunting |
<event>.network.http.response_code |
Threat hunting |
<event>.network.dns.questions.name |
Curated detections |
<event>.network.dns.questions.type |
Curated detections |
<event>.network.dns.answers.name |
Curated detections |
<event>.network.dns.answers.data |
Threat hunting |
<event>.network.dns.answers.type |
Curated detections |
<event>.network.email.bcc |
Threat hunting |
<event>.network.email.email.cc |
Threat hunting |
<event>.network.email.from |
Threat hunting |
<event>.network.email.reply_to |
Threat hunting |
<event>.network.email.subject |
Threat hunting |
<event>.network.email.to |
Threat hunting |
<event>.network.ftp.command |
Threat hunting |
<entity>.entity.user.email_address |
Entity graph, IoC |
<entity>.entity.user.userid |
Entity graph |
<entity>.entity.user.windows_sid |
Entity graph |
<entity>.entity.user.product_object_id |
Entity graph, IoC |
<entity>.entity.user.employee_id |
Entity graph |
<entity>.entity.group.email_address |
Entity graph |
<entity>.entity.group.windows_sid |
Entity graph |
<entity>.entity.group.product_object_id |
Entity graph, IoC |
<entity>.entity.asset.ip |
Entity graph |
<entity>.entity.asset.mac |
Entity graph |
<entity>.entity.asset.hostname |
Entity graph |
<entity>.entity.asset.asset_id |
Entity graph |
<entity>.entity.asset.product_object_id |
Entity graph, IoC |
<entity>.entity.resource.product_object_id |
Entity graph, IoC |
<entity>.entity.resource.name |
IoC |
<entity>.entity.file |
Entity graph |
<entity>.entity.hostname |
IoC |
<entity>.entity.url |
Threat hunting |
<entity>.metadata.threat |
IoC |
<entity>.metadata.collected_timestamp |
Entity graph, IoC |