Extensions to a UDM event.
| JSON representation |
|---|
| `{ "auth": { object (` |

| Fields | Description |
|---|---|
| auth | An authentication extension. |
| vulns | A vulnerability extension. |
| entityRisk | An entity risk change extension. |
| linuxUtmp | A Linux Utmp extension. This captures details specific to Linux Utmp events, which record login and logout sessions on a Linux system. |
| windowsEventLog | A Windows Event Log extension. This captures details specific to Windows Event Log events, providing structured information from various Windows logs. |
| resourceUsage | A resource usage extension. This captures details about what entity (e.g., process, user) is using a specific resource. |
| systemEventDetails | A system event details extension. This captures additional details for system-level events, such as message type, sender image ID, and subsystem. |
| outlookMetadata | A Microsoft Outlook specific metadata extension. This includes metadata related to Outlook items, such as comments, templates, and security flags. |
| srum | A SRUM extension. This captures details specific to Windows System Resource Usage Monitor (SRUM) events, providing insights into application resource consumption. |
| userAssist | A UserAssist extension. This captures details specific to Windows User Assist events, which track application usage and execution. |
Vulnerabilities
The Vulnerabilities extension captures details on observed/detected vulnerabilities.
| JSON representation |
|---|
| `{ "vulnerabilities": [ { object (` |

| Fields | Description |
|---|---|
| vulnerabilities[] | A list of vulnerabilities. |
LinuxUtmp
The LinuxUtmp extension captures details specific to Linux Utmp events.
| JSON representation |
|---|
| `{ "recordType": enum (` |

| Fields | Description |
|---|---|
| recordType | The activity record type. |
WindowsEventLog
The WindowsEventLog extension captures details specific to Windows Event Log events.
| JSON representation |
|---|
| `{ "channel": enum (` |

| Fields | Description |
|---|---|
| channel | The channel of the event. |
| eventId | A unique identifier for a specific type of event. |
| activityId | A GUID (Globally Unique Identifier) used to link a sequence of related events together. |
ResourceUsage
The ResourceUsage extension captures details about what is using a resource.
| JSON representation |
|---|
| `{ "usedEntity": string, "usedEntityId": string }` |

| Fields | Description |
|---|---|
| usedEntity | The name of the entity (e.g., process, user) that is using the resource. |
| usedEntityId | A numerical identifier for the entity using the resource (e.g., PID, UID). |
SystemEventDetails
Captures additional details for system-level events.
| JSON representation |
|---|
| `{ "messageType": string, "senderImageId": string, "subsystem": string }` |

| Fields | Description |
|---|---|
| messageType | The specific type or category of the message. |
| senderImageId | An identifier for the image associated with the sender of the message. |
| subsystem | The subsystem or component that generated the event. |
OutlookMetadata
Microsoft Outlook specific metadata.
| JSON representation |
|---|
| `{ "comment": string, "template": string, "title": string, "securityFlagsCount": integer }` |

| Fields | Description |
|---|---|
| comment | A user-defined comment or note associated with the Outlook item. |
| template | The name of the template file used to create the Outlook item. |
| title | The title of the Outlook item. |
| securityFlagsCount | Count of security-related flags for the message, such as encryption or signing status. |
Srum
The Srum extension captures details specific to Windows System Resource Usage Monitor (SRUM) events.
| JSON representation |
|---|
| `{ "id": string, "backgroundBytesRead": string, "backgroundBytesWritten": string, "backgroundContextSwitches": string, "backgroundCycleCount": string, "backgroundFlushesCount": string, "backgroundReadOperations": string, "backgroundWriteOperations": string, "interfaceLuid": string }` |

| Fields | Description |
|---|---|
| id | A unique identifier for the SRUM record or the application/user being monitored. |
| backgroundBytesRead | The number of bytes read by the application while running in the background. |
| backgroundBytesWritten | The number of bytes written by the application while running in the background. |
| backgroundContextSwitches | The number of context switches performed by the application's threads while in the background. |
| backgroundCycleCount | The amount of CPU cycle time consumed by the application in the background, measured in clock cycles. |
| backgroundFlushesCount | The number of flush operations performed by the application in the background. |
| backgroundReadOperations | The number of read operations performed by the application in the background. |
| backgroundWriteOperations | The number of write operations performed by the application in the background. |
| interfaceLuid | The Locally Unique Identifier (LUID) for the network interface used for data transfer. |
UserAssist
The UserAssist extension captures details specific to Windows User Assist events.
| JSON representation |
|---|
| `{ "applicationFocusCount": string, "applicationFocusDuration": string, "executionsCount": string, "entryIndex": string }` |

| Fields | Description |
|---|---|
| applicationFocusCount | The number of times the application associated with the entry gained focus. |
| applicationFocusDuration | The total duration the application associated with the entry was in focus. A duration in seconds with up to nine fractional digits, ending with ' |
| executionsCount | The number of times the application associated with the entry has been executed. |
| entryIndex | The index or identifier of the user assist entry, unique per user. |
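An added example (not part of this reference and not Google's code) showing how the Srum and UserAssist extensions above are encoded and checked in Python before an event is shipped: the counters typed `string` in the JSON representations are int64 values carried as decimal strings, and `applicationFocusDuration` follows the protobuf Duration JSON form of seconds with up to nine fractional digits and a trailing `s`, which the field description above matches. Field names are taken from the page; the `SCHEMA` table, the function names and the sample values are this example's own assumptions.

```python
"""Encode and validate the Srum and UserAssist UDM extensions (added example, not Google's code)."""
import json
import re
from decimal import Decimal, ROUND_HALF_EVEN

INT64_MIN, INT64_MAX = -(2**63), 2**63 - 1
_INT64_RE = re.compile(r"^-?(0|[1-9][0-9]*)$")
# Protobuf Duration JSON form: optional sign, integer seconds, up to nine fractional digits, "s".
_DURATION_RE = re.compile(r"^-?[0-9]+(\.[0-9]{1,9})?s$")

# Field names are from the reference; grouping them by wire type is this example's assumption.
SCHEMA = {
    "srum": {
        "int64": {"backgroundBytesRead", "backgroundBytesWritten", "backgroundContextSwitches",
                  "backgroundCycleCount", "backgroundFlushesCount", "backgroundReadOperations",
                  "backgroundWriteOperations"},
        "string": {"id", "interfaceLuid"},
        "duration": set(),
    },
    "userAssist": {
        "int64": {"applicationFocusCount", "executionsCount", "entryIndex"},
        "string": set(),
        "duration": {"applicationFocusDuration"},
    },
}


def encode_int64(value: int) -> str:
    """int64 counters travel as decimal strings so JSON readers never lose precision."""
    if not isinstance(value, int) or not INT64_MIN <= value <= INT64_MAX:
        raise ValueError(f"not an int64: {value!r}")
    return str(value)


def encode_duration(seconds) -> str:
    """Seconds -> Duration string with at most nine fractional digits, e.g. 12.5 -> '12.5s'."""
    d = Decimal(str(seconds)).quantize(Decimal("1.000000000"), rounding=ROUND_HALF_EVEN)
    text = format(d, "f").rstrip("0").rstrip(".")  # drop trailing zeros and a bare "."
    return text + "s"


def decode_duration(text: str) -> Decimal:
    """Parse a Duration string back into seconds, rejecting anything off-format."""
    if not _DURATION_RE.match(text):
        raise ValueError(f"malformed Duration: {text!r}")
    return Decimal(text[:-1])


def build_extension(kind: str, values: dict) -> dict:
    """Turn native Python values into the JSON-ready extension object for `kind`."""
    spec = SCHEMA[kind]
    out = {}
    for name, value in values.items():
        if name in spec["int64"]:
            out[name] = encode_int64(value)
        elif name in spec["duration"]:
            out[name] = encode_duration(value)
        elif name in spec["string"]:
            out[name] = str(value)
        else:
            raise KeyError(f"{name} is not a field of the {kind} extension")
    return out


def validate_extension(kind: str, obj: dict) -> list:
    """Return a list of problems found in a decoded extension object (empty if it conforms)."""
    spec = SCHEMA[kind]
    problems = []
    for name, value in obj.items():
        if name in spec["int64"]:
            if not (isinstance(value, str) and _INT64_RE.match(value)
                    and INT64_MIN <= int(value) <= INT64_MAX):
                problems.append(f"{name}: int64 must be a decimal string, got {value!r}")
        elif name in spec["duration"]:
            if not (isinstance(value, str) and _DURATION_RE.match(value)):
                problems.append(f"{name}: Duration must look like '1.5s', got {value!r}")
        elif name in spec["string"]:
            if not isinstance(value, str):
                problems.append(f"{name}: expected a string, got {value!r}")
        else:
            problems.append(f"{name}: unknown field for {kind}")
    return problems


# Constructed sample values, not real telemetry.
SAMPLE_USERASSIST = build_extension("userAssist", {
    "applicationFocusCount": 7,
    "applicationFocusDuration": Decimal("95.250"),
    "executionsCount": 3,
    "entryIndex": 12,
})

if __name__ == "__main__":
    print(json.dumps(SAMPLE_USERASSIST, indent=2))
    # A Srum object carrying a raw JSON number where the reference wants a string is flagged:
    print(validate_extension("srum", {"id": "app-1", "backgroundBytesRead": 4096}))
```

`validate_extension` is the half a practitioner will use most: run it on what a parser actually emits, since a counter that arrives as a JSON number rather than a string, or a duration without the trailing `s`, is the kind of silent schema drift that makes later searches on these fields miss events.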