A Unified Data Model event.
JSON representation:

    { "metadata": { object (

| Field | Description |
|---|---|
| metadata | Event metadata such as timestamp, source product, etc. |
| additional | Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. |
| principal | Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. |
| src | Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. |
| target | Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. |
| intermediary[] | Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). |
| observer | Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. |
| about[] | Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. |
| securityResult[] | A list of security results. |
| network | All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
| extensions | All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. |
| extracted | Flattened fields extracted from the log. |
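The following is an added example, not part of the UDM documentation: it builds the firewall case from the intermediary description (a connection from A to B, with and without a blocking firewall C) and checks the principal rules stated above. The sub-field names used inside the top-level sections (hostname, ip, port, asset_id, user, event_type, action) are assumed for illustration; only the top-level section names come from this page.

```python
import json

# Principal rules as stated on the page. The sub-field names are assumed.
PRINCIPAL_MACHINE_DETAILS = {"hostname", "mac", "ip", "port", "asset_id"}
PRINCIPAL_FORBIDDEN = {"email", "file", "registry"}


def build_connection(src_host, src_ip, dst_ip, dst_port, blocking_firewall=None):
    """Return a UDM-shaped event dict for a connection from src to dst.

    principal and target describe the initial action and do not change
    when an intermediary blocks it; only intermediary/securityResult differ.
    """
    event = {
        "metadata": {
            "event_type": "NETWORK_CONNECTION",
            "event_timestamp": "2024-01-01T00:00:00Z",  # constructed sample
            "product_name": "example-firewall",          # constructed sample
        },
        "principal": {"hostname": src_host, "ip": [src_ip]},
        "target": {"ip": [dst_ip], "port": dst_port},
        "network": {"ip_protocol": "TCP"},
    }
    if blocking_firewall is None:
        event["securityResult"] = [{"action": ["ALLOW"]}]
    else:
        # Firewall C is recorded as an intermediary, not as principal or target.
        event["intermediary"] = [{"hostname": blocking_firewall}]
        event["securityResult"] = [{"action": ["BLOCK"]}]
    return event


def validate_principal(event):
    """Apply the page's principal rules; return a list of violation messages."""
    principal = event.get("principal", {})
    problems = []
    has_machine = any(k in principal for k in PRINCIPAL_MACHINE_DETAILS)
    has_user = "user" in principal
    if not (has_machine or has_user):
        problems.append("principal needs at least one machine or user detail")
    for key in sorted(PRINCIPAL_FORBIDDEN & set(principal)):
        problems.append(f"principal must not contain '{key}'")
    return problems


if __name__ == "__main__":
    blocked = build_connection("host-a", "10.0.0.1", "10.0.0.2", 443, "fw-c")
    print(json.dumps(blocked, indent=2), validate_principal(blocked))
```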