YaraL2Detection

JSON representation

JSON representation
{ "id": string, "ruleType": enum (`RuleType`), "fields": [ { object (`Value`) } ], "outcomes": [ { object (`Value`) } ], "timeWindow": { object (`Interval`) }, "resultEvents": { string: { object (`EventSampleList`) }, ... }, "resultEntityEvents": { string: { object (`EventSampleList`) }, ... }, "detectionTimestamp": string, "commitTimestamp": string, "alertingType": enum (`AlertingType`) }

{
  "id": string,
  "ruleType": enum (RuleType),
  "fields": [
    {
      object (Value)
    }
  ],
  "outcomes": [
    {
      object (Value)
    }
  ],
  "timeWindow": {
    object (Interval)
  },
  "resultEvents": {
    string: {
      object (EventSampleList)
    },
    ...
  },
  "resultEntityEvents": {
    string: {
      object (EventSampleList)
    },
    ...
  },
  "detectionTimestamp": string,
  "commitTimestamp": string,
  "alertingType": enum (AlertingType)
}

Fields
`id`	`string`
`ruleType`	`enum (RuleType)`
`fields[]`	`object (Value)`
`outcomes[]`	`object (Value)`
`timeWindow`	`object (Interval)`
`resultEvents`	`map (key: string, value: object (EventSampleList))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`resultEntityEvents`	`map (key: string, value: object (EventSampleList))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`detectionTimestamp`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`commitTimestamp`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`alertingType`	`enum (AlertingType)`

RuleType

Enums
`UNKNOWN`
`SINGLE_EVENT`
`MULTI_EVENT`
`WINDOWED_SINGLE_EVENT`

Value

JSON representation

JSON representation
{ "name": string, "fieldPath": string, // Union field `value` can be only one of the following: "boolVal": boolean, "bytesVal": string, "doubleVal": number, "int64Val": string, "uint64Val": string, "stringVal": string, "nullVal": boolean, "boolList": { object (`BoolList`) }, "bytesList": { object (`BytesList`) }, "doubleList": { object (`DoubleList`) }, "int64List": { object (`Int64List`) }, "uint64List": { object (`Uint64List`) }, "stringList": { object (`StringList`) }, "boolSeq": { object (`BoolSequence`) }, "bytesSeq": { object (`BytesSequence`) }, "doubleSeq": { object (`DoubleSequence`) }, "int64Seq": { object (`Int64Sequence`) }, "uint64Seq": { object (`Uint64Sequence`) }, "stringSeq": { object (`StringSequence`) }, "timestampVal": string // End of list of possible types for union field `value`. }

{
  "name": string,
  "fieldPath": string,

  // Union field value can be only one of the following:
  "boolVal": boolean,
  "bytesVal": string,
  "doubleVal": number,
  "int64Val": string,
  "uint64Val": string,
  "stringVal": string,
  "nullVal": boolean,
  "boolList": {
    object (BoolList)
  },
  "bytesList": {
    object (BytesList)
  },
  "doubleList": {
    object (DoubleList)
  },
  "int64List": {
    object (Int64List)
  },
  "uint64List": {
    object (Uint64List)
  },
  "stringList": {
    object (StringList)
  },
  "boolSeq": {
    object (BoolSequence)
  },
  "bytesSeq": {
    object (BytesSequence)
  },
  "doubleSeq": {
    object (DoubleSequence)
  },
  "int64Seq": {
    object (Int64Sequence)
  },
  "uint64Seq": {
    object (Uint64Sequence)
  },
  "stringSeq": {
    object (StringSequence)
  },
  "timestampVal": string
  // End of list of possible types for union field value.
}

Fields
`name`	`string`
`fieldPath`	`string`
Union field `value`. `value` can be only one of the following:
`boolVal`	`boolean`
`bytesVal`	`string (bytes format)` A base64-encoded string.
`doubleVal`	`number`
`int64Val`	`string (int64 format)`
`uint64Val`	`string`
`stringVal`	`string`
`nullVal`	`boolean`
`boolList (deprecated)`	`object (BoolList)` This item is deprecated!
`bytesList (deprecated)`	`object (BytesList)` This item is deprecated!
`doubleList (deprecated)`	`object (DoubleList)` This item is deprecated!
`int64List (deprecated)`	`object (Int64List)` This item is deprecated!
`uint64List (deprecated)`	`object (Uint64List)` This item is deprecated!
`stringList (deprecated)`	`object (StringList)` This item is deprecated!
`boolSeq`	`object (BoolSequence)`
`bytesSeq`	`object (BytesSequence)`
`doubleSeq`	`object (DoubleSequence)`
`int64Seq`	`object (Int64Sequence)`
`uint64Seq`	`object (Uint64Sequence)`
`stringSeq`	`object (StringSequence)`
`timestampVal`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

BoolList

JSON representation
{ "boolVals": [ boolean ] }

Fields
`boolVals[]`	`boolean`

BytesList

JSON representation
{ "bytesVals": [ string ] }

Fields

Fields
`bytesVals[]`	`string (bytes format)` A base64-encoded string.

bytesVals[]

string (bytes format)

A base64-encoded string.

DoubleList

JSON representation
{ "doubleVals": [ number ] }

Fields
`doubleVals[]`	`number`

Int64List

JSON representation
{ "int64Vals": [ string ] }

Fields
`int64Vals[]`	`string (int64 format)`

Uint64List

JSON representation
{ "uint64Vals": [ string ] }

Fields
`uint64Vals[]`	`string`

StringList

JSON representation
{ "stringVals": [ string ] }

Fields
`stringVals[]`	`string`

EventSampleList

JSON representation
{ "eventSamples": [ { object (`EventSample`) } ], "tooManyEventSamples": boolean }

Fields
`eventSamples[]`	`object (EventSample)`
`tooManyEventSamples`	`boolean`

EventSample

JSON representation

JSON representation
{ "rawLogToken": string, "joinedDataTableRows": [ { object (`DataTableRowDetails`) } ], // Union field `event_sample` can be only one of the following: "event": { object (`UDM`) }, "entity": { object (`Entity`) } // End of list of possible types for union field `event_sample`. }

{
  "rawLogToken": string,
  "joinedDataTableRows": [
    {
      object (DataTableRowDetails)
    }
  ],

  // Union field event_sample can be only one of the following:
  "event": {
    object (UDM)
  },
  "entity": {
    object (Entity)
  }
  // End of list of possible types for union field event_sample.
}

Fields
`rawLogToken`	`string`
`joinedDataTableRows[]`	`object (DataTableRowDetails)`
Union field `event_sample`. `event_sample` can be only one of the following:
`event`	`object (UDM)`
`entity`	`object (Entity)`

AlertingType

Enums
`UNSPECIFIED`
`NOT_ALERTING`
`ALERTING`