YaraL2Detection

JSON representation

JSON representation
{ "id": string, "rule_type": enum (`RuleType`), "fields": [ { object (`Value`) } ], "outcomes": [ { object (`Value`) } ], "time_window": { object (`Interval`) }, "result_events": { string: { object (`EventSampleList`) }, ... }, "result_entity_events": { string: { object (`EventSampleList`) }, ... }, "detection_timestamp": string, "commit_timestamp": string, "alerting_type": enum (`AlertingType`) }

{
  "id": string,
  "rule_type": enum (RuleType),
  "fields": [
    {
      object (Value)
    }
  ],
  "outcomes": [
    {
      object (Value)
    }
  ],
  "time_window": {
    object (Interval)
  },
  "result_events": {
    string: {
      object (EventSampleList)
    },
    ...
  },
  "result_entity_events": {
    string: {
      object (EventSampleList)
    },
    ...
  },
  "detection_timestamp": string,
  "commit_timestamp": string,
  "alerting_type": enum (AlertingType)
}

Fields
`id`	`string`
`rule_type`	`enum (RuleType)`
`fields[]`	`object (Value)`
`outcomes[]`	`object (Value)`
`time_window`	`object (Interval)`
`result_events`	`map (key: string, value: object (EventSampleList))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`result_entity_events`	`map (key: string, value: object (EventSampleList))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
`detection_timestamp`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`commit_timestamp`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`alerting_type`	`enum (AlertingType)`

RuleType

Enums
`UNKNOWN`
`SINGLE_EVENT`
`MULTI_EVENT`
`WINDOWED_SINGLE_EVENT`

Value

JSON representation

JSON representation
{ "name": string, "field_path": string, // Union field `value` can be only one of the following: "bool_val": boolean, "bytes_val": string, "double_val": number, "int64_val": string, "uint64_val": string, "string_val": string, "null_val": boolean, "bool_list": { object (`BoolList`) }, "bytes_list": { object (`BytesList`) }, "double_list": { object (`DoubleList`) }, "int64_list": { object (`Int64List`) }, "uint64_list": { object (`Uint64List`) }, "string_list": { object (`StringList`) }, "bool_seq": { object (`BoolSequence`) }, "bytes_seq": { object (`BytesSequence`) }, "double_seq": { object (`DoubleSequence`) }, "int64_seq": { object (`Int64Sequence`) }, "uint64_seq": { object (`Uint64Sequence`) }, "string_seq": { object (`StringSequence`) }, "timestamp_val": string // End of list of possible types for union field `value`. }

{
  "name": string,
  "field_path": string,

  // Union field value can be only one of the following:
  "bool_val": boolean,
  "bytes_val": string,
  "double_val": number,
  "int64_val": string,
  "uint64_val": string,
  "string_val": string,
  "null_val": boolean,
  "bool_list": {
    object (BoolList)
  },
  "bytes_list": {
    object (BytesList)
  },
  "double_list": {
    object (DoubleList)
  },
  "int64_list": {
    object (Int64List)
  },
  "uint64_list": {
    object (Uint64List)
  },
  "string_list": {
    object (StringList)
  },
  "bool_seq": {
    object (BoolSequence)
  },
  "bytes_seq": {
    object (BytesSequence)
  },
  "double_seq": {
    object (DoubleSequence)
  },
  "int64_seq": {
    object (Int64Sequence)
  },
  "uint64_seq": {
    object (Uint64Sequence)
  },
  "string_seq": {
    object (StringSequence)
  },
  "timestamp_val": string
  // End of list of possible types for union field value.
}

Fields
`name`	`string`
`field_path`	`string`
Union field `value`. `value` can be only one of the following:
`bool_val`	`boolean`
`bytes_val`	`string (bytes format)` A base64-encoded string.
`double_val`	`number`
`int64_val`	`string (int64 format)`
`uint64_val`	`string`
`string_val`	`string`
`null_val`	`boolean`
`bool_list (deprecated)`	`object (BoolList)` This item is deprecated!
`bytes_list (deprecated)`	`object (BytesList)` This item is deprecated!
`double_list (deprecated)`	`object (DoubleList)` This item is deprecated!
`int64_list (deprecated)`	`object (Int64List)` This item is deprecated!
`uint64_list (deprecated)`	`object (Uint64List)` This item is deprecated!
`string_list (deprecated)`	`object (StringList)` This item is deprecated!
`bool_seq`	`object (BoolSequence)`
`bytes_seq`	`object (BytesSequence)`
`double_seq`	`object (DoubleSequence)`
`int64_seq`	`object (Int64Sequence)`
`uint64_seq`	`object (Uint64Sequence)`
`string_seq`	`object (StringSequence)`
`timestamp_val`	`string (Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.

BoolList

JSON representation
{ "bool_vals": [ boolean ] }

Fields
`bool_vals[]`	`boolean`

BytesList

JSON representation
{ "bytes_vals": [ string ] }

Fields

Fields
`bytes_vals[]`	`string (bytes format)` A base64-encoded string.

bytes_vals[]

string (bytes format)

A base64-encoded string.

DoubleList

JSON representation
{ "double_vals": [ number ] }

Fields
`double_vals[]`	`number`

Int64List

JSON representation
{ "int64_vals": [ string ] }

Fields
`int64_vals[]`	`string (int64 format)`

Uint64List

JSON representation
{ "uint64_vals": [ string ] }

Fields
`uint64_vals[]`	`string`

StringList

JSON representation
{ "string_vals": [ string ] }

Fields
`string_vals[]`	`string`

EventSampleList

JSON representation
{ "event_samples": [ { object (`EventSample`) } ], "too_many_event_samples": boolean }

Fields
`event_samples[]`	`object (EventSample)`
`too_many_event_samples`	`boolean`

EventSample

JSON representation

JSON representation
{ "raw_log_token": string, // Union field `event_sample` can be only one of the following: "event": { object (`UDM`) }, "entity": { object (`Entity`) } // End of list of possible types for union field `event_sample`. }

{
  "raw_log_token": string,

  // Union field event_sample can be only one of the following:
  "event": {
    object (UDM)
  },
  "entity": {
    object (Entity)
  }
  // End of list of possible types for union field event_sample.
}

Fields
`raw_log_token`	`string`
Union field `event_sample`. `event_sample` can be only one of the following:
`event`	`object (UDM)`
`entity`	`object (Entity)`

AlertingType

Enums
`UNSPECIFIED`
`NOT_ALERTING`
`ALERTING`