- Resource: Entity
- EntityMetadata
- EntityType
- SourceType
- EntityRisk
- RiskDelta
- Metric
- Measure
- AggregateFunction
- MetricName
- Dimension
- Relation
- Relationship
- Directionality
- EntityLabel
- Methods
Resource: Entity
An Entity provides additional context about an entity in a UDM event (asset, user, etc.). For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.
| JSON representation |
|---|
| `{ "name": string, "metadata": { object (` |

| Field | Description |
|---|---|
| name | The resource name of the entity. Format: `projects/{project}/locations/{location}/instances/{instance}/entities/{entity}`, `projects/{project}/locations/{location}/instances/{instance}/analytics/{analytic}/entities/{entity}` or `projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist}/entities/{entity}` |
| metadata | Entity metadata such as timestamp, product, etc. |
| entity | Noun in the UDM event that this entity represents. |
| additional | Important entity data that cannot be adequately represented within the formal sections of the Entity. |
| risk_ | Represents the entity risk scores resource. |
| metric | Metric details of the entity. Used if EntityType is METRIC. |
| relations[] | One or more relationships between the entity (a) and other entities, including the relationship type and related entity. |
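The PROCESS_LAUNCH scenario above, worked as an added example that is not part of the Google SecOps API reference: a constructed Entity record for the user (with `relations[]` of type ADMINISTERS and MEMBER) is looked up when the event arrives, so the analyst sees that the launching user is a recently terminated employee who administers a finance server. The entity record, the event, and the UDM field names used for the nouns (`principal.user.userid`, `target.process.file.full_path`, `asset.hostname`, `group.group_display_name`) are this example's assumptions.

```python
# Added example, not part of the Google SecOps API reference: enriching a UDM
# PROCESS_LAUNCH event with the context an Entity provides. The entity record
# and the event below are constructed; the UDM noun field names are assumptions.
from typing import Any

# Constructed Entity resource for the user, shaped like the Entity fields above.
USER_ENTITY: dict[str, Any] = {
    "name": "projects/PROJECT_ID/locations/LOCATION/instances/INSTANCE_ID/entities/ENTITY_ID",  # placeholder
    "metadata": {
        "entity_type": "USER",
        "source_type": "ENTITY_CONTEXT",
        "vendor_name": "ExampleHR",  # constructed vendor name
        "description": "Recently terminated employee",
    },
    "entity": {"user": {"userid": "abc@example.com"}},
    "relations": [
        {   # entity (a) = the user, entity (b) = the finance server it administers
            "entity": {"asset": {"hostname": "fin-srv-01"}},
            "entity_type": "ASSET",
            "relationship": "ADMINISTERS",
            "direction": "UNIDIRECTIONAL",
        },
        {   # the user is a member of a group
            "entity": {"group": {"group_display_name": "finance-admins"}},
            "entity_type": "GROUP",
            "relationship": "MEMBER",
            "direction": "UNIDIRECTIONAL",
        },
    ],
}
# Constructed entity store keyed by the user id carried in events.
ENTITY_STORE: dict[str, dict[str, Any]] = {"abc@example.com": USER_ENTITY}

# Constructed UDM event: user abc@example.com launched shady.exe.
EVENT: dict[str, Any] = {
    "metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-06-01T10:15:00Z"},
    "principal": {"user": {"userid": "abc@example.com"}, "hostname": "ws-01"},
    "target": {"process": {"file": {"full_path": "C:\\Users\\abc\\Downloads\\shady.exe"}}},
}


def related_entities(entity: dict[str, Any], relationship: str, entity_type: str) -> list[str]:
    """Names of related entities (b) linked to the primary entity (a) by one relationship type."""
    names: list[str] = []
    for rel in entity.get("relations", []):
        if rel.get("relationship") != relationship or rel.get("entity_type") != entity_type:
            continue
        noun = rel.get("entity", {})
        if entity_type == "ASSET":
            names.append(noun.get("asset", {}).get("hostname"))
        elif entity_type == "GROUP":
            names.append(noun.get("group", {}).get("group_display_name"))
    return [n for n in names if n]


def enrich_event(event: dict[str, Any], store: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Attach the Entity context for the event's principal user, or report that none exists."""
    userid = event.get("principal", {}).get("user", {}).get("userid")
    entity = store.get(userid) if userid else None
    if entity is None:
        # No context: the event is still valid, it just carries no enrichment.
        return {"found": False, "userid": userid}
    meta = entity.get("metadata", {})
    return {
        "found": True,
        "userid": userid,
        "entity_type": meta.get("entity_type"),
        "source_type": meta.get("source_type"),
        "description": meta.get("description"),
        "administers": related_entities(entity, "ADMINISTERS", "ASSET"),
        "member_of": related_entities(entity, "MEMBER", "GROUP"),
    }


if __name__ == "__main__":
    print(enrich_event(EVENT, ENTITY_STORE))
```

The lookup is keyed on the user id only; a production enrichment would also honour the entity's validity `interval` so that stale context (an old group membership, a reassigned host) is not attached to a newer event.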
EntityMetadata
Information about the Entity and the product where the entity was created.
| JSON representation |
|---|
| `{ "product_entity_id": string, "collected_timestamp": string, "creation_timestamp": string, "interval": { object (` |

| Field | Description |
|---|---|
| product_ | A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). |
| collected_ | GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| creation_ | GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| interval | Valid existence time range for the version of the entity represented by this entity data. |
| vendor_ | Vendor name of the product that produced the entity information. |
| product_ | Product name that produced the entity information. |
| feed | Vendor feed name for a threat indicator feed. |
| product_ | Version of the product that produced the entity information. |
| entity_ | Entity type. If an entity has multiple possible types, this specifies the most specific type. |
| description | Human-readable description of the entity. |
| threat[] | Metadata provided by a threat intelligence feed that identified the entity as malicious. |
| source_ | The source of the entity. |
| source_ | Entity source metadata labels. |
| event_ | Metadata field from the event. |
| structured_fields | Structured fields extracted from the log. |
| extracted | Flattened fields extracted from the log. |
EntityType
Describes the type of entity.

| Enum | Description |
|---|---|
| UNKNOWN_ENTITYTYPE | An unknown event type. |
| ASSET | An asset, such as a workstation, laptop, phone, virtual machine, etc. |
| USER | User. |
| GROUP | Group. |
| RESOURCE | Resource. |
| IP_ADDRESS | An external IP address. |
| FILE | A file. |
| DOMAIN_NAME | A domain. |
| URL | A URL. |
| MUTEX | A mutex. |
| METRIC | A metric. |
SourceType
Describes the source of an entity.
| Enum | Description |
|---|---|
| SOURCE_TYPE_UNSPECIFIED | Default source type. |
| ENTITY_CONTEXT | Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT). |
| DERIVED_CONTEXT | Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. |
| GLOBAL_CONTEXT | Global contextual entities such as WHOIS or Safe Browsing. |
EntityRisk
Stores information related to the risk score of an entity.
| JSON representation |
|---|
| `{ "risk_version": string, "risk_window": { object (` |

| Field | Description |
|---|---|
| risk_ | Version of the risk score calculation algorithm. |
| risk_ | Time window used when computing the risk score for an entity, for example 24 hours or 7 days. |
| DEPRECATED_risk_score | Deprecated risk score. |
| detections_ | Number of detections that make up the risk score within the time window. |
| first_ | Timestamp of the first detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| last_ | Timestamp of the last detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| risk_ | Raw risk score for the entity. |
| normalized_ | Normalized risk score for the entity. This value is between 0 and 1000. |
| risk_ | Risk window duration for the Entity. A duration in seconds with up to nine fractional digits, ending with ' |
| last_ | Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| detail_ | Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. |
| risk_ | Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. |
| raw_ | Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. |
RiskDelta
Describes the difference in risk score between two points in time.
| JSON representation |
|---|
| `{ "previous_range_end_time": string, "risk_score_delta": integer, "previous_risk_score": integer, "risk_score_numeric_delta": integer }` |

| Field | Description |
|---|---|
| previous_ | End time of the previous time window. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| risk_ | Difference in the normalized risk score from the previous recorded value. |
| previous_ | Risk score from the previous risk window. |
| risk_ | Numeric change between the current and previous risk score. |
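The EntityRisk and RiskDelta descriptions above say what the delta fields mean but not how a consumer of two successive risk snapshots checks them. The following is an added example (not part of the Google SecOps API reference) that derives a RiskDelta-shaped record for both the normalized and the raw score from two constructed EntityRisk snapshots, enforcing the 0 to 1000 range of the normalized score and the ordering of the two windows. Using `risk_window.end_time` as the window boundary, the field names `risk_score`, `normalized_risk_score` and `detections_count`, and treating a missing previous window as a previous score of 0 are this example's assumptions.

```python
# Added example, not part of the Google SecOps API reference: computing a
# RiskDelta from two EntityRisk snapshots of the same entity. Snapshots are
# constructed; field names beyond those in the RiskDelta JSON are assumptions.
from datetime import datetime
from typing import Any, Optional

# Constructed EntityRisk snapshots for consecutive 24-hour windows.
PREVIOUS_RISK: dict[str, Any] = {
    "risk_version": "v1",
    "risk_window": {"start_time": "2024-05-31T00:00:00Z", "end_time": "2024-06-01T00:00:00Z"},
    "detections_count": 1,
    "risk_score": 3.5,             # raw score (assumed field name)
    "normalized_risk_score": 120,  # 0-1000 per the page
}
CURRENT_RISK: dict[str, Any] = {
    "risk_version": "v1",
    "risk_window": {"start_time": "2024-06-01T00:00:00Z", "end_time": "2024-06-02T00:00:00Z"},
    "detections_count": 6,
    "risk_score": 19.0,
    "normalized_risk_score": 640,
}


def parse_rfc3339(ts: str) -> datetime:
    """Parse the Z-normalized RFC 3339 timestamps the API emits (Python < 3.11 rejects 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _check_normalized(score: int) -> int:
    """The page states the normalized score lies between 0 and 1000; reject anything else."""
    if not 0 <= score <= 1000:
        raise ValueError(f"normalized_risk_score {score} outside 0-1000")
    return score


def compute_risk_delta(previous: Optional[dict[str, Any]], current: dict[str, Any]) -> dict[str, Any]:
    """Return RiskDelta-shaped records for the normalized and raw score change between windows."""
    cur_norm = _check_normalized(current["normalized_risk_score"])
    cur_raw = current["risk_score"]
    cur_end = current["risk_window"]["end_time"]
    if previous is None:
        # Assumption: with no earlier window the whole current score is the delta.
        prev_norm, prev_raw, prev_end = 0, 0, None
    else:
        prev_norm = _check_normalized(previous["normalized_risk_score"])
        prev_raw = previous["risk_score"]
        prev_end = previous["risk_window"]["end_time"]
        if parse_rfc3339(prev_end) >= parse_rfc3339(cur_end):
            raise ValueError("previous window must end before the current window")
    return {
        # risk_score_delta on EntityRisk: change in the normalized score
        "risk_score_delta": {
            "previous_range_end_time": prev_end,
            "risk_score_delta": cur_norm - prev_norm,
            "previous_risk_score": prev_norm,
        },
        # raw_risk_score_delta on EntityRisk: change in the raw score
        "raw_risk_score_delta": {
            "previous_range_end_time": prev_end,
            "risk_score_delta": cur_raw - prev_raw,
            "previous_risk_score": prev_raw,
        },
    }


if __name__ == "__main__":
    print(compute_risk_delta(PREVIOUS_RISK, CURRENT_RISK))
```

Because the normalized score is bounded, a detection that keys on a large positive `risk_score_delta` is comparable across entities, whereas the raw delta depends on the `risk_version` in use and should only be compared between snapshots computed with the same version.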
Metric
Stores precomputed aggregated analytic data for an entity.
| JSON representation |
|---|
| `{ "first_seen": string, "last_seen": string, "sum_measure": { object (` |

| Field | Description |
|---|---|
| first_ | Timestamp of the first time the entity was seen in the environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| last_ | Timestamp of the last time the entity was seen in the environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| sum_ | Sum of all precomputed measures for the given metric. |
| total_ | Total number of events used to calculate the given precomputed metric. |
| metric_ | Name of the analytic. |
| dimensions[] | All group by clauses used to calculate the metric. |
| export_ | Export window for which the metric was exported. |
Measure
Describes the precomputed measure.
| JSON representation |
|---|
| `{ "value": number, "aggregate_function": enum (` |

| Field | Description |
|---|---|
| value | Value of the aggregated measure. |
| aggregate_ | Function used to calculate the aggregated measure. |
AggregateFunction
Mathematical function used to calculate the value.

| Enum | Description |
|---|---|
| AGGREGATE_FUNCTION_UNSPECIFIED | Default value. |
| MIN | Minimum. |
| MAX | Maximum. |
| COUNT | Count. |
| SUM | Sum. |
| AVG | Average. |
| STDDEV | Standard deviation. |
MetricName
The name of the precomputed analytic.
| Enum | Description |
|---|---|
| METRIC_NAME_UNSPECIFIED | Default. |
| NETWORK_BYTES_INBOUND | Total received network bytes. |
| NETWORK_BYTES_OUTBOUND | Total sent network bytes. |
| NETWORK_BYTES_TOTAL | Total network bytes sent and received. |
| AUTH_ATTEMPTS_SUCCESS | Successful authentication attempts. |
| AUTH_ATTEMPTS_FAIL | Failed authentication attempts. |
| AUTH_ATTEMPTS_TOTAL | Total authentication attempts. |
| DNS_BYTES_OUTBOUND | Total number of sent bytes for DNS events. |
| NETWORK_FLOWS_INBOUND | Total number of events having non-null received bytes. |
| NETWORK_FLOWS_OUTBOUND | Total number of events having non-null sent bytes. |
| NETWORK_FLOWS_TOTAL | Total events having non-null sent or received bytes. |
| DNS_QUERIES_SUCCESS | DNS query success count: number of events with response_code = 0. |
| DNS_QUERIES_FAIL | Number of events with response_code != 0. |
| DNS_QUERIES_TOTAL | Total number of DNS queries made. |
| FILE_EXECUTIONS_SUCCESS | Number of successful file executions. |
| FILE_EXECUTIONS_FAIL | Number of failed file executions. |
| FILE_EXECUTIONS_TOTAL | Total number of file executions. |
| HTTP_QUERIES_SUCCESS | Number of successful HTTP queries. |
| HTTP_QUERIES_FAIL | Number of failed HTTP queries. |
| HTTP_QUERIES_TOTAL | Total number of HTTP queries. |
| WORKSPACE_EMAILS_SENT_TOTAL | Total number of emails sent in Google Workspace. |
| WORKSPACE_TOTAL_DOWNLOAD_ACTIONS | Total number of download actions in Google Workspace. |
| WORKSPACE_TOTAL_CHANGE_ACTIONS | Total number of change actions in Google Workspace. |
| WORKSPACE_AUTH_ATTEMPTS_TOTAL | Total number of authentication attempts in Google Workspace. |
| WORKSPACE_NETWORK_BYTES_OUTBOUND | Number of outbound network bytes (total sent) in Google Workspace. |
| WORKSPACE_NETWORK_BYTES_TOTAL | Total number of network bytes (both sent and received) in Google Workspace. |
| ALERT_EVENT_NAME_COUNT | Tracks the number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. |
| RESOURCE_CREATION_TOTAL | First-time analytic tracking successful resource creations. |
| RESOURCE_CREATION_SUCCESS | Volume-based analytic tracking successful resource creations. |
| RESOURCE_READ_SUCCESS | Volume-based analytic tracking successful resource reads. |
| RESOURCE_READ_FAIL | Volume-based analytic tracking failed resource reads. |
| RESOURCE_DELETION_SUCCESS | Volume-based analytic tracking successful resource deletions. |
Dimension
Describes the field used as the dimension when grouping data to calculate the aggregate metric.

| Enum | Description |
|---|---|
| DIMENSION_UNSPECIFIED | Default. |
| PRINCIPAL_DEVICE | Principal Device. |
| TARGET_USER | Target User. |
| TARGET_DEVICE | Target Device. |
| PRINCIPAL_USER | Principal User. |
| TARGET_IP | Target IP. |
| PRINCIPAL_FILE_HASH | Principal File Hash. |
| PRINCIPAL_COUNTRY | Principal Country. |
| SECURITY_CATEGORY | Security Category. |
| NETWORK_ASN | Network ASN. |
| CLIENT_CERTIFICATE_HASH | Client Certificate Hash. |
| DNS_QUERY_TYPE | DNS Query Type. |
| DNS_DOMAIN | DNS Domain. |
| HTTP_USER_AGENT | HTTP User Agent. |
| EVENT_TYPE | Event Type. |
| PRODUCT_NAME | Product Name. |
| PRODUCT_EVENT_TYPE | Product Event Type. |
| PARENT_FOLDER_PATH | Parent Folder Path. |
| TARGET_RESOURCE_NAME | Target Resource Name. |
| PRINCIPAL_APPLICATION | Principal Application. |
| TARGET_APPLICATION | Target Application. |
| EMAIL_TO_ADDRESS | Email To Address. |
| EMAIL_FROM_ADDRESS | Email From Address. |
| MAIL_ID | Mail Id. |
| PRINCIPAL_IP | Principal IP. |
| SECURITY_ACTION | Security Action. |
| SECURITY_RULE_ID | Security Rule Id. |
| TARGET_NETWORK_ORGANIZATION_NAME | Target Network Organization Name. |
| PRINCIPAL_NETWORK_ORGANIZATION_NAME | Principal Network Organization Name. |
| PRINCIPAL_PROCESS_FILE_PATH | Principal Process File Path. |
| PRINCIPAL_PROCESS_FILE_HASH | Principal Process File SHA256 Hash. |
| SECURITY_RESULT_RULE_NAME | Security Result Rule Name. |
| TARGET_RESOURCE_LABEL_KEY | Target Resource Label Key. |
| VENDOR_NAME | Vendor Name. |
| TARGET_RESOURCE_TYPE | Target Resource Type. |
| TARGET_LOCATION_NAME | Target Location Name. |
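The Metric, Measure, AggregateFunction, MetricName and Dimension sections above describe the shape of a precomputed analytic but not how one is derived from events. The block below is an added example, not part of the Google SecOps API reference, that builds Metric-shaped records from constructed UDM-shaped events: it selects the measure field for a MetricName, groups by one or more Dimension values, applies the chosen AggregateFunction, and fills `first_seen`, `last_seen`, `sum_measure`, `total_events`, `metric_name` and `dimensions`. The mapping of MetricName and Dimension values to UDM fields (`network.sent_bytes`, `network.received_bytes`, `principal.hostname`, `principal.user.userid`) is this example's assumption.

```python
# Added example, not part of the Google SecOps API reference: computing a
# precomputed Metric from raw events. Events are constructed; the field
# mappings for MetricName and Dimension values are assumptions.
import statistics
from typing import Any, Callable, Iterable

# Assumed mapping from MetricName to the event field the measure is taken from.
MEASURE_FIELD: dict[str, tuple[str, ...]] = {
    "NETWORK_BYTES_OUTBOUND": ("network", "sent_bytes"),
    "NETWORK_BYTES_INBOUND": ("network", "received_bytes"),
}
# Assumed mapping from Dimension to the event field used as the group-by key.
DIMENSION_FIELD: dict[str, tuple[str, ...]] = {
    "PRINCIPAL_DEVICE": ("principal", "hostname"),
    "PRINCIPAL_USER": ("principal", "user", "userid"),
}
# AggregateFunction values from the page mapped to the function that computes them.
AGGREGATES: dict[str, Callable[[list[float]], float]] = {
    "MIN": min,
    "MAX": max,
    "COUNT": len,
    "SUM": sum,
    "AVG": statistics.fmean,
    "STDDEV": statistics.pstdev,  # population standard deviation (assumption)
}

# Constructed UDM-shaped events; the PROCESS_LAUNCH event carries no network bytes.
EVENTS: list[dict[str, Any]] = [
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-06-01T10:00:00Z"},
     "principal": {"hostname": "ws-01", "user": {"userid": "alice"}}, "network": {"sent_bytes": 100}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-06-01T11:00:00Z"},
     "principal": {"hostname": "ws-01", "user": {"userid": "alice"}}, "network": {"sent_bytes": 250}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-06-01T12:00:00Z"},
     "principal": {"hostname": "ws-01", "user": {"userid": "alice"}}, "network": {"sent_bytes": 400}},
    {"metadata": {"event_type": "NETWORK_CONNECTION", "event_timestamp": "2024-06-01T10:30:00Z"},
     "principal": {"hostname": "ws-02", "user": {"userid": "bob"}}, "network": {"sent_bytes": 50}},
    {"metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-06-01T10:45:00Z"},
     "principal": {"hostname": "ws-01", "user": {"userid": "alice"}}},
]


def get_path(obj: Any, path: tuple[str, ...]) -> Any:
    """Walk a nested dict; return None if any key on the path is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def compute_metric(events: Iterable[dict[str, Any]], metric_name: str,
                   aggregate_function: str, dimensions: list[str]) -> dict[tuple, dict[str, Any]]:
    """Return one Metric-shaped record per distinct combination of dimension values."""
    field = MEASURE_FIELD[metric_name]
    aggregate = AGGREGATES[aggregate_function]
    groups: dict[tuple, dict[str, list]] = {}
    for event in events:
        value = get_path(event, field)
        if value is None:
            continue  # event has no measure for this metric (e.g. no sent bytes), so it is not counted
        key = tuple(get_path(event, DIMENSION_FIELD[d]) for d in dimensions)
        group = groups.setdefault(key, {"values": [], "times": []})
        group["values"].append(value)
        group["times"].append(event["metadata"]["event_timestamp"])
    metrics: dict[tuple, dict[str, Any]] = {}
    for key, group in groups.items():
        metrics[key] = {
            # Z-normalized RFC 3339 strings with equal precision sort chronologically.
            "first_seen": min(group["times"]),
            "last_seen": max(group["times"]),
            "sum_measure": {"value": aggregate(group["values"]), "aggregate_function": aggregate_function},
            "total_events": len(group["values"]),
            "metric_name": metric_name,
            "dimensions": list(dimensions),
        }
    return metrics


if __name__ == "__main__":
    for key, metric in compute_metric(EVENTS, "NETWORK_BYTES_OUTBOUND", "SUM", ["PRINCIPAL_DEVICE"]).items():
        print(key, metric)
```

Note that `total_events` counts only events that carried the measure, which is what lets a NETWORK_FLOWS-style "events having non-null sent bytes" metric be read directly off the same grouping.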
Relation
Defines the relationship between the entity (a) and another entity (b).
| JSON representation |
|---|
| `{ "entity": { object (` |

| Field | Description |
|---|---|
| entity | Entity (b) that the primary entity (a) is related to. |
| entity_ | Type of the related entity (b) in this relationship. |
| relationship | Type of relationship. |
| direction | Directionality of the relationship between the primary entity (a) and the related entity (b). |
| uid | UID of the relationship. A base64-encoded string. |
| entity_ | Label to identify the Noun of the relation. |
Relationship
Type of relationship between the primary entity (a) and related entity (b).
| Enum | Description |
|---|---|
| RELATIONSHIP_UNSPECIFIED | Default value. |
| OWNS | Related entity is owned by the primary entity (e.g. user owns device asset). |
| ADMINISTERS | Related entity is administered by the primary entity (e.g. user administers a group). |
| MEMBER | Primary entity is a member of the related entity (e.g. user is a member of a group). |
| EXECUTES | Primary entity may have executed the related entity. |
| DOWNLOADED_FROM | Primary entity may have been downloaded from the related entity. |
| CONTACTS | Primary entity contacts the related entity. |
Directionality
Describes the relationship model as directed or undirected.
| Enum | Description |
|---|---|
| DIRECTIONALITY_UNSPECIFIED | Default value. |
| BIDIRECTIONAL | Modeled in both directions: primary entity (a) to related entity (b) and related entity (b) to primary entity (a). |
| UNIDIRECTIONAL | Modeled in a single direction: primary entity (a) to related entity (b). |
EntityLabel
Entity label of the relation.
| Enum | Description |
|---|---|
| ENTITY_LABEL_UNSPECIFIED | Default value. |
| PRINCIPAL | The Noun represents a principal type object. |
| TARGET | The Noun represents a target type object. |
| OBSERVER | The Noun represents an observer type object. |
| SRC | The Noun represents a src type object. |
| NETWORK | The Noun represents a network type object. |
| SECURITY_RESULT | The Noun represents a SecurityResult object. |
| INTERMEDIARY | The Noun represents an intermediary type object. |
Methods
- Gets an entity by name.
- ImportEntities imports the entities.
- Modify base entity risk score for an entity.
- Query modifications to base entity risk score for an entity.