REST Resource: projects.locations.instances.entities

Resource: Entity

An Entity provides additional context about an entity in a UDM event (asset, user, etc.). For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.

JSON representation

JSON representation
{ "name": string, "metadata": { object (`EntityMetadata`) }, "entity": { object (`Noun`) }, "additional": { object }, "risk_score": { object (`EntityRisk`) }, "metric": { object (`Metric`) }, "relations": [ { object (`Relation`) } ] }

{
  "name": string,
  "metadata": {
    object (EntityMetadata)
  },
  "entity": {
    object (Noun)
  },
  "additional": {
    object
  },
  "risk_score": {
    object (EntityRisk)
  },
  "metric": {
    object (Metric)
  },
  "relations": [
    {
      object (Relation)
    }
  ]
}

Fields
`name`	`string` The resource name of the entity. Format: projects/{project}/locations/{location}/instances/{instance}/entities/{entity} projects/{project}/locations/{location}/instances/{instance}/analytics/{analytic}/entities/{entity} projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist}/entities/{entity}
`metadata`	`object (EntityMetadata)` Entity metadata such as timestamp, product, etc.
`entity`	`object (Noun)` Noun in the UDM event that this entity represents.
`additional`	`object (Struct format)` Important entity data that cannot be adequately represented within the formal sections of the Entity.
`risk_score`	`object (EntityRisk)` Represents the entity risk scores resource
`metric`	`object (Metric)` Metric details of the entity. Used if EntityType is METRIC.
`relations[]`	`object (Relation)` One or more relationships between the entity (a) and other entities, including the relationship type and related entity.

EntityMetadata

Information about the Entity and the product where the entity was created. Next Tag: 17

JSON representation

JSON representation
{ "product_entity_id": string, "collected_timestamp": string, "creation_timestamp": string, "interval": { object (`Interval`) }, "vendor_name": string, "product_name": string, "feed": string, "product_version": string, "entity_type": enum (`EntityType`), "description": string, "threat": [ { object (`SecurityResult`) } ], "source_type": enum (`SourceType`), "source_labels": [ { object (`Label`) } ], "event_metadata": { object (`Metadata`) }, "structured_fields": { object }, "extracted": { object } }

{
  "product_entity_id": string,
  "collected_timestamp": string,
  "creation_timestamp": string,
  "interval": {
    object (Interval)
  },
  "vendor_name": string,
  "product_name": string,
  "feed": string,
  "product_version": string,
  "entity_type": enum (EntityType),
  "description": string,
  "threat": [
    {
      object (SecurityResult)
    }
  ],
  "source_type": enum (SourceType),
  "source_labels": [
    {
      object (Label)
    }
  ],
  "event_metadata": {
    object (Metadata)
  },
  "structured_fields": {
    object
  },
  "extracted": {
    object
  }
}

Fields
`product_entity_id`	`string` A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar).
`collected_timestamp`	`string (Timestamp format)` GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`creation_timestamp`	`string (Timestamp format)` GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`interval`	`object (Interval)` Valid existence time range for the version of the entity represented by this entity data.
`vendor_name`	`string` Vendor name of the product that produced the entity information.
`product_name`	`string` Product name that produced the entity information.
`feed`	`string` Vendor feed name for a threat indicator feed.
`product_version`	`string` Version of the product that produced the entity information.
`entity_type`	`enum (EntityType)` Entity type. If an entity has multiple possible types, this specifies the most specific type.
`description`	`string` Human-readable description of the entity.
`threat[]`	`object (SecurityResult)` Metadata provided by a threat intelligence feed that identified the entity as malicious.
`source_type`	`enum (SourceType)` The source of the entity.
`source_labels[]`	`object (Label)` Entity source metadata labels.
`event_metadata`	`object (Metadata)` Metadata field from the event.
`structured_fields (deprecated)`	`object (Struct format)` This item is deprecated! Structured fields extracted from the log.
`extracted`	`object (Struct format)` Flattened fields extracted from the log.

EntityType

Describes the type of entity. An unknown event type.

Enums
`UNKNOWN_ENTITYTYPE`	@hide_from_doc
`ASSET`	An asset, such as workstation, laptop, phone, virtual machine, etc.
`USER`	User.
`GROUP`	Group.
`RESOURCE`	Resource.
`IP_ADDRESS`	An external IP address.
`FILE`	A file.
`DOMAIN_NAME`	A domain.
`URL`	A url.
`MUTEX`	A mutex.
`METRIC`	A metric.

SourceType

Describes the source of an entity.

Enums
`SOURCE_TYPE_UNSPECIFIED`	Default source type
`ENTITY_CONTEXT`	Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT)
`DERIVED_CONTEXT`	Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats.
`GLOBAL_CONTEXT`	Global contextual entities such as WHOIS or Safe Browsing.

EntityRisk

Stores information related to the risk score of an entity.

JSON representation

JSON representation
{ "risk_version": string, "risk_window": { object (`Interval`) }, "DEPRECATED_risk_score": integer, "detections_count": integer, "first_detection_time": string, "last_detection_time": string, "risk_score": number, "normalized_risk_score": integer, "risk_window_size": string, "last_reset_time": string, "detail_uri": string, "risk_delta": { object (`RiskDelta`) }, "raw_risk_delta": { object (`RiskDelta`) } }

{
  "risk_version": string,
  "risk_window": {
    object (Interval)
  },
  "DEPRECATED_risk_score": integer,
  "detections_count": integer,
  "first_detection_time": string,
  "last_detection_time": string,
  "risk_score": number,
  "normalized_risk_score": integer,
  "risk_window_size": string,
  "last_reset_time": string,
  "detail_uri": string,
  "risk_delta": {
    object (RiskDelta)
  },
  "raw_risk_delta": {
    object (RiskDelta)
  }
}

Fields
`risk_version`	`string` Version of the risk score calculation algorithm.
`risk_window`	`object (Interval)` Time window used when computing the risk score for an entity, for example 24 hours or 7 days.
`DEPRECATED_risk_score (deprecated)`	`integer` This item is deprecated! Deprecated risk score.
`detections_count`	`integer` Number of detections that make up the risk score within the time window.
`first_detection_time`	`string (Timestamp format)` Timestamp of the first detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`last_detection_time`	`string (Timestamp format)` Timestamp of the last detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`risk_score`	`number` Raw risk score for the entity.
`normalized_risk_score`	`integer` Normalized risk score for the entity. This value is between 0-1000.
`risk_window_size`	`string (Duration format)` Risk window duration for the Entity. A duration in seconds with up to nine fractional digits, ending with '`s`'. Example: `"3.5s"`.
`last_reset_time`	`string (Timestamp format)` Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`detail_uri`	`string` Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL.
`risk_delta`	`object (RiskDelta)` Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window.
`raw_risk_delta`	`object (RiskDelta)` Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window.

RiskDelta

Describes the difference in risk score between two points in time.

JSON representation
{ "previous_range_end_time": string, "risk_score_delta": integer, "previous_risk_score": integer, "risk_score_numeric_delta": integer }

Fields
`previous_range_end_time`	`string (Timestamp format)` End time of the previous time window. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`risk_score_delta`	`integer` Difference in the normalized risk score from the previous recorded value.
`previous_risk_score`	`integer` Risk score from previous risk window
`risk_score_numeric_delta`	`integer` Numeric change between current and previous risk score

Metric

Stores precomputed aggregated analytic data for an entity.

JSON representation

JSON representation
{ "first_seen": string, "last_seen": string, "sum_measure": { object (`Measure`) }, "total_events": string, "metric_name": enum (`MetricName`), "dimensions": [ enum (`Dimension`) ], "export_window": string }

{
  "first_seen": string,
  "last_seen": string,
  "sum_measure": {
    object (Measure)
  },
  "total_events": string,
  "metric_name": enum (MetricName),
  "dimensions": [
    enum (Dimension)
  ],
  "export_window": string
}

Fields
`first_seen`	`string (Timestamp format)` Timestamp of the first time the entity was seen in the environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`last_seen`	`string (Timestamp format)` Time stamp of the last time last time the entity was seen in the environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`sum_measure`	`object (Measure)` Sum of all precomputed measures for the given metric.
`total_events`	`string (int64 format)` Total number of events used to calculate the given precomputed metric.
`metric_name`	`enum (MetricName)` Name of the analytic.
`dimensions[]`	`enum (Dimension)` All group by clauses used to calculate the metric.
`export_window`	`string (int64 format)` Export window for which the metric was exported.

Measure

Describes the precomputed measure.

JSON representation
{ "value": number, "aggregate_function": enum (`AggregateFunction`) }

Fields

Fields
`value`	`number` Value of the aggregated measure.
`aggregate_function`	`enum (AggregateFunction)` Function used to calculate the aggregated measure.

value

number

Value of the aggregated measure.

aggregate_function

enum (AggregateFunction)

Function used to calculate the aggregated measure.

AggregateFunction

Mathematic function used to calculate the value.

Enums
`AGGREGATE_FUNCTION_UNSPECIFIED`	Default value.
`MIN`	Minimum.
`MAX`	Maximum.
`COUNT`	Count.
`SUM`	Sum.
`AVG`	Average.
`STDDEV`	Standard Deviation.

MetricName

The name of the precomputed analytic.

Enums
`METRIC_NAME_UNSPECIFIED`	Default
`NETWORK_BYTES_INBOUND`	Total received network bytes.
`NETWORK_BYTES_OUTBOUND`	Total network sent bytes.
`NETWORK_BYTES_TOTAL`	Total network sent bytes and received bytes.
`AUTH_ATTEMPTS_SUCCESS`	Successful authentication attempts.
`AUTH_ATTEMPTS_FAIL`	Failed authentication attempts.
`AUTH_ATTEMPTS_TOTAL`	Total authentication attempts.
`DNS_BYTES_OUTBOUND`	Total number of sent bytes for DNS events.
`NETWORK_FLOWS_INBOUND`	Total number of events having non-null received bytes.
`NETWORK_FLOWS_OUTBOUND`	Total number of events having non-null sent bytes.
`NETWORK_FLOWS_TOTAL`	Total events having non-null sent or received bytes.
`DNS_QUERIES_SUCCESS`	DNS query success count - Number of events with response_code = 0.
`DNS_QUERIES_FAIL`	Number of events with response_code != 0.
`DNS_QUERIES_TOTAL`	Total number of DNS queries made.
`FILE_EXECUTIONS_SUCCESS`	Number of successfule file executions.
`FILE_EXECUTIONS_FAIL`	Number of failed file executions.
`FILE_EXECUTIONS_TOTAL`	Total number file executions.
`HTTP_QUERIES_SUCCESS`	Number of successful HTTP queries.
`HTTP_QUERIES_FAIL`	Number of failed HTTP queries.
`HTTP_QUERIES_TOTAL`	Total number of HTTP queries.
`WORKSPACE_EMAILS_SENT_TOTAL`	Total number of emails sent in Google Workspace.
`WORKSPACE_TOTAL_DOWNLOAD_ACTIONS`	Total number of download actions in Google Workspace.
`WORKSPACE_TOTAL_CHANGE_ACTIONS`	Total number of change actions in Google Workspace.
`WORKSPACE_AUTH_ATTEMPTS_TOTAL`	Total number of authentication attempts in Google Workspace.
`WORKSPACE_NETWORK_BYTES_OUTBOUND`	Number of outbound network bytes (total sent) in Google Workspace.
`WORKSPACE_NETWORK_BYTES_TOTAL`	Total number of network bytes (both sent and received) in Google Workspace.
`ALERT_EVENT_NAME_COUNT`	Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH.
`RESOURCE_CREATION_TOTAL`	First-time analytic tracking successful resource creations.
`RESOURCE_CREATION_SUCCESS`	Volume-based analytic tracking successful resource creations.
`RESOURCE_READ_SUCCESS`	Volume-based analytic tracking successful resource reads.
`RESOURCE_READ_FAIL`	Volume-based analytic tracking failed resource reads.
`RESOURCE_DELETION_SUCCESS`	Volume-based analytic tracking successful resource deletions.

Dimension

Describes field used as the dimension when grouping data to calculate the aggregate metric.

Enums
`DIMENSION_UNSPECIFIED`	Default
`PRINCIPAL_DEVICE`	Principal Device
`TARGET_USER`	Target User
`TARGET_DEVICE`	Target Device
`PRINCIPAL_USER`	Principal User
`TARGET_IP`	Target IP
`PRINCIPAL_FILE_HASH`	Principal File Hash
`PRINCIPAL_COUNTRY`	Principal Country
`SECURITY_CATEGORY`	Security Category
`NETWORK_ASN`	Network ASN
`CLIENT_CERTIFICATE_HASH`	Client Certificate Hash
`DNS_QUERY_TYPE`	DNS Query Type
`DNS_DOMAIN`	DNS Domain
`HTTP_USER_AGENT`	HTTP User Agent
`EVENT_TYPE`	Event Type
`PRODUCT_NAME`	Product Name
`PRODUCT_EVENT_TYPE`	Product Event Type
`PARENT_FOLDER_PATH`	Parent Folder Path
`TARGET_RESOURCE_NAME`	Target resource Name
`PRINCIPAL_APPLICATION`	Principal Application.
`TARGET_APPLICATION`	Target Application.
`EMAIL_TO_ADDRESS`	Email To Address.
`EMAIL_FROM_ADDRESS`	Email From Address.
`MAIL_ID`	Mail Id.
`PRINCIPAL_IP`	Principal IP.
`SECURITY_ACTION`	Security Action.
`SECURITY_RULE_ID`	Security Rule Id.
`TARGET_NETWORK_ORGANIZATION_NAME`	Target Network Organization name.
`PRINCIPAL_NETWORK_ORGANIZATION_NAME`	Principal Network Organization name.
`PRINCIPAL_PROCESS_FILE_PATH`	Principal Process File Path.
`PRINCIPAL_PROCESS_FILE_HASH`	Principal Process File SHA256 Hash.
`SECURITY_RESULT_RULE_NAME`	Security Result rule name.
`TARGET_RESOURCE_LABEL_KEY`	Target Resource label key.
`VENDOR_NAME`	Vendor name.
`TARGET_RESOURCE_TYPE`	Target Resource type.
`TARGET_LOCATION_NAME`	Target Location name.

Relation

Defines the relationship between the entity (a) and another entity (b).

JSON representation
{ "entity": { object (`Noun`) }, "entity_type": enum (`EntityType`), "relationship": enum (`Relationship`), "direction": enum (`Directionality`), "uid": string, "entity_label": enum (`EntityLabel`) }

Fields
`entity`	`object (Noun)` Entity (b) that the primary entity (a) is related to.
`entity_type`	`enum (EntityType)` Type of the related entity (b) in this relationship.
`relationship`	`enum (Relationship)` Type of relationship.
`direction`	`enum (Directionality)` Directionality of relationship between primary entity (a) and the related entity (b).
`uid`	`string (bytes format)` UID of the relationship. A base64-encoded string.
`entity_label`	`enum (EntityLabel)` Label to identify the Noun of the relation.

Relationship

Type of relationship between the primary entity (a) and related entity (b).

Enums
`RELATIONSHIP_UNSPECIFIED`	Default value
`OWNS`	Related entity is owned by the primary entity (e.g. user owns device asset).
`ADMINISTERS`	Related entity is administered by the primary entity (e.g. user administers a group).
`MEMBER`	Primary entity is a member of the related entity (e.g. user is a member of a group).
`EXECUTES`	Primary entity may have executed the related entity.
`DOWNLOADED_FROM`	Primary entity may have been downloaded from the related entity.
`CONTACTS`	Primary entity contacts the related entity.

Directionality

Describes the relationship model as directed or undirected.

Enums
`DIRECTIONALITY_UNSPECIFIED`	Default value.
`BIDIRECTIONAL`	Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a).
`UNIDIRECTIONAL`	Modeled in a single direction. Primary entity (a) to related entity (b).

EntityLabel

Entity label of the relation.

Enums
`ENTITY_LABEL_UNSPECIFIED`	Default value.
`PRINCIPAL`	The Noun represents a principal type object.
`TARGET`	The Noun represents a target type object.
`OBSERVER`	The Noun represents an observer type object.
`SRC`	The Noun represents src type object.
`NETWORK`	The Noun represents a network type object.
`SECURITY_RESULT`	The Noun represents a SecurityResult object.
`INTERMEDIARY`	The Noun represents an intermediary type object.

Methods
`get`	Gets an entity by name.
`import`	ImportEntities import the entities.
`modifyEntityRiskScore`	Modify base entity risk score for an entity.
`queryEntityRiskScoreModifications`	Query modifications to base entity risk score for an entity.

REST Resource: projects.locations.instances.entities

Resource: Entity

EntityMetadata

EntityType

SourceType

EntityRisk

RiskDelta

Metric

Measure

AggregateFunction

MetricName

Dimension

Relation

Relationship

Directionality

EntityLabel

Methods

`get`

`import`

`modifyEntityRiskScore`

`queryEntityRiskScoreModifications`