Method: legacy.legacyFindRawLogs

Full name: projects.locations.instances.legacy.legacyFindRawLogs

Legacy endpoint for getting events for a raw log search query.

HTTP request


Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
batchToken[]

string

Optional. A list of tokens that should be downloaded.

query

string

Required. All search parameters that expand or restrict the search.

caseSensitive

boolean

Whether the search is case sensitive. Defaults to false.

maxResponseByteSize

string (int64 format)

Optional. The maximum response size in bytes. The default value is 50 MiB. If this field is empty (0) or greater than the default value, the default value is applied.

ids[]

string (bytes format)

Optional. A list of raw log ids that should be downloaded. If both batchToken and ids are provided, batchToken will be discarded.

A base64-encoded string.

Request body

The request body must be empty.

Response body

Message passed back to the client containing the search results.

If successful, the response body contains data with the following structure:

JSON representation
{
  "events": [
    {
      object (Event)
    }
  ],
  "rawLogs": [
    {
      object (RawLogsAssociatedWithAnEvent)
    }
  ],
  "tooManyResults": boolean
}
Fields
events[]

object (Event)

A list of events, sorted in ascending order of timestamp.

rawLogs[]

object (RawLogsAssociatedWithAnEvent)

The raw logs, returned when batchToken or ids are set in the request. Each group of raw logs is associated with a single token or id in the request, and the groups are listed in the same order as in the request.

tooManyResults

boolean

True if there were too many results to return and some have been omitted.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFindRawLogs

For more information, see the IAM documentation.
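As an added example (not code from this page or from Google), the Python below applies the documented request rules (batchToken is discarded when ids are present; maxResponseByteSize falls back to the 50 MiB default when empty or larger) and walks a legacyFindRawLogs response using the Event, Device, RawLog and Range types defined later on this page, decoding the base64 bytes fields (Device.ipAddresses, RawLog.logBytes) and cutting each searchResults Range out of the log. The function names, the repeated-parameter encoding, and the reading of Range.start/end as exclusive byte offsets into the decoded log are assumptions; the sample response is constructed.

```python
import base64
import ipaddress

DEFAULT_MAX_RESPONSE_BYTES = 50 * 1024 * 1024  # documented default (50 MiB)
# Union members of Event.payload, in the order the page lists them.
PAYLOAD_KEYS = ("stats", "dns", "dhcp", "alert", "webproxy", "edr", "ioc",
                "whoisRecord", "assetInfo", "binary", "agentStats")

def effective_max_response_bytes(requested):
    # Documented rule: empty (0/None) or above the default -> the default applies.
    if not requested or requested > DEFAULT_MAX_RESPONSE_BYTES:
        return DEFAULT_MAX_RESPONSE_BYTES
    return int(requested)

def build_query_params(query, ids=(), batch_tokens=(), case_sensitive=False,
                       max_response_byte_size=None):
    # ids are bytes on the wire, so callers pass bytes and we base64 them. The API
    # discards batchToken when ids are present, so drop it client-side. Assumption
    # (not on the page): repeated params go as repeated bare keys, ids=..&ids=..
    if not query:
        raise ValueError("query is required")
    params = {"query": query, "caseSensitive": "true" if case_sensitive else "false"}
    if max_response_byte_size is not None:
        params["maxResponseByteSize"] = str(effective_max_response_bytes(max_response_byte_size))
    if ids:
        params["ids"] = [base64.b64encode(i).decode("ascii") for i in ids]
    elif batch_tokens:
        params["batchToken"] = list(batch_tokens)
    return params

def decode_ip(b64_value):
    # Device.ipAddresses[] entries are base64 raw address bytes (4 or 16), not text.
    raw = base64.b64decode(b64_value)
    if len(raw) not in (4, 16):
        raise ValueError(f"unexpected address length {len(raw)}")
    return str(ipaddress.ip_address(raw))

def event_devices(event):
    # Return (payload kind, [Device, ...]) for whichever union member is present.
    for key in PAYLOAD_KEYS:
        if key in event:
            payload = event[key]
            devices = [payload[k] for k in ("client", "server", "target") if k in payload]
            return key, devices + list(payload.get("devices", []))
    return None, []

def extract_matches(raw_log):
    # Decode RawLog.logBytes and cut out each searchResults Range. Assumption:
    # start/end are byte offsets into the decoded log, end exclusive, carried as
    # int64 strings. Ranges outside the log are an error, not a silent truncation.
    log = base64.b64decode(raw_log.get("logBytes", ""))
    matches = []
    for rng in raw_log.get("searchResults", []):
        start, end = int(rng["start"]), int(rng["end"])
        if not 0 <= start <= end <= len(log):
            raise ValueError(f"range {start}:{end} outside {len(log)}-byte log")
        matches.append(log[start:end].decode("utf-8", "replace"))
    return matches

def summarize(response):
    # Flatten a response into what an analyst checks first: the hosts each event
    # names, the text each raw log matched, and whether results were cut off.
    events = []
    for ev in response.get("events", []):
        kind, devices = event_devices(ev)
        ips = [decode_ip(a) for d in devices for a in d.get("ipAddresses", [])]
        events.append({"timestamp": ev.get("timestamp"), "payload": kind, "ips": ips})
    logs = [{"product": raw.get("sourceProduct"), "matches": extract_matches(raw)}
            for group in response.get("rawLogs", []) for raw in group.get("rawLogs", [])]
    return {"events": events, "rawLogs": logs,
            "truncated": bool(response.get("tooManyResults", False))}

# Constructed sample response in the shape the page documents (not real data).
_LOG = b"<134>Oct 2 15:01:23 dns01 named: client 10.0.0.5 query: example.test IN A"
SAMPLE_RESPONSE = {
    "events": [{"timestamp": "2014-10-02T15:01:23Z",
                "dns": {"client": {"hostname": "ws-17", "ipAddresses": [
                    base64.b64encode(bytes([10, 0, 0, 5])).decode()]}}}],
    "rawLogs": [{"rawLogs": [{
        "timestamp": "2014-10-02T15:01:23Z", "sourceProduct": "bind",
        "logBytes": base64.b64encode(_LOG).decode(),
        "searchResults": [{"start": str(_LOG.index(b"example")),
                           "end": str(_LOG.index(b" IN A"))}]}]}],
    "tooManyResults": False,
}
SUMMARY = summarize(SAMPLE_RESPONSE)
```

Check `truncated` before trusting a negative result: with tooManyResults set, an absent hit only means the omitted tail was not returned, so narrow the query or lower maxResponseByteSize and page through ids.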

Event

JSON representation
{
  "timestamp": string,
  "collectionTime": string,
  "ingestedTime": string,
  "source": {
    object (EventSource)
  },
  "rawLogIndex": integer,
  "disambiguationKey": string,
  "siEventData": {
    object (SIEventData)
  },
  "idm": {
    object (IDM)
  },
  "isDuplicate": boolean,

  // Union field payload can be only one of the following:
  "stats": {
    object (StatsEvent)
  },
  "dns": {
    object (DnsEvent)
  },
  "dhcp": {
    object (DhcpEvent)
  },
  "alert": {
    object (AlertEvent)
  },
  "webproxy": {
    object (WebProxyEvent)
  },
  "edr": {
    object (EdrEvent)
  },
  "ioc": {
    object (IocEvent)
  },
  "whoisRecord": {
    object (WhoisRecord)
  },
  "assetInfo": {
    object (AssetInfo)
  },
  "binary": {
    object (BinaryInfo)
  },
  "agentStats": {
    object (AgentStatsEvent)
  }
  // End of list of possible types for union field payload.
}
Fields
timestamp

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

collectionTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

ingestedTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

source

object (EventSource)

rawLogIndex

integer

disambiguationKey

string (bytes format)

A base64-encoded string.

siEventData

object (SIEventData)

idm

object (IDM)

isDuplicate

boolean

Union field payload.

payload can be only one of the following:

stats

object (StatsEvent)

dns

object (DnsEvent)

dhcp

object (DhcpEvent)

alert

object (AlertEvent)

webproxy

object (WebProxyEvent)

edr

object (EdrEvent)

ioc

object (IocEvent)

whoisRecord

object (WhoisRecord)

assetInfo

object (AssetInfo)

binary

object (BinaryInfo)

agentStats

object (AgentStatsEvent)

DnsEvent

JSON representation
{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "class": enum (DnsEventClass),
  "queryingIpTtl": integer,
  "id": integer,
  "response": boolean,
  "opcode": integer,
  "authoritative": boolean,
  "truncated": boolean,
  "recursionDesired": boolean,
  "recursionAvailable": boolean,
  "responseCode": integer,
  "questions": [
    {
      object (DnsQuestion)
    }
  ],
  "answers": [
    {
      object (DnsRR)
    }
  ],
  "authority": [
    {
      object (DnsRR)
    }
  ],
  "additional": [
    {
      object (DnsRR)
    }
  ],
  "action": enum (Action),
  "summary": {
    object (DnsSummary)
  }
}
Fields
client

object (Device)

server

object (Device)

class

enum (DnsEventClass)

queryingIpTtl

integer (uint32 format)

id

integer (uint32 format)

response

boolean

opcode

integer (uint32 format)

authoritative

boolean

truncated

boolean

recursionDesired

boolean

recursionAvailable

boolean

responseCode

integer (uint32 format)

questions[]

object (DnsQuestion)

answers[]

object (DnsRR)

authority[]

object (DnsRR)

additional[]

object (DnsRR)

action

enum (Action)

summary

object (DnsSummary)

Device

JSON representation
{
  "hostname": string,
  "ipAddresses": [
    string
  ],
  "mac": [
    string
  ],
  "onEnterpriseNetwork": boolean,
  "productIdentifierType": string,
  "productIdentifierValue": string,
  "namespace": string
}
Fields
hostname

string

ipAddresses[]

string (bytes format)

A base64-encoded string.

mac[]

string (bytes format)

A base64-encoded string.

onEnterpriseNetwork

boolean

productIdentifierType

string

productIdentifierValue

string

namespace

string

DnsEventClass

Enums
EC_FULL_FIDELITY
EC_RESPONSE_BASED
EC_REQUEST_BASED

DnsQuestion

JSON representation
{
  "name": string,
  "type": integer,
  "class": integer
}
Fields
name

string

type

integer (uint32 format)

class

integer (uint32 format)

DnsRR

JSON representation
{
  "name": string,
  "type": integer,
  "class": integer,
  "ttl": integer,
  "data": string
}
Fields
name

string

type

integer (uint32 format)

class

integer (uint32 format)

ttl

integer (uint32 format)

data

string (bytes format)

A base64-encoded string.

Action

Enums
ACTION_UNSPECIFIED
ALLOWED
BLOCKED
CLIENT_RST
CLOSED
ERROR
OTHER
SERVER_RST

DnsSummary

JSON representation
{
  "queries": [
    {
      object (Query)
    }
  ],
  "edr": {
    object (EdrEvent)
  }
}
Fields
queries[]

object (Query)

edr

object (EdrEvent)

Query

JSON representation
{
  "name": string,
  "ipAddresses": [
    string
  ],
  "url": string,
  "md5": string,
  "sha256": string,
  "filename": string,
  "httpDetails": {
    object (HttpDetails)
  },
  "networkConnectionDetails": {
    object (NetworkConnectionDetails)
  }
}
Fields
name

string

ipAddresses[]

string (bytes format)

A base64-encoded string.

url

string

md5

string (bytes format)

A base64-encoded string.

sha256

string (bytes format)

A base64-encoded string.

filename

string

httpDetails

object (HttpDetails)

networkConnectionDetails

object (NetworkConnectionDetails)

NetworkConnectionDetails

JSON representation
{
  "status": enum (Action)
}
Fields
status

enum (Action)

Action

Enums
ACTION_UNSPECIFIED
ALLOWED
BLOCKED
CLIENT_RST
CLOSED
ERROR
OTHER
SERVER_RST

EdrEvent

JSON representation
{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "dataSource": enum (Product),
  "rawEventName": string,
  "category": enum (Category),
  "processIdType": string,
  "processIdValue": string,
  "processFilename": string,
  "processMd5": string,
  "processSha256": string,
  "currentProcess": {
    object (ProcessDetails)
  },
  "targetProcess": {
    object (ProcessDetails)
  },
  "childProcess": {
    object (ProcessDetails)
  },
  "parentProcess": {
    object (ProcessDetails)
  },
  "targetFile": {
    object (FileDetails)
  },
  "sourceFile": {
    object (FileDetails)
  },
  "user": {
    object (UserDetails)
  },
  "firewall": {
    object (FirewallDetails)
  },
  "service": {
    object (ServiceDetails)
  },
  "share": {
    object (ShareDetails)
  },
  "registry": {
    object (RegistryDetails)
  },
  "device": {
    object (DeviceDetails)
  },
  "uac": {
    object (UACDetails)
  },
  "task": {
    object (TaskDetails)
  },
  "volume": {
    object (VolumeDetails)
  },

  // Union field event_details can be only one of the following:
  "network": {
    object (EdrNetworkEvent)
  },
  "alert": {
    object (AlertEvent)
  },
  "mapping": {
    object (EdrMappingEvent)
  }
  // End of list of possible types for union field event_details.
}
Fields
client

object (Device)

server

object (Device)

dataSource

enum (Product)

rawEventName

string

category

enum (Category)

processIdType
(deprecated)

string

processIdValue
(deprecated)

string

processFilename
(deprecated)

string

processMd5
(deprecated)

string (bytes format)

A base64-encoded string.

processSha256
(deprecated)

string (bytes format)

A base64-encoded string.

currentProcess

object (ProcessDetails)

targetProcess

object (ProcessDetails)

childProcess

object (ProcessDetails)

parentProcess

object (ProcessDetails)

targetFile

object (FileDetails)

sourceFile

object (FileDetails)

user

object (UserDetails)

firewall

object (FirewallDetails)

service

object (ServiceDetails)

share

object (ShareDetails)

registry

object (RegistryDetails)

device

object (DeviceDetails)

uac

object (UACDetails)

task

object (TaskDetails)

volume

object (VolumeDetails)

Union field event_details.

event_details can be only one of the following:

network

object (EdrNetworkEvent)

alert

object (AlertEvent)

mapping

object (EdrMappingEvent)

EdrNetworkEvent

JSON representation
{
  "direction": enum (Direction),
  "targetIp": string,
  "targetDomain": string,
  "clientPort": integer,
  "targetPort": integer,
  "processFilename": string,
  "processMd5": string,
  "processSha256": string,
  "processIdType": string,
  "processIdValue": string,
  "protocol": integer
}
Fields
direction

enum (Direction)

targetIp

string (bytes format)

A base64-encoded string.

targetDomain

string

clientPort

integer (uint32 format)

targetPort

integer (uint32 format)

processFilename
(deprecated)

string

processMd5
(deprecated)

string (bytes format)

A base64-encoded string.

processSha256
(deprecated)

string (bytes format)

A base64-encoded string.

processIdType
(deprecated)

string

processIdValue
(deprecated)

string

protocol

integer (uint32 format)

Direction

Enums
DIRECTION_UNSPECIFIED
INBOUND
OUTBOUND
NEITHER

AlertEvent

JSON representation
{
  "devices": [
    {
      object (Device)
    }
  ],
  "rawAlertMessage": string,
  "sourceProduct": string,
  "alertShortName": string,
  "severity": enum (AlertSeverity),
  "rawSeverity": string,
  "isSignificant": boolean,
  "hashMd5": string,
  "hashSha1": string,
  "hashSha256": string
}
Fields
devices[]

object (Device)

rawAlertMessage
(deprecated)

string

sourceProduct

string

alertShortName

string

severity
(deprecated)

enum (AlertSeverity)

rawSeverity

string

isSignificant

boolean

hashMd5

string (bytes format)

A base64-encoded string.

hashSha1

string (bytes format)

A base64-encoded string.

hashSha256

string (bytes format)

A base64-encoded string.

AlertSeverity

Enums
SEVERITY_UNSPECIFIED
SEVERITY_INFO
SEVERITY_LOW
SEVERITY_MEDIUM
SEVERITY_HIGH
SEVERITY_CRITICAL

EdrMappingEvent

JSON representation
{
  "type": enum (MappingType)
}
Fields
type

enum (MappingType)

MappingType

Enums
MAPPING_UNSPECIFIED
HOSTNAME_TO_PRODUCT_ID
MAC_TO_PRODUCT_ID

Product

Enums
UNSPECIFIED
CROWDSTRIKE
CARBON_BLACK
CHECKPOINT_SANDBLAST
CYLANCE
DIGITAL_GUARDIAN
ELASTIC
ENDGAME
ESET
JAMF
LIMA_CHARLIE
MALWAREBYTES
MANDIANT
MCAFEE_EPO
MICROSOFT
OSQUERY
PAN_TRAPS
QUALYS
RAPID7
RED_CANARY
SENTINEL_ONE
SYMANTEC
TANIUM
TRELLIX
VMRAY
WHITE_CLOUD
WINDOWS
WINDOWS_SYSMON
VECTRA
FORTINET

Category

Enums
EVENT_UNSPECIFIED
PROCESS_MAPPING

ProcessDetails

JSON representation
{
  "processId": string,
  "rawPid": string,
  "processFile": {
    object (FileDetails)
  },
  "fullCommandLine": string,
  "userName": {
    object (UserDetails)
  },
  "accessMask": string
}
Fields
processId

string

rawPid

string

processFile

object (FileDetails)

fullCommandLine

string

userName

object (UserDetails)

accessMask

string

FileDetails

JSON representation
{
  "fileName": string,
  "fullPath": string,
  "hashMd5": string,
  "hashSha256": string,
  "hashSha1": string
}
Fields
fileName

string

fullPath

string

hashMd5

string (bytes format)

A base64-encoded string.

hashSha256

string (bytes format)

A base64-encoded string.

hashSha1

string (bytes format)

A base64-encoded string.

UserDetails

JSON representation
{
  "userName": string,
  "authenticationId": string,
  "userPrincipal": string,
  "userSid": string
}
Fields
userName

string

authenticationId

string

userPrincipal

string

userSid

string

FirewallDetails

JSON representation
{
  "firewallRule": string,
  "firewallRuleId": string,
  "firewallOption": string
}
Fields
firewallRule

string

firewallRuleId

string

firewallOption

string

ServiceDetails

JSON representation
{
  "serviceName": string,
  "serviceUser": string
}
Fields
serviceName

string

serviceUser

string

ShareDetails

JSON representation
{
  "shareName": string
}
Fields
shareName

string

RegistryDetails

JSON representation
{
  "regObjectName": string,
  "regValueName": string,
  "regStringValue": string
}
Fields
regObjectName

string

regValueName

string

regStringValue

string

DeviceDetails

JSON representation
{
  "productName": string,
  "deviceName": string
}
Fields
productName

string

deviceName

string

UACDetails

JSON representation
{
  "exeToValidate": string,
  "dllToValidate": string,
  "commandLineToValidate": string,
  "applicationNameToValidate": string,
  "msiProductName": string,
  "msiPackagePath": string,
  "comFriendlyName": string,
  "comServerBinary": string,
  "comRequestorPath": string,
  "axisInstallPoint": string,
  "axisUrl": string
}
Fields
exeToValidate

string

dllToValidate

string

commandLineToValidate

string

applicationNameToValidate

string

msiProductName

string

msiPackagePath

string

comFriendlyName

string

comServerBinary

string

comRequestorPath

string

axisInstallPoint

string

axisUrl

string

TaskDetails

JSON representation
{
  "taskName": string,
  "taskAuthor": string,
  "taskCommand": {
    object (ProcessDetails)
  }
}
Fields
taskName

string

taskAuthor

string

taskCommand

object (ProcessDetails)

VolumeDetails

JSON representation
{
  "volumeName": string,
  "volumeDevice": {
    object (DeviceDetails)
  },
  "volumeMountPoint": string
}
Fields
volumeName

string

volumeDevice

object (DeviceDetails)

volumeMountPoint

string

DhcpEvent

JSON representation
{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "class": enum (DhcpEventClass),
  "op": enum (DhcpOp),
  "htype": enum (DhcpHType),
  "hlen": integer,
  "hops": integer,
  "xid": integer,
  "secs": integer,
  "flags": integer,
  "ciaddr": string,
  "yiaddr": string,
  "siaddr": string,
  "giaddr": string,
  "chaddr": string,
  "sname": string,
  "file": string,
  "options": [
    {
      object (DhcpOption)
    }
  ],
  "optType": enum (MessageType),
  "optHostname": string,
  "optLeaseTime": integer,
  "optRequestedAddress": string,
  "optClientIdentifier": string
}
Fields
client

object (Device)

server

object (Device)

class

enum (DhcpEventClass)

op

enum (DhcpOp)

htype

enum (DhcpHType)

hlen

integer (uint32 format)

hops

integer (uint32 format)

xid

integer (uint32 format)

secs

integer (uint32 format)

flags

integer (uint32 format)

ciaddr

string (bytes format)

A base64-encoded string.

yiaddr

string (bytes format)

A base64-encoded string.

siaddr

string (bytes format)

A base64-encoded string.

giaddr

string (bytes format)

A base64-encoded string.

chaddr

string (bytes format)

A base64-encoded string.

sname

string

file

string

options[]

object (DhcpOption)

optType

enum (MessageType)

optHostname

string

optLeaseTime

integer (uint32 format)

optRequestedAddress

string (bytes format)

A base64-encoded string.

optClientIdentifier

string (bytes format)

A base64-encoded string.

DhcpEventClass

Enums
EC_FULL_FIDELITY
EC_RESPONSE_BASED
EC_REQUEST_BASED

DhcpOp

Enums
OP_INVALID
OP_REQUEST
OP_REPLY

DhcpHType

Enums
HT_NULL
HT_ETHERNET
HT_AX25
HT_TOKEN_RING
HT_ARC_NET
HT_SLIP
HT_PPP
HT_FDDI
HT_PPP_HDLC
HT_PPP_ETHERNET
HT_ATM_RFC1483
HT_RAW
HT_C_HDLC
HT_IEEE802_11
HT_F_RELAY
HT_LOOP
HT_LINUX_SSL
HT_L_TALK
HT_PF_LOG
HT_PRISM_HEADER
HT_IP_OVER_FC
HT_SUN_ATM
HT_IEEE80211_RADIO
HT_ARC_NET_LINUX
HT_IP_OVER_1394
HT_MTP2P_HDR
HT_MTP2
HT_MTP3
HT_SCCP
HT_DOCSIS
HT_LINUX_IRDA
HT_LINUX_LAPD
HT_LINUX_USB
HT_IPV4
HT_IPV6

DhcpOption

JSON representation
{
  "type": enum (DhcpOptionType),
  "data": string
}
Fields
type

enum (DhcpOptionType)

data

string (bytes format)

A base64-encoded string.

DhcpOptionType

Enums
OT_PAD
OT_SUBNET_MASK
OT_TIME_OFFSET
OT_ROUTER
OT_TIME_SERVER
OT_NAME_SERVER
OT_DNS
OT_LOG_SERVER
OT_LPR_SERVER
OT_IMPRESS_SERVER
OT_RES_LOC_SERVER
OT_HOSTNAME
OT_BOOTFILE_SIZE
OT_MERIT_DUMP_FILE
OT_DOMAIN_NAME
OT_SWAP_SERVER
OT_ROOT_PATH
OT_EXTENSION_PATH
OT_IP_FORWARDING
OT_SOURCE_ROUTING
OT_POLICY_FILTER
OT_DATAGRAM_MTU
OT_DEFAULT_TTL
OT_PATH_MTU_AGING_TIMEOUT
OT_PATH_PLATEAU_TABLE_OPTION
OT_INTERFACE_MTU
OT_ALL_SUBS_LOCAL
OT_BROADCAST_ADDR
OT_MASK_DISCOVERY
OT_MASK_SUPPLIER
OT_ROUTER_DISCOVERY
OT_SOLICIT_ADDR
OT_STATIC_ROUTE
OT_ARP_TRAILERS
OT_ARP_TIMEOUT
OT_ETHERNET_ENCAP
OT_TCP_TTL
OT_TCP_KEEPALIVE_INT
OT_TCP_KEEPALIBE_GARBAGE
OT_NIS_DOMAIN
OT_NIS_SERVERS
OT_NTP_SERVERS
OT_VENDOR_OPTION
OT_NETBIOS_TCP_NS
OT_NETBIOS_TCP_DDS
OT_NETBIOS_TCP_NODE_TYPE
OT_NETBIOS_TCP_SCOPE
OT_X_FONT_SERVER
OT_X_DISPLAY_MANAGER
OT_REQUEST_IP
OT_LEASE_TIME
OT_EXT_OPTIONS
OT_MESSAGE_TYPE
OT_SERVER_ID
OT_PARAMS_REQUEST
OT_MESSAGE
OT_MAX_MESSAGE_SIZE
OT_T1
OT_T2
OT_CLASS_ID
OT_CLIENT_ID
OT_SIP_SERVERS
OT_CLASSLESS_STATIC_ROUTE

MessageType

Enums
MT_UNSPECIFIED
MT_DISCOVER
MT_OFFER
MT_REQUEST
MT_DECLINE
MT_ACK
MT_NACK
MT_RELEASE
MT_INFO
MT_WIN_DELETED
MT_WIN_EXPIRED

WebProxyEvent

JSON representation
{
  "client": {
    object (Device)
  },
  "clientPort": integer,
  "server": {
    object (Device)
  },
  "target": {
    object (Device)
  },
  "targetPort": integer,
  "protocol": enum (HttpProtocol),
  "request": {
    object (Request)
  },
  "response": {
    object (Response)
  },
  "action": enum (Action),
  "blockReason": string,
  "userIdentifier": string
}
Fields
client

object (Device)

clientPort

integer (uint32 format)

server

object (Device)

target

object (Device)

targetPort

integer (uint32 format)

protocol

enum (HttpProtocol)

request

object (Request)

response

object (Response)

action

enum (Action)

blockReason

string

userIdentifier

string

Request

JSON representation
{
  "method": enum (HttpMethod),
  "resource": string,
  "userAgent": string,
  "referer": string
}
Fields
method

enum (HttpMethod)

resource

string

userAgent

string

referer

string

Response

JSON representation
{
  "code": integer,
  "size": string,
  "hashMd5": string
}
Fields
code

integer (uint32 format)

size

string

hashMd5

string (bytes format)

A base64-encoded string.

WhoisRecord

JSON representation
{
  "domainName": string,
  "registrarName": string,
  "contactEmail": string,
  "whoisServer": string,
  "nameServer": [
    string
  ],
  "creationTime": string,
  "updateTime": string,
  "expirationTime": string,
  "auditUpdateTime": string,
  "status": string,
  "registrant": {
    object (Contact)
  },
  "adminContact": {
    object (Contact)
  },
  "techContact": {
    object (Contact)
  },
  "billingContact": {
    object (Contact)
  },
  "zoneContact": {
    object (Contact)
  },
  "whoisRecordRawText": string,
  "registryDataRawText": string,
  "ianaRegistrarId": integer,
  "privateRegistration": boolean
}
Fields
domainName

string

registrarName

string

contactEmail

string

whoisServer

string

nameServer[]

string

creationTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

updateTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

expirationTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

auditUpdateTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

status

string

registrant

object (Contact)

adminContact

object (Contact)

techContact

object (Contact)

billingContact

object (Contact)

zoneContact

object (Contact)

whoisRecordRawText

string (bytes format)

A base64-encoded string.

registryDataRawText

string (bytes format)

A base64-encoded string.

ianaRegistrarId

integer

privateRegistration

boolean

Contact

JSON representation
{
  "emailAddress": string,
  "name": string,
  "organization": string,
  "phoneNumber": string,
  "phoneNumberExt": string,
  "faxNumber": string,
  "faxNumberExt": string,
  "address": {
    object (Address)
  },
  "rawText": string
}
Fields
emailAddress

string

name

string

organization

string

phoneNumber

string

phoneNumberExt

string

faxNumber

string

faxNumberExt

string

address

object (Address)

rawText

string (bytes format)

A base64-encoded string.

Address

JSON representation
{
  "country": string,
  "street": [
    string
  ],
  "city": string,
  "state": string,
  "postalCode": string
}
Fields
country

string

street[]

string

city

string

state

string

postalCode

string

AssetInfo

JSON representation
{
  "client": {
    object (Device)
  },
  "operatingSystem": string,
  "vulnerabilities": [
    {
      object (AssetVulnerability)
    }
  ]
}
Fields
client

object (Device)

operatingSystem

string

vulnerabilities[]

object (AssetVulnerability)

AssetVulnerability

JSON representation
{
  "name": string,
  "description": string,
  "scanStartTime": string,
  "scanEndTime": string,
  "firstFound": string,
  "lastFound": string,
  "severity": string,
  "cvssBaseScore": number,
  "cvssVector": string,
  "cvssVersion": string
}
Fields
name

string

description

string

scanStartTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

scanEndTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

firstFound

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

lastFound

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

severity

string

cvssBaseScore

number

cvssVector

string

cvssVersion

string

BinaryInfo

JSON representation
{
  "hashMd5": string,
  "hashSha256": string,
  "hashSha1": string,
  "sizeBytes": string,
  "mimeType": string,
  "type": enum (FileType),
  "version": {
    object (VersionInfo)
  },
  "sign": {
    object (SigningInfo)
  }
}
Fields
hashMd5

string (bytes format)

A base64-encoded string.

hashSha256

string (bytes format)

A base64-encoded string.

hashSha1

string (bytes format)

A base64-encoded string.

sizeBytes

string

mimeType

string

type

enum (FileType)

version

object (VersionInfo)

sign

object (SigningInfo)

FileType

Enums
UNSPECIFIED
OTHER
BZIP2
ELF
JAR
LZH
LZW
OFFICE_LEGACY
OFFICE_OPENXML
PDF
PE
RAR
RTF
SEVEN_ZIP
TAR
UNIVERSAL
XAR
ZIP

VersionInfo

JSON representation
{
  "companyName": string,
  "fileDescription": string,
  "fileVersion": string,
  "internalName": string,
  "originalName": string,
  "productName": string,
  "productVersion": string
}
Fields
companyName

string

fileDescription

string

fileVersion

string

internalName

string

originalName

string

productName

string

productVersion

string

SigningInfo

JSON representation
{
  "status": enum (SignStatus),
  "subject": string,
  "issuer": string
}
Fields
status

enum (SignStatus)

subject

string

issuer

string

SignStatus

Enums
UNSPECIFIED
OTHER
SIGNED
UNSIGNED
INVALID_SIGNATURE
EXPIRED
INVALID_CHAIN
UNTRUSTED_ROOT
NOT_TRUSTED

EventSource

JSON representation
{
  "customerId": string,
  "collectorId": string,
  "filename": string,
  "namespace": string,
  "labels": [
    {
      object (Label)
    }
  ]
}
Fields
customerId

string (bytes format)

A base64-encoded string.

collectorId

string (bytes format)

A base64-encoded string.

filename

string

namespace

string

labels[]

object (Label)

SIEventData

JSON representation
{
  "batchId": string,
  "rawLogType": enum (LogType),
  "snippet": string,
  "rawLogIndex": integer,
  "disambiguationKey": string,
  "eventType": enum (EventType),
  "timestamp": string,
  "replayTime": string
}
Fields
batchId

string (bytes format)

A base64-encoded string.

rawLogType

enum (LogType)

snippet

string (bytes format)

A base64-encoded string.

rawLogIndex

integer

disambiguationKey

string (bytes format)

A base64-encoded string.

eventType

enum (EventType)

timestamp

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

replayTime

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

IDM

JSON representation
{
  "readOnlyUdm": {
    object (UDM)
  },
  "filteredUdm": {
    object (UDM)
  },
  "context": {
    object (Noun)
  },
  "entity": {
    object (Entity)
  },
  "isAlert": boolean,
  "isSignificant": boolean,
  "baseLabels": {
    object (DataAccessLabels)
  },
  "enrichmentLabels": {
    object (DataAccessLabels)
  },
  "enrichmentProvenances": [
    {
      object (EnrichmentProvenance)
    }
  ],
  "assetEnrichmentInfo": {
    object (EnrichmentInfo)
  },
  "userEnrichmentInfo": {
    object (EnrichmentInfo)
  },
  "processEnrichmentInfo": {
    object (EnrichmentInfo)
  },
  "vtFilemetadataEnrichmentInfo": {
    object (EnrichmentInfo)
  },
  "geoipEnrichmentInfo": {
    object (EnrichmentInfo)
  },
  "udmProvenance": {
    object (UdmProvenance)
  }
}
Fields
readOnlyUdm

object (UDM)

filteredUdm

object (UDM)

context
(deprecated)

object (Noun)

entity

object (Entity)

isAlert

boolean

isSignificant

boolean

baseLabels
(deprecated)

object (DataAccessLabels)

enrichmentLabels
(deprecated)

object (DataAccessLabels)

enrichmentProvenances[]

object (EnrichmentProvenance)

assetEnrichmentInfo

object (EnrichmentInfo)

userEnrichmentInfo

object (EnrichmentInfo)

processEnrichmentInfo

object (EnrichmentInfo)

vtFilemetadataEnrichmentInfo

object (EnrichmentInfo)

geoipEnrichmentInfo

object (EnrichmentInfo)

udmProvenance

object (UdmProvenance)

EnrichmentInfo

JSON representation
{
  "enrichmentStatus": enum (EnrichmentStatus)
}
Fields
enrichmentStatus

enum (EnrichmentStatus)

EnrichmentStatus

Enums
ENRICHMENT_STATUS_UNSPECIFIED
FULL_ENRICHMENT
PARTIAL_ENRICHMENT
FAILED_ENRICHMENT

RawLogsAssociatedWithAnEvent

JSON representation
{
  "rawLogs": [
    {
      object (RawLog)
    }
  ]
}
Fields
rawLogs[]

object (RawLog)

RawLog

JSON representation
{
  "timestamp": string,
  "sourceProduct": string,
  "logBytes": string,
  "searchResults": [
    {
      object (Range)
    }
  ],
  "type": enum (LogType)
}
Fields
timestamp

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

sourceProduct

string

logBytes

string (bytes format)

A base64-encoded string.

searchResults[]

object (Range)

type

enum (LogType)

Range

JSON representation
{
  "start": string,
  "end": string
}
Fields
start

string (int64 format)

end

string (int64 format)