Method: legacy.legacyFindRawLogs

Full name: projects.locations.instances.legacy.legacyFindRawLogs

Legacy endpoint for getting events for a raw log search query.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyFindRawLogs

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
batchToken[]

string

Optional. A list of tokens that should be downloaded.

query

string

Required. All search parameters that expand or restrict the search.

caseSensitive

boolean

Whether the search is case sensitive. Defaults to false.

maxResponseByteSize

string (int64 format)

Optional. The maximum response size in bytes. The default value is 50 MiB. If this field is empty (0) or greater than the default value, the default value is applied.

ids[]

string (bytes format)

Optional. A list of raw log ids that should be downloaded. If both batch_token and ids are provided, batch_token will be discarded.

A base64-encoded string.

Request body

The request body must be empty.

Response body

Message passed back to the client containing the search results.

If successful, the response body contains data with the following structure:

JSON representation
{
  "events": [
    {
      object (Event)
    }
  ],
  "raw_logs": [
    {
      object (RawLogsAssociatedWithAnEvent)
    }
  ],
  "too_many_results": boolean
}
Fields
events[]

object (Event)

A list of events, sorted in ascending order of timestamp.

raw_logs[]

object (RawLogsAssociatedWithAnEvent)

The raw logs, returned when batch_tokens or ids are set. Each group of raw logs is associated with a single token or id in the request, and the groups are listed in the same order as in the request.

too_many_results

boolean

True if there were too many results to return and some were omitted.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFindRawLogs

For more information, see the IAM documentation.
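A client-side helper for this endpoint, added here as an example and not part of the Chronicle documentation or any Google SDK: it builds the GET URL from the parameters above (base64-encoding `ids`, dropping `batchToken` when `ids` is also given, clamping `maxResponseByteSize` to the 50 MiB default), then parses a constructed response, checking the documented ascending timestamp order, that each Event carries exactly one `payload` union field (the union is listed under Event below), and pairing each `raw_logs` group with the request key it belongs to. It assumes repeated parameters are sent as repeated query keys (`ids=a&ids=b`), and since RawLogsAssociatedWithAnEvent is not defined on this page, the groups are passed through unchanged.

```python
import base64
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

CHRONICLE_BASE = "https://chronicle.googleapis.com/v1alpha"
DEFAULT_MAX_RESPONSE_BYTES = 50 * 1024 * 1024  # documented default and ceiling: 50 MiB
INSTANCE_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/instances/[^/]+$")
# Event union field "payload": exactly one of these is set per event.
PAYLOAD_FIELDS = ("stats", "dns", "dhcp", "alert", "webproxy", "edr", "ioc",
                  "whois_record", "asset_info", "binary")


def build_find_raw_logs_url(instance, query, ids=None, batch_tokens=None,
                            case_sensitive=False, max_response_bytes=None):
    """Build the GET URL for legacy:legacyFindRawLogs.

    ids (bytes) are base64-encoded on the wire. When both ids and batch tokens
    are given the server discards the tokens, so they are dropped here too.
    Assumption: repeated parameters are sent as repeated keys (ids=a&ids=b).
    """
    if not INSTANCE_RE.match(instance):
        raise ValueError("instance must be projects/{p}/locations/{l}/instances/{i}")
    if not query:
        raise ValueError("query is required")
    params = [("query", query)]
    if case_sensitive:
        params.append(("caseSensitive", "true"))
    if max_response_bytes is not None:
        # 0 or anything above the default is replaced by the default server-side
        if max_response_bytes <= 0 or max_response_bytes > DEFAULT_MAX_RESPONSE_BYTES:
            max_response_bytes = DEFAULT_MAX_RESPONSE_BYTES
        params.append(("maxResponseByteSize", str(max_response_bytes)))
    if ids:
        params.extend(("ids", base64.b64encode(i).decode("ascii")) for i in ids)
    elif batch_tokens:
        params.extend(("batchToken", t) for t in batch_tokens)
    return f"{CHRONICLE_BASE}/{instance}/legacy:legacyFindRawLogs?{urlencode(params)}"


def timestamp_key(ts):
    """Sort key for an RFC3339 UTC 'Zulu' timestamp with up to nine fractional digits.

    String order is wrong here: '...23Z' sorts after '...23.045Z' but is earlier.
    """
    if not ts.endswith("Z"):
        raise ValueError(f"not a Zulu timestamp: {ts}")
    base, _, frac = ts[:-1].partition(".")
    whole = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return (int(whole.timestamp()), int((frac + "0" * 9)[:9]))


def payload_kind(event):
    """Return which payload union field an Event carries (must be exactly one)."""
    present = [f for f in PAYLOAD_FIELDS if f in event]
    if len(present) != 1:
        raise ValueError(f"event must carry exactly one payload field, got {present}")
    return present[0]


def parse_find_raw_logs_response(body, request_keys):
    """Parse the JSON body into (events, raw_logs_by_key, too_many_results).

    request_keys is the ordered list of ids or batch tokens sent; the API returns
    one raw_logs group per key in request order, so groups are zipped to keys.
    """
    if len(body) > DEFAULT_MAX_RESPONSE_BYTES:
        raise ValueError("response larger than the documented maximum response size")
    data = json.loads(body)
    events = data.get("events", [])
    keys = [timestamp_key(e["timestamp"]) for e in events]
    if keys != sorted(keys):
        raise ValueError("events are documented as ascending by timestamp")
    for e in events:
        payload_kind(e)  # fail loudly on a malformed union
    groups = data.get("raw_logs", [])
    if len(groups) != len(request_keys):
        raise ValueError(f"expected {len(request_keys)} raw_logs groups, got {len(groups)}")
    return events, dict(zip(request_keys, groups)), bool(data.get("too_many_results", False))


# Constructed sample response; the raw_logs group contents are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "events": [{"timestamp": "2014-10-02T15:01:23Z", "dns": {"response": False}},
               {"timestamp": "2014-10-02T15:01:23.045123456Z", "dns": {"response": True}}],
    "raw_logs": [{"constructed_group": 1}, {"constructed_group": 2}],
    "too_many_results": True,
})


def demo():
    """Build a request and parse the constructed response; returns a tuple for checking."""
    ids = [b"\x01\x02\x03", b"\x04\x05\x06"]
    url = build_find_raw_logs_url("projects/p/locations/us/instances/i",
                                  'hostname = "web-1"', ids=ids, batch_tokens=["tok"])
    events, by_key, truncated = parse_find_raw_logs_response(SAMPLE_RESPONSE, ids)
    return url, [payload_kind(e) for e in events], by_key, truncated
```

When `too_many_results` comes back true, narrow the query (for example a shorter time window) rather than retrying with a larger `maxResponseByteSize`, since the server caps that at the default anyway.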

Event

JSON representation
{
  "timestamp": string,
  "collection_time": string,
  "ingested_time": string,
  "source": {
    object (EventSource)
  },
  "raw_log_index": integer,
  "disambiguation_key": string,
  "si_event_data": {
    object (SIEventData)
  },
  "idm": {
    object (IDM)
  },
  "is_duplicate": boolean,

  // Union field payload can be only one of the following:
  "stats": {
    object (StatsEvent)
  },
  "dns": {
    object (DnsEvent)
  },
  "dhcp": {
    object (DhcpEvent)
  },
  "alert": {
    object (AlertEvent)
  },
  "webproxy": {
    object (WebProxyEvent)
  },
  "edr": {
    object (EdrEvent)
  },
  "ioc": {
    object (IocEvent)
  },
  "whois_record": {
    object (WhoisRecord)
  },
  "asset_info": {
    object (AssetInfo)
  },
  "binary": {
    object (BinaryInfo)
  }
  // End of list of possible types for union field payload.
}
Fields
timestamp

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

collection_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

ingested_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

source

object (EventSource)

raw_log_index

integer

disambiguation_key

string (bytes format)

A base64-encoded string.

si_event_data

object (SIEventData)

idm

object (IDM)

is_duplicate

boolean

Union field payload.

payload can be only one of the following:

stats

object (StatsEvent)

dns

object (DnsEvent)

dhcp

object (DhcpEvent)

alert

object (AlertEvent)

webproxy

object (WebProxyEvent)

edr

object (EdrEvent)

ioc

object (IocEvent)

whois_record

object (WhoisRecord)

asset_info

object (AssetInfo)

binary

object (BinaryInfo)

StatsEvent

JSON representation
{
  "start_time": string,
  "window_start_time": string,
  "last_successful_upload": string,
  "num_batches_dropped": integer,
  "num_batches_uploaded": integer,
  "bytes_uploaded": string,
  "bytes_before_compression": string,
  "bytes_after_compression": string,
  "num_upload_retries": integer,
  "collector_hostname": string,
  "collector_version": string,
  "bundle_version": string,
  "container_version": string,
  "num_batches_resized": integer,
  "num_input_dropped": integer,
  "compression_level": integer,
  "pcap_stats": {
    object (PcapStats)
  },
  "last_failed_upload": string,
  "last_attempted_upload": string,
  "last_failed_status_code": integer,
  "error_info": [
    {
      object (ErrorInfo)
    }
  ],
  "rusage": {
    object (RUsage)
  },
  "last_received_timestamp": {
    string: string,
    ...
  },
  "local_logging_verbosity_level": integer,
  "remote_logging_verbosity_level": integer,
  "logs": [
    string
  ],
  "num_splunk_input_restarts": integer,
  "max_splunk_latency_ms": integer,
  "min_splunk_latency_ms": integer,
  "num_splunk_query_attempts": integer,
  "num_log_lines_discarded": integer,
  "last_splunk_input_restart": string,
  "command_line_args": string,
  "batch_backlog_size_bytes": {
    string: string,
    ...
  },
  "aggregated_batch_stats": {
    object (LogEntryBatchMetrics)
  },
  "input_stats": [
    {
      object (InputStatsEvent)
    }
  ],
  "container_stats": {
    object (ContainerStats)
  },
  "os": string,
  "os_version": string,
  "ingestion_latency": string,
  "upload_try_count": integer,
  "config_hash": string,
  "auth_config_hash": string,
  "forwarder_id": string,
  "semantic_version": string
}
Fields
start_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

window_start_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

last_successful_upload

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

num_batches_dropped
(deprecated)

integer (uint32 format)

num_batches_uploaded
(deprecated)

integer (uint32 format)

bytes_uploaded
(deprecated)

string

bytes_before_compression

string

bytes_after_compression

string

num_upload_retries

integer (uint32 format)

collector_hostname

string

collector_version

string

bundle_version

string

container_version

string

num_batches_resized
(deprecated)

integer (uint32 format)

num_input_dropped

integer (uint32 format)

compression_level

integer

pcap_stats

object (PcapStats)

last_failed_upload

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

last_attempted_upload

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

last_failed_status_code

integer (uint32 format)

error_info[]

object (ErrorInfo)

rusage

object (RUsage)

last_received_timestamp

map (key: string, value: string (Timestamp format))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

local_logging_verbosity_level

integer

remote_logging_verbosity_level

integer

logs[]

string

num_splunk_input_restarts

integer (uint32 format)

max_splunk_latency_ms

integer (uint32 format)

min_splunk_latency_ms

integer (uint32 format)

num_splunk_query_attempts

integer (uint32 format)

num_log_lines_discarded

integer (uint32 format)

last_splunk_input_restart

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

command_line_args

string

batch_backlog_size_bytes
(deprecated)

map (key: string, value: string)

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

aggregated_batch_stats

object (LogEntryBatchMetrics)

input_stats[]

object (InputStatsEvent)

container_stats

object (ContainerStats)

os

string

os_version

string

ingestion_latency

string (int64 format)

upload_try_count

integer

config_hash

string

auth_config_hash

string

forwarder_id

string (bytes format)

A base64-encoded string.

semantic_version

string

PcapStats

JSON representation
{
  "packets_received": string,
  "no_room_dropped": string,
  "interface_dropped": string
}
Fields
packets_received

string

no_room_dropped

string

interface_dropped

string

ErrorInfo

JSON representation
{
  "status_code": integer,
  "count": integer
}
Fields
status_code

integer (uint32 format)

count

integer (uint32 format)

RUsage

JSON representation
{
  "utime": string,
  "stime": string,
  "maxrss": string,
  "ixrss": string,
  "idrss": string,
  "isrss": string,
  "minflt": string,
  "majflt": string,
  "nswap": string,
  "inblock": string,
  "oublock": string,
  "msgsnd": string,
  "msgrcv": string,
  "nsignals": string,
  "nvcsw": string,
  "nivcsw": string
}
Fields
utime

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

stime

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

maxrss

string (int64 format)

ixrss

string (int64 format)

idrss

string (int64 format)

isrss

string (int64 format)

minflt

string (int64 format)

majflt

string (int64 format)

nswap

string (int64 format)

inblock

string (int64 format)

oublock

string (int64 format)

msgsnd

string (int64 format)

msgrcv

string (int64 format)

nsignals

string (int64 format)

nvcsw

string (int64 format)

nivcsw

string (int64 format)

LogEntryBatchMetrics

JSON representation
{
  "size_of_batches_bytes": string,
  "num_logs": string,
  "num_batches": string
}
Fields
size_of_batches_bytes

string

num_logs

string

num_batches

string

InputStatsEvent

JSON representation
{
  "id": string,
  "log_type": string,
  "input_type": string,
  "uploaded": {
    object (LogEntryBatchMetrics)
  },
  "backlog": {
    object (LogEntryBatchMetrics)
  },
  "backlog_dropped": {
    object (LogEntryBatchMetrics)
  },
  "regex_filter_dropped": {
    string: {
      object (LogEntryBatchMetrics)
    },
    ...
  },
  "output_stats": {
    string: {
      object (OutputStatsEvent)
    },
    ...
  },
  "buffer_stats": {
    object (BufferStats)
  },
  "bytes_compressed": string,
  "bytes_uncompressed": string
}
Fields
id

string

log_type

string

input_type

string

uploaded

object (LogEntryBatchMetrics)

backlog

object (LogEntryBatchMetrics)

backlog_dropped

object (LogEntryBatchMetrics)

regex_filter_dropped

map (key: string, value: object (LogEntryBatchMetrics))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

output_stats

map (key: string, value: object (OutputStatsEvent))

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

buffer_stats

object (BufferStats)

bytes_compressed

string (int64 format)

bytes_uncompressed

string (int64 format)

OutputStatsEvent

JSON representation
{
  "name": string,
  "output_type": string,
  "uploaded": {
    object (LogEntryBatchMetrics)
  },
  "backlog": {
    object (LogEntryBatchMetrics)
  },
  "backlog_dropped": {
    object (LogEntryBatchMetrics)
  },
  "buffer_stats": {
    object (BufferStats)
  }
}
Fields
name

string

output_type

string

uploaded

object (LogEntryBatchMetrics)

backlog

object (LogEntryBatchMetrics)

backlog_dropped

object (LogEntryBatchMetrics)

buffer_stats

object (BufferStats)

BufferStats

JSON representation
{
  "buffer_type": string,
  "current_buffer_used_bytes": string,
  "buffer_ceiling": string,
  "transmission_threads": string,
  "lock_wait_latency": string
}
Fields
buffer_type

string

current_buffer_used_bytes

string (int64 format)

buffer_ceiling

string (int64 format)

transmission_threads

string (int64 format)

lock_wait_latency

string (int64 format)

ContainerStats

JSON representation
{
  "processes": [
    {
      object (ContainerProcess)
    }
  ],
  "mem_stats": {
    object (MemStats)
  },
  "disk_stats": [
    {
      object (DiskStats)
    }
  ],
  "cpu_stats": {
    object (CpuStats)
  },
  "network_stats": [
    {
      object (NetworkStats)
    }
  ],
  "load_avg": {
    object (LoadAvg)
  },
  "uptime": string
}
Fields
processes[]

object (ContainerProcess)

mem_stats

object (MemStats)

disk_stats[]

object (DiskStats)

cpu_stats

object (CpuStats)

network_stats[]

object (NetworkStats)

load_avg

object (LoadAvg)

uptime

string (int64 format)

ContainerProcess

JSON representation
{
  "pid": integer,
  "ppid": integer,
  "executable": string
}
Fields
pid

integer

ppid

integer

executable

string

MemStats

JSON representation
{
  "mem_total": string,
  "mem_used": string
}
Fields
mem_total

string (int64 format)

mem_used

string (int64 format)

DiskStats

JSON representation
{
  "name": string,
  "disk_total": string,
  "disk_used": string
}
Fields
name

string

disk_total

string (int64 format)

disk_used

string (int64 format)

CpuStats

JSON representation
{
  "user": string,
  "nice": string,
  "system": string,
  "idle": string,
  "iowait": string,
  "irq": string,
  "soft_irq": string,
  "steal": string,
  "guest": string,
  "guest_nice": string,
  "total": string,
  "cpu_count": integer,
  "stat_count": integer
}
Fields
user

string (int64 format)

nice

string (int64 format)

system

string (int64 format)

idle

string (int64 format)

iowait

string (int64 format)

irq

string (int64 format)

soft_irq

string (int64 format)

steal

string (int64 format)

guest

string (int64 format)

guest_nice

string (int64 format)

total

string (int64 format)

cpu_count

integer

stat_count

integer

NetworkStats

JSON representation
{
  "name": string,
  "rx_bytes": string,
  "tx_bytes": string
}
Fields
name

string

rx_bytes

string (int64 format)

tx_bytes

string (int64 format)

LoadAvg

JSON representation
{
  "load_avg1": number,
  "load_avg5": number,
  "load_avg15": number
}
Fields
load_avg1

number

load_avg5

number

load_avg15

number

DnsEvent

JSON representation
{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "class": enum (DnsEventClass),
  "querying_ip_ttl": integer,
  "id": integer,
  "response": boolean,
  "opcode": integer,
  "authoritative": boolean,
  "truncated": boolean,
  "recursion_desired": boolean,
  "recursion_available": boolean,
  "response_code": integer,
  "questions": [
    {
      object (DnsQuestion)
    }
  ],
  "answers": [
    {
      object (DnsRR)
    }
  ],
  "authority": [
    {
      object (DnsRR)
    }
  ],
  "additional": [
    {
      object (DnsRR)
    }
  ],
  "action": enum (Action),
  "summary": {
    object (DnsSummary)
  }
}
Fields
client

object (Device)

server

object (Device)

class

enum (DnsEventClass)

querying_ip_ttl

integer (uint32 format)

id

integer (uint32 format)

response

boolean

opcode

integer (uint32 format)

authoritative

boolean

truncated

boolean

recursion_desired

boolean

recursion_available

boolean

response_code

integer (uint32 format)

questions[]

object (DnsQuestion)

answers[]

object (DnsRR)

authority[]

object (DnsRR)

additional[]

object (DnsRR)

action

enum (Action)

summary

object (DnsSummary)

Device

JSON representation
{
  "hostname": string,
  "ip_addresses": [
    string
  ],
  "mac": [
    string
  ],
  "on_enterprise_network": boolean,
  "product_identifier_type": string,
  "product_identifier_value": string,
  "namespace": string
}
Fields
hostname

string

ip_addresses[]

string (bytes format)

A base64-encoded string.

mac[]

string (bytes format)

A base64-encoded string.

on_enterprise_network

boolean

product_identifier_type

string

product_identifier_value

string

namespace

string

DnsEventClass

Enums
EC_FULL_FIDELITY
EC_RESPONSE_BASED
EC_REQUEST_BASED

DnsQuestion

JSON representation
{
  "name": string,
  "type": integer,
  "class": integer
}
Fields
name

string

type

integer (uint32 format)

class

integer (uint32 format)

DnsRR

JSON representation
{
  "name": string,
  "type": integer,
  "class": integer,
  "ttl": integer,
  "data": string
}
Fields
name

string

type

integer (uint32 format)

class

integer (uint32 format)

ttl

integer (uint32 format)

data

string (bytes format)

A base64-encoded string.

Action

Enums
ACTION_UNSPECIFIED
ALLOWED
BLOCKED
CLIENT_RST
CLOSED
ERROR
OTHER
SERVER_RST

DnsSummary

JSON representation
{
  "queries": [
    {
      object (Query)
    }
  ],
  "edr": {
    object (EdrEvent)
  }
}
Fields
queries[]

object (Query)

edr

object (EdrEvent)

Query

JSON representation
{
  "name": string,
  "ip_addresses": [
    string
  ],
  "url": string,
  "md5": string,
  "sha256": string,
  "filename": string,
  "http_details": {
    object (HttpDetails)
  },
  "network_connection_details": {
    object (NetworkConnectionDetails)
  }
}
Fields
name

string

ip_addresses[]

string (bytes format)

A base64-encoded string.

url

string

md5

string (bytes format)

A base64-encoded string.

sha256

string (bytes format)

A base64-encoded string.

filename

string

http_details

object (HttpDetails)

network_connection_details

object (NetworkConnectionDetails)

NetworkConnectionDetails

JSON representation
{
  "status": enum (Action)
}
Fields
status

enum (Action)

EdrEvent

JSON representation
{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "data_source": enum (Product),
  "raw_event_name": string,
  "category": enum (Category),
  "process_id_type": string,
  "process_id_value": string,
  "process_filename": string,
  "process_md5": string,
  "process_sha256": string,
  "current_process": {
    object (ProcessDetails)
  },
  "target_process": {
    object (ProcessDetails)
  },
  "child_process": {
    object (ProcessDetails)
  },
  "parent_process": {
    object (ProcessDetails)
  },
  "target_file": {
    object (FileDetails)
  },
  "source_file": {
    object (FileDetails)
  },
  "user": {
    object (UserDetails)
  },
  "firewall": {
    object (FirewallDetails)
  },
  "service": {
    object (ServiceDetails)
  },
  "share": {
    object (ShareDetails)
  },
  "registry": {
    object (RegistryDetails)
  },
  "device": {
    object (DeviceDetails)
  },
  "uac": {
    object (UACDetails)
  },
  "task": {
    object (TaskDetails)
  },
  "volume": {
    object (VolumeDetails)
  },

  // Union field event_details can be only one of the following:
  "network": {
    object (EdrNetworkEvent)
  },
  "alert": {
    object (AlertEvent)
  },
  "mapping": {
    object (EdrMappingEvent)
  }
  // End of list of possible types for union field event_details.
}
Fields
client

object (Device)

server

object (Device)

data_source

enum (Product)

raw_event_name

string

category

enum (Category)

process_id_type
(deprecated)

string

process_id_value
(deprecated)

string

process_filename
(deprecated)

string

process_md5
(deprecated)

string (bytes format)

A base64-encoded string.

process_sha256
(deprecated)

string (bytes format)

A base64-encoded string.

current_process

object (ProcessDetails)

target_process

object (ProcessDetails)

child_process

object (ProcessDetails)

parent_process

object (ProcessDetails)

target_file

object (FileDetails)

source_file

object (FileDetails)

user

object (UserDetails)

firewall

object (FirewallDetails)

service

object (ServiceDetails)

share

object (ShareDetails)

registry

object (RegistryDetails)

device

object (DeviceDetails)

uac

object (UACDetails)

task

object (TaskDetails)

volume

object (VolumeDetails)

Union field event_details.

event_details can be only one of the following:

network

object (EdrNetworkEvent)

alert

object (AlertEvent)

mapping

object (EdrMappingEvent)

EdrNetworkEvent

JSON representation
{
  "direction": enum (Direction),
  "target_ip": string,
  "target_domain": string,
  "client_port": integer,
  "target_port": integer,
  "process_filename": string,
  "process_md5": string,
  "process_sha256": string,
  "process_id_type": string,
  "process_id_value": string,
  "protocol": integer
}
Fields
direction

enum (Direction)

target_ip

string (bytes format)

A base64-encoded string.

target_domain

string

client_port

integer (uint32 format)

target_port

integer (uint32 format)

process_filename
(deprecated)

string

process_md5
(deprecated)

string (bytes format)

A base64-encoded string.

process_sha256
(deprecated)

string (bytes format)

A base64-encoded string.

process_id_type
(deprecated)

string

process_id_value
(deprecated)

string

protocol

integer (uint32 format)

Direction

Enums
DIRECTION_UNSPECIFIED
INBOUND
OUTBOUND
NEITHER

AlertEvent

JSON representation
{
  "devices": [
    {
      object (Device)
    }
  ],
  "raw_alert_message": string,
  "source_product": string,
  "alert_short_name": string,
  "severity": enum (AlertSeverity),
  "raw_severity": string,
  "is_significant": boolean,
  "hash_md5": string,
  "hash_sha1": string,
  "hash_sha256": string
}
Fields
devices[]

object (Device)

raw_alert_message
(deprecated)

string

source_product

string

alert_short_name

string

severity
(deprecated)

enum (AlertSeverity)

raw_severity

string

is_significant

boolean

hash_md5

string (bytes format)

A base64-encoded string.

hash_sha1

string (bytes format)

A base64-encoded string.

hash_sha256

string (bytes format)

A base64-encoded string.

AlertSeverity

Enums
SEVERITY_UNSPECIFIED
SEVERITY_INFO
SEVERITY_LOW
SEVERITY_MEDIUM
SEVERITY_HIGH
SEVERITY_CRITICAL

EdrMappingEvent

JSON representation
{
  "type": enum (MappingType)
}
Fields
type

enum (MappingType)

MappingType

Enums
MAPPING_UNSPECIFIED
HOSTNAME_TO_PRODUCT_ID
MAC_TO_PRODUCT_ID

Product

Enums
UNSPECIFIED
CROWDSTRIKE
CARBON_BLACK
CHECKPOINT_SANDBLAST
CYLANCE
DIGITAL_GUARDIAN
ENDGAME
ESET
JAMF
LIMA_CHARLIE
MALWAREBYTES
MANDIANT
MCAFEE_EPO
MICROSOFT
OSQUERY
PAN_TRAPS
QUALYS
RAPID7
RED_CANARY
SENTINEL_ONE
SYMANTEC
TANIUM
VMRAY
WHITE_CLOUD
WINDOWS
WINDOWS_SYSMON

Category

Enums
EVENT_UNSPECIFIED
PROCESS_MAPPING

ProcessDetails

JSON representation
{
  "process_id": string,
  "raw_pid": string,
  "process_file": {
    object (FileDetails)
  },
  "full_command_line": string,
  "user_name": {
    object (UserDetails)
  },
  "access_mask": string
}
Fields
process_id

string

raw_pid

string

process_file

object (FileDetails)

full_command_line

string

user_name

object (UserDetails)

access_mask

string

FileDetails

JSON representation
{
  "file_name": string,
  "full_path": string,
  "hash_md5": string,
  "hash_sha256": string,
  "hash_sha1": string
}
Fields
file_name

string

full_path

string

hash_md5

string (bytes format)

A base64-encoded string.

hash_sha256

string (bytes format)

A base64-encoded string.

hash_sha1

string (bytes format)

A base64-encoded string.

UserDetails

JSON representation
{
  "user_name": string,
  "authentication_id": string,
  "user_principal": string,
  "user_sid": string
}
Fields
user_name

string

authentication_id

string

user_principal

string

user_sid

string

FirewallDetails

JSON representation
{
  "firewall_rule": string,
  "firewall_rule_id": string,
  "firewall_option": string
}
Fields
firewall_rule

string

firewall_rule_id

string

firewall_option

string

ServiceDetails

JSON representation
{
  "service_name": string,
  "service_user": string
}
Fields
service_name

string

service_user

string

ShareDetails

JSON representation
{
  "share_name": string
}
Fields
share_name

string

RegistryDetails

JSON representation
{
  "reg_object_name": string,
  "reg_value_name": string,
  "reg_string_value": string
}
Fields
reg_object_name

string

reg_value_name

string

reg_string_value

string

DeviceDetails

JSON representation
{
  "product_name": string,
  "device_name": string
}
Fields
product_name

string

device_name

string

UACDetails

JSON representation
{
  "exe_to_validate": string,
  "dll_to_validate": string,
  "command_line_to_validate": string,
  "application_name_to_validate": string,
  "msi_product_name": string,
  "msi_package_path": string,
  "com_friendly_name": string,
  "com_server_binary": string,
  "com_requestor_path": string,
  "axis_install_point": string,
  "axis_url": string
}
Fields
exe_to_validate

string

dll_to_validate

string

command_line_to_validate

string

application_name_to_validate

string

msi_product_name

string

msi_package_path

string

com_friendly_name

string

com_server_binary

string

com_requestor_path

string

axis_install_point

string

axis_url

string

TaskDetails

JSON representation
{
  "task_name": string,
  "task_author": string,
  "task_command": {
    object (ProcessDetails)
  }
}
Fields
task_name

string

task_author

string

task_command

object (ProcessDetails)

VolumeDetails

JSON representation
{
  "volume_name": string,
  "volume_device": {
    object (DeviceDetails)
  },
  "volume_mount_point": string
}
Fields
volume_name

string

volume_device

object (DeviceDetails)

volume_mount_point

string

DhcpEvent

JSON representation
{
  "client": {
    object (Device)
  },
  "server": {
    object (Device)
  },
  "class": enum (DhcpEventClass),
  "op": enum (DhcpOp),
  "htype": enum (DhcpHType),
  "hlen": integer,
  "hops": integer,
  "xid": integer,
  "secs": integer,
  "flags": integer,
  "ciaddr": string,
  "yiaddr": string,
  "siaddr": string,
  "giaddr": string,
  "chaddr": string,
  "sname": string,
  "file": string,
  "options": [
    {
      object (DhcpOption)
    }
  ],
  "opt_type": enum (MessageType),
  "opt_hostname": string,
  "opt_lease_time": integer,
  "opt_requested_address": string,
  "opt_client_identifier": string
}
Fields
client

object (Device)

server

object (Device)

class

enum (DhcpEventClass)

op

enum (DhcpOp)

htype

enum (DhcpHType)

hlen

integer (uint32 format)

hops

integer (uint32 format)

xid

integer (uint32 format)

secs

integer (uint32 format)

flags

integer (uint32 format)

ciaddr

string (bytes format)

A base64-encoded string.

yiaddr

string (bytes format)

A base64-encoded string.

siaddr

string (bytes format)

A base64-encoded string.

giaddr

string (bytes format)

A base64-encoded string.

chaddr

string (bytes format)

A base64-encoded string.

sname

string

file

string

options[]

object (DhcpOption)

opt_type

enum (MessageType)

opt_hostname

string

opt_lease_time

integer (uint32 format)

opt_requested_address

string (bytes format)

A base64-encoded string.

opt_client_identifier

string (bytes format)

A base64-encoded string.

DhcpEventClass

Enums
EC_FULL_FIDELITY
EC_RESPONSE_BASED
EC_REQUEST_BASED

DhcpOp

Enums
OP_INVALID
OP_REQUEST
OP_REPLY

DhcpHType

Enums
HT_NULL
HT_ETHERNET
HT_AX25
HT_TOKEN_RING
HT_ARC_NET
HT_SLIP
HT_PPP
HT_FDDI
HT_PPP_HDLC
HT_PPP_ETHERNET
HT_ATM_RFC1483
HT_RAW
HT_C_HDLC
HT_IEEE802_11
HT_F_RELAY
HT_LOOP
HT_LINUX_SSL
HT_L_TALK
HT_PF_LOG
HT_PRISM_HEADER
HT_IP_OVER_FC
HT_SUN_ATM
HT_IEEE80211_RADIO
HT_ARC_NET_LINUX
HT_IP_OVER_1394
HT_MTP2P_HDR
HT_MTP2
HT_MTP3
HT_SCCP
HT_DOCSIS
HT_LINUX_IRDA
HT_LINUX_LAPD
HT_LINUX_USB
HT_IPV4
HT_IPV6

DhcpOption

JSON representation
{
  "type": enum (DhcpOptionType),
  "data": string
}
Fields
type

enum (DhcpOptionType)

data

string (bytes format)

A base64-encoded string.

DhcpOptionType

Enums
OT_PAD
OT_SUBNET_MASK
OT_TIME_OFFSET
OT_ROUTER
OT_TIME_SERVER
OT_NAME_SERVER
OT_DNS
OT_LOG_SERVER
OT_LPR_SERVER
OT_IMPRESS_SERVER
OT_RES_LOC_SERVER
OT_HOSTNAME
OT_BOOTFILE_SIZE
OT_MERIT_DUMP_FILE
OT_DOMAIN_NAME
OT_SWAP_SERVER
OT_ROOT_PATH
OT_EXTENSION_PATH
OT_IP_FORWARDING
OT_SOURCE_ROUTING
OT_POLICY_FILTER
OT_DATAGRAM_MTU
OT_DEFAULT_TTL
OT_PATH_MTU_AGING_TIMEOUT
OT_PATH_PLATEAU_TABLE_OPTION
OT_INTERFACE_MTU
OT_ALL_SUBS_LOCAL
OT_BROADCAST_ADDR
OT_MASK_DISCOVERY
OT_MASK_SUPPLIER
OT_ROUTER_DISCOVERY
OT_SOLICIT_ADDR
OT_STATIC_ROUTE
OT_ARP_TRAILERS
OT_ARP_TIMEOUT
OT_ETHERNET_ENCAP
OT_TCP_TTL
OT_TCP_KEEPALIVE_INT
OT_TCP_KEEPALIBE_GARBAGE
OT_NIS_DOMAIN
OT_NIS_SERVERS
OT_NTP_SERVERS
OT_VENDOR_OPTION
OT_NETBIOS_TCP_NS
OT_NETBIOS_TCP_DDS
OT_NETBIOS_TCP_NODE_TYPE
OT_NETBIOS_TCP_SCOPE
OT_X_FONT_SERVER
OT_X_DISPLAY_MANAGER
OT_REQUEST_IP
OT_LEASE_TIME
OT_EXT_OPTIONS
OT_MESSAGE_TYPE
OT_SERVER_ID
OT_PARAMS_REQUEST
OT_MESSAGE
OT_MAX_MESSAGE_SIZE
OT_T1
OT_T2
OT_CLASS_ID
OT_CLIENT_ID
OT_SIP_SERVERS
OT_CLASSLESS_STATIC_ROUTE

MessageType

Enums
MT_UNSPECIFIED
MT_DISCOVER
MT_OFFER
MT_REQUEST
MT_DECLINE
MT_ACK
MT_NACK
MT_RELEASE
MT_INFO
MT_WIN_DELETED
MT_WIN_EXPIRED

WebProxyEvent

JSON representation
{
  "client": {
    object (Device)
  },
  "client_port": integer,
  "server": {
    object (Device)
  },
  "target": {
    object (Device)
  },
  "target_port": integer,
  "protocol": enum (HttpProtocol),
  "request": {
    object (Request)
  },
  "response": {
    object (Response)
  },
  "action": enum (Action),
  "block_reason": string,
  "user_identifier": string
}
Fields
client

object (Device)

client_port

integer (uint32 format)

server

object (Device)

target

object (Device)

target_port

integer (uint32 format)

protocol

enum (HttpProtocol)

request

object (Request)

response

object (Response)

action

enum (Action)

block_reason

string

user_identifier

string

Request

JSON representation
{
  "method": enum (HttpMethod),
  "resource": string,
  "user_agent": string,
  "referer": string
}
Fields
method

enum (HttpMethod)

resource

string

user_agent

string

referer

string

Response

JSON representation
{
  "code": integer,
  "size": string,
  "hash_md5": string
}
Fields
code

integer (uint32 format)

size

string

hash_md5

string (bytes format)

A base64-encoded string.

WhoisRecord

JSON representation
{
  "domain_name": string,
  "registrar_name": string,
  "contact_email": string,
  "whois_server": string,
  "name_server": [
    string
  ],
  "creation_time": string,
  "update_time": string,
  "expiration_time": string,
  "audit_update_time": string,
  "status": string,
  "registrant": {
    object (Contact)
  },
  "admin_contact": {
    object (Contact)
  },
  "tech_contact": {
    object (Contact)
  },
  "billing_contact": {
    object (Contact)
  },
  "zone_contact": {
    object (Contact)
  },
  "whois_record_raw_text": string,
  "registry_data_raw_text": string,
  "iana_registrar_id": integer,
  "private_registration": boolean
}
Fields
domain_name

string

registrar_name

string

contact_email

string

whois_server

string

name_server[]

string

creation_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

update_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

expiration_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

audit_update_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

status

string

registrant

object (Contact)

admin_contact

object (Contact)

tech_contact

object (Contact)

billing_contact

object (Contact)

zone_contact

object (Contact)

whois_record_raw_text

string (bytes format)

A base64-encoded string.

registry_data_raw_text

string (bytes format)

A base64-encoded string.

iana_registrar_id

integer

private_registration

boolean

Contact

JSON representation
{
  "email_address": string,
  "name": string,
  "organization": string,
  "phone_number": string,
  "phone_number_ext": string,
  "fax_number": string,
  "fax_number_ext": string,
  "address": {
    object (Address)
  },
  "raw_text": string
}
Fields
email_address

string

name

string

organization

string

phone_number

string

phone_number_ext

string

fax_number

string

fax_number_ext

string

address

object (Address)

raw_text

string (bytes format)

A base64-encoded string.

Address

JSON representation
{
  "country": string,
  "street": [
    string
  ],
  "city": string,
  "state": string,
  "postal_code": string
}
Fields
country

string

street[]

string

city

string

state

string

postal_code

string

AssetInfo

JSON representation
{
  "client": {
    object (Device)
  },
  "operating_system": string,
  "vulnerabilities": [
    {
      object (AssetVulnerability)
    }
  ]
}
Fields
client

object (Device)

operating_system

string

vulnerabilities[]

object (AssetVulnerability)

AssetVulnerability

JSON representation
{
  "name": string,
  "description": string,
  "scan_start_time": string,
  "scan_end_time": string,
  "first_found": string,
  "last_found": string,
  "severity": string,
  "cvss_base_score": number,
  "cvss_vector": string,
  "cvss_version": string
}
Fields
name

string

description

string

scan_start_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

scan_end_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

first_found

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

last_found

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

severity

string

cvss_base_score

number

cvss_vector

string

cvss_version

string

BinaryInfo

JSON representation
{
  "hash_md5": string,
  "hash_sha256": string,
  "hash_sha1": string,
  "size_bytes": string,
  "mime_type": string,
  "type": enum (FileType),
  "version": {
    object (VersionInfo)
  },
  "sign": {
    object (SigningInfo)
  }
}
Fields
hash_md5

string (bytes format)

A base64-encoded string.

hash_sha256

string (bytes format)

A base64-encoded string.

hash_sha1

string (bytes format)

A base64-encoded string.

size_bytes

string

mime_type

string

type

enum (FileType)

version

object (VersionInfo)

sign

object (SigningInfo)

FileType

Enums
UNSPECIFIED
OTHER
BZIP2
ELF
JAR
LZH
LZW
OFFICE_LEGACY
OFFICE_OPENXML
PDF
PE
RAR
RTF
SEVEN_ZIP
TAR
UNIVERSAL
XAR
ZIP

VersionInfo

JSON representation
{
  "company_name": string,
  "file_description": string,
  "file_version": string,
  "internal_name": string,
  "original_name": string,
  "product_name": string,
  "product_version": string
}
Fields
company_name

string

file_description

string

file_version

string

internal_name

string

original_name

string

product_name

string

product_version

string

SigningInfo

JSON representation
{
  "status": enum (SignStatus),
  "subject": string,
  "issuer": string
}
Fields
status

enum (SignStatus)

subject

string

issuer

string

SignStatus

Enums
UNSPECIFIED
OTHER
SIGNED
UNSIGNED
INVALID_SIGNATURE
EXPIRED
INVALID_CHAIN
UNTRUSTED_ROOT
NOT_TRUSTED

EventSource

JSON representation
{
  "customer_id": string,
  "collector_id": string,
  "filename": string,
  "namespace": string,
  "labels": [
    {
      object (Label)
    }
  ]
}
Fields
customer_id

string (bytes format)

A base64-encoded string.

collector_id

string (bytes format)

A base64-encoded string.

filename

string

namespace

string

labels[]

object (Label)

SIEventData

JSON representation
{
  "batch_id": string,
  "raw_log_type": enum (LogType),
  "snippet": string,
  "raw_log_index": integer,
  "disambiguation_key": string,
  "event_type": enum (EventType),
  "timestamp": string,
  "replay_time": string
}
Fields
batch_id

string (bytes format)

A base64-encoded string.

raw_log_type

enum (LogType)

snippet

string (bytes format)

A base64-encoded string.

raw_log_index

integer

disambiguation_key

string (bytes format)

A base64-encoded string.

event_type

enum (EventType)

timestamp

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

replay_time

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

IDM

JSON representation
{
  "read_only_udm": {
    object (UDM)
  },
  "filtered_udm": {
    object (UDM)
  },
  "context": {
    object (Noun)
  },
  "entity": {
    object (Entity)
  },
  "is_alert": boolean,
  "is_significant": boolean,
  "base_labels": {
    object (DataAccessLabels)
  },
  "enrichment_labels": {
    object (DataAccessLabels)
  }
}
Fields
read_only_udm

object (UDM)

filtered_udm

object (UDM)

context
(deprecated)

object (Noun)

entity

object (Entity)

is_alert

boolean

is_significant

boolean

base_labels
(deprecated)

object (DataAccessLabels)

enrichment_labels
(deprecated)

object (DataAccessLabels)

RawLogsAssociatedWithAnEvent

JSON representation
{
  "raw_logs": [
    {
      object (RawLog)
    }
  ]
}
Fields
raw_logs[]

object (RawLog)

RawLog

JSON representation
{
  "timestamp": string,
  "source_product": string,
  "log_bytes": string,
  "search_results": [
    {
      object (Range)
    }
  ],
  "type": enum (LogType)
}
Fields
timestamp

string (Timestamp format)

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

source_product

string

log_bytes

string (bytes format)

A base64-encoded string.

search_results[]

object (Range)

type

enum (LogType)

Range

JSON representation
{
  "start": string,
  "end": string
}
Fields
start

string (int64 format)

end

string (int64 format)