UDM field list

This document provides a list of fields available in the Unified Data Model (UDM) schema.

Field name and field type values can look similar. This document uses style conventions to help you identify the differences:

  • Field type values use CamelCase characters; for example, Platform and EventType.
  • Field name values use lowercase characters; for example, platform and event_type. When a field name consists of more than one word, an underscore is used to separate the words.
  • Standard data type values use lowercase characters.

UDM field name formats

When specifying a field, use the following format:

<prefix>.<field_name1>.<field_name2>.<...>.<field_nameN>=<value>

Field name format for Detect Engine

When writing rules for Detect Engine:

  • Use the <prefix> pattern $event for Event fields; for example:

    • $event.metadata.event_type
    • $event.network.dhcp.opcode
    • $event.principal.user.location.city
  • Use the <prefix> pattern $entity for Entity fields; for example:

    • $entity.graph.entity.hostname
    • $entity.graph.metadata.product_name

Field name format for parsers

When writing configuration-based normalizer (CBN) parsers:

  • Use the <prefix> pattern event.idm.read_only_udm for UDM Event fields; for example:

    • event.idm.read_only_udm.metadata.event_type
    • event.idm.read_only_udm.network.dhcp.opcode
    • event.idm.read_only_udm.principal.user.location.city
  • Use the <prefix> pattern event.idm.entity for UDM Entity fields; for example:

    • event.idm.entity.entity.user.user_display_name
    • event.idm.entity.entity.asset.hostname
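
The two prefix styles above ($event./$entity.graph. for Detect Engine, event.idm.read_only_udm./event.idm.entity. for parsers) address the same records, and references can cross repeated fields such as principal.ip. The following resolver, added here as an example and not code from the Google SecOps documentation, evaluates a prefixed reference against a UDM event or entity held as a Python dict (for instance, one parsed from a JSON export). The sample event and entity are constructed for illustration.

```python
"""Resolve a UDM field reference written in the Detect Engine style
($event.<path> / $entity.graph.<path>) or the parser style
(event.idm.read_only_udm.<path> / event.idm.entity.<path>) against a UDM
record held as a Python dict.

Added example, not part of the Google SecOps documentation. The sample event
and entity below are constructed for illustration.
"""
from __future__ import annotations

from typing import Any, Optional

# Prefix -> which record the rest of the path is resolved against. The two
# Detect Engine prefixes and the two parser prefixes name the same records.
PREFIXES = {
    "$event.": "event",
    "event.idm.read_only_udm.": "event",
    "$entity.graph.": "entity",
    "event.idm.entity.": "entity",
}


def split_reference(ref: str) -> tuple[str, list[str]]:
    """Return (record_kind, path_components) for a prefixed reference."""
    for prefix, kind in PREFIXES.items():
        if ref.startswith(prefix):
            return kind, ref[len(prefix):].split(".")
    raise ValueError(f"unrecognised UDM prefix in reference: {ref!r}")


def _walk(node: Any, parts: list[str]) -> list[Any]:
    """Descend through nested dicts. Repeated fields (lists) fan out, so a
    reference such as principal.ip yields every address, not just the first."""
    if not parts:
        return list(node) if isinstance(node, list) else [node]
    if isinstance(node, list):
        found: list[Any] = []
        for item in node:
            found.extend(_walk(item, parts))
        return found
    if isinstance(node, dict) and parts[0] in node:
        return _walk(node[parts[0]], parts[1:])
    return []  # UDM fields are optional, so an absent field is just no value


def resolve(ref: str, event: Optional[dict] = None,
            entity: Optional[dict] = None) -> list[Any]:
    """Values the reference selects: [] if the field is absent, several values
    if the path crosses a repeated field."""
    kind, parts = split_reference(ref)
    record = event if kind == "event" else entity
    return [] if record is None else _walk(record, parts)


# Constructed sample records (not real telemetry).
SAMPLE_EVENT = {
    "metadata": {"event_type": "PROCESS_LAUNCH", "product_name": "ExampleEDR"},
    "principal": {
        "hostname": "ws-0123",
        "ip": ["10.1.2.34", "192.0.2.10"],
        "user": {"userid": "abc", "location": {"city": "Zurich"}},
        "process": {"file": {"full_path": "C:\\Temp\\shady.exe"}},
    },
    "network": {"dhcp": {"opcode": "BOOTREQUEST"}},
}
SAMPLE_ENTITY = {
    "metadata": {"entity_type": "ASSET", "product_name": "ExampleCMDB"},
    "entity": {"hostname": "ws-0123",
               "asset": {"hostname": "ws-0123", "asset_id": "cmdb:0123"}},
}

if __name__ == "__main__":
    for ref in ("$event.metadata.event_type", "$event.principal.ip",
                "event.idm.read_only_udm.network.dhcp.opcode",
                "event.idm.entity.entity.asset.hostname", "$event.target.ip"):
        print(ref, "->", resolve(ref, event=SAMPLE_EVENT, entity=SAMPLE_ENTITY))
```

A resolver like this is handy when checking that the field a rule references is actually populated by the parser: resolving the rule's $event.… reference and the parser's event.idm.read_only_udm.… reference against the same normalized output must yield the same values.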

UDM Entity data model

Entity

An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.com' launched process 'shady.exe'. The event does not include the information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.

Field Name Type Label Description
additional google.protobuf.Struct Important entity data that cannot be adequately represented within the formal sections of the Entity.
entity Noun Noun in the UDM event that this entity represents.
metadata EntityMetadata Entity metadata such as timestamp, product, etc.
metric Metric Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC.
relations Relation repeated One or more relationships between the entity (a) and other entities, including the relationship type and related entity.
risk_score EntityRisk optional Stores information related to the entity's risk score.

EntityMetadata

Information about the Entity and the product where the entity was created.

Field Name Type Label Description
collected_timestamp google.protobuf.Timestamp GMT timestamp when the entity information was collected by the vendor's local collection infrastructure.
creation_timestamp google.protobuf.Timestamp GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected.
description string Human-readable description of the entity.
entity_type EntityMetadata.EntityType (Enumerated list) Entity type. If an entity has multiple possible types, this specifies the most specific type.
event_metadata Metadata Metadata field from the event.
feed string Vendor feed name for a threat indicator feed.
interval google.type.Interval Valid existence time range for the version of the entity represented by this entity data.
product_entity_id string A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar).
product_name string Product name that produced the entity information.
product_version string Version of the product that produced the entity information.
source_labels Label repeated Entity source metadata labels.
source_type EntityMetadata.SourceType (Enumerated list) The source of the entity.
threat SecurityResult repeated Metadata provided by a threat intelligence feed that identified the entity as malicious.
vendor_name string Vendor name of the product that produced the entity information.

EntityRisk

Stores information related to the risk score of an entity.

Field Name Type Label Description
DEPRECATED_risk_score int32 Deprecated risk score.
detections_count int32 Number of detections that make up the risk score within the time window.
first_detection_time google.protobuf.Timestamp Timestamp of the first detection within the specified time window. This field is empty when there are no detections.
last_detection_time google.protobuf.Timestamp Timestamp of the last detection within the specified time window. This field is empty when there are no detections.
normalized_risk_score int32 Normalized risk score for the entity. This value is between 0-1000.
raw_risk_delta RiskDelta optional Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window.
risk_delta RiskDelta optional Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window.
risk_score float Raw risk score for the entity.
risk_version string Version of the risk score calculation algorithm.
risk_window google.type.Interval Time window used when computing the risk score for an entity, for example 24 hours or 7 days.
risk_window_size Int64 Risk window duration for the Entity.

Metric

Stores precomputed aggregated analytic data for an entity.

Field Name Type Label Description
dimensions Metric.Dimension (Enumerated list) repeated All group by clauses used to calculate the metric.
export_window int64 Export window for which the metric was exported.
first_seen google.protobuf.Timestamp Timestamp of the first time the entity was seen in the environment.
last_seen google.protobuf.Timestamp Timestamp of the last time the entity was seen in the environment.
metric_name Metric.MetricName (Enumerated list) Name of the analytic.
sum_measure Metric.Measure Sum of all precomputed measures for the given metric.
total_events int64 Total number of events used to calculate the given precomputed metric.

Metric.Measure

Describes the precomputed measure.

Field Name Type Label Description
aggregate_function Metric.AggregateFunction (Enumerated list) Function used to calculate the aggregated measure.
value double Value of the aggregated measure.

Relation

Defines the relationship between the entity (a) and another entity (b).

Field Name Type Label Description
direction Relation.Directionality (Enumerated list) Directionality of relationship between primary entity (a) and the related entity (b).
entity Noun Entity (b) that the primary entity (a) is related to.
entity_label Relation.EntityLabel (Enumerated list) Label to identify the Noun of the relation.
entity_type EntityMetadata.EntityType (Enumerated list) Type of the related entity (b) in this relationship.
relationship Relation.Relationship (Enumerated list) Type of relationship.
uid bytes UID of the relationship.

RiskDelta

Describes the difference in risk score between two points in time.

Field Name Type Label Description
previous_range_end_time google.protobuf.Timestamp End time of the previous time window.
previous_risk_score int32 Risk score from the previous risk window.
risk_score_delta int32 Difference in the normalized risk score from the previous recorded value.
risk_score_numeric_delta int32 Numeric change between the current and previous risk score.

Entity enumerated types

EntityMetadata.EntityType

Describes the type of entity.

Enum Value Enum Number Description
ASSET 1 An asset, such as workstation, laptop, phone, or virtual machine.
DOMAIN_NAME 5 A domain. The request should include IOC intel threat metadata for each entity to be ingested.
FILE 4 A file. The request should include IOC intel threat metadata for each entity to be ingested.
GROUP 10001 Group.
IP_ADDRESS 3 An external IP address. The request should include IOC intel threat metadata for each entity to be ingested.
MUTEX 7 A mutex. The request should include IOC intel threat metadata for each entity to be ingested.
RESOURCE 2 Resource.
URL 6 A URL.
USER 10000 User.

EntityMetadata.SourceType

Describes the source of an entity.

Enum Value Enum Number Description
DERIVED_CONTEXT 2 Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats.
ENTITY_CONTEXT 1 Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT).
GLOBAL_CONTEXT 3 Global contextual entities such as WHOIS or Safe Browsing.
SOURCE_TYPE_UNSPECIFIED 0 Default source type

Metric.AggregateFunction

Mathematic function used to calculate the value.

Enum Value Enum Number Description
AGGREGATE_FUNCTION_UNSPECIFIED 0 Default value.
AVG 5 Average.
COUNT 3 Count.
MAX 2 Maximum.
MIN 1 Minimum.
STDDEV 6 Standard Deviation.
SUM 4 Sum.

Metric.Dimension

Describes field used as the dimension when grouping data to calculate the aggregate metric.

Enum Value Enum Number Description
CLIENT_CERTIFICATE_HASH 10 Client Certificate Hash
DIMENSION_UNSPECIFIED 0 Default
DNS_DOMAIN 12 DNS Domain
DNS_QUERY_TYPE 11 DNS Query Type
EMAIL_FROM_ADDRESS 22 Email From Address.
EMAIL_TO_ADDRESS 21 Email To Address.
EVENT_TYPE 14 Event Type
HTTP_USER_AGENT 13 HTTP User Agent
MAIL_ID 23 Mail Id.
NETWORK_ASN 9 Network ASN
PARENT_FOLDER_PATH 17 Parent Folder Path
PRINCIPAL_APPLICATION 19 Principal Application.
PRINCIPAL_COUNTRY 7 Principal Country
PRINCIPAL_DEVICE 1 Principal Device
PRINCIPAL_FILE_HASH 6 Principal File Hash
PRINCIPAL_IP 24 Principal IP.
PRINCIPAL_NETWORK_ORGANIZATION_NAME 30 Principal Network Organization name.
PRINCIPAL_PROCESS_FILE_HASH 32 Principal Process File SHA256 Hash.
PRINCIPAL_PROCESS_FILE_PATH 31 Principal Process File Path.
PRINCIPAL_USER 4 Principal User
PRODUCT_EVENT_TYPE 16 Product Event Type
PRODUCT_NAME 15 Product Name
SECURITY_ACTION 25 Security Action.
SECURITY_CATEGORY 8 Security Category
SECURITY_RESULT_RULE_NAME 33 Security Result rule name.
SECURITY_RULE_ID 28 Security Rule Id.
TARGET_APPLICATION 20 Target Application.
TARGET_DEVICE 3 Target Device
TARGET_IP 5 Target IP
TARGET_NETWORK_ORGANIZATION_NAME 29 Target Network Organization name.
TARGET_RESOURCE_NAME 18 Target resource Name
TARGET_USER 2 Target User

Metric.MetricName

The name of the precomputed analytic.

Enum Value Enum Number Description
ALERT_EVENT_NAME_COUNT 26 Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH.
AUTH_ATTEMPTS_FAIL 5 Failed authentication attempts.
AUTH_ATTEMPTS_SUCCESS 4 Successful authentication attempts.
AUTH_ATTEMPTS_TOTAL 6 Total authentication attempts.
DNS_BYTES_OUTBOUND 7 Total number of sent bytes for DNS events.
DNS_QUERIES_FAIL 12 Number of events with response_code != 0.
DNS_QUERIES_SUCCESS 11 DNS query success count - Number of events with response_code = 0.
DNS_QUERIES_TOTAL 13 Total number of DNS queries made.
FILE_EXECUTIONS_FAIL 15 Number of failed file executions.
FILE_EXECUTIONS_SUCCESS 14 Number of successful file executions.
FILE_EXECUTIONS_TOTAL 16 Total number of file executions.
HTTP_QUERIES_FAIL 18 Number of failed HTTP queries.
HTTP_QUERIES_SUCCESS 17 Number of successful HTTP queries.
HTTP_QUERIES_TOTAL 19 Total number of HTTP queries.
METRIC_NAME_UNSPECIFIED 0 Default
NETWORK_BYTES_INBOUND 1 Total received network bytes.
NETWORK_BYTES_OUTBOUND 2 Total network sent bytes.
NETWORK_BYTES_TOTAL 3 Total network sent bytes and received bytes.
NETWORK_FLOWS_INBOUND 8 Total number of events having non-null received bytes.
NETWORK_FLOWS_OUTBOUND 9 Total number of events having non-null sent bytes.
NETWORK_FLOWS_TOTAL 10 Total events having non-null sent or received bytes.
WORKSPACE_AUTH_ATTEMPTS_TOTAL 23 Total number of authentication attempts in Google Workspace.
WORKSPACE_EMAILS_SENT_TOTAL 20 Total number of emails sent in Google Workspace.
WORKSPACE_NETWORK_BYTES_OUTBOUND 24 Number of outbound network bytes (total sent) in Google Workspace.
WORKSPACE_NETWORK_BYTES_TOTAL 25 Total number of network bytes (both sent and received) in Google Workspace.
WORKSPACE_TOTAL_CHANGE_ACTIONS 22 Total number of change actions in Google Workspace.
WORKSPACE_TOTAL_DOWNLOAD_ACTIONS 21 Total number of download actions in Google Workspace.
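
The Metric, Metric.Measure, Metric.AggregateFunction, Metric.Dimension and Metric.MetricName definitions above describe precomputed aggregates; the example below, added here and not code from the documentation, shows how a few of them are derived from raw UDM events, grouped by dimension values, with the result shaped like a Metric record. Events are constructed. Criteria are taken from the MetricName descriptions where the page gives one (DNS_QUERIES_FAIL counts events with response_code != 0, NETWORK_FLOWS_* count events with non-null sent or received bytes, NETWORK_BYTES_* sum those bytes). AUTH_ATTEMPTS_* have no stated criterion, so the example counts USER_LOGIN events and treats a security_result.action of BLOCK as a failure and ALLOW as a success; that mapping, and reducing a repeated dimension field such as principal.ip to its first element, are assumptions of this example.

```python
"""Compute some of the precomputed metrics listed above from raw UDM events,
grouped by Metric.Dimension values, returning Metric-shaped records whose
sum_measure carries the Metric.AggregateFunction used.

Added example, not part of the documentation; events are constructed. The
AUTH_ATTEMPTS_* criteria (USER_LOGIN with BLOCK/ALLOW actions) and the
first-element reduction of repeated dimension fields are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Any, Callable, Iterable, Optional

# Dimension enum value -> UDM field path. A repeated field (principal.ip) is
# reduced to its first element for grouping (simplifying assumption).
DIMENSION_PATHS = {
    "PRINCIPAL_USER": ("principal", "user", "userid"),
    "PRINCIPAL_IP": ("principal", "ip"),
    "TARGET_IP": ("target", "ip"),
    "EVENT_TYPE": ("metadata", "event_type"),
    "PRODUCT_NAME": ("metadata", "product_name"),
}

# Metric.AggregateFunction value -> function over the per-group contributions.
AGGREGATE = {
    "COUNT": len,
    "SUM": sum,
    "MIN": min,
    "MAX": max,
    "AVG": lambda vals: sum(vals) / len(vals),
}


def field(event: dict, path: tuple[str, ...]) -> Any:
    """Value at a dotted UDM path, None if absent; first element of a list."""
    node: Any = event
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    if isinstance(node, list):
        return node[0] if node else None
    return node


def actions(event: dict) -> set[str]:
    """Union of security_result.action values on the event."""
    acts: set[str] = set()
    for result in event.get("security_result", []):
        acts.update(result.get("action", []))
    return acts


def _login(event: dict) -> bool:
    return field(event, ("metadata", "event_type")) == "USER_LOGIN"


def _dns_rc(event: dict) -> Optional[int]:
    return field(event, ("network", "dns", "response_code"))


def _bytes_total(event: dict) -> Optional[int]:
    sent = field(event, ("network", "sent_bytes"))
    recv = field(event, ("network", "received_bytes"))
    if sent is None and recv is None:
        return None
    return (sent or 0) + (recv or 0)


# MetricName -> (aggregate function, selector). The selector returns the
# event's contribution, or None when the event does not count for the metric.
METRICS: dict[str, tuple[str, Callable[[dict], Any]]] = {
    "AUTH_ATTEMPTS_TOTAL": ("COUNT", lambda e: 1 if _login(e) else None),
    "AUTH_ATTEMPTS_FAIL": ("COUNT", lambda e: 1 if _login(e) and "BLOCK" in actions(e) else None),
    "AUTH_ATTEMPTS_SUCCESS": ("COUNT", lambda e: 1 if _login(e) and "ALLOW" in actions(e) else None),
    "DNS_QUERIES_TOTAL": ("COUNT", lambda e: 1 if field(e, ("network", "dns")) is not None else None),
    "DNS_QUERIES_SUCCESS": ("COUNT", lambda e: 1 if _dns_rc(e) == 0 else None),
    "DNS_QUERIES_FAIL": ("COUNT", lambda e: 1 if _dns_rc(e) not in (None, 0) else None),
    "NETWORK_BYTES_INBOUND": ("SUM", lambda e: field(e, ("network", "received_bytes"))),
    "NETWORK_BYTES_OUTBOUND": ("SUM", lambda e: field(e, ("network", "sent_bytes"))),
    "NETWORK_BYTES_TOTAL": ("SUM", _bytes_total),
    "NETWORK_FLOWS_INBOUND": ("COUNT", lambda e: 1 if field(e, ("network", "received_bytes")) is not None else None),
    "NETWORK_FLOWS_OUTBOUND": ("COUNT", lambda e: 1 if field(e, ("network", "sent_bytes")) is not None else None),
}


def compute_metric(events: Iterable[dict], metric_name: str,
                   dimensions: tuple[str, ...] = ()) -> dict[tuple, dict]:
    """Group-by key (one value per dimension) -> Metric-shaped record."""
    func_name, select = METRICS[metric_name]
    groups: dict[tuple, list] = defaultdict(list)
    for event in events:
        contribution = select(event)
        if contribution is None:
            continue
        key = tuple(field(event, DIMENSION_PATHS[d]) for d in dimensions)
        groups[key].append(contribution)
    return {
        key: {
            "metric_name": metric_name,
            "dimensions": list(dimensions),
            "sum_measure": {"aggregate_function": func_name,
                            "value": float(AGGREGATE[func_name](vals))},
            "total_events": len(vals),
        }
        for key, vals in groups.items()
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "USER_LOGIN"}, "principal": {"user": {"userid": "alice"}},
     "security_result": [{"action": ["ALLOW"]}]},
    {"metadata": {"event_type": "USER_LOGIN"}, "principal": {"user": {"userid": "alice"}},
     "security_result": [{"action": ["BLOCK"]}]},
    {"metadata": {"event_type": "USER_LOGIN"}, "principal": {"user": {"userid": "bob"}},
     "security_result": [{"action": ["BLOCK"]}]},
    {"metadata": {"event_type": "NETWORK_DNS"}, "principal": {"user": {"userid": "alice"}},
     "network": {"dns": {"response_code": 0}}},
    {"metadata": {"event_type": "NETWORK_DNS"}, "principal": {"user": {"userid": "bob"}},
     "network": {"dns": {"response_code": 3}}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"user": {"userid": "alice"}, "ip": ["10.1.2.34"]},
     "network": {"received_bytes": 1200, "sent_bytes": 300}},
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"user": {"userid": "bob"}, "ip": ["10.1.2.35"]},
     "network": {"received_bytes": 800}},
]

if __name__ == "__main__":
    print(compute_metric(SAMPLE_EVENTS, "AUTH_ATTEMPTS_FAIL", ("PRINCIPAL_USER",)))
    print(compute_metric(SAMPLE_EVENTS, "NETWORK_BYTES_TOTAL", ("PRINCIPAL_IP",)))
```

Note that an event only contributes to a group when its selector returns a value, so a user with no failed logins has no AUTH_ATTEMPTS_FAIL record at all rather than a zero; consumers comparing windows should treat a missing group as zero.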

Relation.Directionality

Describes the relationship model as directed or undirected.

Enum Value Enum Number Description
BIDIRECTIONAL 1 Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a).
DIRECTIONALITY_UNSPECIFIED 0 Default value.
UNIDIRECTIONAL 2 Modeled in a single direction. Primary entity (a) to related entity (b).

Relation.EntityLabel

Entity label of the relation.

Enum Value Enum Number Description
ENTITY_LABEL_UNSPECIFIED 0 Default value.
INTERMEDIARY 7 The Noun represents an intermediary type object.
NETWORK 5 The Noun represents a network type object.
OBSERVER 3 The Noun represents an observer type object.
PRINCIPAL 1 The Noun represents a principal type object.
SECURITY_RESULT 6 The Noun represents a SecurityResult object.
SRC 4 The Noun represents src type object.
TARGET 2 The Noun represents a target type object.

Relation.Relationship

Type of relationship between the primary entity (a) and related entity (b).

Enum Value Enum Number Description
ADMINISTERS 2 Related entity is administered by the primary entity (for example: user administers a group).
CONTACTS 6 Primary entity contacts the related entity.
DOWNLOADED_FROM 5 Primary entity may have been downloaded from the related entity.
EXECUTES 4 Primary entity may have executed the related entity.
MEMBER 3 Primary entity is a member of the related entity (for example: user is a member of a group).
OWNS 1 Related entity is owned by the primary entity (for example: user owns device asset).
RELATIONSHIP_UNSPECIFIED 0 Default value
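
The Entity description at the top of this section (a PROCESS_LAUNCH by a recently terminated employee who administers a finance server) and the Relation, Relation.Directionality and Relation.Relationship definitions above describe how such context is attached to an event. The example below, added here and not code from the documentation, performs that join: it indexes Entity records by type and identifying field, expands relations so that a BIDIRECTIONAL relation is reachable from either entity while a UNIDIRECTIONAL one is reachable only from the primary entity (a), and reports for the event's principal user whether the user was terminated shortly before the event and which assets the user administers. The entities and event are constructed; user.termination_date and a data_classification label in the asset's Attribute are assumed conventions for how a source would encode those facts, and a relation with no direction is treated as UNIDIRECTIONAL (also an assumption).

```python
"""Join a UDM event to Entity records to recover context the event itself
does not carry, expanding relations per Relation.Directionality.

Added example, not part of the documentation. Entities and the event are
constructed; user.termination_date and the data_classification label on the
asset Attribute are assumed conventions for how a source encodes these facts.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable


def parse_ts(value: str) -> datetime:
    """RFC 3339 'Z' timestamps as used in UDM JSON exports."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def entity_key(entity_type: str, noun: dict) -> tuple[str, str | None]:
    """Identity of a Noun for joining, keyed on EntityMetadata.EntityType."""
    if entity_type == "USER":
        return ("USER", noun.get("user", {}).get("userid"))
    if entity_type == "ASSET":
        return ("ASSET", noun.get("asset", {}).get("hostname") or noun.get("hostname"))
    if entity_type == "GROUP":
        return ("GROUP", noun.get("group", {}).get("group_display_name"))
    return (entity_type, noun.get("hostname"))


def build_adjacency(entities: Iterable[dict]) -> dict[tuple, list[tuple[str, tuple]]]:
    """key(a) -> [(relationship, key(b))]. An unset direction is treated as
    UNIDIRECTIONAL (assumption; the enum default is DIRECTIONALITY_UNSPECIFIED)."""
    adj: dict[tuple, list[tuple[str, tuple]]] = defaultdict(list)
    for ent in entities:
        a = entity_key(ent["metadata"]["entity_type"], ent["entity"])
        for rel in ent.get("relations", []):
            b = entity_key(rel["entity_type"], rel["entity"])
            adj[a].append((rel["relationship"], b))
            if rel.get("direction") == "BIDIRECTIONAL":
                adj[b].append((rel["relationship"], a))
    return adj


def context_for_event(event: dict, entities: list[dict], recent_days: int = 30) -> dict:
    """Context for the event's principal user: termination within recent_days
    before the event, and the assets the user administers."""
    by_key = {entity_key(e["metadata"]["entity_type"], e["entity"]): e for e in entities}
    adj = build_adjacency(entities)
    user_key = ("USER", event["principal"]["user"]["userid"])
    event_time = parse_ts(event["metadata"]["event_timestamp"])

    recently_terminated = False
    user_entity = by_key.get(user_key)
    if user_entity is not None:
        term = user_entity["entity"].get("user", {}).get("termination_date")
        if term:
            term_time = parse_ts(term)
            recently_terminated = term_time <= event_time <= term_time + timedelta(days=recent_days)

    # ADMINISTERS is modelled on the user entity, so only a -> b edges apply.
    administered = [b for rel, b in adj.get(user_key, [])
                    if rel == "ADMINISTERS" and b[0] == "ASSET"]
    sensitive = []
    for key in administered:
        asset = by_key.get(key, {}).get("entity", {}).get("asset", {})
        labels = {lbl["key"]: lbl["value"]
                  for lbl in asset.get("attribute", {}).get("labels", [])}
        if labels.get("data_classification") in ("finance", "restricted"):
            sensitive.append(key[1])
    return {
        "recently_terminated": recently_terminated,
        "administered_assets": [k[1] for k in administered],
        "sensitive_administered_assets": sensitive,
    }


# Constructed sample entities and event (not real data).
SAMPLE_ENTITIES = [
    {"metadata": {"entity_type": "USER", "product_name": "ExampleHR"},
     "entity": {"user": {"userid": "abc", "termination_date": "2024-05-01T00:00:00Z"}},
     "relations": [
         {"entity_type": "ASSET", "relationship": "ADMINISTERS", "direction": "UNIDIRECTIONAL",
          "entity": {"asset": {"hostname": "fin-db-01"}}},
         {"entity_type": "GROUP", "relationship": "MEMBER", "direction": "UNIDIRECTIONAL",
          "entity": {"group": {"group_display_name": "Finance-Admins"}}},
     ]},
    {"metadata": {"entity_type": "USER", "product_name": "ExampleHR"},
     "entity": {"user": {"userid": "xyz"}},
     "relations": [
         {"entity_type": "USER", "relationship": "CONTACTS", "direction": "BIDIRECTIONAL",
          "entity": {"user": {"userid": "abc"}}},
     ]},
    {"metadata": {"entity_type": "ASSET", "product_name": "ExampleCMDB"},
     "entity": {"asset": {"hostname": "fin-db-01", "asset_id": "cmdb:4471",
                          "attribute": {"labels": [{"key": "data_classification",
                                                    "value": "finance"}]}}}},
]
SAMPLE_EVENT = {
    "metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": "2024-05-10T12:00:00Z"},
    "principal": {"hostname": "ws-0123", "user": {"userid": "abc"},
                  "process": {"file": {"full_path": "C:\\Temp\\shady.exe"}}},
}

if __name__ == "__main__":
    print(context_for_event(SAMPLE_EVENT, SAMPLE_ENTITIES))
```

The join key is the identifying field for each entity type, so a source that populates entity.asset.hostname inconsistently with the event's principal.hostname (different case, FQDN versus short name) will silently produce no context; normalize those before indexing in a real deployment.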

UDM Event data model

A UDM event.

Field Name Type Label Description
about Noun repeated Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event.
additional google.protobuf.Struct Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model.
extensions Extensions All other first-class, event-specific metadata goes in this message. Don't place protocol metadata in Extensions; put it in Network.
intermediary Noun repeated Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C).
metadata Metadata Event metadata such as timestamp, source product, etc.
network Network All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
observer Noun Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question.
principal Noun Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys, or values.
security_result SecurityResult repeated A list of security results.
src Noun Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event.
target Noun Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target.
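
The intermediary description above gives the rule of thumb that principal, target and the initial action should look the same whether a connection succeeded or was blocked by a firewall in the path. The example below, added here and not code from the documentation and not a CBN parser, normalizes two constructed firewall log lines into UDM events that follow that rule: identical principal and target addresses, the firewall in intermediary, and the verdict in security_result with the about field left empty because the result applies to the whole event. The log format and the vendor, product and log_type names are invented.

```python
"""Normalize constructed firewall log lines into UDM events, applying the
principal/target/intermediary rule of thumb: allowed and blocked connections
from A to B get the same principal and target, with the firewall as
intermediary and the verdict in security_result.

Added example, not part of the documentation and not a CBN parser; the log
format, vendor, product and log_type names are invented.
"""
import re

LINE_RE = re.compile(
    r"(?P<ts>\S+) fw=(?P<fw>\S+) action=(?P<action>allow|deny) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"bytes_out=(?P<out>\d+) bytes_in=(?P<in>\d+)$"
)
ACTION_MAP = {"allow": "ALLOW", "deny": "BLOCK"}  # SecurityResult.Action values
PROTO_MAP = {"tcp": "TCP", "udp": "UDP"}          # Network.IpProtocol values


def normalize(line: str) -> dict:
    """One log line -> one UDM event dict. Raises ValueError on a line the
    pattern does not match, so malformed input is never half-normalized."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised line: {line!r}")
    f = m.groupdict()
    return {
        "metadata": {
            "event_timestamp": f["ts"],
            "event_type": "NETWORK_CONNECTION",
            "product_event_type": f"connection_{f['action']}",
            "vendor_name": "ExampleVendor",
            "product_name": "ExampleFW",
            "log_type": "EXAMPLE_FW",
        },
        # principal and target describe the connection itself, independent of verdict
        "principal": {"ip": [f["src"]], "port": int(f["sport"])},
        "target": {"ip": [f["dst"]], "port": int(f["dport"])},
        # the device that made the allow/deny decision is an intermediary
        "intermediary": [{"hostname": f["fw"]}],
        "network": {
            "ip_protocol": PROTO_MAP[f["proto"]],
            "sent_bytes": int(f["out"]),
            "received_bytes": int(f["in"]),
        },
        # whole-event result: no 'about', per the SecurityResult description
        "security_result": [{
            "action": [ACTION_MAP[f["action"]]],
            "action_details": f["action"],
            "summary": f"connection {f['action']} by {f['fw']}",
        }],
    }


# Constructed sample lines (invented format, documentation IP ranges).
SAMPLE_LINES = [
    "2024-05-10T12:00:01Z fw=fw-edge-01 action=allow proto=tcp "
    "src=10.1.2.34:51234 dst=203.0.113.5:443 bytes_out=1200 bytes_in=8400",
    "2024-05-10T12:00:02Z fw=fw-edge-01 action=deny proto=tcp "
    "src=10.1.2.34:51235 dst=203.0.113.5:443 bytes_out=0 bytes_in=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
```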

Event top level types

Extensions

Extensions to a UDM event.

Field Name Type Label Description
auth Authentication An authentication extension.
vulns Vulnerabilities A vulnerability extension.

Metadata

General information associated with a UDM event.

Field Name Type Label Description
base_labels DataAccessLabels Data access labels on the base event.
collected_timestamp google.protobuf.Timestamp The GMT timestamp when the event was collected by the vendor's local collection infrastructure.
description string A human-readable unparsable description of the event.
enrichment_labels DataAccessLabels Data access labels from all the contextual events used to enrich the base event.
enrichment_state Metadata.EnrichmentState The enrichment state.
event_timestamp google.protobuf.Timestamp The GMT timestamp when the event was generated.
event_type Metadata.EventType The event type. If an event has multiple possible types, this specifies the most specific type.
id bytes ID of the UDM event. Can be used for raw and normalized event retrieval.
ingested_timestamp google.protobuf.Timestamp The GMT timestamp when the event was ingested (received) by Google Security Operations.
ingestion_labels Label repeated User-configured ingestion metadata labels.
log_type string The string value of log type.
product_deployment_id string The deployment identifier assigned by the vendor for a product deployment.
product_event_type string A short, descriptive, human-readable, product-specific event name or type (for example: "Scanned X", "User account created", "process_start").
product_log_id string A vendor-specific event identifier to uniquely identify the event (for example: a GUID).
product_name string The name of the product.
product_version string The version of the product.
tags Tags Tags added by Google Security Operations after an event is parsed. It is an error to populate this field from within a parser.
url_back_to_product string A URL that takes the user to the source product console for this event.
vendor_name string The name of the product vendor.

Network

A network event.

Field Name Type Label Description
application_protocol Network.ApplicationProtocol The application protocol.
application_protocol_version string The version of the application protocol (for example, "1.1" or "2.0").
asn string Autonomous system number.
carrier_name string Carrier identification.
community_id string Community ID network flow value.
dhcp Dhcp DHCP info.
direction Network.Direction The direction of network traffic.
dns Dns DNS info.
dns_domain string DNS domain name.
email Email Email info for the sender/recipient.
ftp Ftp FTP info.
http Http HTTP info.
ip_protocol Network.IpProtocol The IP protocol.
ip_subnet_range string Associated human-readable IP subnet range (e.g. 10.1.2.0/24).
organization_name string Organization name (e.g. Google).
parent_session_id string The ID of the parent network session.
received_bytes uint64 The number of bytes received.
received_packets int64 The number of packets received.
sent_bytes uint64 The number of bytes sent.
sent_packets int64 The number of packets sent.
session_duration google.protobuf.Duration The duration of the session as a number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer.
session_id string The ID of the network session.
smtp Smtp SMTP info. Store fields specific to SMTP not covered by Email.
tls Tls TLS info.

Noun

The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

Field Name Type Label Description
administrative_domain string Domain which the device belongs to (for example, the Microsoft Windows domain).
application string The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Google".
artifact Artifact Information about an artifact.
asset Asset Information about the asset.
asset_id string The asset ID.
cloud Cloud Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).
domain Domain Information about the domain.
email string Email address. Only filled in for security_result.about.
file File Information about the file.
group Group Information about the group.
hostname string Client hostname or domain name field. Hostname also doubles as the domain for remote entities.
investigation Investigation Analyst feedback/investigation for alerts.
ip string repeated A list of IP addresses associated with a network connection.
ip_geo_artifact Artifact repeated Enriched geographic information corresponding to an IP address. Specifically, location and network data.
ip_location Location repeated Deprecated: use ip_geo_artifact.location instead.
labels Label repeated Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).
location Location Physical location. For cloud environments, set the region in location.name.
mac string repeated List of MAC addresses associated with a device.
namespace string Namespace to which the device belongs, such as an AD forest. Uses for this field include a Microsoft Windows AD forest, the name of a subsidiary, or the name of an acquisition.
nat_ip string repeated A list of NAT translated IP addresses associated with a network connection.
nat_port int32 NAT external network port number when a specific network connection is described within an event.
network Network Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
object_reference Id Reference to the finding on which the analyst updated the feedback.
platform Noun.Platform Platform.
platform_patch_level string Platform patch level. For example, "Build 17134.48"
platform_version string Platform version. For example, "Microsoft Windows 1803".
port int32 Source or destination network port number when a specific network connection is described within an event.
process Process Information about the process.
process_ancestors Process repeated Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
registry Registry Registry information.
resource Resource Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun.
resource_ancestors Resource repeated Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).
security_result SecurityResult repeated A list of security results.
url string The URL.
url_metadata URL Information about the URL.
user User Information about the user.
user_management_chain User repeated Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.

SecurityResult

Security-related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_result message MUST contain details about the implicated object (such as process, user, IP, domain, URL, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

Field Name Type Label Description
about Noun If the security result is about a specific entity (Noun), add it here.
action SecurityResult.Action repeated Actions taken for this event.
action_details string The detail of the action taken as provided by the vendor.
alert_state SecurityResult.AlertState The alerting types of this security result.
analytics_metadata AnalyticsMetadata repeated Stores metadata about each risk analytic metric the rule uses.
associations SecurityResult.Association repeated Associations related to the threat.
attack_details AttackDetails MITRE ATT&CK details.
campaigns string repeated Campaigns using this IOC threat.
category SecurityResult.SecurityCategory repeated The security category.
category_details string repeated For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn".
confidence SecurityResult.ProductConfidence The confidence level of the result as estimated by the product.
confidence_details string Additional detail with regards to the confidence of a security event as estimated by the product vendor.
confidence_score float The confidence score of the security result.
description string A human readable description (e.g. "user password was wrong")
detection_fields Label repeated An ordered list of values that represent fields in detections for a security finding. The list maps the names of the requested entities to their values (i.e. the variables the security result matched).
first_discovered_time google.protobuf.Timestamp First time the IoC threat was discovered in the provider.
last_discovered_time google.protobuf.Timestamp Last time the IoC was seen in the provider data.
last_updated_time google.protobuf.Timestamp Last time the IoC threat was updated in the provider.
outcomes Label repeated A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to their values.
priority SecurityResult.ProductPriority The priority of the result.
priority_details string Vendor-specific information about the security result priority.
risk_score float The risk score of the security result.
rule_author string Author of the security rule.
rule_id string A vendor-specific ID and name for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").
rule_labels Label repeated A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John").
rule_name string Name of the security rule (e.g. "BlockInboundToOracle").
rule_set string The result's rule set identifier. (e.g. "windows-threats")
rule_set_display_name string The curated detections rule set display name.
rule_type string The type of security rule.
rule_version string Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed.
ruleset_category_display_name string The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats").
severity SecurityResult.ProductSeverity The severity of the result.
severity_details string Vendor-specific severity.
summary string A human readable summary (e.g. "failed login occurred")
threat_feed_name string Vendor feed name for a threat indicator feed.
threat_id string Vendor-specific ID for a threat.
threat_id_namespace Id.Namespace The attribute threat_id_namespace qualifies threat_id with an ID namespace to produce a unique ID. The attribute threat_id by itself is not unique across Google SecOps because it is a vendor-specific ID.
threat_name string A vendor-assigned classification common across multiple customers (e.g. "W32/File-A", "Slammer").
threat_status SecurityResult.ThreatStatus Current status of the threat
threat_verdict ThreatVerdict GCTI threat verdict on the security result entity.
url_back_to_product string URL that takes the user to the source product console for this event.
verdict SecurityResult.Verdict Verdict about the IoC from the provider. This field is deprecated; use verdict_info instead.
verdict_info SecurityResult.VerdictInfo repeated Verdict information about the IoC from the provider.
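
Several constraints in this document are stated in prose but easy to violate in a parser: principal must carry at least one machine or user detail and must not carry email, files or registry data (Event.principal); Noun.email is only filled in for security_result.about (Noun.email); a security_result.about that is present must name the implicated object (SecurityResult); metadata.tags must not be populated from within a parser (Metadata.tags); and asset.asset_id must contain ':' (Asset.asset_id). The linter below, added here and not code from the documentation, checks a normalized event against those five constraints and returns the violations. The two events are constructed, and the 'tags' content in the bad event is a placeholder.

```python
"""Lint a parser's UDM output against constraints stated in this document.

Added example, not part of the documentation; the two events are constructed
and the metadata.tags content in BAD_EVENT is a placeholder.
"""
from __future__ import annotations

from typing import Iterator

# Event.principal: at least one of these must be set.
MACHINE_OR_USER = ("hostname", "mac", "ip", "port", "asset_id", "user")
# Event.principal: none of these may be set.
PRINCIPAL_FORBIDDEN = ("email", "file", "registry")
# SecurityResult: an 'about' that is present must name one of these.
IMPLICATED_OBJECT = ("process", "user", "ip", "domain", "url", "email")


def _present(noun: dict, key: str) -> bool:
    value = noun.get(key)
    return value is not None and value not in ([], "", {})


def iter_nouns(event: dict) -> Iterator[tuple[str, dict]]:
    """Every Noun slot of the event, with a path label for reporting."""
    for slot in ("principal", "src", "target", "observer"):
        if slot in event:
            yield slot, event[slot]
    for slot in ("intermediary", "about"):
        for i, noun in enumerate(event.get(slot, [])):
            yield f"{slot}[{i}]", noun
    for i, result in enumerate(event.get("security_result", [])):
        if "about" in result:
            yield f"security_result[{i}].about", result["about"]


def lint_event(event: dict) -> list[str]:
    """Return a list of violations; an empty list means the event passes."""
    problems: list[str] = []
    principal = event.get("principal")
    if principal is None:
        problems.append("principal: missing")
    else:
        if not any(_present(principal, k) for k in MACHINE_OR_USER):
            problems.append("principal: needs at least one machine detail or a user")
        for key in PRINCIPAL_FORBIDDEN:
            if key in principal:
                problems.append(f"principal.{key}: not allowed on principal")
    if event.get("metadata", {}).get("tags"):
        problems.append("metadata.tags: populated by Google SecOps after parsing, not by a parser")
    for i, result in enumerate(event.get("security_result", [])):
        about = result.get("about")
        if about is not None and not any(_present(about, k) for k in IMPLICATED_OBJECT):
            problems.append(f"security_result[{i}].about: set but names no implicated object")
    for path, noun in iter_nouns(event):
        if "email" in noun and not path.endswith(".about"):
            problems.append(f"{path}.email: Noun.email is only filled in for security_result.about")
        asset_id = noun.get("asset", {}).get("asset_id")
        if asset_id is not None and ":" not in asset_id:
            problems.append(f"{path}.asset.asset_id: must contain ':' (e.g. cs:abcdd23434)")
    return problems


# Constructed sample events (not real telemetry).
GOOD_EVENT = {
    "metadata": {"event_type": "NETWORK_CONNECTION", "product_name": "ExampleFW"},
    "principal": {"hostname": "ws-0123", "ip": ["10.1.2.34"]},
    "target": {"asset": {"asset_id": "cmdb:0123", "hostname": "srv-01"}},
    "security_result": [
        {"action": ["BLOCK"], "summary": "connection blocked"},
        {"action": ["ALLOW"], "about": {"user": {"userid": "abc"}}, "summary": "user flagged"},
    ],
}
BAD_EVENT = {
    "metadata": {"event_type": "EMAIL_TRANSACTION", "tags": {"placeholder": "set-by-parser"}},
    "principal": {"email": "sender@example.com", "file": {"full_path": "/tmp/a.zip"}},
    "target": {"asset": {"asset_id": "abcdd23434"}},
    "security_result": [{"action": ["QUARANTINE"], "about": {"application": "mail"}}],
}

if __name__ == "__main__":
    for name, ev in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(name, lint_event(ev) or "ok")
```

Running a check like this over a parser's test corpus catches schema-shape mistakes that the ingestion API accepts but that break downstream rules, for instance an email sender placed on principal.email instead of principal.user.email_addresses or network.email.from.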

Event subtypes

AnalyticsMetadata

Stores information about an analytics metric used in a rule.

Field Name Type Label Description
analytic string Name of the analytic.

Artifact

Information about an artifact. The artifact can only be an IP.

Field Name Type Label Description
as_owner string Owner of the Autonomous System to which the IP address belongs.
asn int64 Autonomous System Number to which the IP address belongs.
first_seen_time google.protobuf.Timestamp First seen timestamp of the IP in the customer's environment.
ip string IP address of the artifact.
jarm string The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a).
last_https_certificate SSLCertificate SSL certificate information about the IP address.
last_https_certificate_date google.protobuf.Timestamp Most recent date for the certificate in VirusTotal.
last_seen_time google.protobuf.Timestamp Last seen timestamp of the IP address in the customer's environment.
location Location Location of the Artifact's IP address.
network Network Network information related to the Artifact's IP address.
prevalence Prevalence The prevalence of the artifact within the customer's environment.
regional_internet_registry string RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC).
tags string repeated Identification attributes.
whois string WHOIS information as returned from the pertinent WHOIS server.
whois_date google.protobuf.Timestamp Date of the last update of the WHOIS record in VirusTotal.

Asset

Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.

Field Name Type Label Description
asset_id string The asset ID. Value must contain the ':' character. For example, cs:abcdd23434.
attribute Attribute Generic entity metadata attributes of the asset.
category string The category of the asset (e.g. "End User Asset", "Workstation", "Server").
creation_time google.protobuf.Timestamp Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.
deployment_status Asset.DeploymentStatus The deployment status of the asset for device lifecycle purposes.
first_discover_time google.protobuf.Timestamp Time the asset was first discovered (by asset management/discoverability software).
first_seen_time google.protobuf.Timestamp The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.
hardware Hardware repeated The asset hardware specifications.
hostname string Asset hostname or domain name field.
ip string repeated A list of IP addresses associated with an asset.
labels Label repeated Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.
last_boot_time google.protobuf.Timestamp Time the asset was last booted.
last_discover_time google.protobuf.Timestamp Time the asset was last discovered (by asset management/discoverability software).
location Location Location of the asset.
mac string repeated List of MAC addresses associated with an asset.
nat_ip string repeated List of NAT IP addresses associated with an asset.
network_domain string The network domain of the asset (e.g. "corp.acme.com").
platform_software PlatformSoftware The asset operating system platform software.
product_object_id string A vendor-specific identifier to uniquely identify the entity (a GUID or similar).
software Software repeated The asset software details.
system_last_update_time google.protobuf.Timestamp Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time.
type Asset.AssetType The type of the asset (e.g. workstation, laptop, or server).
vulnerabilities Vulnerability repeated Vulnerabilities discovered on asset.

AttackDetails

MITRE ATT&CK details.

Field Name Type Label Description
tactics AttackDetails.Tactic repeated Tactics employed.
techniques AttackDetails.Technique repeated Techniques employed.
version string ATT&CK version (e.g. 12.1).

AttackDetails.Tactic

Tactic information related to an attack or threat.

Field Name Type Label Description
id string Tactic ID (e.g. "TA0043").
name string Tactic Name (e.g. "Reconnaissance").

AttackDetails.Technique

Technique information related to an attack or threat.

Field Name Type Label Description
id string Technique ID (e.g. "T1595").
name string Technique Name (e.g. "Active Scanning").
subtechnique_id string Subtechnique ID (e.g. "T1595.001").
subtechnique_name string Subtechnique Name (e.g. "Scanning IP Blocks").

Attribute

Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account).

Field Name Type Label Description
cloud Cloud Cloud metadata attributes such as project ID, account ID, or organizational hierarchy.
creation_time google.protobuf.Timestamp Time the resource or entity was created or provisioned.
labels Label repeated Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings.
last_update_time google.protobuf.Timestamp Time the resource or entity was last updated.
permissions Permission repeated System permissions for IAM entity (human principal, service account, group).
roles Role repeated System IAM roles to be assumed by resources to use the role's permissions for access control.

Authentication

The Authentication extension captures details specific to authentication events. General guidelines for authentication events:

  • Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login.

  • Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target.

  • Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Google Security Operations) using their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution.

Field Name Type Label Description
auth_details string The vendor defined details of the authentication.
mechanism Authentication.Mechanism repeated The authentication mechanism.
type Authentication.AuthType The type of authentication.

Certificate

Certificate information

Field Name Type Label Description
issuer string Issuer of the certificate.
md5 string The MD5 hash of the certificate, as a hex-encoded string.
not_after google.protobuf.Timestamp Indicates when the certificate is no longer valid.
not_before google.protobuf.Timestamp Indicates when the certificate is first valid.
serial string Certificate serial number.
sha1 string The SHA1 hash of the certificate, as a hex-encoded string.
sha256 string The SHA256 hash of the certificate, as a hex-encoded string.
subject string Subject of the certificate.
version string Certificate version.

Cloud

Metadata related to the cloud environment.

Field Name Type Label Description
availability_zone string The cloud environment availability zone (different from region which is location.name).
environment Cloud.CloudEnvironment The Cloud environment.
project Resource The cloud environment project information. Deprecated: use Resource.resource_ancestors.
vpc Resource The cloud environment VPC. Deprecated.

DNSRecord

DNS record.

Field Name Type Label Description
expire int64 Expire.
minimum int64 Minimum.
priority int64 Priority.
refresh int64 Refresh.
retry int64 Retry.
rname string Rname.
serial int64 Serial.
ttl int64 Time to live.
type string Type.
value string Value.

Dhcp

DHCP information.

Field Name Type Label Description
chaddr string Client hardware address (chaddr).
ciaddr string Client IP address (ciaddr).
client_hostname string Client hostname. See RFC2132, section 3.14.
client_identifier bytes Client identifier. See RFC2132, section 9.14.
file string Boot image filename.
flags uint32 Flags.
giaddr string Relay agent IP address (giaddr).
hlen uint32 Hardware address length.
hops uint32 Hop count (hops).
htype uint32 Hardware address type.
lease_time_seconds uint32 Lease time in seconds. See RFC2132, section 9.2.
opcode Dhcp.OpCode The BOOTP op code.
options Dhcp.Option repeated List of DHCP options.
requested_address string Requested IP address. See RFC2132, section 9.1.
seconds uint32 Seconds elapsed since client began address acquisition/renewal process.
siaddr string IP address of the next bootstrap server.
sname string Server name that the client wishes to boot from.
transaction_id uint32 Transaction ID.
type Dhcp.MessageType DHCP message type.
yiaddr string Your IP address (yiaddr).

Dhcp.Option

DHCP options.

Field Name Type Label Description
code uint32 Code. See RFC1533.
data bytes Data.

Dns

DNS information.

Field Name Type Label Description
additional Dns.ResourceRecord repeated A list of additional domain name servers that can be used to verify the answer to the domain.
answers Dns.ResourceRecord repeated A list of answers to the domain name query.
authoritative bool Other DNS header flags. See RFC1035, section 4.1.1.
authority Dns.ResourceRecord repeated A list of domain name servers which verified the answers to the domain name queries.
id uint32 DNS query id.
opcode uint32 The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS).
questions Dns.Question repeated A list of domain protocol message questions.
recursion_available bool Whether a recursive DNS lookup is available.
recursion_desired bool Whether a recursive DNS lookup is desired.
response bool Set to true if the event is a DNS response. See QR field from RFC1035.
response_code uint32 Response code. See RCODE from RFC1035.
truncated bool Whether the DNS response was truncated.

Dns.Question

DNS Questions. See RFC1035, section 4.1.2.

Field Name Type Label Description
class uint32 The code specifying the class of the query.
name string The domain name.
prevalence Prevalence The prevalence of the domain within the customer's environment.
type uint32 The code specifying the type of the query.

Dns.ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

Field Name Type Label Description
binary_data bytes The raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
class uint32 The code specifying the class of the resource record.
data string The payload or response to the DNS question for all responses encoded in UTF-8 format.
name string The name of the owner of the resource record.
ttl uint32 The time interval for which the resource record can be cached before the source of the information should again be queried.
type uint32 The code specifying the type of the resource record.

Domain

Information about a domain.

Field Name Type Label Description
admin User Parsed contact information for the administrative contact for the domain.
audit_update_time google.protobuf.Timestamp Audit updated time.
billing User Parsed contact information for the billing contact of the domain.
categories string repeated Categories assigned to the domain as retrieved from VirusTotal.
contact_email string Contact email address.
creation_time google.protobuf.Timestamp Domain creation time.
expiration_time google.protobuf.Timestamp Expiration time.
favicon Favicon Includes difference hash and MD5 hash of the domain's favicon.
first_seen_time google.protobuf.Timestamp First seen timestamp of the domain in the customer's environment.
iana_registrar_id int32 IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml.
jarm string Domain's JARM hash.
last_dns_records DNSRecord repeated Domain's DNS records from the last scan.
last_dns_records_time google.protobuf.Timestamp Date when the DNS records list was retrieved by VirusTotal.
last_https_certificate SSLCertificate SSL certificate object retrieved last time the domain was analyzed.
last_https_certificate_time google.protobuf.Timestamp When the certificate was retrieved by VirusTotal.
last_seen_time google.protobuf.Timestamp Last seen timestamp of the domain in the customer's environment.
name string The domain name.
name_server string repeated Repeated list of name servers.
popularity_ranks PopularityRank repeated Domain's position in popularity ranks such as Alexa, Quantcast, or Statvoo.
prevalence Prevalence The prevalence of the domain within the customer's environment.
private_registration bool Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.
registrant User Parsed contact information for the registrant of the domain.
registrar string Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM".
registry_data_raw_text bytes Registry Data raw text.
status string Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values.
tags string repeated List of representative attributes.
tech User Parsed contact information for the technical contact for the domain.
update_time google.protobuf.Timestamp Last updated time.
whois_record_raw_text bytes WHOIS raw text.
whois_server string WHOIS server name.
whois_time google.protobuf.Timestamp Date of the last update of the WHOIS record.
zone User Parsed contact information for the zone.

Email

Email info.

Field Name Type Label Description
bcc string repeated A list of 'bcc' addresses.
bounce_address string The envelope from address. See https://en.wikipedia.org/wiki/Bounce_address.
cc string repeated A list of 'cc' addresses.
from string The 'from' address.
mail_id string The mail (or message) ID.
reply_to string The 'reply to' address.
subject string repeated The subject line(s) of the email.
to string repeated A list of 'to' addresses.

Favicon

Difference hash and MD5 hash of the domain's favicon.

Field Name Type Label Description
dhash string Difference hash.
raw_md5 string Favicon's MD5 hash.

File

Information about a file.

Field Name Type Label Description
ahash string Deprecated. Use authentihash instead.
authentihash string Authentihash of the file.
capabilities_tags string repeated Capabilities tags.
embedded_domains string repeated Embedded domains found in the file.
embedded_ips string repeated Embedded IP addresses found in the file.
embedded_urls string repeated Embedded URLs found in the file.
exif_info ExifInfo Exif metadata from different file formats extracted by exiftool.
file_metadata FileMetadata Metadata associated with the file. Deprecated: FileMetadata is deprecated in favor of the fields in File.
file_type File.FileType FileType field.
first_seen_time google.protobuf.Timestamp Timestamp the file was first seen in the customer's environment.
first_submission_time google.protobuf.Timestamp First submission time of the file.
full_path string The full path identifying the location of the file on the system.
last_analysis_time google.protobuf.Timestamp Timestamp the file was last analysed.
last_modification_time google.protobuf.Timestamp Timestamp when the file was last updated.
last_seen_time google.protobuf.Timestamp Timestamp the file was last seen in the customer's environment.
last_submission_time google.protobuf.Timestamp Last submission time of the file.
main_icon Favicon Icon's relevant hashes.
md5 string The MD5 hash of the file, as a hex-encoded string.
mime_type string The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script".
names string repeated Names fields.
pdf_info PDFInfo Information about the PDF file structure.
pe_file FileMetadataPE Metadata about the Portable Executable (PE) file.
prevalence Prevalence Prevalence of the file hash in the customer's environment.
security_result SecurityResult Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata.
sha1 string The SHA1 hash of the file, as a hex-encoded string.
sha256 string The SHA256 hash of the file, as a hex-encoded string.
signature_info SignatureInfo File signature information extracted from different tools.
size uint64 The size of the file in bytes.
ssdeep string ssdeep hash of the file.
stat_dev uint64 The file system identifier to which the object belongs.
stat_flags uint32 User defined flags for file.
stat_inode uint64 The file identifier. Unique identifier of object within a file system.
stat_mode uint64 The mode of the file. A bit string indicating the permissions and privileges of the file.
stat_nlink uint64 Number of links to file.
tags string repeated Tags for the file.
vhash string Vhash of the file.

FileMetadataCodesign

File metadata from the codesign utility.

Field Name Type Label Description
compilation_time google.protobuf.Timestamp Code sign timestamp
format string Code sign format.
id string Code sign identifier.

FileMetadataPE

Metadata about the Portable Executable (PE) file.

Field Name Type Label Description
compilation_exiftool_time google.protobuf.Timestamp info.exiftool.TimeStamp.
compilation_time google.protobuf.Timestamp info.pe-timestamp.
entry_point int64 info.pe-entry-point.
entry_point_exiftool int64 info.exiftool.EntryPoint.
imphash string Imphash of the file.
imports FileMetadataImports repeated FileMetadataImports fields.
resource FileMetadataPeResourceInfo repeated FileMetadataPeResourceInfo fields.
resources_language_count StringToInt64MapEntry repeated Deprecated: use resources_language_count_str.
resources_language_count_str Label repeated Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10
resources_type_count StringToInt64MapEntry repeated Deprecated: use resources_type_count_str.
resources_type_count_str Label repeated Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5
section FileMetadataSection repeated FileMetadataSection fields.
signature_info FileMetadataSignatureInfo FileMetadataSignatureInfo field. Deprecated: use File.signature_info instead.

FileMetadataSignatureInfo

Signature information.

Field Name Type Label Description
signer string repeated Deprecated: use signers field.
signers SignerInfo repeated File metadata signer information. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.
verification_message string Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.
verified bool True if verification_message == "Signed".
x509 X509 repeated List of certificates.

Ftp

FTP info.

Field Name Type Label Description
command string The FTP command.

Group

Information about an organizational group.

Field Name Type Label Description
attribute Attribute Generic entity metadata attributes of the group.
creation_time google.protobuf.Timestamp Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.
email_addresses string repeated Email addresses of the group.
group_display_name string Group display name (e.g. "Finance").
product_object_id string Product globally unique user object identifier, such as an LDAP Object Identifier.
windows_sid string Microsoft Windows SID of the group.

Hardware

Hardware specification details for a resource, including both physical and virtual hardware.

Field Name Type Label Description
cpu_clock_speed uint64 Clock speed of the hardware CPU in MHz.
cpu_max_clock_speed uint64 Maximum possible clock speed of the hardware CPU in MHz.
cpu_model string Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").
cpu_number_cores uint64 Number of CPU cores.
cpu_platform string Platform of the hardware CPU (e.g. "Intel Broadwell").
manufacturer string Hardware manufacturer.
model string Hardware model.
ram uint64 Amount of the hardware random access memory (RAM) in MB.
serial_number string Hardware serial number.

Http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".

Field Name Type Label Description
method string The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").
parsed_user_agent The parsed user_agent string.
referral_url string The URL for the HTTP referer.
response_code int32 The response status code, for example 200, 302, 404, or 500.
user_agent string The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.

Investigation

Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.

Field Name Type Label Description
comments string repeated Comment added by the Analyst.
priority Priority optional Priority of the Alert or Finding set by analyst.
reason Reason optional Reason for closing the Case or Alert.
reputation Reputation optional Describes whether a finding was useful or not-useful.
risk_score uint32 optional Risk score for a finding set by an analyst.
root_cause string optional Root cause of the Alert or Finding set by analyst.
severity_score uint32 optional Severity score for a finding set by an analyst.
status Status optional Describes the workflow status of a finding.
verdict Verdict optional Describes reason a finding investigation was resolved.

Label

Key value labels.

Field Name Type Label Description
key string The key.
rbac_enabled bool Indicates whether this label can be used for Data RBAC.
value string The value.

Location

Information about a location.

Field Name Type Label Description
city string The city.
country_or_region string The country or region.
desk_name string Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
floor_name string Floor name, number or a combination of the two for a building. (e.g. "1-A").
name string Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
region_coordinates google.type.LatLng Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields.
region_latitude float Deprecated: use region_coordinates.
region_longitude float Deprecated: use region_coordinates.
state string The state.

PDFInfo

Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info

Field Name Type Label Description
acroform int64 Number of /AcroForm tags found in the PDF.
autoaction int64 Number of /AA tags found in the PDF.
embedded_file int64 Number of /EmbeddedFile tags found in the PDF.
encrypted int64 Whether the document is encrypted or not. This is defined by the /Encrypt tag.
endobj_count int64 Number of object definitions (endobj keyword).
endstream_count int64 Number of defined stream objects (stream keyword).
flash int64 Number of /RichMedia tags found in the PDF.
header string PDF version.
javascript int64 Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios.
jbig2_compression int64 Number of /JBIG2Decode tags found in the PDF.
js int64 Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios.
launch_action_count int64 Number of /Launch tags found in the PDF file.
obj_count int64 Number of objects definitions (obj keyword).
object_stream_count int64 Number of object streams.
openaction int64 Number of /OpenAction tags found in the PDF.
page_count int64 Number of pages in the PDF.
startxref int64 Number of startxref keywords in the PDF.
stream_count int64 Number of defined stream objects (stream keyword).
suspicious_colors int64 Number of colors expressed with more than 3 bytes (CVE-2009-3459).
trailer int64 Number of trailer keywords in the PDF.
xfa int64 Number of /XFA tags found in the PDF.
xref int64 Number of xref keywords in the PDF.

PeFileMetadata

Metadata about a Microsoft Windows Portable Executable.

Field Name Type Label Description
import_hash string Hash of PE imports.

Permission

System permission for resource access and modification.

Field Name Type Label Description
description string Description of the permission (e.g. 'Ability to update detect rules').
name string Name of the permission (e.g. chronicle.analyst.updateRule).
type Permission.PermissionType Type of the permission.

PlatformSoftware

Platform software information about an operating system.

Field Name Type Label Description
platform Noun.Platform The platform operating system.
platform_patch_level string The platform software patch level (e.g. "Build 17134.48", "SP1").
platform_version string The platform software version (e.g. "Microsoft Windows 1803").

PopularityRank

Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.

Field Name Type Label Description
giver string Name of the source that provides the rank.
ingestion_time google.protobuf.Timestamp Timestamp when the rank was ingested.
rank int64 Rank position.

Prevalence

The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource.

Field Name Type Label Description
day_count int32 The number of days over which rolling_max is calculated.
day_max int32 The max prevalence score in a day interval window.
day_max_sub_domains int32 The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.
rolling_max int32 The maximum number of assets per day accessing the resource over the trailing day_count days.
rolling_max_sub_domains int32 The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.

Process

Information about a process.

Field Name Type Label Description
access_mask uint64 A bit mask representing the level of access.
command_line string The command line command that created the process.
command_line_history string repeated The command line history of the process.
file File Information about the file in use by the process.
integrity_level_rid uint64 The Microsoft Windows integrity level relative ID (RID) of the process.
parent_pid string The ID of the parent process. Deprecated: use parent_process.pid instead.
parent_process Process Information about the parent process.
pid string The process ID.
product_specific_parent_process_id string A product specific id for the parent process. Use parent_process.product_specific_process_id instead.
product_specific_process_id string A product specific process id.
token_elevation_type Process.TokenElevationType The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled.

Registry

Information about a registry key or value.

Field Name Type Label Description
registry_key string Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).
registry_value_data string Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).
registry_value_name string Name of the registry value associated with an application or system component (e.g. TEMP).

Resource

Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar.

Field Name Type Label Description
attribute Attribute Generic entity metadata attributes of the resource.
id string Deprecated: Use resource.name or resource.product_object_id.
name string The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe.
parent string The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name.
product_object_id string A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).
resource_subtype string Resource sub-type (e.g. "BigQuery", "Bigtable").
resource_type Resource.ResourceType Resource type.
type string Deprecated: use resource_type instead.

Role

System role for resource access and modification.

Field Name Type Label Description
description string System role description for user.
name string System role name for user.
type Role.Type System role type for well known roles.

SSLCertificate

SSL certificate.

Field Name Type Label Description
cert_extensions google.protobuf.Struct Certificate's extensions.
cert_signature SSLCertificate.CertSignature Certificate's signature and algorithm.
ec SSLCertificate.EC EC public key information.
extension SSLCertificate.Extension Deprecated: certificate's extension.
first_seen_time google.protobuf.Timestamp Date the certificate was first retrieved by VirusTotal.
issuer SSLCertificate.Subject Certificate's issuer data.
serial_number string Certificate's serial number hexdump.
signature_algorithm string Algorithm used for the signature (for example, "sha1RSA").
size int64 Certificate content length.
subject SSLCertificate.Subject Certificate's subject data.
thumbprint string Certificate's content SHA1 hash.
thumbprint_sha256 string Certificate's content SHA256 hash.
validity SSLCertificate.Validity Certificate's validity period.
version string Certificate version (typically "V1", "V2" or "V3").

SSLCertificate.AuthorityKeyId

Identifies the public key to be used to verify the signature on this certificate or CRL.

Field Name Type Label Description
keyid string Key hexdump.
serial_number string Serial number hexdump.

SSLCertificate.CertSignature

Certificate's signature and algorithm.

Field Name Type Label Description
signature string Signature.
signature_algorithm string Algorithm.

SSLCertificate.DSA

DSA public key information.

Field Name Type Label Description
g string g component hexdump.
p string p component hexdump.
pub string Public key hexdump.
q string q component hexdump.

SSLCertificate.EC

EC public key information.

Field Name Type Label Description
oid string Curve name.
pub string Public key hexdump.

SSLCertificate.Extension

Certificate's extensions.

Field Name Type Label Description
authority_key_id SSLCertificate.AuthorityKeyId Identifies the public key to be used to verify the signature on this certificate or CRL.
ca bool Whether the subject acts as a certificate authority (CA) or not.
ca_info_access string Authority information access locations are URLs that are added to a certificate in its authority information access extension.
cert_template_name_dc string BMP data value "DomainController". See MS Q291010.
certificate_policies string Different certificate policies will relate to different applications which may use the certified key.
crl_distribution_points string CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked.
extended_key_usage string One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field.
key_usage string The purpose for which the certified public key is used.
netscape_cert_comment string Used to include free-form text comments inside certificates.
netscape_certificate bool Identify whether the certificate subject is an SSL client, an SSL server, or a CA.
old_authority_key_id bool Whether the certificate has an old authority key identifier extension.
pe_logotype bool Whether the certificate includes a logotype.
subject_alternative_name string Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key.
subject_key_id string Identifies the public key being certified.

SSLCertificate.PublicKey

Subject public key info.

Field Name Type Label Description
algorithm string Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate.
rsa SSLCertificate.RSA RSA public key information.

SSLCertificate.RSA

RSA public key information.

Field Name Type Label Description
exponent string Key exponent hexdump.
key_size int64 Key size.
modulus string Key modulus hexdump.

SSLCertificate.Subject

Subject data.

Field Name Type Label Description
common_name string CN: CommonName.
country_name string C: Country name.
locality string L: Locality.
organization string O: Organization.
organizational_unit string OU: OrganizationalUnit.
state_or_province_name string ST: StateOrProvinceName.

SSLCertificate.Validity

Defines certificate's validity period.

Field Name Type Label Description
expiry_time google.protobuf.Timestamp Expiry date.
issue_time google.protobuf.Timestamp Issue date.

SecurityResult.AnalystVerdict

Verdict provided by the human analyst. These fields are used to model Mandiant sources.

Field Name Type Label Description
confidence_score int32 Confidence score of the verdict.
verdict_response SecurityResult.VerdictResponse Details of the verdict.
verdict_time google.protobuf.Timestamp Timestamp at which the verdict was generated.

SecurityResult.Association

An association represents metadata about the malware and threat actors involved with an IoC.

Field Name Type Label Description
alias SecurityResult.Association.AssociationAlias repeated Different aliases of the threat actor given by different sources.
associated_actors SecurityResult.Association repeated List of associated threat actors for a malware. Not applicable for threat actors.
country_code string repeated Country from which the threat actor or malware originated.
description string Human readable description about the association.
first_reference_time google.protobuf.Timestamp First time the threat actor was referenced or seen.
id string Unique association id generated by Mandiant.
industries_affected string repeated List of industries the threat actor affects.
last_reference_time google.protobuf.Timestamp Last time the threat actor was referenced or seen.
name string Name of the threat actor/malware.
region_code Location Name of the country the threat is originating from.
role string Role of the malware. Not applicable for threat actor.
source_country string Name of the country the threat originated from.
sponsor_region Location Sponsor region of the threat actor.
tags string repeated Tags.
targeted_regions Location repeated Targeted regions.
type SecurityResult.Association.AssociationType Signifies the type of association.

SecurityResult.Association.AssociationAlias

Association Alias used to represent Mandiant Threat Intelligence.

Field Name Type Label Description
company string Name of the provider who gave the association's name.
name string Name of the alias.

SecurityResult.IoCStats

Information about the threat intelligence source. These fields are used to model Mandiant sources.

Field Name Type Label Description
benign_count int32 Count of responses where the IoC was identified as benign.
first_level_source string Name of first level IoC source, for example Mandiant or a third-party.
ioc_stats_type SecurityResult.IoCStatsType Describes the source of the IoCStat.
malicious_count int32 Count of responses where the IoC was identified as malicious.
quality SecurityResult.ProductConfidence Level of confidence in the IoC mapping extracted from the source.
response_count int32 Total number of responses from the source.
second_level_source string Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph.
source_count int32 Number of sources from which information was extracted.

SecurityResult.ProviderMLVerdict

MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.

Field Name Type Label Description
benign_count int32 Count of responses where this IoC was marked benign.
confidence_score int32 Confidence score of the verdict.
malicious_count int32 Count of responses where this IoC was marked malicious.
mandiant_sources SecurityResult.Source repeated List of Mandiant sources from which the verdict was generated.
source_provider string Source provider giving the ML verdict.
third_party_sources SecurityResult.Source repeated List of third-party sources from which the verdict was generated.

SecurityResult.Source

Information about the threat intelligence source. These fields are used to model Mandiant sources.

Field Name Type Label Description
benign_count int32 Count of responses where this IoC was marked benign.
malicious_count int32 Count of responses where this IoC was marked malicious.
name string Name of the IoC source.
quality SecurityResult.ProductConfidence Quality of the IoC mapping extracted from the source.
response_count int32 Total response count from this source.
source_count int32 Number of sources from which intelligence was extracted.
threat_intelligence_sources SecurityResult.Source repeated Different threat intelligence sources from which IoC info was extracted.

SecurityResult.Verdict

Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources.

Field Name Type Label Description
analyst_verdict SecurityResult.AnalystVerdict Human analyst verdict provided by sources like Mandiant.
neighbour_influence string Describes the neighbour influence of the verdict.
response_count int32 Total response count across all sources.
source_count int32 Number of sources from which intelligence was extracted.
verdict SecurityResult.ProviderMLVerdict ML Verdict provided by sources like Mandiant.

SecurityResult.VerdictInfo

Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources.

Field Name Type Label Description
benign_count int32 Count of responses where this IoC was marked as benign.
category_details string Tags related to the verdict.
confidence_score int32 Confidence score of the verdict.
global_customer_count int32 Global customer count over the last 30 days.
global_hits_count int32 Global hit count over the last 30 days.
ioc_stats SecurityResult.IoCStats repeated List of IoCStats from which the verdict was generated.
malicious_count int32 Count of responses where this IoC was marked as malicious.
neighbour_influence string Describes the near neighbor influence of the verdict.
pwn bool Whether one or more Mandiant incident response customers had this indicator in their environment.
pwn_first_tagged_time google.protobuf.Timestamp The timestamp of the first time a pwn was associated to this entity.
response_count int32 Total response count across all sources.
source_count int32 Number of sources from which intelligence was extracted.
source_provider string Source provider giving the machine learning verdict.
verdict_response SecurityResult.VerdictResponse Details about the verdict.
verdict_time google.protobuf.Timestamp Timestamp when the verdict was generated.
verdict_type SecurityResult.VerdictType Type of verdict.

SignatureInfo

File signature information extracted from different tools.

Field Name Type Label Description
codesign FileMetadataCodesign Signature information extracted from the codesign utility.
sigcheck FileMetadataSignatureInfo Signature information extracted from the sigcheck tool.

SignerInfo

File metadata related to the signer information.

Field Name Type Label Description
cert_issuer string optional Company that issued the certificate.
name string optional Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority.
status string optional It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid.").
valid_usage string optional Indicates which situations the certificate is valid for (e.g. "Code Signing").

Smtp

SMTP info. See RFC 2821.

Field Name Type Label Description
helo string The client's 'HELO'/'EHLO' string.
is_tls bool If the connection switched to TLS.
is_webmail bool If the message was sent via a webmail client.
mail_from string The client's 'MAIL FROM' string.
message_path string The message's path (extracted from the headers).
rcpt_to string repeated The client's 'RCPT TO' string(s).
server_response string repeated The server's response(s) to the client.

Software

Information about a software package or application.

Field Name Type Label Description
description string The description of the software.
name string The name of the software.
permissions Permission repeated System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE"
vendor_name string The name of the software vendor.
version string The version of the software.

Tags

Tags are event metadata that are set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters.

Field Name Type Label Description
data_tap_config_name string repeated A list of sink name values defined in DataTap configurations.
tenant_id bytes repeated A list of subtenant ids that this event belongs to.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM) system.

Field Name Type Label Description
description string Description of the leave if available (e.g. 'Vacation').
interval google.type.Interval Interval duration of the leave.

Tls

Transport Layer Security (TLS) information.

Field Name Type Label Description
cipher string Cipher used during the connection.
client Tls.Client Certificate information for the client certificate.
curve string Elliptic curve used for a given cipher.
established bool Indicates whether the TLS negotiation was successful.
next_protocol string Protocol to be used for tunnel.
resumed bool Indicates whether the TLS connection was resumed from a previous TLS negotiation.
server Tls.Server Certificate information for the server certificate.
version string TLS version.
version_protocol string Protocol.

Tls.Client

Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).

Field Name Type Label Description
certificate Certificate Client certificate.
ja3 string JA3 hash from the TLS ClientHello, as a hex-encoded string.
server_name string Host name of the server that the client is connecting to.
supported_ciphers string repeated Ciphers supported by the client during client hello.

Tls.Server

Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).

Field Name Type Label Description
certificate Certificate Server certificate.
ja3s string JA3 hash from the TLS ServerHello, as a hex-encoded string.

Tracker

URL Tracker.

Field Name Type Label Description
id string Tracker ID, if available.
timestamp google.protobuf.Timestamp Tracker ingestion date.
tracker string Tracker name.
URL string Tracker script URL.

URL

URL.

Field Name Type Label Description
categories string repeated Categorisation done by VirusTotal partners.
favicon Favicon Difference hash and MD5 hash of the URL's.
html_meta google.protobuf.Struct Meta tags (only for URLs downloading HTML).
last_final_url string If the original URL redirects, the URL where the redirect chain ends.
last_http_response_code int32 HTTP response code of the last response.
last_http_response_content_length int64 Length in bytes of the content received.
last_http_response_content_sha256 string URL response body's SHA256 hash.
last_http_response_cookies google.protobuf.Struct Website's cookies.
last_http_response_headers google.protobuf.Struct Headers and values of the last HTTP response.
tags string repeated Tags.
title string Webpage title.
trackers Tracker repeated Trackers found in the URL in a historical manner.
URL string URL.

User

Information about a user.

Field Name Type Label Description
account_expiration_time google.protobuf.Timestamp User account expiration timestamp.
account_lockout_time google.protobuf.Timestamp User account lockout timestamp.
account_type User.AccountType Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/
attribute Attribute Generic entity metadata attributes of the user.
company_name string User job company name.
department string repeated User job department.
email_addresses string repeated Email addresses of the user.
employee_id string Human capital management identifier.
first_name string First name of the user (e.g. "John").
first_seen_time google.protobuf.Timestamp The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
group_identifiers string repeated Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
groupid string The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field.
hire_date google.protobuf.Timestamp User job employment hire date.
last_bad_password_attempt_time google.protobuf.Timestamp User last bad password attempt timestamp.
last_login_time google.protobuf.Timestamp User last login timestamp.
last_name string Last name of the user (e.g. "Locke").
last_password_change_time google.protobuf.Timestamp User last password change timestamp.
managers User repeated User job manager(s).
middle_name string Middle name of the user.
office_address Location User job office location.
password_expiration_time google.protobuf.Timestamp User password expiration timestamp.
personal_address Location Personal address of the user.
phone_numbers string repeated Phone numbers for the user.
product_object_id string A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
role_description string System role description for user. Deprecated: use attribute.roles.
role_name string System role name for user. Deprecated: use attribute.roles.
termination_date google.protobuf.Timestamp User job employment termination date.
time_off TimeOff repeated User time off leaves from active work.
title string User job title.
user_authentication_status Authentication.AuthenticationStatus System authentication status for user.
user_display_name string The display name of the user (e.g. "John Locke").
user_role User.Role System role for user. Deprecated: use attribute.roles.
userid string The ID of the user.
windows_sid string The Microsoft Windows SID of the user.

Vulnerabilities

The Vulnerabilities extension captures details on observed/detected vulnerabilities.

Field Name Type Label Description
vulnerabilities Vulnerability repeated A list of vulnerabilities.

Vulnerability

A vulnerability.

Field Name Type Label Description
about Noun If the vulnerability is about a specific noun (e.g. executable), then add it here.
cve_description string Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
cve_id string Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id
cvss_base_score float CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.
cvss_vector string Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C"). Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
cvss_version string Version of CVSS Vector/Score.
description string Description of the vulnerability.
first_found google.protobuf.Timestamp Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
last_found google.protobuf.Timestamp Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
name string Name of the vulnerability (e.g. "Unsupported OS Version detected").
scan_end_time google.protobuf.Timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.
scan_start_time google.protobuf.Timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.
severity Vulnerability.Severity The severity of the vulnerability.
severity_details string Vendor-specific severity.
vendor string Vendor of scan that discovered vulnerability.
vendor_knowledge_base_article_id string Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase
vendor_vulnerability_id string Vendor specific vulnerability id (e.g. Microsoft security bulletin id).

X509

File certificate.

Field Name Type Label Description
algorithm string Certificate algorithm.
cert_issuer string Issuer of the certificate.
name string Certificate name.
serial_number string Certificate serial number.
thumbprint string Certificate thumbprint.

Event enumerated types

Asset.AssetType

The role type of the asset.

Enum Value Enum Number Description
IOT 3 An IOT asset.
LAPTOP 2 A laptop computer.
MOBILE 9 A mobile device such as a mobile phone or PDA.
NETWORK_ATTACHED_STORAGE 4 A network attached storage device.
PRINTER 5 A printer.
ROLE_UNSPECIFIED 0 Unspecified asset role.
SCANNER 6 A scanner.
SERVER 7 A server.
TAPE_LIBRARY 8 A tape library device.
WORKSTATION 1 A workstation or desktop.

Asset.DeploymentStatus

Deployment status states.

Enum Value Enum Number Description
ACTIVE 1 Asset is active, functional and deployed.
DECOMMISSIONED 3 Asset is decommissioned.
DEPLOYMENT_STATUS_UNSPECIFIED 0 Unspecified deployment status.
PENDING_DECOMMISSION 2 Asset is pending decommission and no longer deployed.

Authentication.AuthType

Type of system the authentication event is associated with.

Enum Value Enum Number Description
AUTHTYPE_UNSPECIFIED 0 The default type.
MACHINE 1 A machine authentication.
PHYSICAL 4 A Physical authentication (e.g. "Badge reader").
SSO 2 An SSO authentication.
TACACS 5 A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+).
VPN 3 A VPN authentication.

Authentication.AuthenticationStatus

Authentication status, can be used to describe the status of authentication for a user or particular credential.

Enum Value Enum Number Description
ACTIVE 1 The authentication method is in active state.
DELETED 4 The authentication method has been deleted.
NO_ACTIVE_CREDENTIALS 3 The authentication method has no active credentials.
SUSPENDED 2 The authentication method is in suspended/disabled state.
UNKNOWN_AUTHENTICATION_STATUS 0 The default authentication status.

Authentication.Mechanism

Mechanism(s) used to authenticate.

Enum Value Enum Number Description
BADGE_READER 8 Badge reader authentication.
BATCH 10 Batch authentication.
CACHED_INTERACTIVE 16 Interactive authentication using cached credentials.
CACHED_REMOTE_INTERACTIVE 17 Cached Remote Interactive authentication using cached credentials.
CACHED_UNLOCK 18 Cached Remote Interactive authentication using cached credentials.
HARDWARE_KEY 3 Hardware key authentication.
INTERACTIVE 15 Interactive authentication.
LOCAL 4 Local authentication.
MECHANISM_OTHER 7 Some other mechanism that is not defined here.
MECHANISM_UNSPECIFIED 0 The default mechanism.
NETWORK 9 Network authentication.
NETWORK_CLEAR_TEXT 13 Network clear text authentication.
NEW_CREDENTIALS 14 Authentication with new credentials.
OTP 2 OTP authentication.
REMOTE 5 Remote authentication.
REMOTE_INTERACTIVE 6 RDP, Terminal Services, or VNC.
SERVICE 11 Service authentication.
UNLOCK 12 Direct human-interactive unlock authentication.
USERNAME_PASSWORD 1 Username + password authentication.

Cloud.CloudEnvironment

The service provider environment.

Enum Value Enum Number Description
AMAZON_WEB_SERVICES 2 Amazon Web Services.
GOOGLE_CLOUD_PLATFORM 1 Google Cloud Platform.
MICROSOFT_AZURE 3 Microsoft Azure.
UNSPECIFIED_CLOUD_ENVIRONMENT 0 Default.

Dhcp.MessageType

DHCP message type. See RFC2131, section 3.1.

Enum Value Enum Number Description
ACK 5 DHCPACK.
DECLINE 4 DHCPDECLINE.
DISCOVER 1 DHCPDISCOVER.
INFORM 8 DHCPINFORM.
NAK 6 DHCPNAK.
OFFER 2 DHCPOFFER.
RELEASE 7 DHCPRELEASE.
REQUEST 3 DHCPREQUEST.
UNKNOWN_MESSAGE_TYPE 0 Default message type.
WIN_DELETED 100 Microsoft Windows DHCP "lease deleted".
WIN_EXPIRED 101 Microsoft Windows DHCP "lease expired".

Dhcp.OpCode

BOOTP op code. See RFC951, section 3.

Enum Value Enum Number Description
BOOTREPLY 2 Reply.
BOOTREQUEST 1 Request.
UNKNOWN_OPCODE 0 Default opcode.

File.FileType

The file type, for example Microsoft Windows executable.

Enum Value Enum Number Description
FILE_TYPE_ACE 310 File type is ACE.
FILE_TYPE_ANDROID 503 File type is ANDROID.
FILE_TYPE_APPLE 1000 File type is APPLE.
FILE_TYPE_APPLE_PLIST 1005 File type is APPLE_PLIST.
FILE_TYPE_APPLEDOUBLE 1003 File type is APPLEDOUBLE.
FILE_TYPE_APPLESCRIPT 1007 File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED 1008 File type is APPLESCRIPT_COMPILED.
FILE_TYPE_APPLESINGLE 1002 File type is APPLESINGLE.
FILE_TYPE_ARC 311 File type is ARC.
FILE_TYPE_ARJ 312 File type is ARJ.
FILE_TYPE_ASD 313 File type is ASD.
FILE_TYPE_ASF 160 File type is ASF.
FILE_TYPE_AVI 157 File type is AVI.
FILE_TYPE_AWK 411 File type is AWK.
FILE_TYPE_BLACKHOLE 314 File type is BLACKHOLE.
FILE_TYPE_BMP 104 File type is BMP.
FILE_TYPE_BZIP 302 File type is BZIP.
FILE_TYPE_C 406 File type is C.
FILE_TYPE_CAB 306 File type is CAB.
FILE_TYPE_CAP 700 File type is CAP.
FILE_TYPE_CHM 265 File type is CHM.
FILE_TYPE_CLJ 422 File type is CLJ.
FILE_TYPE_COFF 30 File type is COFF.
FILE_TYPE_COOKIE 604 File type is COOKIE.
FILE_TYPE_CPP 407 File type is CPP.
FILE_TYPE_CRT 1302 File type is CRT.
FILE_TYPE_CRX 1100 File type is CRX.
FILE_TYPE_CSV 610 File type is CSV.
FILE_TYPE_DEB 38 File type is DEB.
FILE_TYPE_DIB 110 File type is DIB.
FILE_TYPE_DIVX 161 File type is DIVX.
FILE_TYPE_DMG 37 File type is DMG.
FILE_TYPE_DOC 202 File type is DOC.
FILE_TYPE_DOCX 203 File type is DOCX.
FILE_TYPE_DOS_COM 21 File type is DOS_COM.
FILE_TYPE_DOS_EXE 20 File type is DOS_EXE.
FILE_TYPE_DWG 118 File type is DWG.
FILE_TYPE_DXF 119 File type is DXF.
FILE_TYPE_DYALOG 412 File type is DYALOG.
FILE_TYPE_DZIP 304 File type is DZIP.
FILE_TYPE_EBOOK 260 File type is EBOOK.
FILE_TYPE_ELF 31 File type is ELF.
FILE_TYPE_EMAIL_TYPE 606 File type is EMAIL_TYPE.
FILE_TYPE_EMF 116 File type is EMF.
FILE_TYPE_EOT 263 File type is EOT.
FILE_TYPE_EPS 114 File type is EPS.
FILE_TYPE_FLA 603 File type is FLA.
FILE_TYPE_FLAC 154 File type is FLAC.
FILE_TYPE_FLC 151 File type is FLC.
FILE_TYPE_FLI 152 File type is FLI.
FILE_TYPE_FLV 162 File type is FLV.
FILE_TYPE_FORTRAN 413 File type is FORTRAN.
FILE_TYPE_FPX 113 File type is FPX.
FILE_TYPE_GIF 102 File type is GIF.
FILE_TYPE_GIMP 105 File type is GIMP.
FILE_TYPE_GOLANG 429 File type is GOLANG.
FILE_TYPE_GUL 254 File type is GUL.
FILE_TYPE_GZIP 301 File type is GZIP.
FILE_TYPE_HTML 600 File type is HTML.
FILE_TYPE_HWP 253 File type is HWP.
FILE_TYPE_ICO 112 File type is ICO.
FILE_TYPE_IN_DESIGN 106 File type is Adobe InDesign.
FILE_TYPE_INI 421 File type is INI.
FILE_TYPE_IPHONE 504 File type is IPHONE.
FILE_TYPE_IPS 1201 File type is IPS.
FILE_TYPE_ISOIMAGE 800 File type is ISOIMAGE.
FILE_TYPE_JAR 307 File type is JAR.
FILE_TYPE_JAVA 408 File type is JAVA.
FILE_TYPE_JAVA_BYTECODE 36 File type is JAVA_BYTECODE.
FILE_TYPE_JAVASCRIPT 414 File type is JAVASCRIPT.
FILE_TYPE_JMOD 419 File type is JMOD.
FILE_TYPE_JNG 111 File type is JNG.
FILE_TYPE_JPEG 100 File type is JPEG.
FILE_TYPE_JSON 609 File type is JSON.
FILE_TYPE_KGB 315 File type is KGB.
FILE_TYPE_LATEX 261 File type is LATEX.
FILE_TYPE_LINUX 34 File type is LINUX.
FILE_TYPE_LINUX_KERNEL 32 File type is LINUX_KERNEL.
FILE_TYPE_LNK 50 File type is LNK.
FILE_TYPE_LZFSE 319 File type is LZFSE.
FILE_TYPE_M4 417 File type is M4.
FILE_TYPE_MACH_O 35 File type is MACH_O.
FILE_TYPE_MACINTOSH 1001 File type is MACINTOSH.
FILE_TYPE_MACINTOSH_HFS 1004 File type is MACINTOSH_HFS.
FILE_TYPE_MACINTOSH_LIB 1006 File type is MACINTOSH_LIB.
FILE_TYPE_MAKEFILE 420 File type is MAKEFILE.
FILE_TYPE_MIDI 156 File type is MIDI.
FILE_TYPE_MKV 170 File type is MKV.
FILE_TYPE_MOV 166 File type is MOV.
FILE_TYPE_MP3 153 File type is MP3.
FILE_TYPE_MP4 167 File type is MP4.
FILE_TYPE_MPEG 158 File type is MPEG.
FILE_TYPE_MSCOMPRESS 309 File type is MSCOMPRESS.
FILE_TYPE_MSI 3 File type is MSI.
FILE_TYPE_NE_DLL 11 File type is NE_DLL.
FILE_TYPE_NE_EXE 10 File type is NE_EXE.
FILE_TYPE_NEKO 427 File type is NEKO.
FILE_TYPE_OBJETIVEC 418 File type is OBJETIVEC.
FILE_TYPE_ODF 255 File type is ODF.
FILE_TYPE_ODG 256 File type is ODG.
FILE_TYPE_ODP 250 File type is ODP.
FILE_TYPE_ODS 251 File type is ODS.
FILE_TYPE_ODT 252 File type is ODT.
FILE_TYPE_OGG 150 File type is OGG.
FILE_TYPE_ONE_NOTE 257 File type is ONE_NOTE.
FILE_TYPE_OOXML 258 File type is OOXML.
FILE_TYPE_OUTLOOK 607 File type is OUTLOOK.
FILE_TYPE_PALMOS 501 File type is PALMOS.
FILE_TYPE_PASCAL 410 File type is PASCAL.
FILE_TYPE_PDB 425 File type is PDB.
FILE_TYPE_PDF 200 File type is PDF.
FILE_TYPE_PE_DLL 2 Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_PE_EXE 1 File type is PE_EXE.
FILE_TYPE_PEM 1300 File type is PEM.
FILE_TYPE_PERL 404 File type is PERL.
FILE_TYPE_PGP 1301 File type is PGP.
FILE_TYPE_PHP 402 File type is PHP.
FILE_TYPE_PKG 39 File type is PKG.
FILE_TYPE_PNG 103 File type is PNG.
FILE_TYPE_POWERSHELL 415 File type is POWERSHELL.
FILE_TYPE_PPSX 209 File type is PPSX.
FILE_TYPE_PPT 204 File type is PPT.
FILE_TYPE_PPTX 205 File type is PPTX.
FILE_TYPE_PS 201 File type is PS.
FILE_TYPE_PSD 107 File type is PSD. Adobe Photoshop.
FILE_TYPE_PYC 40 File type is PYC.
FILE_TYPE_PYTHON 403 File type is PYTHON.
FILE_TYPE_PYTHON_PKG 321 File type is PYTHON_PKG.
FILE_TYPE_PYTHON_WHL 320 File type is PYTHON_WHL.
FILE_TYPE_QUICKTIME 159 File type is QUICKTIME.
FILE_TYPE_RAR 308 File type is RAR.
FILE_TYPE_RM 165 File type is RM. RealMedia type.
FILE_TYPE_ROM 1200 File type is ROM.
FILE_TYPE_RPM 33 File type is RPM.
FILE_TYPE_RTF 208 File type is RTF.
FILE_TYPE_RUBY 405 File type is RUBY.
FILE_TYPE_RZIP 303 File type is RZIP.
FILE_TYPE_SCRIPT 401 File type is SCRIPT.
FILE_TYPE_SEVENZIP 305 File type is SEVENZIP.
FILE_TYPE_SGML 608 File type is SGML.
FILE_TYPE_SHELLSCRIPT 409 File type is SHELLSCRIPT.
FILE_TYPE_SQL 426 File type is SQL.
FILE_TYPE_SQUASHFS 801 File type is SQUASHFS.
FILE_TYPE_SVG 115 File type is SVG.
FILE_TYPE_SWF 602 File type is SWF.
FILE_TYPE_SYMBIAN 500 File type is SYMBIAN.
FILE_TYPE_T3GP 168 File type is T3GP.
FILE_TYPE_TAR 317 File type is TAR.
FILE_TYPE_TARGA 108 File type is TARGA.
FILE_TYPE_TEXT 400 File type is TEXT.
FILE_TYPE_THREEDS 120 File type is 3DS.
FILE_TYPE_TIFF 101 File type is TIFF.
FILE_TYPE_TORRENT 605 File type is TORRENT.
FILE_TYPE_TTF 262 File type is TTF.
FILE_TYPE_UNSPECIFIED 0 File type is UNSPECIFIED.
FILE_TYPE_VBA 416 File type is VBA.
FILE_TYPE_VHD 802 File type is VHD.
FILE_TYPE_WAV 155 File type is WAV.
FILE_TYPE_WEBM 169 File type is WEBM.
FILE_TYPE_WEBP 117 File type is WEBP.
FILE_TYPE_WER 428 File type is WER.
FILE_TYPE_WINCE 502 File type is WINCE.
FILE_TYPE_WMA 163 File type is WMA.
FILE_TYPE_WMV 164 File type is WMV.
FILE_TYPE_WOFF 264 File type is WOFF.
FILE_TYPE_XLS 206 File type is XLS.
FILE_TYPE_XLSX 207 File type is XLSX.
FILE_TYPE_XML 601 File type is XML.
FILE_TYPE_XPI 1101 File type is XPI.
FILE_TYPE_XWD 109 File type is XWD.
FILE_TYPE_ZIP 300 File type is ZIP.
FILE_TYPE_ZLIB 316 File type is ZLIB.
FILE_TYPE_ZST 318 File type is ZST.

Metadata.EnrichmentState

An enrichment state.

Enum Value Enum Number Description
ENRICHED 1 The event has been enriched by Google Security Operations.
ENRICHMENT_STATE_UNSPECIFIED 0 Unspecified.
UNENRICHED 2 The event has not been enriched by Google Security Operations.

Metadata.EventType

An event type. Choose the event type based not on the product that generated the event but on the one that logged the event itself. So, for example, an antivirus (AV) scanning email on a client would generate an SMTP_PROXY event, not an AV event. A DLP device scanning a web upload would generate an HTTP_PROXY event and not a DLP or process activity event. Note: In the case of an HTTP_PROXY event, you might also include process details if this occurred on an endpoint. That would be optional, but there are a certain set of required fields and banned fields due to its status as an HTTP_PROXY event.

Enum Value Enum Number Description
ANALYST_ADD_COMMENT 24008 Analyst addition of a comment for a finding.
ANALYST_UPDATE_PRIORITY 24009 Analyst update about the priority (such as low, medium, or high) for a finding.
ANALYST_UPDATE_REASON 24011 Analyst update about the reason (such as malicious or not malicious) for a finding.
ANALYST_UPDATE_REPUTATION 24001 Analyst update about the Reputation (such as useful or not useful) of a finding.
ANALYST_UPDATE_RISK_SCORE 24012 Analyst update about the risk score (0-100) of a finding.
ANALYST_UPDATE_ROOT_CAUSE 24010 Analyst update about the root cause for a finding.
ANALYST_UPDATE_SEVERITY_SCORE 24002 Analyst update about the Severity score (0-100) of a finding.
ANALYST_UPDATE_STATUS 24007 Analyst update about the finding status.
ANALYST_UPDATE_VERDICT 24000 Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding.
DEVICE_CONFIG_UPDATE 25001 Configuration update.
DEVICE_FIRMWARE_UPDATE 25000 Firmware update.
DEVICE_PROGRAM_DOWNLOAD 25003 A program or application downloaded to a device.
DEVICE_PROGRAM_UPLOAD 25002 A program or application uploaded to a device.
EMAIL_TRANSACTION 19001 An email transaction.
EMAIL_UNCATEGORIZED 19000 Email messages.
EMAIL_URL_CLICK 19002 Deprecated: use NETWORK_HTTP instead. An email URL click event.
EVENTTYPE_UNSPECIFIED 0 Default event type.
FILE_COPY 14005 File copied. Used for file copies, for example, to a thumb drive.
FILE_CREATION 14001 File created.
FILE_DELETION 14002 File deleted.
FILE_MODIFICATION 14003 File modified.
FILE_MOVE 14007 File moved or renamed.
FILE_OPEN 14006 File opened.
FILE_READ 14004 File read.
FILE_SYNC 14008 File synced (for example, Google Drive, Dropbox, backup).
FILE_UNCATEGORIZED 14000 File event which does not match any of the other event types.
GENERIC_EVENT 100000 Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs.
GROUP_CREATION 23001 A group creation.
GROUP_DELETION 23002 A group deletion.
GROUP_MODIFICATION 23003 A group modification.
GROUP_UNCATEGORIZED 23000 A group activity that does not fall into one of the other event types.
MUTEX_CREATION 13001 Mutex creation.
MUTEX_UNCATEGORIZED 13000 Any mutex event other than creation.
NETWORK_CONNECTION 16002 Network connection details like from a FW.
NETWORK_DHCP 16004 DHCP payload.
NETWORK_DNS 16005 DNS payload.
NETWORK_FLOW 16001 Aggregated flow stats like netflow.
NETWORK_FTP 16003 FTP telemetry.
NETWORK_HTTP 16006 HTTP telemetry.
NETWORK_SMTP 16007 SMTP telemetry.
NETWORK_UNCATEGORIZED 16000 A network event that does not fit into one of the other event types.
PROCESS_INJECTION 10002 Process injecting into another process.
PROCESS_LAUNCH 10001 Process launch.
PROCESS_MODULE_LOAD 10006 Process loading a module.
PROCESS_OPEN 10005 Process being opened.
PROCESS_PRIVILEGE_ESCALATION 10003 Process privilege escalation.
PROCESS_TERMINATION 10004 Process termination.
PROCESS_UNCATEGORIZED 10000 Activity related to a process which does not match any other event types.
REGISTRY_CREATION 11001 Registry creation.
REGISTRY_DELETION 11003 Registry deletion.
REGISTRY_MODIFICATION 11002 Registry modification.
REGISTRY_UNCATEGORIZED 11000 Registry event which does not match any of the other event types.
RESOURCE_CREATION 1 The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION.
RESOURCE_DELETION 2 The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION.
RESOURCE_PERMISSIONS_CHANGE 3 The resource had its permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
RESOURCE_READ 4 The resource was read. This is equivalent to USER_RESOURCE_ACCESS.
RESOURCE_WRITTEN 5 The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
SCAN_FILE 18001 A file scan.
SCAN_HOST 18004 Scan results from scanning an entire host device for threats/sensitive documents.
SCAN_NETWORK 18007 Scan network for suspicious activity.
SCAN_PROCESS 18003 Scan process.
SCAN_PROCESS_BEHAVIORS 18002 Scan process behaviors. Please use SCAN_PROCESS instead.
SCAN_UNCATEGORIZED 18000 Scan item that does not fit into one of the other event types.
SCAN_VULN_HOST 18005 Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan).
SCAN_VULN_NETWORK 18006 Vulnerability scan logs about network vulnerabilities.
SCHEDULED_TASK_CREATION 20001 Scheduled task creation.
SCHEDULED_TASK_DELETION 20002 Scheduled task deletion.
SCHEDULED_TASK_DISABLE 20004 Scheduled task being disabled.
SCHEDULED_TASK_ENABLE 20003 Scheduled task being enabled.
SCHEDULED_TASK_MODIFICATION 20005 Scheduled task being modified.
SCHEDULED_TASK_UNCATEGORIZED 20000 Scheduled task event that does not fall into one of the other event types.
SERVICE_CREATION 22001 A service creation.
SERVICE_DELETION 22002 A service deletion.
SERVICE_MODIFICATION 22005 A service modification.
SERVICE_START 22003 A service start.
SERVICE_STOP 22004 A service stop.
SERVICE_UNSPECIFIED 22000 Service event that does not fit into one of the other event types.
SETTING_CREATION 12001 Setting creation.
SETTING_DELETION 12003 Setting deletion.
SETTING_MODIFICATION 12002 Setting modification.
SETTING_UNCATEGORIZED 12000 Settings-related event which does not match any of the other event types.
STATUS_HEARTBEAT 17001 Heartbeat indicating product is alive.
STATUS_SHUTDOWN 17003 An agent shutdown.
STATUS_STARTUP 17002 An agent startup.
STATUS_UNCATEGORIZED 17000 A status message that does not fit into one of the other event types.
STATUS_UPDATE 17004 A software or fingerprint update.
SYSTEM_AUDIT_LOG_UNCATEGORIZED 21000 A system audit log event that is not a wipe.
SYSTEM_AUDIT_LOG_WIPE 21001 A system audit log wipe.
USER_BADGE_IN 15007 User physically badging into a location.
USER_CHANGE_PASSWORD 15004 User password change event.
USER_CHANGE_PERMISSIONS 15005 Change in user permissions.
USER_COMMUNICATION 15012 User initiating communication through a medium (for example, video).
USER_CREATION 15003 User creation.
USER_DELETION 15008 User deletion.
USER_LOGIN 15001 User login.
USER_LOGOUT 15002 User logout.
USER_RESOURCE_ACCESS 15013 User accessing a virtual resource. This is equivalent to RESOURCE_READ.
USER_RESOURCE_CREATION 15009 User creating a virtual resource. This is equivalent to RESOURCE_CREATION.
USER_RESOURCE_DELETION 15014 User deleting a virtual resource. This is equivalent to RESOURCE_DELETION.
USER_RESOURCE_UPDATE_CONTENT 15010 User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN.
USER_RESOURCE_UPDATE_PERMISSIONS 15011 User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
USER_STATS 15006 Deprecated. Used to update user info for an LDAP dump.
USER_UNCATEGORIZED 15000 User activity which does not match any of the other event types.

Network.ApplicationProtocol

A network application protocol.

Enum Value Enum Number Description
AFP 1 Apple Filing Protocol.
AMQP 3 Advanced Message Queuing Protocol.
APPC 2 Advanced Program-to-Program Communication.
ATOM 4 Publishing Protocol.
BEEP 5 Block Extensible Exchange Protocol.
BIT_TORRENT 7 Peer-to-peer file sharing.
BITCOIN 6 Crypto currency protocol.
CFDP 8 Coherent File Distribution Protocol.
CIP 67 Common Industrial Protocol.
COAP 9 Constrained Application Protocol.
COTP 68 Connection Oriented Transport Protocol.
DCERPC 66 DCE/RPC.
DDS 10 Data Distribution Service.
DEVICE_NET 11 Automation industry protocol.
DHCP 4000 DHCP.
DICOM 69 Digital Imaging and Communications in Medicine Protocol.
DNP3 70 Distributed Network Protocol 3 (DNP3).
DNS 3000 DNS.
E_DONKEY 12 Classic file sharing protocol.
ENRP 13 Endpoint Handlespace Redundancy Protocol.
FAST_TRACK 14 Filesharing peer-to-peer protocol.
FINGER 15 User Information Protocol.
FREENET 16 Censorship resistant peer-to-peer network.
FTAM 17 File Transfer Access and Management.
GOOSE 71 GOOSE Protocol.
GOPHER 18 Gopher protocol.
GRPC 77 gRPC Remote Procedure Call.
H323 20 Packet-based multimedia communications system.
HL7 19 Health Level Seven.
HTTP 2000 HTTP.
HTTPS 2001 HTTPS.
IEC104 72 IEC 60870-5-104 (IEC 104) Protocol.
IRCP 21 Internet Relay Chat Protocol.
KADEMLIA 22 Peer-to-peer hashtables.
KRB5 65 Kerberos 5.
LDAP 23 Lightweight Directory Access Protocol.
LPD 24 Line Printer Daemon Protocol.
MIME 25 Multipurpose Internet Mail Extensions and Secure MIME.
MMS 73 Multimedia Messaging Service.
MODBUS 26 Serial communications protocol.
MQTT 27 Message Queuing Telemetry Transport.
NETCONF 28 Network Configuration.
NFS 29 Network File System.
NIS 30 Network Information Service.
NNTP 31 Network News Transfer Protocol.
NTCIP 32 National Transportation Communications for Intelligent Transportation System.
NTP 33 Network Time Protocol.
OSCAR 34 AOL Instant Messenger Protocol.
PNRP 35 Peer Name Resolution Protocol.
PTP 74 Precision Time Protocol.
QUIC 1000 QUIC.
RDP 36 Remote Desktop Protocol.
RELP 37 Reliable Event Logging Protocol.
RIP 38 Routing Information Protocol.
RLOGIN 39 Remote Login in UNIX Systems.
RPC 40 Remote Procedure Call.
RTMP 41 Real Time Messaging Protocol.
RTP 42 Real-time Transport Protocol.
RTPS 43 Real Time Publish Subscribe.
RTSP 44 Real Time Streaming Protocol.
SAP 45 Session Announcement Protocol.
SDP 46 Session Description Protocol.
SIP 47 Session Initiation Protocol.
SLP 48 Service Location Protocol.
SMB 49 Server Message Block.
SMTP 50 Simple Mail Transfer Protocol.
SNMP 75 Simple Network Management Protocol.
SNTP 51 Simple Network Time Protocol.
SSH 52 Secure Shell.
SSMS 53 Secure SMS Messaging Protocol.
STYX 54 Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
SV 76 Sampled Values Protocol.
TCAP 55 Transaction Capabilities Application Part.
TDS 56 Tabular Data Stream.
TOR 57 Anonymity network.
TSP 58 Time Stamp Protocol.
UNKNOWN_APPLICATION_PROTOCOL 0 The default application protocol.
VTP 59 Virtual Terminal Protocol.
WEB_DAV 61 Web Distributed Authoring and Versioning.
WHOIS 60 Remote Directory Access Protocol.
X400 62 Message Handling Service Protocol.
X500 63 Directory Access Protocol (DAP).
XMPP 64 Extensible Messaging and Presence Protocol.

Network.Direction

A network traffic direction.

Enum Value Enum Number Description
BROADCAST 3 A broadcast.
INBOUND 1 An inbound request.
OUTBOUND 2 An outbound request.
UNKNOWN_DIRECTION 0 The default direction.

Network.IpProtocol

An IP protocol.

Enum Value Enum Number Description
EIGRP 88 Enhanced Interior Gateway Routing Protocol.
ESP 50 Encapsulating Security Payload.
ETHERIP 97 Ethernet-within-IP Encapsulation.
GRE 47 Generic Routing Encapsulation.
ICMP 1 ICMP.
ICMP6 58 ICMPv6.
IGMP 2 IGMP.
IP6IN4 41 IPv6 Encapsulation.
PIM 103 Protocol Independent Multicast.
SCTP 132 Stream Control Transmission Protocol.
TCP 6 TCP.
UDP 17 UDP.
UNKNOWN_IP_PROTOCOL 0 The default protocol.
VRRP 112 Virtual Router Redundancy Protocol.

Noun.Platform

Operating system platform.

Enum Value Enum Number Description
ANDROID 8 Android.
AWS 5 Deprecated: see cloud.environment.
AZURE 6 Deprecated: see cloud.environment.
CHROME_OS 9 Chrome OS.
Google Cloud 4 Deprecated: see cloud.environment.
IOS 7 iOS.
LINUX 3 Linux.
MAC 2 macOS.
UNKNOWN_PLATFORM 0 Default value.
WINDOWS 1 Microsoft Windows.

Permission.PermissionType

High level categorizations of permission type.

Enum Value Enum Number Description
ADMIN_READ 2 Administrator read permission.
ADMIN_WRITE 1 Administrator write permission.
DATA_READ 4 Data resource access read permission.
DATA_WRITE 3 Data resource access write permission.
UNKNOWN_PERMISSION_TYPE 0 Default permission type.

Priority

Priority that is assigned to a Case or Alert.

Enum Value Enum Number Description
PRIORITY_CRITICAL 500 Critical priority.
PRIORITY_HIGH 400 High priority.
PRIORITY_INFO 100 Informational priority.
PRIORITY_LOW 200 Low priority.
PRIORITY_MEDIUM 300 Medium priority.
PRIORITY_UNSPECIFIED 0 Default priority level.

Process.TokenElevationType

The elevation type of the process's token. See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type

Enum Value Enum Number Description
TYPE_1 1 A full token with no privileges removed or groups disabled.
TYPE_2 2 An elevated token with no privileges removed or groups disabled. Used when running as administrator.
TYPE_3 3 A limited token with administrative privileges removed and administrative groups disabled.
UNKNOWN 0 An undetermined token type.

Reason

Reason for closing an Alert or Case in the SOAR product.

Enum Value Enum Number Description
REASON_MAINTENANCE 3 Case or Alert is under maintenance.
REASON_MALICIOUS 2 Case or Alert is malicious.
REASON_NOT_MALICIOUS 1 Case or Alert not malicious.
REASON_UNSPECIFIED 0 Default reason.

Reputation

Categorization options for the usefulness of a Finding.

Enum Value Enum Number Description
NOT_USEFUL 2 A categorization of the finding as not useful.
REPUTATION_UNSPECIFIED 0 An unspecified reputation.
USEFUL 1 A categorization of the finding as useful.

Resource.ResourceType

Enum Value Enum Number Description
ACCESS_POLICY 16 Access policy.
BACKEND_SERVICE 20 Endpoint that receives traffic from a load balancer or proxy.
CLOUD_ORGANIZATION 14 Cloud organization.
CLOUD_PROJECT 13 Cloud project.
CLUSTER 17 Cluster.
CONTAINER 22 Container.
CREDENTIAL 31 Credential (e.g., access keys, SSH keys, tokens, certificates).
DATABASE 11 Database.
DATASET 19 Dataset.
DEVICE 4 Device.
DISK 26 Disk.
FIREWALL_RULE 5 Firewall rule.
FUNCTION 23 Cloud function.
GATEWAY 33 Gateway.
IMAGE 28 Machine image.
IP_ADDRESS 25 IP address.
LOAD_BALANCER 32 Load balancer.
MAILBOX_FOLDER 6 Mailbox folder.
MUTEX 1 Mutex.
PIPE 3 Named pipe.
POD 21 Pod, which is a collection of containers. Often used in Kubernetes.
REPOSITORY 30 Repository.
RUNTIME 24 Runtime.
SERVICE_ACCOUNT 15 Service account.
SETTING 18 Settings.
SNAPSHOT 29 Snapshot.
STORAGE_BUCKET 9 Storage bucket.
STORAGE_OBJECT 10 Storage object.
SUBNET 34 Subnet.
TABLE 12 Data table.
TASK 2 Task.
UNSPECIFIED 0 Default type.
USER 35 User.
VIRTUAL_MACHINE 8 Virtual machine.
VOLUME 27 Volume.
VPC_NETWORK 7 VPC Network.

Role.Type

Well-known system roles.

Enum Value Enum Number Description
ADMINISTRATOR 1 Product administrator with elevated privileges.
SERVICE_ACCOUNT 2 System service account for automated privilege access.
TYPE_UNSPECIFIED 0 Default user role.

SecurityResult.Action

Enum representing different possible actions taken by the product that created the event.

Enum Value Enum Number Description
ALLOW 1 Allowed.
ALLOW_WITH_MODIFICATION 3 Allowed after content was stripped or modified (e.g., a file or email was disinfected or rewritten and still forwarded).
BLOCK 2 Blocked.
CHALLENGE 6 Challenged (e.g. the user was challenged by a Captcha, 2FA).
FAIL 5 Failed (e.g. the event was allowed but failed).
QUARANTINE 4 Put somewhere for later analysis (does NOT imply block).
UNKNOWN_ACTION 0 The default action.

SecurityResult.AlertState

The type of alerting set up for a security result.

Enum Value Enum Number Description
ALERTING 2 The security result is an alert.
NOT_ALERTING 1 The security result is not an alert.
UNSPECIFIED 0 The security result type is not known.

SecurityResult.Association.AssociationType

Represents different possible Association types. Can be threat or malware. Used to represent Mandiant threat intelligence.

Enum Value Enum Number Description
ASSOCIATION_TYPE_UNSPECIFIED 0 The default Association Type.
MALWARE 2 Association type Malware.
THREAT_ACTOR 1 Association type Threat actor.

SecurityResult.IoCStatsType

Type of IoCStat based on source.

Enum Value Enum Number Description
MANDIANT_SOURCES 1 IoCStat is from a Mandiant Source.
THIRD_PARTY_SOURCES 2 IoCStat is from a third-party source.
THREAT_INTELLIGENCE_IOC_STATS 3 IoCStat is from a threat intelligence feed.
UNSPECIFIED_IOC_STATS_TYPE 0 IoCStat source is unidentified.

SecurityResult.ProductConfidence

A level of confidence in the result.

Enum Value Enum Number Description
HIGH_CONFIDENCE 400 High confidence.
LOW_CONFIDENCE 200 Low confidence.
MEDIUM_CONFIDENCE 300 Medium confidence.
UNKNOWN_CONFIDENCE 0 The default confidence level.

SecurityResult.ProductPriority

A product priority level.

Enum Value Enum Number Description
HIGH_PRIORITY 400 High priority.
LOW_PRIORITY 200 Low priority.
MEDIUM_PRIORITY 300 Medium priority.
UNKNOWN_PRIORITY 0 Default priority level.

SecurityResult.ProductSeverity

Severity level as defined by the product.

Enum Value Enum Number Description
CRITICAL 500 Critical-severity malicious result.
ERROR 150 An error.
HIGH 400 High-severity malicious result.
INFORMATIONAL 100 Info severity.
LOW 200 Low-severity malicious result.
MEDIUM 300 Medium-severity malicious result.
NONE 101 No malicious result.
UNKNOWN_SEVERITY 0 The default severity level.

SecurityResult.SecurityCategory

SecurityCategory is used to standardize security categories across products so one event is not categorized as "malware" and another as a "virus".

Enum Value Enum Number Description
ACL_VIOLATION 30000 Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION 40000 Authentication failed (e.g. bad password or bad 2-factor authentication).
DATA_AT_REST 60100 DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION 60200 Attempt to destroy/delete data.
DATA_EXFILTRATION 60000 DLP: Sensitive data transmission, copy to thumb drive.
EXPLOIT 50000 Exploit: for all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. Covers both network-based and host-based exploits.
MAIL_PHISHING 70100 Phishing email, chat messages, etc.
MAIL_SPAM 70000 Spam email, message, etc.
MAIL_SPOOFING 70200 Spoofed source email address, etc.
NETWORK_CATEGORIZED_CONTENT 20200 Non-security related: URL has category like gambling or porn.
NETWORK_COMMAND_AND_CONTROL 20500 Known command-and-control (C&C) channel.
NETWORK_DENIAL_OF_SERVICE 20300 DoS, DDoS.
NETWORK_MALICIOUS 20000 Includes C&C or network exploit.
NETWORK_RECON 20400 Port scan detected by an IDS, probing of web app.
NETWORK_SUSPICIOUS 20100 Suspicious activity, such as potential reverse tunnel.
PHISHING 90002 Phishing pages, pops, https phishing etc.
POLICY_VIOLATION 80000 Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
SOCIAL_ENGINEERING 90001 Threats which manipulate to break normal security procedures.
SOFTWARE_MALICIOUS 10000 Malware, spyware, rootkit.
SOFTWARE_PUA 10200 Potentially Unwanted App (such as adware).
SOFTWARE_SUSPICIOUS 10100 Below the conviction threshold; probably bad.
TOR_EXIT_NODE 60300 TOR Exit Nodes.
UNKNOWN_CATEGORY 0 The default category.

SecurityResult.ThreatStatus

Vendor-specific information about the status of a threat (ITW).

Enum Value Enum Number Description
ACTIVE 1 Active threat.
CLEARED 2 Cleared threat.
FALSE_POSITIVE 3 False positive.
THREAT_STATUS_UNSPECIFIED 0 Default threat status.

SecurityResult.VerdictResponse

Represents different verdict types. Used to represent Mandiant threat intelligence.

Enum Value Enum Number Description
BENIGN 2 The verdict response classified the threat as benign.
MALICIOUS 1 The verdict response classified the threat as malicious.
VERDICT_RESPONSE_UNSPECIFIED 0 The default verdict response type.

SecurityResult.VerdictType

Category of the verdict.

Enum Value Enum Number Description
ANALYST_VERDICT 2 Verdict provided by the human analyst. These fields are used to model Mandiant sources.
PROVIDER_ML_VERDICT 1 MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.
VERDICT_TYPE_UNSPECIFIED 0 Verdict category not specified.

Status

Describes status of a Finding.

Enum Value Enum Number Description
CLOSED 3 When an analyst closes a finding.
NEW 1 New finding.
OPEN 4 Open. Used to indicate that a Case / Alert is open.
REVIEWED 2 When a finding has feedback.
STATUS_UNSPECIFIED 0 Unspecified finding status.

ThreatVerdict

GCTI threat verdict levels.

Enum Value Enum Number Description
MALICIOUS 3 Malicious threat verdict level.
SUSPICIOUS 2 Suspicious threat verdict level.
THREAT_VERDICT_UNSPECIFIED 0 Unspecified threat verdict level.
UNDETECTED 1 Undetected threat verdict level.

User.AccountType

User Account Type.

Enum Value Enum Number Description
ACCOUNT_TYPE_UNSPECIFIED 0 Default user account type.
CLOUD_ACCOUNT_TYPE 3 A SaaS service account type (such as Slack or GitHub).
DEFAULT_ACCOUNT_TYPE 5 A system built in default account.
DOMAIN_ACCOUNT_TYPE 1 A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE 2 A local machine account.
SERVICE_ACCOUNT_TYPE 4 A non-human account for data access.

User.Role

User system roles.

Enum Value Enum Number Description
ADMINISTRATOR 1 Product administrator with elevated privileges.
SERVICE_ACCOUNT 2 System service account for automated privilege access. Deprecated: not a role, instead set User.account_type.
UNKNOWN_ROLE 0 Default user role.

Verdict

Categorization options for the validity of a Finding (i.e. whether it reflects an actual security incident).

Enum Value Enum Number Description
FALSE_POSITIVE 2 A categorization of the finding as a "false positive".
TRUE_POSITIVE 1 A categorization of the finding as a "true positive".
VERDICT_UNSPECIFIED 0 An unspecified verdict.

Vulnerability.Severity

Severity of the vulnerability.

Enum Value Enum Number Description
CRITICAL 4 Critical severity.
HIGH 3 High severity.
LOW 1 Low severity.
MEDIUM 2 Medium severity.
UNKNOWN_SEVERITY 0 The default severity level.

Standard datatypes

Standard datatypes and the equivalent types in other languages.

Datatype Notes C++ Java Python Go C# PHP Ruby
bool bool boolean boolean bool bool boolean TrueClass/FalseClass
bytes May contain any arbitrary sequence of bytes. string ByteString str []byte ByteString string String (ASCII-8BIT)
double double double float float64 double float Float
fixed32 Always four bytes. More efficient than uint32 if values are often greater than 2^28. uint32 int int uint32 uint integer Bignum or Fixnum (as required)
fixed64 Always eight bytes. More efficient than uint64 if values are often greater than 2^56. uint64 long int/long uint64 ulong integer/string Bignum
float float float float float32 float float Float
int32 Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. int32 int int int32 int integer Bignum or Fixnum (as required)
int64 Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. int64 long int/long int64 long integer/string Bignum
sfixed32 Always four bytes. int32 int int int32 int integer Bignum or Fixnum (as required)
sfixed64 Always eight bytes. int64 long int/long int64 long integer/string Bignum
sint32 Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. int32 int int int32 int integer Bignum or Fixnum (as required)
sint64 Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. int64 long int/long int64 long integer/string Bignum
string A string must always contain UTF-8 encoded or 7-bit ASCII text. string String str/unicode string string string String (UTF-8)
uint32 Uses variable-length encoding. uint32 int int/long uint32 uint integer Bignum or Fixnum (as required)
uint64 Uses variable-length encoding. uint64 long int/long uint64 ulong integer/string Bignum or Fixnum (as required)
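The encoding notes in this table (int32 inefficient for negative values, sint32 more efficient through ZigZag, fixed32 cheaper than uint32 above 2^28) follow from how protocol buffers serialize scalars. The following Python is an added example, not part of the UDM documentation or of any Google library; it implements the base-128 varint and the ZigZag mapping from the protobuf wire format (the function names are my own) and reports the wire size of the same value under each 32-bit type, with a bounded decoder that rejects truncated or over-long varints rather than reading past the end of untrusted input.

```python
# Added example (not from the UDM documentation): base-128 varint as used by
# int32/int64/uint32/uint64 fields and the ZigZag mapping used by sint32/sint64,
# written from the protobuf wire-format rules so the table's efficiency notes
# can be checked directly.

UINT64_MASK = (1 << 64) - 1
UINT32_MASK = (1 << 32) - 1


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 payload bits per byte, MSB set on all but the last."""
    if value < 0:
        raise ValueError("varint payload must be non-negative")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(data: bytes) -> tuple[int, int]:
    """Return (value, bytes_consumed). Rejects truncated input and varints
    longer than the 10-byte maximum for a 64-bit value, the bound a parser
    must enforce before trusting a length prefix read from untrusted bytes."""
    result = 0
    for i, byte in enumerate(data):
        if i >= 10:
            raise ValueError("varint exceeds 10 bytes")
        result |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return result, i + 1
    raise ValueError("truncated varint")


def encode_int32(value: int) -> bytes:
    """int32 field: the value is sign-extended to 64 bits before varint
    encoding, so every negative int32 costs 10 bytes on the wire."""
    if not -(1 << 31) <= value < (1 << 31):
        raise ValueError("out of int32 range")
    return encode_varint(value & UINT64_MASK)


def decode_int32(data: bytes) -> int:
    """Decode an int32 field; readers keep the low 32 bits of the varint."""
    raw, _ = decode_varint(data)
    raw &= UINT32_MASK
    return raw - (1 << 32) if raw >= (1 << 31) else raw


def zigzag_encode(value: int, bits: int = 32) -> int:
    """ZigZag maps 0, -1, 1, -2, 2, ... to 0, 1, 2, 3, 4, ... so that
    small-magnitude negatives stay small before varint encoding."""
    return (value << 1) ^ (value >> (bits - 1))


def zigzag_decode(encoded: int) -> int:
    return (encoded >> 1) ^ -(encoded & 1)


def encode_sint32(value: int) -> bytes:
    """sint32 field: ZigZag first, then varint."""
    if not -(1 << 31) <= value < (1 << 31):
        raise ValueError("out of sint32 range")
    return encode_varint(zigzag_encode(value, 32))


def decode_sint32(data: bytes) -> int:
    raw, _ = decode_varint(data)
    return zigzag_decode(raw)


def wire_sizes(value: int) -> dict[str, int]:
    """Bytes on the wire for the same value under the table's 32-bit types
    (uint32/fixed32 only apply to non-negative values)."""
    sizes = {
        "int32": len(encode_int32(value)),
        "sint32": len(encode_sint32(value)),
        "sfixed32": 4,
    }
    if value >= 0:
        sizes["uint32"] = len(encode_varint(value))
        sizes["fixed32"] = 4
    return sizes


if __name__ == "__main__":
    for v in (1, -1, 300, -300, (1 << 28) - 1, 1 << 28):
        print(v, wire_sizes(v))
```

Running the block shows -1 costing 10 bytes as int32 but 1 byte as sint32, and 2^28 being the first value at which a uint32 varint (5 bytes) is larger than a fixed32 (4 bytes), which is exactly the threshold the table gives.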