UDM field list
This document provides a list of fields available in the Unified Data Model
(UDM) schema.
Field name and field type values can look similar. This document uses style
conventions to help you identify the differences:
- Field type values use CamelCase characters; for example, Platform and EventType.
- Field name values use lowercase characters; for example, platform and event_type. When a field name consists of more than one word, an underscore is used to separate the words.
- Standard data type values use lowercase characters.
When specifying a field, use the following format:
<prefix>.<field_name1>.<field_name2>.<...>.<field_nameN>=<value>
When writing rules for Detect Engine:
When writing configuration-based normalizer (CBN) parsers:
UDM Entity data model
Entity
An Entity provides additional context about an item in a UDM event. For
example, a PROCESS_LAUNCH event describes that user 'abc@example.corp'
launched process 'shady.exe'.
The event does not include information that user 'abc@example.com' is a
recently terminated employee who administers a server storing finance data.
Information stored in one or more Entities can add this additional context.
Field Name | Type | Label | Description |
additional | google.protobuf.Struct | | Important entity data that cannot be adequately represented within the formal sections of the Entity. |
entity | Noun | | Noun in the UDM event that this entity represents. |
metadata | EntityMetadata | | Entity metadata such as timestamp, product, etc. |
metric | Metric | | Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. |
relations | Relation | repeated | One or more relationships between the entity (a) and other entities, including the relationship type and related entity. |
risk_score | EntityRisk | optional | Stores information related to the entity's risk score. |
EntityMetadata
Information about the Entity and the product where the entity was created.
Field Name | Type | Label | Description |
collected_timestamp | google.protobuf.Timestamp | | GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. |
creation_timestamp | google.protobuf.Timestamp | | GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. |
description | string | | Human-readable description of the entity. |
entity_type | EntityMetadata.EntityType (Enumerated list) | | Entity type. If an entity has multiple possible types, this specifies the most specific type. |
event_metadata | Metadata | | Metadata field from the event. |
feed | string | | Vendor feed name for a threat indicator feed. |
interval | google.type.Interval | | Valid existence time range for the version of the entity represented by this entity data. |
product_entity_id | string | | A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). |
product_name | string | | Product name that produced the entity information. |
product_version | string | | Version of the product that produced the entity information. |
source_labels | Label | repeated | Entity source metadata labels. |
source_type | EntityMetadata.SourceType (Enumerated list) | | The source of the entity. |
threat | SecurityResult | repeated | Metadata provided by a threat intelligence feed that identified the entity as malicious. |
vendor_name | string | | Vendor name of the product that produced the entity information. |
EntityRisk
Stores information related to the risk score of an entity.
Field Name | Type | Label | Description |
DEPRECATED_risk_score | int32 | | Deprecated risk score. |
detections_count | int32 | | Number of detections that make up the risk score within the time window. |
first_detection_time | google.protobuf.Timestamp | | Timestamp of the first detection within the specified time window. This field is empty when there are no detections. |
last_detection_time | google.protobuf.Timestamp | | Timestamp of the last detection within the specified time window. This field is empty when there are no detections. |
normalized_risk_score | int32 | | Normalized risk score for the entity. This value is between 0-1000. |
raw_risk_delta | RiskDelta | optional | Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. |
risk_delta | RiskDelta | optional | Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. |
risk_score | float | | Raw risk score for the entity. |
risk_version | string | | Version of the risk score calculation algorithm. |
risk_window | google.type.Interval | | Time window used when computing the risk score for an entity, for example 24 hours or 7 days. |
risk_window_size | Int64 | | Risk window duration for the Entity. |
Metric
Stores precomputed aggregated analytic data for an entity.
Field Name | Type | Label | Description |
dimensions | Metric.Dimension (Enumerated list) | repeated | All group by clauses used to calculate the metric. |
export_window | int64 | | Export window for which the metric was exported. |
first_seen | google.protobuf.Timestamp | | Timestamp of the first time the entity was seen in the environment. |
last_seen | google.protobuf.Timestamp | | Timestamp of the last time the entity was seen in the environment. |
metric_name | Metric.MetricName (Enumerated list) | | Name of the analytic. |
sum_measure | Metric.Measure | | Sum of all precomputed measures for the given metric. |
total_events | int64 | | Total number of events used to calculate the given precomputed metric. |
Metric.Measure
Describes the precomputed measure.
Field Name | Type | Label | Description |
aggregate_function | Metric.AggregateFunction (Enumerated list) | | Function used to calculate the aggregated measure. |
value | double | | Value of the aggregated measure. |
Relation
Defines the relationship between the entity (a) and another entity (b).
Field Name | Type | Label | Description |
direction | Relation.Directionality (Enumerated list) | | Directionality of relationship between primary entity (a) and the related entity (b). |
entity | Noun | | Entity (b) that the primary entity (a) is related to. |
entity_label | Relation.EntityLabel (Enumerated list) | | Label to identify the Noun of the relation. |
entity_type | EntityMetadata.EntityType (Enumerated list) | | Type of the related entity (b) in this relationship. |
relationship | Relation.Relationship (Enumerated list) | | Type of relationship. |
uid | bytes | | UID of the relationship. |
RiskDelta
Describes the difference in risk score between two points in time.
Field Name | Type | Label | Description |
previous_range_end_time | google.protobuf.Timestamp | | End time of the previous time window. |
previous_risk_score | int32 | | Risk score from previous risk window. |
risk_score_delta | int32 | | Difference in the normalized risk score from the previous recorded value. |
risk_score_numeric_delta | int32 | | Numeric change between current and previous risk score. |
Entity enumerated types
EntityMetadata.EntityType
Describes the type of entity.
An unknown event type.
Enum Value | Enum Number | Description |
ASSET | 1 | An asset, such as workstation, laptop, phone, or virtual machine. |
DOMAIN_NAME | 5 | A domain. The request should include IOC intel threat metadata for each entity to be ingested. |
FILE | 4 | A file. The request should include IOC intel threat metadata for each entity to be ingested. |
GROUP | 10001 | Group. |
IP_ADDRESS | 3 | An external IP address. The request should include IOC intel threat metadata for each entity to be ingested. |
MUTEX | 7 | A mutex. The request should include IOC intel threat metadata for each entity to be ingested. |
RESOURCE | 2 | Resource. |
URL | 6 | A URL. |
USER | 10000 | User. |
EntityMetadata.SourceType
Describes the source of an entity.
Enum Value | Enum Number | Description |
DERIVED_CONTEXT | 2 | Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. |
ENTITY_CONTEXT | 1 | Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT). |
GLOBAL_CONTEXT | 3 | Global contextual entities such as WHOIS or Safe Browsing. |
SOURCE_TYPE_UNSPECIFIED | 0 | Default source type. |
Metric.AggregateFunction
Mathematic function used to calculate the value.
Enum Value | Enum Number | Description |
AGGREGATE_FUNCTION_UNSPECIFIED | 0 | Default value. |
AVG | 5 | Average. |
COUNT | 3 | Count. |
MAX | 2 | Maximum. |
MIN | 1 | Minimum. |
STDDEV | 6 | Standard Deviation. |
SUM | 4 | Sum. |
Metric.Dimension
Describes field used as the dimension when grouping data to calculate the
aggregate metric.
Enum Value | Enum Number | Description |
CLIENT_CERTIFICATE_HASH | 10 | Client Certificate Hash. |
DIMENSION_UNSPECIFIED | 0 | Default. |
DNS_DOMAIN | 12 | DNS Domain. |
DNS_QUERY_TYPE | 11 | DNS Query Type. |
EMAIL_FROM_ADDRESS | 22 | Email From Address. |
EMAIL_TO_ADDRESS | 21 | Email To Address. |
EVENT_TYPE | 14 | Event Type. |
HTTP_USER_AGENT | 13 | HTTP User Agent. |
MAIL_ID | 23 | Mail Id. |
NETWORK_ASN | 9 | Network ASN. |
PARENT_FOLDER_PATH | 17 | Parent Folder Path. |
PRINCIPAL_APPLICATION | 19 | Principal Application. |
PRINCIPAL_COUNTRY | 7 | Principal Country. |
PRINCIPAL_DEVICE | 1 | Principal Device. |
PRINCIPAL_FILE_HASH | 6 | Principal File Hash. |
PRINCIPAL_IP | 24 | Principal IP. |
PRINCIPAL_NETWORK_ORGANIZATION_NAME | 30 | Principal Network Organization name. |
PRINCIPAL_PROCESS_FILE_HASH | 32 | Principal Process File SHA256 Hash. |
PRINCIPAL_PROCESS_FILE_PATH | 31 | Principal Process File Path. |
PRINCIPAL_USER | 4 | Principal User. |
PRODUCT_EVENT_TYPE | 16 | Product Event Type. |
PRODUCT_NAME | 15 | Product Name. |
SECURITY_ACTION | 25 | Security Action. |
SECURITY_CATEGORY | 8 | Security Category. |
SECURITY_RESULT_RULE_NAME | 33 | Security Result rule name. |
SECURITY_RULE_ID | 28 | Security Rule Id. |
TARGET_APPLICATION | 20 | Target Application. |
TARGET_DEVICE | 3 | Target Device. |
TARGET_IP | 5 | Target IP. |
TARGET_NETWORK_ORGANIZATION_NAME | 29 | Target Network Organization name. |
TARGET_RESOURCE_NAME | 18 | Target resource Name. |
TARGET_USER | 2 | Target User. |
Metric.MetricName
The name of the precomputed analytic.
Enum Value | Enum Number | Description |
ALERT_EVENT_NAME_COUNT | 26 | Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. |
AUTH_ATTEMPTS_FAIL | 5 | Failed authentication attempts. |
AUTH_ATTEMPTS_SUCCESS | 4 | Successful authentication attempts. |
AUTH_ATTEMPTS_TOTAL | 6 | Total authentication attempts. |
DNS_BYTES_OUTBOUND | 7 | Total number of sent bytes for DNS events. |
DNS_QUERIES_FAIL | 12 | Number of events with response_code != 0. |
DNS_QUERIES_SUCCESS | 11 | DNS query success count - Number of events with response_code = 0. |
DNS_QUERIES_TOTAL | 13 | Total number of DNS queries made. |
FILE_EXECUTIONS_FAIL | 15 | Number of failed file executions. |
FILE_EXECUTIONS_SUCCESS | 14 | Number of successful file executions. |
FILE_EXECUTIONS_TOTAL | 16 | Total number of file executions. |
HTTP_QUERIES_FAIL | 18 | Number of failed HTTP queries. |
HTTP_QUERIES_SUCCESS | 17 | Number of successful HTTP queries. |
HTTP_QUERIES_TOTAL | 19 | Total number of HTTP queries. |
METRIC_NAME_UNSPECIFIED | 0 | Default. |
NETWORK_BYTES_INBOUND | 1 | Total received network bytes. |
NETWORK_BYTES_OUTBOUND | 2 | Total network sent bytes. |
NETWORK_BYTES_TOTAL | 3 | Total network sent bytes and received bytes. |
NETWORK_FLOWS_INBOUND | 8 | Total number of events having non-null received bytes. |
NETWORK_FLOWS_OUTBOUND | 9 | Total number of events having non-null sent bytes. |
NETWORK_FLOWS_TOTAL | 10 | Total events having non-null sent or received bytes. |
WORKSPACE_AUTH_ATTEMPTS_TOTAL | 23 | Total number of authentication attempts in Google Workspace. |
WORKSPACE_EMAILS_SENT_TOTAL | 20 | Total number of emails sent in Google Workspace. |
WORKSPACE_NETWORK_BYTES_OUTBOUND | 24 | Number of outbound network bytes (total sent) in Google Workspace. |
WORKSPACE_NETWORK_BYTES_TOTAL | 25 | Total number of network bytes (both sent and received) in Google Workspace. |
WORKSPACE_TOTAL_CHANGE_ACTIONS | 22 | Total number of change actions in Google Workspace. |
WORKSPACE_TOTAL_DOWNLOAD_ACTIONS | 21 | Total number of download actions in Google Workspace. |
Relation.Directionality
Describes the relationship model as directed or undirected.
Enum Value | Enum Number | Description |
BIDIRECTIONAL | 1 | Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). |
DIRECTIONALITY_UNSPECIFIED | 0 | Default value. |
UNIDIRECTIONAL | 2 | Modeled in a single direction. Primary entity (a) to related entity (b). |
Relation.EntityLabel
Entity label of the relation.
Enum Value | Enum Number | Description |
ENTITY_LABEL_UNSPECIFIED | 0 | Default value. |
INTERMEDIARY | 7 | The Noun represents an intermediary type object. |
NETWORK | 5 | The Noun represents a network type object. |
OBSERVER | 3 | The Noun represents an observer type object. |
PRINCIPAL | 1 | The Noun represents a principal type object. |
SECURITY_RESULT | 6 | The Noun represents a SecurityResult object. |
SRC | 4 | The Noun represents a src type object. |
TARGET | 2 | The Noun represents a target type object. |
Relation.Relationship
Type of relationship between the primary entity (a) and related entity (b).
Enum Value | Enum Number | Description |
ADMINISTERS | 2 | Related entity is administered by the primary entity (for example: user administers a group). |
CONTACTS | 6 | Primary entity contacts the related entity. |
DOWNLOADED_FROM | 5 | Primary entity may have been downloaded from the related entity. |
EXECUTES | 4 | Primary entity may have executed the related entity. |
MEMBER | 3 | Primary entity is a member of the related entity (for example: user is a member of a group). |
OWNS | 1 | Related entity is owned by the primary entity (for example: user owns device asset). |
RELATIONSHIP_UNSPECIFIED | 0 | Default value. |
UDM Event data model
A UDM event.
Field Name | Type | Label | Description |
about | Noun | repeated | Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. |
additional | google.protobuf.Struct | | Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. |
extensions | Extensions | | All other first-class, event-specific metadata goes in this message. Don't place protocol metadata in Extensions; put it in Network. |
intermediary | Noun | repeated | Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). |
metadata | Metadata | | Event metadata such as timestamp, source product, etc. |
network | Network | | All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
observer | Noun | | Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. |
principal | Noun | | Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys, or values. |
security_result | SecurityResult | repeated | A list of security results. |
src | Noun | | Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. |
target | Noun | | Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. |
Event top level types
Extensions
Extensions to a UDM event.
Metadata
General information associated with a UDM event.
Field Name | Type | Label | Description |
base_labels | DataAccessLabels | | Data access labels on the base event. |
collected_timestamp | google.protobuf.Timestamp | | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. |
description | string | | A human-readable unparsable description of the event. |
enrichment_labels | DataAccessLabels | | Data access labels from all the contextual events used to enrich the base event. |
enrichment_state | Metadata.EnrichmentState | | The enrichment state. |
event_timestamp | google.protobuf.Timestamp | | The GMT timestamp when the event was generated. |
event_type | Metadata.EventType | | The event type. If an event has multiple possible types, this specifies the most specific type. |
id | bytes | | ID of the UDM event. Can be used for raw and normalized event retrieval. |
ingested_timestamp | google.protobuf.Timestamp | | The GMT timestamp when the event was ingested (received) by Google Security Operations. |
ingestion_labels | Label | repeated | User-configured ingestion metadata labels. |
log_type | string | | The string value of log type. |
product_deployment_id | string | | The deployment identifier assigned by the vendor for a product deployment. |
product_event_type | string | | A short, descriptive, human-readable, product-specific event name or type (for example: "Scanned X", "User account created", "process_start"). |
product_log_id | string | | A vendor-specific event identifier to uniquely identify the event (for example: a GUID). |
product_name | string | | The name of the product. |
product_version | string | | The version of the product. |
tags | Tags | | Tags added by Google Security Operations after an event is parsed. It is an error to populate this field from within a parser. |
url_back_to_product | string | | A URL that takes the user to the source product console for this event. |
vendor_name | string | | The name of the product vendor. |
Network
A network event.
Field Name | Type | Label | Description |
application_protocol | Network.ApplicationProtocol | | The application protocol. |
application_protocol_version | string | | The version of the application protocol, e.g. "1.1, 2.0". |
asn | string | | Autonomous system number. |
carrier_name | string | | Carrier identification. |
community_id | string | | Community ID network flow value. |
dhcp | Dhcp | | DHCP info. |
direction | Network.Direction | | The direction of network traffic. |
dns | Dns | | DNS info. |
dns_domain | string | | DNS domain name. |
email | Email | | Email info for the sender/recipient. |
ftp | Ftp | | FTP info. |
http | Http | | HTTP info. |
ip_protocol | Network.IpProtocol | | The IP protocol. |
ip_subnet_range | string | | Associated human-readable IP subnet range (e.g. 10.1.2.0/24). |
organization_name | string | | Organization name (e.g. Google). |
parent_session_id | string | | The ID of the parent network session. |
received_bytes | uint64 | | The number of bytes received. |
received_packets | int64 | | The number of packets received. |
sent_bytes | uint64 | | The number of bytes sent. |
sent_packets | int64 | | The number of packets sent. |
session_duration | Int64 | | The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. |
session_id | string | | The ID of the network session. |
smtp | Smtp | | SMTP info. Store fields specific to SMTP not covered by Email. |
tls | Tls | | TLS info. |
Noun
The Noun type is used to represent the different entities in an event:
principal, src, target, observer, intermediary, and about. It stores
attributes known about the entity. For example, if the entity is a device
with multiple IP or MAC addresses, it stores the IP and MAC addresses that
are relevant to the event.
Field Name | Type | Label | Description |
administrative_domain | string | | Domain which the device belongs to (for example, the Microsoft Windows domain). |
application | string | | The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Google". |
artifact | Artifact | | Information about an artifact. |
asset | Asset | | Information about the asset. |
asset_id | string | | The asset ID. |
cloud | Cloud | | Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). |
domain | Domain | | Information about the domain. |
email | string | | Email address. Only filled in for security_result.about. |
file | File | | Information about the file. |
group | Group | | Information about the group. |
hostname | string | | Client hostname or domain name field. Hostname also doubles as the domain for remote entities. |
investigation | Investigation | | Analyst feedback/investigation for alerts. |
ip | string | repeated | A list of IP addresses associated with a network connection. |
ip_geo_artifact | Artifact | repeated | Enriched geographic information corresponding to an IP address. Specifically, location and network data. |
ip_location | Location | repeated | Deprecated: use ip_geo_artifact.location instead. |
labels | Label | repeated | Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). |
location | Location | | Physical location. For cloud environments, set the region in location.name. |
mac | string | repeated | List of MAC addresses associated with a device. |
namespace | string | | Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. |
nat_ip | string | repeated | A list of NAT translated IP addresses associated with a network connection. |
nat_port | int32 | | NAT external network port number when a specific network connection is described within an event. |
network | Network | | Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
object_reference | Id | | Finding to which the Analyst updated the feedback. |
platform | Noun.Platform | | Platform. |
platform_patch_level | string | | Platform patch level. For example, "Build 17134.48". |
platform_version | string | | Platform version. For example, "Microsoft Windows 1803". |
port | int32 | | Source or destination network port number when a specific network connection is described within an event. |
process | Process | | Information about the process. |
process_ancestors | Process | repeated | Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. |
registry | Registry | | Registry information. |
resource | Resource | | Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. |
resource_ancestors | Resource | repeated | Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). |
security_result | SecurityResult | repeated | A list of security results. |
URL | string | | The URL. |
url_metadata | URL | | Information about the URL. |
user | User | | Information about the user. |
user_management_chain | User | repeated | Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. |
SecurityResult
Security related metadata for the event. A security result might be something
like "virus detected and quarantined," "malicious connection blocked," or
"sensitive data included in document foo.doc." Each security result, of which
there may be more than one, may either pertain to the whole event, or to a
specific object or device referenced in the event (e.g. a malicious file
that was detected, or a sensitive document sent as an email attachment). For
security results that apply to a particular object referenced in the event,
the security_results message MUST contain details about the implicated object
(such as process, user, IP, domain, URL, IP, or email address) in the about
field. For security results that apply to the entire event (e.g. SPAM found
in this email), the about field must remain empty.
Field Name | Type | Label | Description |
about | Noun | | If the security result is about a specific entity (Noun), add it here. |
action | SecurityResult.Action | repeated | Actions taken for this event. |
action_details | string | | The detail of the action taken as provided by the vendor. |
alert_state | SecurityResult.AlertState | | The alerting types of this security result. |
analytics_metadata | AnalyticsMetadata | repeated | Stores metadata about each risk analytic metric the rule uses. |
associations | SecurityResult.Association | repeated | Associations related to the threat. |
attack_details | AttackDetails | | MITRE ATT&CK details. |
campaigns | string | repeated | Campaigns using this IOC threat. |
category | SecurityResult.SecurityCategory | repeated | The security category. |
category_details | string | repeated | For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". |
confidence | SecurityResult.ProductConfidence | | The confidence level of the result as estimated by the product. |
confidence_details | string | | Additional detail with regards to the confidence of a security event as estimated by the product vendor. |
confidence_score | float | | The confidence score of the security result. |
description | string | | A human readable description (e.g. "user password was wrong"). |
detection_fields | Label | repeated | An ordered list of values that represent fields in detections for a security finding. This list represents a mapping of names of requested entities to their values (i.e. the security result matched variables). |
first_discovered_time | google.protobuf.Timestamp | | First time the IoC threat was discovered in the provider. |
last_discovered_time | google.protobuf.Timestamp | | Last time the IoC was seen in the provider data. |
last_updated_time | google.protobuf.Timestamp | | Last time the IoC threat was updated in the provider. |
outcomes | Label | repeated | A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes to their values. |
priority | SecurityResult.ProductPriority | | The priority of the result. |
priority_details | string | | Vendor-specific information about the security result priority. |
risk_score | float | | The risk score of the security result. |
rule_author | string | | Author of the security rule. |
rule_id | string | | A vendor-specific ID and name for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). |
rule_labels | Label | repeated | A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). |
rule_name | string | | Name of the security rule (e.g. "BlockInboundToOracle"). |
rule_set | string | | The result's rule set identifier (e.g. "windows-threats"). |
rule_set_display_name | string | | The curated detections rule set display name. |
rule_type | string | | The type of security rule. |
rule_version | string | | Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed. |
ruleset_category_display_name | string | | The curated detection rule set category display name (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). |
severity | SecurityResult.ProductSeverity | | The severity of the result. |
severity_details | string | | Vendor-specific severity. |
summary | string | | A human readable summary (e.g. "failed login occurred"). |
threat_feed_name | string | | Vendor feed name for a threat indicator feed. |
threat_id | string | | Vendor-specific ID for a threat. |
threat_id_namespace | Id.Namespace | | The attribute threat_id_namespace qualifies threat_id with an ID namespace to get a unique ID. The attribute threat_id by itself is not unique across Google SecOps as it is a vendor specific ID. |
threat_name | string | | A vendor-assigned classification common across multiple customers (e.g. "W32/File-A", "Slammer"). |
threat_status | SecurityResult.ThreatStatus | | Current status of the threat. |
threat_verdict | ThreatVerdict | | GCTI threat verdict on the security result entity. |
url_back_to_product | string | | URL that takes the user to the source product console for this event. |
verdict | SecurityResult.Verdict | | Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. |
verdict_info | SecurityResult.VerdictInfo | repeated | Verdict information about the IoC from the provider. |
Event subtypes
AnalyticsMetadata
Stores information about an analytics metric used in a rule.
Field Name | Type | Label | Description |
analytic | string | | Name of the analytic. |
Artifact
Information about an artifact. The artifact can only be an IP.
Field Name | Type | Label | Description |
as_owner | string | | Owner of the Autonomous System to which the IP address belongs. |
asn | int64 | | Autonomous System Number to which the IP address belongs. |
first_seen_time | google.protobuf.Timestamp | | First seen timestamp of the IP in the customer's environment. |
ip | string | | IP address of the artifact. |
jarm | string | | The JARM hash for the IP address (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). |
last_https_certificate | SSLCertificate | | SSL certificate information about the IP address. |
last_https_certificate_date | google.protobuf.Timestamp | | Most recent date for the certificate in VirusTotal. |
last_seen_time | google.protobuf.Timestamp | | Last seen timestamp of the IP address in the customer's environment. |
location | Location | | Location of the Artifact's IP address. |
network | Network | | Network information related to the Artifact's IP address. |
prevalence | Prevalence | | The prevalence of the artifact within the customer's environment. |
regional_internet_registry | string | | RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). |
tags | string | repeated | Identification attributes. |
whois | string | | WHOIS information as returned from the pertinent WHOIS server. |
whois_date | google.protobuf.Timestamp | | Date of the last update of the WHOIS record in VirusTotal. |
Asset
Information about a compute asset such as a workstation, laptop, phone,
virtual desktop, or VM.
Field Name |
Type |
Label |
Description |
asset_id |
string |
|
The asset ID. Value must contain the ':' character. For example,
cs:abcdd23434. |
attribute |
Attribute |
|
Generic entity metadata attributes of the asset. |
category |
string |
|
The category of the asset (e.g. "End User Asset", "Workstation", "Server"). |
creation_time |
google.protobuf.Timestamp |
|
Time the asset was created or provisioned.
Deprecated: creation_time should be populated in Attribute as generic
metadata. |
deployment_status |
Asset.DeploymentStatus |
|
The deployment status of the asset for device lifecycle purposes. |
first_discover_time |
google.protobuf.Timestamp |
|
Time the asset was first discovered (by asset management/discoverability
software). |
first_seen_time |
google.protobuf.Timestamp |
|
The first observed time for an asset.
The value is calculated on the basis of the
first time the identifier was observed. |
hardware |
Hardware |
repeated |
The asset hardware specifications. |
hostname |
string |
|
Asset hostname or domain name field. |
ip |
string |
repeated |
A list of IP addresses associated with an asset. |
labels |
Label |
repeated |
Metadata labels for the asset.
Deprecated: labels should be populated in Attribute as generic metadata. |
last_boot_time |
google.protobuf.Timestamp |
|
Time the asset was last booted. |
last_discover_time |
google.protobuf.Timestamp |
|
Time the asset was last discovered (by asset management/discoverability
software). |
location |
Location |
|
Location of the asset. |
mac |
string |
repeated |
List of MAC addresses associated with an asset. |
nat_ip |
string |
repeated |
List of NAT IP addresses associated with an asset. |
network_domain |
string |
|
The network domain of the asset (e.g. "corp.acme.com"). |
platform_software |
PlatformSoftware |
|
The asset operating system platform software. |
product_object_id |
string |
|
A vendor-specific identifier to uniquely identify the entity (a GUID or
similar). |
software |
Software |
repeated |
The asset software details. |
system_last_update_time |
google.protobuf.Timestamp |
|
Time the asset system or OS was last updated.
For all other operations that are not system updates (such as resizing a
VM), use Attribute.last_update_time. |
type |
Asset.AssetType |
|
The type of the asset (e.g. workstation or laptop or server). |
vulnerabilities |
Vulnerability |
repeated |
Vulnerabilities discovered on asset. |
AttackDetails
MITRE ATT&CK details.
AttackDetails.Tactic
Tactic information related to an attack or threat.
Field Name |
Type |
Label |
Description |
id |
string |
|
Tactic ID (e.g. "TA0043"). |
name |
string |
|
Tactic Name (e.g. "Reconnaissance") |
AttackDetails.Technique
Technique information related to an attack or threat.
Field Name |
Type |
Label |
Description |
id |
string |
|
Technique ID (e.g. "T1595"). |
name |
string |
|
Technique Name (e.g. "Active Scanning"). |
subtechnique_id |
string |
|
Subtechnique ID (e.g. "T1595.001"). |
subtechnique_name |
string |
|
Subtechnique Name (e.g. "Scanning IP Blocks"). |
Attribute
Attribute is a container for generic entity attributes including common
attributes across core entities (such as, user or asset). For example, Cloud
is a generic entity attribute since it can apply to an asset (for example, a
VM) or a user (for example, an identity service account).
Field Name |
Type |
Label |
Description |
cloud |
Cloud |
|
Cloud metadata attributes such as project ID, account ID, or organizational
hierarchy. |
creation_time |
google.protobuf.Timestamp |
|
Time the resource or entity was created or provisioned. |
labels |
Label |
repeated |
Set of labels for the entity. Should only be used for product labels (for
example, Google Cloud resource labels or Azure AD sensitivity labels).
Should not be used for arbitrary key-value mappings. |
last_update_time |
google.protobuf.Timestamp |
|
Time the resource or entity was last updated. |
permissions |
Permission |
repeated |
System permissions for IAM entity
(human principal, service account, group). |
roles |
Role |
repeated |
System IAM roles to be assumed by resources to use the role's permissions
for access control. |
Authentication
The Authentication extension captures details specific to authentication
events.
General guidelines for authentication events:
- Details about the source of the authentication event (for example, the
client IP address or hostname) should be captured in principal. The
principal may be empty if no details about the source of the login are
available.
- Details about the target of the authentication event (for example, the
machine that is being logged into or logged out of) should be captured in
target.
- Some authentication events involve a third party. For example, a user
logs into a cloud service (such as Google Security Operations) using their
company's SSO, and the event is logged by the SSO solution. In this case,
principal captures information about the user's device, target captures
details about the cloud service they logged into, and intermediary captures
details about the SSO solution.
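The SSO case above, worked through as an added example that is not part of the UDM reference or of any vendor's parser. The SSO audit record is constructed for illustration and imitates no particular product; the leaf field names placed under each noun (user.userid, ip, hostname, application, url) and the USER_LOGIN event type are the author's choices for the mapping and are not a statement of the complete UDM schema.

```python
import json
from typing import Any

# Constructed SSO audit record (hypothetical format, not a real vendor's schema).
SSO_LOG_LINE = json.dumps({
    "event": "user.login.success",
    "actor": {"user": "alice@example.corp", "ip": "203.0.113.7", "device": "alice-laptop"},
    "app": {"name": "Google Security Operations", "url": "https://secops.example.corp/"},
    "sso": {"provider": "corp-sso", "host": "sso.example.corp"},
})


def sso_login_to_udm(raw_line: str) -> dict[str, Any]:
    """Map one SSO login record onto the three UDM nouns named in the guideline.

    principal    <- where the login came from (the user's device)
    target       <- the cloud service that was logged into
    intermediary <- the SSO solution that observed and logged the login
    principal stays empty when the record carries no client-side details.
    """
    rec = json.loads(raw_line)
    event: dict[str, Any] = {
        "metadata": {"event_type": "USER_LOGIN"},
        "principal": {}, "target": {}, "intermediary": {},
    }
    actor = rec.get("actor") or {}
    if actor.get("user"):
        event["principal"]["user"] = {"userid": actor["user"]}
    if actor.get("ip"):
        event["principal"]["ip"] = [actor["ip"]]          # ip is a repeated field
    if actor.get("device"):
        event["principal"]["hostname"] = actor["device"]

    app = rec.get("app") or {}
    if app.get("name"):
        event["target"]["application"] = app["name"]
    if app.get("url"):
        event["target"]["url"] = app["url"]

    sso = rec.get("sso") or {}
    if sso.get("host"):
        event["intermediary"]["hostname"] = sso["host"]
    if sso.get("provider"):
        event["intermediary"]["application"] = sso["provider"]
    return event


def placement_issues(event: dict[str, Any]) -> list[str]:
    """Checks a parser author can run over sample output; an empty list means OK."""
    issues = []
    if not event["target"]:
        issues.append("target is empty: the system being logged into must be in target")
    if event["intermediary"] and event["intermediary"] == event["target"]:
        issues.append("intermediary duplicates target: the SSO provider is not the service logged into")
    for noun in ("principal", "target", "intermediary"):
        if "ip" in event[noun] and not isinstance(event[noun]["ip"], list):
            issues.append(f"{noun}.ip must be a list (repeated field)")
    return issues
```

The second function is the kind of self-check worth keeping next to a CBN parser: it catches the two mistakes the guideline warns about, a login with nothing in target and an SSO provider copied into target instead of intermediary.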
Certificate
Certificate information
Field Name |
Type |
Label |
Description |
issuer |
string |
|
Issuer of the certificate. |
md5 |
string |
|
The MD5 hash of the certificate, as a hex-encoded string. |
not_after |
google.protobuf.Timestamp |
|
Indicates when the certificate is no longer valid. |
not_before |
google.protobuf.Timestamp |
|
Indicates when the certificate is first valid. |
serial |
string |
|
Certificate serial number. |
sha1 |
string |
|
The SHA1 hash of the certificate, as a hex-encoded string. |
sha256 |
string |
|
The SHA256 hash of the certificate, as a hex-encoded string. |
subject |
string |
|
Subject of the certificate. |
version |
string |
|
Certificate version. |
Cloud
Metadata related to the cloud environment.
Field Name |
Type |
Label |
Description |
availability_zone |
string |
|
The cloud environment availability zone (different from region which is
location.name). |
environment |
Cloud.CloudEnvironment |
|
The Cloud environment. |
project |
Resource |
|
The cloud environment project information.
Deprecated: Use Resource.resource_ancestors |
vpc |
Resource |
|
The cloud environment VPC.
Deprecated. |
DNSRecord
DNS record.
Field Name |
Type |
Label |
Description |
expire |
int64 |
|
SOA expire interval: the number of seconds after which secondary servers
stop treating the zone as authoritative if the primary cannot be reached. |
minimum |
int64 |
|
SOA minimum TTL, used as the negative-caching TTL for the zone. |
priority |
int64 |
|
Record priority (for example, the MX preference or SRV priority). |
refresh |
int64 |
|
SOA refresh interval in seconds. |
retry |
int64 |
|
SOA retry interval in seconds. |
rname |
string |
|
SOA responsible-person mailbox (rname). |
serial |
int64 |
|
SOA zone serial number. |
ttl |
int64 |
|
Time to live in seconds. |
type |
string |
|
Record type (for example, A, AAAA, MX, or SOA). |
value |
string |
|
Record value (for example, the address of an A record). |
Dhcp
DHCP information.
Field Name |
Type |
Label |
Description |
chaddr |
string |
|
Client hardware address (chaddr). |
ciaddr |
string |
|
Client IP address (ciaddr). |
client_hostname |
string |
|
Client hostname. See RFC2132, section 3.14. |
client_identifier |
bytes |
|
Client identifier. See RFC2132, section 9.14. |
file |
string |
|
Boot image filename. |
flags |
uint32 |
|
Flags. |
giaddr |
string |
|
Relay agent IP address (giaddr). |
hlen |
uint32 |
|
Hardware address length. |
hops |
uint32 |
|
Hop count (hops): the number of DHCP relay agents the message has traversed.
The client sets it to zero. |
htype |
uint32 |
|
Hardware address type. |
lease_time_seconds |
uint32 |
|
Lease time in seconds. See RFC2132, section 9.2. |
opcode |
Dhcp.OpCode |
|
The BOOTP op code. |
options |
Dhcp.Option |
repeated |
List of DHCP options. |
requested_address |
string |
|
Requested IP address. See RFC2132, section 9.1. |
seconds |
uint32 |
|
Seconds elapsed since client began address acquisition/renewal process. |
siaddr |
string |
|
IP address of the next bootstrap server. |
sname |
string |
|
Server name that the client wishes to boot from. |
transaction_id |
uint32 |
|
Transaction ID. |
type |
Dhcp.MessageType |
|
DHCP message type. |
yiaddr |
string |
|
Your IP address (yiaddr). |
Dhcp.Option
DHCP options.
Field Name |
Type |
Label |
Description |
code |
uint32 |
|
Code. See RFC1533. |
data |
bytes |
|
Data. |
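The Dhcp and Dhcp.Option fields above follow the RFC 2131 message layout directly, so an added example of a parser that fills them from a raw message is the quickest way to see what each field holds. This is example code written for this page, not part of the UDM reference or of any Google SecOps parser; the DHCPREQUEST packet is constructed inline, and only the options the page itself names (53, 50, 51, 12, 61) are decoded beyond the generic code/data pair.

```python
import ipaddress
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"          # RFC 2131 fixed fields, 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPCODES = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def _cstr(raw: bytes) -> str:
    """NUL-terminated text field (sname, file) to str."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_dhcp(packet: bytes) -> dict:
    """Return a dict whose keys mirror the UDM Dhcp / Dhcp.Option fields."""
    if len(packet) < 240:
        raise ValueError("shorter than the 236-byte header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file_) = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    dhcp = {
        "opcode": OPCODES.get(op, f"UNKNOWN({op})"),
        "htype": htype, "hlen": hlen, "hops": hops,
        "transaction_id": xid, "seconds": secs, "flags": flags,
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        # hlen is sender-controlled; never let it index past the 16-byte field
        "chaddr": chaddr[:min(hlen, 16)].hex(":"),
        "sname": _cstr(sname), "file": _cstr(file_),
        "options": [],
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                # pad option, no length byte
            i += 1
            continue
        if code == 255:              # end option
            break
        if i + 2 > len(packet):
            raise ValueError(f"option {code}: length byte missing")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: declared length {length} exceeds packet")
        dhcp["options"].append({"code": code, "data": data})
        if code == 53 and length == 1:                       # RFC 2132 9.6 message type
            dhcp["type"] = MESSAGE_TYPES.get(data[0], f"UNKNOWN({data[0]})")
        elif code == 50 and length == 4:                     # 9.1 requested address
            dhcp["requested_address"] = str(ipaddress.IPv4Address(data))
        elif code == 51 and length == 4:                     # 9.2 lease time
            dhcp["lease_time_seconds"] = struct.unpack("!I", data)[0]
        elif code == 12:                                     # 3.14 host name
            dhcp["client_hostname"] = data.decode("ascii", "replace")
        elif code == 61:                                     # 9.14 client identifier
            dhcp["client_identifier"] = data
        i += 2 + length
    return dhcp


def build_sample_request() -> bytes:
    """Constructed DHCPREQUEST, relayed once by 192.0.2.1, from MAC 00:11:22:33:44:55."""
    mac = bytes.fromhex("001122334455")
    header = struct.pack(HEADER_FMT, 1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, bytes([192, 0, 2, 1]),
                         mac + b"\x00" * 10, b"", b"")
    options = (bytes([53, 1, 3])                                  # DHCPREQUEST
               + bytes([50, 4, 192, 0, 2, 50])                    # requested 192.0.2.50
               + bytes([12, 6]) + b"laptop"                       # client hostname
               + bytes([61, 7, 1]) + mac                          # client id: htype + MAC
               + bytes([51, 4]) + struct.pack("!I", 86400)        # one-day lease
               + bytes([255]))
    return header + MAGIC_COOKIE + options
```

The length checks on every option are not cosmetic: option lengths and hlen are chosen by whoever sent the packet, and a parser that trusts them is the classic source of out-of-bounds reads in DHCP clients and relays.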
Dns
DNS information.
Field Name |
Type |
Label |
Description |
additional |
Dns.ResourceRecord |
repeated |
Resource records from the additional section: records that help use the
answer, such as glue addresses for the name servers listed in the authority
section. |
answers |
Dns.ResourceRecord |
repeated |
A list of answers to the domain name query. |
authoritative |
bool |
|
Whether the answer comes from a server that is authoritative for the domain
(the AA flag). See RFC1035, section 4.1.1. |
authority |
Dns.ResourceRecord |
repeated |
Resource records from the authority section: the name servers authoritative
for the zone that provided the answers. |
id |
uint32 |
|
DNS query id. |
opcode |
uint32 |
|
The DNS OpCode used to specify the type of DNS query
(for example, QUERY, IQUERY, or STATUS). |
questions |
Dns.Question |
repeated |
A list of domain protocol message questions. |
recursion_available |
bool |
|
Whether a recursive DNS lookup is available. |
recursion_desired |
bool |
|
Whether a recursive DNS lookup is desired. |
response |
bool |
|
Set to true if the event is a DNS response. See QR field from RFC1035. |
response_code |
uint32 |
|
Response code. See RCODE from RFC1035. |
truncated |
bool |
|
Whether the DNS response was truncated. |
Dns.Question
DNS Questions. See RFC1035, section 4.1.2.
Field Name |
Type |
Label |
Description |
class |
uint32 |
|
The code specifying the class of the query. |
name |
string |
|
The domain name. |
prevalence |
Prevalence |
|
The prevalence of the domain within the customer's environment. |
type |
uint32 |
|
The code specifying the type of the query. |
Dns.ResourceRecord
DNS Resource Records. See RFC1035, section 4.1.3.
Field Name |
Type |
Label |
Description |
binary_data |
bytes |
|
The raw bytes of any non-UTF8 strings that might be included as part of a
DNS response. |
class |
uint32 |
|
The code specifying the class of the resource record. |
data |
string |
|
The payload or response to the DNS question for all responses encoded in
UTF-8 format |
name |
string |
|
The name of the owner of the resource record. |
ttl |
uint32 |
|
The time interval for which the resource record can be cached before the
source of the information should again be queried. |
type |
uint32 |
|
The code specifying the type of the resource record. |
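The Dns, Dns.Question and Dns.ResourceRecord fields above map one-to-one onto the RFC 1035 wire format, so an added parser that fills them from a raw message shows exactly where each header flag and section comes from, and where the data / binary_data split in Dns.ResourceRecord is decided. This is example code written for this page, not the UDM reference's own code or a Google SecOps parser; the response message and the looping message are constructed inline, and RDATA is decoded only for A, AAAA, NS and CNAME, everything else going to data (UTF-8) or binary_data (raw bytes).

```python
import ipaddress
import struct


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after its in-place bytes).

    RFC 1035 section 4.1.4 pointers must refer to an earlier position, so a
    pointer that points at or past itself is rejected. That single check is
    what stops a crafted message from sending the parser into an endless loop.
    """
    labels, end = [], -1
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[off + 1]
            if target >= off:
                raise ValueError("compression pointer does not point backwards")
            if end < 0:
                end = off + 2                           # caller resumes after the pointer
            off = target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (end if end >= 0 else off)
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def _rdata_fields(msg: bytes, rtype: int, rdata: bytes, rdata_off: int) -> dict:
    """Map RDATA onto the page's data (UTF-8 text) / binary_data (raw bytes) split."""
    if rtype == 1 and len(rdata) == 4:                  # A
        return {"data": str(ipaddress.IPv4Address(rdata))}
    if rtype == 28 and len(rdata) == 16:                # AAAA
        return {"data": str(ipaddress.IPv6Address(rdata))}
    if rtype in (2, 5):                                 # NS, CNAME: a name, may be compressed
        return {"data": read_name(msg, rdata_off)[0]}
    try:
        return {"data": rdata.decode("utf-8")}
    except UnicodeDecodeError:
        return {"binary_data": rdata}


def parse_dns(msg: bytes) -> dict:
    """Return a dict whose keys mirror the UDM Dns fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    dns = {
        "id": ident,
        "response": bool(flags & 0x8000),               # QR
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & 0x0400),          # AA
        "truncated": bool(flags & 0x0200),              # TC
        "recursion_desired": bool(flags & 0x0100),      # RD
        "recursion_available": bool(flags & 0x0080),    # RA
        "response_code": flags & 0xF,                   # RCODE
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        dns["questions"].append({"name": name, "type": qtype, "class": qclass})
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated resource record")
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("RDATA runs past end of message")
            rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
            rr.update(_rdata_fields(msg, rtype, rdata, off))
            dns[section].append(rr)
            off += rdlen
    return dns


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


# Constructed sample: authoritative response for example.com carrying an A record whose
# owner name is a compression pointer back to the question, plus a non-UTF-8 TXT record.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 2, 0, 0)            # QR, AA, RD, RA set; RCODE 0
    + encode_name("example.com") + struct.pack("!HH", 1, 1)     # question: A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, 3) + b"\x02\xff\xfe"
)
# A pointer at offset 12 that refers to itself: the loop parse_dns must reject.
LOOPING_MESSAGE = struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + b"\x00" * 4
```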
Domain
Information about a domain.
Field Name |
Type |
Label |
Description |
admin |
User |
|
Parsed contact information for the administrative contact for the domain. |
audit_update_time |
google.protobuf.Timestamp |
|
Audit updated time. |
billing |
User |
|
Parsed contact information for the billing contact of the domain. |
categories |
string |
repeated |
Categories assigned to the domain, as retrieved from VirusTotal. |
contact_email |
string |
|
Contact email address. |
creation_time |
google.protobuf.Timestamp |
|
Domain creation time. |
expiration_time |
google.protobuf.Timestamp |
|
Expiration time. |
favicon |
Favicon |
|
Includes difference hash and MD5 hash of the domain's favicon. |
first_seen_time |
google.protobuf.Timestamp |
|
First seen timestamp of the domain in the customer's environment. |
iana_registrar_id |
int32 |
|
IANA Registrar ID. See
https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml |
jarm |
string |
|
Domain's JARM hash. |
last_dns_records |
DNSRecord |
repeated |
Domain's DNS records from the last scan. |
last_dns_records_time |
google.protobuf.Timestamp |
|
Date when the DNS records list was retrieved by VirusTotal. |
last_https_certificate |
SSLCertificate |
|
SSL certificate object retrieved last time the domain was analyzed. |
last_https_certificate_time |
google.protobuf.Timestamp |
|
When the certificate was retrieved by VirusTotal. |
last_seen_time |
google.protobuf.Timestamp |
|
Last seen timestamp of the domain in the customer's environment. |
name |
string |
|
The domain name. |
name_server |
string |
repeated |
Repeated list of name servers. |
popularity_ranks |
PopularityRank |
repeated |
Domain's position in popularity ranks such as Alexa, Quantcast, or
Statvoo. |
prevalence |
Prevalence |
|
The prevalence of the domain within the customer's environment. |
private_registration |
bool |
|
Indicates whether the domain appears to be using a private registration
service to mask the owner's contact information. |
registrant |
User |
|
Parsed contact information for the registrant of the domain. |
registrar |
string |
|
Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)",
"GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". |
registry_data_raw_text |
bytes |
|
Registry Data raw text. |
status |
string |
|
Domain status. See
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
for the meanings of possible values. |
tags |
string |
repeated |
List of representative attributes. |
tech |
User |
|
Parsed contact information for the technical contact for the domain. |
update_time |
google.protobuf.Timestamp |
|
Last updated time. |
whois_record_raw_text |
bytes |
|
WHOIS raw text. |
whois_server |
string |
|
Whois server name. |
whois_time |
google.protobuf.Timestamp |
|
Date of the last update of the WHOIS record. |
zone |
User |
|
Parsed contact information for the zone. |
Email
Email info.
Favicon
Difference hash and MD5 hash of the domain's favicon.
Field Name |
Type |
Label |
Description |
dhash |
string |
|
Difference hash. |
raw_md5 |
string |
|
Favicon's MD5 hash. |
File
Information about a file.
Field Name |
Type |
Label |
Description |
ahash |
string |
|
Deprecated. Use authentihash instead. |
authentihash |
string |
|
Authentihash of the file. |
capabilities_tags |
string |
repeated |
Capabilities tags. |
embedded_domains |
string |
repeated |
Embedded domains found in the file. |
embedded_ips |
string |
repeated |
Embedded IP addresses found in the file. |
embedded_urls |
string |
repeated |
Embedded URLs found in the file. |
exif_info |
ExifInfo |
|
Exif metadata from different file formats extracted by exiftool. |
file_metadata |
FileMetadata |
|
Metadata associated with the file.
Deprecated: use the fields in File instead. |
file_type |
File.FileType |
|
FileType field. |
first_seen_time |
google.protobuf.Timestamp |
|
Timestamp the file was first seen in the customer's environment. |
first_submission_time |
google.protobuf.Timestamp |
|
First submission time of the file. |
full_path |
string |
|
The full path identifying the location of the file on the system. |
last_analysis_time |
google.protobuf.Timestamp |
|
Timestamp the file was last analysed. |
last_modification_time |
google.protobuf.Timestamp |
|
Timestamp when the file was last updated. |
last_seen_time |
google.protobuf.Timestamp |
|
Timestamp the file was last seen in the customer's environment. |
last_submission_time |
google.protobuf.Timestamp |
|
Last submission time of the file. |
main_icon |
Favicon |
|
Icon's relevant hashes. |
md5 |
string |
|
The MD5 hash of the file, as a hex-encoded string. |
mime_type |
string |
|
The MIME (Multipurpose Internet Mail Extensions) type of the file. Sources
often populate this with a coarse type label such as "PE", "PDF", or
"powershell script" rather than a registered MIME type. |
names |
string |
repeated |
Names under which the file has been observed. |
pdf_info |
PDFInfo |
|
Information about the PDF file structure. |
pe_file |
FileMetadataPE |
|
Metadata about the Portable Executable (PE) file. |
prevalence |
Prevalence |
|
Prevalence of the file hash in the customer's environment. |
security_result |
SecurityResult |
|
Google Cloud Threat Intelligence (GCTI) security result for the file
including threat context and detection metadata. |
sha1 |
string |
|
The SHA1 hash of the file, as a hex-encoded string. |
sha256 |
string |
|
The SHA256 hash of the file, as a hex-encoded string. |
signature_info |
SignatureInfo |
|
File signature information extracted from different tools. |
size |
uint64 |
|
The size of the file in bytes. |
ssdeep |
string |
|
Ssdeep fuzzy hash of the file. |
stat_dev |
uint64 |
|
The file system identifier to which the object belongs. |
stat_flags |
uint32 |
|
User defined flags for file. |
stat_inode |
uint64 |
|
The file identifier. Unique identifier of object within a file system. |
stat_mode |
uint64 |
|
The mode of the file. A bit string indicating the permissions and
privileges of the file. |
stat_nlink |
uint64 |
|
Number of links to file. |
tags |
string |
repeated |
Tags for the file. |
vhash |
string |
|
Vhash of the file. |
File metadata from the codesign utility.
FileMetadataPE
Metadata about the Portable Executable (PE) file.
Field Name |
Type |
Label |
Description |
compilation_exiftool_time |
google.protobuf.Timestamp |
|
info.exiftool.TimeStamp. |
compilation_time |
google.protobuf.Timestamp |
|
info.pe-timestamp. |
entry_point |
int64 |
|
info.pe-entry-point. |
entry_point_exiftool |
int64 |
|
info.exiftool.EntryPoint. |
imphash |
string |
|
Imphash of the file. |
imports |
FileMetadataImports |
repeated |
FileMetadataImports fields. |
resource |
FileMetadataPeResourceInfo |
repeated |
FileMetadataPeResourceInfo fields. |
resources_language_count |
StringToInt64MapEntry |
repeated |
Deprecated: use resources_language_count_str. |
resources_language_count_str |
Label |
repeated |
Number of resources by language.
Example: NEUTRAL: 20, ENGLISH US: 10 |
resources_type_count |
StringToInt64MapEntry |
repeated |
Deprecated: use resources_type_count_str. |
resources_type_count_str |
Label |
repeated |
Number of resources by resource type.
Example: RT_ICON: 10, RT_DIALOG: 5 |
section |
FileMetadataSection |
repeated |
FileMetadataSection fields. |
signature_info |
FileMetadataSignatureInfo |
|
FileMetadataSignatureInfo field.
Deprecated: use File.signature_info instead. |
Signature information.
Field Name |
Type |
Label |
Description |
signer |
string |
repeated |
Deprecated: use signers field. |
signers |
SignerInfo |
repeated |
File metadata signer information.
The order of the signers matters: each element is a higher-level authority
than the one before it, and the last element is the root authority. |
verification_message |
string |
|
Status of the certificate.
Valid values are "Signed", "Unsigned" or a description of the certificate
anomaly, if found. |
verified |
bool |
|
True if verification_message == "Signed" |
x509 |
X509 |
repeated |
List of certificates. |
Ftp
FTP info.
Field Name |
Type |
Label |
Description |
command |
string |
|
The FTP command. |
Group
Information about an organizational group.
Field Name |
Type |
Label |
Description |
attribute |
Attribute |
|
Generic entity metadata attributes of the group. |
creation_time |
google.protobuf.Timestamp |
|
Group creation time.
Deprecated: creation_time should be populated in Attribute as generic
metadata. |
email_addresses |
string |
repeated |
Email addresses of the group. |
group_display_name |
string |
|
Group display name. e.g. "Finance". |
product_object_id |
string |
|
Product globally unique user object identifier, such as an LDAP Object
Identifier. |
windows_sid |
string |
|
Microsoft Windows SID of the group. |
Hardware
Hardware specification details for a resource, including both physical and
virtual hardware.
Field Name |
Type |
Label |
Description |
cpu_clock_speed |
uint64 |
|
Clock speed of the hardware CPU in MHz. |
cpu_max_clock_speed |
uint64 |
|
Maximum possible clock speed of the hardware CPU in MHz. |
cpu_model |
string |
|
Model description of the hardware CPU
(e.g. "2.8 GHz Quad-Core Intel Core i5"). |
cpu_number_cores |
uint64 |
|
Number of CPU cores. |
cpu_platform |
string |
|
Platform of the hardware CPU (e.g. "Intel Broadwell"). |
manufacturer |
string |
|
Hardware manufacturer. |
model |
string |
|
Hardware model. |
ram |
uint64 |
|
Amount of hardware random access memory (RAM) in MB. |
serial_number |
string |
|
Hardware serial number. |
Http
Specify the full URL of the HTTP request within "target".
Also specify any uploaded or downloaded file information within "source"
or "target".
Field Name |
Type |
Label |
Description |
method |
string |
|
The HTTP request method
(e.g. "GET", "POST", "PATCH", "DELETE"). |
parsed_user_agent |
|
|
The parsed user_agent string. |
referral_url |
string |
|
The URL for the HTTP referer. |
response_code |
int32 |
|
The response status code, for example
200, 302, 404, or 500. |
user_agent |
string |
|
The User-Agent request header which includes the application type,
operating system, software vendor or software version of the requesting
software user agent. |
Investigation
Represents the aggregated state of an investigation such as categorization,
severity, and status. Can be expanded to include analyst assignment details
and more.
Field Name |
Type |
Label |
Description |
comments |
string |
repeated |
Comment added by the Analyst. |
priority |
Priority |
optional |
Priority of the Alert or Finding set by analyst. |
reason |
Reason |
optional |
Reason for closing the Case or Alert. |
reputation |
Reputation |
optional |
Describes whether a finding was useful or not-useful. |
risk_score |
uint32 |
optional |
Risk score for a finding set by an analyst. |
root_cause |
string |
optional |
Root cause of the Alert or Finding set by analyst. |
severity_score |
uint32 |
optional |
Severity score for a finding set by an analyst. |
status |
Status |
optional |
Describes the workflow status of a finding. |
verdict |
Verdict |
optional |
Describes reason a finding investigation was resolved. |
Label
Key value labels.
Field Name |
Type |
Label |
Description |
key |
string |
|
The key. |
rbac_enabled |
bool |
|
Indicates whether this label can be used for data RBAC. |
value |
string |
|
The value. |
Location
Information about a location.
Field Name |
Type |
Label |
Description |
city |
string |
|
The city. |
country_or_region |
string |
|
The country or region. |
desk_name |
string |
|
Desk name or individual location, typically for an employee in an
office.
(e.g. "IN-BLR-BCPC-11-1121D"). |
floor_name |
string |
|
Floor name, number or a combination of the two for a building.
(e.g. "1-A"). |
name |
string |
|
Custom location name (e.g. building or site name like "London Office").
For cloud environments, this is the region (e.g. "us-west2"). |
region_coordinates |
google.type.LatLng |
|
Coordinates for the associated region.
See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng
for a description of the fields. |
region_latitude |
float |
|
Deprecated: use region_coordinates. |
region_longitude |
float |
|
Deprecated: use region_coordinates. |
state |
string |
|
The state. |
PDFInfo
Information about the PDF file structure. See
https://developers.virustotal.com/reference/pdf_info
Field Name |
Type |
Label |
Description |
acroform |
int64 |
|
Number of /AcroForm tags found in the PDF. |
autoaction |
int64 |
|
Number of /AA tags found in the PDF. |
embedded_file |
int64 |
|
Number of /EmbeddedFile tags found in the PDF. |
encrypted |
int64 |
|
Whether the document is encrypted or not. This is defined by the /Encrypt
tag. |
endobj_count |
int64 |
|
Number of object definitions (endobj keyword). |
endstream_count |
int64 |
|
Number of defined stream objects (stream keyword). |
flash |
int64 |
|
Number of /RichMedia tags found in the PDF. |
header |
string |
|
PDF version. |
javascript |
int64 |
|
Number of /JavaScript tags found in the PDF file. Should be the same as
the js field in normal scenarios. |
jbig2_compression |
int64 |
|
Number of /JBIG2Decode tags found in the PDF. |
js |
int64 |
|
Number of /JS tags found in the PDF file. Should be the same as
javascript field in normal scenarios. |
launch_action_count |
int64 |
|
Number of /Launch tags found in the PDF file. |
obj_count |
int64 |
|
Number of objects definitions (obj keyword). |
object_stream_count |
int64 |
|
Number of object streams. |
openaction |
int64 |
|
Number of /OpenAction tags found in the PDF. |
page_count |
int64 |
|
Number of pages in the PDF. |
startxref |
int64 |
|
Number of startxref keywords in the PDF. |
stream_count |
int64 |
|
Number of defined stream objects (stream keyword). |
suspicious_colors |
int64 |
|
Number of colors expressed with more than 3 bytes (CVE-2009-3459). |
trailer |
int64 |
|
Number of trailer keywords in the PDF. |
xfa |
int64 |
|
Number of /XFA tags found in the PDF. |
xref |
int64 |
|
Number of xref keywords in the PDF. |
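The PDFInfo counters above are textual counts of structural markers, in the manner of pdfid, and the page's remark that js and javascript "should be the same in normal scenarios" is a hint at how analysts use them. The following is an added example, not the UDM reference's own code and not VirusTotal's implementation, that derives the counters from raw PDF bytes and applies a few triage rules on top. The PDF is constructed inline; counts are an approximation of what a real tool reports (page_count in particular counts /Type /Page objects rather than reading the page tree), and names with hex escapes such as /J#53 are normalised before counting so that obfuscated spellings of /JS are not missed.

```python
import re

# PDF name objects end at whitespace or a delimiter; this lookahead stops /JS
# from also matching /JSX and /Page from matching /Pages.
NAME_END = rb"(?![^\s()<>\[\]{}/%])"
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")          # /J#53 is a legal spelling of /JS
TAG_NAMES = {
    "acroform": b"/AcroForm", "autoaction": b"/AA", "embedded_file": b"/EmbeddedFile",
    "encrypted": b"/Encrypt", "flash": b"/RichMedia", "javascript": b"/JavaScript",
    "jbig2_compression": b"/JBIG2Decode", "js": b"/JS", "launch_action_count": b"/Launch",
    "openaction": b"/OpenAction", "xfa": b"/XFA", "object_stream_count": b"/ObjStm",
}
KEYWORDS = {
    "obj_count": b"obj", "endobj_count": b"endobj", "stream_count": b"stream",
    "endstream_count": b"endstream", "xref": b"xref", "startxref": b"startxref",
    "trailer": b"trailer",
}


def pdf_info(data: bytes) -> dict:
    """Count the structural markers the PDFInfo fields describe, pdfid-style.

    Hex escapes in names are resolved first so obfuscated spellings are
    counted under their real name. The pass is purely textual: anything
    inside a compressed object stream is invisible to it, which is why
    object_stream_count is itself a useful signal.
    """
    text = NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    info = {}
    for field, name in TAG_NAMES.items():
        info[field] = len(re.findall(re.escape(name) + NAME_END, text))
    info["encrypted"] = 1 if info["encrypted"] else 0     # the page defines this as yes/no
    for field, keyword in KEYWORDS.items():
        info[field] = len(re.findall(rb"\b" + keyword + rb"\b", text))
    info["page_count"] = len(re.findall(rb"/Type\s*/Page" + NAME_END, text))
    header = re.match(rb"%PDF-\d\.\d", data)
    info["header"] = header.group(0).decode("ascii") if header else ""
    return info


def suspicious_indicators(info: dict) -> list[str]:
    """Triage rules a detection engineer might build on the counters."""
    flags = []
    if info["openaction"] and (info["js"] or info["javascript"]):
        flags.append("JavaScript reachable from /OpenAction: runs when the file is opened")
    if info["autoaction"]:
        flags.append("/AA additional-actions present (event-triggered actions)")
    if info["launch_action_count"]:
        flags.append("/Launch action present (can start an external program)")
    if info["js"] != info["javascript"]:
        flags.append("js/javascript counts differ: possible obfuscated or detached /JS")
    if info["obj_count"] != info["endobj_count"]:
        flags.append("obj/endobj mismatch: malformed or truncated structure")
    return flags


# Constructed sample: a catalog whose /OpenAction runs JavaScript, a page with an
# /AA additional action, a /Launch action, and a second /JS spelled as /J#53.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert('hello')) >>
endobj
5 0 obj
<< /S /J#53 /Type /Action /Launch (calc.exe) >>
endobj
6 0 obj
<< /Length 5 >>
stream
hello
endstream
endobj
xref
0 7
trailer
<< /Root 1 0 R /Size 7 >>
startxref
512
%%EOF
"""
```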
Metadata about a Microsoft Windows Portable Executable.
Field Name |
Type |
Label |
Description |
import_hash |
string |
|
Hash of PE imports. |
Permission
System permission for resource access and modification.
Field Name |
Type |
Label |
Description |
description |
string |
|
Description of the permission (e.g. 'Ability to update detect rules'). |
name |
string |
|
Name of the permission (e.g. chronicle.analyst.updateRule). |
type |
Permission.PermissionType |
|
Type of the permission. |
PlatformSoftware
Platform software information about an operating system.
Field Name |
Type |
Label |
Description |
platform |
Noun.Platform |
|
The platform operating system. |
platform_patch_level |
string |
|
The platform software patch level (e.g. "Build 17134.48", "SP1"). |
platform_version |
string |
|
The platform software version (e.g. "Microsoft Windows 1803"). |
PopularityRank
Domain's position in popularity ranks for sources such as Alexa, Quantcast,
or Statvoo.
Field Name |
Type |
Label |
Description |
giver |
string |
|
Name of the source that assigned the rank (for example, Alexa). |
ingestion_time |
google.protobuf.Timestamp |
|
Timestamp when the rank was ingested. |
rank |
int64 |
|
Rank position. |
Prevalence
The prevalence of a resource within the customer's environment.
This measures how common it is for assets to access the resource.
Field Name |
Type |
Label |
Description |
day_count |
int32 |
|
The number of days over which rolling_max is calculated. |
day_max |
int32 |
|
The max prevalence score in a day interval window. |
day_max_sub_domains |
int32 |
|
The max prevalence score in a day interval window across sub-domains. This
field is only valid for domains. |
rolling_max |
int32 |
|
The maximum number of assets per day accessing the resource over the
trailing day_count days. |
rolling_max_sub_domains |
int32 |
|
The maximum number of assets per day accessing the domain along with
sub-domains over the trailing day_count days. This field is only valid for
domains. |
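The Prevalence fields are defined in terms of distinct assets per day over a trailing window, and the sub-domain variants roll child domains up into their parents. The following is an added example, not the UDM reference's own code and not Google SecOps's internal computation, that derives all five fields from a constructed list of (day, asset, domain) accesses. day_max is read here as the distinct-asset count on the most recent day of the window (a one-day window), which is this example's interpretation of the page's wording; a bare TLD is never treated as a parent.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Iterable


def parent_domains(name: str) -> list[str]:
    """'cdn.assets.example.com' -> ['assets.example.com', 'example.com']; the TLD is excluded."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def compute_prevalence(accesses: Iterable[tuple[date, str, str]], as_of: date, day_count: int) -> dict:
    """Return {domain: {day_count, day_max, day_max_sub_domains, rolling_max, rolling_max_sub_domains}}.

    Only accesses inside the trailing day_count-day window ending at as_of are
    counted, an asset counts once per day however often it connects, and an
    access to a sub-domain also counts towards every parent's *_sub_domains value.
    """
    window_start = as_of - timedelta(days=day_count - 1)
    exact = defaultdict(lambda: defaultdict(set))      # domain -> day -> assets
    with_subs = defaultdict(lambda: defaultdict(set))  # domain incl. sub-domains -> day -> assets
    for day, asset, domain in accesses:
        if not (window_start <= day <= as_of):
            continue
        name = domain.lower().rstrip(".")               # normalise case and trailing dot
        exact[name][day].add(asset)
        for target in [name] + parent_domains(name):
            with_subs[target][day].add(asset)
    result = {}
    for name in set(exact) | set(with_subs):
        per_day, per_day_subs = exact[name], with_subs[name]
        result[name] = {
            "day_count": day_count,
            "day_max": len(per_day.get(as_of, ())),
            "day_max_sub_domains": len(per_day_subs.get(as_of, ())),
            "rolling_max": max((len(a) for a in per_day.values()), default=0),
            "rolling_max_sub_domains": max((len(a) for a in per_day_subs.values()), default=0),
        }
    return result


def rare_domains(prevalence: dict, threshold: int) -> list[str]:
    """Domains no more than `threshold` assets per day ever reached: the classic hunting pivot."""
    return sorted(d for d, p in prevalence.items() if p["rolling_max_sub_domains"] <= threshold)


# Constructed access log: (day, asset_id, domain). The March 1 burst lies outside a
# 7-day window ending March 10 and must not influence the result.
SAMPLE_ACCESSES = [
    (date(2024, 3, 10), "host-a", "example.com"),
    (date(2024, 3, 10), "host-a", "example.com"),          # same asset twice: counts once
    (date(2024, 3, 10), "host-b", "example.com"),
    (date(2024, 3, 10), "host-c", "cdn.example.com"),
    (date(2024, 3, 9), "host-a", "example.com"),
    (date(2024, 3, 9), "host-b", "cdn.example.com"),
    (date(2024, 3, 9), "host-c", "cdn.example.com"),
    (date(2024, 3, 9), "host-d", "CDN.example.com."),      # case and trailing dot normalised
    (date(2024, 3, 8), "host-e", "evil-update.example.net"),
] + [(date(2024, 3, 1), f"host-{i}", "example.com") for i in range(30)]
```

rare_domains is where the rolling_max_sub_domains field earns its keep: a domain that only one asset in the whole estate has ever contacted, and whose parent is equally rare, is a far better hunting lead than any single event about it.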
Process
Information about a process.
Field Name |
Type |
Label |
Description |
access_mask |
uint64 |
|
A bit mask representing the level of access. |
command_line |
string |
|
The command line used to launch the process. |
command_line_history |
string |
repeated |
The command line history of the process. |
file |
File |
|
Information about the file in use by the process. |
integrity_level_rid |
uint64 |
|
The Microsoft Windows integrity level relative ID (RID) of the process. |
parent_pid |
string |
|
The ID of the parent process.
Deprecated: use parent_process.pid instead. |
parent_process |
Process |
|
Information about the parent process. |
pid |
string |
|
The process ID. |
product_specific_parent_process_id |
string |
|
A product-specific ID for the parent process.
Deprecated: use parent_process.product_specific_process_id instead. |
product_specific_process_id |
string |
|
A product specific process id. |
token_elevation_type |
Process.TokenElevationType |
|
The elevation type of the process on Microsoft Windows. This determines if
any privileges are removed when UAC is enabled. |
Registry
Information about a registry key or value.
Field Name |
Type |
Label |
Description |
registry_key |
string |
|
Registry key associated with an application or system component
(e.g. HKCU\Environment). |
registry_value_data |
string |
|
Data associated with a registry value
(e.g. %USERPROFILE%\Local Settings\Temp). |
registry_value_name |
string |
|
Name of the registry value associated with an application or system
component (e.g. TEMP). |
Resource
Information about a resource such as a task, Cloud Storage
bucket, database, disk, logical policy, or something similar.
Field Name |
Type |
Label |
Description |
attribute |
Attribute |
|
Generic entity metadata attributes of the resource. |
id |
string |
|
Deprecated: Use resource.name or resource.product_object_id. |
name |
string |
|
The full name of the resource. For example,
Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123,
and AWS: arn:aws:iam::123456789012:user/johndoe. |
parent |
string |
|
The parent of the resource.
For a database table, the parent is the database. For a storage object,
the bucket name. Deprecated: use resource_ancestors.name. |
product_object_id |
string |
|
A vendor-specific identifier to uniquely identify the entity (a GUID,
OID, or similar) |
resource_subtype |
string |
|
Resource sub-type (e.g. "BigQuery", "Bigtable"). |
resource_type |
Resource.ResourceType |
|
Resource type. |
type |
string |
|
Deprecated: use resource_type instead. |
Role
System role for resource access and modification.
Field Name |
Type |
Label |
Description |
description |
string |
|
System role description for user. |
name |
string |
|
System role name for user. |
type |
Role.Type |
|
System role type for well known roles. |
SSLCertificate
SSL certificate.
SSLCertificate.AuthorityKeyId
Identifies the public key to be used to verify the signature on this
certificate or CRL.
Field Name |
Type |
Label |
Description |
keyid |
string |
|
Key hexdump. |
serial_number |
string |
|
Serial number hexdump. |
SSLCertificate.CertSignature
Certificate's signature and algorithm.
Field Name |
Type |
Label |
Description |
signature |
string |
|
Signature. |
signature_algorithm |
string |
|
Algorithm. |
SSLCertificate.DSA
DSA public key information.
Field Name |
Type |
Label |
Description |
g |
string |
|
g component hexdump. |
p |
string |
|
p component hexdump. |
pub |
string |
|
Public key hexdump. |
q |
string |
|
q component hexdump. |
SSLCertificate.EC
EC public key information.
Field Name |
Type |
Label |
Description |
oid |
string |
|
Curve name. |
pub |
string |
|
Public key hexdump. |
SSLCertificate.Extension
Certificate's extensions.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| authority_key_id | SSLCertificate.AuthorityKeyId | | Identifies the public key to be used to verify the signature on this certificate or CRL. |
| ca | bool | | Whether the subject acts as a certificate authority (CA) or not. |
| ca_info_access | string | | Authority information access locations are URLs that are added to a certificate in its authority information access extension. |
| cert_template_name_dc | string | | BMP data value "DomainController". See MS Q291010. |
| certificate_policies | string | | Different certificate policies will relate to different applications which may use the certified key. |
| crl_distribution_points | string | | CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. |
| extended_key_usage | string | | One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. |
| key_usage | string | | The purpose for which the certified public key is used. |
| netscape_cert_comment | string | | Used to include free-form text comments inside certificates. |
| netscape_certificate | bool | | Identifies whether the certificate subject is an SSL client, an SSL server, or a CA. |
| old_authority_key_id | bool | | Whether the certificate has an old authority key identifier extension. |
| pe_logotype | bool | | Whether the certificate includes a logotype. |
| subject_alternative_name | string | | Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. |
| subject_key_id | string | | Identifies the public key being certified. |
SSLCertificate.PublicKey
Subject public key info.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| algorithm | string | | Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. |
| rsa | SSLCertificate.RSA | | RSA public key information. |
SSLCertificate.RSA
RSA public key information.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| exponent | string | | Key exponent hexdump. |
| key_size | int64 | | Key size. |
| modulus | string | | Key modulus hexdump. |
SSLCertificate.Subject
Subject data.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| common_name | string | | CN: CommonName. |
| country_name | string | | C: Country name. |
| locality | string | | L: Locality. |
| organization | string | | O: Organization. |
| organizational_unit | string | | OU: OrganizationalUnit. |
| state_or_province_name | string | | ST: StateOrProvinceName. |
SSLCertificate.Validity
Defines the certificate's validity period.
SecurityResult.AnalystVerdict
Verdict provided by the human analyst. These fields are used to model
Mandiant sources.
SecurityResult.Association
Associations represent different metadata about the malware and threat actors
involved with an IoC.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| alias | SecurityResult.Association.AssociationAlias | repeated | Different aliases of the threat actor given by different sources. |
| associated_actors | SecurityResult.Association | repeated | List of associated threat actors for a malware. Not applicable for threat actors. |
| country_code | string | repeated | Country from which the threat actor or malware originated. |
| description | string | | Human-readable description of the association. |
| first_reference_time | google.protobuf.Timestamp | | First time the threat actor was referenced or seen. |
| id | string | | Unique association ID generated by Mandiant. |
| industries_affected | string | repeated | List of industries the threat actor affects. |
| last_reference_time | google.protobuf.Timestamp | | Last time the threat actor was referenced or seen. |
| name | string | | Name of the threat actor/malware. |
| region_code | Location | | Name of the country the threat originates from. |
| role | string | | Role of the malware. Not applicable for threat actors. |
| source_country | string | | Name of the country the threat originated from. |
| sponsor_region | Location | | Sponsor region of the threat actor. |
| tags | string | repeated | Tags. |
| targeted_regions | Location | repeated | Targeted regions. |
| type | SecurityResult.Association.AssociationType | | Signifies the type of association. |
SecurityResult.Association.AssociationAlias
Association Alias used to represent Mandiant Threat Intelligence.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| company | string | | Name of the provider who gave the association's name. |
| name | string | | Name of the alias. |
SecurityResult.IoCStats
Information about the threat intelligence source. These fields are used to
model Mandiant sources.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| benign_count | int32 | | Count of responses where the IoC was identified as benign. |
| first_level_source | string | | Name of the first-level IoC source, for example Mandiant or a third party. |
| ioc_stats_type | SecurityResult.IoCStatsType | | Describes the source of the IoCStat. |
| malicious_count | int32 | | Count of responses where the IoC was identified as malicious. |
| quality | SecurityResult.ProductConfidence | | Level of confidence in the IoC mapping extracted from the source. |
| response_count | int32 | | Total number of responses from the source. |
| second_level_source | string | | Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. |
| source_count | int32 | | Number of sources from which information was extracted. |
SecurityResult.ProviderMLVerdict
MLVerdict result provided from threat providers, like Mandiant. These
fields are used to model Mandiant sources.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| benign_count | int32 | | Count of responses where this IoC was marked benign. |
| confidence_score | int32 | | Confidence score of the verdict. |
| malicious_count | int32 | | Count of responses where this IoC was marked malicious. |
| mandiant_sources | SecurityResult.Source | repeated | List of Mandiant sources from which the verdict was generated. |
| source_provider | string | | Source provider giving the ML verdict. |
| third_party_sources | SecurityResult.Source | repeated | List of third-party sources from which the verdict was generated. |
SecurityResult.Source
Information about the threat intelligence source. These fields are used to
model Mandiant sources.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| benign_count | int32 | | Count of responses where this IoC was marked benign. |
| malicious_count | int32 | | Count of responses where this IoC was marked malicious. |
| name | string | | Name of the IoC source. |
| quality | SecurityResult.ProductConfidence | | Quality of the IoC mapping extracted from the source. |
| response_count | int32 | | Total response count from this source. |
| source_count | int32 | | Number of sources from which intelligence was extracted. |
| threat_intelligence_sources | SecurityResult.Source | repeated | Different threat intelligence sources from which IoC info was extracted. |
SecurityResult.Verdict
Encapsulates the threat verdict provided by human analysts and ML models.
These fields are used to model Mandiant sources.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| analyst_verdict | SecurityResult.AnalystVerdict | | Human analyst verdict provided by sources like Mandiant. |
| neighbour_influence | string | | Describes the neighbour influence of the verdict. |
| response_count | int32 | | Total response count across all sources. |
| source_count | int32 | | Number of sources from which intelligence was extracted. |
| verdict | SecurityResult.ProviderMLVerdict | | ML verdict provided by sources like Mandiant. |
SecurityResult.VerdictInfo
Describes the threat verdict provided by human analysts and machine
learning models. These fields are used to model Mandiant sources.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| benign_count | int32 | | Count of responses where this IoC was marked as benign. |
| category_details | string | | Tags related to the verdict. |
| confidence_score | int32 | | Confidence score of the verdict. |
| global_customer_count | int32 | | Global customer count over the last 30 days. |
| global_hits_count | int32 | | Global hit count over the last 30 days. |
| ioc_stats | SecurityResult.IoCStats | repeated | List of IoCStats from which the verdict was generated. |
| malicious_count | int32 | | Count of responses where this IoC was marked as malicious. |
| neighbour_influence | string | | Describes the near-neighbour influence of the verdict. |
| pwn | bool | | Whether one or more Mandiant incident response customers had this indicator in their environment. |
| pwn_first_tagged_time | google.protobuf.Timestamp | | The timestamp of the first time a pwn was associated with this entity. |
| response_count | int32 | | Total response count across all sources. |
| source_count | int32 | | Number of sources from which intelligence was extracted. |
| source_provider | string | | Source provider giving the machine learning verdict. |
| verdict_response | SecurityResult.VerdictResponse | | Details about the verdict. |
| verdict_time | google.protobuf.Timestamp | | Timestamp when the verdict was generated. |
| verdict_type | SecurityResult.VerdictType | | Type of verdict. |
SignatureInfo
File signature information extracted from different tools.
SignerInfo
File metadata related to the signer information.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| cert_issuer | string | optional | Company that issued the certificate. |
| name | string | optional | Common name of the signers/certificate. The order of the signers matters: each element is a higher-level authority, the last being the root authority. |
| status | string | optional | Either "Valid" or a statement of the problem with the certificate, if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). |
| valid_usage | string | optional | Indicates which situations the certificate is valid for (e.g. "Code Signing"). |
Smtp
SMTP info. See RFC 2821.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| helo | string | | The client's 'HELO'/'EHLO' string. |
| is_tls | bool | | If the connection switched to TLS. |
| is_webmail | bool | | If the message was sent via a webmail client. |
| mail_from | string | | The client's 'MAIL FROM' string. |
| message_path | string | | The message's path (extracted from the headers). |
| rcpt_to | string | repeated | The client's 'RCPT TO' string(s). |
| server_response | string | repeated | The server's response(s) to the client. |
Software
Information about a software package or application.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| description | string | | The description of the software. |
| name | string | | The name of the software. |
| permissions | Permission | repeated | System permissions granted to the software, for example "android.permission.WRITE_EXTERNAL_STORAGE". |
| vendor_name | string | | The name of the software vendor. |
| version | string | | The version of the software. |
Tags are event metadata which is set by examining event contents
post-parsing. For example, a UDM event may be assigned a tenant_id based on
certain customer-defined parameters.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| data_tap_config_name | string | repeated | A list of sink name values defined in DataTap configurations. |
| tenant_id | bytes | repeated | A list of subtenant IDs that this event belongs to. |
TimeOff
System record for leave/time-off from a Human Capital Management (HCM)
system.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| description | string | | Description of the leave if available (e.g. 'Vacation'). |
| interval | google.type.Interval | | Interval duration of the leave. |
Tls
Transport Layer Security (TLS) information.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| cipher | string | | Cipher used during the connection. |
| client | Tls.Client | | Certificate information for the client certificate. |
| curve | string | | Elliptic curve used for a given cipher. |
| established | bool | | Indicates whether the TLS negotiation was successful. |
| next_protocol | string | | Protocol to be used for the tunnel. |
| resumed | bool | | Indicates whether the TLS connection was resumed from a previous TLS negotiation. |
| server | Tls.Server | | Certificate information for the server certificate. |
| version | string | | TLS version. |
| version_protocol | string | | Protocol. |
Tls.Client
Transport Layer Security (TLS) information associated with the client
(for example, Certificate or JA3 hash).
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| certificate | Certificate | | Client certificate. |
| ja3 | string | | JA3 hash from the TLS ClientHello, as a hex-encoded string. |
| server_name | string | | Host name of the server that the client is connecting to. |
| supported_ciphers | string | repeated | Ciphers offered by the client in the ClientHello. |
Tls.Server
Transport Layer Security (TLS) information associated with the server
(for example, Certificate or JA3 hash).
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| certificate | Certificate | | Server certificate. |
| ja3s | string | | JA3S hash from the TLS ServerHello, as a hex-encoded string. |
Tracker
URL Tracker.
URL
URL.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| categories | string | repeated | Categorisation done by VirusTotal partners. |
| favicon | Favicon | | Difference hash and MD5 hash of the URL's favicon. |
| html_meta | google.protobuf.Struct | | Meta tags (only for URLs downloading HTML). |
| last_final_url | string | | If the original URL redirects, the URL where the redirect chain ends. |
| last_http_response_code | int32 | | HTTP response code of the last response. |
| last_http_response_content_length | int64 | | Length in bytes of the content received. |
| last_http_response_content_sha256 | string | | SHA256 hash of the URL response body. |
| last_http_response_cookies | google.protobuf.Struct | | Website's cookies. |
| last_http_response_headers | google.protobuf.Struct | | Headers and values of the last HTTP response. |
| tags | string | repeated | Tags. |
| title | string | | Webpage title. |
| trackers | Tracker | repeated | Trackers found in the URL in a historical manner. |
| URL | string | | URL. |
User
Information about a user.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| account_expiration_time | google.protobuf.Timestamp | | User account expiration timestamp. |
| account_lockout_time | google.protobuf.Timestamp | | User account lockout timestamp. |
| account_type | User.AccountType | | Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ |
| attribute | Attribute | | Generic entity metadata attributes of the user. |
| company_name | string | | User job company name. |
| department | string | repeated | User job department. |
| email_addresses | string | repeated | Email addresses of the user. |
| employee_id | string | | Human capital management identifier. |
| first_name | string | | First name of the user (e.g. "John"). |
| first_seen_time | google.protobuf.Timestamp | | The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. |
| group_identifiers | string | repeated | Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). |
| groupid | string | | The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. |
| hire_date | google.protobuf.Timestamp | | User job employment hire date. |
| last_bad_password_attempt_time | google.protobuf.Timestamp | | User last bad password attempt timestamp. |
| last_login_time | google.protobuf.Timestamp | | User last login timestamp. |
| last_name | string | | Last name of the user (e.g. "Locke"). |
| last_password_change_time | google.protobuf.Timestamp | | User last password change timestamp. |
| managers | User | repeated | User job manager(s). |
| middle_name | string | | Middle name of the user. |
| office_address | Location | | User job office location. |
| password_expiration_time | google.protobuf.Timestamp | | User password expiration timestamp. |
| personal_address | Location | | Personal address of the user. |
| phone_numbers | string | repeated | Phone numbers for the user. |
| product_object_id | string | | A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP OID, or similar). |
| role_description | string | | System role description for the user. Deprecated: use attribute.roles. |
| role_name | string | | System role name for the user. Deprecated: use attribute.roles. |
| termination_date | google.protobuf.Timestamp | | User job employment termination date. |
| time_off | TimeOff | repeated | User time-off leave from active work. |
| title | string | | User job title. |
| user_authentication_status | Authentication.AuthenticationStatus | | System authentication status for the user. |
| user_display_name | string | | The display name of the user (e.g. "John Locke"). |
| user_role | User.Role | | System role for the user. Deprecated: use attribute.roles. |
| userid | string | | The ID of the user. |
| windows_sid | string | | The Microsoft Windows SID of the user. |
Vulnerabilities
The Vulnerabilities extension captures details on observed/detected
vulnerabilities.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| vulnerabilities | Vulnerability | repeated | A list of vulnerabilities. |
Vulnerability
A vulnerability.
X509
File certificate.
| Field Name | Type | Label | Description |
| --- | --- | --- | --- |
| algorithm | string | | Certificate algorithm. |
| cert_issuer | string | | Issuer of the certificate. |
| name | string | | Certificate name. |
| serial_number | string | | Certificate serial number. |
| thumbprint | string | | Certificate thumbprint. |
Event enumerated types
Asset.AssetType
The role type of the asset.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| IOT | 3 | An IoT asset. |
| LAPTOP | 2 | A laptop computer. |
| MOBILE | 9 | A mobile device such as a mobile phone or PDA. |
| NETWORK_ATTACHED_STORAGE | 4 | A network attached storage device. |
| PRINTER | 5 | A printer. |
| ROLE_UNSPECIFIED | 0 | Unspecified asset role. |
| SCANNER | 6 | A scanner. |
| SERVER | 7 | A server. |
| TAPE_LIBRARY | 8 | A tape library device. |
| WORKSTATION | 1 | A workstation or desktop. |
Asset.DeploymentStatus
Deployment status states.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| ACTIVE | 1 | Asset is active, functional and deployed. |
| DECOMMISSIONED | 3 | Asset is decommissioned. |
| DEPLOYMENT_STATUS_UNSPECIFIED | 0 | Unspecified deployment status. |
| PENDING_DECOMMISSION | 2 | Asset is pending decommission and no longer deployed. |
Authentication.AuthType
Type of system the authentication event is associated with.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| AUTHTYPE_UNSPECIFIED | 0 | The default type. |
| MACHINE | 1 | A machine authentication. |
| PHYSICAL | 4 | A physical authentication (e.g. "Badge reader"). |
| SSO | 2 | An SSO authentication. |
| TACACS | 5 | A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). |
| VPN | 3 | A VPN authentication. |
Authentication.AuthenticationStatus
Authentication status, can be used to describe the status of authentication
for a user or particular credential.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| ACTIVE | 1 | The authentication method is in active state. |
| DELETED | 4 | The authentication method has been deleted. |
| NO_ACTIVE_CREDENTIALS | 3 | The authentication method has no active credentials. |
| SUSPENDED | 2 | The authentication method is in suspended/disabled state. |
| UNKNOWN_AUTHENTICATION_STATUS | 0 | The default authentication status. |
Authentication.Mechanism
Mechanism(s) used to authenticate.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| BADGE_READER | 8 | Badge reader authentication. |
| BATCH | 10 | Batch authentication. |
| CACHED_INTERACTIVE | 16 | Interactive authentication using cached credentials. |
| CACHED_REMOTE_INTERACTIVE | 17 | Cached Remote Interactive authentication using cached credentials. |
| CACHED_UNLOCK | 18 | Cached Remote Interactive authentication using cached credentials. |
| HARDWARE_KEY | 3 | Hardware key authentication. |
| INTERACTIVE | 15 | Interactive authentication. |
| LOCAL | 4 | Local authentication. |
| MECHANISM_OTHER | 7 | Some other mechanism that is not defined here. |
| MECHANISM_UNSPECIFIED | 0 | The default mechanism. |
| NETWORK | 9 | Network authentication. |
| NETWORK_CLEAR_TEXT | 13 | Network clear text authentication. |
| NEW_CREDENTIALS | 14 | Authentication with new credentials. |
| OTP | 2 | OTP authentication. |
| REMOTE | 5 | Remote authentication. |
| REMOTE_INTERACTIVE | 6 | RDP, Terminal Services, or VNC. |
| SERVICE | 11 | Service authentication. |
| UNLOCK | 12 | Direct human-interactive unlock authentication. |
| USERNAME_PASSWORD | 1 | Username + password authentication. |
Cloud.CloudEnvironment
The service provider environment.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| AMAZON_WEB_SERVICES | 2 | Amazon Web Services. |
| GOOGLE_CLOUD_PLATFORM | 1 | Google Cloud Platform. |
| MICROSOFT_AZURE | 3 | Microsoft Azure. |
| UNSPECIFIED_CLOUD_ENVIRONMENT | 0 | Default. |
Dhcp.MessageType
DHCP message type. See RFC 2131, section 3.1.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| ACK | 5 | DHCPACK. |
| DECLINE | 4 | DHCPDECLINE. |
| DISCOVER | 1 | DHCPDISCOVER. |
| INFORM | 8 | DHCPINFORM. |
| NAK | 6 | DHCPNAK. |
| OFFER | 2 | DHCPOFFER. |
| RELEASE | 7 | DHCPRELEASE. |
| REQUEST | 3 | DHCPREQUEST. |
| UNKNOWN_MESSAGE_TYPE | 0 | Default message type. |
| WIN_DELETED | 100 | Microsoft Windows DHCP "lease deleted". |
| WIN_EXPIRED | 101 | Microsoft Windows DHCP "lease expired". |
Dhcp.OpCode
BOOTP op code. See RFC 951, section 3.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| BOOTREPLY | 2 | Reply. |
| BOOTREQUEST | 1 | Request. |
| UNKNOWN_OPCODE | 0 | Default opcode. |
File.FileType
The file type, for example Microsoft Windows executable.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| FILE_TYPE_ACE | 310 | File type is ACE. |
| FILE_TYPE_ANDROID | 503 | File type is ANDROID. |
| FILE_TYPE_APPLE | 1000 | File type is APPLE. |
| FILE_TYPE_APPLE_PLIST | 1005 | File type is APPLE_PLIST. |
| FILE_TYPE_APPLEDOUBLE | 1003 | File type is APPLEDOUBLE. |
| FILE_TYPE_APPLESCRIPT | 1007 | File type is APPLESCRIPT. |
| FILE_TYPE_APPLESCRIPT_COMPILED | 1008 | File type is APPLESCRIPT_COMPILED. |
| FILE_TYPE_APPLESINGLE | 1002 | File type is APPLESINGLE. |
| FILE_TYPE_ARC | 311 | File type is ARC. |
| FILE_TYPE_ARJ | 312 | File type is ARJ. |
| FILE_TYPE_ASD | 313 | File type is ASD. |
| FILE_TYPE_ASF | 160 | File type is ASF. |
| FILE_TYPE_AVI | 157 | File type is AVI. |
| FILE_TYPE_AWK | 411 | File type is AWK. |
| FILE_TYPE_BLACKHOLE | 314 | File type is BLACKHOLE. |
| FILE_TYPE_BMP | 104 | File type is BMP. |
| FILE_TYPE_BZIP | 302 | File type is BZIP. |
| FILE_TYPE_C | 406 | File type is C. |
| FILE_TYPE_CAB | 306 | File type is CAB. |
| FILE_TYPE_CAP | 700 | File type is CAP. |
| FILE_TYPE_CHM | 265 | File type is CHM. |
| FILE_TYPE_CLJ | 422 | File type is CLJ. |
| FILE_TYPE_COFF | 30 | File type is COFF. |
| FILE_TYPE_COOKIE | 604 | File type is COOKIE. |
| FILE_TYPE_CPP | 407 | File type is CPP. |
| FILE_TYPE_CRT | 1302 | File type is CRT. |
| FILE_TYPE_CRX | 1100 | File type is CRX. |
| FILE_TYPE_CSV | 610 | File type is CSV. |
| FILE_TYPE_DEB | 38 | File type is DEB. |
| FILE_TYPE_DIB | 110 | File type is DIB. |
| FILE_TYPE_DIVX | 161 | File type is DIVX. |
| FILE_TYPE_DMG | 37 | File type is DMG. |
| FILE_TYPE_DOC | 202 | File type is DOC. |
| FILE_TYPE_DOCX | 203 | File type is DOCX. |
| FILE_TYPE_DOS_COM | 21 | File type is DOS_COM. |
| FILE_TYPE_DOS_EXE | 20 | File type is DOS_EXE. |
| FILE_TYPE_DWG | 118 | File type is DWG. |
| FILE_TYPE_DXF | 119 | File type is DXF. |
| FILE_TYPE_DYALOG | 412 | File type is DYALOG. |
| FILE_TYPE_DZIP | 304 | File type is DZIP. |
| FILE_TYPE_EBOOK | 260 | File type is EBOOK. |
| FILE_TYPE_ELF | 31 | File type is ELF. |
| FILE_TYPE_EMAIL_TYPE | 606 | File type is EMAIL_TYPE. |
| FILE_TYPE_EMF | 116 | File type is EMF. |
| FILE_TYPE_EOT | 263 | File type is EOT. |
| FILE_TYPE_EPS | 114 | File type is EPS. |
| FILE_TYPE_FLA | 603 | File type is FLA. |
| FILE_TYPE_FLAC | 154 | File type is FLAC. |
| FILE_TYPE_FLC | 151 | File type is FLC. |
| FILE_TYPE_FLI | 152 | File type is FLI. |
| FILE_TYPE_FLV | 162 | File type is FLV. |
| FILE_TYPE_FORTRAN | 413 | File type is FORTRAN. |
| FILE_TYPE_FPX | 113 | File type is FPX. |
| FILE_TYPE_GIF | 102 | File type is GIF. |
| FILE_TYPE_GIMP | 105 | File type is GIMP. |
| FILE_TYPE_GOLANG | 429 | File type is GOLANG. |
| FILE_TYPE_GUL | 254 | File type is GUL. |
| FILE_TYPE_GZIP | 301 | File type is GZIP. |
| FILE_TYPE_HTML | 600 | File type is HTML. |
| FILE_TYPE_HWP | 253 | File type is HWP. |
| FILE_TYPE_ICO | 112 | File type is ICO. |
| FILE_TYPE_IN_DESIGN | 106 | File type is Adobe InDesign. |
| FILE_TYPE_INI | 421 | File type is INI. |
| FILE_TYPE_IPHONE | 504 | File type is IPHONE. |
| FILE_TYPE_IPS | 1201 | File type is IPS. |
| FILE_TYPE_ISOIMAGE | 800 | File type is ISOIMAGE. |
| FILE_TYPE_JAR | 307 | File type is JAR. |
| FILE_TYPE_JAVA | 408 | File type is JAVA. |
| FILE_TYPE_JAVA_BYTECODE | 36 | File type is JAVA_BYTECODE. |
| FILE_TYPE_JAVASCRIPT | 414 | File type is JAVASCRIPT. |
| FILE_TYPE_JMOD | 419 | File type is JMOD. |
| FILE_TYPE_JNG | 111 | File type is JNG. |
| FILE_TYPE_JPEG | 100 | File type is JPEG. |
| FILE_TYPE_JSON | 609 | File type is JSON. |
| FILE_TYPE_KGB | 315 | File type is KGB. |
| FILE_TYPE_LATEX | 261 | File type is LATEX. |
| FILE_TYPE_LINUX | 34 | File type is LINUX. |
| FILE_TYPE_LINUX_KERNEL | 32 | File type is LINUX_KERNEL. |
| FILE_TYPE_LNK | 50 | File type is LNK. |
| FILE_TYPE_LZFSE | 319 | File type is LZFSE. |
| FILE_TYPE_M4 | 417 | File type is M4. |
| FILE_TYPE_MACH_O | 35 | File type is MACH_O. |
| FILE_TYPE_MACINTOSH | 1001 | File type is MACINTOSH. |
| FILE_TYPE_MACINTOSH_HFS | 1004 | File type is MACINTOSH_HFS. |
| FILE_TYPE_MACINTOSH_LIB | 1006 | File type is MACINTOSH_LIB. |
| FILE_TYPE_MAKEFILE | 420 | File type is MAKEFILE. |
| FILE_TYPE_MIDI | 156 | File type is MIDI. |
| FILE_TYPE_MKV | 170 | File type is MKV. |
| FILE_TYPE_MOV | 166 | File type is MOV. |
| FILE_TYPE_MP3 | 153 | File type is MP3. |
| FILE_TYPE_MP4 | 167 | File type is MP4. |
| FILE_TYPE_MPEG | 158 | File type is MPEG. |
| FILE_TYPE_MSCOMPRESS | 309 | File type is MSCOMPRESS. |
| FILE_TYPE_MSI | 3 | File type is MSI. |
| FILE_TYPE_NE_DLL | 11 | File type is NE_DLL. |
| FILE_TYPE_NE_EXE | 10 | File type is NE_EXE. |
| FILE_TYPE_NEKO | 427 | File type is NEKO. |
| FILE_TYPE_OBJETIVEC | 418 | File type is OBJETIVEC. |
| FILE_TYPE_ODF | 255 | File type is ODF. |
| FILE_TYPE_ODG | 256 | File type is ODG. |
| FILE_TYPE_ODP | 250 | File type is ODP. |
| FILE_TYPE_ODS | 251 | File type is ODS. |
| FILE_TYPE_ODT | 252 | File type is ODT. |
| FILE_TYPE_OGG | 150 | File type is OGG. |
| FILE_TYPE_ONE_NOTE | 257 | File type is ONE_NOTE. |
| FILE_TYPE_OOXML | 258 | File type is OOXML. |
| FILE_TYPE_OUTLOOK | 607 | File type is OUTLOOK. |
| FILE_TYPE_PALMOS | 501 | File type is PALMOS. |
| FILE_TYPE_PASCAL | 410 | File type is PASCAL. |
| FILE_TYPE_PDB | 425 | File type is PDB. |
| FILE_TYPE_PDF | 200 | File type is PDF. |
| FILE_TYPE_PE_DLL | 2 | File type is PE_DLL. Although DLLs are actually portable executables, this value enables the file type to be identified separately. |
| FILE_TYPE_PE_EXE | 1 | File type is PE_EXE. |
| FILE_TYPE_PEM | 1300 | File type is PEM. |
| FILE_TYPE_PERL | 404 | File type is PERL. |
| FILE_TYPE_PGP | 1301 | File type is PGP. |
| FILE_TYPE_PHP | 402 | File type is PHP. |
| FILE_TYPE_PKG | 39 | File type is PKG. |
| FILE_TYPE_PNG | 103 | File type is PNG. |
| FILE_TYPE_POWERSHELL | 415 | File type is POWERSHELL. |
| FILE_TYPE_PPSX | 209 | File type is PPSX. |
| FILE_TYPE_PPT | 204 | File type is PPT. |
| FILE_TYPE_PPTX | 205 | File type is PPTX. |
| FILE_TYPE_PS | 201 | File type is PS. |
| FILE_TYPE_PSD | 107 | File type is PSD (Adobe Photoshop). |
| FILE_TYPE_PYC | 40 | File type is PYC. |
| FILE_TYPE_PYTHON | 403 | File type is PYTHON. |
| FILE_TYPE_PYTHON_PKG | 321 | File type is PYTHON_PKG. |
| FILE_TYPE_PYTHON_WHL | 320 | File type is PYTHON_WHL. |
| FILE_TYPE_QUICKTIME | 159 | File type is QUICKTIME. |
| FILE_TYPE_RAR | 308 | File type is RAR. |
| FILE_TYPE_RM | 165 | File type is RM (RealMedia). |
| FILE_TYPE_ROM | 1200 | File type is ROM. |
| FILE_TYPE_RPM | 33 | File type is RPM. |
| FILE_TYPE_RTF | 208 | File type is RTF. |
| FILE_TYPE_RUBY | 405 | File type is RUBY. |
| FILE_TYPE_RZIP | 303 | File type is RZIP. |
| FILE_TYPE_SCRIPT | 401 | File type is SCRIPT. |
| FILE_TYPE_SEVENZIP | 305 | File type is SEVENZIP. |
| FILE_TYPE_SGML | 608 | File type is SGML. |
| FILE_TYPE_SHELLSCRIPT | 409 | File type is SHELLSCRIPT. |
| FILE_TYPE_SQL | 426 | File type is SQL. |
| FILE_TYPE_SQUASHFS | 801 | File type is SQUASHFS. |
| FILE_TYPE_SVG | 115 | File type is SVG. |
| FILE_TYPE_SWF | 602 | File type is SWF. |
| FILE_TYPE_SYMBIAN | 500 | File type is SYMBIAN. |
| FILE_TYPE_T3GP | 168 | File type is T3GP. |
| FILE_TYPE_TAR | 317 | File type is TAR. |
| FILE_TYPE_TARGA | 108 | File type is TARGA. |
| FILE_TYPE_TEXT | 400 | File type is TEXT. |
| FILE_TYPE_THREEDS | 120 | File type is 3DS. |
| FILE_TYPE_TIFF | 101 | File type is TIFF. |
| FILE_TYPE_TORRENT | 605 | File type is TORRENT. |
| FILE_TYPE_TTF | 262 | File type is TTF. |
| FILE_TYPE_UNSPECIFIED | 0 | File type is UNSPECIFIED. |
| FILE_TYPE_VBA | 416 | File type is VBA. |
| FILE_TYPE_VHD | 802 | File type is VHD. |
| FILE_TYPE_WAV | 155 | File type is WAV. |
| FILE_TYPE_WEBM | 169 | File type is WEBM. |
| FILE_TYPE_WEBP | 117 | File type is WEBP. |
| FILE_TYPE_WER | 428 | File type is WER. |
| FILE_TYPE_WINCE | 502 | File type is WINCE. |
| FILE_TYPE_WMA | 163 | File type is WMA. |
| FILE_TYPE_WMV | 164 | File type is WMV. |
| FILE_TYPE_WOFF | 264 | File type is WOFF. |
| FILE_TYPE_XLS | 206 | File type is XLS. |
| FILE_TYPE_XLSX | 207 | File type is XLSX. |
| FILE_TYPE_XML | 601 | File type is XML. |
| FILE_TYPE_XPI | 1101 | File type is XPI. |
| FILE_TYPE_XWD | 109 | File type is XWD. |
| FILE_TYPE_ZIP | 300 | File type is ZIP. |
| FILE_TYPE_ZLIB | 316 | File type is ZLIB. |
| FILE_TYPE_ZST | 318 | File type is ZST. |
An enrichment state.
| Enum Value | Enum Number | Description |
| --- | --- | --- |
| ENRICHED | 1 | The event has been enriched by Google Security Operations. |
| ENRICHMENT_STATE_UNSPECIFIED | 0 | Unspecified. |
| UNENRICHED | 2 | The event has not been enriched by Google Security Operations. |
An event type.
Choose the event type based not on the product that generated the event but
on the one that logged the event itself. For example, an antivirus (AV)
scanning email on a client would generate an SMTP_PROXY event, not an AV
event. A DLP device scanning a web upload would generate an HTTP_PROXY
event and not a DLP or process activity event. Note: In the case of an
HTTP_PROXY event, you might also include process details if this occurred
on an endpoint. That is optional, but there is a certain set of
required fields and banned fields due to its status as an HTTP_PROXY event.
Enum Value |
Enum Number |
Description |
ANALYST_ADD_COMMENT |
24008 |
Analyst addition of a comment for a finding. |
ANALYST_UPDATE_PRIORITY |
24009 |
Analyst update about the priority (such as low, medium, or high) for a
finding. |
ANALYST_UPDATE_REASON |
24011 |
Analyst update about the reason (such as malicious or not malicious) for
a finding. |
ANALYST_UPDATE_REPUTATION |
24001 |
Analyst update about the Reputation (such as useful or not useful) of a
finding. |
ANALYST_UPDATE_RISK_SCORE |
24012 |
Analyst update about the risk score (0-100) of a finding. |
ANALYST_UPDATE_ROOT_CAUSE |
24010 |
Analyst update about the root cause for a finding. |
ANALYST_UPDATE_SEVERITY_SCORE |
24002 |
Analyst update about the Severity score (0-100) of a finding. |
ANALYST_UPDATE_STATUS |
24007 |
Analyst update about the finding status. |
ANALYST_UPDATE_VERDICT |
24000 |
Analyst update about the Verdict (such as true positive, false positive,
or disregard) of a finding. |
DEVICE_CONFIG_UPDATE |
25001 |
Configuration update. |
DEVICE_FIRMWARE_UPDATE |
25000 |
Firmware update. |
DEVICE_PROGRAM_DOWNLOAD |
25003 |
A program or application downloaded to a device. |
DEVICE_PROGRAM_UPLOAD |
25002 |
A program or application uploaded to a device. |
EMAIL_TRANSACTION |
19001 |
An email transaction. |
EMAIL_UNCATEGORIZED |
19000 |
Email messages |
EMAIL_URL_CLICK |
19002 |
Deprecated: use NETWORK_HTTP instead. An email URL click event. |
EVENTTYPE_UNSPECIFIED |
0 |
Default event type |
FILE_COPY |
14005 |
File copied.
Used for file copies, for example, to a thumb drive. |
FILE_CREATION |
14001 |
File created. |
FILE_DELETION |
14002 |
File deleted. |
FILE_MODIFICATION |
14003 |
File modified. |
FILE_MOVE |
14007 |
File moved or renamed. |
FILE_OPEN |
14006 |
File opened. |
FILE_READ |
14004 |
File read. |
FILE_SYNC |
14008 |
File synced (for example, Google Drive, Dropbox, backup). |
FILE_UNCATEGORIZED |
14000 |
File event which does not match any of the other event types. |
GENERIC_EVENT |
100000 |
Operating system events that are not described by any of the other
event types. Might include uncategorized Microsoft Windows event logs. |
GROUP_CREATION |
23001 |
A group creation. |
GROUP_DELETION |
23002 |
A group deletion. |
GROUP_MODIFICATION |
23003 |
A group modification. |
GROUP_UNCATEGORIZED |
23000 |
A group activity that does not fall into one of the other event types. |
MUTEX_CREATION |
13001 |
Mutex creation. |
MUTEX_UNCATEGORIZED |
13000 |
Any mutex event other than creation. |
NETWORK_CONNECTION |
16002 |
Network connection details like from a FW. |
NETWORK_DHCP |
16004 |
DHCP payload. |
NETWORK_DNS |
16005 |
DNS payload. |
NETWORK_FLOW |
16001 |
Aggregated flow stats like netflow. |
NETWORK_FTP |
16003 |
FTP telemetry. |
NETWORK_HTTP |
16006 |
HTTP telemetry. |
NETWORK_SMTP |
16007 |
SMTP telemetry. |
NETWORK_UNCATEGORIZED |
16000 |
A network event that does not fit into one of the other event types. |
PROCESS_INJECTION |
10002 |
Process injecting into another process. |
PROCESS_LAUNCH |
10001 |
Process launch. |
PROCESS_MODULE_LOAD |
10006 |
Process loading a module. |
PROCESS_OPEN |
10005 |
Process being opened. |
PROCESS_PRIVILEGE_ESCALATION |
10003 |
Process privilege escalation. |
PROCESS_TERMINATION |
10004 |
Process termination. |
PROCESS_UNCATEGORIZED |
10000 |
Activity related to a process which does not match any other event types. |
REGISTRY_CREATION |
11001 |
Registry creation. |
REGISTRY_DELETION |
11003 |
Registry deletion. |
REGISTRY_MODIFICATION |
11002 |
Registry modification. |
REGISTRY_UNCATEGORIZED |
11000 |
Registry event which does not match any of the other event types. |
RESOURCE_CREATION |
1 |
The resource was created/provisioned.
This is equivalent to USER_RESOURCE_CREATION. |
RESOURCE_DELETION |
2 |
The resource was deleted/deprovisioned.
This is equivalent to USER_RESOURCE_DELETION. |
RESOURCE_PERMISSIONS_CHANGE |
3 |
The resource had its permissions or ACLs updated.
This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. |
RESOURCE_READ |
4 |
The resource was read.
This is equivalent to USER_RESOURCE_ACCESS. |
RESOURCE_WRITTEN |
5 |
The resource was written to.
This is equivalent to USER_RESOURCE_UPDATE_CONTENT. |
SCAN_FILE |
18001 |
A file scan. |
SCAN_HOST |
18004 |
Scan results from scanning an entire host device for threats/sensitive
documents. |
SCAN_NETWORK |
18007 |
Scan of a network for suspicious activity. |
SCAN_PROCESS |
18003 |
Scan process. |
SCAN_PROCESS_BEHAVIORS |
18002 |
Scan process behaviors.
Please use SCAN_PROCESS instead. |
SCAN_UNCATEGORIZED |
18000 |
Scan item that does not fit into one of the other event types. |
SCAN_VULN_HOST |
18005 |
Vulnerability scan logs about host vulnerabilities (e.g., out of date
software) and network vulnerabilities (e.g., unprotected service detected
via a network scan). |
SCAN_VULN_NETWORK |
18006 |
Vulnerability scan logs about network vulnerabilities. |
SCHEDULED_TASK_CREATION |
20001 |
Scheduled task creation. |
SCHEDULED_TASK_DELETION |
20002 |
Scheduled task deletion. |
SCHEDULED_TASK_DISABLE |
20004 |
Scheduled task being disabled. |
SCHEDULED_TASK_ENABLE |
20003 |
Scheduled task being enabled. |
SCHEDULED_TASK_MODIFICATION |
20005 |
Scheduled task being modified. |
SCHEDULED_TASK_UNCATEGORIZED |
20000 |
Scheduled task event that does not fall into one of the other
event types. |
SERVICE_CREATION |
22001 |
A service creation. |
SERVICE_DELETION |
22002 |
A service deletion. |
SERVICE_MODIFICATION |
22005 |
A service modification. |
SERVICE_START |
22003 |
A service start. |
SERVICE_STOP |
22004 |
A service stop. |
SERVICE_UNSPECIFIED |
22000 |
Service event that does not fit into one of the other event types. |
SETTING_CREATION |
12001 |
Setting creation. |
SETTING_DELETION |
12003 |
Setting deletion. |
SETTING_MODIFICATION |
12002 |
Setting modification. |
SETTING_UNCATEGORIZED |
12000 |
Settings-related event which does not match any of the other
event types. |
STATUS_HEARTBEAT |
17001 |
Heartbeat indicating product is alive. |
STATUS_SHUTDOWN |
17003 |
An agent shutdown. |
STATUS_STARTUP |
17002 |
An agent startup. |
STATUS_UNCATEGORIZED |
17000 |
A status message that does not fit into one of the other event types. |
STATUS_UPDATE |
17004 |
A software or fingerprint update. |
SYSTEM_AUDIT_LOG_UNCATEGORIZED |
21000 |
A system audit log event that is not a wipe. |
SYSTEM_AUDIT_LOG_WIPE |
21001 |
A system audit log wipe. |
USER_BADGE_IN |
15007 |
User physically badging into a location. |
USER_CHANGE_PASSWORD |
15004 |
User password change event. |
USER_CHANGE_PERMISSIONS |
15005 |
Change in user permissions. |
USER_COMMUNICATION |
15012 |
User initiating communication through a medium (for example, video). |
USER_CREATION |
15003 |
User creation. |
USER_DELETION |
15008 |
User deletion. |
USER_LOGIN |
15001 |
User login. |
USER_LOGOUT |
15002 |
User logout. |
USER_RESOURCE_ACCESS |
15013 |
User accessing a virtual resource.
This is equivalent to RESOURCE_READ. |
USER_RESOURCE_CREATION |
15009 |
User creating a virtual resource.
This is equivalent to RESOURCE_CREATION. |
USER_RESOURCE_DELETION |
15014 |
User deleting a virtual resource.
This is equivalent to RESOURCE_DELETION. |
USER_RESOURCE_UPDATE_CONTENT |
15010 |
User updating content of a virtual resource.
This is equivalent to RESOURCE_WRITTEN. |
USER_RESOURCE_UPDATE_PERMISSIONS |
15011 |
User updating permissions of a virtual resource.
This is equivalent to RESOURCE_PERMISSIONS_CHANGE. |
USER_STATS |
15006 |
Deprecated. Used to update user info for an LDAP dump. |
USER_UNCATEGORIZED |
15000 |
User activity which does not match any of the other event types. |
Network.ApplicationProtocol
A network application protocol.
Enum Value |
Enum Number |
Description |
AFP |
1 |
Apple Filing Protocol. |
AMQP |
3 |
Advanced Message Queuing Protocol. |
APPC |
2 |
Advanced Program-to-Program Communication. |
ATOM |
4 |
Publishing Protocol. |
BEEP |
5 |
Block Extensible Exchange Protocol. |
BIT_TORRENT |
7 |
Peer-to-peer file sharing. |
BITCOIN |
6 |
Cryptocurrency protocol. |
CFDP |
8 |
Coherent File Distribution Protocol. |
CIP |
67 |
Common Industrial Protocol. |
COAP |
9 |
Constrained Application Protocol. |
COTP |
68 |
Connection Oriented Transport Protocol. |
DCERPC |
66 |
DCE/RPC. |
DDS |
10 |
Data Distribution Service. |
DEVICE_NET |
11 |
Automation industry protocol. |
DHCP |
4000 |
DHCP. |
DICOM |
69 |
Digital Imaging and Communications in Medicine Protocol. |
DNP3 |
70 |
Distributed Network Protocol 3 (DNP3). |
DNS |
3000 |
DNS. |
E_DONKEY |
12 |
Classic file sharing protocol. |
ENRP |
13 |
Endpoint Handlespace Redundancy Protocol. |
FAST_TRACK |
14 |
Filesharing peer-to-peer protocol. |
FINGER |
15 |
User Information Protocol. |
FREENET |
16 |
Censorship resistant peer-to-peer network. |
FTAM |
17 |
File Transfer Access and Management. |
GOOSE |
71 |
GOOSE Protocol. |
GOPHER |
18 |
Gopher protocol. |
GRPC |
77 |
gRPC Remote Procedure Call. |
H323 |
20 |
Packet-based multimedia communications system. |
HL7 |
19 |
Health Level Seven. |
HTTP |
2000 |
HTTP. |
HTTPS |
2001 |
HTTPS. |
IEC104 |
72 |
IEC 60870-5-104 (IEC 104) Protocol. |
IRCP |
21 |
Internet Relay Chat Protocol. |
KADEMLIA |
22 |
Peer-to-peer hashtables. |
KRB5 |
65 |
Kerberos 5. |
LDAP |
23 |
Lightweight Directory Access Protocol. |
LPD |
24 |
Line Printer Daemon Protocol. |
MIME |
25 |
Multipurpose Internet Mail Extensions and Secure MIME. |
MMS |
73 |
Multimedia Messaging Service. |
MODBUS |
26 |
Serial communications protocol. |
MQTT |
27 |
Message Queuing Telemetry Transport. |
NETCONF |
28 |
Network Configuration. |
NFS |
29 |
Network File System. |
NIS |
30 |
Network Information Service. |
NNTP |
31 |
Network News Transfer Protocol. |
NTCIP |
32 |
National Transportation Communications for Intelligent Transportation
System. |
NTP |
33 |
Network Time Protocol. |
OSCAR |
34 |
AOL Instant Messenger Protocol. |
PNRP |
35 |
Peer Name Resolution Protocol. |
PTP |
74 |
Precision Time Protocol. |
QUIC |
1000 |
QUIC. |
RDP |
36 |
Remote Desktop Protocol. |
RELP |
37 |
Reliable Event Logging Protocol. |
RIP |
38 |
Routing Information Protocol. |
RLOGIN |
39 |
Remote Login in UNIX Systems. |
RPC |
40 |
Remote Procedure Call. |
RTMP |
41 |
Real Time Messaging Protocol. |
RTP |
42 |
Real-time Transport Protocol. |
RTPS |
43 |
Real Time Publish Subscribe. |
RTSP |
44 |
Real Time Streaming Protocol. |
SAP |
45 |
Session Announcement Protocol. |
SDP |
46 |
Session Description Protocol. |
SIP |
47 |
Session Initiation Protocol. |
SLP |
48 |
Service Location Protocol. |
SMB |
49 |
Server Message Block. |
SMTP |
50 |
Simple Mail Transfer Protocol. |
SNMP |
75 |
Simple Network Management Protocol. |
SNTP |
51 |
Simple Network Time Protocol. |
SSH |
52 |
Secure Shell. |
SSMS |
53 |
Secure SMS Messaging Protocol. |
STYX |
54 |
Styx/9P - Plan 9 from Bell Labs distributed file system protocol. |
SV |
76 |
Sampled Values Protocol. |
TCAP |
55 |
Transaction Capabilities Application Part. |
TDS |
56 |
Tabular Data Stream. |
TOR |
57 |
Anonymity network. |
TSP |
58 |
Time Stamp Protocol. |
UNKNOWN_APPLICATION_PROTOCOL |
0 |
The default application protocol. |
VTP |
59 |
Virtual Terminal Protocol. |
WEB_DAV |
61 |
Web Distributed Authoring and Versioning. |
WHOIS |
60 |
Remote Directory Access Protocol. |
X400 |
62 |
Message Handling Service Protocol. |
X500 |
63 |
Directory Access Protocol (DAP). |
XMPP |
64 |
Extensible Messaging and Presence Protocol. |
Network.Direction
A network traffic direction.
Enum Value |
Enum Number |
Description |
BROADCAST |
3 |
A broadcast. |
INBOUND |
1 |
An inbound request. |
OUTBOUND |
2 |
An outbound request. |
UNKNOWN_DIRECTION |
0 |
The default direction. |
Network.IpProtocol
An IP protocol.
Enum Value |
Enum Number |
Description |
EIGRP |
88 |
Enhanced Interior Gateway Routing Protocol. |
ESP |
50 |
Encapsulating Security Payload. |
ETHERIP |
97 |
Ethernet-within-IP Encapsulation. |
GRE |
47 |
Generic Routing Encapsulation. |
ICMP |
1 |
ICMP. |
ICMP6 |
58 |
ICMPv6. |
IGMP |
2 |
IGMP. |
IP6IN4 |
41 |
IPv6 Encapsulation. |
PIM |
103 |
Protocol Independent Multicast. |
SCTP |
132 |
Stream Control Transmission Protocol. |
TCP |
6 |
TCP. |
UDP |
17 |
UDP. |
UNKNOWN_IP_PROTOCOL |
0 |
The default protocol. |
VRRP |
112 |
Virtual Router Redundancy Protocol. |
Platform
Operating system platform.
Enum Value |
Enum Number |
Description |
ANDROID |
8 |
Android. |
AWS |
5 |
Deprecated: see cloud.environment. |
AZURE |
6 |
Deprecated: see cloud.environment. |
CHROME_OS |
9 |
Chrome OS. |
Google Cloud |
4 |
Deprecated: see cloud.environment. |
IOS |
7 |
iOS. |
LINUX |
3 |
Linux. |
MAC |
2 |
macOS. |
UNKNOWN_PLATFORM |
0 |
Default value. |
WINDOWS |
1 |
Microsoft Windows. |
Permission.PermissionType
High level categorizations of permission type.
Enum Value |
Enum Number |
Description |
ADMIN_READ |
2 |
Administrator read permission. |
ADMIN_WRITE |
1 |
Administrator write permission. |
DATA_READ |
4 |
Data resource access read permission. |
DATA_WRITE |
3 |
Data resource access write permission. |
UNKNOWN_PERMISSION_TYPE |
0 |
Default permission type. |
Priority
Priority that is assigned to a Case or Alert.
Enum Value |
Enum Number |
Description |
PRIORITY_CRITICAL |
500 |
Critical priority. |
PRIORITY_HIGH |
400 |
High priority. |
PRIORITY_INFO |
100 |
Informational priority. |
PRIORITY_LOW |
200 |
Low priority. |
PRIORITY_MEDIUM |
300 |
Medium priority. |
PRIORITY_UNSPECIFIED |
0 |
Default priority level. |
Process.TokenElevationType
The elevation type of the process's token.
See
https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type
Enum Value |
Enum Number |
Description |
TYPE_1 |
1 |
A full token with no privileges removed or groups disabled. |
TYPE_2 |
2 |
An elevated token with no privileges removed or groups disabled. Used
when running as administrator. |
TYPE_3 |
3 |
A limited token with administrative privileges removed and
administrative groups disabled. |
UNKNOWN |
0 |
An undetermined token type. |
Reason
Reason for closing an Alert or Case in the SOAR product.
Enum Value |
Enum Number |
Description |
REASON_MAINTENANCE |
3 |
Case or Alert is under maintenance. |
REASON_MALICIOUS |
2 |
Case or Alert is malicious. |
REASON_NOT_MALICIOUS |
1 |
Case or Alert not malicious. |
REASON_UNSPECIFIED |
0 |
Default reason. |
Reputation
Categorization options for the usefulness of a Finding.
Enum Value |
Enum Number |
Description |
NOT_USEFUL |
2 |
A categorization of the finding as not useful. |
REPUTATION_UNSPECIFIED |
0 |
An unspecified reputation. |
USEFUL |
1 |
A categorization of the finding as useful. |
Resource.ResourceType
Enum Value |
Enum Number |
Description |
ACCESS_POLICY |
16 |
Access policy. |
BACKEND_SERVICE |
20 |
Endpoint that receives traffic from a load balancer or proxy. |
CLOUD_ORGANIZATION |
14 |
Cloud organization. |
CLOUD_PROJECT |
13 |
Cloud project. |
CLUSTER |
17 |
Cluster. |
CONTAINER |
22 |
Container. |
CREDENTIAL |
31 |
Credential, for example access keys, SSH keys, tokens, or certificates. |
DATABASE |
11 |
Database. |
DATASET |
19 |
Dataset. |
DEVICE |
4 |
Device. |
DISK |
26 |
Disk. |
FIREWALL_RULE |
5 |
Firewall rule. |
FUNCTION |
23 |
Cloud function. |
GATEWAY |
33 |
Gateway. |
IMAGE |
28 |
Machine image. |
IP_ADDRESS |
25 |
IP address. |
LOAD_BALANCER |
32 |
Load balancer. |
MAILBOX_FOLDER |
6 |
Mailbox folder. |
MUTEX |
1 |
Mutex. |
PIPE |
3 |
Named pipe. |
POD |
21 |
Pod, which is a collection of containers. Often used in Kubernetes. |
REPOSITORY |
30 |
Repository. |
RUNTIME |
24 |
Runtime. |
SERVICE_ACCOUNT |
15 |
Service account. |
SETTING |
18 |
Settings. |
SNAPSHOT |
29 |
Snapshot. |
STORAGE_BUCKET |
9 |
Storage bucket. |
STORAGE_OBJECT |
10 |
Storage object. |
SUBNET |
34 |
Subnet. |
TABLE |
12 |
Data table. |
TASK |
2 |
Task. |
UNSPECIFIED |
0 |
Default type. |
USER |
35 |
User. |
VIRTUAL_MACHINE |
8 |
Virtual machine. |
VOLUME |
27 |
Volume. |
VPC_NETWORK |
7 |
VPC Network. |
Role.Type
Well-known system roles.
Enum Value |
Enum Number |
Description |
ADMINISTRATOR |
1 |
Product administrator with elevated privileges. |
SERVICE_ACCOUNT |
2 |
System service account for automated privilege access. |
TYPE_UNSPECIFIED |
0 |
Default user role. |
SecurityResult.Action
Enum representing different possible actions taken by the product that
created the event.
Enum Value |
Enum Number |
Description |
ALLOW |
1 |
Allowed. |
ALLOW_WITH_MODIFICATION |
3 |
Stripped or modified and still forwarded (for example, a file or email
that was disinfected or rewritten). |
BLOCK |
2 |
Blocked. |
CHALLENGE |
6 |
Challenged (e.g. the user was challenged by a Captcha, 2FA). |
FAIL |
5 |
Failed (e.g. the event was allowed but failed). |
QUARANTINE |
4 |
Put somewhere for later analysis (does NOT imply block). |
UNKNOWN_ACTION |
0 |
The default action. |
SecurityResult.AlertState
The type of alerting set up for a security result.
Enum Value |
Enum Number |
Description |
ALERTING |
2 |
The security result is an alert. |
NOT_ALERTING |
1 |
The security result is not an alert. |
UNSPECIFIED |
0 |
The security result type is not known. |
SecurityResult.Association.AssociationType
Represents different possible Association types. Can be threat or
malware. Used to represent Mandiant threat intelligence.
Enum Value |
Enum Number |
Description |
ASSOCIATION_TYPE_UNSPECIFIED |
0 |
The default Association Type. |
MALWARE |
2 |
Association type Malware. |
THREAT_ACTOR |
1 |
Association type Threat actor. |
SecurityResult.IoCStatsType
Type of IoCStat based on source.
Enum Value |
Enum Number |
Description |
MANDIANT_SOURCES |
1 |
IoCStat is from a Mandiant Source. |
THIRD_PARTY_SOURCES |
2 |
IoCStat is from a third-party source. |
THREAT_INTELLIGENCE_IOC_STATS |
3 |
IoCStat is from a threat intelligence feed. |
UNSPECIFIED_IOC_STATS_TYPE |
0 |
IoCStat source is unidentified. |
SecurityResult.ProductConfidence
A level of confidence in the result.
Enum Value |
Enum Number |
Description |
HIGH_CONFIDENCE |
400 |
High confidence. |
LOW_CONFIDENCE |
200 |
Low confidence. |
MEDIUM_CONFIDENCE |
300 |
Medium confidence. |
UNKNOWN_CONFIDENCE |
0 |
The default confidence level. |
SecurityResult.ProductPriority
A product priority level.
Enum Value |
Enum Number |
Description |
HIGH_PRIORITY |
400 |
High priority. |
LOW_PRIORITY |
200 |
Low priority. |
MEDIUM_PRIORITY |
300 |
Medium priority. |
UNKNOWN_PRIORITY |
0 |
Default priority level. |
SecurityResult.ProductSeverity
Severity level as defined by the product.
Enum Value |
Enum Number |
Description |
CRITICAL |
500 |
Critical-severity malicious result. |
ERROR |
150 |
An error. |
HIGH |
400 |
High-severity malicious result. |
INFORMATIONAL |
100 |
Info severity. |
LOW |
200 |
Low-severity malicious result. |
MEDIUM |
300 |
Medium-severity malicious result. |
NONE |
101 |
No malicious result. |
UNKNOWN_SEVERITY |
0 |
The default severity level. |
SecurityResult.SecurityCategory
SecurityCategory is used to standardize security categories across products
so one event is not categorized as "malware" and another as a "virus".
Enum Value |
Enum Number |
Description |
ACL_VIOLATION |
30000 |
Unauthorized access attempted, including attempted access to files,
web services, processes, web objects, etc. |
AUTH_VIOLATION |
40000 |
Authentication failed (e.g. bad password or bad 2-factor authentication). |
DATA_AT_REST |
60100 |
DLP: Sensitive data found at rest in a scan. |
DATA_DESTRUCTION |
60200 |
Attempt to destroy/delete data. |
DATA_EXFILTRATION |
60000 |
DLP: Sensitive data transmission, copy to thumb drive. |
EXPLOIT |
50000 |
Exploit: For all manner of exploits including attempted overflows, bad
protocol encodings, ROP, SQL injection, etc. For both network and host-based
exploits. |
MAIL_PHISHING |
70100 |
Phishing email, chat messages, etc. |
MAIL_SPAM |
70000 |
Spam email, message, etc. |
MAIL_SPOOFING |
70200 |
Spoofed source email address, etc. |
NETWORK_CATEGORIZED_CONTENT |
20200 |
Non-security related: URL has category like gambling or porn. |
NETWORK_COMMAND_AND_CONTROL |
20500 |
Known command-and-control (C&C) channel. |
NETWORK_DENIAL_OF_SERVICE |
20300 |
DoS, DDoS. |
NETWORK_MALICIOUS |
20000 |
Includes C&C or network exploit. |
NETWORK_RECON |
20400 |
Port scan detected by an IDS, probing of web app. |
NETWORK_SUSPICIOUS |
20100 |
Suspicious activity, such as potential reverse tunnel. |
PHISHING |
90002 |
Phishing pages, pop-ups, HTTPS phishing, etc. |
POLICY_VIOLATION |
80000 |
Security-related policy violation (e.g. firewall/proxy/HIPS rule
violated, NAC block action). |
SOCIAL_ENGINEERING |
90001 |
Threats that manipulate people into breaking normal security procedures. |
SOFTWARE_MALICIOUS |
10000 |
Malware, spyware, rootkit. |
SOFTWARE_PUA |
10200 |
Potentially Unwanted App (such as adware). |
SOFTWARE_SUSPICIOUS |
10100 |
Below the conviction threshold; probably bad. |
TOR_EXIT_NODE |
60300 |
Tor exit nodes. |
UNKNOWN_CATEGORY |
0 |
The default category. |
SecurityResult.ThreatStatus
Vendor-specific information about the status of a threat in the wild (ITW).
Enum Value |
Enum Number |
Description |
ACTIVE |
1 |
Active threat. |
CLEARED |
2 |
Cleared threat. |
FALSE_POSITIVE |
3 |
False positive. |
THREAT_STATUS_UNSPECIFIED |
0 |
Default threat status. |
SecurityResult.VerdictResponse
Represents different verdict types. Used to represent Mandiant
threat intelligence.
Enum Value |
Enum Number |
Description |
BENIGN |
2 |
The verdict response classified the threat as benign. |
MALICIOUS |
1 |
The verdict response classified the threat as malicious. |
VERDICT_RESPONSE_UNSPECIFIED |
0 |
The default verdict response type. |
SecurityResult.VerdictType
Category of the verdict.
Enum Value |
Enum Number |
Description |
ANALYST_VERDICT |
2 |
Verdict provided by the human analyst. These fields are used to model
Mandiant sources. |
PROVIDER_ML_VERDICT |
1 |
MLVerdict result provided from threat providers, like Mandiant. These
fields are used to model Mandiant sources. |
VERDICT_TYPE_UNSPECIFIED |
0 |
Verdict category not specified. |
Status
Describes status of a Finding.
Enum Value |
Enum Number |
Description |
CLOSED |
3 |
When an analyst closes a finding. |
NEW |
1 |
New finding. |
OPEN |
4 |
Open. Used to indicate that a Case / Alert is open. |
REVIEWED |
2 |
When a finding has feedback. |
STATUS_UNSPECIFIED |
0 |
Unspecified finding status. |
ThreatVerdict
GCTI threat verdict levels.
Enum Value |
Enum Number |
Description |
MALICIOUS |
3 |
Malicious threat verdict level. |
SUSPICIOUS |
2 |
Suspicious threat verdict level. |
THREAT_VERDICT_UNSPECIFIED |
0 |
Unspecified threat verdict level. |
UNDETECTED |
1 |
Undetected threat verdict level. |
User.AccountType
User Account Type.
Enum Value |
Enum Number |
Description |
ACCOUNT_TYPE_UNSPECIFIED |
0 |
Default user account type. |
CLOUD_ACCOUNT_TYPE |
3 |
A SaaS service account type (such as Slack or GitHub). |
DEFAULT_ACCOUNT_TYPE |
5 |
A built-in default system account. |
DOMAIN_ACCOUNT_TYPE |
1 |
A human account that is part of a domain in directory services. |
LOCAL_ACCOUNT_TYPE |
2 |
A local machine account. |
SERVICE_ACCOUNT_TYPE |
4 |
A non-human account for data access. |
User.Role
User system roles.
Enum Value |
Enum Number |
Description |
ADMINISTRATOR |
1 |
Product administrator with elevated privileges. |
SERVICE_ACCOUNT |
2 |
System service account for automated privilege access.
Deprecated: not a role, instead set User.account_type. |
UNKNOWN_ROLE |
0 |
Default user role. |
Verdict
Categorization options for the validity of a Finding (i.e. whether it
reflects an actual security incident).
Enum Value |
Enum Number |
Description |
FALSE_POSITIVE |
2 |
A categorization of the finding as a "false positive". |
TRUE_POSITIVE |
1 |
A categorization of the finding as a "true positive". |
VERDICT_UNSPECIFIED |
0 |
An unspecified verdict. |
Vulnerability.Severity
Severity of the vulnerability.
Enum Value |
Enum Number |
Description |
CRITICAL |
4 |
Critical severity. |
HIGH |
3 |
High severity. |
LOW |
1 |
Low severity. |
MEDIUM |
2 |
Medium severity. |
UNKNOWN_SEVERITY |
0 |
The default severity level. |
Standard datatypes
Standard datatypes and the equivalent types in other languages.
Datatype |
Notes |
C++ |
Java |
Python |
Go |
C# |
PHP |
Ruby |
bool |
|
bool |
boolean |
boolean |
bool |
bool |
boolean |
TrueClass/FalseClass |
bytes |
May contain any arbitrary sequence of bytes. |
string |
ByteString |
str |
[]byte |
ByteString |
string |
String (ASCII-8BIT) |
double |
|
double |
double |
float |
float64 |
double |
float |
Float |
fixed32 |
Always four bytes. More efficient than uint32 if values are often greater than 2^28. |
uint32 |
int |
int |
uint32 |
uint |
integer |
Bignum or Fixnum (as required) |
fixed64 |
Always eight bytes. More efficient than uint64 if values are often greater than 2^56. |
uint64 |
long |
int/long |
uint64 |
ulong |
integer/string |
Bignum |
float |
|
float |
float |
float |
float32 |
float |
float |
Float |
int32 |
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
int64 |
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
sfixed32 |
Always four bytes. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
sfixed64 |
Always eight bytes. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
sint32 |
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
sint64 |
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
string |
A string must always contain UTF-8 encoded or 7-bit ASCII text. |
string |
String |
str/unicode |
string |
string |
string |
String (UTF-8) |
uint32 |
Uses variable-length encoding. |
uint32 |
int |
int/long |
uint32 |
uint |
integer |
Bignum or Fixnum (as required) |
uint64 |
Uses variable-length encoding. |
uint64 |
long |
int/long |
uint64 |
ulong |
integer/string |
Bignum or Fixnum (as required) |