
Unified Data Model field list

This document provides a list of fields available in the Unified Data Model schema. When specifying a field, use the following format: <prefix>.<field_name1>.<field_name2>.<...>.<field_nameN>=<value>

When writing rules for Detect Engine, use the <prefix> pattern "$u" for Event fields and "$e" for Entity fields. For example:

  • $u.metadata.event_type
  • $u.network.dhcp.opcode
  • $u.principal.user.location.city
  • $e.graph.entity.hostname
  • $e.graph.metadata.product_name

When writing configuration-based normalizer (CBN) parsers, use the <prefix> pattern "event.idm.read_only_udm" for UDM Event fields and "event.idm.graph" for UDM Entity fields. For example:

  • event.idm.read_only_udm.metadata.event_type
  • event.idm.read_only_udm.network.dhcp.opcode
  • event.idm.read_only_udm.principal.user.location.city
  • event.idm.graph.entity.user.user_display_name
  • event.idm.graph.entity.asset.hostname

Please Note: Field name and field type values can look similar. This document uses style conventions to help you identify the differences:

  • Field type values use CamelCase characters. For example, Platform and EventType.
  • Field name values use lowercase characters. For example, platform and event_type.
  • Standard datatype values use lowercase characters.

UDM Entity data model

Entity

An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@foo.corp' is a recently-terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.

| Field Name | Type | Label | Description |
|---|---|---|---|
| metadata | EntityMetadata | | Entity metadata such as timestamp, product, etc. |
| entity | Noun | | Noun in the UDM event that this entity represents. |
| relations | Relation | repeated | One or more relationships between the entity (a) and other entities, including the relationship type and related entity. |
| additional | google.protobuf.Struct | | Important entity data that cannot be adequately represented within the formal sections of the Entity. |

EntityMetadata

Information about the Entity and the product where the entity was created.

| Field Name | Type | Label | Description |
|---|---|---|---|
| product_entity_id | string | | A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). |
| collected_timestamp | Timestamp | | GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. |
| creation_timestamp | Timestamp | | GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. |
| interval | google.type.Interval | | Valid existence time range for the version of the entity represented by this entity data. |
| vendor_name | string | | Vendor name of the product that produced the entity information. |
| product_name | string | | Product name that produced the entity information. |
| product_version | string | | Version of the product that produced the entity information. |
| entity_type | EntityMetadata.EntityType | (Enumerated list) | Entity type. If an entity has multiple possible types, this specifies the most specific type. |
| description | string | | Human-readable description of the entity. |
| threat | SecurityResult | repeated | Metadata provided by a threat intelligence feed that identified the entity as malicious. |
| source_type | EntityMetadata.SourceType | (Enumerated list) | The source of the entity. |

Relation

Defines the relationship between the entity (a) and another entity (b).

| Field Name | Type | Label | Description |
|---|---|---|---|
| entity | Noun | | Entity (b) that the primary entity (a) is related to. |
| entity_type | EntityMetadata.EntityType | (Enumerated list) | Type of the related entity (b) in this relationship. |
| relationship | Relation.Relationship | (Enumerated list) | Type of relationship. |
| direction | Relation.Directionality | (Enumerated list) | Directionality of relationship between primary entity (a) and the related entity (b). |
| uid | bytes | | UID of the relationship. |

Entity enumerated types

EntityMetadata.EntityType

Describes the type of entity.

| Enum Value | Enum Number | Description |
|---|---|---|
| UNKNOWN_ENTITYTYPE | 0 | An unknown event type. |
| ASSET | 1 | An asset, such as workstation, laptop, phone, virtual machine, etc. |
| USER | 10000 | User. |
| GROUP | 10001 | Group. |
| RESOURCE | 2 | Resource. |
| IP_ADDRESS | 3 | An external IP address. |
| FILE | 4 | A file. |
| DOMAIN_NAME | 5 | A domain. |
| URL | 6 | A url. |
| MUTEX | 7 | A mutex. |

EntityMetadata.SourceType

Describes the source of an entity.

| Enum Value | Enum Number | Description |
|---|---|---|
| SOURCE_TYPE_UNSPECIFIED | 0 | Default source type. |
| ENTITY_CONTEXT | 1 | Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT). |
| DERIVED_CONTEXT | 2 | Entities derived from customer data such as prevalence, artifact first/last seen, asset/user first seen stats, etc. |
| GLOBAL_CONTEXT | 3 | Global contextual entities such as WHOIS, Safe Browsing, etc. |

Relation.Directionality

Describes the relationship model as directed or undirected.

| Enum Value | Enum Number | Description |
|---|---|---|
| DIRECTIONALITY_UNSPECIFIED | 0 | Default value. |
| BIDIRECTIONAL | 1 | Modeled in both directions. Primary entity (a) to Related entity (b) and Related entity (b) to Primary entity (a). |
| UNIDIRECTIONAL | 2 | Modeled in a single direction. Primary entity (a) to Related entity (b). |

Relation.Relationship

Type of relationship between the primary entity (a) and related entity (b).

| Enum Value | Enum Number | Description |
|---|---|---|
| RELATIONSHIP_UNSPECIFIED | 0 | Default value. |
| OWNS | 1 | Related entity is owned by the primary entity (e.g. user owns device asset). |
| ADMINISTERS | 2 | Related entity is administered by the primary entity (e.g. user administers a group). |
| MEMBER | 3 | Primary entity is a member of the related entity (e.g. user is a member of a group). |
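The Relation directionality and relationship semantics above become useful once Entity records are folded into a graph that can be walked: that is how the "recently-terminated employee who administers a finance server" context described at the top of this page gets attached to an event. The Python below is an added example, not code from the UDM documentation or from Chronicle. The entity records are constructed sample data shaped like the Entity and Relation messages on this page (entity, relations[].entity, relationship, direction); entity_key, build_graph, reachable and administrators_of are this example's own helper names.

```python
from collections import defaultdict, deque

# Constructed sample Entity records, shaped like the Entity / Relation
# messages documented on this page. Only fields shown on the page are used.
ENTITIES = [
    {   # alice owns a laptop and is a member of the Finance group
        "entity": {"user": {"user_display_name": "alice"}},
        "relations": [
            {"entity": {"asset": {"hostname": "alice-laptop"}},
             "entity_type": "ASSET", "relationship": "OWNS",
             "direction": "UNIDIRECTIONAL"},
            {"entity": {"group": {"group_display_name": "Finance"}},
             "entity_type": "GROUP", "relationship": "MEMBER",
             "direction": "UNIDIRECTIONAL"},
        ],
    },
    {   # Finance is itself nested inside All-Staff
        "entity": {"group": {"group_display_name": "Finance"}},
        "relations": [
            {"entity": {"group": {"group_display_name": "All-Staff"}},
             "entity_type": "GROUP", "relationship": "MEMBER",
             "direction": "UNIDIRECTIONAL"},
        ],
    },
    {   # bob administers the Finance group
        "entity": {"user": {"user_display_name": "bob"}},
        "relations": [
            {"entity": {"group": {"group_display_name": "Finance"}},
             "entity_type": "GROUP", "relationship": "ADMINISTERS",
             "direction": "UNIDIRECTIONAL"},
        ],
    },
]


def entity_key(noun):
    """Identity of a Noun as a (type, id) tuple, using page-documented fields."""
    if "user" in noun:
        return ("USER", noun["user"]["user_display_name"])
    if "group" in noun:
        return ("GROUP", noun["group"]["group_display_name"])
    if "asset" in noun:
        return ("ASSET", noun["asset"]["hostname"])
    raise ValueError("unsupported noun: %r" % (noun,))


def build_graph(entities):
    """Adjacency map: key -> list of (relationship, related_key).

    A UNIDIRECTIONAL relation is stored from primary (a) to related (b) only;
    a BIDIRECTIONAL relation is also stored from (b) back to (a)."""
    graph = defaultdict(list)
    for record in entities:
        a = entity_key(record["entity"])
        graph.setdefault(a, [])
        for rel in record.get("relations", []):
            b = entity_key(rel["entity"])
            kind = rel["relationship"]
            graph[a].append((kind, b))
            if rel.get("direction") == "BIDIRECTIONAL":
                graph[b].append((kind, a))
    return graph


def reachable(graph, start, relationship):
    """Entities reachable from start by following one relationship type
    transitively, e.g. every group a user belongs to through nesting."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for kind, nxt in graph.get(node, []):
            if kind == relationship and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def administrators_of(graph, target_keys):
    """Reverse lookup: entities holding an ADMINISTERS edge to any target."""
    admins = set()
    for node, edges in graph.items():
        for kind, b in edges:
            if kind == "ADMINISTERS" and b in target_keys:
                admins.add(node)
    return admins


if __name__ == "__main__":
    g = build_graph(ENTITIES)
    alice = ("USER", "alice")
    print("groups:", reachable(g, alice, "MEMBER"))
    print("admins of those groups:", administrators_of(g, reachable(g, alice, "MEMBER")))
```

Because MEMBER is declared from the primary entity toward the group, walking MEMBER edges from a user yields the groups it belongs to, including nested ones; answering the reverse question (who administers those groups) needs a scan over the stored edges, since UNIDIRECTIONAL relations carry no reverse edge.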

UDM Event data model

A Unified Data Model event.

| Field Name | Type | Label | Description |
|---|---|---|---|
| metadata | Metadata | | Event metadata such as timestamp, source product, etc. |
| additional | google.protobuf.Struct | | Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. |
| principal | Noun | | Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. |
| src | Noun | | Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. |
| target | Noun | | Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. |
| intermediary | Noun | repeated | Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server, SMTP relay server, etc. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). |
| observer | Noun | | Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. |
| about | Noun | repeated | Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. |
| security_result | SecurityResult | repeated | A list of security results. |
| network | Network | | All network details go here, including sub-messages with details on each protocol (e.g., DHCP, DNS, HTTP, etc). |
| extensions | Extensions | | All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. |

Event top level types

Extensions

Extensions to a UDM event.

| Field Name | Type | Label | Description |
|---|---|---|---|
| auth | Authentication | | An authentication extension. |
| vulns | Vulnerabilities | | A vulnerability extension. |

Metadata

General information associated with a UDM event.

| Field Name | Type | Label | Description |
|---|---|---|---|
| id | bytes | | ID of the UDM event. Can be used for raw and normalized event retrieval. |
| product_log_id | string | | A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). |
| event_timestamp | Timestamp | | The GMT timestamp when the event was generated. |
| collected_timestamp | Timestamp | | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. |
| ingested_timestamp | Timestamp | | The GMT timestamp when the event was ingested (received) by Chronicle. |
| event_type | Metadata.EventType | | If an event has multiple possible types, this specifies the most specific type. |
| vendor_name | string | | The name of the product vendor. |
| product_name | string | | The name of the product. |
| product_version | string | | The version of the product. |
| product_event_type | string | | A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). |
| product_deployment_id | string | | The deployment identifier assigned by the vendor for a product deployment. |
| description | string | | A human-readable unparsable description of the event. |
| url_back_to_product | string | | A URL that takes the user to the source product console for this event. |
| ingestion_labels | Label | repeated | User-configured ingestion metadata labels. |
| tags | Tags | | Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. |

Network

A network event.

| Field Name | Type | Label | Description |
|---|---|---|---|
| sent_bytes | uint64 | | The number of bytes sent. |
| received_bytes | uint64 | | The number of bytes received. |
| session_duration | Int64 | | The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 32-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 64-bit integer. |
| session_id | string | | The ID of the network session. |
| parent_session_id | string | | The ID of the parent network session. |
| community_id | string | | Community ID network flow hash. |
| direction | Network.Direction | | The direction of network traffic. |
| ip_protocol | Network.IpProtocol | | The IP protocol. |
| application_protocol | Network.ApplicationProtocol | | The application protocol. |
| ftp | Ftp | | FTP info. |
| email | Email | | Email info for the sender/recipient. |
| dns | Dns | | DNS info. |
| dhcp | Dhcp | | DHCP info. |
| http | Http | | HTTP info. |
| tls | Tls | | TLS info. |
| smtp | Smtp | | SMTP info. Store fields specific to SMTP not covered by Email. |
| asn | string | | Autonomous system number. |
| dns_domain | string | | DNS domain name. |
| carrier_name | string | | Carrier identification. |
| organization_name | string | | Organization name (e.g. Google). |

Noun

The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

| Field Name | Type | Label | Description |
|---|---|---|---|
| hostname | string | | Client hostname or domain name field. Hostname also doubles as the domain for remote entities. |
| domain | Domain | | Information about the domain. |
| artifact | Artifact | | Information about an artifact. |
| asset_id | string | | The asset ID. |
| user | User | | Information about the user. |
| user_management_chain | User | repeated | Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. |
| group | Group | | Information about the group. |
| process | Process | | Information about the process. |
| process_ancestors | Process | repeated | Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. |
| asset | Asset | | Information about the asset. |
| ip | string | repeated | A list of IP addresses associated with a network connection. |
| nat_ip | string | repeated | A list of NAT translated IP addresses associated with a network connection. |
| port | int32 | | Source or destination network port number when a specific network connection is described within an event. |
| nat_port | int32 | | NAT external network port number when a specific network connection is described within an event. |
| mac | string | repeated | List of MAC addresses associated with a device. |
| administrative_domain | string | | Domain which the device belongs to (for example, the Windows domain). |
| namespace | string | | Namespace which the device belongs to (e.g. AD forest). Uses for this field include Windows AD forest, name of subsidiary or acquisition, etc. |
| url | string | | The URL. |
| file | File | | Information about the file. |
| email | string | | Email address. Only filled in for security_result.about. |
| registry | Registry | | Registry information. |
| application | string | | The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". |
| platform | Noun.Platform | | Platform. |
| platform_version | string | | Platform version, e.g. "Microsoft Windows 1803". |
| platform_patch_level | string | | Platform patch level, e.g. "Build 17134.48". |
| cloud | Cloud | | Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). |
| location | Location | | Physical location. For cloud environments, set the region in location.name. |
| ip_location | Location | repeated | Enriched location information corresponding to IP address. Note: This field can include both ingested location data and a location field retrieved from artifact aliasing. |
| resource | Resource | | Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, processes, etc. since these objects are already part of Noun. |
| resource_ancestors | Resource | repeated | Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). |
| labels | Label | repeated | Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). |
| object_reference | Id | | The finding for which the analyst updated the feedback. |
| investigation | Investigation | | Analyst feedback/investigation for alerts. |

SecurityResult

Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (process, user, IP, domain, URL, email address, etc.) in its about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

| Field Name | Type | Label | Description |
|---|---|---|---|
| about | Noun | | If the security result is about a specific entity (noun), add it here. |
| category | SecurityResult.SecurityCategory | repeated | The security category. |
| category_details | string | repeated | For vendor-specific categories. For web categorization, put type in here such as "gambling", "porn", etc. |
| threat_name | string | | A vendor-assigned classification common across multiple customers (e.g. "W32/File-A", "Slammer"). |
| rule_set | string | | The result's rule set identifier (e.g. "windows-threats"). |
| rule_set_display_name | string | | The result's rule set display name (e.g. "Windows Threats"). |
| rule_id | string | | A vendor-specific ID and name for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). |
| rule_name | string | | Name of the security rule (e.g. "BlockInboundToOracle"). |
| rule_version | string | | Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed. |
| rule_type | string | | The type of security rule. |
| rule_author | string | | Author of the security rule. |
| rule_labels | Label | repeated | A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). |
| alert_state | SecurityResult.AlertState | | The alerting types of this security result. |
| detection_fields | Label | repeated | An ordered list of values that represent fields in detections for a security finding. This list represents a mapping of names of requested entities to their values (i.e. the security result matched variables). |
| outcomes | Label | repeated | A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes to their values. |
| summary | string | | A human readable summary (e.g. "failed login occurred"). |
| description | string | | A human readable description (e.g. "user password was wrong"). |
| action | SecurityResult.Action | repeated | Actions taken for this event. |
| action_details | string | | The detail of the action taken as provided by the vendor. |
| severity | SecurityResult.ProductSeverity | | The severity of the result. |
| confidence | SecurityResult.ProductConfidence | | The confidence level of the result as estimated by the product. |
| priority | SecurityResult.ProductPriority | | The priority of the result. |
| severity_details | string | | Vendor-specific severity. |
| confidence_details | string | | Additional detail with regards to the confidence of a security event as estimated by the product vendor. |
| priority_details | string | | Vendor-specific information about the security result priority. |
| url_back_to_product | string | | URL that takes the user to the source product console for this event. |
| threat_id | string | | Vendor-specific ID for a threat. |
| threat_feed_name | string | | Vendor feed name for a threat indicator feed. |
| threat_id_namespace | Id.Namespace | | The attribute threat_id_namespace qualifies threat_id with an id namespace to get a unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. |
| threat_status | SecurityResult.ThreatStatus | | Current status of the threat. |
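Two of the rules on this page are easy to get wrong in a parser and cheap to check mechanically: the principal row of the UDM Event table (at least one machine or user detail, and never email, file or registry) and the SecurityResult rule just above (an object-scoped result names the implicated object in about, an event-wide result leaves about empty). The following Python is an added example, not code from the UDM documentation or from Chronicle. It also builds the firewall case from the intermediary row, a connection from A to B that is allowed and the same connection blocked by firewall C, to show that principal and target stay identical. The function names, the sample events and the product name example-fw are this example's own; event_type NETWORK_CONNECTION and the actions ALLOW and BLOCK are UDM enum values that are not listed on this page and are assumed here.

```python
# Principal fields that count as a machine or user detail (principal row).
PRINCIPAL_IDENTITY_FIELDS = ("hostname", "mac", "ip", "port", "asset_id", "user")
# Fields the principal must NOT carry (principal row).
PRINCIPAL_FORBIDDEN_FIELDS = ("email", "file", "registry")
# Object fields an object-scoped security result may name in `about`
# (SecurityResult introduction: process, user, IP, domain, URL, email, file).
ABOUT_OBJECT_FIELDS = ("process", "user", "ip", "domain", "url", "email", "file")


def validate_principal(principal):
    """Return the list of violated principal rules ([] when valid)."""
    problems = []
    if not any(principal.get(f) for f in PRINCIPAL_IDENTITY_FIELDS):
        problems.append("principal needs a machine or user detail")
    for f in PRINCIPAL_FORBIDDEN_FIELDS:
        if f in principal:
            problems.append("principal must not contain %s" % f)
    return problems


def validate_security_results(results):
    """A result without `about` is event-wide. A result with `about` must
    identify a concrete object; an empty `about` is neither."""
    problems = []
    for i, result in enumerate(results):
        if "about" in result and not any(
                result["about"].get(f) for f in ABOUT_OBJECT_FIELDS):
            problems.append("security_result[%d].about names no object" % i)
    return problems


def validate_event(event):
    """Combine the checks for one UDM event dict."""
    problems = validate_principal(event.get("principal", {}))
    problems += validate_security_results(event.get("security_result", []))
    return problems


def same_flow(event_a, event_b):
    """True when two events describe the same principal -> target action,
    whatever intermediaries or verdicts they carry."""
    return (event_a.get("principal") == event_b.get("principal")
            and event_a.get("target") == event_b.get("target"))


def make_connection_event(blocked_by=None):
    """Constructed connection from host A to host B. When a firewall C blocks
    it, C is recorded in intermediary and the verdict in security_result;
    principal and target are left exactly as in the allowed case."""
    event = {
        "metadata": {"event_type": "NETWORK_CONNECTION",  # assumed enum value
                     "product_name": "example-fw"},       # constructed
        "principal": {"hostname": "host-a", "ip": ["10.0.0.5"], "port": 51234},
        "target": {"hostname": "host-b", "ip": ["10.0.1.9"], "port": 443},
        "security_result": [],
    }
    if blocked_by is None:
        event["security_result"].append({"action": ["ALLOW"]})
    else:
        event["intermediary"] = [{"hostname": blocked_by}]
        event["security_result"].append(
            {"action": ["BLOCK"],
             "summary": "connection blocked by %s" % blocked_by})
    return event


if __name__ == "__main__":
    allowed, blocked = make_connection_event(), make_connection_event("fw-c")
    print("allowed valid:", validate_event(allowed) == [])
    print("blocked valid:", validate_event(blocked) == [])
    print("same principal/target:", same_flow(allowed, blocked))
```

The validator deliberately treats a present-but-empty about as an error rather than as "event-wide": a parser that copies an empty Noun into about has usually lost the object it meant to report, and the result would otherwise be silently reinterpreted as applying to the whole event.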

Event subtypes

Artifact

Information about an artifact. The artifact can only be an IP.

| Field Name | Type | Label | Description |
|---|---|---|---|
| ip | string | | IP address of the artifact. |
| prevalence | Prevalence | | The prevalence of the artifact within the customer's environment. |
| first_seen_time | Timestamp | | First seen timestamp of the IP in the customer's environment. |
| last_seen_time | Timestamp | | Last seen timestamp of the IP in the customer's environment. |

Asset

Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.

| Field Name | Type | Label | Description |
|---|---|---|---|
| product_object_id | string | | A vendor-specific identifier to uniquely identify the entity (a GUID or similar). |
| hostname | string | | Asset hostname or domain name field. |
| asset_id | string | | The asset ID. |
| ip | string | repeated | A list of IP addresses associated with an asset. |
| mac | string | repeated | List of MAC addresses associated with an asset. |
| nat_ip | string | repeated | List of NAT IP addresses associated with an asset. |
| first_seen_time | Timestamp | | The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. |
| hardware | Hardware | repeated | The asset hardware specifications. |
| platform_software | PlatformSoftware | | The asset operating system platform software. |
| software | Software | repeated | The asset software details. |
| location | Location | | Location of the asset. |
| category | string | | The category of the asset (e.g. "End User Asset", "Workstation", "Server"). |
| type | Asset.AssetType | | The type of the asset (e.g. workstation or laptop or server). |
| network_domain | string | | The network domain of the asset (e.g. "corp.acme.com"). |
| creation_time | Timestamp | | Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata. |
| first_discover_time | Timestamp | | Time the asset was first discovered (by asset management/discoverability software). |
| last_discover_time | Timestamp | | Time the asset was last discovered (by asset management/discoverability software). |
| system_last_update_time | Timestamp | | Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM, etc.) use Attribute.last_update_time. |
| last_boot_time | Timestamp | | Time the asset was last booted. |
| labels | Label | repeated | Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. |
| deployment_status | Asset.DeploymentStatus | | The deployment status of the asset for device lifecycle purposes. |
| vulnerabilities | Vulnerability | repeated | Vulnerabilities discovered on the asset. |
| attribute | Attribute | | Generic entity metadata attributes of the asset. |

Attribute

Attribute is a container for generic entity attributes, including attributes common across core entities (user, asset, etc). For example, Cloud is a generic entity attribute since it can apply to an asset (e.g. a VM) or a user (e.g. an identity service account). If an entity attribute is specific to a particular type of top-level core entity it should go in the respective proto (user, asset, group, etc); if it is generic across entity types it should be included as a generic attribute.

| Field Name | Type | Label | Description |
|---|---|---|---|
| cloud | Cloud | | Cloud metadata attributes such as project or account id, organizational hierarchy, etc. |
| labels | Label | repeated | Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings. |
| permissions | Permission | repeated | System permissions for IAM entity (human principal, service account, group). |
| roles | Role | repeated | System IAM roles to be assumed by resources to use the role's permissions for access control. |
| creation_time | Timestamp | | Time the resource or entity was created or provisioned. |
| last_update_time | Timestamp | | Time the resource or entity was last updated. |

Authentication

The Authentication extension captures details specific to authentication events. General guidelines for authentication events:

  • Details on the source of the auth event (e.g. client IP, hostname) should be captured in principal. The principal may be empty if we have no details on the source of the login.

  • Details on the target of the auth event (e.g. details on the machine that is being logged into or logged out of) should be captured in target.

  • Some auth events may involve a third party. For example, a user logs into a cloud service (e.g. Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution.

| Field Name | Type | Label | Description |
|---|---|---|---|
| type | Authentication.AuthType | | The type of authentication. |
| mechanism | Authentication.Mechanism | repeated | The authentication mechanism. |
| auth_details | string | | The vendor defined details of the authentication. |

Certificate

Certificate information.

| Field Name | Type | Label | Description |
|---|---|---|---|
| version | string | | Certificate version. |
| serial | string | | Certificate serial number. |
| subject | string | | Subject of the certificate. |
| issuer | string | | Issuer of the certificate. |
| md5 | string | | The MD5 hash of the certificate. |
| sha1 | string | | The SHA1 hash of the certificate. |
| sha256 | string | | The SHA256 hash of the certificate. |
| not_before | Timestamp | | Indicates when the certificate is first valid. |
| not_after | Timestamp | | Indicates when the certificate is no longer valid. |

Cloud

Metadata related to the cloud environment.

| Field Name | Type | Label | Description |
|---|---|---|---|
| environment | Cloud.CloudEnvironment | | The Cloud environment. |
| vpc | Resource | | The cloud environment VPC. DEPRECATED |
| project | Resource | | The cloud environment project information. DEPRECATED |
| availability_zone | string | | The cloud environment availability zone (different from region which is location.name). |

Dhcp

DHCP information.

| Field Name | Type | Label | Description |
|---|---|---|---|
| opcode | Dhcp.OpCode | | The BOOTP op code. |
| htype | uint32 | | Hardware address type. |
| hlen | uint32 | | Hardware address length. |
| hops | uint32 | | Hops. |
| transaction_id | uint32 | | Transaction ID. |
| seconds | uint32 | | Seconds elapsed since client began address acquisition/renewal process. |
| flags | uint32 | | Flags. |
| ciaddr | string | | Client IP address (ciaddr). |
| yiaddr | string | | Your IP address (yiaddr). |
| siaddr | string | | IP address of the next bootstrap server. |
| giaddr | string | | Relay agent IP address (giaddr). |
| chaddr | string | | Client hardware address (chaddr). |
| sname | string | | Server name that the client wishes to boot from. |
| file | string | | Boot image filename. |
| options | Dhcp.Option | repeated | List of DHCP options. |
| type | Dhcp.MessageType | | DHCP message type. |
| lease_time_seconds | uint32 | | Lease time in seconds. See RFC2132, section 9.2. |
| client_hostname | string | | Client hostname. See RFC2132, section 3.14. |
| client_identifier | bytes | | Client identifier. See RFC2132, section 9.14. |
| requested_address | string | | Requested IP address. See RFC2132, section 9.1. |

Dhcp.Option

DHCP options.

| Field Name | Type | Label | Description |
|---|---|---|---|
| code | uint32 | | Code. See RFC1533. |
| data | bytes | | Data. |
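The Dhcp and Dhcp.Option fields above follow the BOOTP fixed header and the RFC 2132 option encoding closely, so a raw DHCP message can be mapped onto them almost field for field. The following Python is an added example of that mapping, not code from the UDM documentation or from Chronicle. It assumes the RFC 2132 option codes for the four promoted options (53 message type, 51 lease time, 12 host name, 61 client identifier, 50 requested address) and assumes that BOOTREQUEST/BOOTREPLY and DISCOVER/OFFER/REQUEST/ACK and so on are the Dhcp.OpCode and Dhcp.MessageType enum names, which this page does not list. The sample DHCPREQUEST and the helper names parse_dhcp, parse_options and build_sample_request are this example's own.

```python
import socket
import struct

# BOOTP fixed header (RFC 2131 section 2): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Enum names assumed for Dhcp.OpCode and Dhcp.MessageType (not on this page).
OPCODES = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def _cstr(raw):
    """NUL-terminated ASCII field (sname, file) to str."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_options(raw):
    """RFC 2132 TLV options as (code, data) pairs; pad (0) is skipped and
    end (255) stops parsing. Truncated options are ignored rather than raised."""
    out, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 1 >= len(raw):
            break
        length = raw[i + 1]
        out.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def parse_dhcp(packet):
    """Map one DHCP message onto the UDM network.dhcp field names."""
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, file_) = BOOTP_HEADER.unpack_from(packet)
    udm = {
        "opcode": OPCODES.get(op, "UNKNOWN_OPCODE"),
        "htype": htype, "hlen": hlen, "hops": hops,
        "transaction_id": xid, "seconds": secs, "flags": flags,
        "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr), "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": _cstr(sname), "file": _cstr(file_),
        "options": [],
    }
    rest = packet[BOOTP_HEADER.size:]
    if rest.startswith(MAGIC_COOKIE):
        for code, data in parse_options(rest[4:]):
            udm["options"].append({"code": code, "data": data})
            if code == 53 and data:
                udm["type"] = MESSAGE_TYPES.get(data[0], "UNKNOWN_MESSAGE_TYPE")
            elif code == 51 and len(data) == 4:
                udm["lease_time_seconds"] = struct.unpack("!I", data)[0]
            elif code == 12:
                udm["client_hostname"] = data.decode("ascii", "replace")
            elif code == 61:
                udm["client_identifier"] = data
            elif code == 50 and len(data) == 4:
                udm["requested_address"] = socket.inet_ntoa(data)
    return udm


def build_sample_request():
    """Constructed DHCPREQUEST from a client with MAC 00:11:22:33:44:55."""
    mac = bytes.fromhex("001122334455")
    header = BOOTP_HEADER.pack(
        1, 1, 6, 0, 0x3903F326, 0, 0x8000,
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = (b"\x35\x01\x03"                                    # 53: REQUEST
               + b"\x32\x04" + socket.inet_aton("192.168.1.50")   # 50: requested IP
               + b"\x33\x04" + struct.pack("!I", 86400)           # 51: lease time
               + b"\x0c\x06lab-pc"                                # 12: host name
               + b"\x3d\x07\x01" + mac                            # 61: client id
               + b"\xff")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for key, value in parse_dhcp(build_sample_request()).items():
        print("network.dhcp.%s = %r" % (key, value))
```

Every option is kept in options[] as raw code/data, and only the four options that have their own UDM fields are additionally decoded; a detection that needs, say, option 60 (vendor class) can still read it from the repeated list.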

Dns

DNS information.

| Field Name | Type | Label | Description |
|---|---|---|---|
| id | uint32 | | DNS query id. |
| response | bool | | Set to true if the event is a DNS response. See QR field from RFC1035. |
| opcode | uint32 | | The DNS OpCode used to specify the type of DNS query (e.g. QUERY, IQUERY, STATUS, etc.). |
| authoritative | bool | | Other DNS header flags. See RFC1035, section 4.1.1. |
| truncated | bool | | Whether the DNS response was truncated. |
| recursion_desired | bool | | Whether a recursive DNS lookup is desired. |
| recursion_available | bool | | Whether a recursive DNS lookup is available. |
| response_code | uint32 | | Response code. See RCODE from RFC1035. |
| questions | Dns.Question | repeated | A list of domain protocol message questions. |
| answers | Dns.ResourceRecord | repeated | A list of answers to the domain name query. |
| authority | Dns.ResourceRecord | repeated | A list of domain name servers which verified the answers to the domain name queries. |
| additional | Dns.ResourceRecord | repeated | A list of additional domain name servers that can be used to verify the answer to the domain. |

Dns.Question

DNS Questions. See RFC1035, section 4.1.2.

| Field Name | Type | Label | Description |
|---|---|---|---|
| name | string | | The domain name. |
| type | uint32 | | The code specifying the type of the query. |
| class | uint32 | | The code specifying the class of the query. |
| prevalence | Prevalence | | The prevalence of the domain within the customer's environment. |

Dns.ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

| Field Name | Type | Label | Description |
|---|---|---|---|
| name | string | | The name of the owner of the resource record. |
| type | uint32 | | The code specifying the type of the resource record. |
| class | uint32 | | The code specifying the class of the resource record. |
| ttl | uint32 | | The time interval for which the resource record can be cached before the source of the information should again be queried. |
| data | string | | The payload or response to the DNS question for all responses encoded in UTF-8 format. |
| binary_data | bytes | | The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
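The Dns, Dns.Question and Dns.ResourceRecord fields above mirror the RFC 1035 header bits, question section and resource record layout, including the split between a UTF-8 data string and raw binary_data. The following Python is an added example of mapping a DNS message onto those field names, not code from the UDM documentation or from Chronicle. The sample response and the helper names parse_dns, _read_name, _read_rr and build_sample_response are this example's own; rendering A records as dotted quads and NS/CNAME records as decoded names in data is this example's choice, as the page only says data holds UTF-8 text.

```python
import socket
import struct


def _read_name(msg, offset):
    """Decode a domain name at offset, following RFC 1035 4.1.4 compression
    pointers. Returns (name, offset just past the name in the original
    position, i.e. after the first pointer if one was followed)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def _read_rr(msg, offset):
    """One resource record -> UDM Dns.ResourceRecord dict, plus next offset."""
    name, offset = _read_name(msg, offset)
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    rdata = msg[offset:offset + rdlength]
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
    if rtype == 1 and rdlength == 4:                    # A: dotted quad
        rr["data"] = socket.inet_ntoa(rdata)
    elif rtype in (2, 5):                               # NS, CNAME: a name
        rr["data"] = _read_name(msg, offset)[0]
    else:                                               # other types: text if UTF-8
        try:
            rr["data"] = rdata.decode("utf-8")
        except UnicodeDecodeError:
            rr["binary_data"] = rdata
    return rr, offset + rdlength


def parse_dns(msg):
    """Map a DNS message onto the UDM network.dns field names."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    dns = {
        "id": qid,
        "response": bool(flags & 0x8000),               # QR
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & 0x0400),          # AA
        "truncated": bool(flags & 0x0200),              # TC
        "recursion_desired": bool(flags & 0x0100),      # RD
        "recursion_available": bool(flags & 0x0080),    # RA
        "response_code": flags & 0xF,                   # RCODE
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    offset = 12
    for _ in range(qd):
        name, offset = _read_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        dns["questions"].append({"name": name, "type": qtype, "class": qclass})
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, offset = _read_rr(msg, offset)
            dns[key].append(rr)
    return dns


def _name(s):
    """Uncompressed wire form of a dotted name."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


def build_sample_response():
    """Constructed authoritative answer: www.example.com CNAME example.com,
    example.com A 203.0.113.10, authority NS ns1.example.com. Later names
    use compression pointers into the question (offsets 12 and 16)."""
    header = struct.pack("!HHHHHH", 0xBEEF, 0x8580, 1, 2, 1, 0)  # QR AA RD RA
    question = _name("www.example.com") + struct.pack("!HH", 1, 1)
    ptr_www, ptr_example = b"\xc0\x0c", b"\xc0\x10"
    cname = ptr_www + struct.pack("!HHIH", 5, 1, 300, 2) + ptr_example
    a_rec = ptr_example + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("203.0.113.10")
    ns_name = b"\x03ns1" + ptr_example
    ns_rec = ptr_example + struct.pack("!HHIH", 2, 1, 3600, len(ns_name)) + ns_name
    return header + question + cname + a_rec + ns_rec


if __name__ == "__main__":
    print(parse_dns(build_sample_response()))
```

The generic branch is a simplification: record types with their own internal structure (TXT keeps per-string length bytes, MX has a preference word) would need type-specific decoding before being placed in data, and anything that does not decode as UTF-8 lands in binary_data as the page requires.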

Domain

Information about a domain.

| Field Name | Type | Label | Description |
|---|---|---|---|
| name | string | | The domain name. |
| prevalence | Prevalence | | The prevalence of the domain within the customer's environment. |
| first_seen_time | Timestamp | | First seen timestamp of the domain in the customer's environment. |
| last_seen_time | Timestamp | | Last seen timestamp of the domain in the customer's environment. |
| registrar | string | | Registrar name, e.g. "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM", etc. |
| contact_email | string | | Contact email address. |
| whois_server | string | | Whois server name. |
| name_server | string | repeated | Repeated list of name servers. |
| creation_time | Timestamp | | Domain creation time. |
| update_time | Timestamp | | Last updated time. |
| expiration_time | Timestamp | | Expiration time. |
| audit_update_time | Timestamp | | Audit updated time. |
| status | string | | Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values. |
| registrant | User | | Parsed contact information for the registrant of the domain. |
| admin | User | | Parsed contact information for the administrative contact for the domain. |
| tech | User | | Parsed contact information for the technical contact for the domain. |
| billing | User | | Parsed contact information for the billing contact of the domain. |
| zone | User | | Parsed contact information for the zone. |
| whois_record_raw_text | bytes | | Unix epoch of the time when DomainTools first captured the record, or the time when DomainTools captured a change to the record. domaintools_time_ms is also used as the Bigtable timestamp. |
| registry_data_raw_text | bytes | | Registry data raw text. |
| iana_registrar_id | int32 | | IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml. |
| private_registration | bool | | Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. |

Email

Email info.

| Field Name | Type | Label | Description |
|---|---|---|---|
| from | string | | The 'from' address. |
| reply_to | string | | The 'reply to' address. |
| to | string | repeated | A list of 'to' addresses. |
| cc | string | repeated | A list of 'cc' addresses. |
| bcc | string | repeated | A list of 'bcc' addresses. |
| mail_id | string | | The mail (or message) ID. |
| subject | string | repeated | The subject line(s) of the email. |
| bounce_address | string | | The envelope from address. https://en.wikipedia.org/wiki/Bounce_address |
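The Email fields above map onto RFC 5322 header lines, with bounce_address coming from the envelope sender (Return-Path as written by the receiving MTA) rather than from the From header. The following Python is an added example of that mapping using the standard library email parser, not code from the UDM documentation or from Chronicle. The message is constructed sample data; parse_email_headers and envelope_mismatch are this example's own names, and the comparison of the envelope and header sender domains is an illustration of why the two fields are kept separate, not a rule from the page.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; only the headers matter for this mapping.
SAMPLE_MESSAGE = """\
Return-Path: <bounce+alice=example.com@mail.example.net>
From: "Alice Example" <alice@example.com>
Reply-To: replies@example.net
To: bob@example.org, "Carol" <carol@example.org>
Cc: dave@example.org
Message-ID: <20240101.abc123@mail.example.net>
Subject: Quarterly report
Content-Type: text/plain

Please find the report attached.
"""


def _addresses(msg, header):
    """All addresses in a header (display names dropped, lower-cased)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def parse_email_headers(raw):
    """Map message headers onto the UDM network.email field names."""
    msg = message_from_string(raw)
    email = {
        "from": (_addresses(msg, "From") or [""])[0],
        "to": _addresses(msg, "To"),
        "cc": _addresses(msg, "Cc"),
        "bcc": _addresses(msg, "Bcc"),
        "mail_id": (msg.get("Message-ID") or "").strip().strip("<>"),
        "subject": msg.get_all("Subject", []),
        # Envelope sender as recorded by the receiving MTA in Return-Path.
        "bounce_address": (msg.get("Return-Path") or "").strip().strip("<>"),
    }
    reply_to = _addresses(msg, "Reply-To")
    if reply_to:
        email["reply_to"] = reply_to[0]
    return email


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def envelope_mismatch(email):
    """True when the envelope sender domain differs from the From domain;
    a common property of bulk senders but also of spoofed mail, so it is a
    triage signal rather than a verdict on its own."""
    if not email.get("bounce_address") or not email.get("from"):
        return False
    return _domain(email["bounce_address"]) != _domain(email["from"])


if __name__ == "__main__":
    parsed = parse_email_headers(SAMPLE_MESSAGE)
    for key, value in parsed.items():
        print("network.email.%s = %r" % (key, value))
    print("envelope/header domain mismatch:", envelope_mismatch(parsed))
```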

File

Information about a file.

| Field Name | Type | Label | Description |
|---|---|---|---|
| sha256 | string | | The SHA256 hash of the file. |
| md5 | string | | The MD5 hash of the file. |
| sha1 | string | | The SHA1 hash of the file. |
| size | uint64 | | The size of the file in bytes. |
| full_path | string | | The full path identifying the location of the file on the system. |
| mime_type | string | | The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc. |
| file_metadata | FileMetadata | | Metadata associated with the file. FileMetadata is deprecated in favor of the single File proto. |
| ssdeep | string | | Ssdeep of the file. |
| vhash | string | | Vhash of the file. |
| ahash | string | | Deprecated, please use authentihash instead. |
| authentihash | string | | Authentihash of the file. |
| file_type | File.FileType | | FileType field. |
| capabilities_tags | string | repeated | Capabilities tags. |
| names | string | repeated | Names of the file. |
| last_modification_time | Timestamp | | Timestamp when the file was last updated. |
| prevalence | Prevalence | | Prevalence of the file hash in the customer's environment. |
| first_seen_time | Timestamp | | First seen timestamp of the File in the customer's environment. |
| last_seen_time | Timestamp | | Last seen timestamp of the IP in the customer's environment. |

Ftp

FTP info.

| Field Name | Type | Label | Description |
|---|---|---|---|
| command | string | | The FTP command. |

Group

Information about an organizational group.

| Field Name | Type | Label | Description |
|---|---|---|---|
| product_object_id | string | | Product globally unique user object identifier, such as an LDAP Object Identifier. |
| creation_time | Timestamp | | Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. |
| group_display_name | string | | Group display name, e.g. "Finance". |
| attribute | Attribute | | Generic entity metadata attributes of the group. |
| email_addresses | string | repeated | Email addresses of the group. |
| windows_sid | string | | Windows SID of the group. |

Hardware

Hardware specification details for a resource, including both physical and virtual hardware.

Field Name Type Label Description
serial_number string Hardware serial number.
manufacturer string Hardware manufacturer.
model string Hardware model.
cpu_platform string Platform of the hardware CPU (e.g. "Intel Broadwell").
cpu_model string Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").
cpu_clock_speed uint64 Clock speed of the hardware CPU in MHz.
cpu_max_clock_speed uint64 Maximum possible clock speed of the hardware CPU in MHz.
cpu_number_cores uint64 Number of CPU cores.
ram uint64 Amount of hardware random access memory (RAM) in MB.

Http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".

Field Name Type Label Description
method string The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").
referral_url string The URL for the HTTP referer.
user_agent string The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
response_code int32 The response status code. e.g. 200, 302, 404, 500, etc.

Investigation

Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.

Field Name Type Label Description
verdict Verdict Describes the reason a finding investigation was resolved.
reputation Reputation Describes whether a finding was useful or not-useful.
severity_score uint32 Severity score for a finding set by an analyst.
status Status Describes the workflow status of a finding.
comments string repeated Comment added by the Analyst.
priority Priority Priority of the Alert or Finding set by analyst.
root_cause string Root cause of the Alert or Finding set by analyst.
reason Reason Reason for closing the Case or Alert.

Label

Key value labels.

Field Name Type Label Description
key string The key.
value string The value.

Location

Information about a location.

Field Name Type Label Description
city string The city.
state string The state.
country_or_region string The country or region.
name string Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
desk_name string Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
floor_name string Floor name, number or a combination of the two for a building. (e.g. "1-A").
region_latitude float Latitude of the center of the associated region.
region_longitude float Longitude of the center of the associated region.

PeFileMetadata

Metadata about a Windows Portable Executable.

Field Name Type Label Description
import_hash string Hash of PE imports.

Permission

System permission for resource access and modification.

Field Name Type Label Description
name string Name of the permission (e.g. chronicle.analyst.updateRule).
description string Description of the permission (e.g. 'Ability to update detect rules').
type Permission.PermissionType Type of the permission.

PlatformSoftware

Platform software information about an operating system.

Field Name Type Label Description
platform Noun.Platform The platform operating system.
platform_version string The platform software version ( e.g. "Microsoft Windows 1803").
platform_patch_level string The platform software patch level ( e.g. "Build 17134.48", "SP1").

Prevalence

The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource.

Field Name Type Label Description
rolling_max int32 The maximum number of assets per day accessing the resource over the trailing day_count days.
day_count int32 The number of days over which rolling_max is calculated.
rolling_max_sub_domains int32 The maximum number of assets per day accessing the domain together with its sub-domains over the trailing day_count days. This field is only valid for domains.
day_max int32 The maximum prevalence score in a one-day interval window.
day_max_sub_domains int32 The maximum prevalence score in a one-day interval window across sub-domains.
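
The Prevalence fields above are defined in terms of distinct assets per day over a trailing window. The following is an added example, not Chronicle's own implementation, that computes rolling_max, day_count and rolling_max_sub_domains for a domain from constructed access records (ISO date, asset id, domain). The is_rare helper and the last-two-labels registered_domain heuristic are assumptions for illustration; production code should use the Public Suffix List.

```python
"""Compute the UDM Prevalence fields (rolling_max, day_count,
rolling_max_sub_domains) for a domain from per-asset access records.

Added example, not Chronicle's implementation. Input records are constructed
(day as ISO date string, asset id, domain contacted); a real pipeline would
derive them from NETWORK_DNS / NETWORK_HTTP events.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: which asset contacted which domain on which day.
SAMPLE_ACCESSES = [
    ("2024-05-01", "host-a", "cdn.example.com"),
    ("2024-05-01", "host-b", "cdn.example.com"),
    ("2024-05-01", "host-a", "cdn.example.com"),   # same asset twice in a day: counts once
    ("2024-05-02", "host-c", "cdn.example.com"),
    ("2024-05-02", "host-a", "login.example.com"),
    ("2024-05-02", "host-b", "login.example.com"),
    ("2024-05-03", "host-d", "example.com"),
    ("2024-05-03", "host-e", "rare.example.net"),
    ("2024-04-01", "host-a", "cdn.example.com"),   # outside a 10-day window ending 2024-05-03
]


def registered_domain(domain):
    """Collapse a host name to its registrable parent ('cdn.example.com' -> 'example.com').

    Assumption: a last-two-labels heuristic. Production code should consult the
    Public Suffix List, otherwise 'www.example.co.uk' collapses to 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def distinct_assets_per_day(records, key_fn):
    """key -> {day: set(asset ids)}; deduplicates repeat accesses by one asset."""
    per_day = defaultdict(lambda: defaultdict(set))
    for day, asset, domain in records:
        per_day[key_fn(domain)][day].add(asset)
    return per_day


def prevalence(records, domain, as_of, day_count=10):
    """Return a dict shaped like the UDM Prevalence message for `domain`.

    rolling_max: the largest number of distinct assets that contacted the exact
    domain on any single day within the trailing day_count days (as_of inclusive).
    rolling_max_sub_domains: the same, counting the registrable domain and all
    of its sub-domains together.
    """
    end = date.fromisoformat(as_of)
    start = end - timedelta(days=day_count - 1)
    in_window = [
        (day, asset, dom) for day, asset, dom in records
        if start <= date.fromisoformat(day) <= end
    ]
    exact = distinct_assets_per_day(in_window, str.lower)
    family = distinct_assets_per_day(in_window, registered_domain)

    def rolling_max(day_map):
        return max((len(assets) for assets in day_map.values()), default=0)

    return {
        "rolling_max": rolling_max(exact.get(domain.lower(), {})),
        "day_count": day_count,
        "rolling_max_sub_domains": rolling_max(family.get(registered_domain(domain), {})),
    }


def is_rare(prev, max_assets=1):
    """Triage helper (assumption): a resource never seen on more than `max_assets`
    assets in a day across the window is a low-prevalence review candidate."""
    return prev["rolling_max"] <= max_assets


if __name__ == "__main__":
    for dom in ("cdn.example.com", "login.example.com", "rare.example.net"):
        print(dom, prevalence(SAMPLE_ACCESSES, dom, "2024-05-03"))
```

Note that rolling_max_sub_domains for cdn.example.com is larger than rolling_max because it also counts the assets that contacted login.example.com on the same day; that is exactly why the field is only meaningful for domains.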

Process

Information about a process.

Field Name Type Label Description
pid string The process ID.
parent_pid string The ID of the parent process. Deprecated. Please use parent_process.pid instead.
parent_process Process Information about the parent process.
file File Information about the file in use by the process.
command_line string The command line command that created the process.
command_line_history string repeated The command line history of the process.
product_specific_process_id string A product specific process id.
access_mask uint64 A bit mask representing the level of access.
product_specific_parent_process_id string A product specific id for the parent process. Deprecated. Please use parent_process.product_specific_process_id instead.

Registry

Information about a registry key or value.

Field Name Type Label Description
registry_key string Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).
registry_value_name string Name of the registry value associated with an application or system component (e.g. TEMP).
registry_value_data string Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

Resource

Field Name Type Label Description
type string DEPRECATED - use resource_type instead.
resource_type Resource.ResourceType Resource type.
resource_subtype string Resource sub-type (e.g. "BigQuery", "Bigtable").
id string DEPRECATED
name string The name of the resource.
parent string The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.
product_object_id string A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)
attribute Attribute Generic entity metadata attributes of the resource.

Role

System role for resource access and modification.

Field Name Type Label Description
name string System role name for user.
description string System role description for user.
type Role.Type System role type for well known roles.

SignerInfo

File metadata signer information.

Field Name Type Label Description
name string optional Common names of the signers, in order. Each element is a higher-level authority than the one before it, and the last element is the root authority.

Smtp

SMTP info. See RFC 2821.

Field Name Type Label Description
helo string The client's 'HELO'/'EHLO' string.
mail_from string The client's 'MAIL FROM' string.
rcpt_to string repeated The client's 'RCPT TO' string(s).
server_response string repeated The server's response(s) to the client.
message_path string The message's path (extracted from the headers).
is_webmail bool If the message was sent via a webmail client.
is_tls bool If the connection switched to TLS.

Software

Information about a software package or application.

Field Name Type Label Description
name string The name of the software.
version string The version of the software.
permissions Permission repeated System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE"

Tags

Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters.

Field Name Type Label Description
tenant_id bytes repeated A list of subtenant ids that this event belongs to.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM) system.

Field Name Type Label Description
interval google.type.Interval Interval duration of the leave.
description string Description of the leave if available (e.g. 'Vacation').

Tls

Transport Layer Security (TLS) information.

Field Name Type Label Description
client Tls.Client Certificate information for the client certificate.
server Tls.Server Certificate information for the server certificate.
cipher string Cipher used during the connection.
curve string Elliptic curve used for a given cipher.
version string TLS version.
version_protocol string Protocol.
established bool Indicates whether the TLS negotiation was successful.
next_protocol string Protocol to be used for tunnel.
resumed bool Indicates whether the TLS connection was resumed from a previous TLS negotiation.

Tls.Client

Transport Layer Security (TLS) information associated with the client (e.g. Certificate, ja3 hash, etc.).

Field Name Type Label Description
certificate Certificate Client certificate.
ja3 string JA3 hash from client hello.
server_name string Host name of the server that the client is connecting to (the Server Name Indication value from the client hello).
supported_ciphers string repeated Ciphers supported by the client during client hello.

Tls.Server

Transport Layer Security (TLS) information associated with the server (e.g. Certificate, ja3 hash, etc.).

Field Name Type Label Description
certificate Certificate Server certificate.
ja3s string JA3S hash from server hello.
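
The Tls.Client fields ja3, server_name and supported_ciphers are all derived from the same ClientHello. The block below is an added example, not Chronicle's parser: build_client_hello() constructs a sample ClientHello so the code runs offline, parse_client_hello() extracts the fields, and ja3_fingerprint() applies the published JA3 recipe (client version, cipher suites, extension types, supported groups, EC point formats, joined with ',' and '-', then MD5) with GREASE values removed so that per-connection randomisation does not change the hash. Rendering supported_ciphers as hex strings is an assumption; the page does not fix a format.

```python
"""Populate the UDM tls.client fields (ja3, server_name, supported_ciphers)
from a raw TLS ClientHello record.

Added example, not Chronicle's parser. build_client_hello() constructs the
sample record; the fingerprint follows the published JA3 recipe and drops
GREASE values (RFC 8701), which browsers randomise per connection.
"""
import hashlib
import struct

# GREASE values: 0x0a0a, 0x1a1a, ..., 0xfafa. Excluded from the fingerprint.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16s(values):
    return b"".join(struct.pack("!H", v) for v in values)


def build_client_hello(server_name, ciphers, groups, point_formats, extra_exts=()):
    """Constructed ClientHello wrapped in its handshake and record headers."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    groups_ext = struct.pack("!H", 2 * len(groups)) + _u16s(groups)
    formats_ext = bytes([len(point_formats)]) + bytes(point_formats)
    exts = [(0x0000, sni_ext), (0x000A, groups_ext), (0x000B, formats_ext), *extra_exts]
    ext_bytes = b"".join(struct.pack("!HH", t, len(body)) + body for t, body in exts)
    hello = (
        b"\x03\x03"                                  # client_version: TLS 1.2 (771)
        + bytes(32)                                  # random (zeros in this sample)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2 * len(ciphers)) + _u16s(ciphers)
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, ciphers, extension_types, groups, point_formats, sni)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                          # 5-byte record header + 4-byte handshake header
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                    # version + random
    pos += 1 + record[pos]                           # session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ciphers = list(struct.unpack_from(f"!{cs_len // 2}H", record, pos))
    pos += cs_len
    pos += 1 + record[pos]                           # compression_methods
    ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ext_types, groups, formats, sni = [], [], [], None
    while pos < ext_end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        ext_types.append(etype)
        if etype == 0x0000:                          # server_name: list len(2) type(1) name len(2) name
            sni = data[5:5 + struct.unpack_from("!H", data, 3)[0]].decode()
        elif etype == 0x000A:                        # supported_groups: len(2) + u16 list
            n = struct.unpack_from("!H", data)[0]
            groups = list(struct.unpack_from(f"!{n // 2}H", data, 2))
        elif etype == 0x000B:                        # ec_point_formats: len(1) + u8 list
            formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats, sni


def ja3_fingerprint(version, ciphers, ext_types, groups, formats):
    """Return (ja3_string, ja3_md5) with GREASE values removed from every list."""
    def field(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    ja3_str = ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(formats)])
    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()


def udm_tls_client(record):
    """Map a ClientHello onto the Tls.Client fields; the JA3 string is returned
    alongside for explainability (it is not itself a UDM field)."""
    version, ciphers, ext_types, groups, formats, sni = parse_client_hello(record)
    ja3_str, ja3_md5 = ja3_fingerprint(version, ciphers, ext_types, groups, formats)
    fields = {
        "ja3": ja3_md5,
        "server_name": sni,
        "supported_ciphers": [f"0x{c:04x}" for c in ciphers if c not in GREASE],
    }
    return fields, ja3_str
```

Two ClientHellos that differ only in their GREASE cipher, group and extension values produce the same ja3, which is what makes the hash usable as a stable client fingerprint in detections; keep the JA3 string next to the hash in your own tooling so a match can be explained.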

User

Information about a user.

Field Name Type Label Description
product_object_id string A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
userid string The ID of the user.
user_display_name string The display name of the user (e.g. "John Locke").
first_name string First name of the user (e.g. "John").
middle_name string Middle name of the user.
last_name string Last name of the user (e.g. "Locke").
phone_numbers string repeated Phone numbers for the user.
personal_address Location Personal address of the user.
attribute Attribute Generic entity metadata attributes of the user.
first_seen_time Timestamp The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
account_type User.AccountType Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/
groupid string The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
group_identifiers string repeated Product object identifiers of the group(s) the user belongs to: a vendor-specific identifier that uniquely identifies each group (a GUID, LDAP OID, or similar).
windows_sid string The windows SID of the user.
email_addresses string repeated Email addresses of the user.
employee_id string Human capital management identifier.
title string User job title.
company_name string User job company name.
department string repeated User job department.
office_address Location User job office location.
managers User repeated User job manager(s).
hire_date Timestamp User job employment hire date.
termination_date Timestamp User job employment termination date.
time_off TimeOff repeated User time off leaves from active work.
user_authentication_status Authentication.AuthenticationStatus System authentication status for user.
role_name string System role name for user. DEPRECATED: use attribute.roles.
role_description string System role description for user. DEPRECATED: use attribute.roles.
user_role User.Role System role for user. DEPRECATED: use attribute.roles.

Vulnerabilities

The Vulnerabilities extension captures details on observed/detected vulnerabilities.

Field Name Type Label Description
vulnerabilities Vulnerability repeated A list of vulnerabilities.

Vulnerability

A vulnerability.

Field Name Type Label Description
about Noun If the vulnerability is about a specific noun (e.g. executable), then add it here.
name string Name of the vulnerability (e.g. "Unsupported OS Version detected").
description string Description of the vulnerability.
vendor string Vendor of scan that discovered vulnerability.
scan_start_time Timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.
scan_end_time Timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.
first_found Timestamp Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
last_found Timestamp Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
severity Vulnerability.Severity The severity of the vulnerability.
severity_details string Vendor-specific severity.
cvss_base_score float CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.
cvss_vector string Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE
cvss_version string Version of CVSS Vector/Score.
cve_id string Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id
cve_description string Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
vendor_vulnerability_id string Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
vendor_knowledge_base_article_id string Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft) https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase
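
The cvss_vector, cvss_version and cvss_base_score fields describe the same thing from different angles, so a parser can fill the latter two from the vector and cross-check a vendor-supplied score. The block below is an added example, not Chronicle code: it parses the vector (detecting "CVSS:3.x/" prefixes, otherwise assuming v2 as in the page's own example), computes the CVSS v2 base score with the published v2 equation and weights, and reports a mismatch instead of silently overwriting a vendor score. Treating v3.x vectors as version-detected only, the 0.05 tolerance, and the LOW/MEDIUM/HIGH rating strings (NVD's v2 buckets, not the Vulnerability.Severity enum) are assumptions.

```python
"""Fill cvss_version and cvss_base_score for a UDM Vulnerability from its
cvss_vector, and flag vendor-supplied base scores that do not match.

Added example, not Chronicle code. Weights and equation are the CVSS v2
base-score definition; v3.x vectors are only version-detected (assumption:
the scanner already supplies cvss_base_score for those).
"""
import re
from decimal import Decimal, ROUND_HALF_UP

CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},     # AccessVector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},      # AccessComplexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},     # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},      # ConfImpact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},      # IntegImpact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},      # AvailImpact
}


def parse_cvss_vector(vector):
    """Return (version, {metric: value}). v2 vectors carry no 'CVSS:x.y/' prefix;
    NVD's parenthesised form '(AV:N/...)' is accepted too."""
    vec = vector.strip().strip("()")
    m = re.match(r"CVSS:(\d\.\d)/(.*)$", vec)
    version, body = (m.group(1), m.group(2)) if m else ("2.0", vec)
    metrics = {}
    for part in body.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed CVSS metric {part!r} in {vector!r}")
        metrics[key] = value
    return version, metrics


def round_half_up(x):
    """CVSS rounds to one decimal, half up; Python's round() uses banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(metrics):
    """CVSS v2 BaseScore from the six base metrics (KeyError on unknown values)."""
    w = {k: CVSS2_WEIGHTS[k][metrics[k]] for k in CVSS2_WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    if impact == 0:                                  # f(Impact) = 0 when there is no impact
        return 0.0
    return round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def cvss2_rating(score):
    """NVD's qualitative rating for v2 scores (assumption: map onto Vulnerability.Severity yourself)."""
    return "LOW" if score < 4.0 else "MEDIUM" if score < 7.0 else "HIGH"


def enrich_vulnerability(vuln, tolerance=0.05):
    """Return (copy of vuln with cvss_version/cvss_base_score filled, warnings).

    A vendor score that disagrees with the vector by more than `tolerance` is
    reported rather than overwritten: it may be a temporal or environmental score.
    """
    out, warnings = dict(vuln), []
    vector = vuln.get("cvss_vector")
    if not vector:
        return out, warnings
    version, metrics = parse_cvss_vector(vector)
    out.setdefault("cvss_version", version)
    if version == "2.0":
        computed = cvss2_base_score(metrics)
        supplied = vuln.get("cvss_base_score")
        if supplied is None:
            out["cvss_base_score"] = computed
        elif abs(float(supplied) - computed) > tolerance:
            warnings.append(f"cvss_base_score {supplied} does not match vector ({computed})")
    return out, warnings


if __name__ == "__main__":
    # Constructed sample using the vector from the field description above.
    print(enrich_vulnerability({"name": "sample", "cvss_vector": "AV:L/AC:H/Au:N/C:N/I:P/A:C"}))
```

For the page's own example vector AV:L/AC:H/Au:N/C:N/I:P/A:C this yields cvss_version "2.0" and cvss_base_score 4.7, the value the linked NVD v2 calculator reports.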

Event enumerated types

Asset.AssetType

The role type of the asset.

Enum Value Enum Number Description
ROLE_UNSPECIFIED 0 Unspecified asset role.
WORKSTATION 1 A workstation or desktop.
LAPTOP 2 A laptop computer.
IOT 3 An IOT asset.
NETWORK_ATTACHED_STORAGE 4 A network attached storage device.
PRINTER 5 A printer.
SCANNER 6 A scanner.
SERVER 7 A server.
TAPE_LIBRARY 8 A tape library device.
MOBILE 9 A mobile device such as a mobile phone or PDA.

Asset.DeploymentStatus

Deployment status states.

Enum Value Enum Number Description
DEPLOYMENT_STATUS_UNSPECIFIED 0 Unspecified deployment status.
ACTIVE 1 Asset is active, functional and deployed.
PENDING_DECOMISSION 2 Asset is pending decommission and no longer deployed.
DECOMISSIONED 3 Asset is decommissioned.

Authentication.AuthType

Type of system the authentication event is associated with.

Enum Value Enum Number Description
AUTHTYPE_UNSPECIFIED 0 The default type.
MACHINE 1 A machine authentication.
SSO 2 An SSO authentication.
VPN 3 A VPN authentication.
PHYSICAL 4 A Physical authentication (e.g. "Badge reader").
TACACS 5 A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+).

Authentication.AuthenticationStatus

Authentication status, can be used to describe the status of authentication for a user or particular credential.

Enum Value Enum Number Description
UNKNOWN_AUTHENTICATION_STATUS 0 The default authentication status.
ACTIVE 1 The authentication method is in active state.
SUSPENDED 2 The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS 3 The authentication method has no active credentials.
DELETED 4 The authentication method has been deleted.

Authentication.Mechanism

Mechanism(s) used to authenticate.

Enum Value Enum Number Description
MECHANISM_UNSPECIFIED 0 The default mechanism.
USERNAME_PASSWORD 1 Username + password authentication.
OTP 2 OTP authentication.
HARDWARE_KEY 3 Hardware key authentication.
LOCAL 4 Local authentication.
REMOTE 5 Remote authentication.
REMOTE_INTERACTIVE 6 RDP, Terminal Services, VNC, etc.
MECHANISM_OTHER 7 Some other mechanism that is not defined here.
BADGE_READER 8 Badge reader authentication.
NETWORK 9 Network authentication.
BATCH 10 Batch authentication.
SERVICE 11 Service authentication.
UNLOCK 12 Direct human-interactive unlock authentication.
NETWORK_CLEAR_TEXT 13 Network clear text authentication.
NEW_CREDENTIALS 14 Authentication with new credentials.
INTERACTIVE 15 Interactive authentication.
CACHED_INTERACTIVE 16 Interactive authentication using cached credentials.
CACHED_REMOTE_INTERACTIVE 17 Cached Remote Interactive authentication using cached credentials.
CACHED_UNLOCK 18 Unlock authentication using cached credentials.

Cloud.CloudEnvironment

The service provider environment.

Enum Value Enum Number Description
UNSPECIFIED_CLOUD_ENVIRONMENT 0 Default.
GOOGLE_CLOUD_PLATFORM 1 Google Cloud Platform.
AMAZON_WEB_SERVICES 2 Amazon Web Services.
MICROSOFT_AZURE 3 Microsoft Azure.

Dhcp.MessageType

DHCP message type. See RFC2131, section 3.1.

Enum Value Enum Number Description
UNKNOWN_MESSAGE_TYPE 0 Default message type.
DISCOVER 1 DHCPDISCOVER.
OFFER 2 DHCPOFFER.
REQUEST 3 DHCPREQUEST.
DECLINE 4 DHCPDECLINE.
ACK 5 DHCPACK.
NAK 6 DHCPNAK.
RELEASE 7 DHCPRELEASE.
INFORM 8 DHCPINFORM.
WIN_DELETED 100 Windows DHCP "lease deleted".
WIN_EXPIRED 101 Windows DHCP "lease expired".

Dhcp.OpCode

BOOTP op code. See RFC951, section 3.

Enum Value Enum Number Description
UNKNOWN_OPCODE 0 Default opcode.
BOOTREQUEST 1 Request.
BOOTREPLY 2 Reply.

File.FileType

The file type, for example Windows executable.

Enum Value Enum Number Description
FILE_TYPE_UNSPECIFIED 0 File type is UNSPECIFIED.
FILE_TYPE_PE_EXE 1 File type is PE_EXE.
FILE_TYPE_PE_DLL 2 Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_MSI 3 File type is MSI.
FILE_TYPE_NE_EXE 10 File type is NE_EXE.
FILE_TYPE_NE_DLL 11 File type is NE_DLL.
FILE_TYPE_DOS_EXE 20 File type is DOS_EXE.
FILE_TYPE_DOS_COM 21 File type is DOS_COM.
FILE_TYPE_COFF 30 File type is COFF.
FILE_TYPE_ELF 31 File type is ELF.
FILE_TYPE_LINUX_KERNEL 32 File type is LINUX_KERNEL.
FILE_TYPE_RPM 33 File type is RPM.
FILE_TYPE_LINUX 34 File type is LINUX.
FILE_TYPE_MACH_O 35 File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE 36 File type is JAVA_BYTECODE.
FILE_TYPE_DMG 37 File type is DMG.
FILE_TYPE_DEB 38 File type is DEB.
FILE_TYPE_PKG 39 File type is PKG.
FILE_TYPE_LNK 50 File type is LNK.
FILE_TYPE_JPEG 100 File type is JPEG.
FILE_TYPE_TIFF 101 File type is TIFF.
FILE_TYPE_GIF 102 File type is GIF.
FILE_TYPE_PNG 103 File type is PNG.
FILE_TYPE_BMP 104 File type is BMP.
FILE_TYPE_GIMP 105 File type is GIMP.
FILE_TYPE_IN_DESIGN 106 File type is Adobe InDesign.
FILE_TYPE_PSD 107 File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA 108 File type is TARGA.
FILE_TYPE_XWD 109 File type is XWD.
FILE_TYPE_DIB 110 File type is DIB.
FILE_TYPE_JNG 111 File type is JNG.
FILE_TYPE_ICO 112 File type is ICO.
FILE_TYPE_FPX 113 File type is FPX.
FILE_TYPE_EPS 114 File type is EPS.
FILE_TYPE_SVG 115 File type is SVG.
FILE_TYPE_EMF 116 File type is EMF.
FILE_TYPE_WEBP 117 File type is WEBP.
FILE_TYPE_OGG 150 File type is OGG.
FILE_TYPE_FLC 151 File type is FLC.
FILE_TYPE_FLI 152 File type is FLI.
FILE_TYPE_MP3 153 File type is MP3.
FILE_TYPE_FLAC 154 File type is FLAC.
FILE_TYPE_WAV 155 File type is WAV.
FILE_TYPE_MIDI 156 File type is MIDI.
FILE_TYPE_AVI 157 File type is AVI.
FILE_TYPE_MPEG 158 File type is MPEG.
FILE_TYPE_QUICKTIME 159 File type is QUICKTIME.
FILE_TYPE_ASF 160 File type is ASF.
FILE_TYPE_DIVX 161 File type is DIVX.
FILE_TYPE_FLV 162 File type is FLV.
FILE_TYPE_WMA 163 File type is WMA.
FILE_TYPE_WMV 164 File type is WMV.
FILE_TYPE_RM 165 File type is RM. RealMedia type.
FILE_TYPE_MOV 166 File type is MOV.
FILE_TYPE_MP4 167 File type is MP4.
FILE_TYPE_T3GP 168 File type is T3GP.
FILE_TYPE_PDF 200 File type is PDF.
FILE_TYPE_PS 201 File type is PS.
FILE_TYPE_DOC 202 File type is DOC.
FILE_TYPE_DOCX 203 File type is DOCX.
FILE_TYPE_PPT 204 File type is PPT.
FILE_TYPE_PPTX 205 File type is PPTX.
FILE_TYPE_PPSX 209 File type is PPSX.
FILE_TYPE_XLS 206 File type is XLS.
FILE_TYPE_XLSX 207 File type is XLSX.
FILE_TYPE_RTF 208 File type is RTF.
FILE_TYPE_ODP 250 File type is ODP.
FILE_TYPE_ODS 251 File type is ODS.
FILE_TYPE_ODT 252 File type is ODT.
FILE_TYPE_HWP 253 File type is HWP.
FILE_TYPE_GUL 254 File type is GUL.
FILE_TYPE_ODF 255 File type is ODF.
FILE_TYPE_ODG 256 File type is ODG.
FILE_TYPE_EBOOK 260 File type is EBOOK.
FILE_TYPE_LATEX 261 File type is LATEX.
FILE_TYPE_TTF 262 File type is TTF.
FILE_TYPE_EOT 263 File type is EOT.
FILE_TYPE_WOFF 264 File type is WOFF.
FILE_TYPE_CHM 265 File type is CHM.
FILE_TYPE_ZIP 300 File type is ZIP.
FILE_TYPE_GZIP 301 File type is GZIP.
FILE_TYPE_BZIP 302 File type is BZIP.
FILE_TYPE_RZIP 303 File type is RZIP.
FILE_TYPE_DZIP 304 File type is DZIP.
FILE_TYPE_SEVENZIP 305 File type is SEVENZIP.
FILE_TYPE_CAB 306 File type is CAB.
FILE_TYPE_JAR 307 File type is JAR.
FILE_TYPE_RAR 308 File type is RAR.
FILE_TYPE_MSCOMPRESS 309 File type is MSCOMPRESS.
FILE_TYPE_ACE 310 File type is ACE.
FILE_TYPE_ARC 311 File type is ARC.
FILE_TYPE_ARJ 312 File type is ARJ.
FILE_TYPE_ASD 313 File type is ASD.
FILE_TYPE_BLACKHOLE 314 File type is BLACKHOLE.
FILE_TYPE_KGB 315 File type is KGB.
FILE_TYPE_ZLIB 316 File type is ZLIB.
FILE_TYPE_TAR 317 File type is TAR.
FILE_TYPE_TEXT 400 File type is TEXT.
FILE_TYPE_SCRIPT 401 File type is SCRIPT.
FILE_TYPE_PHP 402 File type is PHP.
FILE_TYPE_PYTHON 403 File type is PYTHON.
FILE_TYPE_PERL 404 File type is PERL.
FILE_TYPE_RUBY 405 File type is RUBY.
FILE_TYPE_C 406 File type is C.
FILE_TYPE_CPP 407 File type is CPP.
FILE_TYPE_JAVA 408 File type is JAVA.
FILE_TYPE_SHELLSCRIPT 409 File type is SHELLSCRIPT.
FILE_TYPE_PASCAL 410 File type is PASCAL.
FILE_TYPE_AWK 411 File type is AWK.
FILE_TYPE_DYALOG 412 File type is DYALOG.
FILE_TYPE_FORTRAN 413 File type is FORTRAN.
FILE_TYPE_JAVASCRIPT 414 File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL 415 File type is POWERSHELL.
FILE_TYPE_VBA 416 File type is VBA.
FILE_TYPE_SYMBIAN 500 File type is SYMBIAN.
FILE_TYPE_PALMOS 501 File type is PALMOS.
FILE_TYPE_WINCE 502 File type is WINCE.
FILE_TYPE_ANDROID 503 File type is ANDROID.
FILE_TYPE_IPHONE 504 File type is IPHONE.
FILE_TYPE_HTML 600 File type is HTML.
FILE_TYPE_XML 601 File type is XML.
FILE_TYPE_SWF 602 File type is SWF.
FILE_TYPE_FLA 603 File type is FLA.
FILE_TYPE_COOKIE 604 File type is COOKIE.
FILE_TYPE_TORRENT 605 File type is TORRENT.
FILE_TYPE_EMAIL_TYPE 606 File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK 607 File type is OUTLOOK.
FILE_TYPE_CAP 700 File type is CAP.
FILE_TYPE_ISOIMAGE 800 File type is ISOIMAGE.
FILE_TYPE_APPLE 1000 File type is APPLE.
FILE_TYPE_MACINTOSH 1001 File type is MACINTOSH.
FILE_TYPE_APPLESINGLE 1002 File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE 1003 File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS 1004 File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST 1005 File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB 1006 File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT 1007 File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED 1008 File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX 1100 File type is CRX.
FILE_TYPE_XPI 1101 File type is XPI.
FILE_TYPE_ROM 1200 File type is ROM.

Metadata.EventType

An event type. Choose the event type based on the activity that was logged, not on the category of product that generated the log. So, for example, an antivirus (AV) scanning email on a client would generate an SMTP_PROXY event, not an AV event. A DLP device scanning a web upload would generate an HTTP_PROXY event and not a DLP or process activity event. Note: in the case of an HTTP_PROXY event, you might also include process details if this occurred on an endpoint. That would be optional, but there is a certain set of required fields and banned fields due to its status as an HTTP_PROXY event.

Enum Value Enum Number Description
EVENTTYPE_UNSPECIFIED 0 Default event type
PROCESS_UNCATEGORIZED 10000 Activity related to a process which does not match any other event types.
PROCESS_LAUNCH 10001 Process launch.
PROCESS_INJECTION 10002 Process injecting into another process.
PROCESS_PRIVILEGE_ESCALATION 10003 Process privilege escalation.
PROCESS_TERMINATION 10004 Process termination.
PROCESS_OPEN 10005 Process being opened.
PROCESS_MODULE_LOAD 10006 Process loading a module.
REGISTRY_UNCATEGORIZED 11000 Registry event which does not match any of the other event types.
REGISTRY_CREATION 11001 Registry creation.
REGISTRY_MODIFICATION 11002 Registry modification.
REGISTRY_DELETION 11003 Registry deletion.
SETTING_UNCATEGORIZED 12000 Settings-related event which does not match any of the other event types.
SETTING_CREATION 12001 Setting creation.
SETTING_MODIFICATION 12002 Setting modification.
SETTING_DELETION 12003 Setting deletion.
MUTEX_UNCATEGORIZED 13000 Any mutex event other than creation.
MUTEX_CREATION 13001 Mutex creation.
FILE_UNCATEGORIZED 14000 File event which does not match any of the other event types.
FILE_CREATION 14001 File created.
FILE_DELETION 14002 File deleted.
FILE_MODIFICATION 14003 File modified.
FILE_READ 14004 File read.
FILE_COPY 14005 File copied. Used for file copies, for example, to a thumb drive.
FILE_OPEN 14006 File opened.
FILE_MOVE 14007 File moved or renamed.
FILE_SYNC 14008 File synced (for example, Google Drive, Dropbox, backup).
USER_UNCATEGORIZED 15000 User activity which does not match any of the other event types.
USER_LOGIN 15001 User login.
USER_LOGOUT 15002 User logout.
USER_CREATION 15003 User creation.
USER_CHANGE_PASSWORD 15004 User password change event.
USER_CHANGE_PERMISSIONS 15005 Change in user permissions.
USER_STATS 15006 Deprecated. Used to update user info for an LDAP dump.
USER_BADGE_IN 15007 User physically badging into a location.
USER_DELETION 15008 User deletion.
USER_RESOURCE_CREATION 15009 User creating a virtual resource. This is equivalent to RESOURCE_CREATION.
USER_RESOURCE_UPDATE_CONTENT 15010 User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN.
USER_RESOURCE_UPDATE_PERMISSIONS 15011 User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
USER_COMMUNICATION 15012 User initiating communication through a medium (for example, video).
USER_RESOURCE_ACCESS 15013 User accessing a virtual resource. This is equivalent to RESOURCE_READ.
USER_RESOURCE_DELETION 15014 User deleting a virtual resource. This is equivalent to RESOURCE_DELETION.
GROUP_UNCATEGORIZED 23000 A group activity that does not fall into one of the other event types.
GROUP_CREATION 23001 A group creation.
GROUP_DELETION 23002 A group deletion.
GROUP_MODIFICATION 23003 A group modification.
EMAIL_UNCATEGORIZED 19000 Email event which does not match any of the other event types.
EMAIL_TRANSACTION 19001 An email transaction.
EMAIL_URL_CLICK 19002 Deprecated. An email URL click event. Use NETWORK_HTTP instead.
NETWORK_UNCATEGORIZED 16000 A network event that does not fit into one of the other event types.
NETWORK_FLOW 16001 Aggregated flow stats like netflow.
NETWORK_CONNECTION 16002 Network connection details like from a FW.
NETWORK_FTP 16003 FTP telemetry.
NETWORK_DHCP 16004 DHCP payload.
NETWORK_DNS 16005 DNS payload.
NETWORK_HTTP 16006 HTTP telemetry.
NETWORK_SMTP 16007 SMTP telemetry.
STATUS_UNCATEGORIZED 17000 A status message that does not fit into one of the other event types.
STATUS_HEARTBEAT 17001 Heartbeat indicating product is alive.
STATUS_STARTUP 17002 An agent startup.
STATUS_SHUTDOWN 17003 An agent shutdown.
STATUS_UPDATE 17004 A software or fingerprint update.
SCAN_UNCATEGORIZED 18000 Scan item that does not fit into one of the other event types.
SCAN_FILE 18001 A file scan.
SCAN_PROCESS_BEHAVIORS 18002 Scan process behaviors. Please use SCAN_PROCESS instead.
SCAN_PROCESS 18003 Scan process.
SCAN_HOST 18004 Scan results from scanning an entire host device for threats/sensitive documents.
SCAN_VULN_HOST 18005 Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan).
SCAN_VULN_NETWORK 18006 Vulnerability scan logs about network vulnerabilities.
SCAN_NETWORK 18007 Scan network for suspicious activity.
SCHEDULED_TASK_UNCATEGORIZED 20000 Scheduled task event that does not fall into one of the other event types.
SCHEDULED_TASK_CREATION 20001 Scheduled task creation.
SCHEDULED_TASK_DELETION 20002 Scheduled task deletion.
SCHEDULED_TASK_ENABLE 20003 Scheduled task being enabled.
SCHEDULED_TASK_DISABLE 20004 Scheduled task being disabled.
SCHEDULED_TASK_MODIFICATION 20005 Scheduled task being modified.
SYSTEM_AUDIT_LOG_UNCATEGORIZED 21000 A system audit log event that is not a wipe.
SYSTEM_AUDIT_LOG_WIPE 21001 A system audit log wipe.
SERVICE_UNSPECIFIED 22000 Service event that does not fit into one of the other event types.
SERVICE_CREATION 22001 A service creation.
SERVICE_DELETION 22002 A service deletion.
SERVICE_START 22003 A service start.
SERVICE_STOP 22004 A service stop.
SERVICE_MODIFICATION 22005 A service modification.
GENERIC_EVENT 100000 OS events that do not fall in any of the other above event types. Might include uncategorized Windows event logs, etc.
RESOURCE_CREATION 1 The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION.
RESOURCE_DELETION 2 The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION.
RESOURCE_PERMISSIONS_CHANGE 3 The resource had its permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
RESOURCE_READ 4 The resource was read. This is equivalent to USER_RESOURCE_ACCESS.
RESOURCE_WRITTEN 5 The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
ANALYST_UPDATE_VERDICT 24000 Analyst updating the Verdict (True-positive, False positive, Disregard etc.) of a finding.
ANALYST_UPDATE_REPUTATION 24001 Analyst updating the Reputation (useful, not useful) of a finding.
ANALYST_UPDATE_SEVERITY_SCORE 24002 Analyst updating the Severity score(0-100) of a finding.
ANALYST_UPDATE_STATUS 24007 Analyst updating the finding status.
ANALYST_ADD_COMMENT 24008 Analyst adding a comment for a finding.
ANALYST_UPDATE_PRIORITY 24009 Analyst updating the priority (low, medium, high, etc.) for a finding.
ANALYST_UPDATE_ROOT_CAUSE 24010 Analyst updating the root cause for a finding.
ANALYST_UPDATE_REASON 24011 Analyst updating the reason (malicious, not malicious, etc.) for a finding.

Network.ApplicationProtocol

A network application protocol.

Enum Value Enum Number Description
UNKNOWN_APPLICATION_PROTOCOL 0 The default application protocol.
AFP 1 Apple Filing Protocol.
APPC 2 Advanced Program-to-Program Communication.
AMQP 3 Advanced Message Queuing Protocol.
ATOM 4 Publishing Protocol.
BEEP 5 Block Extensible Exchange Protocol.
BITCOIN 6 Crypto currency protocol.
BIT_TORRENT 7 Peer-to-peer file sharing.
CFDP 8 Coherent File Distribution Protocol.
COAP 9 Constrained Application Protocol.
DCERPC 66 DCE/RPC.
DDS 10 Data Distribution Service.
DEVICE_NET 11 Automation industry protocol.
DHCP 4000 DHCP.
DNS 3000 DNS.
E_DONKEY 12 Classic file sharing protocol.
ENRP 13 Endpoint Handlespace Redundancy Protocol.
FAST_TRACK 14 Filesharing peer-to-peer protocol.
FINGER 15 User Information Protocol.
FREENET 16 Censorship resistant peer-to-peer network.
FTAM 17 File Transfer Access and Management.
GOPHER 18 Gopher protocol.
HL7 19 Health Level Seven.
H323 20 Packet-based multimedia communications system.
HTTP 2000 HTTP.
HTTPS 2001 HTTPS.
IRCP 21 Internet Relay Chat Protocol.
KADEMLIA 22 Peer-to-peer hashtables.
KRB5 65 Kerberos 5.
LDAP 23 Lightweight Directory Access Protocol.
LPD 24 Line Printer Daemon Protocol.
MIME 25 Multipurpose Internet Mail Extensions and Secure MIME.
MODBUS 26 Serial communications protocol.
MQTT 27 Message Queuing Telemetry Transport.
NETCONF 28 Network Configuration.
NFS 29 Network File System.
NIS 30 Network Information Service.
NNTP 31 Network News Transfer Protocol.
NTCIP 32 National Transportation Communications for Intelligent Transportation System.
NTP 33 Network Time Protocol.
OSCAR 34 AOL Instant Messenger Protocol.
PNRP 35 Peer Name Resolution Protocol.
QUIC 1000 QUIC.
RDP 36 Remote Desktop Protocol.
RELP 37 Reliable Event Logging Protocol.
RIP 38 Routing Information Protocol.
RLOGIN 39 Remote Login in UNIX Systems.
RPC 40 Remote Procedure Call.
RTMP 41 Real Time Messaging Protocol.
RTP 42 Real-time Transport Protocol.
RTPS 43 Real Time Publish Subscribe.
RTSP 44 Real Time Streaming Protocol.
SAP 45 Session Announcement Protocol.
SDP 46 Session Description Protocol.
SIP 47 Session Initiation Protocol.
SLP 48 Service Location Protocol.
SMB 49 Server Message Block.
SMTP 50 Simple Mail Transfer Protocol.
SNTP 51 Simple Network Time Protocol.
SSH 52 Secure Shell.
SSMS 53 Secure SMS Messaging Protocol.
STYX 54 Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
TCAP 55 Transaction Capabilities Application Part.
TDS 56 Tabular Data Stream.
TOR 57 Anonymity network.
TSP 58 Time Stamp Protocol.
VTP 59 Virtual Terminal Protocol.
WHOIS 60 Remote Directory Access Protocol.
WEB_DAV 61 Web Distributed Authoring and Versioning.
X400 62 Message Handling Service Protocol.
X500 63 Directory Access Protocol (DAP).
XMPP 64 Extensible Messaging and Presence Protocol.

Network.Direction

A network traffic direction.

Enum Value Enum Number Description
UNKNOWN_DIRECTION 0 The default direction.
INBOUND 1 An inbound request.
OUTBOUND 2 An outbound request.
BROADCAST 3 A broadcast.

Network.IpProtocol

An IP protocol. Unlike the application protocol enum, the numbers here are the IANA-assigned IP protocol numbers (TCP is 6, UDP is 17), so the protocol field of a packet header or flow record maps onto them directly; a protocol number with no entry below has no enum value.

Enum Value Enum Number Description
UNKNOWN_IP_PROTOCOL 0 The default protocol.
ICMP 1 ICMP.
IGMP 2 IGMP.
TCP 6 TCP.
UDP 17 UDP.
IP6IN4 41 IPv6 encapsulation (IPv6-in-IPv4).
GRE 47 Generic Routing Encapsulation.
ESP 50 Encapsulating Security Payload.
EIGRP 88 Enhanced Interior Gateway Routing Protocol.
ETHERIP 97 Ethernet-within-IP Encapsulation.
PIM 103 Protocol Independent Multicast.
VRRP 112 Virtual Router Redundancy Protocol.

Noun.Platform

Operating system platform.

Enum Value Enum Number Description
UNKNOWN_PLATFORM 0 Default value.
WINDOWS 1 Windows.
MAC 2 Mac OS.
LINUX 3 Linux.
GCP 4 DEPRECATED - See cloud.environment.
AWS 5 DEPRECATED - See cloud.environment.
AZURE 6 DEPRECATED - See cloud.environment.

Permission.PermissionType

High level categorizations of permission type.

Enum Value Enum Number Description
UNKNOWN_PERMISSION_TYPE 0 Default permission type.
ADMIN_WRITE 1 Administrator write permission.
ADMIN_READ 2 Administrator read permission.
DATA_WRITE 3 Data resource access write permission.
DATA_READ 4 Data resource access read permission.

Priority

Priority that is assigned to a Case or Alert.

Enum Value Enum Number Description
PRIORITY_UNSPECIFIED 0 Default priority level.
PRIORITY_INFO 100 Informational priority.
PRIORITY_LOW 200 Low priority.
PRIORITY_MEDIUM 300 Medium priority.
PRIORITY_HIGH 400 High priority.
PRIORITY_CRITICAL 500 Critical priority.

Reason

Reason for closing an Alert or Case in the SOAR product.

Enum Value Enum Number Description
REASON_UNSPECIFIED 0 Default reason.
REASON_NOT_MALICIOUS 1 Case or Alert not malicious.
REASON_MALICIOUS 2 Case or Alert is malicious.
REASON_MAINTENANCE 3 Case or Alert is under maintenance.

Reputation

Categorization options for the usefulness of a Finding.

Enum Value Enum Number Description
REPUTATION_UNSPECIFIED 0 An unspecified reputation.
USEFUL 1 A categorization of the finding as useful.
NOT_USEFUL 2 A categorization of the finding as not useful.

Resource.ResourceType

Enum Value Enum Number Description
UNSPECIFIED 0 Default type.
MUTEX 1 Mutex.
TASK 2 Task.
PIPE 3 Named pipe.
DEVICE 4 Device.
FIREWALL_RULE 5 Firewall rule.
MAILBOX_FOLDER 6 Mailbox folder.
VPC_NETWORK 7 VPC Network.
VIRTUAL_MACHINE 8 Virtual machine.
STORAGE_BUCKET 9 Storage bucket.
STORAGE_OBJECT 10 Storage object.
DATABASE 11 Database.
TABLE 12 Data table.
CLOUD_PROJECT 13 Cloud project.
CLOUD_ORGANIZATION 14 Cloud organization.
SERVICE_ACCOUNT 15 Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY 16 Access policy.
CLUSTER 17 Cluster.
SETTING 18 Settings.
DATASET 19 Dataset.
BACKEND_SERVICE 20 Endpoint that receives traffic from a load balancer or proxy.

Role.Type

Well-known system roles.

Enum Value Enum Number Description
TYPE_UNSPECIFIED 0 Default user role.
ADMINISTRATOR 1 Product administrator with elevated privileges.
SERVICE_ACCOUNT 2 System service account for automated privilege access.

SecurityResult.Action

Enum representing different possible actions taken by the product that created the event.

Enum Value Enum Number Description
UNKNOWN_ACTION 0 The default action.
ALLOW 1 Allowed.
BLOCK 2 Blocked.
ALLOW_WITH_MODIFICATION 3 Allowed after something was stripped or modified (e.g. a file or email was disinfected or rewritten and still forwarded).
QUARANTINE 4 Put somewhere for later analysis (does NOT imply block).
FAIL 5 Failed (e.g. the event was allowed but failed).

SecurityResult.AlertState

The type of alerting set up for a security result.

Enum Value Enum Number Description
UNSPECIFIED 0 The alert state is not known.
NOT_ALERTING 1 The security result is not an alert.
ALERTING 2 The security result is an alert.

SecurityResult.ProductConfidence

A level of confidence in the result.

Enum Value Enum Number Description
UNKNOWN_CONFIDENCE 0 The default confidence level.
LOW_CONFIDENCE 200 Low confidence.
MEDIUM_CONFIDENCE 300 Medium confidence.
HIGH_CONFIDENCE 400 High confidence.

SecurityResult.ProductPriority

A product priority level.

Enum Value Enum Number Description
UNKNOWN_PRIORITY 0 Default priority level.
LOW_PRIORITY 200 Low priority.
MEDIUM_PRIORITY 300 Medium priority.
HIGH_PRIORITY 400 High priority.

SecurityResult.ProductSeverity

Severity as defined by the product.

Enum Value Enum Number Description
UNKNOWN_SEVERITY 0 The default severity level.
INFORMATIONAL 100 Info severity.
ERROR 150 An error.
LOW 200 Low-severity malicious result.
MEDIUM 300 Medium-severity malicious result.
HIGH 400 High-severity malicious result.
CRITICAL 500 Critical-severity malicious result.

SecurityResult.SecurityCategory

SecurityCategory is used to standardize security categories across products so one event is not categorized as "malware" and another as a "virus".

Enum Value Enum Number Description
UNKNOWN_CATEGORY 0 The default category.
SOFTWARE_MALICIOUS 10000 Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS 10100 Below the conviction threshold; probably bad.
SOFTWARE_PUA 10200 Potentially Unwanted App (adware, etc.).
NETWORK_MALICIOUS 20000 C&C, network exploit, etc.
NETWORK_SUSPICIOUS 20100 Suspicious activity, potential reverse tunnel, etc.
NETWORK_CATEGORIZED_CONTENT 20200 Non-security related: URL has category like gambling, porn, etc.
NETWORK_DENIAL_OF_SERVICE 20300 DoS, DDoS.
NETWORK_RECON 20400 Port scan detected by an IDS, probing of web app.
NETWORK_COMMAND_AND_CONTROL 20500 Known command-and-control channel.
ACL_VIOLATION 30000 Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION 40000 Authentication failed (e.g. bad password or bad 2-factor authentication).
EXPLOIT 50000 Exploit: all manner of exploits, including attempted overflows, bad protocol encodings, ROP, SQL injection, etc., for both network- and host-based exploits.
DATA_EXFILTRATION 60000 DLP: Sensitive data transmission, copy to thumb drive.
DATA_AT_REST 60100 DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION 60200 Attempt to destroy/delete data.
MAIL_SPAM 70000 Spam email.
MAIL_PHISHING 70100 Phishing email, chat messages, etc.
MAIL_SPOOFING 70200 Spoofed source email address, etc.
POLICY_VIOLATION 80000 Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
SOCIAL_ENGINEERING 90001 Threats which manipulate to break normal security procedures.
PHISHING 90002 Phishing pages, pop-ups, HTTPS phishing, etc.
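The SecurityCategory, Action and ProductSeverity tables exist so that one product's "virus" and another's "Trojan.Generic" land on the same enum value and a single rule can match both. The following is an added example, not part of the UDM schema or any Google parser: it maps constructed vendor log lines onto the SecurityCategory and Action enums listed above and then runs the check a SOC actually writes against the normalized result (malicious verdict, product did not stop it). The enum members and numbers are a subset copied from this page; the vendor vocabulary, the key=value log format and the sample lines are hypothetical.

```python
"""Added example, not part of the UDM schema or any Google parser: map constructed
vendor log lines onto the SecurityResult.SecurityCategory and SecurityResult.Action
enums from this page, then run the check a SOC would write against the result.
Enum members and numbers are a subset copied from the tables above; the vendor
vocabulary and log format are hypothetical."""
import shlex
from enum import IntEnum


class SecurityCategory(IntEnum):
    UNKNOWN_CATEGORY = 0
    SOFTWARE_MALICIOUS = 10000
    SOFTWARE_SUSPICIOUS = 10100
    SOFTWARE_PUA = 10200
    NETWORK_MALICIOUS = 20000
    NETWORK_CATEGORIZED_CONTENT = 20200
    NETWORK_COMMAND_AND_CONTROL = 20500
    MAIL_PHISHING = 70100
    PHISHING = 90002


class Action(IntEnum):
    UNKNOWN_ACTION = 0
    ALLOW = 1
    BLOCK = 2
    ALLOW_WITH_MODIFICATION = 3
    QUARANTINE = 4
    FAIL = 5


# Hypothetical vendor vocabulary; a real CBN parser carries one per product.
CATEGORY_SYNONYMS = {
    "virus": SecurityCategory.SOFTWARE_MALICIOUS,
    "malware": SecurityCategory.SOFTWARE_MALICIOUS,
    "trojan": SecurityCategory.SOFTWARE_MALICIOUS,
    "rootkit": SecurityCategory.SOFTWARE_MALICIOUS,
    "heuristic": SecurityCategory.SOFTWARE_SUSPICIOUS,
    "adware": SecurityCategory.SOFTWARE_PUA,
    "pup": SecurityCategory.SOFTWARE_PUA,
    "gambling": SecurityCategory.NETWORK_CATEGORIZED_CONTENT,
    "c2": SecurityCategory.NETWORK_COMMAND_AND_CONTROL,
    "beacon": SecurityCategory.NETWORK_COMMAND_AND_CONTROL,
    "phishing url": SecurityCategory.PHISHING,
    "phishing mail": SecurityCategory.MAIL_PHISHING,
}
ACTION_SYNONYMS = {
    "allowed": Action.ALLOW, "permit": Action.ALLOW,
    "blocked": Action.BLOCK, "deny": Action.BLOCK, "dropped": Action.BLOCK,
    "quarantined": Action.QUARANTINE,
    "cleaned": Action.ALLOW_WITH_MODIFICATION, "disinfected": Action.ALLOW_WITH_MODIFICATION,
    "failed": Action.FAIL,
}
MALICIOUS = {
    SecurityCategory.SOFTWARE_MALICIOUS, SecurityCategory.NETWORK_MALICIOUS,
    SecurityCategory.NETWORK_COMMAND_AND_CONTROL,
    SecurityCategory.MAIL_PHISHING, SecurityCategory.PHISHING,
}
# Actions that leave a malicious object in play. QUARANTINE is deliberately
# absent: the Action table says it "does NOT imply block", so whether a
# quarantined sample still needs a human is a per-product decision.
NOT_STOPPED = {Action.ALLOW, Action.FAIL, Action.UNKNOWN_ACTION}


def normalize_category(label: str) -> SecurityCategory:
    """Longest matching synonym wins: 'Trojan.Generic.1234' -> SOFTWARE_MALICIOUS,
    and 'phishing mail' cannot be swallowed by a shorter key. Unmapped -> UNKNOWN."""
    text = label.lower()
    for key in sorted(CATEGORY_SYNONYMS, key=len, reverse=True):
        if key in text:
            return CATEGORY_SYNONYMS[key]
    return SecurityCategory.UNKNOWN_CATEGORY


def normalize_action(label: str) -> Action:
    return ACTION_SYNONYMS.get(label.strip().lower(), Action.UNKNOWN_ACTION)


def parse_vendor_line(line: str) -> dict:
    """Constructed key=value format; quoted values may contain spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def normalize(line: str) -> dict:
    fields = parse_vendor_line(line)
    return {
        "host": fields.get("host", ""),
        "category": normalize_category(fields.get("threat", "")),
        "action": normalize_action(fields.get("action", "")),
    }


def needs_response(result: dict) -> bool:
    """Detection: a malicious verdict that the product did not stop."""
    return result["category"] in MALICIOUS and result["action"] in NOT_STOPPED


# Constructed sample lines from hypothetical products.
SAMPLE_LINES = [
    'ts=2024-05-01T10:00:00Z product=ExampleAV threat="Trojan.Generic.1234" action=quarantined host=ws01',
    'ts=2024-05-01T10:00:05Z product=ExampleProxy threat="C2 beacon" action=allowed host=ws01',
    'ts=2024-05-01T10:00:09Z product=ExampleAV threat="PUP.Optional.Adware" action=cleaned host=ws02',
    'ts=2024-05-01T10:00:12Z product=ExampleMail threat="phishing mail" action=failed host=mx01',
    'ts=2024-05-01T10:00:15Z product=ExampleProxy threat=Gambling action=blocked host=ws03',
]


def triage(lines) -> list:
    """(host, category name) for every event that still needs a responder."""
    results = [normalize(line) for line in lines]
    return [(r["host"], r["category"].name) for r in results if needs_response(r)]
```

Running `triage(SAMPLE_LINES)` flags the allowed C2 beacon on ws01 and the failed phishing-mail action on mx01, while the quarantined trojan, the cleaned adware and the blocked gambling URL do not page anyone. Two design points carry over to real parsers: unmapped vendor strings must fall to UNKNOWN_CATEGORY rather than to a guessed category, and the "not stopped" set is an explicit choice because the Action table does not treat QUARANTINE as a block.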

SecurityResult.ThreatStatus

Vendor-specific information about the status of a threat in the wild (ITW).

Enum Value Enum Number Description
THREAT_STATUS_UNSPECIFIED 0 Default threat status
ACTIVE 1 Active threat.
CLEARED 2 Cleared threat.
FALSE_POSITIVE 3 False positive.

Status

Describes status of a Finding.

Enum Value Enum Number Description
STATUS_UNSPECIFIED 0 Unspecified finding status.
NEW 1 New finding.
REVIEWED 2 The finding has received analyst feedback.
CLOSED 3 An analyst has closed the finding.
OPEN 4 Open. Used to indicate that a Case or Alert is open.

User.AccountType

User Account Type.

Enum Value Enum Number Description
ACCOUNT_TYPE_UNSPECIFIED 0 Default user account type.
DOMAIN_ACCOUNT_TYPE 1 A human account that belongs to a directory-services domain.
LOCAL_ACCOUNT_TYPE 2 A local machine account.
CLOUD_ACCOUNT_TYPE 3 A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE 4 A non-human account for data access.
DEFAULT_ACCOUNT_TYPE 5 A system built in default account.

User.Role

User system roles.

Enum Value Enum Number Description
UNKNOWN_ROLE 0 Default user role.
ADMINISTRATOR 1 Product administrator with elevated privileges.
SERVICE_ACCOUNT 2 System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

Verdict

Categorization options for the validity of a Finding (i.e. whether it reflects an actual security incident).

Enum Value Enum Number Description
VERDICT_UNSPECIFIED 0 An unspecified verdict.
TRUE_POSITIVE 1 A categorization of the finding as a "true positive".
FALSE_POSITIVE 2 A categorization of the finding as a "false positive".

Vulnerability.Severity

Severity of the vulnerability.

Enum Value Enum Number Description
UNKNOWN_SEVERITY 0 The default severity level.
LOW 1 Low severity.
MEDIUM 2 Medium severity.
HIGH 3 High severity.
CRITICAL 4 Critical severity.

Standard datatypes

Standard datatypes and the equivalent types in other languages. These are the protocol buffer scalar types; the Notes column describes their wire encoding, which is why the same integer can cost a different number of bytes depending on the declared type.

Datatype Notes C++ Java Python Go C# PHP Ruby
double double double float float64 double float Float
float float float float float32 float float Float
int32 Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. int32 int int int32 int integer Bignum or Fixnum (as required)
int64 Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. int64 long int/long int64 long integer/string Bignum
uint32 Uses variable-length encoding. uint32 int int/long uint32 uint integer Bignum or Fixnum (as required)
uint64 Uses variable-length encoding. uint64 long int/long uint64 ulong integer/string Bignum or Fixnum (as required)
sint32 Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. int32 int int int32 int integer Bignum or Fixnum (as required)
sint64 Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. int64 long int/long int64 long integer/string Bignum
fixed32 Always four bytes. More efficient than uint32 if values are often greater than 2^28. uint32 int int uint32 uint integer Bignum or Fixnum (as required)
fixed64 Always eight bytes. More efficient than uint64 if values are often greater than 2^56. uint64 long int/long uint64 ulong integer/string Bignum
sfixed32 Always four bytes. int32 int int int32 int integer Bignum or Fixnum (as required)
sfixed64 Always eight bytes. int64 long int/long int64 long integer/string Bignum
bool bool boolean boolean bool bool boolean TrueClass/FalseClass
string A string must always contain UTF-8 encoded or 7-bit ASCII text. string String str/unicode string string string String (UTF-8)
bytes May contain any arbitrary sequence of bytes. string ByteString str []byte ByteString string String (ASCII-8BIT)
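The Notes column makes three claims that are easy to check once the encodings are written out: a negative int32 is expensive, sint32 fixes that with zig-zag, and fixed32 beats uint32 above 2^28. The block below is an added example, not from the UDM docs or the protobuf runtime: a pure-Python varint, zig-zag and fixed-width encoder/decoder with bounds checking, so those claims can be verified byte for byte. All function names are this example's own.

```python
"""Added example, not from the UDM docs or the protobuf runtime: the wire
encodings behind the datatype table, in pure Python, so the table's notes
(negative int32 is costly, sint32 fixes that, fixed32 wins above 2^28) can
be checked byte for byte. Function names are this example's own."""

MASK64 = (1 << 64) - 1


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 payload bits per byte, least significant group
    first, continuation bit (0x80) set on every byte but the last."""
    if value < 0:
        raise ValueError("varint takes an unsigned value; sign-extend or zig-zag first")
    out = bytearray()
    while True:
        group, value = value & 0x7F, value >> 7
        if value:
            out.append(group | 0x80)
        else:
            out.append(group)
            return bytes(out)


def decode_varint(data: bytes) -> tuple:
    """Return (value, bytes_consumed). Rejects truncated and over-long input:
    a parser fed untrusted bytes must bound this loop, otherwise a long run of
    continuation bytes is accepted as a valid (and huge) value."""
    value = shift = 0
    for i, byte in enumerate(data):
        if i == 10:
            raise ValueError("varint exceeds the 10-byte maximum")
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, i + 1
        shift += 7
    raise ValueError("truncated varint")


def is_wellformed_varint(data: bytes) -> bool:
    try:
        decode_varint(data)
        return True
    except ValueError:
        return False


def encode_int64(value: int) -> bytes:
    """int32/int64: two's complement sign-extended to 64 bits before the
    varint, so every negative value costs the full 10 bytes."""
    return encode_varint(value & MASK64)


def decode_int64(data: bytes) -> tuple:
    value, used = decode_varint(data)
    return (value - (1 << 64) if value >= (1 << 63) else value), used


def zigzag(value: int, bits: int) -> int:
    """sint32/sint64: interleave signs so small magnitudes stay small:
    0 -> 0, -1 -> 1, 1 -> 2, -2 -> 3, ... (Python's >> is arithmetic)."""
    return (value << 1) ^ (value >> (bits - 1))


def unzigzag(n: int) -> int:
    return (n >> 1) ^ -(n & 1)


def encode_sint32(value: int) -> bytes:
    return encode_varint(zigzag(value, 32))


def decode_sint32(data: bytes) -> tuple:
    n, used = decode_varint(data)
    return unzigzag(n), used


def encode_fixed32(value: int) -> bytes:
    """fixed32: always four bytes, little-endian, unsigned."""
    return value.to_bytes(4, "little", signed=False)


def encode_sfixed32(value: int) -> bytes:
    """sfixed32: always four bytes, little-endian, two's complement."""
    return value.to_bytes(4, "little", signed=True)


def encoded_sizes(value: int) -> dict:
    """Byte cost of one signed 32-bit value under each integer encoding."""
    return {
        "int32": len(encode_int64(value)),
        "sint32": len(encode_sint32(value)),
        "sfixed32": len(encode_sfixed32(value)),
    }
```

`encoded_sizes(-1)` returns 10 bytes for int32, 1 for sint32 and 4 for sfixed32, which is exactly the table's advice; `encode_varint(2**28)` is the first value that needs a fifth byte, so above that boundary the four-byte fixed32 is the cheaper choice. The bound in `decode_varint` is the practical takeaway for anyone decoding protobuf-framed telemetry by hand: varints have a hard 10-byte maximum, and a decoder that does not enforce it will accept attacker-controlled lengths it should have rejected.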