Unified Data Model field list

This document provides a list of fields available in the Unified Data Model schema. When specifying a field, use the following format: <prefix>.<field_name1>.<field_name2>.<...>.<field_nameN>=<value>

When writing rules for Detect Engine, use the <prefix> pattern $event for Event fields and $entity for Entity fields. For example:

  • $event.metadata.event_type
  • $event.network.dhcp.opcode
  • $event.principal.user.location.city
  • $entity.graph.entity.hostname
  • $entity.graph.metadata.product_name

When writing configuration-based normalizer (CBN) parsers, use the <prefix> pattern event.idm.read_only_udm for UDM Event fields and event.idm.graph for UDM Entity fields. For example:

  • event.idm.read_only_udm.metadata.event_type
  • event.idm.read_only_udm.network.dhcp.opcode
  • event.idm.read_only_udm.principal.user.location.city
  • event.idm.graph.entity.user.user_display_name
  • event.idm.graph.entity.asset.hostname

Field name and field type values can look similar. This document uses style conventions to help you identify the differences:

  • Field type values use CamelCase characters. For example, Platform and EventType.
  • Field name values use lowercase characters. For example, platform and event_type.
  • Standard datatype values use lowercase characters.

UDM Entity data model

Entity

An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.

Field Name Type Label Description
metadata EntityMetadata Entity metadata such as timestamp, product, etc.
entity Noun Noun in the UDM event that this entity represents.
relations Relation repeated One or more relationships between the entity (a) and other entities, including the relationship type and related entity.
additional google.protobuf.Struct Important entity data that cannot be adequately represented within the formal sections of the Entity.
risk_score EntityRisk optional Stores information related to the entity's risk score.
metric Metric Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC.

EntityMetadata

Information about the Entity and the product where the entity was created.

Field Name Type Label Description
product_entity_id string A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar).
collected_timestamp google.protobuf.Timestamp GMT timestamp when the entity information was collected by the vendor's local collection infrastructure.
creation_timestamp google.protobuf.Timestamp GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected.
interval google.type.Interval Valid existence time range for the version of the entity represented by this entity data.
vendor_name string Vendor name of the product that produced the entity information.
product_name string Product name that produced the entity information.
feed string Vendor feed name for a threat indicator feed.
product_version string Version of the product that produced the entity information.
entity_type EntityMetadata.EntityType (Enumerated list) Entity type. If an entity has multiple possible types, this specifies the most specific type.
description string Human-readable description of the entity.
threat SecurityResult repeated Metadata provided by a threat intelligence feed that identified the entity as malicious.
source_type EntityMetadata.SourceType (Enumerated list) The source of the entity.
source_labels Label repeated Entity source metadata labels.
event_metadata Metadata Metadata field from the event.

EntityRisk

Stores information related to the risk score of an entity.

Field Name Type Label Description
risk_version string Version of the risk score calculation algorithm.
risk_window google.type.Interval Time window used when computing the risk score for an entity, for example 24 hours or 7 days.
DEPRECATED_risk_score int32 Deprecated risk score.
risk_delta RiskDelta optional Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window.
detections_count int32 Number of detections that make up the risk score within the time window.
first_detection_time google.protobuf.Timestamp Timestamp of the first detection within the specified time window. This field is empty when there are no detections.
last_detection_time google.protobuf.Timestamp Timestamp of the last detection within the specified time window. This field is empty when there are no detections.
risk_score float Raw risk score for the entity.
normalized_risk_score int32 Normalized risk score for the entity. This value is between 0-1000.
risk_window_size Int64 Risk window duration for the Entity.
raw_risk_delta RiskDelta optional Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window.

Metric

Stores precomputed aggregated analytic data for an entity.

Field Name Type Label Description
first_seen google.protobuf.Timestamp Timestamp of the first time the entity was seen in the environment.
last_seen google.protobuf.Timestamp Timestamp of the last time the entity was seen in the environment.
sum_measure Metric.Measure Sum of all precomputed measures for the given metric.
total_events int64 Total number of events used to calculate the given precomputed metric.
metric_name Metric.MetricName (Enumerated list) Name of the analytic.
dimensions Metric.Dimension (Enumerated list) repeated All group by clauses used to calculate the metric.
export_window int64 Export window for which the metric was exported.

Metric.Measure

Describes the precomputed measure.

Field Name Type Label Description
value double Value of the aggregated measure.
aggregate_function Metric.AggregateFunction (Enumerated list) Function used to calculate the aggregated measure.

Relation

Defines the relationship between the entity (a) and another entity (b).

Field Name Type Label Description
entity Noun Entity (b) that the primary entity (a) is related to.
entity_type EntityMetadata.EntityType (Enumerated list) Type of the related entity (b) in this relationship.
relationship Relation.Relationship (Enumerated list) Type of relationship.
direction Relation.Directionality (Enumerated list) Directionality of relationship between primary entity (a) and the related entity (b).
uid bytes UID of the relationship.
entity_label Relation.EntityLabel (Enumerated list) Label to identify the Noun of the relation.

RiskDelta

Describes the difference in risk score between two points in time.

Field Name Type Label Description
previous_range_end_time google.protobuf.Timestamp End time of the previous time window.
risk_score_delta int32 Difference in the normalized risk score from the previous recorded value.
previous_risk_score int32 Risk score from the previous risk window.
risk_score_numeric_delta int32 Numeric change between the current and previous risk score.

Entity enumerated types

EntityMetadata.EntityType

Describes the type of entity.

Enum Value Enum Number Description
ASSET 1 An asset, such as workstation, laptop, phone, virtual machine, etc.
USER 10000 User.
GROUP 10001 Group.
RESOURCE 2 Resource.
IP_ADDRESS 3 An external IP address.
FILE 4 A file.
DOMAIN_NAME 5 A domain.
URL 6 A url.
MUTEX 7 A mutex.
METRIC 8 A metric.

EntityMetadata.SourceType

Describes the source of an entity.

Enum Value Enum Number Description
SOURCE_TYPE_UNSPECIFIED 0 Default source type
ENTITY_CONTEXT 1 Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT)
DERIVED_CONTEXT 2 Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats.
GLOBAL_CONTEXT 3 Global contextual entities such as WHOIS or Safe Browsing.

Metric.AggregateFunction

Mathematic function used to calculate the value.

Enum Value Enum Number Description
AGGREGATE_FUNCTION_UNSPECIFIED 0 Default value.
MIN 1 Minimum.
MAX 2 Maximum.
COUNT 3 Count.
SUM 4 Sum.
AVG 5 Average.
STDDEV 6 Standard Deviation.

Metric.Dimension

Describes field used as the dimension when grouping data to calculate the aggregate metric.

Enum Value Enum Number Description
DIMENSION_UNSPECIFIED 0 Default
PRINCIPAL_DEVICE 1 Principal Device
TARGET_USER 2 Target User
TARGET_DEVICE 3 Target Device
PRINCIPAL_USER 4 Principal User
TARGET_IP 5 Target IP
PRINCIPAL_FILE_HASH 6 Principal File Hash
PRINCIPAL_COUNTRY 7 Principal Country
SECURITY_CATEGORY 8 Security Category
NETWORK_ASN 9 Network ASN
CLIENT_CERTIFICATE_HASH 10 Client Certificate Hash
DNS_QUERY_TYPE 11 DNS Query Type
DNS_DOMAIN 12 DNS Domain
HTTP_USER_AGENT 13 HTTP User Agent
EVENT_TYPE 14 Event Type
PRODUCT_NAME 15 Product Name
PRODUCT_EVENT_TYPE 16 Product Event Type
PARENT_FOLDER_PATH 17 Parent Folder Path
TARGET_RESOURCE_NAME 18 Target resource Name
PRINCIPAL_APPLICATION 19 Principal Application.
TARGET_APPLICATION 20 Target Application.
EMAIL_TO_ADDRESS 21 Email To Address.
EMAIL_FROM_ADDRESS 22 Email From Address.
MAIL_ID 23 Mail Id.
PRINCIPAL_IP 24 Principal IP.
SECURITY_ACTION 25 Security Action.
SECURITY_RULE_ID 28 Security Rule Id.
TARGET_NETWORK_ORGANIZATION_NAME 29 Target Network Organization name.
PRINCIPAL_NETWORK_ORGANIZATION_NAME 30 Principal Network Organization name.
PRINCIPAL_PROCESS_FILE_PATH 31 Principal Process File Path.
PRINCIPAL_PROCESS_FILE_HASH 32 Principal Process File SHA256 Hash.
SECURITY_RESULT_RULE_NAME 33 Security Result rule name.

Metric.MetricName

The name of the precomputed analytic.

Enum Value Enum Number Description
METRIC_NAME_UNSPECIFIED 0 Default
NETWORK_BYTES_INBOUND 1 Total received network bytes.
NETWORK_BYTES_OUTBOUND 2 Total network sent bytes.
NETWORK_BYTES_TOTAL 3 Total network sent bytes and received bytes.
AUTH_ATTEMPTS_SUCCESS 4 Successful authentication attempts.
AUTH_ATTEMPTS_FAIL 5 Failed authentication attempts.
AUTH_ATTEMPTS_TOTAL 6 Total authentication attempts.
DNS_BYTES_OUTBOUND 7 Total number of sent bytes for DNS events.
NETWORK_FLOWS_INBOUND 8 Total number of events having non-null received bytes.
NETWORK_FLOWS_OUTBOUND 9 Total number of events having non-null sent bytes.
NETWORK_FLOWS_TOTAL 10 Total events having non-null sent or received bytes.
DNS_QUERIES_SUCCESS 11 DNS query success count - Number of events with response_code = 0.
DNS_QUERIES_FAIL 12 Number of events with response_code != 0.
DNS_QUERIES_TOTAL 13 Total number of DNS queries made.
FILE_EXECUTIONS_SUCCESS 14 Number of successful file executions.
FILE_EXECUTIONS_FAIL 15 Number of failed file executions.
FILE_EXECUTIONS_TOTAL 16 Total number of file executions.
HTTP_QUERIES_SUCCESS 17 Number of successful HTTP queries.
HTTP_QUERIES_FAIL 18 Number of failed HTTP queries.
HTTP_QUERIES_TOTAL 19 Total number of HTTP queries.
WORKSPACE_EMAILS_SENT_TOTAL 20 Total number of emails sent in Google Workspace.
WORKSPACE_TOTAL_DOWNLOAD_ACTIONS 21 Total number of download actions in Google Workspace.
WORKSPACE_TOTAL_CHANGE_ACTIONS 22 Total number of change actions in Google Workspace.
WORKSPACE_AUTH_ATTEMPTS_TOTAL 23 Total number of authentication attempts in Google Workspace.
WORKSPACE_NETWORK_BYTES_OUTBOUND 24 Number of outbound network bytes (total sent) in Google Workspace.
WORKSPACE_NETWORK_BYTES_TOTAL 25 Total number of network bytes (both sent and received) in Google Workspace.
ALERT_EVENT_NAME_COUNT 26 Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH.

Relation.Directionality

Describes the relationship model as directed or undirected.

Enum Value Enum Number Description
DIRECTIONALITY_UNSPECIFIED 0 Default value.
BIDIRECTIONAL 1 Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a).
UNIDIRECTIONAL 2 Modeled in a single direction. Primary entity (a) to related entity (b).

Relation.EntityLabel

Entity label of the relation.

Enum Value Enum Number Description
ENTITY_LABEL_UNSPECIFIED 0 Default value.
PRINCIPAL 1 The Noun represents a principal type object.
TARGET 2 The Noun represents a target type object.
OBSERVER 3 The Noun represents an observer type object.
SRC 4 The Noun represents a src type object.
NETWORK 5 The Noun represents a network type object.
SECURITY_RESULT 6 The Noun represents a SecurityResult object.
INTERMEDIARY 7 The Noun represents an intermediary type object.

Relation.Relationship

Type of relationship between the primary entity (a) and related entity (b).

Enum Value Enum Number Description
RELATIONSHIP_UNSPECIFIED 0 Default value
OWNS 1 Related entity is owned by the primary entity (e.g. user owns device asset).
ADMINISTERS 2 Related entity is administered by the primary entity (e.g. user administers a group).
MEMBER 3 Primary entity is a member of the related entity (e.g. user is a member of a group).
EXECUTES 4 Primary entity may have executed the related entity.
DOWNLOADED_FROM 5 Primary entity may have been downloaded from the related entity.
CONTACTS 6 Primary entity contacts the related entity.

UDM Event data model

A Unified Data Model event.

Field Name Type Label Description
metadata Metadata Event metadata such as timestamp, source product, etc.
additional google.protobuf.Struct Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model.
principal Noun Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values.
src Noun Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event.
target Noun Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target.
intermediary Noun repeated Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C).
observer Noun Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question.
about Noun repeated Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event.
security_result SecurityResult repeated A list of security results.
network Network All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
extensions Extensions All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network.

Event top level types

Extensions

Extensions to a UDM event.

Field Name Type Label Description
auth Authentication An authentication extension.
vulns Vulnerabilities A vulnerability extension.

Metadata

General information associated with a UDM event.

Field Name Type Label Description
id bytes ID of the UDM event. Can be used for raw and normalized event retrieval.
product_log_id string A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).
event_timestamp google.protobuf.Timestamp The GMT timestamp when the event was generated.
collected_timestamp google.protobuf.Timestamp The GMT timestamp when the event was collected by the vendor's local collection infrastructure.
ingested_timestamp google.protobuf.Timestamp The GMT timestamp when the event was ingested (received) by Chronicle.
event_type Metadata.EventType The event type. If an event has multiple possible types, this specifies the most specific type.
vendor_name string The name of the product vendor.
product_name string The name of the product.
product_version string The version of the product.
product_event_type string A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").
product_deployment_id string The deployment identifier assigned by the vendor for a product deployment.
description string A human-readable unparsable description of the event.
url_back_to_product string A URL that takes the user to the source product console for this event.
ingestion_labels Label repeated User-configured ingestion metadata labels.
tags Tags Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser.
enrichment_state Metadata.EnrichmentState The enrichment state.
log_type string The string value of log type.
base_labels DataAccessLabels Data access labels on the base event.
enrichment_labels DataAccessLabels Data access labels from all the contextual events used to enrich the base event.

Network

A network event.

Field Name Type Label Description
sent_bytes uint64 The number of bytes sent.
received_bytes uint64 The number of bytes received.
sent_packets int64 The number of packets sent.
received_packets int64 The number of packets received.
session_duration Int64 The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer.
session_id string The ID of the network session.
parent_session_id string The ID of the parent network session.
application_protocol_version string The version of the application protocol. e.g. "1.1, 2.0"
community_id string Community ID network flow value.
direction Network.Direction The direction of network traffic.
ip_protocol Network.IpProtocol The IP protocol.
application_protocol Network.ApplicationProtocol The application protocol.
ftp Ftp FTP info.
email Email Email info for the sender/recipient.
dns Dns DNS info.
dhcp Dhcp DHCP info.
http Http HTTP info.
tls Tls TLS info.
smtp Smtp SMTP info. Store fields specific to SMTP not covered by Email.
asn string Autonomous system number.
dns_domain string DNS domain name.
carrier_name string Carrier identification.
organization_name string Organization name (e.g. Google).
ip_subnet_range string Associated human-readable IP subnet range (e.g. 10.1.2.0/24).

Noun

The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

Field Name Type Label Description
hostname string Client hostname or domain name field. Hostname also doubles as the domain for remote entities.
domain Domain Information about the domain.
artifact Artifact Information about an artifact.
url_metadata Url Information about the URL.
asset_id string The asset ID.
user User Information about the user.
user_management_chain User repeated Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.
group Group Information about the group.
process Process Information about the process.
process_ancestors Process repeated Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
asset Asset Information about the asset.
ip string repeated A list of IP addresses associated with a network connection.
nat_ip string repeated A list of NAT translated IP addresses associated with a network connection.
port int32 Source or destination network port number when a specific network connection is described within an event.
nat_port int32 NAT external network port number when a specific network connection is described within an event.
mac string repeated List of MAC addresses associated with a device.
administrative_domain string Domain which the device belongs to (for example, the Microsoft Windows domain).
namespace string Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition.
url string The URL.
file File Information about the file.
email string Email address. Only filled in for security_result.about.
registry Registry Registry information.
application string The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".
platform Noun.Platform Platform.
platform_version string Platform version. For example, "Microsoft Windows 1803".
platform_patch_level string Platform patch level. For example, "Build 17134.48".
cloud Cloud Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).
location Location Physical location. For cloud environments, set the region in location.name.
ip_location Location repeated Deprecated: use ip_geo_artifact.location instead.
ip_geo_artifact Artifact repeated Enriched geographic information corresponding to an IP address. Specifically, location and network data.
resource Resource Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun.
resource_ancestors Resource repeated Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).
labels Label repeated Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).
object_reference Id Finding to which the Analyst updated the feedback.
investigation Investigation Analyst feedback/investigation for alerts.
network Network Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
security_result SecurityResult repeated A list of security results.

SecurityResult

Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

Field Name Type Label Description
about Noun If the security result is about a specific entity (Noun), add it here.
category SecurityResult.SecurityCategory repeated The security category.
category_details string repeated For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn".
threat_name string A vendor-assigned classification common across multiple customers (e.g. "W32/File-A", "Slammer").
rule_set string The result's rule set identifier. (e.g. "windows-threats")
rule_set_display_name string The curated detections rule set display name.
ruleset_category_display_name string The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats").
rule_id string A vendor-specific ID and name for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").
rule_name string Name of the security rule (e.g. "BlockInboundToOracle").
rule_version string Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed.
rule_type string The type of security rule.
rule_author string Author of the security rule.
rule_labels Label repeated A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John").
alert_state SecurityResult.AlertState The alerting types of this security result.
detection_fields Label repeated An ordered list of values that represent fields in detections for a security finding. This list represents a mapping of names of requested entities to their values (i.e. the security result matched variables).
outcomes Label repeated A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to their values.
summary string A human readable summary (e.g. "failed login occurred").
description string A human readable description (e.g. "user password was wrong").
action SecurityResult.Action repeated Actions taken for this event.
action_details string The detail of the action taken as provided by the vendor.
severity SecurityResult.ProductSeverity The severity of the result.
confidence SecurityResult.ProductConfidence The confidence level of the result as estimated by the product.
priority SecurityResult.ProductPriority The priority of the result.
risk_score float The risk score of the security result.
confidence_score float The confidence score of the security result.
analytics_metadata AnalyticsMetadata repeated Stores metadata about each risk analytic metric the rule uses.
severity_details string Vendor-specific severity.
confidence_details string Additional detail with regards to the confidence of a security event as estimated by the product vendor.
priority_details string Vendor-specific information about the security result priority.
url_back_to_product string URL that takes the user to the source product console for this event.
threat_id string Vendor-specific ID for a threat.
threat_feed_name string Vendor feed name for a threat indicator feed.
threat_id_namespace Id.Namespace The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id.
threat_status SecurityResult.ThreatStatus Current status of the threat
attack_details AttackDetails MITRE ATT&CK details.
first_discovered_time google.protobuf.Timestamp First time the IoC threat was discovered in the provider.
associations SecurityResult.Association repeated Associations related to the threat.
campaigns string repeated Campaigns using this IOC threat.
verdict SecurityResult.Verdict Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead.
last_updated_time google.protobuf.Timestamp Last time the IoC threat was updated in the provider.
verdict_info SecurityResult.VerdictInfo repeated Verdict information about the IoC from the provider.
threat_verdict ThreatVerdict GCTI threat verdict on the security result entity.
last_discovered_time google.protobuf.Timestamp Last time the IoC was seen in the provider data.
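Two constraints in this document are easy to violate in a parser and hard to spot afterwards: the principal Noun must carry at least one machine or user detail and must not carry email, file or registry fields (see the UDM Event table), and a SecurityResult's about Noun must identify the implicated object when the result is scoped to a specific object. The linter below, added here as an illustration and not part of the UDM documentation or any Chronicle tooling, checks a decoded UDM event dict against those two rules. The field names come from the Noun and SecurityResult tables on this page; the two sample events and the `lint_event` helper are constructed for the example.

```python
"""Lint a UDM event (a dict decoded from JSON) against two rules stated in the
UDM field list: principal content constraints and SecurityResult.about content.
Added example, not part of the UDM documentation or any Chronicle tooling."""

# Noun fields that count as a "machine detail" for the principal (from the
# UDM Event table: hostname, MACs, IPs, port, product-specific asset IDs).
MACHINE_DETAIL_FIELDS = ("hostname", "mac", "ip", "port", "asset_id")
# Noun fields the principal must NOT include (same table).
FORBIDDEN_PRINCIPAL_FIELDS = ("email", "file", "registry")
# Noun fields that identify the object a SecurityResult is about
# (process, user, IP, domain, URL, or email address per the SecurityResult text).
ABOUT_IDENTIFYING_FIELDS = ("process", "user", "ip", "domain", "url", "email")


def _present(value) -> bool:
    """True when a field value carries data: non-empty strings/lists/dicts,
    or any non-None scalar (port 0 is still a value)."""
    if value is None:
        return False
    if isinstance(value, (str, list, dict)):
        return len(value) > 0
    return True


def lint_principal(principal: dict) -> list[str]:
    """Return problems with the principal Noun (empty list when it is valid)."""
    problems = []
    has_machine = any(_present(principal.get(f)) for f in MACHINE_DETAIL_FIELDS)
    has_user = _present(principal.get("user"))
    if not (has_machine or has_user):
        problems.append("principal lacks both machine details and user details")
    for f in FORBIDDEN_PRINCIPAL_FIELDS:
        if f in principal:
            problems.append(f"principal must not include '{f}'")
    return problems


def lint_security_result(result: dict, index: int) -> list[str]:
    """Return problems with one SecurityResult. If 'about' is set, it must
    identify the implicated object; an empty 'about' should be omitted."""
    if "about" not in result:
        return []
    about = result["about"]
    if any(_present(about.get(f)) for f in ABOUT_IDENTIFYING_FIELDS):
        return []
    return [f"security_result[{index}].about is set but identifies no object"]


def lint_event(event: dict) -> list[str]:
    """Run all checks over one UDM event and return the list of problems."""
    problems = []
    if "principal" in event:
        problems += lint_principal(event["principal"])
    for i, result in enumerate(event.get("security_result", [])):
        problems += lint_security_result(result, i)
    return problems


# Constructed sample events (not real data).
EVENT_OK = {
    "metadata": {"event_type": "NETWORK_CONNECTION"},
    "principal": {"hostname": "ws-01", "ip": ["10.1.2.3"]},
    "target": {"ip": ["203.0.113.9"], "port": 443},
    "security_result": [{"about": {"ip": ["203.0.113.9"]}, "action": ["BLOCK"]}],
}

EVENT_BAD = {
    "metadata": {"event_type": "EMAIL_TRANSACTION"},
    # email is forbidden on principal, and nothing here is a machine/user detail
    "principal": {"email": "abc@example.corp"},
    # an empty 'about' should have been left out entirely
    "security_result": [{"about": {}, "summary": "SPAM found in this email"}],
}

if __name__ == "__main__":
    for name, ev in (("EVENT_OK", EVENT_OK), ("EVENT_BAD", EVENT_BAD)):
        print(name, lint_event(ev) or "no problems")
```

Running the module prints no problems for the first event and three for the second (missing principal details, forbidden email on principal, and an about Noun that identifies nothing). The checks are deliberately structural: the linter cannot know whether a result was meant to apply to the whole event, so it only flags an about Noun that is present but names no object.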

Event subtypes

AnalyticsMetadata

Stores information about an analytics metric used in a rule.

Field Name Type Label Description
analytic string Name of the analytic.

Artifact

Information about an artifact. The artifact can only be an IP.

Field Name Type Label Description
ip string IP address of the artifact.
prevalence Prevalence The prevalence of the artifact within the customer's environment.
first_seen_time google.protobuf.Timestamp First seen timestamp of the IP in the customer's environment.
last_seen_time google.protobuf.Timestamp Last seen timestamp of the IP address in the customer's environment.
location Location Location of the Artifact's IP address.
network Network Network information related to the Artifact's IP address.
as_owner string Owner of the Autonomous System to which the IP address belongs.
asn int64 Autonomous System Number to which the IP address belongs.
jarm string The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a).
last_https_certificate SSLCertificate SSL certificate information about the IP address.
last_https_certificate_date google.protobuf.Timestamp Most recent date for the certificate in VirusTotal.
regional_internet_registry string RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC).
tags string repeated Identification attributes
whois string WHOIS information as returned from the pertinent WHOIS server.
whois_date google.protobuf.Timestamp Date of the last update of the WHOIS record in VirusTotal.

Asset

Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.

Field Name Type Label Description
product_object_id string A vendor-specific identifier to uniquely identify the entity (a GUID or similar).
hostname string Asset hostname or domain name field.
asset_id string The asset ID. Value must contain the ':' character. For example, cs:abcdd23434.
ip string repeated A list of IP addresses associated with an asset.
mac string repeated List of MAC addresses associated with an asset.
nat_ip string repeated List of NAT IP addresses associated with an asset.
first_seen_time google.protobuf.Timestamp The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.
hardware Hardware repeated The asset hardware specifications.
platform_software PlatformSoftware The asset operating system platform software.
software Software repeated The asset software details.
location Location Location of the asset.
category string The category of the asset (e.g. "End User Asset", "Workstation", "Server").
type Asset.AssetType The type of the asset (e.g. workstation or laptop or server).
network_domain string The network domain of the asset (e.g. "corp.acme.com")
creation_time google.protobuf.Timestamp Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.
first_discover_time google.protobuf.Timestamp Time the asset was first discovered (by asset management/discoverability software).
last_discover_time google.protobuf.Timestamp Time the asset was last discovered (by asset management/discoverability software).
system_last_update_time google.protobuf.Timestamp Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time.
last_boot_time google.protobuf.Timestamp Time the asset was last booted.
labels Label repeated Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.
deployment_status Asset.DeploymentStatus The deployment status of the asset for device lifecycle purposes.
vulnerabilities Vulnerability repeated Vulnerabilities discovered on asset.
attribute Attribute Generic entity metadata attributes of the asset.

AttackDetails

MITRE ATT&CK details.

Field Name Type Label Description
version string ATT&CK version (e.g. 12.1).
tactics AttackDetails.Tactic repeated Tactics employed.
techniques AttackDetails.Technique repeated Techniques employed.

AttackDetails.Tactic

Tactic information related to an attack or threat.

Field Name Type Label Description
id string Tactic ID (e.g. "TA0043").
name string Tactic Name (e.g. "Reconnaissance").

AttackDetails.Technique

Technique information related to an attack or threat.

Field Name Type Label Description
id string Technique ID (e.g. "T1595").
name string Technique Name (e.g. "Active Scanning").
subtechnique_id string Subtechnique ID (e.g. "T1595.001").
subtechnique_name string Subtechnique Name (e.g. "Scanning IP Blocks").

Attribute

Attribute is a container for generic entity attributes, including attributes common across core entities (such as user or asset). For example, Cloud is a generic entity attribute because it can apply to an asset (for example, a VM) or to a user (for example, an identity service account).

Field Name Type Label Description
cloud Cloud Cloud metadata attributes such as project ID, account ID, or organizational hierarchy.
labels Label repeated Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings.
permissions Permission repeated System permissions for IAM entity (human principal, service account, group).
roles Role repeated System IAM roles to be assumed by resources to use the role's permissions for access control.
creation_time google.protobuf.Timestamp Time the resource or entity was created or provisioned.
last_update_time google.protobuf.Timestamp Time the resource or entity was last updated.

Authentication

The Authentication extension captures details specific to authentication events. General guidelines for authentication events:

  • Details about the source of the authentication event (for example, client IP or hostname) should be captured in principal. The principal may be empty if we have no details about the source of the login.

  • Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target.

  • Some authentication events may involve a third party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO, and the event is logged by the SSO solution. In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution.

Field Name Type Label Description
type Authentication.AuthType The type of authentication.
mechanism Authentication.Mechanism repeated The authentication mechanism.
auth_details string The vendor defined details of the authentication.

Certificate

Certificate information.

Field Name Type Label Description
version string Certificate version.
serial string Certificate serial number.
subject string Subject of the certificate.
issuer string Issuer of the certificate.
md5 string The MD5 hash of the certificate, as a hex-encoded string.
sha1 string The SHA1 hash of the certificate, as a hex-encoded string.
sha256 string The SHA256 hash of the certificate, as a hex-encoded string.
not_before google.protobuf.Timestamp Indicates when the certificate is first valid.
not_after google.protobuf.Timestamp Indicates when the certificate is no longer valid.

Cloud

Metadata related to the cloud environment.

Field Name Type Label Description
environment Cloud.CloudEnvironment The Cloud environment.
vpc Resource The cloud environment VPC. Deprecated.
project Resource The cloud environment project information. Deprecated: use Resource.resource_ancestors.
availability_zone string The cloud environment availability zone (different from region which is location.name).

DNSRecord

DNS record.

Field Name Type Label Description
type string Type.
value string Value.
ttl int64 Time to live.
priority int64 Priority.
retry int64 Retry.
refresh int64 Refresh.
minimum int64 Minimum.
expire int64 Expire.
serial int64 Serial.
rname string Rname.

Dhcp

DHCP information.

Field Name Type Label Description
opcode Dhcp.OpCode The BOOTP op code.
htype uint32 Hardware address type.
hlen uint32 Hardware address length.
hops uint32 Relay hop count (hops).
transaction_id uint32 Transaction ID.
seconds uint32 Seconds elapsed since client began address acquisition/renewal process.
flags uint32 Flags.
ciaddr string Client IP address (ciaddr).
yiaddr string Your IP address (yiaddr).
siaddr string IP address of the next bootstrap server.
giaddr string Relay agent IP address (giaddr).
chaddr string Client hardware address (chaddr).
sname string Server name that the client wishes to boot from.
file string Boot image filename.
options Dhcp.Option repeated List of DHCP options.
type Dhcp.MessageType DHCP message type.
lease_time_seconds uint32 Lease time in seconds. See RFC2132, section 9.2.
client_hostname string Client hostname. See RFC2132, section 3.14.
client_identifier bytes Client identifier. See RFC2132, section 9.14.
requested_address string Requested IP address. See RFC2132, section 9.1.

Dhcp.Option

DHCP options.

Field Name Type Label Description
code uint32 Code. See RFC1533.
data bytes Data.

Dns

DNS information.

Field Name Type Label Description
id uint32 DNS query id.
response bool Set to true if the event is a DNS response. See QR field from RFC1035.
opcode uint32 The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS).
authoritative bool Whether the responding server is authoritative for the queried domain (the AA header flag). See RFC1035, section 4.1.1.
truncated bool Whether the DNS response was truncated.
recursion_desired bool Whether a recursive DNS lookup is desired.
recursion_available bool Whether a recursive DNS lookup is available.
response_code uint32 Response code. See RCODE from RFC1035.
questions Dns.Question repeated A list of domain protocol message questions.
answers Dns.ResourceRecord repeated A list of answers to the domain name query.
authority Dns.ResourceRecord repeated A list of domain name servers which verified the answers to the domain name queries.
additional Dns.ResourceRecord repeated A list of additional domain name servers that can be used to verify the answer to the domain.

Dns.Question

DNS Questions. See RFC1035, section 4.1.2.

Field Name Type Label Description
name string The domain name.
type uint32 The code specifying the type of the query.
class uint32 The code specifying the class of the query.
prevalence Prevalence The prevalence of the domain within the customer's environment.

Dns.ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

Field Name Type Label Description
name string The name of the owner of the resource record.
type uint32 The code specifying the type of the resource record.
class uint32 The code specifying the class of the resource record.
ttl uint32 The time interval for which the resource record can be cached before the source of the information should again be queried.
data string The payload or response to the DNS question for all responses encoded in UTF-8 format.
binary_data bytes The raw bytes of any non-UTF8 strings that might be included as part of a DNS response.

Domain

Information about a domain.

Field Name Type Label Description
name string The domain name.
prevalence Prevalence The prevalence of the domain within the customer's environment.
first_seen_time google.protobuf.Timestamp First seen timestamp of the domain in the customer's environment.
last_seen_time google.protobuf.Timestamp Last seen timestamp of the domain in the customer's environment.
registrar string Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM".
contact_email string Contact email address.
whois_server string Whois server name.
name_server string repeated Repeated list of name servers.
creation_time google.protobuf.Timestamp Domain creation time.
update_time google.protobuf.Timestamp Last updated time.
expiration_time google.protobuf.Timestamp Expiration time.
audit_update_time google.protobuf.Timestamp Audit updated time.
status string Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values.
registrant User Parsed contact information for the registrant of the domain.
admin User Parsed contact information for the administrative contact for the domain.
tech User Parsed contact information for the technical contact for the domain.
billing User Parsed contact information for the billing contact of the domain.
zone User Parsed contact information for the zone.
whois_record_raw_text bytes WHOIS raw text.
registry_data_raw_text bytes Registry Data raw text.
iana_registrar_id int32 IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml
private_registration bool Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.
categories string repeated Categories assigned to the domain as retrieved from VirusTotal.
favicon Favicon Includes difference hash and MD5 hash of the domain's favicon.
jarm string Domain's JARM hash.
last_dns_records DNSRecord repeated Domain's DNS records from the last scan.
last_dns_records_time google.protobuf.Timestamp Date when the DNS records list was retrieved by VirusTotal.
last_https_certificate SSLCertificate SSL certificate object retrieved last time the domain was analyzed.
last_https_certificate_time google.protobuf.Timestamp When the certificate was retrieved by VirusTotal.
popularity_ranks PopularityRank repeated Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc.
tags string repeated List of representative attributes.
whois_time google.protobuf.Timestamp Date of the last update of the WHOIS record.

Email

Email info.

Field Name Type Label Description
from string The 'from' address.
reply_to string The 'reply to' address.
to string repeated A list of 'to' addresses.
cc string repeated A list of 'cc' addresses.
bcc string repeated A list of 'bcc' addresses.
mail_id string The mail (or message) ID.
subject string repeated The subject line(s) of the email.
bounce_address string The envelope 'from' address. See https://en.wikipedia.org/wiki/Bounce_address.

Favicon

Difference hash and MD5 hash of the domain's favicon.

Field Name Type Label Description
raw_md5 string Favicon's MD5 hash.
dhash string Difference hash.

File

Information about a file.

Field Name Type Label Description
sha256 string The SHA256 hash of the file, as a hex-encoded string.
md5 string The MD5 hash of the file, as a hex-encoded string.
sha1 string The SHA1 hash of the file, as a hex-encoded string.
size uint64 The size of the file in bytes.
full_path string The full path identifying the location of the file on the system.
mime_type string The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script".
file_metadata FileMetadata Metadata associated with the file. Deprecated: use the fields in File instead of FileMetadata.
security_result SecurityResult Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata.
pe_file FileMetadataPE Metadata about the Portable Executable (PE) file.
ssdeep string Ssdeep of the file.
vhash string Vhash of the file.
ahash string Deprecated. Use authentihash instead.
authentihash string Authentihash of the file.
file_type File.FileType FileType field.
capabilities_tags string repeated Capabilities tags.
names string repeated Names fields.
tags string repeated Tags for the file.
last_modification_time google.protobuf.Timestamp Timestamp when the file was last updated.
prevalence Prevalence Prevalence of the file hash in the customer's environment.
first_seen_time google.protobuf.Timestamp Timestamp the file was first seen in the customer's environment.
last_seen_time google.protobuf.Timestamp Timestamp the file was last seen in the customer's environment.
stat_mode uint64 The mode of the file. A bit string indicating the permissions and privileges of the file.
stat_inode uint64 The file identifier. Unique identifier of object within a file system.
stat_dev uint64 The file system identifier to which the object belongs.
stat_nlink uint64 Number of links to file.
stat_flags uint32 User defined flags for file.
last_analysis_time google.protobuf.Timestamp Timestamp the file was last analysed.
embedded_urls string repeated Embedded urls found in the file.
embedded_domains string repeated Embedded domains found in the file.
embedded_ips string repeated Embedded IP addresses found in the file.
exif_info ExifInfo Exif metadata from different file formats extracted by exiftool.
signature_info SignatureInfo File signature information extracted from different tools.
pdf_info PDFInfo Information about the PDF file structure.
first_submission_time google.protobuf.Timestamp First submission time of the file.
last_submission_time google.protobuf.Timestamp Last submission time of the file.
main_icon Favicon Icon's relevant hashes.

FileMetadataCodesign

File metadata from the codesign utility.

Field Name Type Label Description
id string Code sign identifier.
format string Code sign format.
compilation_time google.protobuf.Timestamp Code sign timestamp.

FileMetadataPE

Metadata about the Portable Executable (PE) file.

Field Name Type Label Description
imphash string Imphash of the file.
entry_point int64 info.pe-entry-point.
entry_point_exiftool int64 info.exiftool.EntryPoint.
compilation_time google.protobuf.Timestamp info.pe-timestamp.
compilation_exiftool_time google.protobuf.Timestamp info.exiftool.TimeStamp.
section FileMetadataSection repeated FilemetadataSection fields.
imports FileMetadataImports repeated FilemetadataImports fields.
resource FileMetadataPeResourceInfo repeated FilemetadataPeResourceInfo fields.
resources_type_count StringToInt64MapEntry repeated Deprecated: use resources_type_count_str.
resources_language_count StringToInt64MapEntry repeated Deprecated: use resources_language_count_str.
resources_type_count_str Label repeated Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5.
resources_language_count_str Label repeated Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10.
signature_info FileMetadataSignatureInfo FilemetadataSignatureInfo field. Deprecated: use File.signature_info instead.

FileMetadataSignatureInfo

Signature information.

Field Name Type Label Description
verification_message string Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.
verified bool True if verification_message == "Signed".
signer string repeated Deprecated: use signers field.
signers SignerInfo repeated File metadata signer information. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.
x509 X509 repeated List of certificates.

Ftp

FTP info.

Field Name Type Label Description
command string The FTP command.

Group

Information about an organizational group.

Field Name Type Label Description
product_object_id string Product globally unique user object identifier, such as an LDAP Object Identifier.
creation_time google.protobuf.Timestamp Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.
group_display_name string Group display name (e.g. "Finance").
attribute Attribute Generic entity metadata attributes of the group.
email_addresses string repeated Email addresses of the group.
windows_sid string Microsoft Windows SID of the group.

Hardware

Hardware specification details for a resource, including both physical and virtual hardware.

Field Name Type Label Description
serial_number string Hardware serial number.
manufacturer string Hardware manufacturer.
model string Hardware model.
cpu_platform string Platform of the hardware CPU (e.g. "Intel Broadwell").
cpu_model string Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").
cpu_clock_speed uint64 Clock speed of the hardware CPU in MHz.
cpu_max_clock_speed uint64 Maximum possible clock speed of the hardware CPU in MHz.
cpu_number_cores uint64 Number of CPU cores.
ram uint64 Amount of the hardware random access memory (RAM) in Mb.

Http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".

Field Name Type Label Description
method string The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").
referral_url string The URL for the HTTP referer.
user_agent string The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
response_code int32 The response status code, for example 200, 302, 404, or 500.
parsed_user_agent The parsed user_agent string.

Investigation

Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.

Field Name Type Label Description
verdict Verdict optional Describes reason a finding investigation was resolved.
reputation Reputation optional Describes whether a finding was useful or not useful.
severity_score uint32 optional Severity score for a finding set by an analyst.
status Status optional Describes the workflow status of a finding.
comments string repeated Comment added by the Analyst.
priority Priority optional Priority of the Alert or Finding set by analyst.
root_cause string optional Root cause of the Alert or Finding set by analyst.
reason Reason optional Reason for closing the Case or Alert.
risk_score uint32 optional Risk score for a finding set by an analyst.

Label

Key value labels.

Field Name Type Label Description
key string The key.
value string The value.
rbac_enabled bool Indicates whether this label can be used for Data RBAC.

Location

Information about a location.

Field Name Type Label Description
city string The city.
state string The state.
country_or_region string The country or region.
name string Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
desk_name string Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").
floor_name string Floor name, number or a combination of the two for a building (e.g. "1-A").
region_latitude float Deprecated: use region_coordinates.
region_longitude float Deprecated: use region_coordinates.
region_coordinates google.type.LatLng Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields.

PDFInfo

Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info.

Field Name Type Label Description
js int64 Number of /JS tags found in the PDF file. Should be the same as the javascript field in normal scenarios.
javascript int64 Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios.
launch_action_count int64 Number of /Launch tags found in the PDF file.
object_stream_count int64 Number of object streams.
endobj_count int64 Number of object definitions (endobj keyword).
header string PDF version.
acroform int64 Number of /AcroForm tags found in the PDF.
autoaction int64 Number of /AA tags found in the PDF.
embedded_file int64 Number of /EmbeddedFile tags found in the PDF.
encrypted int64 Whether the document is encrypted or not. This is defined by the /Encrypt tag.
flash int64 Number of /RichMedia tags found in the PDF.
jbig2_compression int64 Number of /JBIG2Decode tags found in the PDF.
obj_count int64 Number of object definitions (obj keyword).
endstream_count int64 Number of stream terminators (endstream keyword).
page_count int64 Number of pages in the PDF.
stream_count int64 Number of defined stream objects (stream keyword).
openaction int64 Number of /OpenAction tags found in the PDF.
startxref int64 Number of startxref keywords in the PDF.
suspicious_colors int64 Number of colors expressed with more than 3 bytes (CVE-2009-3459).
trailer int64 Number of trailer keywords in the PDF.
xfa int64 Number of /XFA tags found in the PDF.
xref int64 Number of xref keywords in the PDF.

PeFileMetadata

Metadata about a Microsoft Windows Portable Executable.

Field Name Type Label Description
import_hash string Hash of PE imports.

Permission

System permission for resource access and modification.

Field Name Type Label Description
name string Name of the permission (e.g. chronicle.analyst.updateRule).
description string Description of the permission (e.g. 'Ability to update detect rules').
type Permission.PermissionType Type of the permission.

PlatformSoftware

Platform software information about an operating system.

Field Name Type Label Description
platform Noun.Platform The platform operating system.
platform_version string The platform software version (e.g. "Microsoft Windows 1803").
platform_patch_level string The platform software patch level (e.g. "Build 17134.48", "SP1").

PopularityRank

Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.

Field Name Type Label Description
giver string Name of the source that assigned the rank (e.g. Alexa).
rank int64 Rank position.
ingestion_time google.protobuf.Timestamp Timestamp when the rank was ingested.

Prevalence

The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource.

Field Name Type Label Description
rolling_max int32 The maximum number of assets per day accessing the resource over the trailing day_count days.
day_count int32 The number of days over which rolling_max is calculated.
rolling_max_sub_domains int32 The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.
day_max int32 The max prevalence score in a day interval window.
day_max_sub_domains int32 The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.

Process

Information about a process.

Field Name Type Label Description
pid string The process ID.
parent_pid string The ID of the parent process. Deprecated: use parent_process.pid instead.
parent_process Process Information about the parent process.
file File Information about the file in use by the process.
command_line string The command line used to create the process.
command_line_history string repeated The command line history of the process.
product_specific_process_id string A product specific process id.
access_mask uint64 A bit mask representing the level of access.
integrity_level_rid uint64 The Microsoft Windows integrity level relative ID (RID) of the process.
token_elevation_type Process.TokenElevationType The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled.
product_specific_parent_process_id string A product specific id for the parent process. Deprecated: use parent_process.product_specific_process_id instead.

Registry

Information about a registry key or value.

Field Name Type Label Description
registry_key string Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).
registry_value_name string Name of the registry value associated with an application or system component (e.g. TEMP).
registry_value_data string Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

Resource

Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar.

Field Name Type Label Description
type string Deprecated: use resource_type instead.
resource_type Resource.ResourceType Resource type.
resource_subtype string Resource sub-type (e.g. "BigQuery", "Bigtable").
id string Deprecated: Use resource.name or resource.product_object_id.
name string The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe.
parent string The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name.
product_object_id string A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).
attribute Attribute Generic entity metadata attributes of the resource.

Role

System role for resource access and modification.

Field Name Type Label Description
name string System role name for user.
description string System role description for user.
type Role.Type System role type for well known roles.

SSLCertificate

SSL certificate.

Field Name Type Label Description
cert_signature SSLCertificate.CertSignature Certificate's signature and algorithm.
extension SSLCertificate.Extension Deprecated. Certificate's extensions.
cert_extensions google.protobuf.Struct Certificate's extensions.
first_seen_time google.protobuf.Timestamp Date the certificate was first retrieved by VirusTotal.
issuer SSLCertificate.Subject Certificate's issuer data.
ec SSLCertificate.EC EC public key information.
serial_number string Certificate's serial number hexdump.
signature_algorithm string Algorithm used for the signature (for example, "sha1RSA").
size int64 Certificate content length.
subject SSLCertificate.Subject Certificate's subject data.
thumbprint string Certificate's content SHA1 hash.
thumbprint_sha256 string Certificate's content SHA256 hash.
validity SSLCertificate.Validity Certificate's validity period.
version string Certificate version (typically "V1", "V2" or "V3").

SSLCertificate.AuthorityKeyId

Identifies the public key to be used to verify the signature on this certificate or CRL.

Field Name Type Label Description
keyid string Key hexdump.
serial_number string Serial number hexdump.

SSLCertificate.CertSignature

Certificate's signature and algorithm.

Field Name Type Label Description
signature string Signature.
signature_algorithm string Algorithm.

SSLCertificate.DSA

DSA public key information.

Field Name Type Label Description
p string p component hexdump.
q string q component hexdump.
g string g component hexdump.
pub string Public key hexdump.

SSLCertificate.EC

EC public key information.

Field Name Type Label Description
oid string Curve name.
pub string Public key hexdump.

SSLCertificate.Extension

Certificate's extensions.

Field Name Type Label Description
ca bool Whether the subject acts as a certificate authority (CA) or not.
subject_key_id string Identifies the public key being certified.
authority_key_id SSLCertificate.AuthorityKeyId Identifies the public key to be used to verify the signature on this certificate or CRL.
key_usage string The purpose for which the certified public key is used.
ca_info_access string Authority information access locations are URLs that are added to a certificate in its authority information access extension.
crl_distribution_points string CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked.
extended_key_usage string One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field.
subject_alternative_name string Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key.
certificate_policies string Different certificate policies will relate to different applications which may use the certified key.
netscape_cert_comment string Used to include free-form text comments inside certificates.
cert_template_name_dc string BMP data value "DomainController". See MS Q291010.
netscape_certificate bool Identifies whether the certificate subject is an SSL client, an SSL server, or a CA.
pe_logotype bool Whether the certificate includes a logotype.
old_authority_key_id bool Whether the certificate has an old authority key identifier extension.

SSLCertificate.PublicKey

Subject public key info.

Field Name Type Label Description
algorithm string Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate.
rsa SSLCertificate.RSA RSA public key information.

SSLCertificate.RSA

RSA public key information.

Field Name Type Label Description
key_size int64 Key size.
modulus string Key modulus hexdump.
exponent string Key exponent hexdump.

SSLCertificate.Subject

Subject data.

Field Name Type Label Description
country_name string C: Country name.
common_name string CN: CommonName.
locality string L: Locality.
organization string O: Organization.
organizational_unit string OU: OrganizationalUnit.
state_or_province_name string ST: StateOrProvinceName.

SSLCertificate.Validity

Defines certificate's validity period.

Field Name Type Label Description
expiry_time google.protobuf.Timestamp Expiry date.
issue_time google.protobuf.Timestamp Issue date.

SecurityResult.AnalystVerdict

Verdict provided by the human analyst. These fields are used to model Mandiant sources.

Field Name Type Label Description
confidence_score int32 Confidence score of the verdict.
verdict_time google.protobuf.Timestamp Timestamp at which the verdict was generated.
verdict_response SecurityResult.VerdictResponse Details of the verdict.

SecurityResult.Association

An Association represents metadata about the malware and threat actors involved with an IoC.

Field Name Type Label Description
id string Unique association id generated by Mandiant.
country_code string repeated Country from which the threat actor or malware originated.
type SecurityResult.Association.AssociationType Signifies the type of association.
name string Name of the threat actor/malware.
description string Human readable description about the association.
role string Role of the malware. Not applicable for threat actor.
source_country string Name of the country the threat originated from.
alias SecurityResult.Association.AssociationAlias repeated Different aliases of the threat actor given by different sources.
first_reference_time google.protobuf.Timestamp First time the threat actor was referenced or seen.
last_reference_time google.protobuf.Timestamp Last time the threat actor was referenced or seen.
industries_affected string repeated List of industries the threat actor affects.
associated_actors SecurityResult.Association repeated List of associated threat actors for a malware. Not applicable for threat actors.
region_code Location Name of the country the threat is originating from.
sponsor_region Location Sponsor region of the threat actor.
targeted_regions Location repeated Targeted regions.
tags string repeated Tags.

SecurityResult.Association.AssociationAlias

Association Alias used to represent Mandiant Threat Intelligence.

Field Name Type Label Description
name string Name of the alias.
company string Name of the provider who gave the association's name.

SecurityResult.IoCStats

Information about the threat intelligence source. These fields are used to model Mandiant sources.

Field Name Type Label Description
ioc_stats_type SecurityResult.IoCStatsType Describes the source of the IoCStat.
first_level_source string Name of the first-level IoC source, for example Mandiant or a third party.
second_level_source string Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph.
benign_count int32 Count of responses where the IoC was identified as benign.
quality SecurityResult.ProductConfidence Level of confidence in the IoC mapping extracted from the source.
malicious_count int32 Count of responses where the IoC was identified as malicious.
response_count int32 Total number of responses from the source.
source_count int32 Number of sources from which information was extracted.

SecurityResult.ProviderMLVerdict

MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.

Field Name Type Label Description
source_provider string Source provider giving the ML verdict.
benign_count int32 Count of responses where this IoC was marked benign.
malicious_count int32 Count of responses where this IoC was marked malicious.
confidence_score int32 Confidence score of the verdict.
mandiant_sources SecurityResult.Source repeated List of Mandiant sources from which the verdict was generated.
third_party_sources SecurityResult.Source repeated List of third-party sources from which the verdict was generated.

SecurityResult.Source

Information about the threat intelligence source. These fields are used to model Mandiant sources.

Field Name Type Label Description
name string Name of the IoC source.
benign_count int32 Count of responses where this IoC was marked benign.
malicious_count int32 Count of responses where this IoC was marked malicious.
quality SecurityResult.ProductConfidence Quality of the IoC mapping extracted from the source.
response_count int32 Total response count from this source.
source_count int32 Number of sources from which intelligence was extracted.
threat_intelligence_sources SecurityResult.Source repeated Different threat intelligence sources from which IoC info was extracted.

SecurityResult.Verdict

Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources.

Field Name Type Label Description
source_count int32 Number of sources from which intelligence was extracted.
response_count int32 Total response count across all sources.
neighbour_influence string Describes the neighbour influence of the verdict.
verdict SecurityResult.ProviderMLVerdict ML Verdict provided by sources like Mandiant.
analyst_verdict SecurityResult.AnalystVerdict Human analyst verdict provided by sources like Mandiant.

SecurityResult.VerdictInfo

Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources.

Field Name Type Label Description
source_count int32 Number of sources from which intelligence was extracted.
response_count int32 Total response count across all sources.
neighbour_influence string Describes the near neighbor influence of the verdict.
verdict_type SecurityResult.VerdictType Type of verdict.
source_provider string Source provider giving the machine learning verdict.
benign_count int32 Count of responses where this IoC was marked as benign.
malicious_count int32 Count of responses where this IoC was marked as malicious.
confidence_score int32 Confidence score of the verdict.
ioc_stats SecurityResult.IoCStats repeated List of IoCStats from which the verdict was generated.
verdict_time google.protobuf.Timestamp Timestamp when the verdict was generated.
verdict_response SecurityResult.VerdictResponse Details about the verdict.
global_customer_count int32 Global customer count over the last 30 days.
global_hits_count int32 Global hit count over the last 30 days.
pwn bool Whether one or more Mandiant incident response customers had this indicator in their environment.
category_details string Tags related to the verdict.
pwn_first_tagged_time google.protobuf.Timestamp The timestamp of the first time a pwn was associated to this entity.

SignatureInfo

File signature information extracted from different tools.

Field Name Type Label Description
sigcheck FileMetadataSignatureInfo Signature information extracted from the sigcheck tool.
codesign FileMetadataCodesign Signature information extracted from the codesign utility.

SignerInfo

File metadata related to the signer information.

Field Name Type Label Description
name string optional Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority.
status string optional Either "Valid" or a description of the problem with the certificate, if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid.").
valid_usage string optional Indicates which situations the certificate is valid for (e.g. "Code Signing").
cert_issuer string optional Company that issued the certificate.

Smtp

SMTP info. See RFC 2821.

Field Name Type Label Description
helo string The client's 'HELO'/'EHLO' string.
mail_from string The client's 'MAIL FROM' string.
rcpt_to string repeated The client's 'RCPT TO' string(s).
server_response string repeated The server's response(s) to the client.
message_path string The message's path (extracted from the headers).
is_webmail bool If the message was sent via a webmail client.
is_tls bool If the connection switched to TLS.

Software

Information about a software package or application.

Field Name Type Label Description
name string The name of the software.
version string The version of the software.
permissions Permission repeated System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE".
description string The description of the software.
vendor_name string The name of the software vendor.

Tags

Tags are event metadata set by examining event contents after parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters.

Field Name Type Label Description
tenant_id bytes repeated A list of subtenant ids that this event belongs to.
data_tap_config_name string repeated A list of sink name values defined in DataTap configurations.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM) system.

Field Name Type Label Description
interval google.type.Interval Interval duration of the leave.
description string Description of the leave if available (e.g. 'Vacation').

Tls

Transport Layer Security (TLS) information.

Field Name Type Label Description
client Tls.Client Certificate information for the client certificate.
server Tls.Server Certificate information for the server certificate.
cipher string Cipher used during the connection.
curve string Elliptic curve used for a given cipher.
version string TLS version.
version_protocol string Protocol.
established bool Indicates whether the TLS negotiation was successful.
next_protocol string Protocol to be used for tunnel.
resumed bool Indicates whether the TLS connection was resumed from a previous TLS negotiation.

Tls.Client

Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).

Field Name Type Label Description
certificate Certificate Client certificate.
ja3 string JA3 hash from the TLS ClientHello, as a hex-encoded string.
server_name string Host name of the server that the client is connecting to.
supported_ciphers string repeated Ciphers supported by the client during client hello.

Tls.Server

Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).

Field Name Type Label Description
certificate Certificate Server certificate.
ja3s string JA3 hash from the TLS ServerHello, as a hex-encoded string.

Tracker

URL Tracker.

Field Name Type Label Description
tracker string Tracker name.
id string Tracker ID, if available.
timestamp google.protobuf.Timestamp Tracker ingestion date.
url string Tracker script URL.

Url

Url.

Field Name Type Label Description
url string URL.
categories string repeated Categorisation done by VirusTotal partners.
favicon Favicon Difference hash and MD5 hash of the URL's favicon.
html_meta google.protobuf.Struct Meta tags (only for URLs downloading HTML).
last_final_url string If the original URL redirects, the URL where the redirect chain ends.
last_http_response_code int32 HTTP response code of the last response.
last_http_response_content_length int64 Length in bytes of the content received.
last_http_response_content_sha256 string URL response body's SHA256 hash.
last_http_response_cookies google.protobuf.Struct Website's cookies.
last_http_response_headers google.protobuf.Struct Headers and values of the last HTTP response.
tags string repeated Tags.
title string Webpage title.
trackers Tracker repeated Trackers historically found at the URL.

User

Information about a user.

Field Name Type Label Description
product_object_id string A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
userid string The ID of the user.
user_display_name string The display name of the user (e.g. "John Locke").
first_name string First name of the user (e.g. "John").
middle_name string Middle name of the user.
last_name string Last name of the user (e.g. "Locke").
phone_numbers string repeated Phone numbers for the user.
personal_address Location Personal address of the user.
attribute Attribute Generic entity metadata attributes of the user.
first_seen_time google.protobuf.Timestamp The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
account_type User.AccountType Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/
groupid string The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field.
group_identifiers string repeated Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier that uniquely identifies the group(s) the user belongs to (a GUID, LDAP OID, or similar).
windows_sid string The Microsoft Windows SID of the user.
email_addresses string repeated Email addresses of the user.
employee_id string Human capital management identifier.
title string User job title.
company_name string User job company name.
department string repeated User job department.
office_address Location User job office location.
managers User repeated User job manager(s).
hire_date google.protobuf.Timestamp User job employment hire date.
termination_date google.protobuf.Timestamp User job employment termination date.
time_off TimeOff repeated User time off leaves from active work.
last_login_time google.protobuf.Timestamp User last login timestamp.
last_password_change_time google.protobuf.Timestamp User last password change timestamp.
password_expiration_time google.protobuf.Timestamp User password expiration timestamp.
account_expiration_time google.protobuf.Timestamp User account expiration timestamp.
account_lockout_time google.protobuf.Timestamp User account lockout timestamp.
last_bad_password_attempt_time google.protobuf.Timestamp User last bad password attempt timestamp.
user_authentication_status Authentication.AuthenticationStatus System authentication status for user.
role_name string System role name for user. Deprecated: use attribute.roles.
role_description string System role description for user. Deprecated: use attribute.roles.
user_role User.Role System role for user. Deprecated: use attribute.roles.

Vulnerabilities

The Vulnerabilities extension captures details on observed/detected vulnerabilities.

Field Name Type Label Description
vulnerabilities Vulnerability repeated A list of vulnerabilities.

Vulnerability

A vulnerability.

Field Name Type Label Description
about Noun If the vulnerability is about a specific noun (e.g. executable), then add it here.
name string Name of the vulnerability (e.g. "Unsupported OS Version detected").
description string Description of the vulnerability.
vendor string Vendor of the scan that discovered the vulnerability.
scan_start_time google.protobuf.Timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.
scan_end_time google.protobuf.Timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.
first_found google.protobuf.Timestamp Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
last_found google.protobuf.Timestamp Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
severity Vulnerability.Severity The severity of the vulnerability.
severity_details string Vendor-specific severity.
cvss_base_score float CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.
cvss_vector string Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C"). Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
cvss_version string Version of CVSS Vector/Score.
cve_id string Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id
cve_description string Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
vendor_vulnerability_id string Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
vendor_knowledge_base_article_id string Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase

X509

File certificate.

Field Name Type Label Description
name string Certificate name.
algorithm string Certificate algorithm.
thumbprint string Certificate thumbprint.
cert_issuer string Issuer of the certificate.
serial_number string Certificate serial number.

Event enumerated types

Asset.AssetType

The role type of the asset.

Enum Value Enum Number Description
ROLE_UNSPECIFIED 0 Unspecified asset role.
WORKSTATION 1 A workstation or desktop.
LAPTOP 2 A laptop computer.
IOT 3 An IoT asset.
NETWORK_ATTACHED_STORAGE 4 A network attached storage device.
PRINTER 5 A printer.
SCANNER 6 A scanner.
SERVER 7 A server.
TAPE_LIBRARY 8 A tape library device.
MOBILE 9 A mobile device such as a mobile phone or PDA.

Asset.DeploymentStatus

Deployment status states.

Enum Value Enum Number Description
DEPLOYMENT_STATUS_UNSPECIFIED 0 Unspecified deployment status.
ACTIVE 1 Asset is active, functional and deployed.
PENDING_DECOMISSION 2 Asset is pending decommission and no longer deployed.
DECOMISSIONED 3 Asset is decommissioned.

Authentication.AuthType

Type of system the authentication event is associated with.

Enum Value Enum Number Description
AUTHTYPE_UNSPECIFIED 0 The default type.
MACHINE 1 A machine authentication.
SSO 2 An SSO authentication.
VPN 3 A VPN authentication.
PHYSICAL 4 A Physical authentication (e.g. "Badge reader").
TACACS 5 A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+).

Authentication.AuthenticationStatus

Authentication status. Can be used to describe the status of authentication for a user or a particular credential.

Enum Value Enum Number Description
UNKNOWN_AUTHENTICATION_STATUS 0 The default authentication status.
ACTIVE 1 The authentication method is in active state.
SUSPENDED 2 The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS 3 The authentication method has no active credentials.
DELETED 4 The authentication method has been deleted.

Authentication.Mechanism

Mechanism(s) used to authenticate.

Enum Value Enum Number Description
MECHANISM_UNSPECIFIED 0 The default mechanism.
USERNAME_PASSWORD 1 Username + password authentication.
OTP 2 OTP authentication.
HARDWARE_KEY 3 Hardware key authentication.
LOCAL 4 Local authentication.
REMOTE 5 Remote authentication.
REMOTE_INTERACTIVE 6 RDP, Terminal Services, or VNC.
MECHANISM_OTHER 7 Some other mechanism that is not defined here.
BADGE_READER 8 Badge reader authentication.
NETWORK 9 Network authentication.
BATCH 10 Batch authentication.
SERVICE 11 Service authentication.
UNLOCK 12 Direct human-interactive unlock authentication.
NETWORK_CLEAR_TEXT 13 Network clear text authentication.
NEW_CREDENTIALS 14 Authentication with new credentials.
INTERACTIVE 15 Interactive authentication.
CACHED_INTERACTIVE 16 Interactive authentication using cached credentials.
CACHED_REMOTE_INTERACTIVE 17 Cached Remote Interactive authentication using cached credentials.
CACHED_UNLOCK 18 Cached Remote Interactive authentication using cached credentials.

Cloud.CloudEnvironment

The service provider environment.

Enum Value Enum Number Description
UNSPECIFIED_CLOUD_ENVIRONMENT 0 Default.
GOOGLE_CLOUD_PLATFORM 1 Google Cloud Platform.
AMAZON_WEB_SERVICES 2 Amazon Web Services.
MICROSOFT_AZURE 3 Microsoft Azure.

Dhcp.MessageType

DHCP message type. See RFC2131, section 3.1.

Enum Value Enum Number Description
UNKNOWN_MESSAGE_TYPE 0 Default message type.
DISCOVER 1 DHCPDISCOVER.
OFFER 2 DHCPOFFER.
REQUEST 3 DHCPREQUEST.
DECLINE 4 DHCPDECLINE.
ACK 5 DHCPACK.
NAK 6 DHCPNAK.
RELEASE 7 DHCPRELEASE.
INFORM 8 DHCPINFORM.
WIN_DELETED 100 Microsoft Windows DHCP "lease deleted".
WIN_EXPIRED 101 Microsoft Windows DHCP "lease expired".

Dhcp.OpCode

BOOTP op code. See RFC951, section 3.

Enum Value Enum Number Description
UNKNOWN_OPCODE 0 Default opcode.
BOOTREQUEST 1 Request.
BOOTREPLY 2 Reply.

File.FileType

The file type, for example Microsoft Windows executable.

Enum Value Enum Number Description
FILE_TYPE_UNSPECIFIED 0 File type is UNSPECIFIED.
FILE_TYPE_PE_EXE 1 File type is PE_EXE.
FILE_TYPE_PE_DLL 2 Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_MSI 3 File type is MSI.
FILE_TYPE_NE_EXE 10 File type is NE_EXE.
FILE_TYPE_NE_DLL 11 File type is NE_DLL.
FILE_TYPE_DOS_EXE 20 File type is DOS_EXE.
FILE_TYPE_DOS_COM 21 File type is DOS_COM.
FILE_TYPE_COFF 30 File type is COFF.
FILE_TYPE_ELF 31 File type is ELF.
FILE_TYPE_LINUX_KERNEL 32 File type is LINUX_KERNEL.
FILE_TYPE_RPM 33 File type is RPM.
FILE_TYPE_LINUX 34 File type is LINUX.
FILE_TYPE_MACH_O 35 File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE 36 File type is JAVA_BYTECODE.
FILE_TYPE_DMG 37 File type is DMG.
FILE_TYPE_DEB 38 File type is DEB.
FILE_TYPE_PKG 39 File type is PKG.
FILE_TYPE_PYC 40 File type is PYC.
FILE_TYPE_LNK 50 File type is LNK.
FILE_TYPE_JPEG 100 File type is JPEG.
FILE_TYPE_TIFF 101 File type is TIFF.
FILE_TYPE_GIF 102 File type is GIF.
FILE_TYPE_PNG 103 File type is PNG.
FILE_TYPE_BMP 104 File type is BMP.
FILE_TYPE_GIMP 105 File type is GIMP.
FILE_TYPE_IN_DESIGN 106 File type is Adobe InDesign.
FILE_TYPE_PSD 107 File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA 108 File type is TARGA.
FILE_TYPE_XWD 109 File type is XWD.
FILE_TYPE_DIB 110 File type is DIB.
FILE_TYPE_JNG 111 File type is JNG.
FILE_TYPE_ICO 112 File type is ICO.
FILE_TYPE_FPX 113 File type is FPX.
FILE_TYPE_EPS 114 File type is EPS.
FILE_TYPE_SVG 115 File type is SVG.
FILE_TYPE_EMF 116 File type is EMF.
FILE_TYPE_WEBP 117 File type is WEBP.
FILE_TYPE_DWG 118 File type is DWG.
FILE_TYPE_DXF 119 File type is DXF.
FILE_TYPE_THREEDS 120 File type is 3DS.
FILE_TYPE_OGG 150 File type is OGG.
FILE_TYPE_FLC 151 File type is FLC.
FILE_TYPE_FLI 152 File type is FLI.
FILE_TYPE_MP3 153 File type is MP3.
FILE_TYPE_FLAC 154 File type is FLAC.
FILE_TYPE_WAV 155 File type is WAV.
FILE_TYPE_MIDI 156 File type is MIDI.
FILE_TYPE_AVI 157 File type is AVI.
FILE_TYPE_MPEG 158 File type is MPEG.
FILE_TYPE_QUICKTIME 159 File type is QUICKTIME.
FILE_TYPE_ASF 160 File type is ASF.
FILE_TYPE_DIVX 161 File type is DIVX.
FILE_TYPE_FLV 162 File type is FLV.
FILE_TYPE_WMA 163 File type is WMA.
FILE_TYPE_WMV 164 File type is WMV.
FILE_TYPE_RM 165 File type is RM. RealMedia type.
FILE_TYPE_MOV 166 File type is MOV.
FILE_TYPE_MP4 167 File type is MP4.
FILE_TYPE_T3GP 168 File type is T3GP.
FILE_TYPE_WEBM 169 File type is WEBM.
FILE_TYPE_MKV 170 File type is MKV.
FILE_TYPE_PDF 200 File type is PDF.
FILE_TYPE_PS 201 File type is PS.
FILE_TYPE_DOC 202 File type is DOC.
FILE_TYPE_DOCX 203 File type is DOCX.
FILE_TYPE_PPT 204 File type is PPT.
FILE_TYPE_PPTX 205 File type is PPTX.
FILE_TYPE_PPSX 209 File type is PPSX.
FILE_TYPE_XLS 206 File type is XLS.
FILE_TYPE_XLSX 207 File type is XLSX.
FILE_TYPE_RTF 208 File type is RTF.
FILE_TYPE_ODP 250 File type is ODP.
FILE_TYPE_ODS 251 File type is ODS.
FILE_TYPE_ODT 252 File type is ODT.
FILE_TYPE_HWP 253 File type is HWP.
FILE_TYPE_GUL 254 File type is GUL.
FILE_TYPE_ODF 255 File type is ODF.
FILE_TYPE_ODG 256 File type is ODG.
FILE_TYPE_ONE_NOTE 257 File type is ONE_NOTE.
FILE_TYPE_OOXML 258 File type is OOXML.
FILE_TYPE_EBOOK 260 File type is EBOOK.
FILE_TYPE_LATEX 261 File type is LATEX.
FILE_TYPE_TTF 262 File type is TTF.
FILE_TYPE_EOT 263 File type is EOT.
FILE_TYPE_WOFF 264 File type is WOFF.
FILE_TYPE_CHM 265 File type is CHM.
FILE_TYPE_ZIP 300 File type is ZIP.
FILE_TYPE_GZIP 301 File type is GZIP.
FILE_TYPE_BZIP 302 File type is BZIP.
FILE_TYPE_RZIP 303 File type is RZIP.
FILE_TYPE_DZIP 304 File type is DZIP.
FILE_TYPE_SEVENZIP 305 File type is SEVENZIP.
FILE_TYPE_CAB 306 File type is CAB.
FILE_TYPE_JAR 307 File type is JAR.
FILE_TYPE_RAR 308 File type is RAR.
FILE_TYPE_MSCOMPRESS 309 File type is MSCOMPRESS.
FILE_TYPE_ACE 310 File type is ACE.
FILE_TYPE_ARC 311 File type is ARC.
FILE_TYPE_ARJ 312 File type is ARJ.
FILE_TYPE_ASD 313 File type is ASD.
FILE_TYPE_BLACKHOLE 314 File type is BLACKHOLE.
FILE_TYPE_KGB 315 File type is KGB.
FILE_TYPE_ZLIB 316 File type is ZLIB.
FILE_TYPE_TAR 317 File type is TAR.
FILE_TYPE_ZST 318 File type is ZST.
FILE_TYPE_LZFSE 319 File type is LZFSE.
FILE_TYPE_PYTHON_WHL 320 File type is PYTHON_WHL.
FILE_TYPE_PYTHON_PKG 321 File type is PYTHON_PKG.
FILE_TYPE_TEXT 400 File type is TEXT.
FILE_TYPE_SCRIPT 401 File type is SCRIPT.
FILE_TYPE_PHP 402 File type is PHP.
FILE_TYPE_PYTHON 403 File type is PYTHON.
FILE_TYPE_PERL 404 File type is PERL.
FILE_TYPE_RUBY 405 File type is RUBY.
FILE_TYPE_C 406 File type is C.
FILE_TYPE_CPP 407 File type is CPP.
FILE_TYPE_JAVA 408 File type is JAVA.
FILE_TYPE_SHELLSCRIPT 409 File type is SHELLSCRIPT.
FILE_TYPE_PASCAL 410 File type is PASCAL.
FILE_TYPE_AWK 411 File type is AWK.
FILE_TYPE_DYALOG 412 File type is DYALOG.
FILE_TYPE_FORTRAN 413 File type is FORTRAN.
FILE_TYPE_JAVASCRIPT 414 File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL 415 File type is POWERSHELL.
FILE_TYPE_VBA 416 File type is VBA.
FILE_TYPE_M4 417 File type is M4.
FILE_TYPE_OBJETIVEC 418 File type is OBJETIVEC.
FILE_TYPE_JMOD 419 File type is JMOD.
FILE_TYPE_MAKEFILE 420 File type is MAKEFILE.
FILE_TYPE_INI 421 File type is INI.
FILE_TYPE_CLJ 422 File type is CLJ.
FILE_TYPE_PDB 425 File type is PDB.
FILE_TYPE_SQL 426 File type is SQL.
FILE_TYPE_NEKO 427 File type is NEKO.
FILE_TYPE_WER 428 File type is WER.
FILE_TYPE_GOLANG 429 File type is GOLANG.
FILE_TYPE_SYMBIAN 500 File type is SYMBIAN.
FILE_TYPE_PALMOS 501 File type is PALMOS.
FILE_TYPE_WINCE 502 File type is WINCE.
FILE_TYPE_ANDROID 503 File type is ANDROID.
FILE_TYPE_IPHONE 504 File type is IPHONE.
FILE_TYPE_HTML 600 File type is HTML.
FILE_TYPE_XML 601 File type is XML.
FILE_TYPE_SWF 602 File type is SWF.
FILE_TYPE_FLA 603 File type is FLA.
FILE_TYPE_COOKIE 604 File type is COOKIE.
FILE_TYPE_TORRENT 605 File type is TORRENT.
FILE_TYPE_EMAIL_TYPE 606 File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK 607 File type is OUTLOOK.
FILE_TYPE_SGML 608 File type is SGML.
FILE_TYPE_JSON 609 File type is JSON.
FILE_TYPE_CSV 610 File type is CSV.
FILE_TYPE_CAP 700 File type is CAP.
FILE_TYPE_ISOIMAGE 800 File type is ISOIMAGE.
FILE_TYPE_SQUASHFS 801 File type is SQUASHFS.
FILE_TYPE_VHD 802 File type is VHD.
FILE_TYPE_APPLE 1000 File type is APPLE.
FILE_TYPE_MACINTOSH 1001 File type is MACINTOSH.
FILE_TYPE_APPLESINGLE 1002 File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE 1003 File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS 1004 File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST 1005 File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB 1006 File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT 1007 File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED 1008 File type is APPLESCRIPT_COMPILED.
FILE_TYPE_CRX 1100 File type is CRX.
FILE_TYPE_XPI 1101 File type is XPI.
FILE_TYPE_ROM 1200 File type is ROM.
FILE_TYPE_IPS 1201 File type is IPS.
FILE_TYPE_PEM 1300 File type is PEM.
FILE_TYPE_PGP 1301 File type is PGP.
FILE_TYPE_CRT 1302 File type is CRT.

Metadata.EnrichmentState

An enrichment state.

Enum Value Enum Number Description
ENRICHMENT_STATE_UNSPECIFIED 0 Unspecified.
ENRICHED 1 The event has been enriched by Chronicle.
UNENRICHED 2 The event has not been enriched by Chronicle.

Metadata.EventType

An event type. Choose the event type based on the activity the event itself logs, not on the product that generated the event. So, for example, an antivirus (AV) scanning email on a client would generate an SMTP_PROXY event, not an AV event. A DLP device scanning a web upload would generate an HTTP_PROXY event and not a DLP or process activity event. Note: In the case of an HTTP_PROXY event, you might also include process details if this occurred on an endpoint. That is optional, but there is a set of required fields and banned fields due to its status as an HTTP_PROXY event.

Enum Value Enum Number Description
EVENTTYPE_UNSPECIFIED 0 Default event type.
PROCESS_UNCATEGORIZED 10000 Activity related to a process which does not match any other event types.
PROCESS_LAUNCH 10001 Process launch.
PROCESS_INJECTION 10002 Process injecting into another process.
PROCESS_PRIVILEGE_ESCALATION 10003 Process privilege escalation.
PROCESS_TERMINATION 10004 Process termination.
PROCESS_OPEN 10005 Process being opened.
PROCESS_MODULE_LOAD 10006 Process loading a module.
REGISTRY_UNCATEGORIZED 11000 Registry event which does not match any of the other event types.
REGISTRY_CREATION 11001 Registry creation.
REGISTRY_MODIFICATION 11002 Registry modification.
REGISTRY_DELETION 11003 Registry deletion.
SETTING_UNCATEGORIZED 12000 Settings-related event which does not match any of the other event types.
SETTING_CREATION 12001 Setting creation.
SETTING_MODIFICATION 12002 Setting modification.
SETTING_DELETION 12003 Setting deletion.
MUTEX_UNCATEGORIZED 13000 Any mutex event other than creation.
MUTEX_CREATION 13001 Mutex creation.
FILE_UNCATEGORIZED 14000 File event which does not match any of the other event types.
FILE_CREATION 14001 File created.
FILE_DELETION 14002 File deleted.
FILE_MODIFICATION 14003 File modified.
FILE_READ 14004 File read.
FILE_COPY 14005 File copied. Used for file copies, for example, to a thumb drive.
FILE_OPEN 14006 File opened.
FILE_MOVE 14007 File moved or renamed.
FILE_SYNC 14008 File synced (for example, Google Drive, Dropbox, backup).
USER_UNCATEGORIZED 15000 User activity which does not match any of the other event types.
USER_LOGIN 15001 User login.
USER_LOGOUT 15002 User logout.
USER_CREATION 15003 User creation.
USER_CHANGE_PASSWORD 15004 User password change event.
USER_CHANGE_PERMISSIONS 15005 Change in user permissions.
USER_STATS 15006 Deprecated. Used to update user info for an LDAP dump.
USER_BADGE_IN 15007 User physically badging into a location.
USER_DELETION 15008 User deletion.
USER_RESOURCE_CREATION 15009 User creating a virtual resource. This is equivalent to RESOURCE_CREATION.
USER_RESOURCE_UPDATE_CONTENT 15010 User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN.
USER_RESOURCE_UPDATE_PERMISSIONS 15011 User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
USER_COMMUNICATION 15012 User initiating communication through a medium (for example, video).
USER_RESOURCE_ACCESS 15013 User accessing a virtual resource. This is equivalent to RESOURCE_READ.
USER_RESOURCE_DELETION 15014 User deleting a virtual resource. This is equivalent to RESOURCE_DELETION.
GROUP_UNCATEGORIZED 23000 A group activity that does not fall into one of the other event types.
GROUP_CREATION 23001 A group creation.
GROUP_DELETION 23002 A group deletion.
GROUP_MODIFICATION 23003 A group modification.
EMAIL_UNCATEGORIZED 19000 Email messages that do not match any of the other event types.
EMAIL_TRANSACTION 19001 An email transaction.
EMAIL_URL_CLICK 19002 Deprecated: use NETWORK_HTTP instead. An email URL click event.
NETWORK_UNCATEGORIZED 16000 A network event that does not fit into one of the other event types.
NETWORK_FLOW 16001 Aggregated flow statistics, for example NetFlow.
NETWORK_CONNECTION 16002 Network connection details, for example from a firewall.
NETWORK_FTP 16003 FTP telemetry.
NETWORK_DHCP 16004 DHCP payload.
NETWORK_DNS 16005 DNS payload.
NETWORK_HTTP 16006 HTTP telemetry.
NETWORK_SMTP 16007 SMTP telemetry.
STATUS_UNCATEGORIZED 17000 A status message that does not fit into one of the other event types.
STATUS_HEARTBEAT 17001 Heartbeat indicating product is alive.
STATUS_STARTUP 17002 An agent startup.
STATUS_SHUTDOWN 17003 An agent shutdown.
STATUS_UPDATE 17004 A software or fingerprint update.
SCAN_UNCATEGORIZED 18000 Scan item that does not fit into one of the other event types.
SCAN_FILE 18001 A file scan.
SCAN_PROCESS_BEHAVIORS 18002 Scan process behaviors. Please use SCAN_PROCESS instead.
SCAN_PROCESS 18003 Scan process.
SCAN_HOST 18004 Scan results from scanning an entire host device for threats/sensitive documents.
SCAN_VULN_HOST 18005 Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan).
SCAN_VULN_NETWORK 18006 Vulnerability scan logs about network vulnerabilities.
SCAN_NETWORK 18007 Scan of a network for suspicious activity.
SCHEDULED_TASK_UNCATEGORIZED 20000 Scheduled task event that does not fall into one of the other event types.
SCHEDULED_TASK_CREATION 20001 Scheduled task creation.
SCHEDULED_TASK_DELETION 20002 Scheduled task deletion.
SCHEDULED_TASK_ENABLE 20003 Scheduled task being enabled.
SCHEDULED_TASK_DISABLE 20004 Scheduled task being disabled.
SCHEDULED_TASK_MODIFICATION 20005 Scheduled task being modified.
SYSTEM_AUDIT_LOG_UNCATEGORIZED 21000 A system audit log event that is not a wipe.
SYSTEM_AUDIT_LOG_WIPE 21001 A system audit log wipe.
SERVICE_UNSPECIFIED 22000 Service event that does not fit into one of the other event types.
SERVICE_CREATION 22001 A service creation.
SERVICE_DELETION 22002 A service deletion.
SERVICE_START 22003 A service start.
SERVICE_STOP 22004 A service stop.
SERVICE_MODIFICATION 22005 A service modification.
GENERIC_EVENT 100000 Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs.
RESOURCE_CREATION 1 The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION.
RESOURCE_DELETION 2 The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION.
RESOURCE_PERMISSIONS_CHANGE 3 The resource had its permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
RESOURCE_READ 4 The resource was read. This is equivalent to USER_RESOURCE_ACCESS.
RESOURCE_WRITTEN 5 The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
DEVICE_FIRMWARE_UPDATE 25000 Firmware update.
DEVICE_CONFIG_UPDATE 25001 Configuration update.
DEVICE_PROGRAM_UPLOAD 25002 A program or application uploaded to a device.
DEVICE_PROGRAM_DOWNLOAD 25003 A program or application downloaded to a device.
ANALYST_UPDATE_VERDICT 24000 Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding.
ANALYST_UPDATE_REPUTATION 24001 Analyst update about the Reputation (such as useful or not useful) of a finding.
ANALYST_UPDATE_SEVERITY_SCORE 24002 Analyst update about the Severity score (0-100) of a finding.
ANALYST_UPDATE_STATUS 24007 Analyst update about the finding status.
ANALYST_ADD_COMMENT 24008 Analyst addition of a comment for a finding.
ANALYST_UPDATE_PRIORITY 24009 Analyst update about the priority (such as low, medium, or high) for a finding.
ANALYST_UPDATE_ROOT_CAUSE 24010 Analyst update about the root cause for a finding.
ANALYST_UPDATE_REASON 24011 Analyst update about the reason (such as malicious or not malicious) for a finding.
ANALYST_UPDATE_RISK_SCORE 24012 Analyst update about the risk score (0-100) of a finding.

Network.ApplicationProtocol

A network application protocol.

Enum Value Enum Number Description
UNKNOWN_APPLICATION_PROTOCOL 0 The default application protocol.
AFP 1 Apple Filing Protocol.
APPC 2 Advanced Program-to-Program Communication.
AMQP 3 Advanced Message Queuing Protocol.
ATOM 4 Publishing Protocol.
BEEP 5 Block Extensible Exchange Protocol.
BITCOIN 6 Cryptocurrency protocol.
BIT_TORRENT 7 Peer-to-peer file sharing.
CFDP 8 Coherent File Distribution Protocol.
CIP 67 Common Industrial Protocol.
COAP 9 Constrained Application Protocol.
COTP 68 Connection Oriented Transport Protocol.
DCERPC 66 DCE/RPC.
DDS 10 Data Distribution Service.
DEVICE_NET 11 Automation industry protocol.
DHCP 4000 DHCP.
DICOM 69 Digital Imaging and Communications in Medicine Protocol.
DNP3 70 Distributed Network Protocol 3 (DNP3).
DNS 3000 DNS.
E_DONKEY 12 Classic file sharing protocol.
ENRP 13 Endpoint Handlespace Redundancy Protocol.
FAST_TRACK 14 Filesharing peer-to-peer protocol.
FINGER 15 User Information Protocol.
FREENET 16 Censorship resistant peer-to-peer network.
FTAM 17 File Transfer Access and Management.
GOOSE 71 GOOSE Protocol.
GOPHER 18 Gopher protocol.
GRPC 77 gRPC Remote Procedure Call.
HL7 19 Health Level Seven.
H323 20 Packet-based multimedia communications system.
HTTP 2000 HTTP.
HTTPS 2001 HTTPS.
IEC104 72 IEC 60870-5-104 (IEC 104) Protocol.
IRCP 21 Internet Relay Chat Protocol.
KADEMLIA 22 Peer-to-peer hashtables.
KRB5 65 Kerberos 5.
LDAP 23 Lightweight Directory Access Protocol.
LPD 24 Line Printer Daemon Protocol.
MIME 25 Multipurpose Internet Mail Extensions and Secure MIME.
MMS 73 Multimedia Messaging Service.
MODBUS 26 Serial communications protocol.
MQTT 27 Message Queuing Telemetry Transport.
NETCONF 28 Network Configuration.
NFS 29 Network File System.
NIS 30 Network Information Service.
NNTP 31 Network News Transfer Protocol.
NTCIP 32 National Transportation Communications for Intelligent Transportation System.
NTP 33 Network Time Protocol.
OSCAR 34 AOL Instant Messenger Protocol.
PNRP 35 Peer Name Resolution Protocol.
PTP 74 Precision Time Protocol.
QUIC 1000 QUIC.
RDP 36 Remote Desktop Protocol.
RELP 37 Reliable Event Logging Protocol.
RIP 38 Routing Information Protocol.
RLOGIN 39 Remote Login in UNIX Systems.
RPC 40 Remote Procedure Call.
RTMP 41 Real Time Messaging Protocol.
RTP 42 Real-time Transport Protocol.
RTPS 43 Real Time Publish Subscribe.
RTSP 44 Real Time Streaming Protocol.
SAP 45 Session Announcement Protocol.
SDP 46 Session Description Protocol.
SIP 47 Session Initiation Protocol.
SLP 48 Service Location Protocol.
SMB 49 Server Message Block.
SMTP 50 Simple Mail Transfer Protocol.
SNMP 75 Simple Network Management Protocol.
SNTP 51 Simple Network Time Protocol.
SSH 52 Secure Shell.
SSMS 53 Secure SMS Messaging Protocol.
STYX 54 Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
SV 76 Sampled Values Protocol.
TCAP 55 Transaction Capabilities Application Part.
TDS 56 Tabular Data Stream.
TOR 57 Anonymity network.
TSP 58 Time Stamp Protocol.
VTP 59 Virtual Terminal Protocol.
WHOIS 60 Remote Directory Access Protocol.
WEB_DAV 61 Web Distributed Authoring and Versioning.
X400 62 Message Handling Service Protocol.
X500 63 Directory Access Protocol (DAP).
XMPP 64 Extensible Messaging and Presence Protocol.

Network.Direction

A network traffic direction.

Enum Value Enum Number Description
UNKNOWN_DIRECTION 0 The default direction.
INBOUND 1 An inbound request.
OUTBOUND 2 An outbound request.
BROADCAST 3 A broadcast.

Network.IpProtocol

An IP protocol.

Enum Value Enum Number Description
UNKNOWN_IP_PROTOCOL 0 The default protocol.
ICMP 1 ICMP.
IGMP 2 IGMP.
TCP 6 TCP.
UDP 17 UDP.
IP6IN4 41 IPv6 Encapsulation.
GRE 47 Generic Routing Encapsulation.
ESP 50 Encapsulating Security Payload.
ICMP6 58 ICMPv6.
EIGRP 88 Enhanced Interior Gateway Routing Protocol.
ETHERIP 97 Ethernet-within-IP Encapsulation.
PIM 103 Protocol Independent Multicast.
VRRP 112 Virtual Router Redundancy Protocol.
SCTP 132 Stream Control Transmission Protocol.

Noun.Platform

Operating system platform.

Enum Value Enum Number Description
UNKNOWN_PLATFORM 0 Default value.
WINDOWS 1 Microsoft Windows.
MAC 2 macOS.
LINUX 3 Linux.
GCP 4 Deprecated: see cloud.environment.
AWS 5 Deprecated: see cloud.environment.
AZURE 6 Deprecated: see cloud.environment.
IOS 7 iOS.
ANDROID 8 Android.
CHROME_OS 9 Chrome OS.

Permission.PermissionType

High level categorizations of permission type.

Enum Value Enum Number Description
UNKNOWN_PERMISSION_TYPE 0 Default permission type.
ADMIN_WRITE 1 Administrator write permission.
ADMIN_READ 2 Administrator read permission.
DATA_WRITE 3 Data resource access write permission.
DATA_READ 4 Data resource access read permission.

Priority

Priority that is assigned to a Case or Alert.

Enum Value Enum Number Description
PRIORITY_UNSPECIFIED 0 Default priority level.
PRIORITY_INFO 100 Informational priority.
PRIORITY_LOW 200 Low priority.
PRIORITY_MEDIUM 300 Medium priority.
PRIORITY_HIGH 400 High priority.
PRIORITY_CRITICAL 500 Critical priority.

Process.TokenElevationType

The elevation type of the process's token. See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type

Enum Value Enum Number Description
UNKNOWN 0 An undetermined token type.
TYPE_1 1 A full token with no privileges removed or groups disabled.
TYPE_2 2 An elevated token with no privileges removed or groups disabled. Used when running as administrator.
TYPE_3 3 A limited token with administrative privileges removed and administrative groups disabled.

Reason

Reason for closing an Alert or Case in the SOAR product.

Enum Value Enum Number Description
REASON_UNSPECIFIED 0 Default reason.
REASON_NOT_MALICIOUS 1 Case or Alert not malicious.
REASON_MALICIOUS 2 Case or Alert is malicious.
REASON_MAINTENANCE 3 Case or Alert is under maintenance.

Reputation

Categorization options for the usefulness of a Finding.

Enum Value Enum Number Description
REPUTATION_UNSPECIFIED 0 An unspecified reputation.
USEFUL 1 A categorization of the finding as useful.
NOT_USEFUL 2 A categorization of the finding as not useful.

Resource.ResourceType

Enum Value Enum Number Description
UNSPECIFIED 0 Default type.
MUTEX 1 Mutex.
TASK 2 Task.
PIPE 3 Named pipe.
DEVICE 4 Device.
FIREWALL_RULE 5 Firewall rule.
MAILBOX_FOLDER 6 Mailbox folder.
VPC_NETWORK 7 VPC Network.
VIRTUAL_MACHINE 8 Virtual machine.
STORAGE_BUCKET 9 Storage bucket.
STORAGE_OBJECT 10 Storage object.
DATABASE 11 Database.
TABLE 12 Data table.
CLOUD_PROJECT 13 Cloud project.
CLOUD_ORGANIZATION 14 Cloud organization.
SERVICE_ACCOUNT 15 Service account.
ACCESS_POLICY 16 Access policy.
CLUSTER 17 Cluster.
SETTING 18 Settings.
DATASET 19 Dataset.
BACKEND_SERVICE 20 Endpoint that receives traffic from a load balancer or proxy.
POD 21 Pod, which is a collection of nodes, but smaller than a cluster. Often used in Kubernetes.
CONTAINER 22 Container.
FUNCTION 23 Cloud function.
RUNTIME 24 Runtime.
IP_ADDRESS 25 IP address.
DISK 26 Disk.
VOLUME 27 Volume.
IMAGE 28 Machine image.
SNAPSHOT 29 Snapshot.
REPOSITORY 30 Repository.
CREDENTIAL 31 Credential, e.g. access keys, ssh keys, tokens, certificates.
LOAD_BALANCER 32 Load balancer.
GATEWAY 33 Gateway.
SUBNET 34 Subnet.

Role.Type

Well-known system roles.

Enum Value Enum Number Description
TYPE_UNSPECIFIED 0 Default user role.
ADMINISTRATOR 1 Product administrator with elevated privileges.
SERVICE_ACCOUNT 2 System service account for automated privilege access.

SecurityResult.Action

Enum representing different possible actions taken by the product that created the event.

Enum Value Enum Number Description
UNKNOWN_ACTION 0 The default action.
ALLOW 1 Allowed.
BLOCK 2 Blocked.
ALLOW_WITH_MODIFICATION 3 Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded).
QUARANTINE 4 Put somewhere for later analysis (does NOT imply block).
FAIL 5 Failed (e.g. the event was allowed but failed).
CHALLENGE 6 Challenged (e.g. the user was challenged by a Captcha, 2FA).

SecurityResult.AlertState

The type of alerting set up for a security result.

Enum Value Enum Number Description
UNSPECIFIED 0 The security result type is not known.
NOT_ALERTING 1 The security result is not an alert.
ALERTING 2 The security result is an alert.

SecurityResult.Association.AssociationType

Represents different possible Association types. Can be a threat actor or malware. Used to represent Mandiant threat intelligence.

Enum Value Enum Number Description
ASSOCIATION_TYPE_UNSPECIFIED 0 The default Association Type.
THREAT_ACTOR 1 Association type Threat actor.
MALWARE 2 Association type Malware.

SecurityResult.IoCStatsType

Type of IoCStat based on source.

Enum Value Enum Number Description
UNSPECIFIED_IOC_STATS_TYPE 0 IoCStat source is unidentified.
MANDIANT_SOURCES 1 IoCStat is from a Mandiant Source.
THIRD_PARTY_SOURCES 2 IoCStat is from a third-party source.
THREAT_INTELLIGENCE_IOC_STATS 3 IoCStat is from a threat intelligence feed.

SecurityResult.ProductConfidence

A level of confidence in the result.

Enum Value Enum Number Description
UNKNOWN_CONFIDENCE 0 The default confidence level.
LOW_CONFIDENCE 200 Low confidence.
MEDIUM_CONFIDENCE 300 Medium confidence.
HIGH_CONFIDENCE 400 High confidence.

SecurityResult.ProductPriority

A product priority level.

Enum Value Enum Number Description
UNKNOWN_PRIORITY 0 Default priority level.
LOW_PRIORITY 200 Low priority.
MEDIUM_PRIORITY 300 Medium priority.
HIGH_PRIORITY 400 High priority.

SecurityResult.ProductSeverity

Severity level as defined by the product.

Enum Value Enum Number Description
UNKNOWN_SEVERITY 0 The default severity level.
INFORMATIONAL 100 Info severity.
ERROR 150 An error.
NONE 101 No malicious result.
LOW 200 Low-severity malicious result.
MEDIUM 300 Medium-severity malicious result.
HIGH 400 High-severity malicious result.
CRITICAL 500 Critical-severity malicious result.

SecurityResult.SecurityCategory

SecurityCategory is used to standardize security categories across products, so that one event is not categorized as "malware" and another as a "virus".

Enum Value Enum Number Description
UNKNOWN_CATEGORY 0 The default category.
SOFTWARE_MALICIOUS 10000 Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS 10100 Below the conviction threshold; probably bad.
SOFTWARE_PUA 10200 Potentially Unwanted App (such as adware).
NETWORK_MALICIOUS 20000 Includes C&C or network exploit.
NETWORK_SUSPICIOUS 20100 Suspicious activity, such as potential reverse tunnel.
NETWORK_CATEGORIZED_CONTENT 20200 Non-security related: URL has category like gambling or porn.
NETWORK_DENIAL_OF_SERVICE 20300 DoS, DDoS.
NETWORK_RECON 20400 Port scan detected by an IDS, probing of web app.
NETWORK_COMMAND_AND_CONTROL 20500 If we know this is a C&C channel.
ACL_VIOLATION 30000 Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION 40000 Authentication failed (e.g. bad password or bad 2-factor authentication).
EXPLOIT 50000 Exploit: for all manner of exploits, including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. Covers both network- and host-based exploits.
DATA_EXFILTRATION 60000 DLP: Sensitive data transmission, copy to thumb drive.
DATA_AT_REST 60100 DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION 60200 Attempt to destroy/delete data.
TOR_EXIT_NODE 60300 TOR Exit Nodes.
MAIL_SPAM 70000 Spam email, message, etc.
MAIL_PHISHING 70100 Phishing email, chat messages, etc.
MAIL_SPOOFING 70200 Spoofed source email address, etc.
POLICY_VIOLATION 80000 Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
SOCIAL_ENGINEERING 90001 Threats which manipulate to break normal security procedures.
PHISHING 90002 Phishing pages, pop-ups, HTTPS phishing, etc.

SecurityResult.ThreatStatus

Vendor-specific information about the status of a threat (ITW).

Enum Value Enum Number Description
THREAT_STATUS_UNSPECIFIED 0 Default threat status.
ACTIVE 1 Active threat.
CLEARED 2 Cleared threat.
FALSE_POSITIVE 3 False positive.

SecurityResult.VerdictResponse

Represents different verdict types. Used to represent Mandiant threat intelligence.

Enum Value Enum Number Description
VERDICT_RESPONSE_UNSPECIFIED 0 The default verdict response type.
MALICIOUS 1 The verdict response classified the threat as malicious.
BENIGN 2 The verdict response classified the threat as benign.

SecurityResult.VerdictType

Category of the verdict.

Enum Value Enum Number Description
VERDICT_TYPE_UNSPECIFIED 0 Verdict category not specified.
PROVIDER_ML_VERDICT 1 ML verdict result provided by threat providers, such as Mandiant. These fields are used to model Mandiant sources.
ANALYST_VERDICT 2 Verdict provided by a human analyst. These fields are used to model Mandiant sources.

Status

Describes status of a Finding.

Enum Value Enum Number Description
STATUS_UNSPECIFIED 0 Unspecified finding status.
NEW 1 New finding.
REVIEWED 2 When a finding has feedback.
CLOSED 3 When an analyst closes a finding.
OPEN 4 Open. Used to indicate that a Case / Alert is open.

ThreatVerdict

GCTI threat verdict levels.

Enum Value Enum Number Description
THREAT_VERDICT_UNSPECIFIED 0 Unspecified threat verdict level.
UNDETECTED 1 Undetected threat verdict level.
SUSPICIOUS 2 Suspicious threat verdict level.
MALICIOUS 3 Malicious threat verdict level.

User.AccountType

User Account Type.

Enum Value Enum Number Description
ACCOUNT_TYPE_UNSPECIFIED 0 Default user account type.
DOMAIN_ACCOUNT_TYPE 1 A human account that is part of a domain in directory services.
LOCAL_ACCOUNT_TYPE 2 A local machine account.
CLOUD_ACCOUNT_TYPE 3 A SaaS service account type (such as Slack or GitHub).
SERVICE_ACCOUNT_TYPE 4 A non-human account for data access.
DEFAULT_ACCOUNT_TYPE 5 A built-in default system account.

User.Role

User system roles.

Enum Value Enum Number Description
UNKNOWN_ROLE 0 Default user role.
ADMINISTRATOR 1 Product administrator with elevated privileges.
SERVICE_ACCOUNT 2 System service account for automated privilege access. Deprecated: not a role, instead set User.account_type.

Verdict

Categorization options for the validity of a Finding (i.e. whether it reflects an actual security incident).

Enum Value Enum Number Description
VERDICT_UNSPECIFIED 0 An unspecified verdict.
TRUE_POSITIVE 1 A categorization of the finding as a "true positive".
FALSE_POSITIVE 2 A categorization of the finding as a "false positive".

Vulnerability.Severity

Severity of the vulnerability.

Enum Value Enum Number Description
UNKNOWN_SEVERITY 0 The default severity level.
LOW 1 Low severity.
MEDIUM 2 Medium severity.
HIGH 3 High severity.
CRITICAL 4 Critical severity.

Standard datatypes

Standard datatypes and the equivalent types in other languages.

Datatype Notes C++ Java Python Go C# PHP Ruby
double double double float float64 double float Float
float float float float float32 float float Float
int32 Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. int32 int int int32 int integer Bignum or Fixnum (as required)
int64 Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. int64 long int/long int64 long integer/string Bignum
uint32 Uses variable-length encoding. uint32 int int/long uint32 uint integer Bignum or Fixnum (as required)
uint64 Uses variable-length encoding. uint64 long int/long uint64 ulong integer/string Bignum or Fixnum (as required)
sint32 Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. int32 int int int32 int integer Bignum or Fixnum (as required)
sint64 Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. int64 long int/long int64 long integer/string Bignum
fixed32 Always four bytes. More efficient than uint32 if values are often greater than 2^28. uint32 int int uint32 uint integer Bignum or Fixnum (as required)
fixed64 Always eight bytes. More efficient than uint64 if values are often greater than 2^56. uint64 long int/long uint64 ulong integer/string Bignum
sfixed32 Always four bytes. int32 int int int32 int integer Bignum or Fixnum (as required)
sfixed64 Always eight bytes. int64 long int/long int64 long integer/string Bignum
bool bool boolean boolean bool bool boolean TrueClass/FalseClass
string A string must always contain UTF-8 encoded or 7-bit ASCII text. string String str/unicode string string string String (UTF-8)
bytes May contain any arbitrary sequence of bytes. string ByteString str []byte ByteString string String (ASCII-8BIT)
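The encoding notes in the table above (varints are inefficient for negative values, sint32/sint64 use ZigZag to fix that, and fixed32/fixed64 win once values exceed 2^28 or 2^56) are easier to verify than to take on trust. The following is an added example, not part of the UDM reference or of any Google library: it implements the base-128 varint and ZigZag transforms as described in the protobuf encoding specification and measures the wire size of a value under each scalar type. The function names are the example's own, and only the value is encoded (the field tag byte is omitted).

```python
# Added example, not part of the UDM reference: protobuf scalar wire encodings.
# Implements base-128 varint and ZigZag as described in the protobuf encoding
# spec so the sizes claimed in the "Notes" column can be measured directly.
# Only the value is encoded; the field tag/wire-type byte is omitted.

MASK64 = (1 << 64) - 1


def _check_signed_range(value: int, bits: int) -> None:
    if not -(1 << (bits - 1)) <= value < (1 << (bits - 1)):
        raise ValueError(f"{value} does not fit a signed {bits}-bit integer")


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 data bits per byte, least-significant group first,
    continuation bit (0x80) set on every byte except the last."""
    if value < 0:
        raise ValueError("varint encodes non-negative integers only")
    out = bytearray()
    while True:
        low = value & 0x7F
        value >>= 7
        if value:
            out.append(low | 0x80)  # more groups follow
        else:
            out.append(low)
            return bytes(out)


def decode_varint(data: bytes) -> int:
    """Inverse of encode_varint; raises if the input ends mid-varint."""
    result, shift = 0, 0
    for byte in data:
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result
        shift += 7
    raise ValueError("truncated varint")


def zigzag(value: int, bits: int) -> int:
    """ZigZag transform used by sint32/sint64: 0,-1,1,-2,... -> 0,1,2,3,...
    Python's arithmetic right shift makes (value >> (bits-1)) 0 or -1."""
    _check_signed_range(value, bits)
    return (value << 1) ^ (value >> (bits - 1))


def unzigzag(encoded: int) -> int:
    """Inverse ZigZag transform."""
    return (encoded >> 1) ^ -(encoded & 1)


def encode_int(value: int, bits: int) -> bytes:
    """int32/int64: two's complement sign-extended to 64 bits, then varint.
    This is why every negative int32/int64 costs 10 bytes on the wire."""
    _check_signed_range(value, bits)
    return encode_varint(value & MASK64)


def encode_sint(value: int, bits: int) -> bytes:
    """sint32/sint64: ZigZag first, so small-magnitude negatives stay small."""
    return encode_varint(zigzag(value, bits))


def encode_fixed(value: int, bits: int) -> bytes:
    """fixed32/sfixed32/fixed64/sfixed64: always bits//8 bytes, little-endian."""
    return (value & ((1 << bits) - 1)).to_bytes(bits // 8, "little")


def wire_sizes(value: int, bits: int = 64) -> dict:
    """Bytes the value occupies under each encoding of the given width."""
    return {
        f"int{bits}": len(encode_int(value, bits)),
        f"sint{bits}": len(encode_sint(value, bits)),
        f"fixed{bits}": len(encode_fixed(value, bits)),
    }


if __name__ == "__main__":
    # Constructed sample values around the crossover points named in the table.
    for v in (1, -1, 2**28 - 1, 2**28):
        print(v, wire_sizes(v, 32))
```

Running the block shows the table's advice concretely: -1 costs 10 bytes as int32 but 1 byte as sint32, and 2^28 is the first value where a uint32 varint (5 bytes) is larger than fixed32 (4 bytes). When a UDM field such as a counter or score is guaranteed non-negative, the default varint types are the compact choice; for values that can be negative, sint types avoid the 10-byte penalty.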