Unified Data Model field list
This document provides a list of fields available in the Unified Data Model schema.
When specifying a field, use the following format: <prefix>.<field_name1>.<field_name2>.<...>.<field_nameN>=<value>
When writing rules for Detect Engine, use the <prefix> pattern $event for Event
fields and $entity for Entity fields. For example:
$event.metadata.event_type$event.network.dhcp.opcode$event.principal.user.location.city$entity.graph.entity.hostname$entity.graph.metadata.product_name
When writing configuration-based normalizer (CBN) parsers, use the <prefix> pattern event.idm.read_only_udm for UDM Event fields and event.idm.graph for UDM Entity fields.
For example:
event.idm.read_only_udm.metadata.event_typeevent.idm.read_only_udm.network.dhcp.opcodeevent.idm.read_only_udm.principal.user.location.cityevent.idm.graph.entity.user.user_display_nameevent.idm.graph.entity.asset.hostname
Field name and field type values can look similar. This document uses style conventions to help you identify the differences:
- Field type values use CamelCase characters. For example, Platform and EventType.
- Field name values use lowercase characters. For example, platform and event_type.
- Standard data type values use lowercase characters.
UDM Entity data model
Entity
An Entity provides additional context about an item in a UDM event. For
example, a PROCESS_LAUNCH event describes that user 'abc@example.corp'
launched process 'shady.exe'.
The event does not include information that user 'abc@example.com' is a
recently terminated employee who administers a server storing finance data.
Information stored in one or more Entities can add this additional context.
| Field Name |
Type |
Label |
Description |
| metadata |
EntityMetadata |
|
Entity metadata such as timestamp, product, etc. |
| entity |
Noun |
|
Noun in the UDM event that this entity represents. |
| relations |
Relation |
repeated |
One or more relationships between the entity (a) and other entities,
including the relationship type and related entity. |
| additional |
google.protobuf.Struct |
|
Important entity data that cannot be adequately represented within
the formal sections of the Entity. |
| risk_score |
EntityRisk |
optional |
Stores information related to the entity's risk score. |
| metric |
Metric |
|
Stores statistical metrics about the entity. Used if metadata.entity_type
is METRIC. |
Information about the Entity and the product where the entity was created.
| Field Name |
Type |
Label |
Description |
| product_entity_id |
string |
|
A vendor-specific identifier that uniquely identifies the entity
(e.g. a GUID, LDAP, OID, or similar). |
| collected_timestamp |
google.protobuf.Timestamp |
|
GMT timestamp when the entity information was collected by the vendor's
local collection infrastructure. |
| creation_timestamp |
google.protobuf.Timestamp |
|
GMT timestamp when the entity described by the product_entity_id was
created on the system where data was collected. |
| interval |
google.type.Interval |
|
Valid existence time range for the version of the entity represented by
this entity data. |
| vendor_name |
string |
|
Vendor name of the product that produced the entity information. |
| product_name |
string |
|
Product name that produced the entity information. |
| feed |
string |
|
Vendor feed name for a threat indicator feed. |
| product_version |
string |
|
Version of the product that produced the entity information. |
| entity_type |
EntityMetadata.EntityType (Enumerated list) |
|
Entity type.
If an entity has multiple possible types, this specifies the most specific
type. |
| description |
string |
|
Human-readable description of the entity. |
| threat |
SecurityResult |
repeated |
Metadata provided by a threat intelligence feed that identified the
entity as malicious. |
| source_type |
EntityMetadata.SourceType (Enumerated list) |
|
The source of the entity. |
| source_labels |
Label |
repeated |
Entity source metadata labels. |
| event_metadata |
Metadata |
|
Metadata field from the event. |
EntityRisk
Stores information related to the risk score of an entity.
| Field Name |
Type |
Label |
Description |
| risk_version |
string |
|
Version of the risk score calculation algorithm. |
| risk_window |
google.type.Interval |
|
Time window used when computing the risk score for an entity, for
example 24 hours or 7 days. |
| DEPRECATED_risk_score |
int32 |
|
Deprecated risk score. |
| risk_delta |
RiskDelta |
optional |
Represents the change in risk score for an entity between the end of the
previous time window and the end of the current time window. |
| detections_count |
int32 |
|
Number of detections that make up the risk score within the time window. |
| first_detection_time |
google.protobuf.Timestamp |
|
Timestamp of the first detection within the specified time window.
This field is empty when there are no detections. |
| last_detection_time |
google.protobuf.Timestamp |
|
Timestamp of the last detection within the specified time window.
This field is empty when there are no detections. |
| risk_score |
float |
|
Raw risk score for the entity. |
| normalized_risk_score |
int32 |
|
Normalized risk score for the entity. This value is between 0-1000. |
| risk_window_size |
Int64 |
|
Risk window duration for the Entity. |
| raw_risk_delta |
RiskDelta |
optional |
Represents the change in raw risk score for an entity between the end of
the previous time window and the end of the current time window. |
Metric
Stores precomputed aggregated analytic data for an entity.
| Field Name |
Type |
Label |
Description |
| first_seen |
google.protobuf.Timestamp |
|
Timestamp of the first time the entity was seen in the environment. |
| last_seen |
google.protobuf.Timestamp |
|
Timestamp of the last time the entity was seen in the environment. |
| sum_measure |
Metric.Measure |
|
Sum of all precomputed measures for the given metric. |
| total_events |
int64 |
|
Total number of events used to calculate the given precomputed metric. |
| metric_name |
Metric.MetricName (Enumerated list) |
|
Name of the analytic. |
| dimensions |
Metric.Dimension (Enumerated list) |
repeated |
All group by clauses used to calculate the metric. |
| export_window |
int64 |
|
Export window for which the metric was exported. |
Metric.Measure
Describes the precomputed measure.
| Field Name |
Type |
Label |
Description |
| value |
double |
|
Value of the aggregated measure. |
| aggregate_function |
Metric.AggregateFunction (Enumerated list) |
|
Function used to calculate the aggregated measure. |
Relation
Defines the relationship between the entity (a) and another entity (b).
| Field Name |
Type |
Label |
Description |
| entity |
Noun |
|
Entity (b) that the primary entity (a) is related to. |
| entity_type |
EntityMetadata.EntityType (Enumerated list) |
|
Type of the related entity (b) in this relationship. |
| relationship |
Relation.Relationship (Enumerated list) |
|
Type of relationship. |
| direction |
Relation.Directionality (Enumerated list) |
|
Directionality of relationship between primary entity (a) and the
related entity (b). |
| uid |
bytes |
|
UID of the relationship. |
| entity_label |
Relation.EntityLabel (Enumerated list) |
|
Label to identify the Noun of the relation. |
RiskDelta
Describes the difference in risk score between two points in time.
| Field Name |
Type |
Label |
Description |
| previous_range_end_time |
google.protobuf.Timestamp |
|
End time of the previous time window. |
| risk_score_delta |
int32 |
|
Difference in the normalized risk score from the previous recorded value. |
| previous_risk_score |
int32 |
|
Risk score from previous risk window |
| risk_score_numeric_delta |
int32 |
|
Numeric change between current and previous risk score |
Entity enumerated types
Describes the type of entity.
An unknown event type.
| Enum Value |
Enum Number |
Description |
| ASSET |
1 |
An asset, such as workstation, laptop, phone, or virtual machine. |
| USER |
10000 |
User. |
| GROUP |
10001 |
Group. |
| RESOURCE |
2 |
Resource. |
| IP_ADDRESS |
3 |
An external IP address. The request should include IOC intel threat metadata for each entity to be ingested. |
| FILE |
4 |
A file. The request should include IOC intel threat metadata for each entity to be ingested.
|
| DOMAIN_NAME |
5 |
A domain. The request should include IOC intel threat metadata for each entity to be ingested.
|
| URL |
6 |
A URL. |
| MUTEX |
7 |
A mutex. The request should include IOC intel threat metadata for each entity to be ingested.
|
Describes the source of an entity.
| Enum Value |
Enum Number |
Description |
| SOURCE_TYPE_UNSPECIFIED |
0 |
Default source type |
| ENTITY_CONTEXT |
1 |
Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) |
| DERIVED_CONTEXT |
2 |
Entities derived from customer data such as prevalence, artifact
first/last seen, or asset/user first seen stats. |
| GLOBAL_CONTEXT |
3 |
Global contextual entities such as WHOIS or Safe Browsing. |
Metric.AggregateFunction
Mathematic function used to calculate the value.
| Enum Value |
Enum Number |
Description |
| AGGREGATE_FUNCTION_UNSPECIFIED |
0 |
Default value. |
| MIN |
1 |
Minimum. |
| MAX |
2 |
Maximum. |
| COUNT |
3 |
Count. |
| SUM |
4 |
Sum. |
| AVG |
5 |
Average. |
| STDDEV |
6 |
Standard Deviation. |
Metric.Dimension
Describes field used as the dimension when grouping data to calculate the
aggregate metric.
| Enum Value |
Enum Number |
Description |
| DIMENSION_UNSPECIFIED |
0 |
Default |
| PRINCIPAL_DEVICE |
1 |
Principal Device |
| TARGET_USER |
2 |
Target User |
| TARGET_DEVICE |
3 |
Target Device |
| PRINCIPAL_USER |
4 |
Principal User |
| TARGET_IP |
5 |
Target IP |
| PRINCIPAL_FILE_HASH |
6 |
Principal File Hash |
| PRINCIPAL_COUNTRY |
7 |
Principal Country |
| SECURITY_CATEGORY |
8 |
Security Category |
| NETWORK_ASN |
9 |
Network ASN |
| CLIENT_CERTIFICATE_HASH |
10 |
Client Certificate Hash |
| DNS_QUERY_TYPE |
11 |
DNS Query Type |
| DNS_DOMAIN |
12 |
DNS Domain |
| HTTP_USER_AGENT |
13 |
HTTP User Agent |
| EVENT_TYPE |
14 |
Event Type |
| PRODUCT_NAME |
15 |
Product Name |
| PRODUCT_EVENT_TYPE |
16 |
Product Event Type |
| PARENT_FOLDER_PATH |
17 |
Parent Folder Path |
| TARGET_RESOURCE_NAME |
18 |
Target resource Name |
| PRINCIPAL_APPLICATION |
19 |
Principal Application. |
| TARGET_APPLICATION |
20 |
Target Application. |
| EMAIL_TO_ADDRESS |
21 |
Email To Address. |
| EMAIL_FROM_ADDRESS |
22 |
Email From Address. |
| MAIL_ID |
23 |
Mail Id. |
| PRINCIPAL_IP |
24 |
Principal IP. |
| SECURITY_ACTION |
25 |
Security Action. |
| SECURITY_RULE_ID |
28 |
Security Rule Id. |
| TARGET_NETWORK_ORGANIZATION_NAME |
29 |
Target Network Organization name. |
| PRINCIPAL_NETWORK_ORGANIZATION_NAME |
30 |
Principal Network Organization name. |
| PRINCIPAL_PROCESS_FILE_PATH |
31 |
Principal Process File Path. |
| PRINCIPAL_PROCESS_FILE_HASH |
32 |
Principal Process File SHA256 Hash. |
| SECURITY_RESULT_RULE_NAME |
33 |
Security Result rule name. |
Metric.MetricName
The name of the precomputed analytic.
| Enum Value |
Enum Number |
Description |
| METRIC_NAME_UNSPECIFIED |
0 |
Default |
| NETWORK_BYTES_INBOUND |
1 |
Total received network bytes. |
| NETWORK_BYTES_OUTBOUND |
2 |
Total network sent bytes. |
| NETWORK_BYTES_TOTAL |
3 |
Total network sent bytes and received bytes. |
| AUTH_ATTEMPTS_SUCCESS |
4 |
Successful authentication attempts. |
| AUTH_ATTEMPTS_FAIL |
5 |
Failed authentication attempts. |
| AUTH_ATTEMPTS_TOTAL |
6 |
Total authentication attempts. |
| DNS_BYTES_OUTBOUND |
7 |
Total number of sent bytes for DNS events. |
| NETWORK_FLOWS_INBOUND |
8 |
Total number of events having non-null received bytes. |
| NETWORK_FLOWS_OUTBOUND |
9 |
Total number of events having non-null sent bytes. |
| NETWORK_FLOWS_TOTAL |
10 |
Total events having non-null sent or received bytes. |
| DNS_QUERIES_SUCCESS |
11 |
DNS query success count - Number of events with response_code = 0. |
| DNS_QUERIES_FAIL |
12 |
Number of events with response_code != 0. |
| DNS_QUERIES_TOTAL |
13 |
Total number of DNS queries made. |
| FILE_EXECUTIONS_SUCCESS |
14 |
Number of successfule file executions. |
| FILE_EXECUTIONS_FAIL |
15 |
Number of failed file executions. |
| FILE_EXECUTIONS_TOTAL |
16 |
Total number file executions. |
| HTTP_QUERIES_SUCCESS |
17 |
Number of successful HTTP queries. |
| HTTP_QUERIES_FAIL |
18 |
Number of failed HTTP queries. |
| HTTP_QUERIES_TOTAL |
19 |
Total number of HTTP queries. |
| WORKSPACE_EMAILS_SENT_TOTAL |
20 |
Total number of emails sent in Google Workspace. |
| WORKSPACE_TOTAL_DOWNLOAD_ACTIONS |
21 |
Total number of download actions in Google Workspace. |
| WORKSPACE_TOTAL_CHANGE_ACTIONS |
22 |
Total number of change actions in Google Workspace. |
| WORKSPACE_AUTH_ATTEMPTS_TOTAL |
23 |
Total number of authentication attempts in Google Workspace. |
| WORKSPACE_NETWORK_BYTES_OUTBOUND |
24 |
Number of outbound network bytes (total sent) in Google Workspace. |
| WORKSPACE_NETWORK_BYTES_TOTAL |
25 |
Total number of network bytes (both sent and received) in Google Workspace. |
| ALERT_EVENT_NAME_COUNT |
26 |
Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. |
Relation.Directionality
Describes the relationship model as directed or undirected.
| Enum Value |
Enum Number |
Description |
| DIRECTIONALITY_UNSPECIFIED |
0 |
Default value. |
| BIDIRECTIONAL |
1 |
Modeled in both directions. Primary entity (a) to related entity (b) and
related entity (b) to primary entity (a). |
| UNIDIRECTIONAL |
2 |
Modeled in a single direction. Primary entity (a) to related entity (b). |
Relation.EntityLabel
Entity label of the relation.
| Enum Value |
Enum Number |
Description |
| ENTITY_LABEL_UNSPECIFIED |
0 |
Default value. |
| PRINCIPAL |
1 |
The Noun represents a principal type object. |
| TARGET |
2 |
The Noun represents a target type object. |
| OBSERVER |
3 |
The Noun represents an observer type object. |
| SRC |
4 |
The Noun represents src type object. |
| NETWORK |
5 |
The Noun represents a network type object. |
| SECURITY_RESULT |
6 |
The Noun represents a SecurityResult object. |
| INTERMEDIARY |
7 |
The Noun represents an intermediary type object. |
Relation.Relationship
Type of relationship between the primary entity (a) and related entity (b).
| Enum Value |
Enum Number |
Description |
| RELATIONSHIP_UNSPECIFIED |
0 |
Default value |
| OWNS |
1 |
Related entity is owned by the primary entity (for example: user owns device
asset). |
| ADMINISTERS |
2 |
Related entity is administered by the primary entity (for example: user
administers a group). |
| MEMBER |
3 |
Primary entity is a member of the related entity (foe example: user is a member
of a group). |
| EXECUTES |
4 |
Primary entity may have executed the related entity. |
| DOWNLOADED_FROM |
5 |
Primary entity may have been downloaded from the related entity. |
| CONTACTS |
6 |
Primary entity contacts the related entity. |
UDM Event data model
A Unified Data Model event.
| Field Name |
Type |
Label |
Description |
| metadata |
Metadata |
|
Event metadata such as timestamp, source product, etc. |
| additional |
google.protobuf.Struct |
|
Any important vendor-specific event data that cannot be adequately
represented within the formal sections of the UDM model. |
| principal |
Noun |
|
Represents the acting entity that originates the activity
described in the event. The principal must include at least one machine
detail (hostname, MACs, IPs, port, product-specific identifiers like an
EDR asset ID) or user detail (for example, username), and optionally
include process details. It must NOT include any of the following fields:
email, files, registry keys, or values. |
| src |
Noun |
|
Represents a source entity being acted upon by the participant along with
the device or process context for the source object (the machine where the
source object resides). For example, if user U copies file A on machine X
to file B on machine Y, both file A and machine X would be specified in the
src portion of the UDM event. |
| target |
Noun |
|
Represents a target entity being referenced by the event or an object on
the target entity. For example, in a firewall connection from device A to
device B, A is described as the principal and B is described as the target.
For a process injection by process C into target process D, process C is
described as the principal and process D is described as the target. |
| intermediary |
Noun |
repeated |
Represents details on one or more intermediate entities processing activity
described in the event. This includes device details about a proxy server
or SMTP relay server. If an active event (that has a principal and
possibly target) passes through any intermediaries, they're added here.
Intermediaries can impact the overall action, for example blocking or
modifying an ongoing request. A rule of thumb here is that 'principal',
'target', and description of the initial action should be the same
regardless of the intermediary or its action. A successful network
connection from A->B should look the same in principal/target/intermediary
as one blocked by firewall C: principal: A, target: B (intermediary: C). |
| observer |
Noun |
|
Represents an observer entity (for example, a packet sniffer or
network-based vulnerability scanner), which is not a direct intermediary,
but which observes and reports on the event in question. |
| about |
Noun |
repeated |
Represents entities referenced by the event that are not otherwise
described in principal, src, target, intermediary or observer. For example,
it could be used to track email file attachments, domains/URLs/IPs embedded
within an email body, and DLLs that are loaded during a PROCESS_LAUNCH
event. |
| security_result |
SecurityResult |
repeated |
A list of security results. |
| network |
Network |
|
All network details go here, including sub-messages with details on each
protocol (for example, DHCP, DNS, or HTTP). |
| extensions |
Extensions |
|
All other first-class, event-specific metadata goes in this message.
Don't place protocol metadata in Extensions; put it in Network. |
Event top level types
Extensions
Extensions to a UDM event.
General information associated with a UDM event.
| Field Name |
Type |
Label |
Description |
| id |
bytes |
|
ID of the UDM event. Can be used for raw and normalized event retrieval. |
| product_log_id |
string |
|
A vendor-specific event identifier to uniquely identify the event (for example: a
GUID). |
| event_timestamp |
google.protobuf.Timestamp |
|
The GMT timestamp when the event was generated. |
| collected_timestamp |
google.protobuf.Timestamp |
|
The GMT timestamp when the event was collected by the vendor's local
collection infrastructure. |
| ingested_timestamp |
google.protobuf.Timestamp |
|
The GMT timestamp when the event was ingested (received) by Google Security Operations. |
| event_type |
Metadata.EventType |
|
The event type.
If an event has multiple possible types, this specifies the most specific
type. |
| vendor_name |
string |
|
The name of the product vendor. |
| product_name |
string |
|
The name of the product. |
| product_version |
string |
|
The version of the product. |
| product_event_type |
string |
|
A short, descriptive, human-readable, product-specific event name or type
(for example: "Scanned X", "User account created", "process_start"). |
| product_deployment_id |
string |
|
The deployment identifier assigned by the vendor for a product deployment. |
| description |
string |
|
A human-readable unparsable description of the event. |
| url_back_to_product |
string |
|
A URL that takes the user to the source product console for this event. |
| ingestion_labels |
Label |
repeated |
User-configured ingestion metadata labels. |
| tags |
Tags |
|
Tags added by Google Security Operations after an event is parsed. It is an error to
populate this field from within a parser. |
| enrichment_state |
Metadata.EnrichmentState |
|
The enrichment state. |
| log_type |
string |
|
The string value of log type. |
| base_labels |
DataAccessLabels |
|
Data access labels on the base event. |
| enrichment_labels |
DataAccessLabels |
|
Data access labels from all the contextual events used to enrich the base
event. |
Network
A network event.
| Field Name |
Type |
Label |
Description |
| sent_bytes |
uint64 |
|
The number of bytes sent. |
| received_bytes |
uint64 |
|
The number of bytes received. |
| sent_packets |
int64 |
|
The number of packets sent. |
| received_packets |
int64 |
|
The number of packets received. |
| session_duration |
Int64 |
|
The duration of the session as the number of seconds and nanoseconds.
For seconds, network.session_duration.seconds, the type is a 64-bit
integer. For nanoseconds, network.session_duration.nanos, the type is a
32-bit integer. |
| session_id |
string |
|
The ID of the network session. |
| parent_session_id |
string |
|
The ID of the parent network session. |
| application_protocol_version |
string |
|
The version of the application protocol. e.g. "1.1, 2.0" |
| community_id |
string |
|
Community ID network flow value. |
| direction |
Network.Direction |
|
The direction of network traffic. |
| ip_protocol |
Network.IpProtocol |
|
The IP protocol. |
| application_protocol |
Network.ApplicationProtocol |
|
The application protocol. |
| ftp |
Ftp |
|
FTP info. |
| email |
Email |
|
Email info for the sender/recipient. |
| dns |
Dns |
|
DNS info. |
| dhcp |
Dhcp |
|
DHCP info. |
| http |
Http |
|
HTTP info. |
| tls |
Tls |
|
TLS info. |
| smtp |
Smtp |
|
SMTP info.
Store fields specific to SMTP not covered by Email. |
| asn |
string |
|
Autonomous system number. |
| dns_domain |
string |
|
DNS domain name. |
| carrier_name |
string |
|
Carrier identification. |
| organization_name |
string |
|
Organization name (e.g Google). |
| ip_subnet_range |
string |
|
Associated human-readable IP subnet range (e.g. 10.1.2.0/24). |
Noun
The Noun type is used to represent the different entities in an event:
principal, src, target, observer, intermediary, and about. It stores
attributes known about the entity. For example, if the entity is a device
with multiple IP or MAC addresses, it stores the IP and MAC addresses that
are relevant to the event.
| Field Name |
Type |
Label |
Description |
| hostname |
string |
|
Client hostname or domain name field.
Hostname also doubles as the domain for remote entities. |
| domain |
Domain |
|
Information about the domain. |
| artifact |
Artifact |
|
Information about an artifact. |
| url_metadata |
URL |
|
Information about the URL. |
| asset_id |
string |
|
The asset ID. |
| user |
User |
|
Information about the user. |
| user_management_chain |
User |
repeated |
Information about the user's management chain (reporting hierarchy).
Note: user_management_chain is only populated when data is exported to
BigQuery since recursive fields (e.g. user.managers) are not supported by
BigQuery. |
| group |
Group |
|
Information about the group. |
| process |
Process |
|
Information about the process. |
| process_ancestors |
Process |
repeated |
Information about the process's ancestors ordered from immediate ancestor
(parent process) to root.
Note: process_ancestors is only populated when data is exported to BigQuery
since recursive fields (e.g. process.parent_process) are not supported by
BigQuery. |
| asset |
Asset |
|
Information about the asset. |
| ip |
string |
repeated |
A list of IP addresses associated with a network connection. |
| nat_ip |
string |
repeated |
A list of NAT translated IP addresses associated with a network connection. |
| port |
int32 |
|
Source or destination network port number when a specific network
connection is described within an event. |
| nat_port |
int32 |
|
NAT external network port number when a specific network connection is
described within an event. |
| mac |
string |
repeated |
List of MAC addresses associated with a device. |
| administrative_domain |
string |
|
Domain which the device belongs to (for example, the Microsoft Windows
domain). |
| namespace |
string |
|
Namespace which the device belongs to, such as "AD forest".
Uses for this field include Microsoft Windows AD forest, the name of
subsidiary, or the name of acquisition. |
| URL |
string |
|
The URL. |
| file |
File |
|
Information about the file. |
| email |
string |
|
Email address.
Only filled in for security_result.about |
| registry |
Registry |
|
Registry information. |
| application |
string |
|
The name of an application or service.
Some SSO solutions only capture the name of a target application
such as "Atlassian" or "Google". |
| platform |
Noun.Platform |
|
Platform. |
| platform_version |
string |
|
Platform version. For example,
"Microsoft Windows 1803". |
| platform_patch_level |
string |
|
Platform patch level.
For example, "Build 17134.48" |
| cloud |
Cloud |
|
Cloud metadata.
Deprecated: cloud should be populated in entity Attribute as generic
metadata (e.g. asset.attribute.cloud). |
| location |
Location |
|
Physical location. For cloud environments, set the region in
location.name. |
| ip_location |
Location |
repeated |
Deprecated: use ip_geo_artifact.location instead. |
| ip_geo_artifact |
Artifact |
repeated |
Enriched geographic information corresponding to an IP address.
Specifically, location and network data. |
| resource |
Resource |
|
Information about the resource (e.g. scheduled task, calendar entry).
This field should not be used for files, registry, or processes because
these objects are already part of Noun. |
| resource_ancestors |
Resource |
repeated |
Information about the resource's ancestors ordered from immediate ancestor
(starting with parent resource). |
| labels |
Label |
repeated |
Labels are key-value pairs.
For example: key = "env", value = "prod".
Deprecated: labels should be populated in entity Attribute as generic
metadata (e.g. user.attribute.labels). |
| object_reference |
Id |
|
Finding to which the Analyst updated the feedback. |
| investigation |
Investigation |
|
Analyst feedback/investigation for alerts. |
| network |
Network |
|
Network details, including sub-messages with details on each protocol
(for example, DHCP, DNS, or HTTP). |
| security_result |
SecurityResult |
repeated |
A list of security results. |
SecurityResult
Security related metadata for the event. A security result might be something
like "virus detected and quarantined," "malicious connection blocked," or
"sensitive data included in document foo.doc." Each security result, of which
there may be more than one, may either pertain to the whole event, or to a
specific object or device referenced in the event (e.g. a malicious file
that was detected, or a sensitive document sent as an email attachment). For
security results that apply to a particular object referenced in the event,
the security_results message MUST contain details about the implicated object
(such as process, user, IP, domain, URL, IP, or email address) in the about
field. For security results that apply to the entire event (e.g. SPAM found
in this email), the about field must remain empty.
| Field Name |
Type |
Label |
Description |
| about |
Noun |
|
If the security result is about a specific entity (Noun), add it here. |
| category |
SecurityResult.SecurityCategory |
repeated |
The security category. |
| category_details |
string |
repeated |
For vendor-specific categories. For web categorization, put type in here
such as "gambling" or "porn". |
| threat_name |
string |
|
A vendor-assigned classification common across multiple customers
(e.g. "W32/File-A", "Slammer"). |
| rule_set |
string |
|
The result's rule set identifier.
(e.g. "windows-threats") |
| rule_set_display_name |
string |
|
The curated detections rule set display name. |
| ruleset_category_display_name |
string |
|
The curated detection rule set category display name.
(for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration",
the rule_set_category is "Cloud Threats"). |
| rule_id |
string |
|
A vendor-specific ID and name for a rule, varying by observerer type
(e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). |
| rule_name |
string |
|
Name of the security rule
(e.g. "BlockInboundToOracle"). |
| rule_version |
string |
|
Version of the security rule.
(e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00").
Note that rule versions are source-dependant and lexical ordering
should not be assumed. |
| rule_type |
string |
|
The type of security rule. |
| rule_author |
string |
|
Author of the security rule. |
| rule_labels |
Label |
repeated |
A list of rule labels that can't be captured by the other fields
in security result
(e.g. "reference : AnotherRule", "contributor : John"). |
| alert_state |
SecurityResult.AlertState |
|
The alerting types of this security result. |
| detection_fields |
Label |
repeated |
An ordered list of values, that represent fields in detections for a
security finding. This list represents mapping of names of requested
entities to their values (i.e. the security result matched variables) . |
| outcomes |
Label |
repeated |
A list of outcomes that represent the results of this security finding.
This list represents a mapping of names of the requested outcomes,
to their values. |
| summary |
string |
|
A human readable summary (e.g. "failed login occurred") |
| description |
string |
|
A human readable description (e.g. "user password was wrong") |
| action |
SecurityResult.Action |
repeated |
Actions taken for this event. |
| action_details |
string |
|
The detail of the action taken as provided by the vendor. |
| severity |
SecurityResult.ProductSeverity |
|
The severity of the result. |
| confidence |
SecurityResult.ProductConfidence |
|
The confidence level of the result as estimated by the product. |
| priority |
SecurityResult.ProductPriority |
|
The priority of the result. |
| risk_score |
float |
|
The risk score of the security result. |
| confidence_score |
float |
|
The confidence score of the security result. |
| analytics_metadata |
AnalyticsMetadata |
repeated |
Stores metadata about each risk analytic metric the rule uses. |
| severity_details |
string |
|
Vendor-specific severity. |
| confidence_details |
string |
|
Additional detail with regards to the confidence of a security event as
estimated by the product vendor. |
| priority_details |
string |
|
Vendor-specific information about the security result priority. |
| url_back_to_product |
string |
|
URL that takes the user to the source product console for this event. |
| threat_id |
string |
|
Vendor-specific ID for a threat. |
| threat_feed_name |
string |
|
Vendor feed name for a threat indicator feed. |
| threat_id_namespace |
Id.Namespace |
|
The attribute threat_id_namespace qualifies threat_id with an ID namespace
to get an
unique ID. The attribute threat_id by itself is not unique across Google SecOps
as it is a vendor specific ID. |
| threat_status |
SecurityResult.ThreatStatus |
|
Current status of the threat |
| attack_details |
AttackDetails |
|
MITRE ATT&CK details. |
| first_discovered_time |
google.protobuf.Timestamp |
|
First time the IoC threat was discovered in the provider. |
| associations |
SecurityResult.Association |
repeated |
Associations related to the threat. |
| campaigns |
string |
repeated |
Campaigns using this IOC threat. |
| verdict |
SecurityResult.Verdict |
|
Verdict about the IoC from the provider.
This field is now deprecated. Use VerdictInfo instead. |
| last_updated_time |
google.protobuf.Timestamp |
|
Last time the IoC threat was updated in the provider. |
| verdict_info |
SecurityResult.VerdictInfo |
repeated |
Verdict information about the IoC from the provider. |
| threat_verdict |
ThreatVerdict |
|
GCTI threat verdict on the security result entity. |
| last_discovered_time |
google.protobuf.Timestamp |
|
Last time the IoC was seen in the provider data. |
Event subtypes
Stores information about an analytics metric used in a rule.
| Field Name |
Type |
Label |
Description |
| analytic |
string |
|
Name of the analytic. |
Artifact
Information about an artifact. The artifact can only be an IP.
| Field Name |
Type |
Label |
Description |
| ip |
string |
|
IP address of the artifact. |
| prevalence |
Prevalence |
|
The prevalence of the artifact within the customer's environment. |
| first_seen_time |
google.protobuf.Timestamp |
|
First seen timestamp of the IP in the customer's environment. |
| last_seen_time |
google.protobuf.Timestamp |
|
Last seen timestamp of the IP address in the customer's environment. |
| location |
Location |
|
Location of the Artifact's IP address. |
| network |
Network |
|
Network information related to the Artifact's IP address. |
| as_owner |
string |
|
Owner of the Autonomous System to which the IP address belongs. |
| asn |
int64 |
|
Autonomous System Number to which the IP address belongs. |
| jarm |
string |
|
The JARM hash for the IP address.
(https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). |
| last_https_certificate |
SSLCertificate |
|
SSL certificate information about the IP address. |
| last_https_certificate_date |
google.protobuf.Timestamp |
|
Most recent date for the certificate in VirusTotal. |
| regional_internet_registry |
string |
|
RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). |
| tags |
string |
repeated |
Identification attributes |
| whois |
string |
|
WHOIS information as returned from the pertinent WHOIS server. |
| whois_date |
google.protobuf.Timestamp |
|
Date of the last update of the WHOIS record in VirusTotal. |
Asset
Information about a compute asset such as a workstation, laptop, phone,
virtual desktop, or VM.
| Field Name |
Type |
Label |
Description |
| product_object_id |
string |
|
A vendor-specific identifier to uniquely identify the entity (a GUID or
similar). |
| hostname |
string |
|
Asset hostname or domain name field. |
| asset_id |
string |
|
The asset ID. Value must contain the ':' character. For example,
cs:abcdd23434. |
| ip |
string |
repeated |
A list of IP addresses associated with an asset. |
| mac |
string |
repeated |
List of MAC addresses associated with an asset. |
| nat_ip |
string |
repeated |
List of NAT IP addresses associated with an asset. |
| first_seen_time |
google.protobuf.Timestamp |
|
The first observed time for an asset.
The value is calculated on the basis of the
first time the identifier was observed. |
| hardware |
Hardware |
repeated |
The asset hardware specifications. |
| platform_software |
PlatformSoftware |
|
The asset operating system platform software. |
| software |
Software |
repeated |
The asset software details. |
| location |
Location |
|
Location of the asset. |
| category |
string |
|
The category of the asset (e.g. "End User Asset", "Workstation", "Server"). |
| type |
Asset.AssetType |
|
The type of the asset (e.g. workstation or laptop or server). |
| network_domain |
string |
|
The network domain of the asset (e.g. "corp.acme.com") |
| creation_time |
google.protobuf.Timestamp |
|
Time the asset was created or provisioned.
Deprecate: creation_time should be populated in Attribute as generic
metadata. |
| first_discover_time |
google.protobuf.Timestamp |
|
Time the asset was first discovered (by asset management/discoverability
software). |
| last_discover_time |
google.protobuf.Timestamp |
|
Time the asset was last discovered (by asset management/discoverability
software). |
| system_last_update_time |
google.protobuf.Timestamp |
|
Time the asset system or OS was last updated.
For all other operations that are not system updates (such as resizing a
VM), use Attribute.last_update_time. |
| last_boot_time |
google.protobuf.Timestamp |
|
Time the asset was last boot started. |
| labels |
Label |
repeated |
Metadata labels for the asset.
Deprecated: labels should be populated in Attribute as generic metadata. |
| deployment_status |
Asset.DeploymentStatus |
|
The deployment status of the asset for device lifecycle purposes. |
| vulnerabilities |
Vulnerability |
repeated |
Vulnerabilities discovered on asset. |
| attribute |
Attribute |
|
Generic entity metadata attributes of the asset. |
AttackDetails
MITRE ATT&CK details.
AttackDetails.Tactic
Tactic information related to an attack or threat.
| Field Name |
Type |
Label |
Description |
| id |
string |
|
Tactic ID (e.g. "TA0043"). |
| name |
string |
|
Tactic Name (e.g. "Reconnaissance") |
AttackDetails.Technique
Technique information related to an attack or threat.
| Field Name |
Type |
Label |
Description |
| id |
string |
|
Technique ID (e.g. "T1595"). |
| name |
string |
|
Technique Name (e.g. "Active Scanning"). |
| subtechnique_id |
string |
|
Subtechnique ID (e.g. "T1595.001"). |
| subtechnique_name |
string |
|
Subtechnique Name (e.g. "Scanning IP Blocks"). |
Attribute
Attribute is a container for generic entity attributes including common
attributes across core entities (such as, user or asset). For example, Cloud
is a generic entity attribute since it can apply to an asset (for example, a
VM) or a user (for example, an identity service account).
| Field Name |
Type |
Label |
Description |
| cloud |
Cloud |
|
Cloud metadata attributes such as project ID, account ID, or organizational
hierarchy. |
| labels |
Label |
repeated |
Set of labels for the entity. Should only be used for product labels (for
example, Google Cloud resource labels or Azure AD sensitivity labels.
Should not be used for arbitrary key-value mappings. |
| permissions |
Permission |
repeated |
System permissions for IAM entity
(human principal, service account, group). |
| roles |
Role |
repeated |
System IAM roles to be assumed by resources to use the role's permissions
for access control. |
| creation_time |
google.protobuf.Timestamp |
|
Time the resource or entity was created or provisioned. |
| last_update_time |
google.protobuf.Timestamp |
|
Time the resource or entity was last updated. |
Authentication
The Authentication extension captures details specific to authentication
events.
General guidelines for authentication events:
Details about the source of the authentication event (for example, client
IP or hostname), should be captured in principal. The principal may be
empty if we have no details about the source of the login.
Details about the target of the authentication event (for example, details
about the machine that is being logged into or logged out of) should be
captured in target.
Some authentication events may involve a third-party. For example, a user
logs into a cloud service (for example, Google Security Operations) using their company's SSO (the
event is logged by their SSO solution). In this case, the principal
captures information about the user's device, the target captures details
about the cloud service they logged into, and the intermediary captures
details about the SSO solution.
Certificate
Certificate information
| Field Name |
Type |
Label |
Description |
| version |
string |
|
Certificate version. |
| serial |
string |
|
Certificate serial number. |
| subject |
string |
|
Subject of the certificate. |
| issuer |
string |
|
Issuer of the certificate. |
| md5 |
string |
|
The MD5 hash of the certificate, as a hex-encoded string. |
| sha1 |
string |
|
The SHA1 hash of the certificate, as a hex-encoded string. |
| sha256 |
string |
|
The SHA256 hash of the certificate, as a hex-encoded string. |
| not_before |
google.protobuf.Timestamp |
|
Indicates when the certificate is first valid. |
| not_after |
google.protobuf.Timestamp |
|
Indicates when the certificate is no longer valid. |
Cloud
Metadata related to the cloud environment.
| Field Name |
Type |
Label |
Description |
| environment |
Cloud.CloudEnvironment |
|
The Cloud environment. |
| vpc |
Resource |
|
The cloud environment VPC.
Deprecated. |
| project |
Resource |
|
The cloud environment project information.
Deprecated: Use Resource.resource_ancestors |
| availability_zone |
string |
|
The cloud environment availability zone (different from region which is
location.name). |
DNSRecord
DNS record.
| Field Name |
Type |
Label |
Description |
| type |
string |
|
Type. |
| value |
string |
|
Value. |
| ttl |
Int64 |
|
Time to live. |
| priority |
int64 |
|
Priority. |
| retry |
int64 |
|
Retry. |
| refresh |
Int64 |
|
Refresh. |
| minimum |
Int64 |
|
Minimum. |
| expire |
Int64 |
|
Expire. |
| serial |
int64 |
|
Serial. |
| rname |
string |
|
Rname. |
Dhcp
DHCP information.
| Field Name |
Type |
Label |
Description |
| opcode |
Dhcp.OpCode |
|
The BOOTP op code. |
| htype |
uint32 |
|
Hardware address type. |
| hlen |
uint32 |
|
Hardware address length. |
| hops |
uint32 |
|
Hardware ops. |
| transaction_id |
uint32 |
|
Transaction ID. |
| seconds |
uint32 |
|
Seconds elapsed since client began address acquisition/renewal process. |
| flags |
uint32 |
|
Flags. |
| ciaddr |
string |
|
Client IP address (ciaddr). |
| yiaddr |
string |
|
Your IP address (yiaddr). |
| siaddr |
string |
|
IP address of the next bootstrap server. |
| giaddr |
string |
|
Relay agent IP address (giaddr). |
| chaddr |
string |
|
Client hardware address (chaddr). |
| sname |
string |
|
Server name that the client wishes to boot from. |
| file |
string |
|
Boot image filename. |
| options |
Dhcp.Option |
repeated |
List of DHCP options. |
| type |
Dhcp.MessageType |
|
DHCP message type. |
| lease_time_seconds |
uint32 |
|
Lease time in seconds. See RFC2132, section 9.2. |
| client_hostname |
string |
|
Client hostname. See RFC2132, section 3.14. |
| client_identifier |
bytes |
|
Client identifier. See RFC2132, section 9.14. |
| requested_address |
string |
|
Requested IP address. See RFC2132, section 9.1. |
Dhcp.Option
DHCP options.
| Field Name |
Type |
Label |
Description |
| code |
uint32 |
|
Code. See RFC1533. |
| data |
bytes |
|
Data. |
Dns
DNS information.
| Field Name |
Type |
Label |
Description |
| id |
uint32 |
|
DNS query id. |
| response |
bool |
|
Set to true if the event is a DNS response. See QR field from RFC1035. |
| opcode |
uint32 |
|
The DNS OpCode used to specify the type of DNS query
(for example, QUERY, IQUERY, or STATUS). |
| authoritative |
bool |
|
Other DNS header flags. See RFC1035, section 4.1.1. |
| truncated |
bool |
|
Whether the DNS response was truncated. |
| recursion_desired |
bool |
|
Whether a recursive DNS lookup is desired. |
| recursion_available |
bool |
|
Whether a recursive DNS lookup is available. |
| response_code |
uint32 |
|
Response code. See RCODE from RFC1035. |
| questions |
Dns.Question |
repeated |
A list of domain protocol message questions. |
| answers |
Dns.ResourceRecord |
repeated |
A list of answers to the domain name query. |
| authority |
Dns.ResourceRecord |
repeated |
A list of domain name servers which verified the answers to the domain name
queries. |
| additional |
Dns.ResourceRecord |
repeated |
A list of additional domain name servers that can be used to verify the
answer to the domain. |
Dns.Question
DNS Questions. See RFC1035, section 4.1.2.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
The domain name. |
| type |
uint32 |
|
The code specifying the type of the query. |
| class |
uint32 |
|
The code specifying the class of the query. |
| prevalence |
Prevalence |
|
The prevalence of the domain within the customer's environment. |
Dns.ResourceRecord
DNS Resource Records. See RFC1035, section 4.1.3.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
The name of the owner of the resource record. |
| type |
uint32 |
|
The code specifying the type of the resource record. |
| class |
uint32 |
|
The code specifying the class of the resource record. |
| ttl |
uint32 |
|
The time interval for which the resource record can be cached before the
source of the information should again be queried. |
| data |
string |
|
The payload or response to the DNS question for all responses encoded in
UTF-8 format |
| binary_data |
bytes |
|
The raw bytes of any non-UTF8 strings that might be included as part of a
DNS response. |
Domain
Information about a domain.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
The domain name. |
| prevalence |
Prevalence |
|
The prevalence of the domain within the customer's environment. |
| first_seen_time |
google.protobuf.Timestamp |
|
First seen timestamp of the domain in the customer's environment. |
| last_seen_time |
google.protobuf.Timestamp |
|
Last seen timestamp of the domain in the customer's environment. |
| registrar |
string |
|
Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)",
"GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". |
| contact_email |
string |
|
Contact email address. |
| whois_server |
string |
|
Whois server name. |
| name_server |
string |
repeated |
Repeated list of name servers. |
| creation_time |
google.protobuf.Timestamp |
|
Domain creation time. |
| update_time |
google.protobuf.Timestamp |
|
Last updated time. |
| expiration_time |
google.protobuf.Timestamp |
|
Expiration time. |
| audit_update_time |
google.protobuf.Timestamp |
|
Audit updated time. |
| status |
string |
|
Domain status. See
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
for meanings of possible values |
| registrant |
User |
|
Parsed contact information for the registrant of the domain. |
| admin |
User |
|
Parsed contact information for the administrative contact for the domain. |
| tech |
User |
|
Parsed contact information for the technical contact for the domain |
| billing |
User |
|
Parsed contact information for the billing contact of the domain. |
| zone |
User |
|
Parsed contact information for the zone. |
| whois_record_raw_text |
bytes |
|
WHOIS raw text. |
| registry_data_raw_text |
bytes |
|
Registry Data raw text. |
| iana_registrar_id |
int32 |
|
IANA Registrar ID. See
https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml |
| private_registration |
bool |
|
Indicates whether the domain appears to be using a private registration
service to mask the owner's contact information. |
| categories |
string |
repeated |
Categories assign to the domain as retrieved from VirusTotal. |
| favicon |
Favicon |
|
Includes difference hash and MD5 hash of the domain's favicon. |
| jarm |
string |
|
Domain's JARM hash. |
| last_dns_records |
DNSRecord |
repeated |
Domain's DNS records from the last scan. |
| last_dns_records_time |
google.protobuf.Timestamp |
|
Date when the DNS records list was retrieved by VirusTotal. |
| last_https_certificate |
SSLCertificate |
|
SSL certificate object retrieved last time the domain was analyzed. |
| last_https_certificate_time |
google.protobuf.Timestamp |
|
When the certificate was retrieved by VirusTotal. |
| popularity_ranks |
PopularityRank |
repeated |
Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo,
etc |
| tags |
string |
repeated |
List of representative attributes. |
| whois_time |
google.protobuf.Timestamp |
|
Date of the last update of the WHOIS record. |
Email
Email info.
Favicon
Difference hash and MD5 hash of the domain's favicon.
| Field Name |
Type |
Label |
Description |
| raw_md5 |
string |
|
Favicon's MD5 hash. |
| dhash |
string |
|
Difference hash. |
File
Information about a file.
| Field Name |
Type |
Label |
Description |
| sha256 |
string |
|
The SHA256 hash of the file, as a hex-encoded string. |
| md5 |
string |
|
The MD5 hash of the file, as a hex-encoded string. |
| sha1 |
string |
|
The SHA1 hash of the file, as a hex-encoded string. |
| size |
uint64 |
|
The size of the file in bytes. |
| full_path |
string |
|
The full path identifying the location of the file on the system. |
| mime_type |
string |
|
The MIME (Multipurpose Internet Mail Extensions) type of the file,
for example "PE", "PDF", or "powershell script". |
| file_metadata |
FileMetadata |
|
Metadata associated with the file.
Deprecate FileMetadata in favor of using fields in File. |
| security_result |
SecurityResult |
|
Google Cloud Threat Intelligence (GCTI) security result for the file
including threat context and detection metadata. |
| pe_file |
FileMetadataPE |
|
Metadata about the Portable Executable (PE) file. |
| ssdeep |
string |
|
Ssdeep of the file |
| vhash |
string |
|
Vhash of the file. |
| ahash |
string |
|
Deprecated. Use authentihash instead. |
| authentihash |
string |
|
Authentihash of the file. |
| file_type |
File.FileType |
|
FileType field. |
| capabilities_tags |
string |
repeated |
Capabilities tags. |
| names |
string |
repeated |
Names fields. |
| tags |
string |
repeated |
Tags for the file. |
| last_modification_time |
google.protobuf.Timestamp |
|
Timestamp when the file was last updated. |
| prevalence |
Prevalence |
|
Prevalence of the file hash in the customer's environment. |
| first_seen_time |
google.protobuf.Timestamp |
|
Timestamp the file was first seen in the customer's environment. |
| last_seen_time |
google.protobuf.Timestamp |
|
Timestamp the file was last seen in the customer's environment. |
| stat_mode |
uint64 |
|
The mode of the file. A bit string indicating the permissions and
privileges of the file. |
| stat_inode |
uint64 |
|
The file identifier. Unique identifier of object within a file system. |
| stat_dev |
uint64 |
|
The file system identifier to which the object belongs. |
| stat_nlink |
uint64 |
|
Number of links to file. |
| stat_flags |
uint32 |
|
User defined flags for file. |
| last_analysis_time |
google.protobuf.Timestamp |
|
Timestamp the file was last analysed. |
| embedded_urls |
string |
repeated |
Embedded URLs found in the file. |
| embedded_domains |
string |
repeated |
Embedded domains found in the file. |
| embedded_ips |
string |
repeated |
Embedded IP addresses found in the file. |
| exif_info |
ExifInfo |
|
Exif metadata from different file formats extracted by exiftool. |
| signature_info |
SignatureInfo |
|
File signature information extracted from different tools. |
| pdf_info |
PDFInfo |
|
Information about the PDF file structure. |
| first_submission_time |
google.protobuf.Timestamp |
|
First submission time of the file. |
| last_submission_time |
google.protobuf.Timestamp |
|
Last submission time of the file. |
| main_icon |
Favicon |
|
Icon's relevant hashes. |
File metadata from the codesign utility.
Metadata about the Portable Executable (PE) file.
| Field Name |
Type |
Label |
Description |
| imphash |
string |
|
Imphash of the file. |
| entry_point |
int64 |
|
info.pe-entry-point. |
| entry_point_exiftool |
int64 |
|
info.exiftool.EntryPoint. |
| compilation_time |
google.protobuf.Timestamp |
|
info.pe-timestamp. |
| compilation_exiftool_time |
google.protobuf.Timestamp |
|
info.exiftool.TimeStamp. |
| section |
FileMetadataSection |
repeated |
FilemetadataSection fields. |
| imports |
FileMetadataImports |
repeated |
FilemetadataImports fields. |
| resource |
FileMetadataPeResourceInfo |
repeated |
FilemetadataPeResourceInfo fields. |
| resources_type_count |
StringToInt64MapEntry |
repeated |
Deprecated: use resources_type_count_str. |
| resources_language_count |
StringToInt64MapEntry |
repeated |
Deprecated: use resources_language_count_str. |
| resources_type_count_str |
Label |
repeated |
Number of resources by resource type.
Example: RT_ICON: 10, RT_DIALOG: 5 |
| resources_language_count_str |
Label |
repeated |
Number of resources by language.
Example: NEUTRAL: 20, ENGLISH US: 10 |
| signature_info |
FileMetadataSignatureInfo |
|
FilemetadataSignatureInfo field.
deprecated, user File.signature_info instead. |
Signature information.
| Field Name |
Type |
Label |
Description |
| verification_message |
string |
|
Status of the certificate.
Valid values are "Signed", "Unsigned" or a description of the certificate
anomaly, if found. |
| verified |
bool |
|
True if verification_message == "Signed" |
| signer |
string |
repeated |
Deprecated: use signers field. |
| signers |
SignerInfo |
repeated |
File metadata signer information.
The order of the signers matters. Each element is a higher level
authority, being the last the root authority. |
| x509 |
X509 |
repeated |
List of certificates. |
Ftp
FTP info.
| Field Name |
Type |
Label |
Description |
| command |
string |
|
The FTP command. |
Group
Information about an organizational group.
| Field Name |
Type |
Label |
Description |
| product_object_id |
string |
|
Product globally unique user object identifier, such as an LDAP Object
Identifier. |
| creation_time |
google.protobuf.Timestamp |
|
Group creation time.
Deprecated: creation_time should be populated in Attribute as generic
metadata. |
| group_display_name |
string |
|
Group display name. e.g. "Finance". |
| attribute |
Attribute |
|
Generic entity metadata attributes of the group. |
| email_addresses |
string |
repeated |
Email addresses of the group. |
| windows_sid |
string |
|
Microsoft Windows SID of the group. |
Hardware
Hardware specification details for a resource, including both physical and
virtual hardware.
| Field Name |
Type |
Label |
Description |
| serial_number |
string |
|
Hardware serial number. |
| manufacturer |
string |
|
Hardware manufacturer. |
| model |
string |
|
Hardware model. |
| cpu_platform |
string |
|
Platform of the hardware CPU (e.g. "Intel Broadwell"). |
| cpu_model |
string |
|
Model description of the hardware CPU
(e.g. "2.8 GHz Quad-Core Intel Core i5"). |
| cpu_clock_speed |
uint64 |
|
Clock speed of the hardware CPU in MHz. |
| cpu_max_clock_speed |
uint64 |
|
Maximum possible clock speed of the hardware CPU in MHz. |
| cpu_number_cores |
uint64 |
|
Number of CPU cores. |
| ram |
uint64 |
|
Amount of the hardware ramdom access memory (RAM) in Mb. |
Http
Specify the full URL of the HTTP request within "target".
Also specify any uploaded or downloaded file information within "source"
or "target".
| Field Name |
Type |
Label |
Description |
| method |
string |
|
The HTTP request method
(e.g. "GET", "POST", "PATCH", "DELETE"). |
| referral_url |
string |
|
The URL for the HTTP referer. |
| user_agent |
string |
|
The User-Agent request header which includes the application type,
operating system, software vendor or software version of the requesting
software user agent. |
| response_code |
int32 |
|
The response status code, for example
200, 302, 404, or 500. |
| parsed_user_agent |
|
|
The parsed user_agent string. |
Investigation
Represents the aggregated state of an investigation such as categorization,
severity, and status. Can be expanded to include analyst assignment details
and more.
| Field Name |
Type |
Label |
Description |
| verdict |
Verdict |
optional |
Describes reason a finding investigation was resolved. |
| reputation |
Reputation |
optional |
Describes whether a finding was useful or not-useful. |
| severity_score |
uint32 |
optional |
Severity score for a finding set by an analyst. |
| status |
Status |
optional |
Describes the workflow status of a finding. |
| comments |
string |
repeated |
Comment added by the Analyst. |
| priority |
Priority |
optional |
Priority of the Alert or Finding set by analyst. |
| root_cause |
string |
optional |
Root cause of the Alert or Finding set by analyst. |
| reason |
Reason |
optional |
Reason for closing the Case or Alert. |
| risk_score |
uint32 |
optional |
Risk score for a finding set by an analyst. |
Label
Key value labels.
| Field Name |
Type |
Label |
Description |
| key |
string |
|
The key. |
| value |
string |
|
The value. |
| rbac_enabled |
bool |
|
Indicates whether this label can be used for Data RBAC |
Location
Information about a location.
| Field Name |
Type |
Label |
Description |
| city |
string |
|
The city. |
| state |
string |
|
The state. |
| country_or_region |
string |
|
The country or region. |
| name |
string |
|
Custom location name (e.g. building or site name like "London Office").
For cloud environments, this is the region (e.g. "us-west2"). |
| desk_name |
string |
|
Desk name or individual location, typically for an employee in an
office.
(e.g. "IN-BLR-BCPC-11-1121D"). |
| floor_name |
string |
|
Floor name, number or a combination of the two for a building.
(e.g. "1-A"). |
| region_latitude |
float |
|
Deprecated: use region_coordinates. |
| region_longitude |
float |
|
Deprecated: use region_coordinates. |
| region_coordinates |
google.type.LatLng |
|
Coordinates for the associated region.
See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng
for a description of the fields. |
PDFInfo
Information about the PDF file structure. See
https://developers.virustotal.com/reference/pdf_info
| Field Name |
Type |
Label |
Description |
| js |
int64 |
|
Number of /JS tags found in the PDF file. Should be the same as
javascript field in normal scenarios. |
| javascript |
int64 |
|
Number of /JavaScript tags found in the PDF file. Should be the same as
the js field in normal scenarios. |
| launch_action_count |
int64 |
|
Number of /Launch tags found in the PDF file. |
| object_stream_count |
int64 |
|
Number of object streams. |
| endobj_count |
int64 |
|
Number of object definitions (endobj keyword). |
| header |
string |
|
PDF version. |
| acroform |
int64 |
|
Number of /AcroForm tags found in the PDF. |
| autoaction |
int64 |
|
Number of /AA tags found in the PDF. |
| embedded_file |
int64 |
|
Number of /EmbeddedFile tags found in the PDF. |
| encrypted |
int64 |
|
Whether the document is encrypted or not. This is defined by the /Encrypt
tag. |
| flash |
int64 |
|
Number of /RichMedia tags found in the PDF. |
| jbig2_compression |
int64 |
|
Number of /JBIG2Decode tags found in the PDF. |
| obj_count |
int64 |
|
Number of objects definitions (obj keyword). |
| endstream_count |
int64 |
|
Number of defined stream objects (stream keyword). |
| page_count |
int64 |
|
Number of pages in the PDF. |
| stream_count |
int64 |
|
Number of defined stream objects (stream keyword). |
| openaction |
int64 |
|
Number of /OpenAction tags found in the PDF. |
| startxref |
int64 |
|
Number of startxref keywords in the PDF. |
| suspicious_colors |
int64 |
|
Number of colors expressed with more than 3 bytes (CVE-2009-3459). |
| trailer |
int64 |
|
Number of trailer keywords in the PDF. |
| xfa |
int64 |
|
Number of \XFA tags found in the PDF. |
| xref |
int64 |
|
Number of xref keywords in the PDF. |
Metadata about a Microsoft Windows Portable Executable.
| Field Name |
Type |
Label |
Description |
| import_hash |
string |
|
Hash of PE imports. |
Permission
System permission for resource access and modification.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
Name of the permission (e.g. chronicle.analyst.updateRule). |
| description |
string |
|
Description of the permission (e.g. 'Ability to update detect rules'). |
| type |
Permission.PermissionType |
|
Type of the permission. |
Platform software information about an operating system.
| Field Name |
Type |
Label |
Description |
| platform |
Noun.Platform |
|
The platform operating system. |
| platform_version |
string |
|
The platform software version (
e.g. "Microsoft Windows 1803"). |
| platform_patch_level |
string |
|
The platform software patch level (
e.g. "Build 17134.48", "SP1"). |
PopularityRank
Domain's position in popularity ranks for sources such as Alexa, Quantcast,
or Statvoo.
| Field Name |
Type |
Label |
Description |
| giver |
string |
|
Name of the rank serial number hexdump. |
| rank |
int64 |
|
Rank position. |
| ingestion_time |
google.protobuf.Timestamp |
|
Timestamp when the rank was ingested. |
Prevalence
The prevalence of a resource within the customer's environment.
This measures how common it is for assets to access the resource.
| Field Name |
Type |
Label |
Description |
| rolling_max |
int32 |
|
The maximum number of assets per day accessing the resource over the
trailing day_count days. |
| day_count |
int32 |
|
The number of days over which rolling_max is calculated. |
| rolling_max_sub_domains |
int32 |
|
The maximum number of assets per day accessing the domain along with
sub-domains over the trailing day_count days. This field is only valid for
domains. |
| day_max |
int32 |
|
The max prevalence score in a day interval window. |
| day_max_sub_domains |
int32 |
|
The max prevalence score in a day interval window across sub-domains. This
field is only valid for domains. |
Process
Information about a process.
| Field Name |
Type |
Label |
Description |
| pid |
string |
|
The process ID. |
| parent_pid |
string |
|
The ID of the parent process.
Deprecated: use parent_process.pid instead. |
| parent_process |
Process |
|
Information about the parent process. |
| file |
File |
|
Information about the file in use by the process. |
| command_line |
string |
|
The command line command that created the process. |
| command_line_history |
string |
repeated |
The command line history of the process. |
| product_specific_process_id |
string |
|
A product specific process id. |
| access_mask |
uint64 |
|
A bit mask representing the level of access. |
| integrity_level_rid |
uint64 |
|
The Microsoft Windows integrity level relative ID (RID) of the process. |
| token_elevation_type |
Process.TokenElevationType |
|
The elevation type of the process on Microsoft Windows. This determines if
any privileges are removed when UAC is enabled. |
| product_specific_parent_process_id |
string |
|
A product specific id for the parent process.
Please use parent_process.product_specific_process_id instead. |
Registry
Information about a registry key or value.
| Field Name |
Type |
Label |
Description |
| registry_key |
string |
|
Registry key associated with an application or system component
(e.g., HKEY_, HKCU\Environment...). |
| registry_value_name |
string |
|
Name of the registry value associated with an application or system
component (e.g. TEMP). |
| registry_value_data |
string |
|
Data associated with a registry value
(e.g. %USERPROFILE%\Local Settings\Temp). |
Resource
Information about a resource such as a task, Cloud Storage
bucket, database, disk, logical policy, or something similar.
| Field Name |
Type |
Label |
Description |
| type |
string |
|
Deprecated: use resource_type instead. |
| resource_type |
Resource.ResourceType |
|
Resource type. |
| resource_subtype |
string |
|
Resource sub-type (e.g. "BigQuery", "Bigtable"). |
| id |
string |
|
Deprecated: Use resource.name or resource.product_object_id. |
| name |
string |
|
The full name of the resource. For example,
Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123,
and AWS: arn:aws:iam::123456789012:user/johndoe. |
| parent |
string |
|
The parent of the resource.
For a database table, the parent is the database. For a storage object,
the bucket name. Deprecated: use resource_ancestors.name. |
| product_object_id |
string |
|
A vendor-specific identifier to uniquely identify the entity (a GUID,
OID, or similar) |
| attribute |
Attribute |
|
Generic entity metadata attributes of the resource. |
Role
System role for resource access and modification.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
System role name for user. |
| description |
string |
|
System role description for user. |
| type |
Role.Type |
|
System role type for well known roles. |
SSLCertificate
SSL certificate.
SSLCertificate.AuthorityKeyId
Identifies the public key to be used to verify the signature on this
certificate or CRL.
| Field Name |
Type |
Label |
Description |
| keyid |
string |
|
Key hexdump. |
| serial_number |
string |
|
Serial number hexdump. |
SSLCertificate.CertSignature
Certificate's signature and algorithm.
| Field Name |
Type |
Label |
Description |
| signature |
string |
|
Signature. |
| signature_algorithm |
string |
|
Algorithm. |
SSLCertificate.DSA
DSA public key information.
| Field Name |
Type |
Label |
Description |
| p |
string |
|
p component hexdump. |
| q |
string |
|
q component hexdump. |
| g |
string |
|
g component hexdump. |
| pub |
string |
|
Public key hexdump. |
SSLCertificate.EC
EC public key information.
| Field Name |
Type |
Label |
Description |
| oid |
string |
|
Curve name. |
| pub |
string |
|
Public key hexdump. |
SSLCertificate.Extension
Certificate's extensions.
| Field Name |
Type |
Label |
Description |
| ca |
bool |
|
Whether the subject acts as a certificate authority (CA) or not. |
| subject_key_id |
string |
|
Identifies the public key being certified. |
| authority_key_id |
SSLCertificate.AuthorityKeyId |
|
Identifies the public key to be used to verify the signature on this
certificate or CRL. |
| key_usage |
string |
|
The purpose for which the certified public key is used. |
| ca_info_access |
string |
|
Authority information access locations are URLs that are added to a
certificate in its authority information access extension. |
| crl_distribution_points |
string |
|
CRL distribution points to which a certificate user should refer to
ascertain if the certificate has been revoked. |
| extended_key_usage |
string |
|
One or more purposes for which the certified public key may be used, in
addition to or in place of the basic purposes indicated in the key usage
extension field. |
| subject_alternative_name |
string |
|
Contains one or more alternative names, using any of a variety of name
forms, for the entity that is bound by the CA to the certified public
key. |
| certificate_policies |
string |
|
Different certificate policies will relate to different applications
which may use the certified key. |
| netscape_cert_comment |
string |
|
Used to include free-form text comments inside certificates. |
| cert_template_name_dc |
string |
|
BMP data value "DomainController". See MS Q291010. |
| netscape_certificate |
bool |
|
Identify whether the certificate subject is an SSL client, an SSL server,
or a CA. |
| pe_logotype |
bool |
|
Whether the certificate includes a logotype. |
| old_authority_key_id |
bool |
|
Whether the certificate has an old authority key identifier extension. |
SSLCertificate.PublicKey
Subject public key info.
| Field Name |
Type |
Label |
Description |
| algorithm |
string |
|
Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the
certificate. |
| rsa |
SSLCertificate.RSA |
|
RSA public key information. |
SSLCertificate.RSA
RSA public key information.
| Field Name |
Type |
Label |
Description |
| key_size |
int64 |
|
Key size. |
| modulus |
string |
|
Key modulus hexdump. |
| exponent |
string |
|
Key exponent hexdump. |
SSLCertificate.Subject
Subject data.
| Field Name |
Type |
Label |
Description |
| country_name |
string |
|
C: Country name. |
| common_name |
string |
|
CN: CommonName. |
| locality |
string |
|
L: Locality. |
| organization |
string |
|
O: Organization. |
| organizational_unit |
string |
|
OU: OrganizationalUnit. |
| state_or_province_name |
string |
|
ST: StateOrProvinceName. |
SSLCertificate.Validity
Defines certificate's validity period.
SecurityResult.AnalystVerdict
Verdict provided by the human analyst. These fields are used to model
Mandiant sources.
SecurityResult.Association
Associations represents different metadata about malware and threat actors
involved with an IoC.
| Field Name |
Type |
Label |
Description |
| id |
string |
|
Unique association id generated by mandiant. |
| country_code |
string |
repeated |
Country from which the threat actor/ malware is originated. |
| type |
SecurityResult.Association.AssociationType |
|
Signifies the type of association. |
| name |
string |
|
Name of the threat actor/malware. |
| description |
string |
|
Human readable description about the association. |
| role |
string |
|
Role of the malware. Not applicable for threat actor. |
| source_country |
string |
|
Name of the country the threat originated from. |
| alias |
SecurityResult.Association.AssociationAlias |
repeated |
Different aliases of the threat actor given by different sources. |
| first_reference_time |
google.protobuf.Timestamp |
|
First time the threat actor was referenced or seen. |
| last_reference_time |
google.protobuf.Timestamp |
|
Last time the threat actor was referenced or seen. |
| industries_affected |
string |
repeated |
List of industries the threat actor affects. |
| associated_actors |
SecurityResult.Association |
repeated |
List of associated threat actors for a malware. Not applicable for threat
actors. |
| region_code |
Location |
|
Name of the country, the threat is originating from. |
| sponsor_region |
Location |
|
Sponsor region of the threat actor. |
| targeted_regions |
Location |
repeated |
Targeted regions. |
| tags |
string |
repeated |
Tags. |
SecurityResult.Association.AssociationAlias
Association Alias used to represent Mandiant Threat Intelligence.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
Name of the alias. |
| company |
string |
|
Name of the provider who gave the association's name. |
SecurityResult.IoCStats
Information about the threat intelligence source. These fields are used to
model Mandiant sources.
| Field Name |
Type |
Label |
Description |
| ioc_stats_type |
SecurityResult.IoCStatsType |
|
Describes the source of the IoCStat. |
| first_level_source |
string |
|
Name of first level IoC source, for example Mandiant or a third-party. |
| second_level_source |
string |
|
Name of the second-level IoC source, for example Crowdsourced Threat
Analysis or Knowledge Graph. |
| benign_count |
int32 |
|
Count of responses where the IoC was identified as benign. |
| quality |
SecurityResult.ProductConfidence |
|
Level of confidence in the IoC mapping extracted from the source. |
| malicious_count |
int32 |
|
Count of responses where the IoC was identified as malicious. |
| response_count |
int32 |
|
Total number of response from the source. |
| source_count |
int32 |
|
Number of sources from which information was extracted. |
SecurityResult.ProviderMLVerdict
MLVerdict result provided from threat providers, like Mandiant. These
fields are used to model Mandiant sources.
| Field Name |
Type |
Label |
Description |
| source_provider |
string |
|
Source provider giving the ML verdict. |
| benign_count |
int32 |
|
Count of responses where this IoC was marked benign. |
| malicious_count |
int32 |
|
Count of responses where this IoC was marked malicious. |
| confidence_score |
int32 |
|
Confidence score of the verdict. |
| mandiant_sources |
SecurityResult.Source |
repeated |
List of mandiant sources from which the verdict was generated. |
| third_party_sources |
SecurityResult.Source |
repeated |
List of third-party sources from which the verdict was generated. |
SecurityResult.Source
Information about the threat intelligence source. These fields are used to
model Mandiant sources.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
Name of the IoC source. |
| benign_count |
int32 |
|
Count of responses where this IoC was marked benign. |
| malicious_count |
int32 |
|
Count of responses where this IoC was marked malicious. |
| quality |
SecurityResult.ProductConfidence |
|
Quality of the IoC mapping extracted from the source. |
| response_count |
int32 |
|
Total response count from this source. |
| source_count |
int32 |
|
Number of sources from which intelligence was extracted. |
| threat_intelligence_sources |
SecurityResult.Source |
repeated |
Different threat intelligence sources from which IoC info was extracted. |
SecurityResult.Verdict
Encapsulates the threat verdict provided by human analysts and ML models.
These fields are used to model Mandiant sources.
| Field Name |
Type |
Label |
Description |
| source_count |
int32 |
|
Number of sources from which intelligence was extracted. |
| response_count |
int32 |
|
Total response count across all sources. |
| neighbour_influence |
string |
|
Describes the neighbour influence of the verdict. |
| verdict |
SecurityResult.ProviderMLVerdict |
|
ML Verdict provided by sources like Mandiant. |
| analyst_verdict |
SecurityResult.AnalystVerdict |
|
Human analyst verdict provided by sources like Mandiant. |
SecurityResult.VerdictInfo
Describes the threat verdict provided by human analysts and machine
learning models. These fields are used to model Mandiant sources.
| Field Name |
Type |
Label |
Description |
| source_count |
int32 |
|
Number of sources from which intelligence was extracted. |
| response_count |
int32 |
|
Total response count across all sources. |
| neighbour_influence |
string |
|
Describes the near neighbor influence of the verdict. |
| verdict_type |
SecurityResult.VerdictType |
|
Type of verdict. |
| source_provider |
string |
|
Source provider giving the machine learning verdict. |
| benign_count |
int32 |
|
Count of responses where this IoC was marked as benign. |
| malicious_count |
int32 |
|
Count of responses where this IoC was marked as malicious. |
| confidence_score |
int32 |
|
Confidence score of the verdict. |
| ioc_stats |
SecurityResult.IoCStats |
repeated |
List of IoCStats from which the verdict was generated. |
| verdict_time |
google.protobuf.Timestamp |
|
Timestamp when the verdict was generated. |
| verdict_response |
SecurityResult.VerdictResponse |
|
Details about the verdict. |
| global_customer_count |
int32 |
|
Global customer count over the last 30 days |
| global_hits_count |
int32 |
|
Global hit count over the last 30 days. |
| pwn |
bool |
|
Whether one or more Mandiant incident response customers had this
indicator in their environment. |
| category_details |
string |
|
Tags related to the verdict. |
| pwn_first_tagged_time |
google.protobuf.Timestamp |
|
The timestamp of the first time a pwn was associated to this entity. |
SignatureInfo
File signature information extracted from different tools.
SignerInfo
File metadata related to the signer information.
| Field Name |
Type |
Label |
Description |
| name |
string |
optional |
Common name of the signers/certificate.
The order of the signers matters. Each element is a higher level
authority, the last being the root authority. |
| status |
string |
optional |
It can say "Valid" or state the problem with the certificate if any (e.g.
"This certificate or one of the certificates in the certificate chain is
not time valid."). |
| valid_usage |
string |
optional |
Indicates which situations the certificate is valid for (e.g. "Code
Signing"). |
| cert_issuer |
string |
optional |
Company that issued the certificate. |
Smtp
SMTP info. See RFC 2821.
| Field Name |
Type |
Label |
Description |
| helo |
string |
|
The client's 'HELO'/'EHLO' string. |
| mail_from |
string |
|
The client's 'MAIL FROM' string. |
| rcpt_to |
string |
repeated |
The client's 'RCPT TO' string(s). |
| server_response |
string |
repeated |
The server's response(s) to the client. |
| message_path |
string |
|
The message's path (extracted from the headers). |
| is_webmail |
bool |
|
If the message was sent via a webmail client. |
| is_tls |
bool |
|
If the connection switched to TLS. |
Software
Information about a software package or application.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
The name of the software. |
| version |
string |
|
The version of the software. |
| permissions |
Permission |
repeated |
System permissions granted to the software.
For example, "android.permission.WRITE_EXTERNAL_STORAGE" |
| description |
string |
|
The description of the software. |
| vendor_name |
string |
|
The name of the software vendor. |
Tags are event metadata which is set by examining event contents
post-parsing. For example, a UDM event may be assigned a tenant_id based on
certain customer-defined parameters.
| Field Name |
Type |
Label |
Description |
| tenant_id |
bytes |
repeated |
A list of subtenant ids that this event belongs to. |
| data_tap_config_name |
string |
repeated |
A list of sink name values defined in DataTap configurations. |
TimeOff
System record for leave/time-off from a Human Capital Management (HCM)
system.
| Field Name |
Type |
Label |
Description |
| interval |
google.type.Interval |
|
Interval duration of the leave. |
| description |
string |
|
Description of the leave if available (e.g. 'Vacation'). |
Tls
Transport Layer Security (TLS) information.
| Field Name |
Type |
Label |
Description |
| client |
Tls.Client |
|
Certificate information for the client certificate. |
| server |
Tls.Server |
|
Certificate information for the server certificate. |
| cipher |
string |
|
Cipher used during the connection. |
| curve |
string |
|
Elliptical curve used for a given cipher. |
| version |
string |
|
TLS version. |
| version_protocol |
string |
|
Protocol. |
| established |
bool |
|
Indicates whether the TLS negotiation was successful. |
| next_protocol |
string |
|
Protocol to be used for tunnel. |
| resumed |
bool |
|
Indicates whether the TLS connection was resumed from a previous
TLS negotiation. |
Tls.Client
Transport Layer Security (TLS) information associated with the client
(for example, Certificate or JA3 hash).
| Field Name |
Type |
Label |
Description |
| certificate |
Certificate |
|
Client certificate. |
| ja3 |
string |
|
JA3 hash from the TLS ClientHello, as a hex-encoded string. |
| server_name |
string |
|
Host name of the server, that the client is connecting to. |
| supported_ciphers |
string |
repeated |
Ciphers supported by the client during client hello. |
Tls.Server
Transport Layer Security (TLS) information associated with the server
(for example, Certificate or JA3 hash).
| Field Name |
Type |
Label |
Description |
| certificate |
Certificate |
|
Server certificate. |
| ja3s |
string |
|
JA3 hash from the TLS ServerHello, as a hex-encoded string. |
Tracker
URL Tracker.
URL
URL.
| Field Name |
Type |
Label |
Description |
| URL |
string |
|
URL. |
| categories |
string |
repeated |
Categorisation done by VirusTotal partners. |
| favicon |
Favicon |
|
Difference hash and MD5 hash of the URL's. |
| html_meta |
google.protobuf.Struct |
|
Meta tags (only for URLs downloading HTML). |
| last_final_url |
string |
|
If the original URL redirects, where does it end. |
| last_http_response_code |
int32 |
|
HTTP response code of the last response. |
| last_http_response_content_length |
int64 |
|
Length in bytes of the content received. |
| last_http_response_content_sha256 |
string |
|
URL response body's SHA256 hash. |
| last_http_response_cookies |
google.protobuf.Struct |
|
Website's cookies. |
| last_http_response_headers |
google.protobuf.Struct |
|
Headers and values of the last HTTP response. |
| tags |
string |
repeated |
Tags. |
| title |
string |
|
Webpage title. |
| trackers |
Tracker |
repeated |
Trackers found in the URL in a historical manner. |
User
Information about a user.
| Field Name |
Type |
Label |
Description |
| product_object_id |
string |
|
A vendor-specific identifier to uniquely identify the entity (e.g. a GUID,
LDAP, OID, or similar). |
| userid |
string |
|
The ID of the user. |
| user_display_name |
string |
|
The display name of the user
(e.g. "John Locke"). |
| first_name |
string |
|
First name of the user (e.g. "John"). |
| middle_name |
string |
|
Middle name of the user. |
| last_name |
string |
|
Last name of the user (e.g. "Locke"). |
| phone_numbers |
string |
repeated |
Phone numbers for the user. |
| personal_address |
Location |
|
Personal address of the user. |
| attribute |
Attribute |
|
Generic entity metadata attributes of the user. |
| first_seen_time |
google.protobuf.Timestamp |
|
The first observed time for a user.
The value is calculated on the basis of the
first time the identifier was observed. |
| account_type |
User.AccountType |
|
Type of user account (for example, service, domain, or cloud). This is
somewhat aligned to: https://attack.mitre.org/techniques/T1078/ |
| groupid |
string |
|
The ID of the group that the user belongs to.
Deprecated in favor of the repeated group_identifiers field. |
| group_identifiers |
string |
repeated |
Product object identifiers of the group(s) the user belongs to
A vendor-specific identifier to uniquely identify the group(s) the user
belongs to (a GUID, LDAP OID, or similar). |
| windows_sid |
string |
|
The Microsoft Windows SID of the user. |
| email_addresses |
string |
repeated |
Email addresses of the user. |
| employee_id |
string |
|
Human capital management identifier. |
| title |
string |
|
User job title. |
| company_name |
string |
|
User job company name. |
| department |
string |
repeated |
User job department |
| office_address |
Location |
|
User job office location. |
| managers |
User |
repeated |
User job manager(s). |
| hire_date |
google.protobuf.Timestamp |
|
User job employment hire date. |
| termination_date |
google.protobuf.Timestamp |
|
User job employment termination date. |
| time_off |
TimeOff |
repeated |
User time off leaves from active work. |
| last_login_time |
google.protobuf.Timestamp |
|
User last login timestamp. |
| last_password_change_time |
google.protobuf.Timestamp |
|
User last password change timestamp. |
| password_expiration_time |
google.protobuf.Timestamp |
|
User password expiration timestamp. |
| account_expiration_time |
google.protobuf.Timestamp |
|
User account expiration timestamp. |
| account_lockout_time |
google.protobuf.Timestamp |
|
User account lockout timestamp. |
| last_bad_password_attempt_time |
google.protobuf.Timestamp |
|
User last bad password attempt timestamp. |
| user_authentication_status |
Authentication.AuthenticationStatus |
|
System authentication status for user. |
| role_name |
string |
|
System role name for user.
Deprecated: use attribute.roles. |
| role_description |
string |
|
System role description for user.
Deprecated: use attribute.roles. |
| user_role |
User.Role |
|
System role for user.
Deprecated: use attribute.roles. |
Vulnerabilities
The Vulnerabilities extension captures details on observed/detected
vulnerabilities.
| Field Name |
Type |
Label |
Description |
| vulnerabilities |
Vulnerability |
repeated |
A list of vulnerabilities. |
Vulnerability
A vulnerability.
X509
File certificate.
| Field Name |
Type |
Label |
Description |
| name |
string |
|
Certificate name. |
| algorithm |
string |
|
Certificate algorithm. |
| thumbprint |
string |
|
Certificate thumbprint. |
| cert_issuer |
string |
|
Issuer of the certificate. |
| serial_number |
string |
|
Certificate serial number. |
Event enumerated types
Asset.AssetType
The role type of the asset.
| Enum Value |
Enum Number |
Description |
| ROLE_UNSPECIFIED |
0 |
Unspecified asset role. |
| WORKSTATION |
1 |
A workstation or desktop. |
| LAPTOP |
2 |
A laptop computer. |
| IOT |
3 |
An IOT asset. |
| NETWORK_ATTACHED_STORAGE |
4 |
A network attached storage device. |
| PRINTER |
5 |
A printer. |
| SCANNER |
6 |
A scanner. |
| SERVER |
7 |
A server. |
| TAPE_LIBRARY |
8 |
A tape library device. |
| MOBILE |
9 |
A mobile device such as a mobile phone or PDA. |
Asset.DeploymentStatus
Deployment status states.
| Enum Value |
Enum Number |
Description |
| DEPLOYMENT_STATUS_UNSPECIFIED |
0 |
Unspecified deployment status. |
| ACTIVE |
1 |
Asset is active, functional and deployed. |
| PENDING_DECOMMISSION |
2 |
Asset is pending decommission and no longer deployed. |
| DECOMMISSIONED |
3 |
Asset is decommissioned. |
Authentication.AuthType
Type of system the authentication event is associated with.
| Enum Value |
Enum Number |
Description |
| AUTHTYPE_UNSPECIFIED |
0 |
The default type. |
| MACHINE |
1 |
A machine authentication. |
| SSO |
2 |
An SSO authentication. |
| VPN |
3 |
A VPN authentication. |
| PHYSICAL |
4 |
A Physical authentication (e.g. "Badge reader"). |
| TACACS |
5 |
A TACACS family protocol for networked systems authentication
(e.g. TACACS, TACACS+). |
Authentication.AuthenticationStatus
Authentication status, can be used to describe the status of authentication
for a user or particular credential.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_AUTHENTICATION_STATUS |
0 |
The default authentication status. |
| ACTIVE |
1 |
The authentication method is in active state. |
| SUSPENDED |
2 |
The authentication method is in suspended/disabled state. |
| NO_ACTIVE_CREDENTIALS |
3 |
The authentication method has no active credentials. |
| DELETED |
4 |
The authentication method has been deleted. |
Authentication.Mechanism
Mechanism(s) used to authenticate.
| Enum Value |
Enum Number |
Description |
| MECHANISM_UNSPECIFIED |
0 |
The default mechanism. |
| USERNAME_PASSWORD |
1 |
Username + password authentication. |
| OTP |
2 |
OTP authentication. |
| HARDWARE_KEY |
3 |
Hardware key authentication. |
| LOCAL |
4 |
Local authentication. |
| REMOTE |
5 |
Remote authentication. |
| REMOTE_INTERACTIVE |
6 |
RDP, Terminal Services, or VNC. |
| MECHANISM_OTHER |
7 |
Some other mechanism that is not defined here. |
| BADGE_READER |
8 |
Badge reader authentication |
| NETWORK |
9 |
Network authentication. |
| BATCH |
10 |
Batch authentication. |
| SERVICE |
11 |
Service authentication |
| UNLOCK |
12 |
Direct human-interactive unlock authentication. |
| NETWORK_CLEAR_TEXT |
13 |
Network clear text authentication. |
| NEW_CREDENTIALS |
14 |
Authentication with new credentials. |
| INTERACTIVE |
15 |
Interactive authentication. |
| CACHED_INTERACTIVE |
16 |
Interactive authentication using cached credentials. |
| CACHED_REMOTE_INTERACTIVE |
17 |
Cached Remote Interactive authentication using cached credentials. |
| CACHED_UNLOCK |
18 |
Cached Remote Interactive authentication using cached credentials. |
Cloud.CloudEnvironment
The service provider environment.
| Enum Value |
Enum Number |
Description |
| UNSPECIFIED_CLOUD_ENVIRONMENT |
0 |
Default. |
| GOOGLE_CLOUD_PLATFORM |
1 |
Google Cloud Platform. |
| AMAZON_WEB_SERVICES |
2 |
Amazon Web Services. |
| MICROSOFT_AZURE |
3 |
Microsoft Azure. |
Dhcp.MessageType
DHCP message type. See RFC2131, section 3.1.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_MESSAGE_TYPE |
0 |
Default message type. |
| DISCOVER |
1 |
DHCPDISCOVER. |
| OFFER |
2 |
DHCPOFFER. |
| REQUEST |
3 |
DHCPREQUEST. |
| DECLINE |
4 |
DHCPDECLINE. |
| ACK |
5 |
DHCPACK. |
| NAK |
6 |
DHCPNAK. |
| RELEASE |
7 |
DHCPRELEASE. |
| INFORM |
8 |
DHCPINFORM. |
| WIN_DELETED |
100 |
Microsoft Windows DHCP "lease deleted". |
| WIN_EXPIRED |
101 |
Microsoft Windows DHCP "lease expired". |
Dhcp.OpCode
BOOTP op code. See RFC951, section 3.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_OPCODE |
0 |
Default opcode. |
| BOOTREQUEST |
1 |
Request. |
| BOOTREPLY |
2 |
Reply. |
File.FileType
The file type, for example Microsoft Windows executable.
| Enum Value |
Enum Number |
Description |
| FILE_TYPE_UNSPECIFIED |
0 |
File type is UNSPECIFIED. |
| FILE_TYPE_PE_EXE |
1 |
File type is PE_EXE. |
| FILE_TYPE_PE_DLL |
2 |
Although DLLs are actually portable executables, this value
enables the file type to be identified separately.
File type is PE_DLL. |
| FILE_TYPE_MSI |
3 |
File type is MSI. |
| FILE_TYPE_NE_EXE |
10 |
File type is NE_EXE. |
| FILE_TYPE_NE_DLL |
11 |
File type is NE_DLL. |
| FILE_TYPE_DOS_EXE |
20 |
File type is DOS_EXE. |
| FILE_TYPE_DOS_COM |
21 |
File type is DOS_COM. |
| FILE_TYPE_COFF |
30 |
File type is COFF. |
| FILE_TYPE_ELF |
31 |
File type is ELF. |
| FILE_TYPE_LINUX_KERNEL |
32 |
File type is LINUX_KERNEL. |
| FILE_TYPE_RPM |
33 |
File type is RPM. |
| FILE_TYPE_LINUX |
34 |
File type is LINUX. |
| FILE_TYPE_MACH_O |
35 |
File type is MACH_O. |
| FILE_TYPE_JAVA_BYTECODE |
36 |
File type is JAVA_BYTECODE. |
| FILE_TYPE_DMG |
37 |
File type is DMG. |
| FILE_TYPE_DEB |
38 |
File type is DEB. |
| FILE_TYPE_PKG |
39 |
File type is PKG. |
| FILE_TYPE_PYC |
40 |
File type is PYC. |
| FILE_TYPE_LNK |
50 |
File type is LNK. |
| FILE_TYPE_JPEG |
100 |
File type is JPEG. |
| FILE_TYPE_TIFF |
101 |
File type is TIFF. |
| FILE_TYPE_GIF |
102 |
File type is GIF. |
| FILE_TYPE_PNG |
103 |
File type is PNG. |
| FILE_TYPE_BMP |
104 |
File type is BMP. |
| FILE_TYPE_GIMP |
105 |
File type is GIMP. |
| FILE_TYPE_IN_DESIGN |
106 |
File type is Adobe InDesign. |
| FILE_TYPE_PSD |
107 |
File type is PSD.
Adobe Photoshop. |
| FILE_TYPE_TARGA |
108 |
File type is TARGA. |
| FILE_TYPE_XWD |
109 |
File type is XWD. |
| FILE_TYPE_DIB |
110 |
File type is DIB. |
| FILE_TYPE_JNG |
111 |
File type is JNG. |
| FILE_TYPE_ICO |
112 |
File type is ICO. |
| FILE_TYPE_FPX |
113 |
File type is FPX. |
| FILE_TYPE_EPS |
114 |
File type is EPS. |
| FILE_TYPE_SVG |
115 |
File type is SVG. |
| FILE_TYPE_EMF |
116 |
File type is EMF. |
| FILE_TYPE_WEBP |
117 |
File type is WEBP. |
| FILE_TYPE_DWG |
118 |
File type is DWG. |
| FILE_TYPE_DXF |
119 |
File type is DXF. |
| FILE_TYPE_THREEDS |
120 |
File type is 3DS. |
| FILE_TYPE_OGG |
150 |
File type is OGG. |
| FILE_TYPE_FLC |
151 |
File type is FLC. |
| FILE_TYPE_FLI |
152 |
File type is FLI. |
| FILE_TYPE_MP3 |
153 |
File type is MP3. |
| FILE_TYPE_FLAC |
154 |
File type is FLAC. |
| FILE_TYPE_WAV |
155 |
File type is WAV. |
| FILE_TYPE_MIDI |
156 |
File type is MIDI. |
| FILE_TYPE_AVI |
157 |
File type is AVI. |
| FILE_TYPE_MPEG |
158 |
File type is MPEG. |
| FILE_TYPE_QUICKTIME |
159 |
File type is QUICKTIME. |
| FILE_TYPE_ASF |
160 |
File type is ASF. |
| FILE_TYPE_DIVX |
161 |
File type is DIVX. |
| FILE_TYPE_FLV |
162 |
File type is FLV. |
| FILE_TYPE_WMA |
163 |
File type is WMA. |
| FILE_TYPE_WMV |
164 |
File type is WMV. |
| FILE_TYPE_RM |
165 |
File type is RM.
RealMedia type. |
| FILE_TYPE_MOV |
166 |
File type is MOV. |
| FILE_TYPE_MP4 |
167 |
File type is MP4. |
| FILE_TYPE_T3GP |
168 |
File type is T3GP. |
| FILE_TYPE_WEBM |
169 |
File type is WEBM. |
| FILE_TYPE_MKV |
170 |
File type is MKV. |
| FILE_TYPE_PDF |
200 |
File type is PDF. |
| FILE_TYPE_PS |
201 |
File type is PS. |
| FILE_TYPE_DOC |
202 |
File type is DOC. |
| FILE_TYPE_DOCX |
203 |
File type is DOCX. |
| FILE_TYPE_PPT |
204 |
File type is PPT. |
| FILE_TYPE_PPTX |
205 |
File type is PPTX. |
| FILE_TYPE_PPSX |
209 |
File type is PPSX. |
| FILE_TYPE_XLS |
206 |
File type is XLS. |
| FILE_TYPE_XLSX |
207 |
File type is XLSX. |
| FILE_TYPE_RTF |
208 |
File type is RTF. |
| FILE_TYPE_ODP |
250 |
File type is ODP. |
| FILE_TYPE_ODS |
251 |
File type is ODS. |
| FILE_TYPE_ODT |
252 |
File type is ODT. |
| FILE_TYPE_HWP |
253 |
File type is HWP. |
| FILE_TYPE_GUL |
254 |
File type is GUL. |
| FILE_TYPE_ODF |
255 |
File type is ODF. |
| FILE_TYPE_ODG |
256 |
File type is ODG. |
| FILE_TYPE_ONE_NOTE |
257 |
File type is ONE_NOTE. |
| FILE_TYPE_OOXML |
258 |
File type is OOXML. |
| FILE_TYPE_EBOOK |
260 |
File type is EBOOK. |
| FILE_TYPE_LATEX |
261 |
File type is LATEX. |
| FILE_TYPE_TTF |
262 |
File type is TTF. |
| FILE_TYPE_EOT |
263 |
File type is EOT. |
| FILE_TYPE_WOFF |
264 |
File type is WOFF. |
| FILE_TYPE_CHM |
265 |
File type is CHM. |
| FILE_TYPE_ZIP |
300 |
File type is ZIP. |
| FILE_TYPE_GZIP |
301 |
File type is GZIP. |
| FILE_TYPE_BZIP |
302 |
File type is BZIP. |
| FILE_TYPE_RZIP |
303 |
File type is RZIP. |
| FILE_TYPE_DZIP |
304 |
File type is DZIP. |
| FILE_TYPE_SEVENZIP |
305 |
File type is SEVENZIP. |
| FILE_TYPE_CAB |
306 |
File type is CAB. |
| FILE_TYPE_JAR |
307 |
File type is JAR. |
| FILE_TYPE_RAR |
308 |
File type is RAR. |
| FILE_TYPE_MSCOMPRESS |
309 |
File type is MSCOMPRESS. |
| FILE_TYPE_ACE |
310 |
File type is ACE. |
| FILE_TYPE_ARC |
311 |
File type is ARC. |
| FILE_TYPE_ARJ |
312 |
File type is ARJ. |
| FILE_TYPE_ASD |
313 |
File type is ASD. |
| FILE_TYPE_BLACKHOLE |
314 |
File type is BLACKHOLE. |
| FILE_TYPE_KGB |
315 |
File type is KGB. |
| FILE_TYPE_ZLIB |
316 |
File type is ZLIB. |
| FILE_TYPE_TAR |
317 |
File type is TAR. |
| FILE_TYPE_ZST |
318 |
File type is ZST. |
| FILE_TYPE_LZFSE |
319 |
File type is LZFSE. |
| FILE_TYPE_PYTHON_WHL |
320 |
File type is PYTHON_WHL. |
| FILE_TYPE_PYTHON_PKG |
321 |
File type is PYTHON_PKG. |
| FILE_TYPE_TEXT |
400 |
File type is TEXT. |
| FILE_TYPE_SCRIPT |
401 |
File type is SCRIPT. |
| FILE_TYPE_PHP |
402 |
File type is PHP. |
| FILE_TYPE_PYTHON |
403 |
File type is PYTHON. |
| FILE_TYPE_PERL |
404 |
File type is PERL. |
| FILE_TYPE_RUBY |
405 |
File type is RUBY. |
| FILE_TYPE_C |
406 |
File type is C. |
| FILE_TYPE_CPP |
407 |
File type is CPP. |
| FILE_TYPE_JAVA |
408 |
File type is JAVA. |
| FILE_TYPE_SHELLSCRIPT |
409 |
File type is SHELLSCRIPT. |
| FILE_TYPE_PASCAL |
410 |
File type is PASCAL. |
| FILE_TYPE_AWK |
411 |
File type is AWK. |
| FILE_TYPE_DYALOG |
412 |
File type is DYALOG. |
| FILE_TYPE_FORTRAN |
413 |
File type is FORTRAN. |
| FILE_TYPE_JAVASCRIPT |
414 |
File type is JAVASCRIPT. |
| FILE_TYPE_POWERSHELL |
415 |
File type is POWERSHELL. |
| FILE_TYPE_VBA |
416 |
File type is VBA. |
| FILE_TYPE_M4 |
417 |
File type is M4. |
| FILE_TYPE_OBJETIVEC |
418 |
File type is OBJETIVEC. |
| FILE_TYPE_JMOD |
419 |
File type is JMOD. |
| FILE_TYPE_MAKEFILE |
420 |
File type is MAKEFILE. |
| FILE_TYPE_INI |
421 |
File type is INI. |
| FILE_TYPE_CLJ |
422 |
File type is CLJ. |
| FILE_TYPE_PDB |
425 |
File type is PDB. |
| FILE_TYPE_SQL |
426 |
File type is SQL. |
| FILE_TYPE_NEKO |
427 |
File type is NEKO. |
| FILE_TYPE_WER |
428 |
File type is WER. |
| FILE_TYPE_GOLANG |
429 |
File type is GOLANG. |
| FILE_TYPE_SYMBIAN |
500 |
File type is SYMBIAN. |
| FILE_TYPE_PALMOS |
501 |
File type is PALMOS. |
| FILE_TYPE_WINCE |
502 |
File type is WINCE. |
| FILE_TYPE_ANDROID |
503 |
File type is ANDROID. |
| FILE_TYPE_IPHONE |
504 |
File type is IPHONE. |
| FILE_TYPE_HTML |
600 |
File type is HTML. |
| FILE_TYPE_XML |
601 |
File type is XML. |
| FILE_TYPE_SWF |
602 |
File type is SWF. |
| FILE_TYPE_FLA |
603 |
File type is FLA. |
| FILE_TYPE_COOKIE |
604 |
File type is COOKIE. |
| FILE_TYPE_TORRENT |
605 |
File type is TORRENT. |
| FILE_TYPE_EMAIL_TYPE |
606 |
File type is EMAIL_TYPE. |
| FILE_TYPE_OUTLOOK |
607 |
File type is OUTLOOK. |
| FILE_TYPE_SGML |
608 |
File type is SGML. |
| FILE_TYPE_JSON |
609 |
File type is JSON. |
| FILE_TYPE_CSV |
610 |
File type is CSV. |
| FILE_TYPE_CAP |
700 |
File type is CAP. |
| FILE_TYPE_ISOIMAGE |
800 |
File type is ISOIMAGE. |
| FILE_TYPE_SQUASHFS |
801 |
File type is SQUASHFS. |
| FILE_TYPE_VHD |
802 |
File type is VHD. |
| FILE_TYPE_APPLE |
1000 |
File type is APPLE. |
| FILE_TYPE_MACINTOSH |
1001 |
File type is MACINTOSH. |
| FILE_TYPE_APPLESINGLE |
1002 |
File type is APPLESINGLE. |
| FILE_TYPE_APPLEDOUBLE |
1003 |
File type is APPLEDOUBLE. |
| FILE_TYPE_MACINTOSH_HFS |
1004 |
File type is MACINTOSH_HFS. |
| FILE_TYPE_APPLE_PLIST |
1005 |
File type is APPLE_PLIST. |
| FILE_TYPE_MACINTOSH_LIB |
1006 |
File type is MACINTOSH_LIB. |
| FILE_TYPE_APPLESCRIPT |
1007 |
File type is APPLESCRIPT. |
| FILE_TYPE_APPLESCRIPT_COMPILED |
1008 |
File type is APPLESCRIPT_COMPILED . |
| FILE_TYPE_CRX |
1100 |
File type is CRX. |
| FILE_TYPE_XPI |
1101 |
File type is XPI. |
| FILE_TYPE_ROM |
1200 |
File type is ROM. |
| FILE_TYPE_IPS |
1201 |
File type is IPS. |
| FILE_TYPE_PEM |
1300 |
File type is PEM. |
| FILE_TYPE_PGP |
1301 |
File type is PGP. |
| FILE_TYPE_CRT |
1302 |
File type is CRT. |
An enrichment state.
| Enum Value |
Enum Number |
Description |
| ENRICHMENT_STATE_UNSPECIFIED |
0 |
Unspecified. |
| ENRICHED |
1 |
The event has been enriched by Google Security Operations. |
| UNENRICHED |
2 |
The event has not been enriched by Google Security Operations. |
An event type.
Choose event type not based on the product that generated the event but the
one that logged the event itself. So, for example, an antivirus (AV)
scanning email on a client would generate an SMTP_PROXY event, not an AV
event. A DLP device scanning a web upload would generate an HTTP_PROXY
event and not a DLP or process activity event. Note: In the case of a
HTTP_PROXY event, you might also include process details if this occurred
on an endpoint. That would be optional, but there are a certain set of
required fields and banned fields due to its status as an HTTP_PROXY event.
| Enum Value |
Enum Number |
Description |
| EVENTTYPE_UNSPECIFIED |
0 |
Default event type |
| PROCESS_UNCATEGORIZED |
10000 |
Activity related to a process which does not match any other event types. |
| PROCESS_LAUNCH |
10001 |
Process launch. |
| PROCESS_INJECTION |
10002 |
Process injecting into another process. |
| PROCESS_PRIVILEGE_ESCALATION |
10003 |
Process privilege escalation. |
| PROCESS_TERMINATION |
10004 |
Process termination. |
| PROCESS_OPEN |
10005 |
Process being opened. |
| PROCESS_MODULE_LOAD |
10006 |
Process loading a module. |
| REGISTRY_UNCATEGORIZED |
11000 |
Registry event which does not match any of the other event types. |
| REGISTRY_CREATION |
11001 |
Registry creation. |
| REGISTRY_MODIFICATION |
11002 |
Registry modification. |
| REGISTRY_DELETION |
11003 |
Registry deletion. |
| SETTING_UNCATEGORIZED |
12000 |
Settings-related event which does not match any of the other
event types. |
| SETTING_CREATION |
12001 |
Setting creation. |
| SETTING_MODIFICATION |
12002 |
Setting modification. |
| SETTING_DELETION |
12003 |
Setting deletion. |
| MUTEX_UNCATEGORIZED |
13000 |
Any mutex event other than creation. |
| MUTEX_CREATION |
13001 |
Mutex creation. |
| FILE_UNCATEGORIZED |
14000 |
File event which does not match any of the other event types. |
| FILE_CREATION |
14001 |
File created. |
| FILE_DELETION |
14002 |
File deleted. |
| FILE_MODIFICATION |
14003 |
File modified. |
| FILE_READ |
14004 |
File read. |
| FILE_COPY |
14005 |
File copied.
Used for file copies, for example, to a thumb drive. |
| FILE_OPEN |
14006 |
File opened. |
| FILE_MOVE |
14007 |
File moved or renamed. |
| FILE_SYNC |
14008 |
File synced (for example, Google Drive, Dropbox, backup). |
| USER_UNCATEGORIZED |
15000 |
User activity which does not match any of the other event types. |
| USER_LOGIN |
15001 |
User login. |
| USER_LOGOUT |
15002 |
User logout. |
| USER_CREATION |
15003 |
User creation. |
| USER_CHANGE_PASSWORD |
15004 |
User password change event. |
| USER_CHANGE_PERMISSIONS |
15005 |
Change in user permissions. |
| USER_STATS |
15006 |
Deprecated. Used to update user info for an LDAP dump. |
| USER_BADGE_IN |
15007 |
User physically badging into a location. |
| USER_DELETION |
15008 |
User deletion. |
| USER_RESOURCE_CREATION |
15009 |
User creating a virtual resource.
This is equivalent to RESOURCE_CREATION. |
| USER_RESOURCE_UPDATE_CONTENT |
15010 |
User updating content of a virtual resource.
This is equivalent to RESOURCE_WRITTEN. |
| USER_RESOURCE_UPDATE_PERMISSIONS |
15011 |
User updating permissions of a virtual resource.
This is equivalent to RESOURCE_PERMISSIONS_CHANGE. |
| USER_COMMUNICATION |
15012 |
User initiating communication through a medium (for example, video). |
| USER_RESOURCE_ACCESS |
15013 |
User accessing a virtual resource.
This is equivalent to RESOURCE_READ. |
| USER_RESOURCE_DELETION |
15014 |
User deleting a virtual resource.
This is equivalent to RESOURCE_DELETION. |
| GROUP_UNCATEGORIZED |
23000 |
A group activity that does not fall into one of the other event types. |
| GROUP_CREATION |
23001 |
A group creation. |
| GROUP_DELETION |
23002 |
A group deletion. |
| GROUP_MODIFICATION |
23003 |
A group modification. |
| EMAIL_UNCATEGORIZED |
19000 |
Email messages |
| EMAIL_TRANSACTION |
19001 |
An email transaction. |
| EMAIL_URL_CLICK |
19002 |
Deprecated: use NETWORK_HTTP instead. An email URL click event. |
| NETWORK_UNCATEGORIZED |
16000 |
A network event that does not fit into one of the other event types. |
| NETWORK_FLOW |
16001 |
Aggregated flow stats like netflow. |
| NETWORK_CONNECTION |
16002 |
Network connection details like from a FW. |
| NETWORK_FTP |
16003 |
FTP telemetry. |
| NETWORK_DHCP |
16004 |
DHCP payload. |
| NETWORK_DNS |
16005 |
DNS payload. |
| NETWORK_HTTP |
16006 |
HTTP telemetry. |
| NETWORK_SMTP |
16007 |
SMTP telemetry. |
| STATUS_UNCATEGORIZED |
17000 |
A status message that does not fit into one of the other event types. |
| STATUS_HEARTBEAT |
17001 |
Heartbeat indicating product is alive. |
| STATUS_STARTUP |
17002 |
An agent startup. |
| STATUS_SHUTDOWN |
17003 |
An agent shutdown. |
| STATUS_UPDATE |
17004 |
A software or fingerprint update. |
| SCAN_UNCATEGORIZED |
18000 |
Scan item that does not fit into one of the other event types. |
| SCAN_FILE |
18001 |
A file scan. |
| SCAN_PROCESS_BEHAVIORS |
18002 |
Scan process behaviors.
Please use SCAN_PROCESS instead. |
| SCAN_PROCESS |
18003 |
Scan process. |
| SCAN_HOST |
18004 |
Scan results from scanning an entire host device for threats/sensitive
documents. |
| SCAN_VULN_HOST |
18005 |
Vulnerability scan logs about host vulnerabilities (e.g., out of date
software) and network vulnerabilities (e.g., unprotected service detected
via a network scan). |
| SCAN_VULN_NETWORK |
18006 |
Vulnerability scan logs about network vulnerabilities. |
| SCAN_NETWORK |
18007 |
Scan network for suspicious activity |
| SCHEDULED_TASK_UNCATEGORIZED |
20000 |
Scheduled task event that does not fall into one of the other
event types. |
| SCHEDULED_TASK_CREATION |
20001 |
Scheduled task creation. |
| SCHEDULED_TASK_DELETION |
20002 |
Scheduled task deletion. |
| SCHEDULED_TASK_ENABLE |
20003 |
Scheduled task being enabled. |
| SCHEDULED_TASK_DISABLE |
20004 |
Scheduled task being disabled. |
| SCHEDULED_TASK_MODIFICATION |
20005 |
Scheduled task being modified. |
| SYSTEM_AUDIT_LOG_UNCATEGORIZED |
21000 |
A system audit log event that is not a wipe. |
| SYSTEM_AUDIT_LOG_WIPE |
21001 |
A system audit log wipe. |
| SERVICE_UNSPECIFIED |
22000 |
Service event that does not fit into one of the other event types. |
| SERVICE_CREATION |
22001 |
A service creation. |
| SERVICE_DELETION |
22002 |
A service deletion. |
| SERVICE_START |
22003 |
A service start. |
| SERVICE_STOP |
22004 |
A service stop. |
| SERVICE_MODIFICATION |
22005 |
A service modification. |
| GENERIC_EVENT |
100000 |
Operating system events that are not described by any of the other
event types. Might include uncategorized Microsoft Windows event logs. |
| RESOURCE_CREATION |
1 |
The resource was created/provisioned.
This is equivalent to USER_RESOURCE_CREATION. |
| RESOURCE_DELETION |
2 |
The resource was deleted/deprovisioned.
This is equivalent to USER_RESOURCE_DELETION. |
| RESOURCE_PERMISSIONS_CHANGE |
3 |
The resource had it's permissions or ACLs updated.
This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. |
| RESOURCE_READ |
4 |
The resource was read.
This is equivalent to USER_RESOURCE_ACCESS. |
| RESOURCE_WRITTEN |
5 |
The resource was written to.
This is equivalent to USER_RESOURCE_UPDATE_CONTENT. |
| DEVICE_FIRMWARE_UPDATE |
25000 |
Firmware update. |
| DEVICE_CONFIG_UPDATE |
25001 |
Configuration update. |
| DEVICE_PROGRAM_UPLOAD |
25002 |
A program or application uploaded to a device. |
| DEVICE_PROGRAM_DOWNLOAD |
25003 |
A program or application downloaded to a device. |
| ANALYST_UPDATE_VERDICT |
24000 |
Analyst update about the Verdict (such as true positive, false positive,
or disregard) of a finding. |
| ANALYST_UPDATE_REPUTATION |
24001 |
Analyst update about the Reputation (such as useful or not useful) of a
finding. |
| ANALYST_UPDATE_SEVERITY_SCORE |
24002 |
Analyst update about the Severity score (0-100) of a finding. |
| ANALYST_UPDATE_STATUS |
24007 |
Analyst update about the finding status. |
| ANALYST_ADD_COMMENT |
24008 |
Analyst addition of a comment for a finding. |
| ANALYST_UPDATE_PRIORITY |
24009 |
Analyst update about the priority (such as low, medium, or high) for a
finding. |
| ANALYST_UPDATE_ROOT_CAUSE |
24010 |
Analyst update about the root cause for a finding. |
| ANALYST_UPDATE_REASON |
24011 |
Analyst update about the reason (such as malicious or not malicious) for
a finding. |
| ANALYST_UPDATE_RISK_SCORE |
24012 |
Analyst update about the risk score (0-100) of a finding. |
Network.ApplicationProtocol
A network application protocol.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_APPLICATION_PROTOCOL |
0 |
The default application protocol. |
| AFP |
1 |
Apple Filing Protocol. |
| APPC |
2 |
Advanced Program-to-Program Communication. |
| AMQP |
3 |
Advanced Message Queuing Protocol. |
| ATOM |
4 |
Publishing Protocol. |
| BEEP |
5 |
Block Extensible Exchange Protocol. |
| BITCOIN |
6 |
Crypto currency protocol. |
| BIT_TORRENT |
7 |
Peer-to-peer file sharing. |
| CFDP |
8 |
Coherent File Distribution Protocol. |
| CIP |
67 |
Common Industrial Protocol. |
| COAP |
9 |
Constrained Application Protocol. |
| COTP |
68 |
Connection Oriented Transport Protocol. |
| DCERPC |
66 |
DCE/RPC. |
| DDS |
10 |
Data Distribution Service. |
| DEVICE_NET |
11 |
Automation industry protocol. |
| DHCP |
4000 |
DHCP. |
| DICOM |
69 |
Digital Imaging and Communications in Medicine Protocol. |
| DNP3 |
70 |
Distributed Network Protocol 3 (DNP3) |
| DNS |
3000 |
DNS. |
| E_DONKEY |
12 |
Classic file sharing protocol. |
| ENRP |
13 |
Endpoint Handlespace Redundancy Protocol. |
| FAST_TRACK |
14 |
Filesharing peer-to-peer protocol. |
| FINGER |
15 |
User Information Protocol. |
| FREENET |
16 |
Censorship resistant peer-to-peer network. |
| FTAM |
17 |
File Transfer Access and Management. |
| GOOSE |
71 |
GOOSE Protocol. |
| GOPHER |
18 |
Gopher protocol. |
| GRPC |
77 |
gRPC Remote Procedure Call. |
| HL7 |
19 |
Health Level Seven. |
| H323 |
20 |
Packet-based multimedia communications system. |
| HTTP |
2000 |
HTTP. |
| HTTPS |
2001 |
HTTPS. |
| IEC104 |
72 |
IEC 60870-5-104 (IEC 104) Protocol. |
| IRCP |
21 |
Internet Relay Chat Protocol. |
| KADEMLIA |
22 |
Peer-to-peer hashtables. |
| KRB5 |
65 |
Kerberos 5. |
| LDAP |
23 |
Lightweight Directory Access Protocol. |
| LPD |
24 |
Line Printer Daemon Protocol. |
| MIME |
25 |
Multipurpose Internet Mail Extensions and Secure MIME. |
| MMS |
73 |
Multimedia Messaging Service. |
| MODBUS |
26 |
Serial communications protocol. |
| MQTT |
27 |
Message Queuing Telemetry Transport. |
| NETCONF |
28 |
Network Configuration. |
| NFS |
29 |
Network File System. |
| NIS |
30 |
Network Information Service. |
| NNTP |
31 |
Network News Transfer Protocol. |
| NTCIP |
32 |
National Transportation Communications for Intelligent Transportation
System. |
| NTP |
33 |
Network Time Protocol. |
| OSCAR |
34 |
AOL Instant Messenger Protocol. |
| PNRP |
35 |
Peer Name Resolution Protocol. |
| PTP |
74 |
Precision Time Protocol. |
| QUIC |
1000 |
QUIC. |
| RDP |
36 |
Remote Desktop Protocol. |
| RELP |
37 |
Reliable Event Logging Protocol. |
| RIP |
38 |
Routing Information Protocol. |
| RLOGIN |
39 |
Remote Login in UNIX Systems. |
| RPC |
40 |
Remote Procedure Call. |
| RTMP |
41 |
Real Time Messaging Protocol. |
| RTP |
42 |
Real-time Transport Protocol. |
| RTPS |
43 |
Real Time Publish Subscribe. |
| RTSP |
44 |
Real Time Streaming Protocol. |
| SAP |
45 |
Session Announcement Protocol. |
| SDP |
46 |
Session Description Protocol. |
| SIP |
47 |
Session Initiation Protocol. |
| SLP |
48 |
Service Location Protocol. |
| SMB |
49 |
Server Message Block. |
| SMTP |
50 |
Simple Mail Transfer Protocol. |
| SNMP |
75 |
Simple Network Management Protocol. |
| SNTP |
51 |
Simple Network Time Protocol. |
| SSH |
52 |
Secure Shell. |
| SSMS |
53 |
Secure SMS Messaging Protocol. |
| STYX |
54 |
Styx/9P - Plan 9 from Bell Labs distributed file system protocol. |
| SV |
76 |
Sampled Values Protocol. |
| TCAP |
55 |
Transaction Capabilities Application Part. |
| TDS |
56 |
Tabular Data Stream. |
| TOR |
57 |
Anonymity network. |
| TSP |
58 |
Time Stamp Protocol. |
| VTP |
59 |
Virtual Terminal Protocol. |
| WHOIS |
60 |
Remote Directory Access Protocol. |
| WEB_DAV |
61 |
Web Distributed Authoring and Versioning. |
| X400 |
62 |
Message Handling Service Protocol. |
| X500 |
63 |
Directory Access Protocol (DAP). |
| XMPP |
64 |
Extensible Messaging and Presence Protocol. |
Network.Direction
A network traffic direction.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_DIRECTION |
0 |
The default direction. |
| INBOUND |
1 |
An inbound request. |
| OUTBOUND |
2 |
An outbound request. |
| BROADCAST |
3 |
A broadcast. |
Network.IpProtocol
An IP protocol.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_IP_PROTOCOL |
0 |
The default protocol. |
| ICMP |
1 |
ICMP. |
| IGMP |
2 |
IGMP |
| TCP |
6 |
TCP. |
| UDP |
17 |
UDP. |
| IP6IN4 |
41 |
IPv6 Encapsulation |
| GRE |
47 |
Generic Routing Encapsulation |
| ESP |
50 |
Encapsulating Security Payload |
| ICMP6 |
58 |
ICMPv6 |
| EIGRP |
88 |
Enhanced Interior Gateway Routing |
| ETHERIP |
97 |
Ethernet-within-IP Encapsulation |
| PIM |
103 |
Protocol Independent Multicast |
| VRRP |
112 |
Virtual Router Redundancy Protocol |
| SCTP |
132 |
Stream Control Transmission Protocol |
Operating system platform.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_PLATFORM |
0 |
Default value. |
| WINDOWS |
1 |
Microsoft Windows. |
| MAC |
2 |
macOS. |
| LINUX |
3 |
Linux. |
| Google Cloud |
4 |
Deprecated: see cloud.environment. |
| AWS |
5 |
Deprecated: see cloud.environment. |
| AZURE |
6 |
Deprecated: see cloud.environment. |
| IOS |
7 |
IOS |
| ANDROID |
8 |
Android |
| CHROME_OS |
9 |
Chrome OS |
Permission.PermissionType
High level categorizations of permission type.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_PERMISSION_TYPE |
0 |
Default permission type. |
| ADMIN_WRITE |
1 |
Administrator write permission. |
| ADMIN_READ |
2 |
Administrator read permission. |
| DATA_WRITE |
3 |
Data resource access write permission. |
| DATA_READ |
4 |
Data resource access read permission. |
Priority
Priority that is assigned to a Case or Alert.
| Enum Value |
Enum Number |
Description |
| PRIORITY_UNSPECIFIED |
0 |
Default priority level. |
| PRIORITY_INFO |
100 |
Informational priority. |
| PRIORITY_LOW |
200 |
Low priority. |
| PRIORITY_MEDIUM |
300 |
Medium priority. |
| PRIORITY_HIGH |
400 |
High priority. |
| PRIORITY_CRITICAL |
500 |
Critical priority. |
Process.TokenElevationType
The elevation type of the process's token.
See
https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type
| Enum Value |
Enum Number |
Description |
| UNKNOWN |
0 |
An undetermined token type. |
| TYPE_1 |
1 |
A full token with no privileges removed or groups disabled. |
| TYPE_2 |
2 |
An elevated token with no privileges removed or groups disabled. Used
when running as administrator. |
| TYPE_3 |
3 |
A limited token with administrative privileges removed and
administrative groups disabled. |
Reason
Reason for closing an Alert or Case in the SOAR product.
| Enum Value |
Enum Number |
Description |
| REASON_UNSPECIFIED |
0 |
Default reason. |
| REASON_NOT_MALICIOUS |
1 |
Case or Alert not malicious. |
| REASON_MALICIOUS |
2 |
Case or Alert is malicious. |
| REASON_MAINTENANCE |
3 |
Case or Alert is under maintenance. |
Reputation
Categorization options for the usefulness of a Finding.
| Enum Value |
Enum Number |
Description |
| REPUTATION_UNSPECIFIED |
0 |
An unspecified reputation. |
| USEFUL |
1 |
A categorization of the finding as useful. |
| NOT_USEFUL |
2 |
A categorization of the finding as not useful. |
Resource.ResourceType
| Enum Value |
Enum Number |
Description |
| UNSPECIFIED |
0 |
Default type. |
| MUTEX |
1 |
Mutex. |
| TASK |
2 |
Task. |
| PIPE |
3 |
Named pipe. |
| DEVICE |
4 |
Device. |
| FIREWALL_RULE |
5 |
Firewall rule. |
| MAILBOX_FOLDER |
6 |
Mailbox folder. |
| VPC_NETWORK |
7 |
VPC Network. |
| VIRTUAL_MACHINE |
8 |
Virtual machine. |
| STORAGE_BUCKET |
9 |
Storage bucket. |
| STORAGE_OBJECT |
10 |
Storage object. |
| DATABASE |
11 |
Database. |
| TABLE |
12 |
Data table. |
| CLOUD_PROJECT |
13 |
Cloud project. |
| CLOUD_ORGANIZATION |
14 |
Cloud organization. |
| SERVICE_ACCOUNT |
15 |
Service account. |
| ACCESS_POLICY |
16 |
Access policy. |
| CLUSTER |
17 |
Cluster. |
| SETTING |
18 |
Settings. |
| DATASET |
19 |
Dataset. |
| BACKEND_SERVICE |
20 |
Endpoint that receive traffic from a load balancer or proxy. |
| POD |
21 |
Pod, which is a collection of containers. Often used in Kubernetes. |
| CONTAINER |
22 |
Container. |
| FUNCTION |
23 |
Cloud function. |
| RUNTIME |
24 |
Runtime. |
| IP_ADDRESS |
25 |
IP address. |
| DISK |
26 |
Disk. |
| VOLUME |
27 |
Volume. |
| IMAGE |
28 |
Machine image. |
| SNAPSHOT |
29 |
Snapshot. |
| REPOSITORY |
30 |
Repository. |
| CREDENTIAL |
31 |
Credential, e.g. access keys, ssh keys, tokens, certificates. |
| LOAD_BALANCER |
32 |
Load balancer. |
| GATEWAY |
33 |
Gateway. |
| SUBNET |
34 |
Subnet. |
| USER |
35 |
User |
Role.Type
Well-known system roles.
| Enum Value |
Enum Number |
Description |
| TYPE_UNSPECIFIED |
0 |
Default user role. |
| ADMINISTRATOR |
1 |
Product administrator with elevated privileges. |
| SERVICE_ACCOUNT |
2 |
System service account for automated privilege access. |
SecurityResult.Action
Enum representing different possible actions taken by the product that
created the event.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_ACTION |
0 |
The default action. |
| ALLOW |
1 |
Allowed. |
| BLOCK |
2 |
Blocked. |
| ALLOW_WITH_MODIFICATION |
3 |
Strip, modify something
(e.g. File or email was disinfected or rewritten and still forwarded). |
| QUARANTINE |
4 |
Put somewhere for later analysis (does NOT imply block). |
| FAIL |
5 |
Failed (e.g. the event was allowed but failed). |
| CHALLENGE |
6 |
Challenged (e.g. the user was challenged by a Captcha, 2FA). |
SecurityResult.AlertState
The type of alerting set up for a security result.
| Enum Value |
Enum Number |
Description |
| UNSPECIFIED |
0 |
The security result type is not known. |
| NOT_ALERTING |
1 |
The security result is not an alert. |
| ALERTING |
2 |
The security result is an alert. |
SecurityResult.Association.AssociationType
Represents different possible Association types. Can be threat or
malware. Used to represent Mandiant threat intelligence.
| Enum Value |
Enum Number |
Description |
| ASSOCIATION_TYPE_UNSPECIFIED |
0 |
The default Association Type. |
| THREAT_ACTOR |
1 |
Association type Threat actor. |
| MALWARE |
2 |
Association type Malware. |
SecurityResult.IoCStatsType
Type of IoCStat based on source.
| Enum Value |
Enum Number |
Description |
| UNSPECIFIED_IOC_STATS_TYPE |
0 |
IoCStat source is unidentified. |
| MANDIANT_SOURCES |
1 |
IoCStat is from a Mandiant Source. |
| THIRD_PARTY_SOURCES |
2 |
IoCStat is from a third-party source. |
| THREAT_INTELLIGENCE_IOC_STATS |
3 |
IoCStat is from a threat intelligence feed. |
SecurityResult.ProductConfidence
A level of confidence in the result.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_CONFIDENCE |
0 |
The default confidence level. |
| LOW_CONFIDENCE |
200 |
Low confidence. |
| MEDIUM_CONFIDENCE |
300 |
Medium confidence. |
| HIGH_CONFIDENCE |
400 |
High confidence. |
SecurityResult.ProductPriority
A product priority level.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_PRIORITY |
0 |
Default priority level. |
| LOW_PRIORITY |
200 |
Low priority. |
| MEDIUM_PRIORITY |
300 |
Medium priority. |
| HIGH_PRIORITY |
400 |
High priority. |
SecurityResult.ProductSeverity
Defined by the product
| Enum Value |
Enum Number |
Description |
| UNKNOWN_SEVERITY |
0 |
The default severity level. |
| INFORMATIONAL |
100 |
Info severity. |
| ERROR |
150 |
An error. |
| NONE |
101 |
No malicious result. |
| LOW |
200 |
Low-severity malicious result. |
| MEDIUM |
300 |
Medium-severity malicious result. |
| HIGH |
400 |
High-severity malicious result. |
| CRITICAL |
500 |
Critical-severity malicious result. |
SecurityResult.SecurityCategory
SecurityCategory is used to standardize security categories across products
so one event is not categorized as "malware" and another as a "virus".
| Enum Value |
Enum Number |
Description |
| UNKNOWN_CATEGORY |
0 |
The default category. |
| SOFTWARE_MALICIOUS |
10000 |
Malware, spyware, rootkit. |
| SOFTWARE_SUSPICIOUS |
10100 |
Below the conviction threshold; probably bad. |
| SOFTWARE_PUA |
10200 |
Potentially Unwanted App (such as adware). |
| NETWORK_MALICIOUS |
20000 |
Includes C&C or network exploit. |
| NETWORK_SUSPICIOUS |
20100 |
Suspicious activity, such as potential reverse tunnel. |
| NETWORK_CATEGORIZED_CONTENT |
20200 |
Non-security related: URL has category like gambling or porn. |
| NETWORK_DENIAL_OF_SERVICE |
20300 |
DoS, DDoS. |
| NETWORK_RECON |
20400 |
Port scan detected by an IDS, probing of web app. |
| NETWORK_COMMAND_AND_CONTROL |
20500 |
If we know this is a C&C channel. |
| ACL_VIOLATION |
30000 |
Unauthorized access attempted, including attempted access to files,
web services, processes, web objects, etc. |
| AUTH_VIOLATION |
40000 |
Authentication failed (e.g. bad password or bad 2-factor authentication). |
| EXPLOIT |
50000 |
Exploit: For all manner of exploits including attempted overflows, bad
protocol encodings, ROP, SQL injection, etc. For both network and host-
based exploits. |
| DATA_EXFILTRATION |
60000 |
DLP: Sensitive data transmission, copy to thumb drive. |
| DATA_AT_REST |
60100 |
DLP: Sensitive data found at rest in a scan. |
| DATA_DESTRUCTION |
60200 |
Attempt to destroy/delete data. |
| TOR_EXIT_NODE |
60300 |
TOR Exit Nodes. |
| MAIL_SPAM |
70000 |
Spam email, message, etc. |
| MAIL_PHISHING |
70100 |
Phishing email, chat messages, etc. |
| MAIL_SPOOFING |
70200 |
Spoofed source email address, etc. |
| POLICY_VIOLATION |
80000 |
Security-related policy violation (e.g. firewall/proxy/HIPS rule
violated, NAC block action). |
| SOCIAL_ENGINEERING |
90001 |
Threats which manipulate to break normal security procedures. |
| PHISHING |
90002 |
Phishing pages, pops, https phishing etc. |
SecurityResult.ThreatStatus
Vendor-specific information about the status of a threat (ITW).
| Enum Value |
Enum Number |
Description |
| THREAT_STATUS_UNSPECIFIED |
0 |
Default threat status |
| ACTIVE |
1 |
Active threat. |
| CLEARED |
2 |
Cleared threat. |
| FALSE_POSITIVE |
3 |
False positive. |
SecurityResult.VerdictResponse
Represents different verdict types. Used to represent Mandiant
threat intelligence.
| Enum Value |
Enum Number |
Description |
| VERDICT_RESPONSE_UNSPECIFIED |
0 |
The default verdict response type. |
| MALICIOUS |
1 |
VerdictResponse resulted a threat as malicious. |
| BENIGN |
2 |
VerdictResponse resulted a threat as benign. |
SecurityResult.VerdictType
Category of the verdict.
| Enum Value |
Enum Number |
Description |
| VERDICT_TYPE_UNSPECIFIED |
0 |
Verdict category not specified. |
| PROVIDER_ML_VERDICT |
1 |
MLVerdict result provided from threat providers, like Mandiant. These
fields are used to model Mandiant sources. |
| ANALYST_VERDICT |
2 |
Verdict provided by the human analyst. These fields are used to model
Mandiant sources. |
Status
Describes status of a Finding.
| Enum Value |
Enum Number |
Description |
| STATUS_UNSPECIFIED |
0 |
Unspecified finding status. |
| NEW |
1 |
New finding. |
| REVIEWED |
2 |
When a finding has feedback. |
| CLOSED |
3 |
When an analyst closes an finding. |
| OPEN |
4 |
Open. Used to indicate that a Case / Alert is open. |
ThreatVerdict
GCTI threat verdict levels.
| Enum Value |
Enum Number |
Description |
| THREAT_VERDICT_UNSPECIFIED |
0 |
Unspecified threat verdict level. |
| UNDETECTED |
1 |
Undetected threat verdict level. |
| SUSPICIOUS |
2 |
Suspicious threat verdict level. |
| MALICIOUS |
3 |
Malicious threat verdict level. |
User.AccountType
User Account Type.
| Enum Value |
Enum Number |
Description |
| ACCOUNT_TYPE_UNSPECIFIED |
0 |
Default user account type. |
| DOMAIN_ACCOUNT_TYPE |
1 |
A human account part of some domain in directory services. |
| LOCAL_ACCOUNT_TYPE |
2 |
A local machine account. |
| CLOUD_ACCOUNT_TYPE |
3 |
A SaaS service account type (such as Slack or GitHub). |
| SERVICE_ACCOUNT_TYPE |
4 |
A non-human account for data access. |
| DEFAULT_ACCOUNT_TYPE |
5 |
A system built in default account. |
User.Role
User system roles.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_ROLE |
0 |
Default user role. |
| ADMINISTRATOR |
1 |
Product administrator with elevated privileges. |
| SERVICE_ACCOUNT |
2 |
System service account for automated privilege access.
Deprecated: not a role, instead set User.account_type. |
Verdict
Categorization options for the validity of a Finding (i.e. whether it
reflects an actual security incident).
| Enum Value |
Enum Number |
Description |
| VERDICT_UNSPECIFIED |
0 |
An unspecified verdict. |
| TRUE_POSITIVE |
1 |
A categorization of the finding as a "true positive". |
| FALSE_POSITIVE |
2 |
A categorization of the finding as a "false positive". |
Vulnerability.Severity
Severity of the vulnerability.
| Enum Value |
Enum Number |
Description |
| UNKNOWN_SEVERITY |
0 |
The default severity level. |
| LOW |
1 |
Low severity. |
| MEDIUM |
2 |
Medium severity. |
| HIGH |
3 |
High severity. |
| CRITICAL |
4 |
Critical severity. |
Standard datatypes
Standard datatypes and the equivalent types in other languages.
| Datatype |
Notes |
C++ |
Java |
Python |
Go |
C# |
PHP |
Ruby |
| double |
|
double |
double |
float |
float64 |
double |
float |
Float |
| float |
|
float |
float |
float |
float32 |
float |
float |
Float |
| int32 |
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
| int64 |
Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
| uint32 |
Uses variable-length encoding. |
uint32 |
int |
int/long |
uint32 |
uint |
integer |
Bignum or Fixnum (as required) |
| uint64 |
Uses variable-length encoding. |
uint64 |
long |
int/long |
uint64 |
ulong |
integer/string |
Bignum or Fixnum (as required) |
| sint32 |
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
| sint64 |
Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
| fixed32 |
Always four bytes. More efficient than uint32 if values are often greater than 2^28. |
uint32 |
int |
int |
uint32 |
uint |
integer |
Bignum or Fixnum (as required) |
| fixed64 |
Always eight bytes. More efficient than uint64 if values are often greater than 2^56. |
uint64 |
long |
int/long |
uint64 |
ulong |
integer/string |
Bignum |
| sfixed32 |
Always four bytes. |
int32 |
int |
int |
int32 |
int |
integer |
Bignum or Fixnum (as required) |
| sfixed64 |
Always eight bytes. |
int64 |
long |
int/long |
int64 |
long |
integer/string |
Bignum |
| bool |
|
bool |
boolean |
boolean |
bool |
bool |
boolean |
TrueClass/FalseClass |
| string |
A string must always contain UTF-8 encoded or 7-bit ASCII text. |
string |
String |
str/unicode |
string |
string |
string |
String (UTF-8) |
| bytes |
May contain any arbitrary sequence of bytes. |
string |
ByteString |
str |
[]byte |
ByteString |
string |
String (ASCII-8BIT) |
