Unified Data Model field list


udm

A Unified Data Model event.

Field Type Label Description
metadata metadata Event metadata such as timestamp, source product, etc.
additional google.protobuf.struct Provides a catch-all to allow third-parties to add any additional information they require to an event, in cases where it can't be fit in the above structured protos.
principal noun The principal is an instance of a Noun that holds information about the acting entity/participant of the event: hostname, MAC, IP, port, user, product-specific asset IDs, and active process details that describe the primary device/user/process involved in the event. Principal does NOT include any details on operated-on objects, like files, registry keys, injected processes, created/modified user accounts, etc. For example, if an event is describing a file copy: Process A.exe running as user 'nach' on 1.2.3.4 copies file B on 5.6.7.8 to file C on 9.8.7.6. Then we'd place 1.2.3.4, 'nach' and A.exe in principal.
src noun For all two-operand events (e.g. principal copies file B to file C), the src entry MUST contain details on the src object (file B) and its device. If the device is the same as principal's device, then device details in the src message MUST be empty. For example, if an event is describing a file copy: Process A.exe running as user 'nach' on 1.2.3.4 copies file B on 5.6.7.8 to file C on 9.8.7.6. Then we'd place B and 5.6.7.8 in src.
target noun The target message holds up to two pieces of info: 1. The target device of the event. This includes hostname, MAC, IP, port, product-specific asset IDs. If the event occurs on the same device as the principal then target's device/process info MUST be left empty; user information must also be empty unless the target user is different from the principal's user. For instance, a connection from device A to device B would require us to place B's details in target. 2a For single-operand operations (e.g., open a file f, delete a reg key r, login as user u, inject into process p, etc.): target ALSO holds target object being accessed/read/modified/written to as part of the event, e.g., file being modified, created or deleted, a process being injected into, a registry value being changed, a user whose permissions are being changed, etc. 2b For two-operand operations (e.g., principal copies file B to file C): target holds the target object being modified/written (file C's details) along with the target device/user details (#1 above) if different from principal's device/user details. For example, if an event is describing a file copy: Process A.exe running as user 'nach' on 1.2.3.4 copies file B on 5.6.7.8 to file C on 9.8.7.6. Then we'd place C and 9.8.7.6 in target.
intermediary noun repeated The intermediary is an instance of a Noun that holds information about an entity that is an intermediary in the event. If an active event (has principal & possibly target) passes through some number of intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and the description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C).
observer noun Fill in the observer field to describe the device information for a security product observer if it's not an intermediary. An example would be a passive network tap.
about noun repeated An About entry is an instance of a Noun. About entries are optional and may contain details on other objects the event is operating on. Use for point-in-time descriptions of a thing, for example vulnerability scan results.
security_result securityresult repeated A list of security results.
network network All network details go here, including sub-messages with details on each protocol (e.g., DHCP, DNS, HTTP, etc).
extensions extensions All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network.
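The placement rules in the table above (two-operand events, the "MUST be empty" rule when the src/target object sits on the principal's own device, and the rule of thumb that an intermediary never changes principal/target) applied in code. This is an added example and is not part of the UDM reference or of any Chronicle parser: events are plain Python dicts keyed with the field names from this page; the event_type values, user.userid and process.file are UDM names assumed here but not listed on this page; build_noun, normalize_event and lint_event are hypothetical helper names.

```python
"""Added example (not from the UDM reference): enforce and check the
principal/src/target/intermediary placement rules on constructed events.
Assumed (not on this page): event_type values, user.userid, process.file."""
from copy import deepcopy

# Device-identity fields of a Noun, taken from the field list on this page.
DEVICE_FIELDS = ("hostname", "asset_id", "ip", "nat_ip", "port", "nat_port", "mac",
                 "administrative_domain", "namespace", "platform")
# Operated-on objects: the page says these never belong in principal.
OBJECT_FIELDS = ("file", "registry", "url", "resource")

def build_noun(**fields):
    """Return a Noun dict keeping only populated fields."""
    return {k: v for k, v in fields.items() if v not in (None, "", [], {})}

def same_device(a, b):
    """Two nouns describe the same device if any device identifier matches exactly."""
    return any(f in a and f in b and a[f] == b[f] for f in ("hostname", "asset_id", "ip", "mac"))

def normalize_event(event):
    """If src/target is on the principal's device, drop its device and process details;
    target.user is dropped too when it equals principal.user (rules from the udm table)."""
    ev = deepcopy(event)
    principal = ev.get("principal", {})
    for role in ("src", "target"):
        noun = ev.get(role)
        if not noun or not same_device(principal, noun):
            continue
        for f in DEVICE_FIELDS + ("process",):
            noun.pop(f, None)
        if role == "target" and noun.get("user") == principal.get("user"):
            noun.pop("user", None)
    return ev

def lint_event(event):
    """Return the list of placement-rule violations; an empty list means the event is clean."""
    problems = []
    principal = event.get("principal", {})
    for f in OBJECT_FIELDS:
        if f in principal:
            problems.append(f"principal.{f}: operated-on objects belong in src/target/about")
    for role in ("src", "target"):
        noun = event.get(role, {})
        if noun and same_device(principal, noun):
            problems.append(f"{role}: device details must be empty when on the principal's device")
    if "intermediary" in event and not isinstance(event["intermediary"], list):
        problems.append("intermediary: must be a repeated (list) field")
    return problems

# Constructed sample events (addresses and names are the page's own illustration, not real hosts).
# 1. The file copy from the udm table: A.exe as 'nach' on 1.2.3.4 copies B (5.6.7.8) to C (9.8.7.6).
FILE_COPY = {
    "metadata": {"event_type": "FILE_COPY", "product_event_type": "file_copy"},
    "principal": build_noun(ip=["1.2.3.4"], user={"userid": "nach"},
                            process={"file": {"full_path": r"C:\tools\A.exe"}}),
    "src": build_noun(ip=["5.6.7.8"], file={"full_path": r"\\5.6.7.8\share\B"}),
    "target": build_noun(ip=["9.8.7.6"], file={"full_path": r"\\9.8.7.6\share\C"}),
}
# 2. Same copy, but B lives on the principal's own host: src device details MUST be empty.
LOCAL_COPY = deepcopy(FILE_COPY)
LOCAL_COPY["src"] = build_noun(ip=["1.2.3.4"], file={"full_path": r"C:\data\B"})
# 3. Connection A -> B blocked by firewall C: principal/target look exactly like an allowed
#    connection; only the intermediary entry (and the security result) records the firewall.
BLOCKED_CONN = {
    "metadata": {"event_type": "NETWORK_CONNECTION"},
    "principal": build_noun(hostname="A", ip=["10.0.0.5"], port=51234),
    "target": build_noun(hostname="B", ip=["10.0.1.9"], port=443),
    "intermediary": [build_noun(hostname="C", ip=["10.0.0.1"])],
}

if __name__ == "__main__":
    for name, ev in (("file copy", FILE_COPY), ("local copy", LOCAL_COPY), ("blocked", BLOCKED_CONN)):
        print(name, lint_event(ev), "->", lint_event(normalize_event(ev)))
```

lint_event is the check to run over parser output before shipping a new parser: the local-copy case is the one that usually slips through, because the source log names the same host in both the actor and the object fields and a parser copies it into src verbatim.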

metadata

General information associated with a UDM event.

Field Type Label Description
product_log_id string A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).
event_timestamp timestamp The GMT timestamp when the event was generated.
collected_timestamp timestamp The GMT timestamp when the event was collected by the vendor's local collection infrastructure.
ingested_timestamp timestamp The GMT timestamp when the event was ingested (received) by Chronicle.
event_type metadata.eventtype (Enumerated List) If an event has multiple possible types, this specifies the most specific type.
vendor_name string The name of the product vendor.
product_name string The name of the product.
product_version string The version of the product.
product_event_type string A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").
product_deployment_id string The deployment identifier assigned by the vendor for the product deployment that generated the event (e.g. a Crowdstrike cid).
description string A human-readable, free-text description of the event that is not parsed into structured fields.
url_back_to_product string A URL that takes the user to the source product console for this event.
ingestion_labels label repeated User-configured ingestion metadata labels.
tags tags Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser.

principal

Captures all of the relevant attributes that we know about the entity, for example, if the entity is a device and it has multiple IP or MAC addresses, add all that are relevant.

Field Type Label Description
hostname string Client hostname or domain name field. Hostname also doubles as the domain for remote entities.
asset_id string The asset ID.
user user Information about the user.
user_management_chain user repeated Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.
group group Information about the group.
process process Information about the process.
process_ancestors process repeated Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
asset asset Information about the asset.
ip string repeated A list of IP addresses associated with a network connection.
nat_ip string repeated A list of NAT translated IP addresses associated with a network connection.
port int32 Source or destination network port number when a specific network connection is described within an event.
nat_port int32 NAT external network port number when a specific network connection is described within an event.
mac string repeated List of MAC addresses associated with a device.
administrative_domain string Domain which the device belongs to (for example, the Windows domain).
namespace string Namespace which the device belongs to (e.g. AD forest). Uses for this field include Windows AD forest, name of subsidiary or acquisition, etc.
url string The URL.
file file Information about the file.
email string Email address. Only filled in for security_result.about
registry registry Registry information.
application string The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".
platform noun.platform (Enumerated List) The platform.
platform_version string The platform version. e.g. "Microsoft Windows 1803"
platform_patch_level string The platform patch level. e.g. "Build 17134.48"
cloud cloud Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).
location location The physical location. For cloud environments, set the region in location.name.
resource resource Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, processes, etc. since these objects are already part of Noun.
labels label repeated Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).
object_reference id Reference to the finding (alert) that the analyst feedback applies to.
investigation investigation Analyst feedback/investigation for alerts.

src

A Noun with exactly the same fields as principal; see the principal table above for the full field list and definitions. Which object and device go in src, and when the src device details must be left empty, is described in the udm table.

target

A Noun with exactly the same fields as principal; see the principal table above for the full field list and definitions. The rules for what goes in target (the target device, the object of a single-operand operation, or the destination object of a two-operand operation) are in the udm table.

intermediary

A repeated Noun with exactly the same fields as principal; see the principal table above for the full field list and definitions. One entry is added per intermediary the event passed through (for example a firewall that blocked the connection), without changing principal or target.

observer

A Noun with exactly the same fields as principal; see the principal table above for the full field list and definitions. Use it for a passive security-product observer such as a network tap, not for an intermediary.

about

A repeated Noun with exactly the same fields as principal; see the principal table above for the full field list and definitions. Entries hold point-in-time descriptions of other objects the event concerns, such as vulnerability scan results.

Entity Attributes

asset

Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.

Field Type Label Description
product_object_id string A vendor-specific identifier to uniquely identify the entity (a GUID or similar).
hostname string Asset hostname or domain name field.
asset_id string The asset ID.
ip string repeated A list of IP addresses associated with an asset.
mac string repeated List of MAC addresses associated with an asset.
nat_ip string repeated List of NAT IP addresses associated with an asset.
hardware hardware repeated The asset hardware specifications.
platform_software platformsoftware The asset operating system platform software.
software software repeated The asset software details.
location location Location of the asset.
category string The category of the asset (e.g. "End User Asset", "Workstation", "Server").
type asset.assettype (Enumerated List) The type of the asset (e.g. workstation or laptop or server).
network_domain string The network domain of the asset (e.g. "corp.acme.com")
creation_time timestamp Time the asset was created or provisioned.
first_discover_time timestamp Time the asset was first discovered (by asset management/discoverability software).
last_discover_time timestamp Time the asset was last discovered (by asset management/discoverability software).
system_last_update_time timestamp Time the asset was last updated.
last_boot_time timestamp Time the asset was last boot started.
labels label repeated Deprecated. Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.
deployment_status asset.deploymentstatus (Enumerated List) The deployment status of the asset for device lifecycle purposes.
vulnerabilities vulnerability repeated Vulnerabilities discovered on asset.
attribute attribute Generic entity metadata attributes of the asset.

attribute

Attribute is a container for generic entity attributes, including attributes common across core entities (user, asset, etc). For example, Cloud is a generic entity attribute since it can apply to an asset (e.g. a VM) or a user (e.g. an identity service account). If an entity attribute is specific to a particular type of top-level core entity it should go in the respective proto (user, asset, group, etc); if it is generic across entity types it should be included as a generic attribute.

Field Type Label Description
cloud cloud Cloud metadata attributes such as project or account id, organizational hierarchy, etc.
labels label repeated Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.
permissions permission repeated System permissions for IAM entity (human principal, service account, group).
roles role (Enumerated List) repeated System IAM roles that the entity can assume; each role bundles the permissions that are used for access control.

authentication

The Authentication extension captures details specific to authentication events. General guidelines for authentication events:

  • Details on the source of the auth event (e.g. client IP, hostname), should be captured in principal. The principal may be empty if we have no details on the source of the login.
  • Details on the target of the auth event (e.g. details on the machine that is being logged into or logged out of) should be captured in target.
  • Some auth events may involve a third party. For example, a user logs into a cloud service (e.g. Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution.
Field Type Label Description
type authentication.authtype (Enumerated List) The type of authentication.
mechanism authentication.mechanism (Enumerated List) repeated The authentication mechanism.
auth_details string The vendor defined details of the authentication.
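The three-party case in the guidelines above (user's device in principal, cloud service in target, SSO solution in intermediary, auth details in extensions.auth) worked through on a constructed IdP audit record, including the case where the record carries no device details for the source. This is an added example, not part of the UDM reference or of any vendor parser: the input record format is invented; the metadata.event_type value "USER_LOGIN", the authentication.type value "SSO", the mechanism spellings and user.userid are UDM names assumed here but not listed on this page; sso_record_to_udm is a hypothetical function name.

```python
"""Added example (not from the UDM reference): map a constructed SSO audit
record onto the principal/target/intermediary layout for auth events.
Assumed (not on this page): the record format, the event_type, auth.type
and mechanism enum spellings, and the user.userid field."""
import json
from datetime import datetime, timezone

# Constructed IdP audit records in a hypothetical vendor format (not real data).
SSO_RECORD = json.dumps({
    "id": "evt-0001", "ts": "2024-03-04T10:15:30Z", "event": "user.authentication.sso",
    "user": "nach@example.com", "client_ip": "203.0.113.7", "client_host": "laptop-17",
    "app": "Chronicle", "idp_host": "sso.example.com",
    "factors": ["password", "otp"], "result": "SUCCESS",
})
# Same flow with no client details: principal then holds only what is known (the user).
NO_SOURCE_RECORD = json.dumps({
    "id": "evt-0002", "ts": "2024-03-04T10:16:02Z", "event": "user.authentication.sso",
    "user": "nach@example.com", "app": "Atlassian", "idp_host": "sso.example.com",
    "factors": ["password"], "result": "FAILURE",
})

# Vendor factor names -> authentication.mechanism values (assumed spelling).
MECHANISM_MAP = {"password": "USERNAME_PASSWORD", "otp": "OTP", "hw_key": "HARDWARE_KEY"}

def _noun(**fields):
    """Build a Noun, dropping fields the record did not supply."""
    return {k: v for k, v in fields.items() if v}

def sso_record_to_udm(raw, vendor="ExampleIdP", product="ExampleIdP SSO"):
    rec = json.loads(raw)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {
        "metadata": {
            "event_timestamp": ts.isoformat(),      # GMT, as metadata.event_timestamp requires
            "event_type": "USER_LOGIN",
            "vendor_name": vendor,
            "product_name": product,
            "product_event_type": rec["event"],
            "product_log_id": rec["id"],
        },
        # Target: the cloud service logged into; SSO logs usually give only its name.
        "target": _noun(application=rec["app"]),
        # Intermediary: the SSO solution that brokered (and logged) the login.
        "intermediary": [_noun(hostname=rec["idp_host"])],
        "extensions": {"auth": {
            "type": "SSO",
            "mechanism": [MECHANISM_MAP[f] for f in rec.get("factors", []) if f in MECHANISM_MAP],
            "auth_details": "result=" + rec["result"],
        }},
    }
    # Principal: the source of the login. Only the details the record actually has.
    principal = _noun(
        hostname=rec.get("client_host"),
        ip=[rec["client_ip"]] if rec.get("client_ip") else None,
        user={"userid": rec["user"]} if rec.get("user") else None,
    )
    if principal:
        event["principal"] = principal
    return event

if __name__ == "__main__":
    print(json.dumps(sso_record_to_udm(SSO_RECORD), indent=1))
```

Whether the login succeeded is deliberately not encoded in principal/target; it belongs in security_result (not shown here), so a failed and a successful login to the same service produce the same noun layout.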

certificate

Certificate information

Field Type Label Description
version string Certificate version.
serial string Certificate serial number.
subject string Subject of the certificate.
issuer string Issuer of the certificate.
md5 string The MD5 hash of the certificate.
sha1 string The SHA1 hash of the certificate.
sha256 string The SHA256 hash of the certificate.
not_before timestamp Indicates when the certificate is first valid.
not_after timestamp Indicates when the certificate is no longer valid.

cloud

Metadata related to the cloud environment.

Field Type Label Description
environment cloud.cloudenvironment (Enumerated List) The Cloud environment.
vpc resource The cloud environment VPC.
project resource The cloud environment project information.
availability_zone string The cloud environment availability zone (different from region which is location.name).

dhcp

DHCP information.

Field Type Label Description
opcode dhcp.opcode (Enumerated List) The BOOTP op code.
htype uint32 Hardware address type.
hlen uint32 Hardware address length.
hops uint32 Hop count (hops). Set to zero by the client and incremented by each BOOTP relay agent the message passes through.
transaction_id uint32 Transaction ID.
seconds uint32 Seconds elapsed since client began address acquisition/renewal process.
flags uint32 Flags.
ciaddr string Client IP address (ciaddr).
yiaddr string Your IP address (yiaddr).
siaddr string IP address of the next bootstrap server.
giaddr string Relay agent IP address (giaddr).
chaddr string Client hardware address (chaddr).
sname string Server name that the client wishes to boot from.
file string Boot image filename.
options dhcp.option repeated List of DHCP options.
type dhcp.messagetype (Enumerated List) DHCP message type.
lease_time_seconds uint32 Lease time in seconds. See RFC2132, section 9.2.
client_hostname string Client hostname. See RFC2132, section 3.14.
client_identifier bytes Client identifier. See RFC2132, section 9.14.
requested_address string Requested IP address. See RFC2132, section 9.1.

dhcp.option

DHCP options.

Field Type Label Description
code uint32 The option code. See RFC1533.
data bytes The raw option data (value) bytes.
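A decoder that fills the dhcp and dhcp.option fields listed in the two tables above from a raw BOOTP/DHCP message, including the option-derived fields (type, lease_time_seconds, client_hostname, client_identifier, requested_address). This is an added example, not part of the UDM reference or of any Chronicle parser: the DHCPACK packet is constructed for the example, the message type names are the RFC2132 ones rather than necessarily the UDM enum spelling, and parse_dhcp / parse_options are hypothetical function names.

```python
"""Added example (not from the UDM reference): decode a BOOTP/DHCP message
into the dhcp and dhcp.option fields. Packet below is constructed; message
type names follow RFC2132 section 9.6, not necessarily the UDM enum."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                  # RFC2132 section 2
OPCODES = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

def _ip(b):
    return ".".join(str(x) for x in b)

def _cstr(b):
    """NUL-terminated ASCII field (sname, file)."""
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_options(body):
    """Walk the TLV option area: code 0 is a one-byte pad, 255 ends the list (RFC2132 3.1, 3.2).
    Truncated options are rejected rather than silently accepted."""
    opts, i = [], 0
    while i < len(body):
        code = body[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(body):
            raise ValueError("truncated option header")
        length = body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts.append({"code": code, "data": data})
        i += 2 + length
    return opts

def parse_dhcp(pkt):
    """Fixed BOOTP header (236 bytes) + magic cookie + options -> udm dhcp dict."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    msg = {
        "opcode": OPCODES.get(op, str(op)),
        "htype": htype, "hlen": hlen, "hops": hops,       # hops: incremented by relay agents
        "transaction_id": xid, "seconds": secs, "flags": flags,
        "ciaddr": _ip(pkt[12:16]), "yiaddr": _ip(pkt[16:20]),
        "siaddr": _ip(pkt[20:24]), "giaddr": _ip(pkt[24:28]),
        "chaddr": ":".join(f"{b:02x}" for b in pkt[28:28 + min(hlen, 16)]),
        "sname": _cstr(pkt[44:108]), "file": _cstr(pkt[108:236]),
    }
    msg["options"] = parse_options(pkt[240:])
    for opt in msg["options"]:                         # derived fields from well-known options
        code, data = opt["code"], opt["data"]
        if code == 53 and len(data) == 1:              # DHCP message type, RFC2132 9.6
            msg["type"] = MESSAGE_TYPES.get(data[0], str(data[0]))
        elif code == 51 and len(data) == 4:            # lease time, 9.2
            msg["lease_time_seconds"] = struct.unpack("!I", data)[0]
        elif code == 12:                               # host name, 3.14
            msg["client_hostname"] = data.decode("ascii", "replace")
        elif code == 61:                               # client identifier, 9.14 (kept as bytes)
            msg["client_identifier"] = data
        elif code == 50 and len(data) == 4:            # requested IP address, 9.1
            msg["requested_address"] = _ip(data)
    return msg

def safe_parse_dhcp(pkt):
    """None for malformed input, so a bad packet never becomes a half-filled event."""
    try:
        return parse_dhcp(pkt)
    except (ValueError, struct.error):
        return None

def _opt(code, data):
    return bytes([code, len(data)]) + data

MAC = bytes.fromhex("001122334455")
# Constructed DHCPACK from server 192.0.2.1 assigning 192.0.2.50 to the client above.
SAMPLE_ACK = (
    struct.pack("!BBBBIHH", 2, 1, 6, 0, 0xDEADBEEF, 0, 0)
    + bytes(4) + bytes([192, 0, 2, 50]) + bytes([192, 0, 2, 1]) + bytes(4)   # ciaddr yiaddr siaddr giaddr
    + MAC + bytes(10)                                                        # chaddr padded to 16
    + bytes(64) + bytes(128) + MAGIC_COOKIE
    + _opt(53, b"\x05") + _opt(51, struct.pack("!I", 86400))
    + _opt(12, b"laptop-17") + _opt(61, b"\x01" + MAC) + b"\x00" + b"\xff"
)
```

The option list is kept verbatim as dhcp.option entries even when a derived field is filled, so a detection can still look at options the decoder does not interpret (for example option 55 parameter lists used for client fingerprinting).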

dns

DNS information.

Field Type Label Description
id uint32 DNS query id.
response bool Set to true if the event is a DNS response. See QR field from RFC1035.
opcode uint32 The DNS OpCode used to specify the type of DNS query (e.g. QUERY, IQUERY, STATUS, etc.).
authoritative bool Whether the answering server is an authority for the queried domain (the AA header flag). See RFC1035, section 4.1.1.
truncated bool Whether the DNS response was truncated.
recursion_desired bool Whether a recursive DNS lookup is desired.
recursion_available bool Whether a recursive DNS lookup is available.
response_code uint32 Response code. See RCODE from RFC1035.
questions dns.question repeated A list of domain protocol message questions.
answers dns.resourcerecord repeated A list of answers to the domain name query.
authority dns.resourcerecord repeated A list of resource records (normally NS records) pointing toward a name server that is authoritative for the queried domain.
additional dns.resourcerecord repeated A list of additional resource records related to the query, for example the addresses of the name servers named in the authority section.

dns.question

DNS Questions. See RFC1035, section 4.1.2.

Field Type Label Description
name string The domain name.
type uint32 The code specifying the type of the query.
class uint32 The code specifying the class of the query.

dns.resourcerecord

DNS Resource Records. See RFC1035, section 4.1.3.

Field Type Label Description
name string The name of the owner of the resource record.
type uint32 The code specifying the type of the resource record.
class uint32 The code specifying the class of the resource record.
ttl uint32 The time interval for which the resource record can be cached before the source of the information should again be queried.
data string The payload or response to the DNS question, for all responses that can be encoded as UTF-8.
binary_data bytes The raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
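
The dns, dns.question and dns.resourcerecord messages above map almost one-to-one onto the RFC1035 wire format. The following added example, which is not Chronicle's own code, parses a DNS message into those fields: the header flags of section 4.1.1 (QR, OPCODE, AA, TC, RD, RA, RCODE), the question section, and the answer/authority/additional resource records including section 4.1.4 name compression, with RDATA rendered into `data` where a UTF-8 form exists and left in `binary_data` otherwise. The response bytes at the bottom are constructed for this example.

```python
# Added example (not Chronicle's own code): parse a DNS message off the wire
# into the udm dns, dns.question and dns.resourcerecord fields. The message
# bytes at the bottom are constructed for this example.
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_AAAA = 1, 2, 5, 12, 28


@dataclass
class Question:            # dns.question ("class" is a Python keyword)
    name: str
    type: int
    class_: int


@dataclass
class ResourceRecord:      # dns.resourcerecord
    name: str
    type: int
    class_: int
    ttl: int
    data: str = ""            # UTF-8 rendering of RDATA when one exists
    binary_data: bytes = b""  # raw RDATA otherwise


@dataclass
class DnsFields:           # dns
    id: int
    response: bool
    opcode: int
    authoritative: bool
    truncated: bool
    recursion_desired: bool
    recursion_available: bool
    response_code: int
    questions: List[Question] = field(default_factory=list)
    answers: List[ResourceRecord] = field(default_factory=list)
    authority: List[ResourceRecord] = field(default_factory=list)
    additional: List[ResourceRecord] = field(default_factory=list)


def read_name(msg: bytes, off: int, depth: int = 0) -> Tuple[str, int]:
    """Decode a domain name at `off`; returns (name, offset just past it).
    Pointers must point backwards (RFC1035: 'a prior occurrence'), which,
    together with the depth cap, defeats pointer loops in hostile messages."""
    if depth > 8:
        raise ValueError("too many compression pointers")
    labels: List[str] = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")
            tail, _ = read_name(msg, ptr, depth + 1)
            if tail:
                labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii", errors="replace"))
        off += length


def read_rr(msg: bytes, off: int) -> Tuple[ResourceRecord, int]:
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    rr = ResourceRecord(name, rtype, rclass, ttl)
    if rtype == TYPE_A and rdlen == 4:
        rr.data = str(ipaddress.IPv4Address(rdata))
    elif rtype == TYPE_AAAA and rdlen == 16:
        rr.data = str(ipaddress.IPv6Address(rdata))
    elif rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR):  # RDATA is a (compressible) name
        rr.data, _ = read_name(msg, off)
    else:                                            # anything else stays raw
        rr.binary_data = rdata
    return rr, off + rdlen


def parse_dns(msg: bytes) -> DnsFields:
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    f = DnsFields(
        id=ident,
        response=bool(flags & 0x8000),             # QR
        opcode=(flags >> 11) & 0xF,                # OPCODE
        authoritative=bool(flags & 0x0400),        # AA
        truncated=bool(flags & 0x0200),            # TC
        recursion_desired=bool(flags & 0x0100),    # RD
        recursion_available=bool(flags & 0x0080),  # RA
        response_code=flags & 0xF,                 # RCODE
    )
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        f.questions.append(Question(name, qtype, qclass))
    for count, section in ((an, f.answers), (ns, f.authority), (ar, f.additional)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            section.append(rr)
    return f


# Constructed response: id 0x1a2b, flags QR|RD|RA, one question, one A answer
# (TTL 300) and one NS authority record; both records use pointers (0xc00c)
# back to the question name at offset 12.
SAMPLE_RESPONSE = (
    b"\x1a\x2b\x81\x80\x00\x01\x00\x01\x00\x01\x00\x00"
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04" + bytes([93, 184, 216, 34])
    + b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x06\x03ns1\xc0\x0c"
)
```

The backward-only pointer rule is the important check: a crafted message with a pointer to itself or to a later offset would otherwise spin a naive parser, and a log pipeline that normalises untrusted DNS captures is exactly where such input shows up.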

email

Email info.

Field Type Label Description
from string The 'from' address.
reply_to string The 'reply to' address.
to string repeated A list of 'to' addresses.
cc string repeated A list of 'cc' addresses.
bcc string repeated A list of 'bcc' addresses.
mail_id string The mail (or message) ID.
subject string repeated The subject line(s) of the email.

extensions

Extensions to a UDM event.

Field Type Label Description
auth authentication An authentication extension.
vulns vulnerabilities A vulnerability extension.

file

Information about a file.

Field Type Label Description
sha256 string The SHA256 hash of the file.
md5 string The MD5 hash of the file.
sha1 string The SHA1 hash of the file.
size uint64 The size of the file in bytes.
full_path string The full path identifying the location of the file on the system.
mime_type string The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.
file_metadata filemetadata Metadata associated with the file.

filemetadata

Metadata about a file. Place metadata about different file types here, for example data from the Windows VersionInfo block, digital signer details, etc. Use a different sub-message per file type.

Field Type Label Description
pe pefilemetadata Metadata for windows PE files.

ftp

FTP info.

Field Type Label Description
command string The FTP command.

group

Information about an organizational group.

Field Type Label Description
product_object_id string Product globally unique group object identifier, such as an LDAP Object Identifier.
creation_time timestamp Group creation time.
group_display_name string Group display name. e.g. "Finance".
attribute attribute Generic entity metadata attributes of the group.
email_addresses string repeated Email addresses of the group.
windows_sid string The windows SID of the group.

hardware

Hardware specification details for a resource, including both physical and virtual hardware.

Field Type Label Description
serial_number string Hardware serial number.
manufacturer string Hardware manufacturer.
model string Hardware model.
cpu_platform string Platform of the hardware CPU (e.g. "Intel Broadwell").
cpu_model string Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").
cpu_clock_speed uint64 Clock speed of the hardware CPU in MHz.
cpu_max_clock_speed uint64 Maximum possible clock speed of the hardware CPU in MHz.
cpu_number_cores uint64 Number of CPU cores.
ram uint64 Amount of hardware random access memory (RAM) in MB.

http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "src" or "target".

Field Type Label Description
method string The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").
referral_url string The URL for the HTTP referer.
user_agent string The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
response_code int32 The response status code. e.g. 200, 302, 404, 500, etc.

investigation

Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.

Field Type Label Description
verdict verdict (Enumerated List) Describes reason a finding investigation was resolved.
reputation reputation (Enumerated List) Describes whether a finding was useful or not-useful.
severity_score uint32 Severity score for a finding set by an analyst.
status status (Enumerated List) Describes the workflow status of a finding.
comments string repeated Comment added by the Analyst.

label

Key value labels.

Field Type Label Description
key string The key.
value string The value.

location

Information about a location.

Field Type Label Description
city string The city.
state string The state.
country_or_region string The country or region.
name string Custom location name (e.g. building or site name). For cloud environments, this is the region (e.g. "us-west2").

network

A network event.

Field Type Label Description
sent_bytes uint64 The number of bytes sent.
received_bytes uint64 The number of bytes received.
session_duration int64 The duration of the session.
session_id string The ID of the network session.
community_id string Community ID network flow hash.
direction network.direction (Enumerated List) The direction of network traffic.
ip_protocol network.ipprotocol (Enumerated List) The IP protocol.
application_protocol network.applicationprotocol (Enumerated List) The application protocol.
ftp ftp FTP info.
email email Email info for the sender/recipient.
dns dns DNS info.
dhcp dhcp DHCP info.
http http HTTP info.
tls tls TLS info.
smtp smtp SMTP info. Store fields specific to SMTP not covered by Email.

pefilemetadata

Metadata about a Windows Portable Executable.

Field Type Label Description
import_hash string Hash of PE imports.

permission

System permission for resource access and modification.

Field Type Label Description
name string Name of the permission (e.g. chronicle.analyst.updateRule).
description string Description of the permission (e.g. 'Ability to update detect rules').
type permission.permissiontype (Enumerated List) Type of the permission.

platformsoftware

Platform software information about an operating system.

Field Type Label Description
platform noun.platform (Enumerated List) The platform operating system.
platform_version string The platform software version ( e.g. "Microsoft Windows 1803").
platform_patch_level string The platform software patch level ( e.g. "Build 17134.48", "SP1").

process

Information about a process.

Field Type Label Description
pid string The process ID.
parent_pid string Deprecated. The ID of the parent process. Please use parent_process.pid instead.
parent_process process Information about the parent process.
file file Information about the file in use by the process.
command_line string The command line command that created the process.
command_line_history string repeated The command line history of the process.
product_specific_process_id string A product specific process id.
access_mask uint64 A bit mask representing the level of access.
product_specific_parent_process_id string Deprecated. A product-specific ID for the parent process. Please use parent_process.product_specific_process_id instead.

registry

Information about a registry key or value.

Field Type Label Description
registry_key string The registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).
registry_value_name string The name of the registry value associated with an application or system component (e.g. TEMP).
registry_value_data string The data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

resource

Information about a resource such as a task, cloud storage bucket, database, disk, logical policy, or similar.

Field Type Label Description
type string Deprecated. Use resource_type instead.
resource_type resource.resourcetype (Enumerated List) Resource type.
resource_subtype string Resource sub-type (e.g. "BigQuery", "Bigtable").
id string Deprecated.
name string The name of the resource.
parent string The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc.
product_object_id string A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)
attribute attribute Generic entity metadata attributes of the resource.

role

System role for resource access and modification.

Field Type Label Description
name string System role name for user.
description string System role description for user.
type role.type (Enumerated List) System role type for well known roles.

securityresult

Security-related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may pertain either to the whole event or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (process, user, IP, domain, URL, email address, etc.) in its about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

Field Type Label Description
about noun If the security result is about a specific entity (noun), add it here.
category securityresult.securitycategory (Enumerated List) repeated The security category.
category_details string repeated For vendor-specific categories. For web categorization, put type in here such as "gambling", "porn", etc.
threat_name string A vendor-assigned classification common across multiple customers (e.g. "W32/File-A", "Slammer").
rule_id string A vendor-specific ID and name for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").
rule_name string Name of the security rule (e.g. "BlockInboundToOracle").
rule_version string Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed.
rule_type string The type of security rule.
rule_author string Author of the security rule.
rule_labels label repeated A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John").
alert_state securityresult.alertstate (Enumerated List) The alerting types of this security result.
detection_fields label repeated An ordered list of labels representing the fields of a detection for a security finding, i.e. a mapping from the names of the requested entities to the values that matched (the security result's matched variables).
summary string A human readable summary (e.g. "failed login occurred")
description string A human readable description (e.g. "user password was wrong")
action securityresult.action (Enumerated List) repeated Actions taken for this event.
action_details string The detail of the action taken as provided by the vendor.
severity securityresult.productseverity (Enumerated List) The severity of the result.
confidence securityresult.productconfidence (Enumerated List) The confidence level of the result as estimated by the product.
priority securityresult.productpriority (Enumerated List) The priority of the result.
severity_details string Vendor-specific severity.
confidence_details string Additional detail with regards to the confidence of a security event as estimated by the product vendor.
priority_details string Vendor-specific information about the security result priority.
url_back_to_product string URL that takes the user to the source product console for this event.
threat_id string Vendor-specific ID for a threat.
threat_id_namespace id.namespace The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id.
threat_status securityresult.threatstatus (Enumerated List) Current status of the threat

smtp

SMTP info.

software

Information about a software package or application.

Field Type Label Description
name string The name of the software.
version string The version of the software.

tags

Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters.

Field Type Label Description
tenant_id bytes repeated A list of subtenant IDs that this event belongs to.

timeoff

System record for leave/time-off from a Human Capital Management (HCM) system.

Field Type Label Description
interval google.type.interval Interval duration of the leave.
description string Description of the leave if available (e.g. 'Vacation').

tls

Transport Layer Security (TLS) information.

Field Type Label Description
client tls.client Certificate information for the client certificate.
server tls.server Certificate information for the server certificate.
cipher string Cipher used during the connection.
curve string Elliptic curve used for a given cipher.
version string TLS version.
version_protocol string Protocol.
established bool Indicates whether the TLS negotiation was successful.
next_protocol string Protocol to be used for tunnel.
resumed bool Indicates whether the TLS connection was resumed from a previous TLS negotiation.

tls.client

Transport Layer Security (TLS) information associated with the client (e.g. Certificate, ja3 hash, etc.).

Field Type Label Description
certificate certificate Client certificate.
ja3 string JA3 hash from client hello.
server_name string Host name of the server that the client is connecting to, as sent in the Server Name Indication (SNI) extension of the client hello.
supported_ciphers string repeated Ciphers supported by the client during client hello.

tls.server

Transport Layer Security (TLS) information associated with the server (e.g. Certificate, ja3 hash, etc.).

Field Type Label Description
certificate certificate Server certificate.
ja3s string JA3S hash from server hello.

user

Information about a user.

Field Type Label Description
product_object_id string A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
userid string The ID of the user.
user_display_name string The display name of the user (e.g. "John Locke").
first_name string First name of the user (e.g. "John").
middle_name string Middle name of the user.
last_name string Last name of the user (e.g. "Locke").
phone_numbers string repeated Phone numbers for the user.
personal_address location Personal address of the user.
attribute attribute Generic entity metadata attributes of the user.
groupid string Deprecated. The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.
group_identifiers string repeated Product object identifiers of the group(s) the user belongs to: a vendor-specific identifier that uniquely identifies each group (a GUID, LDAP OID, or similar).
windows_sid string The windows SID of the user.
email_addresses string repeated Email addresses of the user.
employee_id string Human capital management identifier.
title string User job title.
company_name string User job company name.
department string repeated User job department.
office_address location User job office location.
managers user repeated User job manager(s).
hire_date timestamp User job employment hire date.
termination_date timestamp User job employment termination date.
time_off timeoff repeated User time off leaves from active work.
user_authentication_status authentication.authenticationstatus (Enumerated List) System authentication status for user.
role_name string Deprecated. System role name for user. Use attribute.roles instead.
role_description string Deprecated. System role description for user. Use attribute.roles instead.
user_role user.role (Enumerated List) Deprecated. System role for user. Use attribute.roles instead.

vulnerabilities

The Vulnerabilities extension captures details on observed/detected vulnerabilities.

Field Type Label Description
vulnerabilities vulnerability repeated A list of vulnerabilities.

vulnerability

A vulnerability.

Field Type Label Description
about noun If the vulnerability is about a specific noun (e.g. executable), then add it here.
name string Name of the vulnerability (e.g. "Unsupported OS Version detected").
description string Description of the vulnerability.
vendor string Vendor of scan that discovered vulnerability.
scan_start_time timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.
scan_end_time timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.
first_found timestamp Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
last_found timestamp Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
severity vulnerability.severity (Enumerated List) The severity of the vulnerability.
severity_details string Vendor-specific severity.
cvss_base_score float CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.
cvss_vector string Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE
cvss_version string Version of CVSS Vector/Score.
cve_id string Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id
cve_description string Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
vendor_vulnerability_id string Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
vendor_knowledge_base_article_id string Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft) https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase

Enumerated Lists

asset.assettype

The role type of the asset.

Name Number Description
ROLE_UNSPECIFIED 0 Unspecified asset role.
WORKSTATION 1 A workstation or desktop.
LAPTOP 2 A laptop computer.
IOT 3 An IOT asset.
NETWORK_ATTACHED_STORAGE 4 A network attached storage device.
PRINTER 5 A printer.
SCANNER 6 A scanner.
SERVER 7 A server.
TAPE_LIBRARY 8 A tape library device.
MOBILE 9 A mobile device such as a mobile phone or PDA.

asset.deploymentstatus

Deployment status states.

Name Number Description
DEPLOYMENT_STATUS_UNSPECIFIED 0 Unspecified deployment status.
ACTIVE 1 Asset is active, functional and deployed.
PENDING_DECOMISSION 2 Asset is pending decommission and no longer deployed.
DECOMISSIONED 3 Asset is decommissioned.

authentication.authtype

Type of system the authentication event is associated with.

Name Number Description
AUTHTYPE_UNSPECIFIED 0 The default type.
MACHINE 1 A machine authentication.
SSO 2 An SSO authentication.
VPN 3 A VPN authentication.
PHYSICAL 4 A Physical authentication (e.g. "Badge reader").
TACACS 5 A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+).

authentication.authenticationstatus

Authentication status, can be used to describe the status of authentication for a user or particular credential.

Name Number Description
UNKNOWN_AUTHENTICATION_STATUS 0 The default authentication status.
ACTIVE 1 The authentication method is in active state.
SUSPENDED 2 The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS 3 The authentication method has no active credentials.
DELETED 4 The authentication method has been deleted.

authentication.mechanism

Mechanism(s) used to authenticate.

Name Number Description
MECHANISM_UNSPECIFIED 0 The default mechanism.
USERNAME_PASSWORD 1 Username + password authentication.
OTP 2 OTP authentication.
HARDWARE_KEY 3 Hardware key authentication.
LOCAL 4 Local authentication.
REMOTE 5 Remote authentication.
REMOTE_INTERACTIVE 6 RDP, Terminal Services, VNC, etc.
MECHANISM_OTHER 7 Some other mechanism that is not defined here.
BADGE_READER 8 Badge reader authentication.
NETWORK 9 Network authentication.
BATCH 10 Batch authentication.
SERVICE 11 Service authentication.
UNLOCK 12 Direct human-interactive unlock authentication.
NETWORK_CLEAR_TEXT 13 Network clear text authentication.
NEW_CREDENTIALS 14 Authentication with new credentials.
INTERACTIVE 15 Interactive authentication.
CACHED_INTERACTIVE 16 Interactive authentication using cached credentials.
CACHED_REMOTE_INTERACTIVE 17 Remote interactive authentication using cached credentials.
CACHED_UNLOCK 18 Unlock authentication using cached credentials.

cloud.cloudenvironment

The service provider environment.

Name Number Description
UNSPECIFIED_CLOUD_ENVIRONMENT 0 Default.
GOOGLE_CLOUD_PLATFORM 1 Google Cloud Platform.
AMAZON_WEB_SERVICES 2 Amazon Web Services.
MICROSOFT_AZURE 3 Microsoft Azure.

dhcp.messagetype

DHCP message type. See RFC2131, section 3.1.

Name Number Description
UNKNOWN_MESSSAGE_TYPE 0 Default message type.
DISCOVER 1 DHCPDISCOVER.
OFFER 2 DHCPOFFER.
REQUEST 3 DHCPREQUEST.
DECLINE 4 DHCPDECLINE.
ACK 5 DHCPACK.
NAK 6 DHCPNAK.
RELEASE 7 DHCPRELEASE.
INFORM 8 DHCPINFORM.
WIN_DELETED 100 Windows DHCP "lease deleted".
WIN_EXPIRED 101 Windows DHCP "lease expired".

dhcp.opcode

BOOTP op code. See RFC951, section 3.

Name Number Description
UNKNOWN_OPCODE 0 Default opcode.
BOOTREQUEST 1 Request.
BOOTREPLY 2 Reply.

metadata.eventtype

An event type. Choose the event type from the activity that was logged, not from the kind of product that generated the log. So, for example, an antivirus (AV) product scanning email on a client would generate an SMTP_PROXY event, not an AV event. A DLP device scanning a web upload would generate an HTTP_PROXY event and not a DLP or process activity event. Note: In the case of an HTTP_PROXY event, you might also include process details if this occurred on an endpoint. That would be optional, but there is a certain set of required fields and banned fields due to its status as an HTTP_PROXY event.

Name Number Description
EVENTTYPE_UNSPECIFIED 0 Default event type
PROCESS_UNCATEGORIZED 10000 An activity related to a process that does not fit into any of the other categories.
PROCESS_LAUNCH 10001 A process launch.
PROCESS_INJECTION 10002 A process injecting into another process.
PROCESS_PRIVILEGE_ESCALATION 10003 A process privilege escalation.
PROCESS_TERMINATION 10004 A process termination.
PROCESS_OPEN 10005 A process being opened.
PROCESS_MODULE_LOAD 10006 A process loading a module.
REGISTRY_UNCATEGORIZED 11000 A registry event that does not fall into one of the other categories.
REGISTRY_CREATION 11001 A registry creation.
REGISTRY_MODIFICATION 11002 A registry modification.
REGISTRY_DELETION 11003 A registry deletion.
SETTING_UNCATEGORIZED 12000 A settings related event that does not fall into one of the other categories.
SETTING_CREATION 12001 A setting creation.
SETTING_MODIFICATION 12002 A setting modification.
SETTING_DELETION 12003 A setting deletion.
MUTEX_UNCATEGORIZED 13000 A mutex event other than creation.
MUTEX_CREATION 13001 A mutex creation.
FILE_UNCATEGORIZED 14000 A file event that does not fall into one of the other categories.
FILE_CREATION 14001 A file being created.
FILE_DELETION 14002 A file being deleted.
FILE_MODIFICATION 14003 A file being modified.
FILE_READ 14004 A file being read. Used for things like reading a password file.
FILE_COPY 14005 A file being copied. Used for file copies, e.g. to a thumb drive.
FILE_OPEN 14006 A file being opened. Often has a security result.
FILE_MOVE 14007 A file being moved or renamed.
FILE_SYNC 14008 A file being synced (e.g. Dropbox, Sharepoint upload/download, backup).
USER_UNCATEGORIZED 15000 A user activity that does not fall into one of the other categories.
USER_LOGIN 15001 A user login.
USER_LOGOUT 15002 A user logout.
USER_CREATION 15003 A user creation.
USER_CHANGE_PASSWORD 15004 A user password change event.
USER_CHANGE_PERMISSIONS 15005 A change in user permissions.
USER_STATS 15006 Deprecated. Used to update user info for an LDAP dump.
USER_BADGE_IN 15007 When a user physically badges into a site.
USER_DELETION 15008 A user deletion.
USER_RESOURCE_CREATION 15009 A user creates a virtual resource. This is equivalent to RESOURCE_CREATION.
USER_RESOURCE_UPDATE_CONTENT 15010 A user updates content of a virtual resource. This is equivalent to RESOURCE_WRITTEN.
USER_RESOURCE_UPDATE_PERMISSIONS 15011 A user updates permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
USER_COMMUNICATION 15012 A user initiates communication through a medium such as video conference.
USER_RESOURCE_ACCESS 15013 A user accesses a virtual resource. This is equivalent to RESOURCE_READ.
USER_RESOURCE_DELETION 15014 A user deletes a virtual resource. This is equivalent to RESOURCE_DELETION.
GROUP_UNCATEGORIZED 23000 A group activity that does not fall into one of the other categories.
GROUP_CREATION 23001 A group creation.
GROUP_DELETION 23002 A group deletion.
GROUP_MODIFICATION 23003 A group modification.
EMAIL_UNCATEGORIZED 19000 Email messages.
EMAIL_TRANSACTION 19001 An email transaction.
EMAIL_URL_CLICK 19002 Deprecated. An email URL click event. Use NETWORK_HTTP instead.
NETWORK_UNCATEGORIZED 16000 A network event that does not fit into one of the other categories.
NETWORK_FLOW 16001 Aggregated flow stats like netflow.
NETWORK_CONNECTION 16002 Network connection details like from a FW.
NETWORK_FTP 16003 FTP telemetry.
NETWORK_DHCP 16004 DHCP payload.
NETWORK_DNS 16005 DNS payload.
NETWORK_HTTP 16006 HTTP telemetry.
NETWORK_SMTP 16007 SMTP telemetry.
STATUS_UNCATEGORIZED 17000 A status message that does not fit into one of the other categories.
STATUS_HEARTBEAT 17001 Heartbeat indicating product is alive.
STATUS_STARTUP 17002 An agent startup.
STATUS_SHUTDOWN 17003 An agent shutdown.
STATUS_UPDATE 17004 A software or fingerprint update.
SCAN_UNCATEGORIZED 18000 A scan item that does not fit into one of the other categories.
SCAN_FILE 18001 A file scan.
SCAN_PROCESS_BEHAVIORS 18002 Scan process behaviors. Please use SCAN_PROCESS instead.
SCAN_PROCESS 18003 Scan process.
SCAN_HOST 18004 Scan results from scanning an entire host device for threats/sensitive documents.
SCAN_VULN_HOST 18005 Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan).
SCAN_VULN_NETWORK 18006 Vulnerability scan logs about network vulnerabilities.
SCAN_NETWORK 18007 Scan network for suspicious activity.
SCHEDULED_TASK_UNCATEGORIZED 20000 A scheduled task event that does not fall into one of the other categories.
SCHEDULED_TASK_CREATION 20001 Scheduled task creation.
SCHEDULED_TASK_DELETION 20002 Scheduled task deletion.
SCHEDULED_TASK_ENABLE 20003 Scheduled task being enabled.
SCHEDULED_TASK_DISABLE 20004 Scheduled task being disabled.
SCHEDULED_TASK_MODIFICATION 20005 Scheduled task being modified.
SYSTEM_AUDIT_LOG_UNCATEGORIZED 21000 A system audit log event that is not a wipe.
SYSTEM_AUDIT_LOG_WIPE 21001 A system audit log wipe.
SERVICE_UNSPECIFIED 22000 A service event that does not fit into one of the other categories.
SERVICE_CREATION 22001 A service creation.
SERVICE_DELETION 22002 A service deletion.
SERVICE_START 22003 A service start.
SERVICE_STOP 22004 A service stop.
SERVICE_MODIFICATION 22005 A service modification.
GENERIC_EVENT 100000 OS events that do not fall in any of the other above categories. Might include uncategorized Windows event logs, etc.
RESOURCE_CREATION 1 The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION.
RESOURCE_DELETION 2 The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION.
RESOURCE_PERMISSIONS_CHANGE 3 The resource had its permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
RESOURCE_READ 4 The resource was read. This is equivalent to USER_RESOURCE_ACCESS.
RESOURCE_WRITTEN 5 The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
ANALYST_UPDATE_VERDICT 24000 Analyst updating the Verdict (true positive, false positive, disregard, etc.) of a Finding.
ANALYST_UPDATE_REPUTATION 24001 Analyst updating the Reputation (useful, not useful) of a Finding.
ANALYST_UPDATE_SEVERITY_SCORE 24002 Analyst updating the Severity score (0-100) of a Finding.
ANALYST_UPDATE_STATUS 24007 Analyst updating the Finding status.
ANALYST_ADD_COMMENT 24008 Analyst adding a comment to a Finding.

network.applicationprotocol

A network application protocol.

Name Number Description
UNKNOWN_APPLICATION_PROTOCOL 0 The default application protocol.
AFP 1 Apple Filing Protocol.
APPC 2 Advanced Program-to-Program Communication.
AMQP 3 Advanced Message Queuing Protocol.
ATOM 4 Atom Publishing Protocol.
BEEP 5 Block Extensible Exchange Protocol.
BITCOIN 6 Crypto currency protocol.
BIT_TORRENT 7 Peer-to-peer file sharing.
CFDP 8 Coherent File Distribution Protocol.
COAP 9 Constrained Application Protocol.
DDS 10 Data Distribution Service.
DEVICE_NET 11 Automation industry protocol.
DHCP 4000 DHCP.
DNS 3000 DNS.
E_DONKEY 12 Classic file sharing protocol.
ENRP 13 Endpoint Handlespace Redundancy Protocol.
FAST_TRACK 14 Filesharing peer-to-peer protocol.
FINGER 15 User Information Protocol.
FREENET 16 Censorship resistant peer-to-peer network.
FTAM 17 File Transfer Access and Management.
GOPHER 18 Gopher protocol.
HL7 19 Health Level Seven.
H323 20 Packet-based multimedia communications system.
HTTP 2000 HTTP.
HTTPS 2001 HTTPS.
IRCP 21 Internet Relay Chat Protocol.
KADEMLIA 22 Peer-to-peer hashtables.
LDAP 23 Lightweight Directory Access Protocol.
LPD 24 Line Printer Daemon Protocol.
MIME 25 Multipurpose Internet Mail Extensions and Secure MIME.
MODBUS 26 Serial communications protocol.
MQTT 27 Message Queuing Telemetry Transport.
NETCONF 28 Network Configuration.
NFS 29 Network File System.
NIS 30 Network Information Service.
NNTP 31 Network News Transfer Protocol.
NTCIP 32 National Transportation Communications for Intelligent Transportation System Protocol.
NTP 33 Network Time Protocol.
OSCAR 34 AOL Instant Messenger Protocol.
PNRP 35 Peer Name Resolution Protocol.
QUIC 1000 QUIC.
RDP 36 Remote Desktop Protocol.
RELP 37 Reliable Event Logging Protocol.
RIP 38 Routing Information Protocol.
RLOGIN 39 Remote Login in UNIX Systems.
RPC 40 Remote Procedure Call.
RTMP 41 Real Time Messaging Protocol.
RTP 42 Real-time Transport Protocol.
RTPS 43 Real Time Publish Subscribe.
RTSP 44 Real Time Streaming Protocol.
SAP 45 Session Announcement Protocol.
SDP 46 Session Description Protocol.
SIP 47 Session Initiation Protocol.
SLP 48 Service Location Protocol.
SMB 49 Server Message Block.
SMTP 50 Simple Mail Transfer Protocol.
SNTP 51 Simple Network Time Protocol.
SSH 52 Secure Shell.
SSMS 53 Secure SMS Messaging Protocol.
STYX 54 Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
TCAP 55 Transaction Capabilities Application Part.
TDS 56 Tabular Data Stream.
TOR 57 Anonymity network.
TSP 58 Time Stamp Protocol.
VTP 59 Virtual Terminal Protocol.
WHOIS 60 Remote Directory Access Protocol.
WEB_DAV 61 Web Distributed Authoring and Versioning.
X400 62 Message Handling Service Protocol.
X500 63 Directory Access Protocol (DAP).
XMPP 64 Extensible Messaging and Presence Protocol.

network.direction

A network traffic direction.

Name Number Description
UNKNOWN_DIRECTION 0 The default direction.
INBOUND 1 An inbound request.
OUTBOUND 2 An outbound request.
BROADCAST 3 A broadcast.

network.ipprotocol

An IP protocol.

Name Number Description
UNKNOWN_IP_PROTOCOL 0 The default protocol.
ICMP 1 ICMP.
IGMP 2 IGMP.
TCP 6 TCP.
UDP 17 UDP.
IP6IN4 41 IPv6 Encapsulation.
GRE 47 Generic Routing Encapsulation.
ESP 50 Encapsulating Security Payload.
EIGRP 88 Enhanced Interior Gateway Routing.
ETHERIP 97 Ethernet-within-IP Encapsulation.
PIM 103 Protocol Independent Multicast.
VRRP 112 Virtual Router Redundancy Protocol.

noun.platform

The operating system platform.

Name Number Description
UNKNOWN_PLATFORM 0 The default value.
WINDOWS 1 Windows.
MAC 2 Mac OS.
LINUX 3 Linux.
GCP 4 DEPRECATED - See cloud.environment.
AWS 5 DEPRECATED - See cloud.environment.
AZURE 6 DEPRECATED - See cloud.environment.

permission.permissiontype

High level categorizations of permission type.

Name Number Description
UNKNOWN_PERMISSION_TYPE 0 Default permission type.
ADMIN_WRITE 1 Administrator write permission.
ADMIN_READ 2 Administrator read permission.
DATA_WRITE 3 Data resource access write permission.
DATA_READ 4 Data resource access read permission.

reputation

Categorization options for the usefulness of a Finding.

Name Number Description
REPUTATION_UNSPECIFIED 0 An unspecified reputation.
USEFUL 1 A categorization of the finding as useful.
NOT_USEFUL 2 A categorization of the finding as not useful.

resource.resourcetype

Name Number Description
UNSPECIFIED 0 Default type.
MUTEX 1 Mutex.
TASK 2 Task.
PIPE 3 Named pipe.
DEVICE 4 Device.
FIREWALL_RULE 5 Firewall rule.
VPC_NETWORK 7 VPC network.
VIRTUAL_MACHINE 8 Virtual machine.
STORAGE_BUCKET 9 Storage bucket.
STORAGE_OBJECT 10 Storage object.
DATABASE 11 Database.
TABLE 12 Data table.
CLOUD_PROJECT 13 Cloud project.
CLOUD_ORGANIZATION 14 Cloud organization.
SERVICE_ACCOUNT 15 Service account.
ACCESS_POLICY 16 Access policy.
CLUSTER 17 Cluster.
SETTING 18 Settings.

role.type

Well-known system roles.

Name Number Description
TYPE_UNSPECIFIED 0 Default user role.
ADMINISTRATOR 1 Product administrator with elevated privileges.
SERVICE_ACCOUNT 2 System service account for automated privilege access.

securityresult.action

Enum representing different possible actions taken by the product that created the event.

Name Number Description
UNKNOWN_ACTION 0 The default action.
ALLOW 1 Allowed.
BLOCK 2 Blocked.
ALLOW_WITH_MODIFICATION 3 Allowed after something was stripped or modified (e.g. a file or email was disinfected or rewritten and still forwarded).
QUARANTINE 4 Put somewhere for later analysis (does NOT imply block).

securityresult.alertstate

The type of alerting set up for a security result.

Name Number Description
UNSPECIFIED 0 The security result type is not known.
NOT_ALERTING 1 The security result is not an alert.
ALERTING 2 The security result is an alert.

securityresult.productconfidence

A level of confidence in the result.

Name Number Description
UNKNOWN_CONFIDENCE 0 The default confidence level.
LOW_CONFIDENCE 200 Low confidence.
MEDIUM_CONFIDENCE 300 Medium confidence.
HIGH_CONFIDENCE 400 High confidence.

securityresult.productpriority

A product priority level.

Name Number Description
UNKNOWN_PRIORITY 0 Default priority level.
LOW_PRIORITY 200 Low priority.
MEDIUM_PRIORITY 300 Medium priority.
HIGH_PRIORITY 400 High priority.

securityresult.productseverity

Severity as defined by the product.

Name Number Description
UNKNOWN_SEVERITY 0 The default severity level.
INFORMATIONAL 100 Info severity.
ERROR 150 An error.
LOW 200 Low-severity malicious result.
MEDIUM 300 Medium-severity malicious result.
HIGH 400 High-severity malicious result.
CRITICAL 500 Critical-severity malicious result.

securityresult.securitycategory

SecurityCategory is used to standardize security categories across products so one event is not categorized as "malware" and another as a "virus".

Name Number Description
UNKNOWN_CATEGORY 0 The default category.
SOFTWARE_MALICIOUS 10000 Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS 10100 Below the conviction threshold; probably bad.
SOFTWARE_PUA 10200 Potentially Unwanted App (adware, etc.).
NETWORK_MALICIOUS 20000 C&C, network exploit, etc.
NETWORK_SUSPICIOUS 20100 Suspicious activity, potential reverse tunnel, etc.
NETWORK_CATEGORIZED_CONTENT 20200 Non-security related: URL has category like gambling, porn, etc.
NETWORK_DENIAL_OF_SERVICE 20300 DoS, DDoS.
NETWORK_RECON 20400 Port scan detected by an IDS, probing of web app.
NETWORK_COMMAND_AND_CONTROL 20500 If we know this is a C&C channel.
ACL_VIOLATION 30000 Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION 40000 Authentication failed (e.g. bad password or bad 2-factor authentication).
EXPLOIT 50000 Exploit: for all manner of exploits, including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. Covers both network- and host-based exploits.
DATA_EXFILTRATION 60000 DLP: Sensitive data transmission, copy to thumb drive.
DATA_AT_REST 60100 DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION 60200 Attempt to destroy/delete data.
MAIL_SPAM 70000 Spam email, message, etc.
MAIL_PHISHING 70100 Phishing email, chat messages, etc.
MAIL_SPOOFING 70200 Spoofed source email address, etc.
POLICY_VIOLATION 80000 Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).

securityresult.threatstatus

Vendor-specific information about the status of a threat (ITW).

Name Number Description
THREAT_STATUS_UNSPECIFIED 0 Default threat status.
ACTIVE 1 Active threat.
CLEARED 2 Cleared threat.
FALSE_POSITIVE 3 False positive.

status

Describes status of a Finding.

Name Number Description
STATUS_UNSPECIFIED 0 Unspecified finding status.
NEW 1 New finding.
REVIEWED 2 When a finding has feedback.
CLOSED 3 When an analyst closes a finding.

user.role

User system roles.

Name Number Description
UNKNOWN_ROLE 0 Default user role.
ADMINISTRATOR 1 Product administrator with elevated privileges.
SERVICE_ACCOUNT 2 System service account for automated privilege access.

verdict

Categorization options for the validity of a Finding (i.e. whether it reflects an actual security incident).

Name Number Description
VERDICT_UNSPECIFIED 0 An unspecified verdict.
TRUE_POSITIVE 1 A categorization of the finding as a "true positive".
FALSE_POSITIVE 2 A categorization of the finding as a "false positive".

vulnerability.severity

Severity of the vulnerability.

Name Number Description
UNKNOWN_SEVERITY 0 The default severity level.
LOW 1 Low severity.
MEDIUM 2 Medium severity.
HIGH 3 High severity.
CRITICAL 4 Critical severity.

Datatypes

UDM datatypes and the equivalent types in other languages.

UDM Datatype | Notes | C++ | Java | Python | Go | C# | PHP | Ruby
double | | double | double | float | float64 | double | float | Float
float | | float | float | float | float32 | float | float | Float
int32 | Uses variable-length encoding. Inefficient for encoding negative numbers; if your field is likely to have negative values, use sint32 instead. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required)
int64 | Uses variable-length encoding. Inefficient for encoding negative numbers; if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | int64 | long | integer/string | Bignum
uint32 | Uses variable-length encoding. | uint32 | int | int/long | uint32 | uint | integer | Bignum or Fixnum (as required)
uint64 | Uses variable-length encoding. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum or Fixnum (as required)
sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required)
sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | int64 | long | integer/string | Bignum
fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int | uint32 | uint | integer | Bignum or Fixnum (as required)
fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum
sfixed32 | Always four bytes. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required)
sfixed64 | Always eight bytes. | int64 | long | int/long | int64 | long | integer/string | Bignum
bool | | bool | boolean | boolean | bool | bool | boolean | TrueClass/FalseClass
string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | string | string | string | String (UTF-8)
bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | []byte | ByteString | string | String (ASCII-8BIT)