Unified Data Model field list

This document lists all of the fields available in the Unified Data Model (UDM) schema. In rules engine evaluation the field path prefix is udm., while in a configuration-based normalizer (CBN) the prefix is event.idm.read_only_udm.

Population of Event metadata

The event metadata section for UDM events stores general information about each event.

Metadata.event_type

  • Purpose: Specifies the type of the event; if an event has multiple possible types, this value must specify the most specific type.
  • Required: Yes
  • Encoding: Must be one of the pre-defined UDM event_type enumerated types.
  • Possible Values: The following lists all of the possible values for event_type within the UDM.

Email events:

  • EMAIL_TRANSACTION
  • EMAIL_UNCATEGORIZED

File events performed on an endpoint:

  • FILE_UNCATEGORIZED
  • FILE_CREATION
  • FILE_DELETION
  • FILE_MODIFICATION
  • FILE_READ (for example, reading a password file)
  • FILE_COPY (for example, copying a file to a thumb drive)
  • FILE_OPEN (for example, opening a file might indicate a security breach)

Events that do not fall in any other category, including uncategorized Windows events.

  • GENERIC_EVENT

Mutex (mutual exclusion object) events:

  • MUTEX_UNCATEGORIZED
  • MUTEX_CREATION

Network telemetry, including raw protocol payloads (such as DHCP and DNS), protocol summaries for protocols such as HTTP, SMTP, and FTP, and flow and connection events from NetFlow and firewalls.

  • NETWORK_UNCATEGORIZED
  • NETWORK_FLOW (for example, aggregated flow statistics from Netflow)
  • NETWORK_CONNECTION (for example, network connection details from a firewall)
  • NETWORK_FTP
  • NETWORK_DHCP
  • NETWORK_DNS
  • NETWORK_HTTP
  • NETWORK_SMTP

Any events pertaining to a process such as a process launch, a process creating something malicious, a process injecting into another process, a change of a registry key, creating a malicious file on disk, etc.

  • PROCESS_INJECTION
  • PROCESS_LAUNCH
  • PROCESS_MODULE_LOAD
  • PROCESS_OPEN
  • PROCESS_PRIVILEGE_ESCALATION
  • PROCESS_TERMINATION
  • PROCESS_UNCATEGORIZED

Use the REGISTRY events rather than the SETTING events when dealing with Microsoft Windows-specific registry events:

  • REGISTRY_UNCATEGORIZED
  • REGISTRY_CREATION
  • REGISTRY_MODIFICATION
  • REGISTRY_DELETION

Scan-oriented events. Includes on-demand scans and behavioral detections performed by endpoint security products (EDR, AV, DLP). Only used when attaching a SecurityResult to another event type (such as PROCESS_LAUNCH).

  • SCAN_UNCATEGORIZED
  • SCAN_FILE
  • SCAN_HOST
  • SCAN_PROCESS
  • SCAN_VULN_HOST
  • SCAN_VULN_NETWORK

Scheduled tasks events (Windows Task Scheduler, cron, etc.):

  • SCHEDULED_TASK_UNCATEGORIZED
  • SCHEDULED_TASK_CREATION
  • SCHEDULED_TASK_DELETION
  • SCHEDULED_TASK_ENABLE
  • SCHEDULED_TASK_DISABLE
  • SCHEDULED_TASK_MODIFICATION

Service events:

  • SERVICE_UNSPECIFIED
  • SERVICE_CREATION
  • SERVICE_DELETION
  • SERVICE_START
  • SERVICE_STOP

Setting events, including when a system setting is changed on an endpoint.

  • SETTING_UNCATEGORIZED
  • SETTING_CREATION
  • SETTING_MODIFICATION
  • SETTING_DELETION

Status messages from security products to indicate that agents are alive and to send version, fingerprint, or other types of data.

  • STATUS_UNCATEGORIZED
  • STATUS_HEARTBEAT (indicates product is alive)
  • STATUS_STARTUP
  • STATUS_SHUTDOWN
  • STATUS_UPDATE (software or fingerprint update)

System audit log events:

  • SYSTEM_AUDIT_LOG_UNCATEGORIZED
  • SYSTEM_AUDIT_LOG_WIPE

User authentication activity events:

  • USER_UNCATEGORIZED
  • USER_BADGE_IN (for example, when a user physically badges in to a site)
  • USER_CHANGE_PASSWORD
  • USER_CHANGE_PERMISSIONS
  • USER_COMMUNICATION
  • USER_CREATION
  • USER_DELETION
  • USER_LOGIN
  • USER_LOGOUT
  • USER_RESOURCE_ACCESS
  • USER_RESOURCE_CREATION
  • USER_RESOURCE_DELETION
  • USER_RESOURCE_UPDATE_CONTENT
  • USER_RESOURCE_UPDATE_PERMISSIONS

Metadata.collected_timestamp

  • Purpose: Encodes the GMT timestamp when the event was collected by the vendor's local collection infrastructure.
  • Encoding: RFC 3339, as appropriate for JSON or Proto3 timestamp format.
  • Example:
    • RFC 3339: '2019-09-10T20:32:31-08:00'
    • Proto3 format: '2012-04-23T18:25:43.511Z'

Metadata.event_timestamp

  • Purpose: Encodes the GMT timestamp when the event was generated.
  • Required: Yes
  • Encoding: RFC 3339, as appropriate for JSON or Proto3 timestamp format.
  • Example:
    • RFC 3339: 2019-09-10T20:32:31-08:00
    • Proto3 format: 2012-04-23T18:25:43.511Z

Metadata.description

  • Purpose: Human-readable description of the event.
  • Encoding: Alpha-numeric string, punctuation allowed, 1024 bytes maximum
  • Example: File c:\bar\foo.exe blocked from accessing sensitive document c:\documents\earnings.docx.

Metadata.product_event_type

  • Purpose: Short, descriptive, human-readable, and product-specific event name or type.
  • Encoding: Alpha-numeric string, punctuation allowed, 64 bytes maximum.
  • Examples:
    • Registry Creation Event
    • ProcessRollUp
    • Privilege Escalation Detected
    • Malware blocked

Metadata.product_log_id

  • Purpose: Encodes a vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
  • Encoding: Case-sensitive, alphanumeric string, punctuation allowed, 256 bytes maximum.
  • Example: ABcd1234-98766

Metadata.product_name

  • Purpose: Specifies the name of the product.
  • Encoding: Case-sensitive, alphanumeric string, punctuation allowed, 256 bytes maximum.
  • Examples:
    • Falcon
    • Symantec Endpoint Protection

Metadata.product_version

  • Purpose: Specifies the version of the product.
  • Encoding: Alphanumeric string, periods and dashes allowed, 32 bytes maximum
  • Examples:
    • 1.2.3b
    • 10.3:rev1

Metadata.url_back_to_product

  • Purpose: URL linking to a relevant website where you can view more information about this specific event (or the general event category).
  • Encoding: Valid RFC 3986 URL with optional parameters such as port information, etc. Must have a protocol prefix before the URL (for example, https:// or http://).
  • Example: https://newco.altostrat.com:8080/event_info?event_id=12345

Metadata.vendor_name

  • Purpose: Specifies the product vendor's name.
  • Encoding: Case-sensitive, alphanumeric string, punctuation allowed, 256 bytes maximum
  • Examples:
    • CrowdStrike
    • Symantec

Population of Noun metadata

In this section, the word Noun is an overarching term for the entities principal, src, target, intermediary, observer, and about. These entities share common attributes but represent different objects in an event. For more information about entities and what each represents in an event, see Formatting log data as UDM.

Noun.asset_id

  • Purpose: Vendor-specific unique device identifier (for example, a GUID that is generated when installing endpoint security software on a new device that is used to track that unique device over time).
  • Encoding: VendorName.ProductName:ID, where VendorName is a case-insensitive vendor name such as "Carbon Black", ProductName is a case-insensitive product name such as "Response" or "Endpoint Protection", and ID is a vendor-specific identifier that is globally unique within the customer's environment (for example, a GUID or other value identifying a single device). VendorName and ProductName are alphanumeric and no more than 32 characters long. ID can be a maximum of 128 characters and can include alphanumeric characters, dashes, and periods.
  • Example: CrowdStrike.Falcon:0bce4259-4ada-48f3-a904-9a526b01311f

Noun.email

  • Purpose: Email address
  • Encoding: Standard email address format.
  • Example: johns@test.altostrat.com

Noun.file

  • Purpose: File details for this entity (path, hashes, size, and so on).
  • Encoding: File (see Population of File metadata).

Noun.hostname

  • Purpose: Client hostname or domain name field. Do not include if a URL is present.
  • Encoding: Valid RFC 1123 hostname.
  • Examples:
    • userwin10
    • www.altostrat.com

Noun.platform

  • Purpose: Platform operating system.
  • Encoding: Enum
  • Possible Values:
    • LINUX
    • MAC
    • WINDOWS
    • UNKNOWN_PLATFORM

Noun.platform_patch_level

  • Purpose: Platform operating system patch level.
  • Encoding: Alphanumeric string with punctuation, 64 characters maximum.
  • Example: Build 17134.48

Noun.platform_version

  • Purpose: Platform operating system version.
  • Encoding: Alphanumeric string with punctuation, 64 characters maximum.
  • Example: Microsoft Windows 10 version 1803

Noun.process

  • Purpose: Process details for this entity (command line, PID, parent process, and so on).
  • Encoding: Process (see Population of Process metadata).

Noun.ip

  • Purpose:
    • Single IP address associated with a network connection.
    • One or more IP addresses associated with a participant device at the time of the event (for example, if an EDR product knows all of the IP addresses associated with a device, it can encode all of these within IP fields).
  • Encoding: Valid IPv4 or IPv6 address (RFC 5942) encoded in ASCII.
  • Repeatability:
    • If an event is describing a specific network connection (for example, srcip:srcport > dstip:dstport), the vendor must provide only a single IP address.
    • If an event is describing general activity occurring on a participant device but not a specific network connection, the vendor might provide all of the associated IP addresses for the device at the time of the event.
  • Examples:
    • 192.168.1.2
    • 2001:db8:1:3::1

Noun.port

  • Purpose: Source or destination network port number when a specific network connection is described within an event.
  • Encoding: Valid TCP/IP port number from 1 through 65,535.
  • Examples:

    • 80
    • 443

Noun.mac

  • Purpose: One or more MAC addresses associated with a device.
  • Encoding: Valid MAC address (EUI-48) in ASCII.
  • Repeatability: Vendor might provide all of the associated MAC addresses for the device at the time of the event.
  • Examples:
    • 00:a0:c9:14:c8:29
    • 00:1b:21:3c:4d:5e

Noun.administrative_domain

  • Purpose: Domain which the device belongs to (for example, the Windows domain).
  • Encoding: Valid domain name string (128 characters maximum).
  • Example: corp.altostrat.com

Noun.registry

  • Purpose: Windows registry details for this entity (key, value name, value data).
  • Encoding: Registry (see Population of Registry metadata).

Noun.url

  • Purpose: Standard URL
  • Encoding: URL (RFC 3986). Must have a valid protocol prefix (for example, https:// or ftp://). Must include the full domain and path. Might include the URL's parameters.
  • Example: https://foo.altostrat.com/bletch?a=b;c=d

Noun.user

  • Purpose: User details for this entity (user ID, display name, SID, and so on).
  • Encoding: User (see Population of User metadata).
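The encoding rules stated above for the Metadata fields (the event_type enumeration, RFC 3339 timestamps, byte limits on the string fields, a scheme prefix on url_back_to_product) and for the Noun fields (the VendorName.ProductName:ID form of asset_id, RFC 1123 hostnames, no hostname when a url is present, one IP address when a port is given, EUI-48 MAC addresses) are the ones a parser most often gets wrong. The following Python is an added example and not Chronicle's own code: it checks an event dictionary against those rules before the event is shipped. The dictionary layout (top-level metadata and noun keys mirroring the udm. paths), the reading of the repeatability rule as "a port implies exactly one IP", and the sample firewall event are assumptions made for this example.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# Metadata.event_type enumeration as listed on this page.
EVENT_TYPES = frozenset("""
EMAIL_TRANSACTION EMAIL_UNCATEGORIZED FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION
FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN GENERIC_EVENT MUTEX_UNCATEGORIZED
MUTEX_CREATION NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP
NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP PROCESS_INJECTION PROCESS_LAUNCH
PROCESS_MODULE_LOAD PROCESS_OPEN PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION
PROCESS_UNCATEGORIZED REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION
REGISTRY_DELETION SCAN_UNCATEGORIZED SCAN_FILE SCAN_HOST SCAN_PROCESS SCAN_VULN_HOST
SCAN_VULN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION
SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SERVICE_UNSPECIFIED
SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SETTING_UNCATEGORIZED
SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION STATUS_UNCATEGORIZED STATUS_HEARTBEAT
STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE
USER_UNCATEGORIZED USER_BADGE_IN USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_COMMUNICATION
USER_CREATION USER_DELETION USER_LOGIN USER_LOGOUT USER_RESOURCE_ACCESS USER_RESOURCE_CREATION
USER_RESOURCE_DELETION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS
""".split())
NOUNS = ("principal", "src", "target", "intermediary", "observer", "about")
# Byte limits stated for the Metadata string fields (UTF-8 encoded length).
LIMITS = {"description": 1024, "product_event_type": 64, "product_log_id": 256,
          "product_name": 256, "product_version": 32, "vendor_name": 256}
# VendorName.ProductName:ID; names may contain spaces ("Carbon Black"), ID may use - and .
ASSET_ID_RE = re.compile(r"^[A-Za-z0-9 ]{1,32}\.[A-Za-z0-9 ]{1,32}:[A-Za-z0-9.-]{1,128}$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"  # one RFC 1123 label
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)" + LABEL + r"(?:\." + LABEL + r")*$")
MAC48_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


def is_rfc3339(value):
    """RFC 3339 / proto3 Timestamp text: parseable and carrying a UTC offset or Z."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except (ValueError, AttributeError):
        return False


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_metadata(meta):
    problems = []
    if meta.get("event_type") not in EVENT_TYPES:
        problems.append("metadata.event_type: missing or not a UDM event_type")
    if not is_rfc3339(meta.get("event_timestamp", "")):
        problems.append("metadata.event_timestamp: required RFC 3339 timestamp")
    if "collected_timestamp" in meta and not is_rfc3339(meta["collected_timestamp"]):
        problems.append("metadata.collected_timestamp: not RFC 3339")
    for field, limit in LIMITS.items():
        if len(meta.get(field, "").encode("utf-8")) > limit:
            problems.append(f"metadata.{field}: exceeds {limit} bytes")
    url = meta.get("url_back_to_product")
    if url is not None and not (urlsplit(url).scheme and urlsplit(url).netloc):
        problems.append("metadata.url_back_to_product: needs a scheme:// prefix")
    return problems


def check_noun(name, noun):
    problems = []
    if "asset_id" in noun and not ASSET_ID_RE.match(noun["asset_id"]):
        problems.append(f"{name}.asset_id: expected VendorName.ProductName:ID")
    if "hostname" in noun and not HOSTNAME_RE.match(noun["hostname"]):
        problems.append(f"{name}.hostname: not a valid RFC 1123 hostname")
    if "hostname" in noun and "url" in noun:
        problems.append(f"{name}.hostname: omit when url is present")
    ips = noun.get("ip", [])
    problems += [f"{name}.ip: {ip!r} is not IPv4/IPv6" for ip in ips if not is_ip(ip)]
    port = noun.get("port")
    if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
        problems.append(f"{name}.port: must be 1..65535")
    elif port is not None and len(ips) != 1:
        # A port means a specific connection, so exactly one IP is allowed (assumption).
        problems.append(f"{name}.ip: exactly one address for a connection")
    problems += [f"{name}.mac: {m!r} is not EUI-48" for m in noun.get("mac", [])
                 if not MAC48_RE.match(m)]
    return problems


def validate_event(event):
    """Return the list of violations; an empty list means the event passes."""
    problems = check_metadata(event.get("metadata", {}))
    for name in NOUNS:
        problems += check_noun(name, event.get(name, {}))
    return problems


def example_event():
    """Constructed sample (not a real log): a firewall connection event."""
    return {
        "metadata": {"event_type": "NETWORK_CONNECTION",
                     "event_timestamp": "2019-09-10T20:32:31-08:00",
                     "collected_timestamp": "2012-04-23T18:25:43.511Z",
                     "vendor_name": "ExampleCo", "product_name": "Example Firewall",
                     "product_log_id": "ABcd1234-98766",
                     "url_back_to_product": "https://newco.altostrat.com:8080/event_info?event_id=12345"},
        "principal": {"ip": ["192.168.1.2"], "port": 51234, "mac": ["00:a0:c9:14:c8:29"],
                      "asset_id": "CrowdStrike.Falcon:0bce4259-4ada-48f3-a904-9a526b01311f"},
        "target": {"ip": ["2001:db8:1:3::1"], "port": 443, "hostname": "www.altostrat.com"},
    }
```

Run validate_event on each normalized event in a parser's test fixtures; a non-empty list names the field and the rule it breaks, which is far cheaper to fix before ingestion than after a rule silently fails to match.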

Population of Authentication metadata

Authentication.AuthType

  • Purpose: Type of system an authentication event is associated with.
  • Encoding: Enumerated type.
  • Possible Values:
    • AUTHTYPE_UNSPECIFIED
    • MACHINE—Machine authentication
    • PHYSICAL—Physical authentication (for example, a badge reader)
    • SSO
    • TACACS—TACACS family protocol for authentication of networked systems (for example, TACACS or TACACS+)
    • VPN

Authentication.Authentication_Status

  • Purpose: Describes the authentication status of a user or specific credential.
  • Encoding: Enumerated type.
  • Possible Values:
    • UNKNOWN_AUTHENTICATION_STATUS—Default authentication status
    • ACTIVE—Authentication method is in an active state
    • SUSPENDED—Authentication method is in a suspended or disabled state
    • DELETED—Authentication method has been deleted
    • NO_ACTIVE_CREDENTIALS—Authentication method has no active credentials.

Authentication.auth_details

  • Purpose: Vendor-defined authentication details.
  • Encoding: String.

Authentication.Mechanism

  • Purpose: Mechanism(s) used for authentication.
  • Encoding: Enumerated type.
  • Possible Values:
    • MECHANISM_UNSPECIFIED—Default authentication mechanism.
    • BADGE_READER
    • BATCH—Batch authentication.
    • CACHED_INTERACTIVE—Interactive authentication using cached credentials.
    • HARDWARE_KEY
    • LOCAL
    • MECHANISM_OTHER—Some other mechanism that is not defined here.
    • NETWORK—Network authentication.
    • NETWORK_CLEAR_TEXT—Network clear text authentication.
    • NEW_CREDENTIALS—Authentication with new credentials.
    • OTP
    • REMOTE—Remote authentication
    • REMOTE_INTERACTIVE—RDP, terminal services, Virtual Network Computing (VNC), etc.
    • SERVICE—Service authentication.
    • UNLOCK—Direct human-interactive unlock authentication.
    • USERNAME_PASSWORD

Population of DHCP metadata

The Dynamic Host Configuration Protocol (DHCP) metadata fields capture DHCP network management protocol log information.

Dhcp.client_hostname

  • Purpose: Hostname for the client. See RFC 2132, DHCP Options and BOOTP Vendor Extensions, for more information.
  • Encoding: String.

Dhcp.client_identifier

  • Purpose: Client identifier. See RFC 2132, DHCP Options and BOOTP Vendor Extensions, for more information.
  • Encoding: Bytes.

Dhcp.file

  • Purpose: Filename for the boot image.
  • Encoding: String.

Dhcp.flags

  • Purpose: Value for the DHCP flags field.
  • Encoding: 32-bit unsigned integer.

Dhcp.hlen

  • Purpose: Hardware address length.
  • Encoding: 32-bit unsigned integer.

Dhcp.hops

  • Purpose: DHCP hop count.
  • Encoding: 32-bit unsigned integer.

Dhcp.htype

  • Purpose: Hardware address type.
  • Encoding: 32-bit unsigned integer.

Dhcp.lease_time_seconds

  • Purpose: Client-requested lease time for an IP address in seconds. See RFC 2132, DHCP Options and BOOTP Vendor Extensions, for more information.
  • Encoding: 32-bit unsigned integer.

Dhcp.opcode

  • Purpose: BOOTP op code (see section 3 of RFC 951).
  • Encoding: Enumerated type.
  • Possible Values:
    • UNKNOWN_OPCODE
    • BOOTREQUEST
    • BOOTREPLY

Dhcp.requested_address

  • Purpose: IP address requested by the client (DHCP option 50). See RFC 2132, DHCP Options and BOOTP Vendor Extensions, for more information.
  • Encoding: Valid IPv4 or IPv6 address (RFC 5942) encoded in ASCII.

Dhcp.seconds

  • Purpose: Seconds elapsed since the client began the address acquisition/renewal process.
  • Encoding: 32-bit unsigned integer.

Dhcp.sname

  • Purpose: Name of the server which the client has requested to boot from.
  • Encoding: String.

Dhcp.transaction_id

  • Purpose: Client transaction ID.
  • Encoding: 32-bit unsigned integer.

Dhcp.type

  • Purpose: DHCP message type. See RFC 1533 for more information.
  • Encoding: Enumerated type.
  • Possible values:
    • UNKNOWN_MESSAGE_TYPE
    • DISCOVER
    • OFFER
    • REQUEST
    • DECLINE
    • ACK
    • NAK
    • RELEASE
    • INFORM
    • WIN_DELETED
    • WIN_EXPIRED

Dhcp.chaddr

  • Purpose: Client hardware address (the chaddr field of the BOOTP header), for example the client's MAC address.
  • Encoding: Hardware address in ASCII (for example, 00:a0:c9:14:c8:29).

Dhcp.ciaddr

  • Purpose: IP address for the client.
  • Encoding: Valid IPv4 or IPv6 address (RFC 5942) encoded in ASCII.

Dhcp.giaddr

  • Purpose: IP address for the relay agent.
  • Encoding: Valid IPv4 or IPv6 address (RFC 5942) encoded in ASCII.

Dhcp.siaddr

  • Purpose: IP address for the next bootstrap server.
  • Encoding: Valid IPv4 or IPv6 address (RFC 5942) encoded in ASCII.

Dhcp.yiaddr

  • Purpose: "Your" (client) IP address: the address the server assigns to the client in an OFFER or ACK.
  • Encoding: Valid IPv4 or IPv6 address (RFC 5942) encoded in ASCII.

Population of DHCP Option metadata

The DHCP option metadata fields capture the DHCP option log information.

Option.code

  • Purpose: Stores the DHCP option code. See RFC 1533, DHCP Options and BOOTP Vendor Extensions, for more information.
  • Encoding: Unsigned 32-bit integer.

Option.data

  • Purpose: Stores the DHCP option data. See RFC 1533, DHCP Options and BOOTP Vendor Extensions, for more information.
  • Encoding: Bytes.
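To show how the Dhcp.* fields above and the Option.* fields line up with the wire format, here is an added Python example (not Chronicle's code) that parses a raw DHCP datagram payload per RFC 2131 and RFC 2132 into a dictionary keyed by those field names. It fills chaddr from the hardware-address field, maps option 53 onto Dhcp.type, and lifts options 50, 51, 12 and 61 into requested_address, lease_time_seconds, client_hostname and client_identifier while keeping every option as an Option.code/Option.data pair. The DHCPREQUEST it parses is constructed inline, and the dictionary shape is an assumption of this example.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP header (RFC 951 / RFC 2131 section 2): 236 bytes before the options.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
OPCODES = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
# Option 53 values (RFC 2132 section 9.6) to the Dhcp.type enumeration.
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(blob):
    """Return [(code, data)] from the TLV option area; stops at END (255)."""
    options, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:            # PAD has no length byte
            i += 1
            continue
        length = blob[i + 1]
        options.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return options


def dhcp_to_udm(packet):
    """Map one DHCP datagram payload to the Dhcp.* and Option.* fields."""
    fields = HEADER.unpack_from(packet)
    op, htype, hlen, hops, xid, secs, flags = fields[:7]
    ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, bootfile = fields[7:]
    if packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = parse_options(packet[HEADER.size + 4:])
    dhcp = {
        "opcode": OPCODES.get(op, "UNKNOWN_OPCODE"),
        "htype": htype, "hlen": hlen, "hops": hops, "transaction_id": xid,
        "seconds": secs, "flags": flags,
        "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr), "giaddr": socket.inet_ntoa(giaddr),
        # chaddr is the client hardware address: hlen bytes of the 16-byte field.
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "sname": sname.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": bootfile.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "type": "UNKNOWN_MESSAGE_TYPE",
        "options": [{"code": code, "data": data} for code, data in options],
    }
    for code, data in options:
        if code == 53 and len(data) == 1:
            dhcp["type"] = MESSAGE_TYPES.get(data[0], "UNKNOWN_MESSAGE_TYPE")
        elif code == 12:
            dhcp["client_hostname"] = data.decode("ascii", "replace")
        elif code == 50 and len(data) == 4:
            dhcp["requested_address"] = socket.inet_ntoa(data)
        elif code == 51 and len(data) == 4:
            dhcp["lease_time_seconds"] = struct.unpack("!I", data)[0]
        elif code == 61:
            dhcp["client_identifier"] = data
    return dhcp


def build_sample_request():
    """Constructed DHCPREQUEST from 00:a0:c9:14:c8:29 asking for 192.168.1.2."""
    mac = bytes.fromhex("00a0c914c829")
    header = HEADER.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000,   # BOOTREQUEST, broadcast flag
                         bytes(4), bytes(4), bytes(4), bytes(4),
                         mac + bytes(10), bytes(64), bytes(128))
    options = (b"\x35\x01\x03"                                  # 53: DHCPREQUEST
               + b"\x32\x04" + socket.inet_aton("192.168.1.2")  # 50: requested IP
               + b"\x33\x04" + struct.pack("!I", 86400)         # 51: lease time
               + b"\x0c\x09" + b"userwin10"                     # 12: hostname
               + b"\x3d\x07\x01" + mac                          # 61: client id
               + b"\xff")                                       # END
    return header + MAGIC_COOKIE + options
```

Feed dhcp_to_udm the UDP payload captured from port 67/68; the htype/hlen pair decides how many chaddr bytes are meaningful, which is why the parser slices chaddr by hlen rather than assuming six bytes.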

Population of DNS metadata

The DNS metadata fields capture information related to DNS request and response packets. They have a one-to-one correspondence to the data found in DNS request and response datagrams.

Dns.authoritative

  • Purpose: Set to true for authoritative DNS servers.
  • Encoding: Boolean.

Dns.id

  • Purpose: Stores the DNS query identifier.
  • Encoding: 32-bit integer.

Dns.response

  • Purpose: Set to true if the event is a DNS response.
  • Encoding: Boolean.

Dns.opcode

  • Purpose: Stores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
  • Encoding: 32-bit integer.

Dns.recursion_available

  • Purpose: Set to true if a recursive DNS lookup is available.
  • Encoding: Boolean.

Dns.recursion_desired

  • Purpose: Set to true if a recursive DNS lookup is requested.
  • Encoding: Boolean.

Dns.response_code

  • Purpose: Stores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
  • Encoding: 32-bit integer.

Dns.truncated

  • Purpose: Set to true if this is a truncated DNS response.
  • Encoding: Boolean.

Dns.questions

  • Purpose: The question section of the message, one entry per question.
  • Encoding: Repeated Question (see Population of DNS Question metadata).

Dns.answers

  • Purpose: The answer section of the message.
  • Encoding: Repeated ResourceRecord (see Population of DNS Resource Record metadata).

Dns.authority

  • Purpose: The authority section of the message.
  • Encoding: Repeated ResourceRecord (see Population of DNS Resource Record metadata).

Dns.additional

  • Purpose: The additional section of the message.
  • Encoding: Repeated ResourceRecord (see Population of DNS Resource Record metadata).

Population of DNS Question metadata

The DNS question metadata fields capture the information contained within the question section of a domain protocol message.

Question.name

  • Purpose: Stores the domain name.
  • Encoding: String.

Question.class

  • Purpose: Stores the code specifying the class of the query.
  • Encoding: 32-bit integer.

Question.type

  • Purpose: Stores the code specifying the type of the query.
  • Encoding: 32-bit integer.

Population of DNS Resource Record metadata

The DNS resource record metadata fields capture the information contained within the resource record of a domain protocol message.

ResourceRecord.binary_data

  • Purpose: Stores the raw bytes of a DNS response payload that is not valid UTF-8. Use this field only when the data returned by the DNS server contains non-UTF-8 bytes; otherwise put the response in ResourceRecord.data.
  • Encoding: Bytes.

ResourceRecord.class

  • Purpose: Stores the code specifying the class of the resource record.
  • Encoding: 32-bit integer.

ResourceRecord.data

  • Purpose: Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. For example, the data field could return the IP address of the machine that the domain name refers to. If the resource record is for a different type or class, it might contain another domain name (when one domain name is redirected to another domain name). Data must be stored just as it is in the DNS response.
  • Encoding: String.

ResourceRecord.name

  • Purpose: Stores the name of the owner of the resource record.
  • Encoding: String.

ResourceRecord.ttl

  • Purpose: Stores the time interval for which the resource record can be cached before the source of the information should again be queried.
  • Encoding: 32-bit integer.

ResourceRecord.type

  • Purpose: Stores the code specifying the type of the resource record.
  • Encoding: 32-bit integer.
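The Dns.*, Question.* and ResourceRecord.* fields above map one-to-one onto the DNS message header, question section and resource records of RFC 1035. The following Python is an added example, not Chronicle's code, that parses a raw DNS datagram into those fields: it unpacks the header flag bits into the boolean fields, decodes compressed names (with a hop limit so a malicious pointer loop cannot hang the parser), renders A, AAAA and name-typed records into ResourceRecord.data, and routes any payload that is not valid UTF-8 into binary_data as the page requires. The authoritative response it parses is constructed inline; the dictionary shape is an assumption of this example.

```python
import socket
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def read_name(msg, offset):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # 11xxxxxx: pointer into the message
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:                # the caller resumes after the first pointer
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def read_rr(msg, offset):
    """One resource record into ResourceRecord.* fields."""
    name, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    rdata = msg[offset:offset + rdlength]
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
    if rtype == 1 and rdlength == 4:            # A
        rr["data"] = socket.inet_ntoa(rdata)
    elif rtype == 28 and rdlength == 16:        # AAAA
        rr["data"] = socket.inet_ntop(socket.AF_INET6, rdata)
    elif rtype in (2, 5, 12):                   # NS, CNAME, PTR: a compressible name
        rr["data"] = read_name(msg, offset)[0]
    else:
        try:                                    # UTF-8 payloads stay in data ...
            rr["data"] = rdata.decode("utf-8")
        except UnicodeDecodeError:              # ... anything else goes to binary_data
            rr["binary_data"] = rdata
    return rr, offset + rdlength


def dns_to_udm(msg):
    """Map one DNS datagram to the Dns.*, Question.* and ResourceRecord.* fields."""
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    dns = {
        "id": ident,
        "response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "response_code": flags & 0xF,
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    offset = HEADER.size
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        dns["questions"].append({"name": name, "type": qtype, "class": qclass})
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, offset = read_rr(msg, offset)
            dns[section].append(rr)
    return dns


def build_sample_response():
    """Constructed authoritative reply: www.altostrat.com CNAME web.altostrat.com,
    then web.altostrat.com A 192.0.2.10, with both answer names compressed."""
    header = HEADER.pack(0x1A2B, 0x8580, 1, 2, 0, 0)   # QR, AA, RD, RA set; rcode 0
    question = b"\x03www\x09altostrat\x03com\x00" + struct.pack("!HH", 1, 1)
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 6) + b"\x03web\xc0\x10"
    a = b"\xc0\x2f" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    return header + question + cname + a
```

Note that the CNAME answer's data is itself a compressed name ("web" followed by a pointer back into the question), so a parser that copies rdata verbatim into ResourceRecord.data would store two bytes of pointer rather than a domain name; name-typed records must be decoded in the context of the whole message.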

Population of Email metadata

Most of the Email Metadata fields capture the email addresses included in the message header and should conform to the standard email address format (local-mailbox@domain) as defined in RFC 5322. For example, frank@email.example.com.

Email.from

  • Purpose: Stores the from email address.
  • Encoding: String.

Email.reply_to

  • Purpose: Stores the reply_to email address.
  • Encoding: String.

Email.to

  • Purpose: Stores the to email addresses.
  • Encoding: String.

Email.cc

  • Purpose: Stores the cc email addresses.
  • Encoding: String.

Email.bcc

  • Purpose: Stores the bcc email addresses.
  • Encoding: String.

Email.mail_id

  • Purpose: Stores the mail (or message) id.
  • Encoding: String.
  • Example: 192544.132632@email.example.com

Email.subject

  • Purpose: Stores the email subject line.
  • Encoding: String.
  • Example: "Please read this message."
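As an added example that is not part of this page or of Chronicle's code, the Python below maps the RFC 5322 headers of a message onto the Email.* fields listed above using the standard library's header parser: every address header becomes a list of bare addr-specs, and Message-ID is stored without its angle brackets. It also carries a small check for the spoofing trick of putting a different address in the From display name; that heuristic is this example's own, not a UDM rule. The two messages are constructed, and the dictionary shape is an assumption.

```python
from email import message_from_string
from email.policy import default as HEADER_POLICY


def addresses(msg, header):
    """Every addr-spec in an address header ([] when the header is absent)."""
    value = msg[header]
    return [a.addr_spec for a in value.addresses] if value is not None else []


def email_to_udm(raw_message):
    """Map the RFC 5322 headers of one message onto the Email.* fields."""
    msg = message_from_string(raw_message, policy=HEADER_POLICY)
    return {
        "from": (addresses(msg, "From") or [""])[0],
        "reply_to": (addresses(msg, "Reply-To") or [""])[0],
        "to": addresses(msg, "To"),
        "cc": addresses(msg, "Cc"),
        "bcc": addresses(msg, "Bcc"),
        # Message-ID is stored without the surrounding angle brackets.
        "mail_id": str(msg["Message-ID"] or "").strip().strip("<>"),
        "subject": str(msg["Subject"] or ""),
    }


def from_display_name_spoof(raw_message):
    """Phishing tell: the From display name itself looks like an address that
    differs from the real addr-spec, e.g. "ceo@corp.example" <x@evil.example>.
    This heuristic is the example's own, not a UDM rule."""
    msg = message_from_string(raw_message, policy=HEADER_POLICY)
    sender = msg["From"]
    for addr in (sender.addresses if sender is not None else ()):
        shown = addr.display_name.strip().strip('"').lower()
        if "@" in shown and shown != addr.addr_spec.lower():
            return True
    return False


# Constructed messages, not real captures.
SAMPLE_MESSAGE = """\
From: Frank Example <frank@email.example.com>
Reply-To: Support Desk <support@email.example.com>
To: "Locke, John" <johnlocke@company.example.com>, jcheng@company.example.com
Cc: hr@company.example.com
Message-ID: <192544.132632@email.example.com>
Subject: Please read this message.

Body text.
"""

SPOOFED_FROM = 'From: "ceo@company.example.com" <attacker@mail.example.net>\n\nhi\n'
```

The addr-spec, not the display name, is what belongs in Email.from; a rule keyed on the display name would be matched by the spoofed message above while the real sender sits in a different domain.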

Population of Extensions metadata

Event types with first-class metadata that are not already categorized by the Chronicle UDM.

Extensions.auth

  • Purpose: Extension to the authentication metadata.
  • Encoding: String.
  • Examples:
    • Sandbox metadata (all behaviors exhibited by a file, for example, FireEye).
    • Network Access Control (NAC) data.
    • LDAP details about a user (for example, role, organization, etc.).

Extensions.auth.auth_details

  • Purpose: Specify the vendor-specific details for the authentication type or mechanism. Authentication providers often define types such as via_mfa or via_ad that carry useful information about how the user authenticated. These types can still be generalized into auth.type or auth.mechanism for usability and cross-dataset rule compatibility.
  • Encoding: String.
  • Examples: via_mfa, via_ad.

Extensions.vulns

  • Purpose: Extension to the vulnerability metadata.
  • Encoding: String.
  • Example:
    • Host vulnerability scan data.

Population of File metadata

File.file_metadata

  • Purpose: Metadata associated with the file.
  • Encoding: String.
  • Examples:
    • Author
    • Revision number
    • Version number
    • Date last saved

File.full_path

  • Purpose: Full path identifying the location of the file on the system.
  • Encoding: String.
  • Example: \Program Files\Custom Utilities\Test.exe

File.md5

  • Purpose: MD5 hash value for the file.
  • Encoding: String, lower-case hexadecimal.
  • Example: 35bf623e7db9bf0d68d0dda764fd9e8c

File.mime_type

  • Purpose: Multipurpose Internet Mail Extensions (MIME) type for the file.
  • Encoding: String.
  • Examples:
    • PE
    • PDF
    • powershell script

File.sha1

  • Purpose: SHA-1 hash value for the file.
  • Encoding: String, lower-case hexadecimal.
  • Example: eb3520d53b45815912f2391b713011453ed8abcf

File.sha256

  • Purpose: SHA-256 hash value for the file.
  • Encoding: String, lower-case hexadecimal.
  • Example:
    • d7173c568b8985e61b4050f81b3fd8e75bc922d2a0843d7079c81ca4b6e36417

File.size

  • Purpose: Size of the file.
  • Encoding: 64-bit unsigned integer.
  • Example: 342135.

Population of FTP metadata

Ftp.command

  • Purpose: Stores the FTP command.
  • Encoding: String.
  • Examples:
    • binary
    • delete
    • get
    • put

Population of Group metadata

Information about an organizational group.

Group.creation_time

  • Purpose: Group creation time.
  • Encoding: RFC 3339, as appropriate for JSON or Proto3 timestamp format.

Group.email_addresses

  • Purpose: Group contact information.
  • Encoding: Email.

Group.group_display_name

  • Purpose: Group display name.
  • Encoding: String.
  • Examples:
    • Finance
    • HR
    • Marketing

Group.product_object_id

  • Purpose: Globally unique user object identifier for the product, such as an LDAP object identifier.
  • Encoding: String.

Group.windows_sid

  • Purpose: Microsoft Windows Security Identifier (SID) group attribute field.
  • Encoding: String.

Population of HTTP metadata

Http.method

  • Purpose: Stores the HTTP request method.
  • Encoding: String.
  • Examples:
    • GET
    • HEAD
    • POST

Http.referral_url

  • Purpose: Stores the URL for the HTTP referer.
  • Encoding: Valid RFC 3986 URL.
  • Example: https://www.altostrat.com

Http.response_code

  • Purpose: Stores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
  • Encoding: 32-bit integer.
  • Examples:
    • 400
    • 404

Http.useragent

  • Purpose: Stores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
  • Encoding: String.
  • Examples:
    • Mozilla/5.0 (X11; Linux x86_64)
    • AppleWebKit/534.26 (KHTML, like Gecko)
    • Chrome/41.0.2217.0
    • Safari/527.33

Population of Location metadata

Location.city

  • Purpose: Stores the name of the city.
  • Encoding: String.
  • Examples:
    • Sunnyvale
    • Chicago
    • Málaga

Location.country_or_region

  • Purpose: Stores the name of the country or region of the world.
  • Encoding: String.
  • Examples:
    • United States
    • United Kingdom
    • Spain

Location.name

  • Purpose: Stores the name specific to the enterprise, such as a building or campus.
  • Encoding: String.
  • Examples:
    • Campus 7B
    • Building A2

Location.state

  • Purpose: Stores the name of the state, province, or territory.
  • Encoding: String.
  • Examples:
    • California
    • Illinois
    • Ontario

Population of Network metadata

Network.application_protocol

  • Purpose: Indicates the network application protocol.
  • Encoding: Enumerated type.
  • Possible Values:
    • UNKNOWN_APPLICATION_PROTOCOL
    • QUIC
    • HTTP
    • HTTPS
    • DNS
    • DHCP

Network.direction

  • Purpose: Indicates the direction of network traffic.
  • Encoding: Enumerated type.
  • Possible Values:
    • UNKNOWN_DIRECTION
    • INBOUND
    • OUTBOUND
    • BROADCAST

Network.email

  • Purpose: Specifies the email address for the sender/recipient.
  • Encoding: String.
  • Example: jcheng@company.example.com

Network.ip_protocol

  • Purpose: Indicates the IP protocol.
  • Encoding: Enumerated type.
  • Possible Values:
    • UNKNOWN_IP_PROTOCOL
    • EIGRP—Enhanced Interior Gateway Routing Protocol
    • ESP—Encapsulating Security Payload
    • ETHERIP—Ethernet-within-IP Encapsulation
    • GRE—Generic Routing Encapsulation
    • ICMP—Internet Control Message Protocol
    • IGMP—Internet Group Management Protocol
    • IP6IN4—IPv6 Encapsulation
    • PIM—Protocol Independent Multicast
    • TCP—Transmission Control Protocol
    • UDP—User Datagram Protocol
    • VRRP—Virtual Router Redundancy Protocol

Network.received_bytes

  • Purpose: Specifies the number of bytes received.
  • Encoding: 64-bit unsigned integer.
  • Example: 12453654768

Network.sent_bytes

  • Purpose: Specifies the number of bytes sent.
  • Encoding: 64-bit unsigned integer.
  • Example: 7654876

Network.session_duration

  • Purpose: Stores the network session duration, typically reported in the drop or close event for the session. The value is a proto3 Duration: set network.session_duration.seconds (int64) and, for sub-second precision, network.session_duration.nanos (int32); for example, seconds = 1 records a one-second session.
  • Encoding:
    • 64-bit integer for seconds (network.session_duration.seconds).
    • 32-bit integer for nanoseconds (network.session_duration.nanos).

Network.session_id

  • Purpose: Stores the network session identifier.
  • Encoding: String.
  • Example: SID:ANON:www.w3.org:j6oAOxCWZh/CD723LGeXlf-01:34

Population of Process metadata

Process.command_line

  • Purpose: Stores the command line string for the process.
  • Encoding: String.
  • Example: c:\windows\system32\net.exe group

Process.product_specific_process_id

  • Purpose: Stores the product specific process ID.
  • Encoding: String.

Process.parent_process.product_specific_process_id

  • Purpose: Stores the product specific process ID for the parent process.
  • Encoding: String.

Process.file

  • Purpose: Stores the file name of the file in use by the process.
  • Encoding: String.
  • Example: report.xls

Process.parent_process

  • Purpose: Stores the details of the parent process.
  • Encoding: Noun (Process)

Process.pid

  • Purpose: Stores the process ID.
  • Encoding: String.
  • Examples:
    • 308
    • 2002

Population of Registry metadata

Registry.registry_key

  • Purpose: Stores the registry key associated with an application or system component.
  • Encoding: String.
  • Example: HKEY_LOCAL_MACHINE/SYSTEM/DriverDatabase

Registry.registry_value_name

  • Purpose: Stores the name of the registry value associated with an application or system component.
  • Encoding: String.
  • Example: TEMP

Registry.registry_value_data

  • Purpose: Stores the data associated with a registry value.
  • Encoding: String.
  • Example: %USERPROFILE%\Local Settings\Temp

Population of Security Result metadata

The Security Result metadata includes details about security risks and threats that were found by a security system as well as the actions taken to mitigate those risks and threats.

SecurityResult.about

  • Purpose: Provide a description of the security result.
  • Encoding: Noun.

SecurityResult.action

  • Purpose: Specify a security action.
  • Encoding: Enumerated type.
  • Possible Values: Chronicle UDM defines the following security actions:
    • ALLOW
    • ALLOW_WITH_MODIFICATION—File or email was disinfected or rewritten and still forwarded.
    • BLOCK
    • QUARANTINE—Store for later analysis (does not mean block).
    • UNKNOWN_ACTION

SecurityResult.action_details

  • Purpose: Vendor-provided details of the action taken as a result of the security incident. Security actions usually translate best into the more general SecurityResult.action field, but you might need to write rules against the exact vendor-provided description of the action.
  • Encoding: String.
  • Examples: Drop, block, decrypt, encrypt.

SecurityResult.category

  • Purpose: Specify a security category.
  • Encoding: Enum.
  • Possible Values: Chronicle UDM defines the following security categories:
    • ACL_VIOLATION—Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
    • AUTH_VIOLATION—Authentication failed, such as a bad password or bad 2-factor authentication.
    • DATA_AT_REST—DLP: sensor data found at rest in a scan.
    • DATA_DESTRUCTION—Attempt to destroy/delete data.
    • DATA_EXFILTRATION—DLP: sensor data transmission, copy to thumb drive.
    • EXPLOIT—Attempted overflows, bad protocol encodings, ROP, SQL injection, etc, both network and host-based.
    • MAIL_PHISHING—Phishing email, chat messages, etc.
    • MAIL_SPAM—Spam email, message, etc.
    • MAIL_SPOOFING—Spoofed source email address, etc.
    • NETWORK_CATEGORIZED_CONTENT
    • NETWORK_COMMAND_AND_CONTROL—If the command and control channel is known.
    • NETWORK_DENIAL_OF_SERVICE
    • NETWORK_MALICIOUS—Command and control, network exploit, suspicious activity, potential reverse tunnel, etc.
    • NETWORK_SUSPICIOUS—Non-security related, for example, the URL is linked to gambling, etc.
    • NETWORK_RECON—Port scan detected by an IDS, probing by a web application.
    • POLICY_VIOLATION—Security policy violation, including firewall, proxy, and HIPS rule violations or NAC block actions.
    • SOFTWARE_MALICIOUS—Malware, spyware, rootkits, etc.
    • SOFTWARE_PUA—Potentially unwanted app, such as adware, etc.
    • SOFTWARE_SUSPICIOUS
    • UNKNOWN_CATEGORY

SecurityResult.confidence

  • Purpose: Specify a confidence with regards to a security event as estimated by the product.
  • Encoding: Enum.
  • Possible Values: Chronicle UDM defines the following product confidence categories:
    • UNKNOWN_CONFIDENCE
    • LOW_CONFIDENCE
    • MEDIUM_CONFIDENCE
    • HIGH_CONFIDENCE

SecurityResult.confidence_details

  • Purpose: Additional detail with regards to the confidence of a security event as estimated by the product vendor.
  • Encoding: String.

SecurityResult.priority

  • Purpose: Specify a priority with regards to a security event as estimated by the product vendor.
  • Encoding: Enum.
  • Possible Values: Chronicle UDM defines the following product priority categories:
    • UNKNOWN_PRIORITY
    • LOW_PRIORITY
    • MEDIUM_PRIORITY
    • HIGH_PRIORITY

SecurityResult.priority_details

  • Purpose: Vendor-specific information about the security result priority.
  • Encoding: String.

SecurityResult.rule_id

  • Purpose: Identifier for the security rule.
  • Encoding: String.
  • Examples:
    • 08123
    • 5d2b44d0-5ef6-40f5-a704-47d61d3babbe

SecurityResult.rule_name

  • Purpose: Name of the security rule.
  • Encoding: String.
  • Example: BlockInboundToOracle.

SecurityResult.severity

  • Purpose: Severity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
  • Encoding: Enum.
  • Possible Values: Chronicle UDM defines the following product severities:
    • UNKNOWN_SEVERITY—Non-malicious
    • INFORMATIONAL—Non-malicious
    • ERROR—Non-malicious
    • LOW—Malicious
    • MEDIUM—Malicious
    • HIGH—Malicious

SecurityResult.severity_details

  • Purpose: Severity for a security event as estimated by the product vendor.
  • Encoding: String.

SecurityResult.threat_name

  • Purpose: Name of the security threat.
  • Encoding: String.
  • Examples:
    • W32/File-A
    • Slammer

SecurityResult.url_back_to_product

  • Purpose: URL to direct you to the source product console for this security event.
  • Encoding: String.

Population of User metadata

User.email_addresses

  • Purpose: Stores the email addresses for the user.
  • Encoding: Repeated String.
  • Example: johnlocke@company.example.com

User.employee_id

  • Purpose: Stores the human resources employee ID for the user.
  • Encoding: String.
  • Example: 11223344.

User.first_name

  • Purpose: Stores the first name for the user.
  • Encoding: String.
  • Example: John.

User.middle_name

  • Purpose: Stores the middle name for the user.
  • Encoding: String.
  • Example: Anthony.

User.last_name

  • Purpose: Stores the last name for the user.
  • Encoding: String.
  • Example: Locke.

User.group_identifiers

  • Purpose: Stores the group ID(s) (a GUID, LDAP OID, or similar) associated with a user.
  • Encoding: Repeated String.
  • Example: admin-users.

User.phone_numbers

  • Purpose: Stores the phone numbers for the user.
  • Encoding: Repeated String.
  • Example: 800-555-0101

User.title

  • Purpose: Stores the job title for the user.
  • Encoding: String.
  • Example: Customer Relationship Manager.

User.user_display_name

  • Purpose: Stores the display name for the user.
  • Encoding: String.
  • Example: John Locke.

User.userid

  • Purpose: Stores the user ID.
  • Encoding: String.
  • Example: jlocke.

User.windows_sid

  • Purpose: Stores the Microsoft Windows security identifier (SID) associated with a user.
  • Encoding: String.
  • Example: S-1-5-21-1180649209-123456789-3582944384-1064

Population of Vulnerability metadata

Vulnerability.about

  • Purpose: If the vulnerability is about a specific noun (for example, executable), add it here.
  • Encoding: Noun. See Population of Noun metadata.
  • Example: executable.

Vulnerability.cvss_base_score

  • Purpose: Base score for Common Vulnerability Scoring System (CVSS).
  • Encoding: Floating-point.
  • Range: 0.0 through 10.0
  • Example: 8.5

Vulnerability.cvss_vector

  • Purpose: Vector for the CVSS properties of the vulnerability. A CVSS v2 base score is composed of the following metrics:
    • Attack Vector (AV)
    • Access Complexity (AC)
    • Authentication (Au)
    • Confidentiality Impact (C)
    • Integrity Impact (I)
    • Availability Impact (A)
    For more information, see https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE.
  • Encoding: String.
  • Example: AV:L/AC:H/Au:N/C:N/I:P/A:C
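Added example (not Chronicle's own code) showing how a parser would validate a CVSS v2 vector string of the form given for cvss_vector, and derive the cvss_base_score value (range 0.0 through 10.0) from it using the CVSS v2 base-score equations; the helper and field names are assumptions for illustration.

```python
import re

# CVSS v2 base-metric weights, from the CVSS v2 specification.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
_ORDER = ("AV", "AC", "Au", "C", "I", "A")
_TABLES = {"AV": _AV, "AC": _AC, "Au": _AU, "C": _CIA, "I": _CIA, "A": _CIA}


def parse_cvss_v2_vector(vector):
    """Return {"AV": "L", "AC": "H", ...}; raise ValueError on a malformed vector."""
    parts = vector.split("/")
    if len(parts) != 6:
        raise ValueError("CVSS v2 base vector needs exactly six metrics")
    metrics = {}
    for part in parts:
        m = re.fullmatch(r"(AV|AC|Au|C|I|A):([A-Z])", part)
        if not m:
            raise ValueError(f"bad metric {part!r}")
        metrics[m.group(1)] = m.group(2)
    # Duplicate or misordered metrics leave the key order different from _ORDER.
    if tuple(metrics) != _ORDER:
        raise ValueError("metrics must appear in order AV/AC/Au/C/I/A")
    for key, table in _TABLES.items():
        if metrics[key] not in table:
            raise ValueError(f"invalid value {metrics[key]!r} for {key}")
    return metrics


def is_valid_cvss_v2_vector(vector):
    try:
        parse_cvss_v2_vector(vector)
        return True
    except ValueError:
        return False


def cvss_v2_base_score(vector):
    """CVSS v2 base score, rounded to one decimal as in the NVD calculator."""
    m = parse_cvss_v2_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    score = round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)
    return max(0.0, min(10.0, score))  # keep within the UDM cvss_base_score range


def udm_vulnerability_fields(vector):
    """Hypothetical helper: the UDM Vulnerability fields derived from a v2 vector."""
    return {"cvss_vector": vector, "cvss_version": "2.0",
            "cvss_base_score": cvss_v2_base_score(vector)}
```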

Vulnerability.cvss_version

  • Purpose: CVSS version for the vulnerability score or vector.
  • Encoding: String.
  • Example: 3.1

Vulnerability.description

  • Purpose: Description of the vulnerability.
  • Encoding: String.

Vulnerability.first_found

  • Purpose: Products that maintain a history of vulnerability scans should populate first_found with the time the vulnerability for this asset was first detected.
  • Encoding: String.

Vulnerability.last_found

  • Purpose: Products that maintain a history of vulnerability scans should populate last_found with the time the vulnerability for this asset was most recently detected.
  • Encoding: String.

Vulnerability.name

  • Purpose: Name of the vulnerability.
  • Encoding: String.
  • Example: Unsupported OS Version detected.

Vulnerability.scan_end_time

  • Purpose: If the vulnerability was discovered during an asset scan, populate this field with the time the scan ended. Leave this field empty if the end time is not available or not applicable.
  • Encoding: String.

Vulnerability.scan_start_time

  • Purpose: If the vulnerability was discovered during an asset scan, populate this field with the time the scan started. Leave this field empty if the start time is not available or not applicable.
  • Encoding: String.

Vulnerability.severity

  • Purpose: Severity of the vulnerability.
  • Encoding: Enumerated type.
  • Possible Values:
    • UNKNOWN_SEVERITY
    • LOW
    • MEDIUM
    • HIGH

Vulnerability.severity_details

  • Purpose: Vendor-specific severity details.
  • Encoding: String.