Tool: list_security_alerts
List security alerts directly from Chronicle SIEM.
Retrieves a list of recent security alerts generated within Chronicle, based on detection rules or other alert sources configured in the SIEM.
Agent Responsibilities:
1. Time Range Calculation: The agent MUST provide the start_time and end_time arguments as ISO 8601 formatted strings (e.g., YYYY-MM-DDTHH:MM:SSZ) to define the search window.
2. Response Parsing: The API returns a stream of JSON objects. The agent must handle this stream, typically by concatenating and parsing the complete JSON response. The alerts are found within the alerts.alerts array in the response object. Each element in this array is an alert.
3. Data Extraction: From each alert object, extract relevant fields such as:
- detection[0].ruleName or ruleName
- createdTime
- feedbackSummary.status or status
- feedbackSummary.severityDisplay or severity
- caseName (if available)
4. Output Formatting: Format the extracted details into a human-readable summary.
Workflow Integration:
- Use this for direct monitoring of SIEM alert activity, potentially identifying issues before they are ingested or processed by other platforms (e.g., SOAR).
- Can be used as an initial step to get a sense of recent high-priority events directly from the source SIEM.
- Contrast this with tools that list alerts associated with a specific case in a case management or SOAR system.
Use Cases:
- Get a quick overview of recent, non-closed alerts generated by the SIEM.
- Monitor for specific high-severity alerts or rule triggers.
- Check for SIEM alerts that might not have corresponding cases yet in other systems.
Args:
- project_id (Optional[str]): Google Cloud project ID.
- customer_id (Optional[str]): Chronicle customer ID.
- start_time (str): The start of the time range in ISO 8601 format (e.g., YYYY-MM-DDTHH:MM:SSZ).
- end_time (str): The end of the time range in ISO 8601 format (e.g., YYYY-MM-DDTHH:MM:SSZ).
- max_alerts (int): Maximum number of alerts to return. Defaults to 10. (The underlying LegacyFetchAlertsView request defaults to 100 when maxAlerts is unset; this tool passes 10 unless you set a value.)
- status_filter (str): Query string to filter alerts (e.g., 'feedback_summary.status != "CLOSED"'). Defaults to excluding closed alerts; pass an empty string to include alerts of every status.
- region (Optional[str]): Chronicle region (e.g., "us", "europe").
Returns: str: The raw JSON response stream from the API. The agent must parse this. Returns 'No security alerts found...' if the parsed result is empty.
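The four agent responsibilities above, carried out end to end as an added example (this is not the tool's own code): compute the window, parse the string the tool returns, extract each field with its documented fallback, and format a summary. The response body, rule names, IDs and case path are constructed for illustration.

```python
# Added example, not part of the list_security_alerts tool or Chronicle's code.
# Runs the four agent responsibilities on a constructed response.
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Tuple

ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the YYYY-MM-DDTHH:MM:SSZ form the tool expects
EXAMPLE_NOW = datetime(2024, 1, 3, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def time_window(hours: int, now: Optional[datetime] = None) -> Tuple[str, str]:
    """Step 1: (start_time, end_time) covering the last `hours` hours, in UTC."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(hours=hours)
    return start.strftime(ISO_FMT), end.strftime(ISO_FMT)


def _lookup(obj: Any, path: Tuple[Any, ...]) -> Any:
    """Walk a path such as ("detection", 0, "ruleName"); None if any step is missing."""
    cur = obj
    for key in path:
        if isinstance(cur, dict):
            cur = cur.get(key)
        elif isinstance(cur, list) and isinstance(key, int) and 0 <= key < len(cur):
            cur = cur[key]
        else:
            return None
    return cur


def _first(obj: Any, *paths: Tuple[Any, ...], default: Any = "unknown") -> Any:
    """First non-empty value among alternative paths (primary field, then fallback)."""
    for path in paths:
        val = _lookup(obj, path)
        if val not in (None, "", [], {}):
            return val
    return default


def parse_alerts(raw: str) -> List[Dict[str, Any]]:
    """Step 2: turn the tool's string result into the alerts.alerts list."""
    if raw.startswith("No security alerts found"):
        return []  # the tool's empty-result sentinel is plain text, not JSON
    response = json.loads(raw)
    return _lookup(response, ("alerts", "alerts")) or []


def summarize_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Step 3: extract the fields listed above, using the documented fallbacks."""
    return {
        "rule": _first(alert, ("detection", 0, "ruleName"), ("ruleName",)),
        "created": _first(alert, ("createdTime",)),
        "status": _first(alert, ("feedbackSummary", "status"), ("status",)),
        "severity": _first(alert, ("feedbackSummary", "severityDisplay"), ("severity",)),
        "case": _first(alert, ("caseName",), default=None),
    }


def format_summary(alerts: List[Dict[str, Any]]) -> str:
    """Step 4: one human-readable line per alert, in the order returned."""
    lines = [f"{len(alerts)} alert(s)"]
    for alert in alerts:
        s = summarize_alert(alert)
        case = s["case"] or "no case yet"
        lines.append(f"- [{s['severity']}] {s['rule']} status={s['status']} "
                     f"created={s['created']} ({case})")
    return "\n".join(lines)


# Constructed response: one rule detection with analyst feedback, and one alert
# that only carries the top-level fallback fields and is already attached to a case.
SAMPLE_RESPONSE = json.dumps({
    "progress": 1.0,
    "complete": True,
    "alerts": {"alerts": [
        {
            "id": "de_00000000-0000-0000-0000-000000000001",
            "createdTime": "2024-05-01T10:15:00Z",
            "detection": [{"ruleName": "suspicious_service_account_key_creation"}],
            "feedbackSummary": {"status": "NEW", "severityDisplay": "High"},
        },
        {
            "id": "de_00000000-0000-0000-0000-000000000002",
            "createdTime": "2024-05-01T09:40:00Z",
            "ruleName": "rdp_brute_force",
            "status": "OPEN",
            "severity": "LOW",
            "caseName": "projects/my-project/locations/us/chronicle/cases/1234",
        },
    ]},
})

if __name__ == "__main__":
    start, end = time_window(48)
    print(f"window: {start} .. {end}")
    print(format_summary(parse_alerts(SAMPLE_RESPONSE)))
```

Fallback order matters: feedbackSummary.status reflects the analyst's current disposition, so it is consulted before any top-level status, and the "No security alerts found" sentinel is checked before json.loads so an empty result never raises.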
Example Usage:
from datetime import datetime, timedelta, timezone

# Agent calculates start_time and end_time for the last 48 hours.
# A timezone-aware clock and an explicit format produce the documented
# YYYY-MM-DDTHH:MM:SSZ form (datetime.utcnow() is deprecated since
# Python 3.12, and isoformat() would append microseconds).
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"
now = datetime.now(timezone.utc)
end_time = now.strftime(ISO_FMT)
start_time = (now - timedelta(hours=48)).strftime(ISO_FMT)

# Get up to 50 alerts that are not closed in the last 48 hours
list_security_alerts(
    project_id="my-project",
    customer_id="my-customer",
    region="us",
    start_time=start_time,
    end_time=end_time,
    max_alerts=50,
    status_filter='feedback_summary.status != "CLOSED"'
)

# Get all alerts in the last 24 hours, regardless of status
now = datetime.now(timezone.utc)
end_time = now.strftime(ISO_FMT)
start_time = (now - timedelta(hours=24)).strftime(ISO_FMT)
list_security_alerts(
    project_id="my-project",
    customer_id="my-customer",
    region="us",
    start_time=start_time,
    end_time=end_time,
    status_filter=""
)
Next Steps (using MCP-enabled tools):
- Analyze the returned alerts for priority and relevance.
- For high-priority alerts, check if a corresponding case exists using list_cases with a filter on alert ID or name.
- If no case exists, consider creating one using a case management tool.
- Use entity lookup tools (like summarize_entity) on indicators found within the alert details (e.g., IPs, domains, users, hashes).
- Use UDM Search tools (like udm_search) to find related raw logs or events around the time of the alert.
- Correlate alert information with findings from other security tools (EDR, Cloud Posture, TI) via their MCP tools.
- Get more details on a specific rule firing by using list_rules or get_rule_detections.
The following sample demonstrates how to use curl to invoke the list_security_alerts MCP tool. The sample omits authentication: like other Google APIs, the endpoint expects an OAuth 2.0 bearer token in an Authorization header. The // comment inside "arguments" is a placeholder and is not valid JSON; replace it with the tool's arguments (project_id, customer_id, region, start_time, end_time, max_alerts, status_filter) before sending.

curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "list_security_alerts",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
Input Schema
Request message for LegacyFetchAlertsView.
LegacyFetchAlertsViewRequest
| JSON representation |
|---|
{ "projectId": string, "customerId": string, "region": string, "statusFilter": string, "startTime": string, "endTime": string, "maxAlerts": integer } |
| Field | Description |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| statusFilter | Status filter of the alerts to return. |
| startTime | Start time of the time range to list alerts. |
| endTime | End time of the time range to list alerts. |
| maxAlerts | Maximum number of alerts to return. If not set, the default value is 100. |
Output Schema
Depending on the parameters in FetchAlertsViewRequest, the API streams back some combination of alerts and fieldAggregations.
LegacyFetchAlertsViewResponse
| JSON representation |
|---|
{ "progress": number, "tooManyAlerts": boolean, "complete": boolean, "validBaselineQuery": boolean, "baselineAlertsCount": integer, "validSnapshotQuery": boolean, "queryValidationErrors": [ { object ( |
| Field | Description |
|---|---|
| progress | Progress of the query represented as a double between 0 and 1. |
| tooManyAlerts | If true, there are too many alerts matched and some have been omitted. "Too many alerts" depends on the server-side limit of 1,000,000 matched alerts used as the base for the field aggregations. |
| complete | Streaming for this response is done. There will be no additional updates. |
| validBaselineQuery | Whether the request baseline_query is a valid structured query. |
| baselineAlertsCount | The number of alerts matched by the baseline query. |
| validSnapshotQuery | Whether the request baseline and snapshot queries are valid. |
| queryValidationErrors[] | Parse errors for the baseline_query and/or the snapshot_query. |
| runtimeErrors[] | Runtime errors. |
| filteredAlertsCount | The number of alerts in the snapshot that match the snapshot_query. |
| memoryLimitExceeded | True if the list of alerts was truncated because its total size exceeded the limit. |
| alerts (union field) | The list of the first N matched alerts. The value of N is determined by the AlertListOptions.max_returned_alerts field in the request. |
| fieldAggregations (union field) | List of fields with aggregated values. |
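The streaming contract described above (progress, complete, the truncation flags, the validation and runtime errors, and the alerts/fieldAggregations union) handled in an added example that is not Chronicle's or the tool's own code. It assumes the raw stream is a sequence of JSON objects and, because the page does not state whether successive alert lists are cumulative, merges alerts by Collection id so either behaviour yields one record per alert; the message sequence is constructed.

```python
# Added example, not Chronicle's or the tool's code: consume a stream of
# LegacyFetchAlertsViewResponse messages and surface its completion and
# truncation semantics instead of silently taking the last alert list.
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Iterator, List


def iter_json_objects(stream: str) -> Iterator[Dict[str, Any]]:
    """Yield each object from concatenated or whitespace-separated JSON objects."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(stream)
    while pos < end:
        while pos < end and stream[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


@dataclass
class StreamResult:
    progress: float = 0.0
    complete: bool = False
    alerts: Dict[str, Dict[str, Any]] = field(default_factory=dict)  # keyed by Collection.id
    field_aggregations: List[Dict[str, Any]] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def consume_stream(stream: str) -> StreamResult:
    result = StreamResult()
    for msg in iter_json_objects(stream):
        result.progress = float(msg.get("progress", result.progress))
        # Query problems: report them; an empty alert list is not a clean result here.
        if msg.get("validBaselineQuery") is False or msg.get("validSnapshotQuery") is False:
            result.errors.append("query rejected as invalid")
        for err in msg.get("queryValidationErrors", []) + msg.get("runtimeErrors", []):
            result.errors.append(err.get("errorText") or json.dumps(err))
        # Truncation flags: the alert list is a sample of the match set, not all of it.
        if msg.get("tooManyAlerts"):
            result.warnings.append("tooManyAlerts: server-side match limit hit, some alerts omitted")
        if msg.get("memoryLimitExceeded"):
            result.warnings.append("memoryLimitExceeded: alert list truncated by size")
        # Union payloads. Merging by id is this example's assumption (see lead-in).
        if "alerts" in msg:
            for alert in msg["alerts"].get("alerts", []):
                key = alert.get("id") or json.dumps(alert, sort_keys=True)
                result.alerts[key] = alert
        if "fieldAggregations" in msg:
            result.field_aggregations = msg["fieldAggregations"]
        if msg.get("complete"):
            result.complete = True
            break  # the page guarantees no further updates after complete=true
    if not result.complete:
        result.warnings.append("stream ended before complete=true; results may be partial")
    return result


# Constructed stream: two progress updates, then the final complete message,
# which repeats the first alert with analyst feedback attached and adds a second.
SAMPLE_STREAM = "\n".join(json.dumps(m) for m in [
    {"progress": 0.25, "complete": False, "validBaselineQuery": True},
    {"progress": 0.6, "alerts": {"alerts": [
        {"id": "de_1", "createdTime": "2024-05-01T10:15:00Z", "ruleName": "rule_a"}]}},
    {"progress": 1.0, "complete": True, "tooManyAlerts": True,
     "baselineAlertsCount": 1000000,
     "alerts": {"alerts": [
         {"id": "de_1", "createdTime": "2024-05-01T10:15:00Z", "ruleName": "rule_a",
          "feedbackSummary": {"status": "NEW"}},
         {"id": "de_2", "createdTime": "2024-05-01T09:40:00Z", "ruleName": "rule_b"}]}},
])

if __name__ == "__main__":
    r = consume_stream(SAMPLE_STREAM)
    print(f"complete={r.complete} progress={r.progress} alerts={len(r.alerts)}")
    for w in r.warnings:
        print("warning:", w)
```

The result keeps errors and warnings separate on purpose: an invalid filter (queryValidationErrors, validBaselineQuery false) means the query never ran and the list must not be reported as "no alerts", while tooManyAlerts and memoryLimitExceeded mean the list is real but incomplete and a narrower time window or filter is needed.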
ErrorMessage
| JSON representation |
|---|
{
"type": enum ( |
| Field | Description |
|---|---|
| type | |
| errorText | |
RuntimeError
| JSON representation |
|---|
{ "timeRange": { object ( |
| Field | Description |
|---|---|
| timeRange | |
| errorText | |
| status (union field) | |
Interval
| JSON representation |
|---|
{ "startTime": string, "endTime": string } |
| Field | Description |
|---|---|
| startTime | Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| endTime | Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
Timestamp
| JSON representation |
|---|
{ "seconds": string, "nanos": integer } |
| Field | Description |
|---|---|
| seconds | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
| nanos | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
StatusProto
| JSON representation |
|---|
{
"code": integer,
"space": string,
"message": string,
"canonicalCode": integer,
"messageSet": {
object ( |
| Field | Description |
|---|---|
| code | Numeric code drawn from the space specified below. |
| space | Space to which this status belongs. |
| message | Detail message. |
| canonicalCode | The canonical error code that most closely corresponds to this status. |
| messageSet | Associates an arbitrary proto message with the status. |
AlertList
| JSON representation |
|---|
{
"alerts": [
{
object ( |
| Field | Description |
|---|---|
| alerts[] | |
Collection
| JSON representation |
|---|
{ "id": string, "type": enum ( |
| Field | Description |
|---|---|
| id | Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. |
| type | What the collection represents. |
| idNamespace | The ID namespace used for the Collection. |
| createdTime | Time the collection was created. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| lastUpdatedTime | Time the collection was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| timeWindow | Time interval that the collection represents. |
| collectionElements[] | Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. |
| detection[] | Detection metadata for findings that represent detections; can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). |
| detectionTime | Timestamp within the time_window related to the time of the collection_elements. For rule detections, this timestamp is the end of the time_window for multi-event rules or the time of the event for single-event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| investigation | Consolidated investigation details (categorization, status, etc.), typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. |
| tags[] | Tags set by UC/DSML/RE for the Finding during creation. |
| responsePlatformInfo | Alert-related info of this same alert in the customer's SOAR platform. |
| caseName | The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} |
| feedbackSummary | The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in feedbackHistory. |
| feedbackHistory[] | The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. |
| soarAlert | A boolean field indicating that the alert is present in SOAR. |
| soarAlertMetadata | Metadata fields of alerts coming from other SIEM systems via SOAR. |
| dataAccessScope | The resource name of the DataAccessScope of this collection. |
| detectionTimingDetails[] | Detection timing details for the collection. These details are used to determine possible causes of latency for the detection. This field is only set for detections that are generated by rules. |
| latencyMetrics | The latency metrics for the specific detection. These metrics are calculated from ALL of the events that contribute to the detection, not just the sampled ones. |
| ruleRunFrequency | The run frequency of the rule when it generated the detection. |
Element
| JSON representation |
|---|
{ "association": { object ( |
| Field | Description |
|---|---|
| association | Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, it may include a sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). |
| references[] | References to model primitives, including events and entities, that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM or Entity). |
| label | A name that labels the entire references group. |
| referencesSampled | Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. |
| latencyMetrics | Latency metrics for the specific element. These are calculated from all the contributing events or entities for a single event variable, not just the sampled ones included in references. This is currently only populated for UDM events. |
SecurityResult
| JSON representation |
|---|
{ "about": { object ( |
| Field | Description |
|---|---|
| about | If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a detection. |
| category[] | The security category. This field is not populated when the SecurityResult appears in a detection. |
| categoryDetails[] | For vendor-specific categories. For web categorization, put the type in here, such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a detection. |
| threatName | A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a detection. |
| ruleSet | The curated detection's rule set identifier (for example, "windows-threats"). This is primarily set in rule-generated detections and alerts. |
| ruleSetDisplayName | The curated detection's rule set display name. This is primarily set in rule-generated detections and alerts. |
| rulesetCategoryDisplayName | The curated detection rule set category display name (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. |
| ruleId | A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). |
| ruleName | Name of the security rule (e.g. "BlockInboundToOracle"). |
| ruleVersion | Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed. |
| ruleType | The type of security rule. |
| ruleAuthor | Author of the security rule. This field is not populated when the SecurityResult appears in a detection. |
| ruleLabels[] | A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. |
| alertState | The alerting type of this security result. This is primarily set for rule-generated detections and alerts. |
| detectionFields[] | An ordered list of values that represent fields in detections for a security finding. This list represents a mapping of names of requested entities to their values (the security result matched variables). For Collection SecurityResults, prefer variables instead. |
| outcomes[] | A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes to a stringified version of their values. This is only populated when the SecurityResult appears in a detection. This is deprecated. Use variables instead. |
| variables | A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables to their values. This is only populated when the SecurityResult appears in a detection. |
| summary | A short human-readable summary (e.g. "failed login occurred"). |
| description | A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. |
| action[] | Actions taken for this event. This field is not populated when the SecurityResult appears in a detection. |
| actionDetails | The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a detection. |
| severity | The severity of the result. |
| confidence | The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a detection. |
| priority | The priority of the result. This field is not populated when the SecurityResult appears in a detection. |
| riskScore | The risk score of the security result. |
| confidenceScore | The confidence score of the security result. This field is not populated when the SecurityResult appears in a detection. |
| analyticsMetadata[] | Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a detection. |
| severityDetails | Vendor-specific severity. This field is not populated when the SecurityResult appears in a detection. |
| confidenceDetails | Additional detail regarding the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a detection. |
| priorityDetails | Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a detection. |
| urlBackToProduct | URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a detection. |
| threatId | Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a detection. |
| threatFeedName | Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a detection. |
| threatIdNamespace | The attribute threat_id_namespace qualifies threat_id with an ID namespace to get a unique ID. The attribute threat_id by itself is not unique across Chronicle as it is a vendor-specific ID. This field is not populated when the SecurityResult appears in a detection. |
| threatStatus | Current status of the threat. This field is not populated when the SecurityResult appears in a detection. |
| attackDetails | MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a detection. |
| firstDiscoveredTime | First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a detection. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| associations[] | Associations related to the threat. |
| campaigns[] | Campaigns using this IoC threat. This is deprecated. Use threat_collections instead. |
| reports[] | Reports that reference this IoC threat. These are the report IDs. This is deprecated. Use threat_collections instead. |
| verdict | Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. |
| lastUpdatedTime | Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a detection. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| verdictInfo[] | Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a detection. |
| threatVerdict | GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a detection. |
| lastDiscoveredTime | Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a detection. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| detectionDepth | The depth of the detection chain. Applies only to composite detections. |
| threatCollections[] | GTI collections associated with the security result. |
Noun
| JSON representation |
|---|
{ "hostname": string, "domain": { object ( |
| Field | Description |
|---|---|
| hostname | Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. |
| domain | Information about the domain. |
| artifact | Information about an artifact. |
| urlMetadata | Information about the URL. |
| browser | Information about an entry in the web browser's local history database. |
| assetId | The asset ID. This field can be used as an entity indicator for asset entities. |
| user | Information about the user. |
| userManagementChain[] | Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery, since recursive fields (e.g. user.managers) are not supported by BigQuery. |
| group | Information about the group. |
| process | Information about the process. |
| processAncestors[] | Information about the process's ancestors, ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery, since recursive fields (e.g. process.parent_process) are not supported by BigQuery. |
| asset | Information about the asset. |
| ip[] | A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. |
| natIp[] | A list of NAT-translated IP addresses associated with a network connection. |
| port | Source or destination network port number when a specific network connection is described within an event. |
| natPort | NAT external network port number when a specific network connection is described within an event. |
| mac[] | List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. |
| administrativeDomain | Domain which the device belongs to (for example, the Microsoft Windows domain). |
| namespace | Namespace which the device belongs to, such as "AD forest". Uses for this field include the Microsoft Windows AD forest, the name of a subsidiary, or the name of an acquisition. This field can be used along with an asset indicator to identify an asset. |
| url | The URL. |
| file | Information about the file. |
| email | Email address. Only filled in for security_result.about. |
| registry | Registry information. |
| application | The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". |
| platform | Platform. |
| platformVersion | Platform version. For example, "Microsoft Windows 1803". |
| platformPatchLevel | Platform patch level. For example, "Build 17134.48". |
| cloud | Cloud metadata. Deprecated: cloud should be populated in the entity Attribute as generic metadata (e.g. asset.attribute.cloud). |
| location | Physical location. For cloud environments, set the region in location.name. |
| ipLocation[] | Deprecated: use ip_geo_artifact.location instead. |
| ipGeoArtifact[] | Enriched geographic information corresponding to an IP address, specifically location and network data. |
| resource | Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. |
| resourceAncestors[] | Information about the resource's ancestors, ordered from immediate ancestor (starting with the parent resource). |
| labels[] | Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in the entity Attribute as generic metadata (e.g. user.attribute.labels). |
| objectReference | Finding to which the analyst updated the feedback. |
| investigation | Analyst feedback/investigation for alerts. |
| network | Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
| securityResult[] | A list of security results. |
Domain
| JSON representation |
|---|
{ "name": string, "prevalence": { object ( |
| Field | Description |
|---|---|
| name | The domain name. This field can be used as an entity indicator for Domain entities. |
| prevalence | The prevalence of the domain within the customer's environment. |
| firstSeenTime | First seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| lastSeenTime | Last seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| registrar | Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". |
| contactEmail | Contact email address. |
| whoisServer | Whois server name. |
| nameServer[] | Repeated list of name servers. |
| creationTime | Domain creation time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| updateTime | Last updated time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| expirationTime | Expiration time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| auditUpdateTime | Audit updated time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| status | Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values. |
| registrant | Parsed contact information for the registrant of the domain. |
| admin | Parsed contact information for the administrative contact for the domain. |
| tech | Parsed contact information for the technical contact for the domain. |
| billing | Parsed contact information for the billing contact of the domain. |
| zone | Parsed contact information for the zone. |
| whoisRecordRawText | WHOIS raw text. A base64-encoded string. |
| registryDataRawText | Registry data raw text. A base64-encoded string. |
| ianaRegistrarId | IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml |
| privateRegistration | Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. |
| categories[] | Categories assigned to the domain as retrieved from VirusTotal. |
| favicon | Includes the difference hash and MD5 hash of the domain's favicon. |
| jarm | Domain's JARM hash. |
| lastDnsRecords[] | Domain's DNS records from the last scan. |
| lastDnsRecordsTime | Date when the DNS records list was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| lastHttpsCertificate | SSL certificate object retrieved the last time the domain was analyzed. |
| lastHttpsCertificateTime | When the certificate was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| popularityRanks[] | Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc. |
| tags[] | List of representative attributes. |
| whoisTime | Date of the last update of the WHOIS record. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
Prevalence
| JSON representation |
|---|
{ "rollingMax": integer, "dayCount": integer, "rollingMaxSubDomains": integer, "dayMax": integer, "dayMaxSubDomains": integer } |
| Field | Description |
|---|---|
| rollingMax | The maximum number of assets per day accessing the resource over the trailing day_count days. |
| dayCount | The number of days over which rolling_max is calculated. |
| rollingMaxSubDomains | The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. |
| dayMax | The max prevalence score in a day interval window. |
| dayMaxSubDomains | The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. |
User
| JSON representation |
|---|
{ "productObjectId": string, "userid": string, "userDisplayName": string, "firstName": string, "middleName": string, "lastName": string, "phoneNumbers": [ string ], "personalAddress": { object ( |
| Field | Description |
|---|---|
| productObjectId | A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. |
| userid | The ID of the user. This field can be used as an entity indicator for user entities. |
| userDisplayName | The display name of the user (e.g. "John Locke"). |
| firstName | First name of the user (e.g. "John"). |
| middleName | Middle name of the user. |
| lastName | Last name of the user (e.g. "Locke"). |
| phoneNumbers[] | Phone numbers for the user. |
| personalAddress | Personal address of the user. |
| attribute | Generic entity metadata attributes of the user. |
| firstSeenTime | The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| accountType | Type of user account (for example, service, domain, or cloud). This is somewhat aligned to https://attack.mitre.org/techniques/T1078/ |
| groupid | The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. |
| groupIdentifiers[] | Product object identifiers of the group(s) the user belongs to: a vendor-specific identifier to uniquely identify the group(s) (a GUID, LDAP OID, or similar). |
| windowsSid | The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. |
| emailAddresses[] | Email addresses of the user. This field can be used as an entity indicator for user entities. |
| employeeId | Human capital management identifier. This field can be used as an entity indicator for user entities. |
| title | User job title. |
| companyName | User job company name. |
| department[] | User job department. |
| officeAddress | User job office location. |
| managers[] | User job manager(s). |
| hireDate | User job employment hire date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| terminationDate | User job employment termination date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| timeOff[] | User time off leaves from active work. |
| lastLoginTime | User last login timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| lastPasswordChangeTime | User last password change timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| passwordExpirationTime | User password expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| accountExpirationTime | User account expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| accountLockoutTime | User account lockout timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| lastBadPasswordAttemptTime | User last bad password attempt timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| userAuthenticationStatus | System authentication status for the user. |
| roleName | System role name for the user. Deprecated: use attribute.roles. |
| roleDescription | System role description for the user. Deprecated: use attribute.roles. |
| userRole | System role for the user. Deprecated: use attribute.roles. |
Location

| JSON representation |
|---|
| { "city": string, "state": string, "countryOrRegion": string, "name": string, "deskName": string, "floorName": string, "regionLatitude": number, "regionLongitude": number, "regionCoordinates": { object ( |

| Field | Description |
|---|---|
| city | The city. |
| state | The state. |
| countryOrRegion | The country or region. |
| name | Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). |
| deskName | Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D"). |
| floorName | Floor name, number or a combination of the two for a building (e.g. "1-A"). |
| regionLatitude | Deprecated: use region_coordinates. |
| regionLongitude | Deprecated: use region_coordinates. |
| regionCoordinates | Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. |

LatLng

| JSON representation |
|---|
| { "latitude": number, "longitude": number } |

| Field | Description |
|---|---|
| latitude | The latitude in degrees. It must be in the range [-90.0, +90.0]. |
| longitude | The longitude in degrees. It must be in the range [-180.0, +180.0]. |
Attribute

| JSON representation |
|---|
| { "cloud": { object ( |

| Field | Description |
|---|---|
| cloud | Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. |
| labels[] | Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings. |
| permissions[] | System permissions for IAM entity (human principal, service account, group). |
| roles[] | System IAM roles to be assumed by resources to use the role's permissions for access control. |
| creationTime | Time the resource or entity was created or provisioned. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastUpdateTime | Time the resource or entity was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |

Cloud

| JSON representation |
|---|
| { "environment": enum ( |

| Field | Description |
|---|---|
| environment | The Cloud environment. |
| vpc | The cloud environment VPC. Deprecated. |
| project | The cloud environment project information. Deprecated: Use Resource.resource_ancestors. |
| availabilityZone | The cloud environment availability zone (different from region, which is location.name). |

Resource

| JSON representation |
|---|
| { "type": string, "resourceType": enum ( |

| Field | Description |
|---|---|
| type | Deprecated: use resource_type instead. |
| resourceType | Resource type. |
| resourceSubtype | Resource sub-type (e.g. "BigQuery", "Bigtable"). |
| id | Deprecated: Use resource.name or resource.product_object_id. |
| name | The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. |
| parent | The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. |
| productObjectId | A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar). This field can be used as an entity indicator for a Resource entity. |
| attribute | Generic entity metadata attributes of the resource. |
| scheduledTask | Information about a scheduled task associated with the resource. |
| volume | Information about a storage volume associated with the resource. |
| service | Information about a Windows service associated with the resource. |
ScheduledTask

| JSON representation |
|---|
| { "minute": integer, "hour": integer, "monthDay": integer, "month": integer, "weekDay": integer, "comment": string, "author": string } |

| Field | Description |
|---|---|
| minute | The minute of the hour (0-59). |
| hour | The hour of the day (0-23). |
| monthDay | The day of the month (1-31). |
| month | The month of the year (1-12). |
| weekDay | The day of the week (0-6, Sunday=0). |
| comment | A comment or description for the task. |
| author | The author or creator of the task. |

Volume

| JSON representation |
|---|
| { "fileSystem": string, "mountPoint": string, "devicePath": string, "isMounted": boolean, "isReadOnly": boolean, "name": string } |

| Field | Description |
|---|---|
| fileSystem | The name of the file system on the volume (e.g., "NTFS", "FAT32"). |
| mountPoint | The path where the volume is mounted (e.g., "C:", "/mnt/data"). |
| devicePath | The system path to the device (e.g., "\.\HarddiskVolume1", "/dev/sda1"). |
| isMounted | Indicates whether the volume is currently mounted. |
| isReadOnly | Indicates whether the volume is mounted as read-only. |
| name | The user-assigned label or name for the volume. |

Service

| JSON representation |
|---|
| { "displayName": string, "serviceType": enum ( |

| Field | Description |
|---|---|
| displayName | The user-friendly display name of the service. |
| serviceType | The type of service. |
| startupType | The startup type of the service. |
| state | Output only. The status of the service. |
Label

| JSON representation |
|---|
| { "key": string, "value": string, "source": string, "rbacEnabled": boolean } |

| Field | Description |
|---|---|
| key | The key. |
| value | The value. |
| source | Where the label is derived from. |
| rbacEnabled | Indicates whether this label can be used for Data RBAC. |

Permission

| JSON representation |
|---|
| { "name": string, "description": string, "type": enum ( |

| Field | Description |
|---|---|
| name | Name of the permission (e.g. chronicle.analyst.updateRule). |
| description | Description of the permission (e.g. 'Ability to update detect rules'). |
| type | Type of the permission. |

Role

| JSON representation |
|---|
| { "name": string, "description": string, "type": enum ( |

| Field | Description |
|---|---|
| name | System role name for user. |
| description | System role description for user. |
| type | System role type for well known roles. |

TimeOff

| JSON representation |
|---|
| { "interval": { object ( |

| Field | Description |
|---|---|
| interval | Interval duration of the leave. |
| description | Description of the leave if available (e.g. 'Vacation'). |

Favicon

| JSON representation |
|---|
| { "rawMd5": string, "dhash": string } |

| Field | Description |
|---|---|
| rawMd5 | Favicon's MD5 hash. |
| dhash | Difference hash. |

DNSRecord

| JSON representation |
|---|
| { "type": string, "value": string, "ttl": string, "priority": string, "retry": string, "refresh": string, "minimum": string, "expire": string, "serial": string, "rname": string } |

| Field | Description |
|---|---|
| type | Type. |
| value | Value. |
| ttl | Time to live. A duration in seconds with up to nine fractional digits, ending with ' |
| priority | Priority. |
| retry | Retry. |
| refresh | Refresh. A duration in seconds with up to nine fractional digits, ending with ' |
| minimum | Minimum. A duration in seconds with up to nine fractional digits, ending with ' |
| expire | Expire. A duration in seconds with up to nine fractional digits, ending with ' |
| serial | Serial. |
| rname | Rname. |
Duration

| JSON representation |
|---|
| { "seconds": string, "nanos": integer } |

| Field | Description |
|---|---|
| seconds | Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| nanos | Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 |
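Durations reach a consumer in two JSON shapes: the object form documented here (`seconds` as a string, `nanos` as an integer) and the string form used by fields such as DNSRecord.ttl and Network.sessionDuration (decimal seconds with up to nine fractional digits and, in the proto3 JSON mapping, an `s` suffix). The following Python is an added example, not code from this reference or from Chronicle; the function names are my own. It normalizes both forms to an integer nanosecond count and rejects values that violate the stated bound on `seconds` or that carry opposite signs in `seconds` and `nanos`, which is the check a pipeline should make before using a duration in arithmetic.

```python
import re

# Documented bound on Duration.seconds: 60 * 60 * 24 * 365.25 * 10000
MAX_SECONDS = 315_576_000_000
NANOS_PER_SECOND = 1_000_000_000

# String form: optional sign, whole seconds, up to nine fractional digits, 's' suffix
_DURATION_STR = re.compile(r"^(-?)(\d+)(?:\.(\d{1,9}))?s$")


def duration_to_nanos(value):
    """Return total nanoseconds (int) for a Duration in either JSON form.

    Accepts {"seconds": "<int as string>", "nanos": <int>} or a string such as
    "3.5s". Raises ValueError for out-of-range or sign-inconsistent values and
    TypeError for any other type.
    """
    if isinstance(value, str):
        m = _DURATION_STR.match(value)
        if not m:
            raise ValueError(f"not a duration string: {value!r}")
        sign, whole, frac = m.groups()
        seconds = int(whole)
        nanos = int((frac or "").ljust(9, "0"))  # pad fractional digits out to nanoseconds
        if sign == "-":
            seconds, nanos = -seconds, -nanos
    elif isinstance(value, dict):
        seconds = int(value.get("seconds", "0"))  # seconds is serialized as a string
        nanos = int(value.get("nanos", 0))
        if abs(nanos) >= NANOS_PER_SECOND:
            raise ValueError(f"nanos out of range: {nanos}")
        # nanos must carry the same sign as seconds unless one of them is zero
        if seconds and nanos and (seconds < 0) != (nanos < 0):
            raise ValueError("seconds and nanos have opposite signs")
    else:
        raise TypeError(f"unsupported duration value: {type(value).__name__}")
    if not -MAX_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError(f"seconds out of range: {seconds}")
    return seconds * NANOS_PER_SECOND + nanos


def duration_to_string(value):
    """Canonical string form (e.g. "3.5s", "-1.25s") for either JSON form."""
    total = duration_to_nanos(value)
    sign = "-" if total < 0 else ""
    seconds, nanos = divmod(abs(total), NANOS_PER_SECOND)
    if nanos == 0:
        return f"{sign}{seconds}s"
    frac = f"{nanos:09d}".rstrip("0")  # drop trailing zeros, keep up to nine digits
    return f"{sign}{seconds}.{frac}s"


def is_valid_duration(value):
    """True if the value parses and lies within the documented bounds."""
    try:
        duration_to_nanos(value)
    except (ValueError, TypeError):
        return False
    return True
```

Keeping the nanosecond integer rather than a float avoids silently losing precision on long TTLs and session durations; convert to `datetime.timedelta` only at the point of display.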
SSLCertificate

| JSON representation |
|---|
| { "certSignature": { object ( |

| Field | Description |
|---|---|
| certSignature | Certificate's signature and algorithm. |
| extension | (DEPRECATED) certificate's extension. |
| certExtensions | Certificate's extensions. |
| firstSeenTime | Date the certificate was first retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| issuer | Certificate's issuer data. |
| ec | EC public key information. |
| serialNumber | Certificate's serial number hexdump. |
| signatureAlgorithm | Algorithm used for the signature (for example, "sha1RSA"). |
| size | Certificate content length. |
| subject | Certificate's subject data. |
| thumbprint | Certificate's content SHA1 hash. |
| thumbprintSha256 | Certificate's content SHA256 hash. |
| validity | Certificate's validity period. |
| version | Certificate version (typically "V1", "V2" or "V3"). |
| publicKey | Public key information. |

CertSignature

| JSON representation |
|---|
| { "signature": string, "signatureAlgorithm": string } |

| Field | Description |
|---|---|
| signature | Signature. |
| signatureAlgorithm | Algorithm. |

Extension

| JSON representation |
|---|
| { "ca": boolean, "subjectKeyId": string, "authorityKeyId": { object ( |

| Field | Description |
|---|---|
| ca | Whether the subject acts as a certificate authority (CA) or not. |
| subjectKeyId | Identifies the public key being certified. |
| authorityKeyId | Identifies the public key to be used to verify the signature on this certificate or CRL. |
| keyUsage | The purpose for which the certified public key is used. |
| caInfoAccess | Authority information access locations are URLs that are added to a certificate in its authority information access extension. |
| crlDistributionPoints | CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. |
| extendedKeyUsage | One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. |
| subjectAlternativeName | Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. |
| certificatePolicies | Different certificate policies will relate to different applications which may use the certified key. |
| netscapeCertComment | Used to include free-form text comments inside certificates. |
| certTemplateNameDc | BMP data value "DomainController". See MS Q291010. |
| netscapeCertificate | Identify whether the certificate subject is an SSL client, an SSL server, or a CA. |
| peLogotype | Whether the certificate includes a logotype. |
| oldAuthorityKeyId | Whether the certificate has an old authority key identifier extension. |

AuthorityKeyId

| JSON representation |
|---|
| { "keyid": string, "serialNumber": string } |

| Field | Description |
|---|---|
| keyid | Key hexdump. |
| serialNumber | Serial number hexdump. |
Struct

| JSON representation |
|---|
| { "fields": { string: value, ... } } |

| Field | Description |
|---|---|
| fields | Unordered map of dynamically typed values. An object containing a list of |

FieldsEntry

| JSON representation |
|---|
| { "key": string, "value": value } |

| Field | Description |
|---|---|
| key | |
| value | |

Value

| JSON representation |
|---|
| { // Union field |

Union field kind. The kind of value. kind can be only one of the following:

| Field | Description |
|---|---|
| nullValue | Represents a null value. |
| numberValue | Represents a double value. |
| stringValue | Represents a string value. |
| boolValue | Represents a boolean value. |
| structValue | Represents a structured value. |
| listValue | Represents a repeated |

ListValue

| JSON representation |
|---|
| { "values": [ value ] } |

| Field | Description |
|---|---|
| values[] | Repeated field of dynamically typed values. |
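Struct, Value and ListValue (the three sections above) form one recursive type: a Struct is a map of Values, a Value is exactly one of six kinds, and a ListValue is a list of Values. As an added example, not code from this reference or from Chronicle, the Python below walks that union form (`{"stringValue": "x"}`, `{"structValue": {"fields": ...}}`, and so on) and produces plain Python objects. Two assumptions are mine: a Value that is not a JSON object, or an object carrying none of the six kind keys, is treated as already-native JSON (the proto3 JSON mapping may emit it that way), and a Value carrying more than one kind key is rejected rather than guessed at.

```python
# The six kind keys a Value may carry; exactly one must be present.
VALUE_KINDS = frozenset(
    {"nullValue", "numberValue", "stringValue", "boolValue", "structValue", "listValue"}
)


def value_to_python(value):
    """Convert a Value (explicit union form) to a native Python object.

    Assumption: anything that is not a dict, or a dict with no kind key, is
    passed through as already-native JSON. Nested Struct and ListValue are
    converted recursively.
    """
    if not isinstance(value, dict):
        return value
    present = VALUE_KINDS.intersection(value)
    if not present:
        # Plain JSON object (proto3 canonical mapping); convert members recursively.
        return {k: value_to_python(v) for k, v in value.items()}
    if len(present) != 1:
        raise ValueError(f"Value must set exactly one kind, got {sorted(present)}")
    kind = next(iter(present))
    payload = value[kind]
    if kind == "nullValue":
        return None
    if kind == "numberValue":
        return float(payload)  # numberValue is always a double, even for integral input
    if kind == "stringValue":
        return str(payload)
    if kind == "boolValue":
        return bool(payload)
    if kind == "structValue":
        return struct_to_python(payload)
    # listValue: {"values": [Value, ...]}; a missing "values" is an empty list
    if not isinstance(payload, dict):
        raise ValueError("listValue payload must be a JSON object")
    return [value_to_python(v) for v in payload.get("values", [])]


def struct_to_python(struct):
    """Convert a Struct ({"fields": {key: Value, ...}}) to a dict.

    Assumption: a JSON object without a sole "fields" member is treated as a
    bare (canonical) map and converted member by member.
    """
    if not isinstance(struct, dict):
        raise ValueError("Struct must be a JSON object")
    fields = struct.get("fields")
    if isinstance(fields, dict) and len(struct) == 1:
        return {k: value_to_python(v) for k, v in fields.items()}
    return {k: value_to_python(v) for k, v in struct.items()}
```

Normalizing to native types at the boundary means downstream detection logic can compare `labels`, `attribute` maps and similar free-form fields without caring which serializer produced them.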
Subject

| JSON representation |
|---|
| { "countryName": string, "commonName": string, "locality": string, "organization": string, "organizationalUnit": string, "stateOrProvinceName": string } |

| Field | Description |
|---|---|
| countryName | C: Country name. |
| commonName | CN: CommonName. |
| locality | L: Locality. |
| organization | O: Organization. |
| organizationalUnit | OU: OrganizationalUnit. |
| stateOrProvinceName | ST: StateOrProvinceName. |

EC

| JSON representation |
|---|
| { "oid": string, "pub": string } |

| Field | Description |
|---|---|
| oid | Curve name. |
| pub | Public key hexdump. |

Validity

| JSON representation |
|---|
| { "expiryTime": string, "issueTime": string } |

| Field | Description |
|---|---|
| expiryTime | Expiry date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| issueTime | Issue date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |

PublicKey

| JSON representation |
|---|
| { "algorithm": string, "rsa": { object ( |

| Field | Description |
|---|---|
| algorithm | Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. |
| rsa | RSA public key information. |

RSA

| JSON representation |
|---|
| { "keySize": string, "modulus": string, "exponent": string } |

| Field | Description |
|---|---|
| keySize | Key size. |
| modulus | Key modulus hexdump. |
| exponent | Key exponent hexdump. |

PopularityRank

| JSON representation |
|---|
| { "giver": string, "rank": string, "ingestionTime": string } |

| Field | Description |
|---|---|
| giver | Name of the rank serial number hexdump. |
| rank | Rank position. |
| ingestionTime | Timestamp when the rank was ingested. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Artifact

| JSON representation |
|---|
| { "ip": string, "prevalence": { object ( |

| Field | Description |
|---|---|
| ip | IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. |
| prevalence | The prevalence of the artifact within the customer's environment. |
| firstSeenTime | First seen timestamp of the IP in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastSeenTime | Last seen timestamp of the IP address in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| location | Location of the Artifact's IP address. |
| network | Network information related to the Artifact's IP address. |
| asOwner | Owner of the Autonomous System to which the IP address belongs. |
| asn | Autonomous System Number to which the IP address belongs. |
| jarm | The JARM hash for the IP address (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). |
| lastHttpsCertificate | SSL certificate information about the IP address. |
| lastHttpsCertificateDate | Most recent date for the certificate in VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| regionalInternetRegistry | RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). |
| tags[] | Identification attributes. |
| whois | WHOIS information as returned from the pertinent WHOIS server. |
| whoisDate | Date of the last update of the WHOIS record in VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| tunnels[] | VPN tunnels. |
| anonymous | Whether the VPN tunnels are configured for anonymous browsing or not. |
| artifactClient | Entity or software accessing or utilizing network resources. |
| risks[] | This field lists potential risks associated with the network activity. |
Network

| JSON representation |
|---|
| { "sentBytes": string, "receivedBytes": string, "totalBytes": string, "sentPackets": string, "receivedPackets": string, "sessionDuration": string, "sessionId": string, "parentSessionId": string, "applicationProtocolVersion": string, "communityId": string, "direction": enum ( |

| Field | Description |
|---|---|
| sentBytes | The number of bytes sent. |
| receivedBytes | The number of bytes received. |
| totalBytes | The number of total bytes. |
| sentPackets | The number of packets sent. |
| receivedPackets | The number of packets received. |
| sessionDuration | The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. A duration in seconds with up to nine fractional digits, ending with ' |
| sessionId | The ID of the network session. |
| parentSessionId | The ID of the parent network session. |
| applicationProtocolVersion | The version of the application protocol (e.g. "1.1, 2.0"). |
| communityId | Community ID network flow value. |
| direction | The direction of network traffic. |
| ipProtocol | The IP protocol. |
| applicationProtocol | The application protocol. |
| ftp | FTP info. |
| email | Email info for the sender/recipient. |
| dns | DNS info. |
| dhcp | DHCP info. |
| http | HTTP info. |
| tls | TLS info. |
| smtp | SMTP info. Store fields specific to SMTP not covered by Email. |
| asn | Autonomous system number. |
| dnsDomain | DNS domain name. |
| carrierName | Carrier identification. |
| organizationName | Organization name (e.g. Google). |
| ipSubnetRange | Associated human-readable IP subnet range (e.g. 10.1.2.0/24). |
| isProxy | Whether the IP address is a known proxy. |
| proxyInfo | Proxy information. Only set if is_proxy is true. |
| connectionState | Output only. The state of the network connection. |

Ftp

| JSON representation |
|---|
| { "command": string } |

| Field | Description |
|---|---|
| command | The FTP command. |
Email

| JSON representation |
|---|
| { "from": string, "replyTo": string, "to": [ string ], "cc": [ string ], "bcc": [ string ], "mailId": string, "subject": [ string ], "bounceAddress": string } |

| Field | Description |
|---|---|
| from | The 'from' address. |
| replyTo | The 'reply to' address. |
| to[] | A list of 'to' addresses. |
| cc[] | A list of 'cc' addresses. |
| bcc[] | A list of 'bcc' addresses. |
| mailId | The mail (or message) ID. |
| subject[] | The subject line(s) of the email. |
| bounceAddress | The envelope from address. https://en.wikipedia.org/wiki/Bounce_address |
Dns

| JSON representation |
|---|
| { "id": integer, "response": boolean, "opcode": integer, "authoritative": boolean, "truncated": boolean, "recursionDesired": boolean, "recursionAvailable": boolean, "responseCode": integer, "questions": [ { object ( |

| Field | Description |
|---|---|
| id | DNS query id. |
| response | Set to true if the event is a DNS response. See QR field from RFC1035. |
| opcode | The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). |
| authoritative | Other DNS header flags. See RFC1035, section 4.1.1. |
| truncated | Whether the DNS response was truncated. |
| recursionDesired | Whether a recursive DNS lookup is desired. |
| recursionAvailable | Whether a recursive DNS lookup is available. |
| responseCode | Response code. See RCODE from RFC1035. |
| questions[] | A list of domain protocol message questions. |
| answers[] | A list of answers to the domain name query. |
| authority[] | A list of domain name servers which verified the answers to the domain name queries. |
| additional[] | A list of additional domain name servers that can be used to verify the answer to the domain. |

Question

| JSON representation |
|---|
| { "name": string, "type": integer, "class": integer, "prevalence": { object ( |

| Field | Description |
|---|---|
| name | The domain name. |
| type | The code specifying the type of the query. |
| class | The code specifying the class of the query. |
| prevalence | The prevalence of the domain within the customer's environment. |

ResourceRecord

| JSON representation |
|---|
| { "name": string, "type": integer, "class": integer, "ttl": integer, "data": string, "binaryData": string } |

| Field | Description |
|---|---|
| name | The name of the owner of the resource record. |
| type | The code specifying the type of the resource record. |
| class | The code specifying the class of the resource record. |
| ttl | The time interval for which the resource record can be cached before the source of the information should again be queried. |
| data | The payload or response to the DNS question for all responses encoded in UTF-8 format. |
| binaryData | The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. A base64-encoded string. |
Dhcp

| JSON representation |
|---|
| { "opcode": enum ( |

| Field | Description |
|---|---|
| opcode | The BOOTP op code. |
| htype | Hardware address type. |
| hlen | Hardware address length. |
| hops | Hardware ops. |
| transactionId | Transaction ID. |
| seconds | Seconds elapsed since client began address acquisition/renewal process. |
| flags | Flags. |
| ciaddr | Client IP address (ciaddr). |
| yiaddr | Your IP address (yiaddr). |
| siaddr | IP address of the next bootstrap server. |
| giaddr | Relay agent IP address (giaddr). |
| chaddr | Client hardware address (chaddr). |
| sname | Server name that the client wishes to boot from. |
| file | Boot image filename. |
| options[] | List of DHCP options. |
| type | DHCP message type. |
| leaseTimeSeconds | Lease time in seconds. See RFC2132, section 9.2. |
| clientHostname | Client hostname. See RFC2132, section 3.14. |
| clientIdentifier | Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. A base64-encoded string. |
| requestedAddress | Requested IP address. See RFC2132, section 9.1. |
| clientIdentifierString | Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. |

Option

| JSON representation |
|---|
| { "code": integer, "data": string } |

| Field | Description |
|---|---|
| code | Code. See RFC1533. |
| data | Data. A base64-encoded string. |

Http

| JSON representation |
|---|
| { "method": string, "referralUrl": string, "userAgent": string, "responseCode": integer, "parsedUserAgent": { object ( |

| Field | Description |
|---|---|
| method | The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). |
| referralUrl | The URL for the HTTP referer. |
| userAgent | The User-Agent request header, which includes the application type, operating system, software vendor or software version of the requesting software user agent. |
| responseCode | The response status code, for example 200, 302, 404, or 500. |
| parsedUserAgent | The parsed user_agent string. |
UserAgentProto

| JSON representation |
|---|
| { "family": enum ( |

| Field | Description |
|---|---|
| family | User agent family captures the type of browser/app at a high level (e.g. MSIE, Gecko, Safari, etc.). |
| subFamily | Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. |
| platform | The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family (e.g. Windows, Macintosh, Linux). For mobile user agents, Platform either describes the OS family (if available) or the hardware maker (e.g. Linux, or HTC, LG, Palm). |
| device | (Usually) Mobile specific: name of hardware device, may or may not contain the full model name (e.g. iPhone, Palm750, SPH-M800). Reduced to "K" for Android devices with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| deviceVersion | (Usually) Mobile specific: version of hardware device. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| carrier | Mobile specific: name of mobile carrier. |
| security | Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| locale | Locale in which the browser is running, as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| os | Full name of the operating system (e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98"). Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| osVariant | Extra qualifier for the OS (e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061"). Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| browser | Product brand within the family: Firefox, Netscape, Camino, etc., or Earth, Windows-Media-Player, etc. for non-browser user agents. |
| browserVersion | Minor and lower versions unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| browserEngineVersion | Version of the rendering engine (e.g. "8.01" for "Opera/8.01"). |
| googleToolbarVersion | Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. |
| javaProfile | Mobile specific: e.g. Profile/MIDP-2.0 |
| javaProfileVersion | |
| javaConfiguration | Mobile specific: e.g. Configuration/CLDC-1.1 |
| javaConfigurationVersion | |
| messaging | Mobile specific: e.g. MMP/2.0 |
| messagingVersion | |
| annotation[] | |

Annotation

| JSON representation |
|---|
| { "key": string, "value": string } |

| Field | Description |
|---|---|
| key | |
| value | |
Tls

| JSON representation |
|---|
| { "client": { object ( |

| Field | Description |
|---|---|
| client | Certificate information for the client certificate. |
| server | Certificate information for the server certificate. |
| cipher | Cipher used during the connection. |
| curve | Elliptical curve used for a given cipher. |
| version | TLS version. |
| versionProtocol | Protocol. |
| established | Indicates whether the TLS negotiation was successful. |
| nextProtocol | Protocol to be used for tunnel. |
| resumed | Indicates whether the TLS connection was resumed from a previous TLS negotiation. |

Client

| JSON representation |
|---|
| { "certificate": { object ( |

| Field | Description |
|---|---|
| certificate | Client certificate. |
| ja3 | JA3 hash from the TLS ClientHello, as a hex-encoded string. |
| serverName | Host name of the server that the client is connecting to. |
| supportedCiphers[] | Ciphers supported by the client during client hello. |
Certificate

| JSON representation |
|---|
| { "version": string, "serial": string, "subject": string, "issuer": string, "md5": string, "sha1": string, "sha256": string, "notBefore": string, "notAfter": string } |

| Field | Description |
|---|---|
| version | Certificate version. |
| serial | Certificate serial number. |
| subject | Subject of the certificate. |
| issuer | Issuer of the certificate. |
| md5 | The MD5 hash of the certificate, as a hex-encoded string. |
| sha1 | The SHA1 hash of the certificate, as a hex-encoded string. |
| sha256 | The SHA256 hash of the certificate, as a hex-encoded string. |
| notBefore | Indicates when the certificate is first valid. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| notAfter | Indicates when the certificate is no longer valid. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
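Every timestamp field in this reference (including the Validity section's `issueTime`/`expiryTime` and this section's `notBefore`/`notAfter`) uses the same RFC 3339 convention: output is Z-normalized with 0, 3, 6 or 9 fractional digits, and numeric offsets are accepted on input. The Python below is an added example, not code from this reference or from Chronicle, with function names of my own. It parses that convention without relying on `datetime.fromisoformat` (which only accepts a trailing `Z` from Python 3.11 on), truncates nanoseconds to the microseconds `datetime` can hold, and then classifies a certificate's validity window against a reference time, which is the usual triage question for a TLS certificate seen in a network event.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339: date, 'T', time, optional 1-9 fractional digits, then 'Z' or +hh:mm/-hh:mm.
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?"
    r"(?:([Zz])|([+-])(\d{2}):(\d{2}))$"
)


def parse_rfc3339(text):
    """Parse an RFC 3339 timestamp into an aware UTC datetime.

    Fractional seconds beyond six digits are truncated (datetime has no
    nanosecond field); offsets are applied so the result is always UTC.
    """
    m = _RFC3339.match(text.strip())
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {text!r}")
    y, mo, d, h, mi, s, frac, z, sign, oh, om = m.groups()
    micro = int((frac or "").ljust(9, "0")[:6])
    if z:
        tz = timezone.utc
    else:
        offset = timedelta(hours=int(oh), minutes=int(om))
        tz = timezone(-offset if sign == "-" else offset)
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tz)
    return dt.astimezone(timezone.utc)


def to_rfc3339(dt):
    """Z-normalized output with 0 or 6 fractional digits (what datetime can express)."""
    dt = dt.astimezone(timezone.utc)
    base = dt.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{dt.microsecond:06d}Z" if dt.microsecond else f"{base}Z"


def certificate_status(cert, now, expiring_within=timedelta(days=30)):
    """Classify a certificate's validity window relative to 'now' (an aware datetime).

    Accepts the Certificate shape (notBefore/notAfter) or the Validity shape
    (issueTime/expiryTime). Returns 'not_yet_valid', 'expired', 'expiring'
    or 'valid'; a window whose start is after its end is rejected.
    """
    start = cert.get("notBefore") or cert.get("issueTime")
    end = cert.get("notAfter") or cert.get("expiryTime")
    if not start or not end:
        raise ValueError("certificate has no validity window")
    not_before, not_after = parse_rfc3339(start), parse_rfc3339(end)
    if not_before > not_after:
        raise ValueError("validity window starts after it ends")
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= expiring_within:
        return "expiring"
    return "valid"


# Constructed sample values (not from any real event), used for a stand-alone run.
SAMPLE_CERT = {"notBefore": "2024-01-01T00:00:00Z", "notAfter": "2024-06-15T00:00:00.000Z"}
SAMPLE_NOW = parse_rfc3339("2024-06-01T12:00:00+02:00")
```

Comparing only after normalizing to UTC avoids the classic off-by-offset mistake when one side of a comparison came from a log with a local offset and the other from the SIEM's Z-normalized output.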
Server

| JSON representation |
|---|
| { "certificate": { object ( |

| Field | Description |
|---|---|
| certificate | Server certificate. |
| ja3s | JA3 hash from the TLS ServerHello, as a hex-encoded string. |

Smtp

| JSON representation |
|---|
| { "helo": string, "mailFrom": string, "rcptTo": [ string ], "serverResponse": [ string ], "messagePath": string, "isWebmail": boolean, "isTls": boolean } |

| Field | Description |
|---|---|
| helo | The client's 'HELO'/'EHLO' string. |
| mailFrom | The client's 'MAIL FROM' string. |
| rcptTo[] | The client's 'RCPT TO' string(s). |
| serverResponse[] | The server's response(s) to the client. |
| messagePath | The message's path (extracted from the headers). |
| isWebmail | If the message was sent via a webmail client. |
| isTls | If the connection switched to TLS. |

ProxyInfo

| JSON representation |
|---|
| { "anonymous": boolean, "anonymousVpn": boolean, "publicProxy": boolean, "torExitNode": boolean, "smartDnsProxy": boolean, "hostingProvider": boolean, "vpnDatacenter": boolean, "residentialProxy": boolean, "vpnServiceName": string, "proxyOverVpn": boolean, "relayProxy": boolean } |

| Field | Description |
|---|---|
| anonymous | Whether the IP address is anonymous. |
| anonymousVpn | Whether the IP address is an anonymous VPN. |
| publicProxy | Whether the IP address is a public proxy. |
| torExitNode | Whether the IP address is a Tor exit node. |
| smartDnsProxy | Whether the IP address is a smart DNS proxy. |
| hostingProvider | Whether the IP address is a hosting provider. |
| vpnDatacenter | Whether the IP address is a VPN datacenter. |
| residentialProxy | Whether the IP address is a residential proxy. |
| vpnServiceName | The name of the VPN service. |
| proxyOverVpn | Whether the IP address is a proxy over VPN. |
| relayProxy | Whether the IP address is a relay proxy. |

Tunnels

| JSON representation |
|---|
| { "provider": string, "type": string } |

| Field | Description |
|---|---|
| provider | The provider of the VPN tunnels being used. |
| type | The type of the VPN tunnels. |

ArtifactClient

| JSON representation |
|---|
| { "behaviors": [ string ], "proxies": [ string ] } |

| Field | Description |
|---|---|
| behaviors[] | The behaviors of the client accessing the network. |
| proxies[] | The type of proxies used by the client. |

Url

| JSON representation |
|---|
| { "url": string, "categories": [ string ], "favicon": { object ( |

| Field | Description |
|---|---|
| url | URL. |
| categories[] | Categorisation done by VirusTotal partners. |
| favicon | Difference hash and MD5 hash of the URL's. |
| htmlMeta | Meta tags (only for URLs downloading HTML). |
| lastFinalUrl | If the original URL redirects, where does it end. |
| lastHttpResponseCode | HTTP response code of the last response. |
| lastHttpResponseContentLength | Length in bytes of the content received. |
| lastHttpResponseContentSha256 | URL response body's SHA256 hash. |
| lastHttpResponseCookies | Website's cookies. |
| lastHttpResponseHeaders | Headers and values of the last HTTP response. |
| tags[] | Tags. |
| title | Webpage title. |
| trackers[] | Trackers found in the URL in a historical manner. |

Tracker

| JSON representation |
|---|
| { "tracker": string, "id": string, "timestamp": string, "url": string } |

| Field | Description |
|---|---|
| tracker | Tracker name. |
| id | Tracker ID, if available. |
| timestamp | Tracker ingestion date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| url | Tracker script URL. |

Browser

| JSON representation |
|---|
| { "browserType": enum ( |

| Field | Description |
|---|---|
| browserType | The browser that recorded the history entry (e.g. "Chrome", "Firefox", "Safari", etc.). |
| browserVersion | The browser version. |
| firstVisitTime | The timestamp indicating the initial visit to the URL. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastVisitTime | The timestamp indicating the most recent visit to the URL. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| profile | The browser profile associated with the history entry. |
| typed | A boolean value indicating if the URL was typed by the user. |
| visitType | Describes the type of navigation or visit (e.g., direct, redirect, etc.). |
| hidden | A boolean value indicating if the history entry is hidden. |
| requestOriginUri | Indicates the URI from which the current visit originated. |
| visitCount | The total number of times the Url has been visited. |
| visitCountCriteria | Describes the criteria used to calculate the visit_count. |
| indexedContent | Represents the textual content of a web page. This field should be kept short. Large strings may affect latency and payload sizes. |
firstBookmarkedTime |
The timestamp indicating the first time the URL was bookmarked. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
cookies[] |
Information about the cookies. |
typedCount |
The number of times the URL was visited with this specific visit type and visit source. |
visitSource |
The source of the visit. |
Cookie
| JSON representation |
|---|
{
"name": string,
"value": string,
"domain": string,
"path": string,
"expirationTime": string,
"httpOnly": boolean,
"secure": boolean,
"maxAge": string,
"sameSite": enum ( |
| Fields | |
|---|---|
name |
The unique name identifying the cookie. |
value |
The data stored within the cookie. |
domain |
The domain for which the cookie is valid. |
path |
The URL path for which the cookie is valid. |
expirationTime |
The date and time when the cookie will expire. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
httpOnly |
Indicates if the cookie is inaccessible via client-side scripts (e.g., JavaScript). |
secure |
Indicates if the cookie should only be sent over secure HTTPS connections. |
maxAge |
The maximum age of the cookie in seconds. |
sameSite |
Affects cross-site request behavior. |
session |
Indicates if the cookie is persistent. |
partitioned |
Shows if the cookie is stored using partitioned storage. |
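The Cookie attributes above (secure, httpOnly, sameSite, expirationTime, maxAge) are the ones a reviewer checks when a Browser.cookies[] entry turns out to carry a session or authentication token. The following is an added example, not code from the page or the product: it audits a list of Cookie objects in the camelCase JSON shape shown above and reports the weak attributes. SAMPLE_COOKIES is constructed, the exact string spelling of the sameSite enum is an assumption (only a value ending in NONE is treated specially), and the name hints used to guess which cookies are session-like are this example's own.

```python
"""Audit Browser.cookies[] entries (Cookie message, camelCase JSON) for weak attributes.

Added example, not the product's code. SAMPLE_COOKIES is constructed; the sameSite
enum spellings and the session-name hints are assumptions of this example."""
from datetime import datetime, timezone

SAMPLE_COOKIES = [
    {"name": "SESSIONID", "value": "abc123", "domain": "app.example.com", "path": "/",
     "expirationTime": "2030-01-01T00:00:00Z", "httpOnly": False, "secure": False,
     "maxAge": "2592000", "sameSite": "SAME_SITE_NONE", "session": False, "partitioned": False},
    {"name": "csrf", "value": "tok", "domain": "app.example.com", "path": "/",
     "httpOnly": True, "secure": True, "sameSite": "SAME_SITE_STRICT", "session": True},
]

# Substrings that usually mark a cookie as carrying a session or bearer credential (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "jwt")


def parse_rfc3339(ts):
    """RFC 3339 -> aware datetime. fromisoformat() accepts a trailing 'Z' only from 3.11 on."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_persistent(cookie, now=None):
    """Persistent = written to disk: a future expirationTime or a positive maxAge."""
    now = now or datetime.now(timezone.utc)
    if cookie.get("expirationTime") and parse_rfc3339(cookie["expirationTime"]) > now:
        return True
    return int(cookie.get("maxAge") or 0) > 0


def audit_cookie(cookie, now=None):
    """Return the list of weaknesses found on one Cookie object (empty list = nothing to flag)."""
    findings = []
    name = str(cookie.get("name", "")).lower()
    session_like = any(hint in name for hint in SESSION_NAME_HINTS)
    secure = bool(cookie.get("secure", False))
    same_site = str(cookie.get("sameSite", "")).upper()

    if not secure:
        findings.append("missing Secure: cookie can be sent over plaintext HTTP")
    if session_like and not cookie.get("httpOnly", False):
        findings.append("session-like cookie readable by script (no HttpOnly)")
    if same_site.endswith("NONE") and not secure:
        findings.append("SameSite=None without Secure: browsers reject or downgrade it")
    if same_site.endswith("NONE") and session_like:
        findings.append("session-like cookie is sent on cross-site requests (SameSite=None)")
    if session_like and is_persistent(cookie, now):
        findings.append("session-like cookie persisted to disk (expirationTime/maxAge set)")
    return findings


def audit_cookies(cookies, now=None):
    """Map cookie name -> findings, keeping only cookies that have at least one."""
    report = {}
    for cookie in cookies:
        findings = audit_cookie(cookie, now)
        if findings:
            report[cookie.get("name", "?")] = findings
    return report


if __name__ == "__main__":
    for cookie_name, problems in audit_cookies(SAMPLE_COOKIES).items():
        print(cookie_name)
        for problem in problems:
            print("  -", problem)
```

The `session` field is deliberately not used to decide persistence: its description above is ambiguous, whereas a future expirationTime or a positive maxAge is unambiguous evidence that the cookie outlives the browser session.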
Group
| JSON representation |
|---|
{
"productObjectId": string,
"creationTime": string,
"groupDisplayName": string,
"attribute": {
object ( |
| Fields | |
|---|---|
productObjectId |
Product globally unique group object identifier, such as an LDAP Object Identifier. |
creationTime |
Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
groupDisplayName |
Group display name. e.g. "Finance". |
attribute |
Generic entity metadata attributes of the group. |
emailAddresses[] |
Email addresses of the group. |
windowsSid |
Microsoft Windows SID of the group. |
Process
| JSON representation |
|---|
{ "pid": string, "parentPid": string, "parentProcess": { object ( |
| Fields | |
|---|---|
pid |
The process ID. This field can be used as an entity indicator for process entities. |
parentPid |
The ID of the parent process. Deprecated: use parent_process.pid instead. |
parentProcess |
Information about the parent process. |
file |
Information about the file in use by the process. |
commandLine |
The command line command that created the process. This field can be used as an entity indicator for process entities. |
commandLineHistory[] |
The command line history of the process. |
productSpecificProcessId |
A product specific process id. |
accessMask |
A bit mask representing the level of access. |
integrityLevelRid |
The Microsoft Windows integrity level relative ID (RID) of the process. |
euid |
The effective user ID of the process. |
ruid |
The real user ID of the process. |
egid |
The effective group ID of the process. |
rgid |
The real group ID of the process. |
pgid |
The identifier that points to the process group ID leader. |
sessionLeaderPid |
The process ID of the session leader process. |
tty |
The teletype terminal which the command was executed within. |
tokenElevationType |
The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. |
productSpecificParentProcessId |
A product-specific ID for the parent process. Deprecated: use parent_process.product_specific_process_id instead. |
ipv6 |
This is used to determine if the process is an IPv6 process. |
kernelDuration |
The kernel time spent in the process. A duration in seconds with up to nine fractional digits, ending with ' |
userDuration |
The user time spent in the process. A duration in seconds with up to nine fractional digits, ending with ' |
realDuration |
The real time spent in the process. This is the sum of the kernel and user time. A duration in seconds with up to nine fractional digits, ending with ' |
File
| JSON representation |
|---|
{ "sha256": string, "md5": string, "sha1": string, "size": string, "fullPath": string, "mimeType": string, "fileMetadata": { object ( |
| Fields | |
|---|---|
sha256 |
The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
md5 |
The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
sha1 |
The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
size |
The size of the file in bytes. |
fullPath |
The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. |
mimeType |
The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". |
fileMetadata |
Metadata associated with the file. Deprecated: use the corresponding fields in File instead. |
securityResult |
Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. |
peFile |
Metadata about the Portable Executable (PE) file. |
ssdeep |
Ssdeep (context-triggered piecewise hash) of the file. |
vhash |
Vhash of the file. |
ahash |
Deprecated. Use authentihash instead. |
authentihash |
Authentihash of the file. |
symhash |
SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. |
prefetchFileMetadata |
Metadata about the prefetch file. |
fileType |
File type. |
capabilitiesTags[] |
Capabilities tags. |
names[] |
File names associated with the file. |
tags[] |
Tags for the file. |
lastModificationTime |
Timestamp when the file was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
createTime |
Timestamp when the file was created. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastAccessTime |
Timestamp when the file was accessed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
prevalence |
Prevalence of the file hash in the customer's environment. |
firstSeenTime |
Timestamp the file was first seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastSeenTime |
Timestamp the file was last seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
statMode |
The mode of the file. A bit string indicating the permissions and privileges of the file. |
statInode |
The file identifier. Unique identifier of object within a file system. |
statDev |
The file system identifier to which the object belongs. |
statNlink |
Number of links to file. |
statFlags |
User defined flags for file. |
lastAnalysisTime |
Timestamp the file was last analysed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
embeddedUrls[] |
Embedded urls found in the file. |
embeddedDomains[] |
Embedded domains found in the file. |
embeddedIps[] |
Embedded IP addresses found in the file. |
exifInfo |
Exif metadata from different file formats extracted by exiftool. |
signatureInfo |
File signature information extracted from different tools. |
pdfInfo |
Information about the PDF file structure. |
firstSubmissionTime |
First submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastSubmissionTime |
Last submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
mainIcon |
Icon's relevant hashes. |
ntfs |
NTFS metadata. |
appCompatCache |
Windows AppCompatCache (Application Compatibility) metadata. |
FileMetadata
| JSON representation |
|---|
{
"pe": {
object ( |
| Fields | |
|---|---|
pe |
Metadata for Microsoft Windows PE files. Deprecated: PeFileMetadata is superseded by the fields of the single File message. |
PeFileMetadata
| JSON representation |
|---|
{ "importHash": string } |
| Fields | |
|---|---|
importHash |
Hash of PE imports. |
FileMetadataPE
| JSON representation |
|---|
{ "imphash": string, "entryPoint": string, "entryPointExiftool": string, "compilationTime": string, "compilationExiftoolTime": string, "section": [ { object ( |
| Fields | |
|---|---|
imphash |
Imphash of the file. |
entryPoint |
Entry point of the PE file (source key: info.pe-entry-point). |
entryPointExiftool |
Entry point as reported by exiftool (source key: info.exiftool.EntryPoint). |
compilationTime |
info.pe-timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
compilationExiftoolTime |
info.exiftool.TimeStamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
section[] |
PE sections (FileMetadataSection). |
imports[] |
Imported libraries and functions (FileMetadataImports). |
resource[] |
PE resources (FileMetadataPeResourceInfo). |
resourcesTypeCount[] |
Deprecated: use resources_type_count_str. |
resourcesLanguageCount[] |
Deprecated: use resources_language_count_str. |
resourcesTypeCountStr[] |
Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 |
resourcesLanguageCountStr[] |
Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 |
signatureInfo |
Signature information (FileMetadataSignatureInfo). Deprecated: use File.signature_info instead. |
FileMetadataSection
| JSON representation |
|---|
{ "name": string, "entropy": number, "rawSizeBytes": string, "virtualSizeBytes": string, "md5Hex": string } |
| Fields | |
|---|---|
name |
Name of the section. |
entropy |
Entropy of the section. |
rawSizeBytes |
Raw file size in bytes. |
virtualSizeBytes |
Virtual file size in bytes. |
md5Hex |
MD5 hash of the section, hex-encoded. |
FileMetadataImports
| JSON representation |
|---|
{ "library": string, "functions": [ string ] } |
| Fields | |
|---|---|
library |
Name of the imported library (for example a DLL). |
functions[] |
Functions imported from that library. |
FileMetadataPeResourceInfo
| JSON representation |
|---|
{ "sha256Hex": string, "filetypeMagic": string, "languageCode": string, "entropy": number, "fileType": string } |
| Fields | |
|---|---|
sha256Hex |
SHA256 hash of the resource, hex-encoded. |
filetypeMagic |
Type of resource content, as identified by the magic Python module. |
languageCode |
Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: |
| Language | Sublanguage | Field value |
|---|---|---|
| LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL |
| LANG_FRENCH | - | FRENCH |
| LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |
entropy |
Entropy of the resource. |
fileType |
File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. |
StringToInt64MapEntry
| JSON representation |
|---|
{ // Union field |
| Fields | |
|---|---|
key (union field) |
Key field. |
value (union field) |
Value field. |
FileMetadataSignatureInfo
| JSON representation |
|---|
{ "verificationMessage": string, "verified": boolean, "signer": [ string ], "signers": [ { object ( |
| Fields | |
|---|---|
verificationMessage |
Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. |
verified |
True if verification_message == "Signed" |
signer[] |
Deprecated: use signers field. |
signers[] |
File metadata signer information. The order of the signers matters: the first element is the certificate that signed the file, each following element is a higher-level authority, and the last is the root authority. |
x509[] |
List of certificates. |
SignerInfo
| JSON representation |
|---|
{ // Union field |
| Fields | |
|---|---|
name (union field) |
Common name of the signer's certificate. The order of the signers matters: each element is a higher-level authority than the one before it, the last being the root authority. |
status (union field) |
"Valid", or a description of the problem with the certificate (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). |
validUsage (union field) |
Indicates which situations the certificate is valid for (e.g. "Code Signing"). |
certIssuer (union field) |
Company that issued the certificate. |
X509
| JSON representation |
|---|
{ "name": string, "algorithm": string, "thumbprint": string, "certIssuer": string, "serialNumber": string } |
| Fields | |
|---|---|
name |
Certificate name. |
algorithm |
Certificate algorithm. |
thumbprint |
Certificate thumbprint. |
certIssuer |
Issuer of the certificate. |
serialNumber |
Certificate serial number. |
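FileMetadataSignatureInfo packs three facts a responder needs to combine: the overall verification verdict (verificationMessage, with verified defined as that message being exactly "Signed"), the per-certificate status of every element of the signers[] chain, and the chain order (signing certificate first, root last). The following is an added example, not code from the page or the product: it evaluates one such object against an allow-list of leaf signer names and explains every reason for rejecting it. SAMPLE_SIGNATURE is constructed and every organisation name in it is a placeholder.

```python
"""Decide whether a FileMetadataSignatureInfo object vouches for a file.

Added example, not the product's code. SAMPLE_SIGNATURE is constructed and all
names in it are placeholders."""
import copy

SAMPLE_SIGNATURE = {
    "verificationMessage": "Signed",
    "verified": True,
    # Signing certificate first, root last, as the signers[] description says.
    "signers": [
        {"name": "Example Software Ltd", "status": "Valid",
         "validUsage": "Code Signing", "certIssuer": "Example Code Signing CA"},
        {"name": "Example Code Signing CA", "status": "Valid",
         "validUsage": "Code Signing", "certIssuer": "Example Root CA"},
        {"name": "Example Root CA", "status": "Valid",
         "validUsage": "Code Signing", "certIssuer": "Example Root CA"},
    ],
    "x509": [
        {"name": "Example Software Ltd", "algorithm": "sha256RSA", "thumbprint": "00112233",
         "certIssuer": "Example Code Signing CA", "serialNumber": "01"},
    ],
}


def chain_links(signers):
    """True when each element's certIssuer names the next element (leaf -> ... -> root)."""
    return all(child.get("certIssuer") == parent.get("name")
               for child, parent in zip(signers, signers[1:]))


def evaluate_signature(sig, allowed_leaf_names):
    """Return (trusted, reasons); trusted is True only when no reason was recorded."""
    reasons = []
    message = sig.get("verificationMessage")
    verified = bool(sig.get("verified", False))
    # The page defines verified as message == "Signed"; any disagreement means a damaged record.
    if verified != (message == "Signed"):
        reasons.append(f"verified={verified} contradicts verificationMessage={message!r}")
    if message != "Signed":
        reasons.append(f"not signed cleanly: {message!r}")
    signers = sig.get("signers") or []
    if not signers:
        reasons.append("no signer chain recorded")
        return False, reasons
    invalid = [s.get("name") for s in signers if s.get("status") != "Valid"]
    if invalid:
        reasons.append("certificate problems on: " + ", ".join(map(str, invalid)))
    leaf = signers[0]
    if "Code Signing" not in (leaf.get("validUsage") or ""):
        reasons.append(f"leaf certificate not valid for code signing ({leaf.get('validUsage')!r})")
    if not chain_links(signers):
        reasons.append("certIssuer values do not link the chain from leaf to root")
    if leaf.get("name") not in allowed_leaf_names:
        reasons.append(f"leaf signer {leaf.get('name')!r} is not on the allow-list")
    return not reasons, reasons


def tampered_copy(sig, **leaf_overrides):
    """What-if helper: a deep copy whose leaf signer has the given fields changed."""
    out = copy.deepcopy(sig)
    out["signers"][0].update(leaf_overrides)
    return out


if __name__ == "__main__":
    allow = {"Example Software Ltd"}
    print(evaluate_signature(SAMPLE_SIGNATURE, allow))
    print(evaluate_signature(tampered_copy(SAMPLE_SIGNATURE, status="Expired"), allow))
```

Checking the leaf name alone is not enough: a "Signed" verdict with an intermediate whose status is anything but "Valid", or whose certIssuer does not name the next element, is exactly the shape a self-signed or mis-chained binary produces, which is why every element of the chain is inspected.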
PrefetchFileMetadata
| JSON representation |
|---|
{ "runCount": string, "prefetchHash": string } |
| Fields | |
|---|---|
runCount |
The number of times the application has been run. |
prefetchHash |
A hash of the executable path used to identify the prefetch file. |
ExifInfo
| JSON representation |
|---|
{ "originalFile": string, "product": string, "company": string, "fileDescription": string, "entryPoint": string, "compilationTime": string } |
| Fields | |
|---|---|
originalFile |
Original file name. |
product |
Product name. |
company |
Company name. |
fileDescription |
Description of the file. |
entryPoint |
Entry point. |
compilationTime |
Compilation time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
SignatureInfo
| JSON representation |
|---|
{ "sigcheck": { object ( |
| Fields | |
|---|---|
sigcheck |
Signature information extracted from the sigcheck tool. |
codesign |
Signature information extracted from the codesign utility. |
FileMetadataCodesign
| JSON representation |
|---|
{ "id": string, "format": string, "compilationTime": string, "teamId": string } |
| Fields | |
|---|---|
id |
Code sign identifier. |
format |
Code sign format. |
compilationTime |
Code sign timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
teamId |
The assigned team identifier of the developer who signed the application. |
PDFInfo
| JSON representation |
|---|
{ "js": string, "javascript": string, "launchActionCount": string, "objectStreamCount": string, "endobjCount": string, "header": string, "acroform": string, "autoaction": string, "embeddedFile": string, "encrypted": string, "flash": string, "jbig2Compression": string, "objCount": string, "endstreamCount": string, "pageCount": string, "streamCount": string, "openaction": string, "startxref": string, "suspiciousColors": string, "trailer": string, "xfa": string, "xref": string } |
| Fields | |
|---|---|
js |
Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. |
javascript |
Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. |
launchActionCount |
Number of /Launch tags found in the PDF file. |
objectStreamCount |
Number of object streams. |
endobjCount |
Number of object definitions (endobj keyword). |
header |
PDF version. |
acroform |
Number of /AcroForm tags found in the PDF. |
autoaction |
Number of /AA tags found in the PDF. |
embeddedFile |
Number of /EmbeddedFile tags found in the PDF. |
encrypted |
Whether the document is encrypted or not. This is defined by the /Encrypt tag. |
flash |
Number of /RichMedia tags found in the PDF. |
jbig2Compression |
Number of /JBIG2Decode tags found in the PDF. |
objCount |
Number of objects definitions (obj keyword). |
endstreamCount |
Number of endstream keywords in the PDF. In a well-formed file this matches streamCount. |
pageCount |
Number of pages in the PDF. |
streamCount |
Number of defined stream objects (stream keyword). |
openaction |
Number of /OpenAction tags found in the PDF. |
startxref |
Number of startxref keywords in the PDF. |
suspiciousColors |
Number of colors expressed with more than 3 bytes (CVE-2009-3459). |
trailer |
Number of trailer keywords in the PDF. |
xfa |
Number of /XFA tags found in the PDF. |
xref |
Number of xref keywords in the PDF. |
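Every PDFInfo counter arrives as a JSON string, and several of them only become useful in combination: the page itself notes that js and javascript "should be the same in normal scenarios", and obj/endobj and stream/endstream are pairs that agree in a well-formed file. The following is an added example, not code from the page or the product: it converts the counters, applies triage rules built only from the fields described above, and produces a ranked list of reasons. SAMPLE_PDFINFO is constructed, and the weights are this example's own, not a vendor scale.

```python
"""Rank a PDFInfo object by structural red flags.

Added example, not the product's code. SAMPLE_PDFINFO is constructed and the
weights are this example's own choice."""

SAMPLE_PDFINFO = {
    "js": "2", "javascript": "1", "launchActionCount": "1", "objectStreamCount": "0",
    "endobjCount": "40", "header": "%PDF-1.7", "acroform": "0", "autoaction": "0",
    "embeddedFile": "1", "encrypted": "0", "flash": "0", "jbig2Compression": "0",
    "objCount": "41", "endstreamCount": "7", "pageCount": "1", "streamCount": "8",
    "openaction": "1", "startxref": "1", "suspiciousColors": "0", "trailer": "1",
    "xfa": "0", "xref": "1",
}


def as_int(info, key):
    """Counters are JSON strings. Missing/empty -> 0, 'true'/'false' -> 1/0, otherwise int()."""
    raw = info.get(key)
    if raw in (None, ""):
        return 0
    if isinstance(raw, bool):
        return int(raw)
    text = str(raw).strip().lower()
    if text in ("true", "false"):
        return int(text == "true")
    return int(text)


def triage_pdf(info):
    """Return [(weight, reason), ...] for the red flags present in one PDFInfo object."""
    hits = []
    js, javascript = as_int(info, "js"), as_int(info, "javascript")
    if js or javascript:
        hits.append((3, "embedded JavaScript"))
    if js != javascript:
        hits.append((2, f"/JS ({js}) and /JavaScript ({javascript}) counts differ; "
                        "possible obfuscated or malformed action"))
    if as_int(info, "openaction") or as_int(info, "autoaction"):
        hits.append((2, "action fires automatically (/OpenAction or /AA)"))
    if as_int(info, "launchActionCount"):
        hits.append((4, "/Launch action can start an external program"))
    if as_int(info, "embeddedFile"):
        hits.append((2, "embedded file payload"))
    if as_int(info, "flash"):
        hits.append((2, "/RichMedia content"))
    if as_int(info, "xfa"):
        hits.append((1, "XFA form"))
    if as_int(info, "jbig2Compression"):
        hits.append((1, "JBIG2 streams"))
    if as_int(info, "suspiciousColors"):
        hits.append((3, "oversized colour values (CVE-2009-3459 pattern)"))
    if as_int(info, "objCount") != as_int(info, "endobjCount"):
        hits.append((1, "obj/endobj counts differ (truncated or malformed object table)"))
    if as_int(info, "streamCount") != as_int(info, "endstreamCount"):
        hits.append((1, "stream/endstream counts differ"))
    if as_int(info, "encrypted"):
        hits.append((1, "encrypted: the other counters may undercount"))
    return hits


def pdf_score(info):
    """Sum of the weights; higher means look at this file first."""
    return sum(weight for weight, _ in triage_pdf(info))


if __name__ == "__main__":
    print("score", pdf_score(SAMPLE_PDFINFO))
    for weight, reason in sorted(triage_pdf(SAMPLE_PDFINFO), reverse=True):
        print(f"  [{weight}] {reason}")
```

The encrypted flag is treated as a reason to look harder rather than a verdict: with /Encrypt present, the tag counters were computed over content the scanner may not have been able to read.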
NtfsFileMetadata
| JSON representation |
|---|
{
"changeTime": string,
"filenameCreateTime": string,
"filenameModifyTime": string,
"filenameAccessTime": string,
"filenameChangeTime": string,
"usnJournal": [
{
object ( |
| Fields | |
|---|---|
changeTime |
NTFS MFT entry changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
filenameCreateTime |
NTFS $FILE_NAME attribute created timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
filenameModifyTime |
NTFS $FILE_NAME attribute modified timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
filenameAccessTime |
NTFS $FILE_NAME attribute accessed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
filenameChangeTime |
NTFS $FILE_NAME attribute changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
usnJournal[] |
NTFS USN journal. |
UsnJournal
| JSON representation |
|---|
{ "attributesFlag": string, "attributes": enum ( |
| Fields | |
|---|---|
attributesFlag |
File attributes flags from the USN record (e.g., "0x20"). |
attributes |
Deprecated: Use file_attributes instead. File attributes from the USN record. |
fileAttributes[] |
File attributes from the USN record. |
allocated |
Indicates whether the file is allocated in the Master File Table (MFT). |
reason |
Human-readable string describing the reason for the USN journal entry (e.g., "USN_REASON_FILE_CREATE"). |
AppCompatMetadata
| JSON representation |
|---|
{ "sequence": integer, "executed": boolean, "controlSet": string } |
| Fields | |
|---|---|
sequence |
Indicates the chronological order in which the entry was added to the cache. |
executed |
Indicates whether the file associated with the entry was executed. |
controlSet |
Indicates which registry Control Set the AppCompatCache data belongs to (e.g., "ControlSet001"). |
Asset
| JSON representation |
|---|
{ "productObjectId": string, "hostname": string, "assetId": string, "ip": [ string ], "mac": [ string ], "natIp": [ string ], "firstSeenTime": string, "hardware": [ { object ( |
| Fields | |
|---|---|
productObjectId |
A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. |
hostname |
Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. |
assetId |
The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. |
ip[] |
A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. |
mac[] |
List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. |
natIp[] |
List of NAT IP addresses associated with an asset. |
firstSeenTime |
The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
hardware[] |
The asset hardware specifications. |
platformSoftware |
The asset operating system platform software. |
software[] |
The asset software details. |
location |
Location of the asset. |
category |
The category of the asset (e.g. "End User Asset", "Workstation", "Server"). |
type |
The type of the asset (e.g. workstation or laptop or server). |
networkDomain |
The network domain of the asset (e.g. "corp.acme.com") |
creationTime |
Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
firstDiscoverTime |
Time the asset was first discovered (by asset management/discoverability software). Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastDiscoverTime |
Time the asset was last discovered (by asset management/discoverability software). Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
systemLastUpdateTime |
Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastBootTime |
Time the asset was last boot started. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
labels[] |
Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. |
deploymentStatus |
The deployment status of the asset for device lifecycle purposes. |
vulnerabilities[] |
Vulnerabilities discovered on asset. |
attribute |
Generic entity metadata attributes of the asset. |
wmiPersistenceItem |
Information about a WMI persistence item. |
Hardware
| JSON representation |
|---|
{ "serialNumber": string, "manufacturer": string, "model": string, "cpuPlatform": string, "cpuModel": string, "cpuClockSpeed": string, "cpuMaxClockSpeed": string, "cpuNumberCores": string, "ram": string } |
| Fields | |
|---|---|
serialNumber |
Hardware serial number. |
manufacturer |
Hardware manufacturer. |
model |
Hardware model. |
cpuPlatform |
Platform of the hardware CPU (e.g. "Intel Broadwell"). |
cpuModel |
Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). |
cpuClockSpeed |
Clock speed of the hardware CPU in MHz. |
cpuMaxClockSpeed |
Maximum possible clock speed of the hardware CPU in MHz. |
cpuNumberCores |
Number of CPU cores. |
ram |
Amount of hardware random access memory (RAM) in MB. |
PlatformSoftware
| JSON representation |
|---|
{
"platform": enum ( |
| Fields | |
|---|---|
platform |
The platform operating system. |
platformVersion |
The platform software version (e.g. "Microsoft Windows 1803"). |
platformPatchLevel |
The platform software patch level (e.g. "Build 17134.48", "SP1"). |
Software
| JSON representation |
|---|
{
"name": string,
"version": string,
"permissions": [
{
object ( |
| Fields | |
|---|---|
name |
The name of the software. |
version |
The version of the software. |
permissions[] |
System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" |
description |
The description of the software. |
vendorName |
The name of the software vendor. |
Vulnerability
| JSON representation |
|---|
{ "about": { object ( |
| Fields | |
|---|---|
about |
If the vulnerability is about a specific noun (e.g. executable), then add it here. |
name |
Name of the vulnerability (e.g. "Unsupported OS Version detected"). |
description |
Description of the vulnerability. |
vendor |
Vendor of scan that discovered vulnerability. |
scanStartTime |
If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
scanEndTime |
If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
firstFound |
Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastFound |
Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
severity |
The severity of the vulnerability. |
severityDetails |
Vendor-specific severity. |
cvssBaseScore |
CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. |
cvssVector |
Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator |
cvssVersion |
Version of CVSS Vector/Score. |
cveId |
Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id |
cveDescription |
Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record |
vendorVulnerabilityId |
Vendor specific vulnerability id (e.g. Microsoft security bulletin id). |
vendorKnowledgeBaseArticleId |
Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase |
WmiPersistenceItem
| JSON representation |
|---|
{ "caption": string, "name": string, "settingId": string, "derivation": string, "propertyCount": string, "relPath": string, "dynasty": string, "wmiSuperClass": string, "wmiClass": string, "genus": string } |
| Fields | |
|---|---|
caption |
A brief title or caption for the WMI object. |
name |
The name of the WMI object. |
settingId |
The identifier for the setting. |
derivation |
The base class from which the WMI class is derived (e.g., CIM_Setting). |
propertyCount |
The number of properties in the WMI object. |
relPath |
The relative path to the WMI object (e.g., Win32_StartupCommand.Command='''). |
dynasty |
The top-level class in the WMI inheritance hierarchy (e.g., CIM_Setting). |
wmiSuperClass |
The immediate parent class in the WMI inheritance hierarchy. |
wmiClass |
The name of the WMI class. |
genus |
An integer representing the type or version of the WMI object. |
Registry
| JSON representation |
|---|
{
"registryKey": string,
"registryValueName": string,
"registryValueData": string,
"registryValueType": enum ( |
| Fields | |
|---|---|
registryKey |
Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). |
registryValueName |
Name of the registry value associated with an application or system component (e.g. TEMP). |
registryValueData |
Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). |
registryValueType |
Type of the registry value. |
registryValueBinaryData |
Binary data associated with a registry value. This field is only populated if the registry value type is BINARY. This field is not populated for other registry value types. A base64-encoded string. |
Id
| JSON representation |
|---|
{
"namespace": enum ( |
| Fields | |
|---|---|
namespace |
Namespace the id belongs to. |
id |
Full raw ID. A base64-encoded string. |
stringId |
Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... |
Investigation
| JSON representation |
|---|
{ "comments": [ string ], // Union field |
| Fields | |
|---|---|
comments[] |
Comment added by the Analyst. |
verdict (union field) |
Describes the reason a finding investigation was resolved. |
reputation (union field) |
Describes whether a finding was useful or not useful. |
severityScore (union field) |
Severity score for a finding set by an analyst. |
status (union field) |
Describes the workflow status of a finding. |
priority (union field) |
Priority of the Alert or Finding set by an analyst. |
rootCause (union field) |
Root cause of the Alert or Finding set by an analyst. |
reason (union field) |
Reason for closing the Case or Alert. |
riskScore (union field) |
Risk score for a finding set by an analyst. |
id (union field) |
Identifier for the investigation. |
VariablesEntry
| JSON representation |
|---|
| { "key": string, "value": { object ( |
| Fields | |
|---|---|
| key | Name of the variable (the map key). |
| value | The variable's value, as a FindingVariable object. |
FindingVariable
| JSON representation |
|---|
| { "type": enum ( |
typed_value is a union field holding the typed value of the variable; exactly one of the members from boolVal to stringSeq below is populated.
| Fields | |
|---|---|
| type | The type of the variable. |
| value | The value in string form. |
| sourcePath | The UDM field path of the field this value was derived from. |
| boolVal | The value in boolean format. |
| bytesVal | The value in bytes format. A base64-encoded string. |
| doubleVal | The value in double format. |
| int64Val | The value in int64 format. |
| uint64Val | The value in uint64 format. |
| stringVal | The value in string format. Enum values are returned as strings. |
| timestampTime | The value in timestamp format. RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| nullVal | Whether the value is null. |
| boolSeq | The value as a boolean sequence (BoolSequence). |
| bytesSeq | The value as a bytes sequence (BytesSequence). |
| doubleSeq | The value as a double sequence (DoubleSequence). |
| int64Seq | The value as an int64 sequence (Int64Sequence). |
| uint64Seq | The value as a uint64 sequence (Uint64Sequence). |
| stringSeq | The value as a string sequence (StringSequence). |
BoolSequence
| JSON representation |
|---|
| { "boolVals": [ boolean ] } |
| Fields | |
|---|---|
| boolVals[] | Boolean sequence. |
BytesSequence
| JSON representation |
|---|
| { "bytesVals": [ string ] } |
| Fields | |
|---|---|
| bytesVals[] | Bytes sequence. Each element is a base64-encoded string. |
DoubleSequence
| JSON representation |
|---|
| { "doubleVals": [ number ] } |
| Fields | |
|---|---|
| doubleVals[] | Double sequence. |
Int64Sequence
| JSON representation |
|---|
| { "int64Vals": [ string ] } |
| Fields | |
|---|---|
| int64Vals[] | int64 sequence. Each element is serialized as a decimal string in JSON. |
Uint64Sequence
| JSON representation |
|---|
| { "uint64Vals": [ string ] } |
| Fields | |
|---|---|
| uint64Vals[] | uint64 sequence. Each element is serialized as a decimal string in JSON. |
StringSequence
| JSON representation |
|---|
| { "stringVals": [ string ] } |
| Fields | |
|---|---|
| stringVals[] | String sequence. |
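As an added example (written for this edit, not code from the Chronicle API or this reference), the Python below decodes the typed_value union and the sequence wrappers described above into ordinary Python values. It assumes the JSON key spellings shown in these tables, that int64/uint64 scalars arrive as decimal strings the way their sequence forms do, and it leaves timestampTime as an RFC 3339 string. The variables map it runs on is constructed sample data, and the sourcePath in it is illustrative.

```python
import base64
from typing import Any

# Members of the typed_value union as listed in the FindingVariable reference,
# mapped to a decoder for the JSON form. 64-bit integers and bytes arrive as
# strings (decimal text and base64); timestampTime is kept as RFC 3339 text.
_SCALARS = {
    "boolVal": bool,
    "doubleVal": float,
    "int64Val": int,
    "uint64Val": int,
    "stringVal": str,
    "timestampTime": str,
    "bytesVal": base64.b64decode,
}
# Sequence members: union key -> (inner array key from the *Sequence tables, element decoder)
_SEQUENCES = {
    "boolSeq": ("boolVals", bool),
    "bytesSeq": ("bytesVals", base64.b64decode),
    "doubleSeq": ("doubleVals", float),
    "int64Seq": ("int64Vals", int),
    "uint64Seq": ("uint64Vals", int),
    "stringSeq": ("stringVals", str),
}


def decode_typed_value(variable: dict[str, Any]) -> Any:
    """Return the Python value carried by one FindingVariable's typed_value union.

    Exactly one union member must be present; anything else points at a truncated
    or hand-built object, so it is rejected instead of silently picking a member.
    """
    members = [k for k in variable if k == "nullVal" or k in _SCALARS or k in _SEQUENCES]
    if len(members) != 1:
        raise ValueError(f"expected exactly one typed_value member, found {members}")
    key = members[0]
    if key == "nullVal":
        return None
    if key in _SCALARS:
        return _SCALARS[key](variable[key])
    inner_key, decode_element = _SEQUENCES[key]
    return [decode_element(v) for v in variable[key].get(inner_key, [])]


def decode_variables(variables: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Turn a variables map (VariablesEntry key -> FindingVariable) into name -> Python value."""
    return {name: decode_typed_value(var) for name, var in variables.items()}


# Constructed sample data shaped like a detection's variables map (not taken from a real alert).
SAMPLE_VARIABLES = {
    "target_ip": {"value": "10.0.0.5", "sourcePath": "target.ip", "stringVal": "10.0.0.5"},
    "event_count": {"value": "4", "int64Val": "4"},
    "hashes": {"bytesSeq": {"bytesVals": ["AAEC", "/w=="]}},
    "is_admin": {"value": "true", "boolVal": True},
    "first_seen": {"timestampTime": "2024-05-01T12:00:00.123456789Z"},
    "missing": {"nullVal": None},
}

if __name__ == "__main__":
    for name, value in decode_variables(SAMPLE_VARIABLES).items():
        print(f"{name}: {value!r}")
```

Rejecting objects with zero or several union members is deliberate: a variable that lost its typed member to truncation would otherwise decode to whatever member happened to be listed first.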
AnalyticsMetadata
| JSON representation |
|---|
| { "analytic": string } |
| Fields | |
|---|---|
| analytic | Name of the analytic. |
AttackDetails
| JSON representation |
|---|
| { "version": string, "tactics": [ { object ( |
| Fields | |
|---|---|
| version | ATT&CK version (e.g. 12.1). |
| tactics[] | Tactics employed. |
| techniques[] | Techniques employed. |
Tactic
| JSON representation |
|---|
| { "id": string, "name": string } |
| Fields | |
|---|---|
| id | Tactic ID (e.g. "TA0043"). |
| name | Tactic name (e.g. "Reconnaissance"). |
Technique
| JSON representation |
|---|
| { "id": string, "name": string, "subtechniqueId": string, "subtechniqueName": string } |
| Fields | |
|---|---|
| id | Technique ID (e.g. "T1595"). |
| name | Technique name (e.g. "Active Scanning"). |
| subtechniqueId | Sub-technique ID (e.g. "T1595.001"). |
| subtechniqueName | Sub-technique name (e.g. "Scanning IP Blocks"). |
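Added example, not part of the reference or the product: the Python below validates the ID shapes shown for Tactic and Technique, rejects a sub-technique filed under the wrong parent technique, and counts ATT&CK coverage across a list of AttackDetails objects. The sample objects are constructed; the IDs and names in the first two are real ATT&CK entries, and the third is deliberately malformed.

```python
import re
from collections import Counter
from typing import Any

# ID shapes as used in the Tactic and Technique tables above (TA0043, T1595, T1595.001).
TACTIC_ID = re.compile(r"^TA\d{4}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}$")
SUBTECHNIQUE_ID = re.compile(r"^(T\d{4})\.\d{3}$")


def validate_attack_details(details: dict[str, Any]) -> list[str]:
    """Return the problems found in one AttackDetails object (empty list when it is clean).

    Beyond the ID shapes, a sub-technique must belong to the technique it is listed
    under: T1595.001 under T1190 is a mapping error, not a new finding.
    """
    problems: list[str] = []
    for tactic in details.get("tactics", []):
        tid = tactic.get("id", "")
        if not TACTIC_ID.match(tid):
            problems.append(f"bad tactic id {tid!r}")
    for technique in details.get("techniques", []):
        tid = technique.get("id", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"bad technique id {tid!r}")
        sub = technique.get("subtechniqueId")
        if sub:
            match = SUBTECHNIQUE_ID.match(sub)
            if not match:
                problems.append(f"bad subtechnique id {sub!r}")
            elif match.group(1) != tid:
                problems.append(f"subtechnique {sub} does not belong to technique {tid}")
    return problems


def attack_coverage(details_list: list[dict[str, Any]]) -> dict[str, Counter]:
    """Count how many AttackDetails objects mention each tactic and (sub)technique.

    Each object counts once per ID even if it repeats it. A sub-technique is counted
    under its own ID and under its parent technique, so T1595 reflects every object
    that hit any of its sub-techniques. Objects that fail validation are skipped.
    """
    tactics: Counter = Counter()
    techniques: Counter = Counter()
    for details in details_list:
        if validate_attack_details(details):
            continue
        tactics.update({t["id"] for t in details.get("tactics", [])})
        seen = set()
        for t in details.get("techniques", []):
            seen.add(t["id"])
            if t.get("subtechniqueId"):
                seen.add(t["subtechniqueId"])
        techniques.update(seen)
    return {"tactics": tactics, "techniques": techniques}


# Constructed sample AttackDetails objects (not real alert data). The third one is
# deliberately malformed: its sub-technique is filed under the wrong parent technique.
SAMPLE_ATTACK_DETAILS = [
    {
        "version": "12.1",
        "tactics": [{"id": "TA0043", "name": "Reconnaissance"}],
        "techniques": [{"id": "T1595", "name": "Active Scanning",
                        "subtechniqueId": "T1595.001", "subtechniqueName": "Scanning IP Blocks"}],
    },
    {
        "version": "12.1",
        "tactics": [{"id": "TA0043", "name": "Reconnaissance"},
                    {"id": "TA0001", "name": "Initial Access"}],
        "techniques": [{"id": "T1595", "name": "Active Scanning",
                        "subtechniqueId": "T1595.002", "subtechniqueName": "Vulnerability Scanning"},
                       {"id": "T1190", "name": "Exploit Public-Facing Application"}],
    },
    {
        "version": "12.1",
        "tactics": [{"id": "TA0043", "name": "Reconnaissance"}],
        "techniques": [{"id": "T1595", "name": "Active Scanning",
                        "subtechniqueId": "T1190.001", "subtechniqueName": "Scanning IP Blocks"}],
    },
]

if __name__ == "__main__":
    for details in SAMPLE_ATTACK_DETAILS:
        print(validate_attack_details(details) or "ok")
    print(attack_coverage(SAMPLE_ATTACK_DETAILS))
```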
Association
| JSON representation |
|---|
| { "id": string, "countryCode": [ string ], "type": enum ( |
| Fields | |
|---|---|
| id | Unique association id generated by Mandiant. |
| countryCode[] | Country codes of the countries the threat actor or malware originates from. |
| type | Signifies the type of association. |
| name | Name of the threat actor or malware. |
| description | Human-readable description of the association. |
| role | Role of the malware. Not applicable to threat actors. |
| sourceCountry | Name of the country the threat originated from. |
| alias[] | Aliases of the threat actor, as given by different sources. |
| firstReferenceTime | First time the threat actor was referenced or seen. RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| lastReferenceTime | Last time the threat actor was referenced or seen. RFC 3339 timestamp, as for firstReferenceTime. |
| industriesAffected[] | Industries the threat actor affects. |
| associatedActors[] | Associated threat actors for a malware. Not applicable to threat actors. |
| regionCode | Name of the country the threat is originating from. |
| sponsorRegion | Sponsor region of the threat actor. |
| targetedRegions[] | Targeted regions. |
| tags[] | Tags. |
AssociationAlias
| JSON representation |
|---|
| { "name": string, "company": string } |
| Fields | |
|---|---|
| name | Name of the alias. |
| company | Name of the provider that gave this name to the association. |
Verdict
| JSON representation |
|---|
| { "sourceCount": integer, "responseCount": integer, "neighbourInfluence": string, "verdict": { object ( |
| Fields | |
|---|---|
| sourceCount | Number of sources from which intelligence was extracted. |
| responseCount | Total response count across all sources. |
| neighbourInfluence | Describes the neighbour influence of the verdict. |
| verdict | ML verdict provided by sources such as Mandiant. |
| analystVerdict | Human analyst verdict provided by sources such as Mandiant. |
ProviderMLVerdict
| JSON representation |
|---|
| { "sourceProvider": string, "benignCount": integer, "maliciousCount": integer, "confidenceScore": integer, "mandiantSources": [ { object ( |
| Fields | |
|---|---|
| sourceProvider | Source provider giving the ML verdict. |
| benignCount | Count of responses in which this IoC was marked benign. |
| maliciousCount | Count of responses in which this IoC was marked malicious. |
| confidenceScore | Confidence score of the verdict. |
| mandiantSources[] | Mandiant sources from which the verdict was generated. |
| thirdPartySources[] | Third-party sources from which the verdict was generated. |
Source
| JSON representation |
|---|
| { "name": string, "benignCount": integer, "maliciousCount": integer, "quality": enum ( |
| Fields | |
|---|---|
| name | Name of the IoC source. |
| benignCount | Count of responses in which this IoC was marked benign. |
| maliciousCount | Count of responses in which this IoC was marked malicious. |
| quality | Quality of the IoC mapping extracted from the source. |
| responseCount | Total response count from this source. |
| sourceCount | Number of sources from which intelligence was extracted. |
| threatIntelligenceSources[] | Threat intelligence sources from which the IoC information was extracted. |
AnalystVerdict
| JSON representation |
|---|
| { "confidenceScore": integer, "verdictTime": string, "verdictResponse": enum ( |
| Fields | |
|---|---|
| confidenceScore | Confidence score of the verdict. |
| verdictTime | Timestamp at which the verdict was generated. RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| verdictResponse | Details of the verdict. |
VerdictInfo
| JSON representation |
|---|
| { "sourceCount": integer, "responseCount": integer, "neighbourInfluence": string, "verdictType": enum ( |
| Fields | |
|---|---|
| sourceCount | Number of sources from which intelligence was extracted. |
| responseCount | Total response count across all sources. |
| neighbourInfluence | Describes the near-neighbour influence of the verdict. |
| verdictType | Type of verdict. |
| sourceProvider | Source provider giving the machine-learning verdict. |
| benignCount | Count of responses in which this IoC was marked benign. |
| maliciousCount | Count of responses in which this IoC was marked malicious. |
| confidenceScore | Confidence score of the verdict. |
| iocStats[] | IoCStats from which the verdict was generated. |
| verdictTime | Timestamp when the verdict was generated. RFC 3339 timestamp, Z-normalized on output as described for AnalystVerdict.verdictTime. |
| verdictResponse | Details about the verdict. |
| globalCustomerCount | Global customer count over the last 30 days. |
| globalHitsCount | Global hit count over the last 30 days. |
| pwn | Whether one or more Mandiant incident response customers had this indicator in their environment. |
| categoryDetails | Tags related to the verdict. |
| pwnFirstTaggedTime | Timestamp of the first time a pwn was associated with this entity. RFC 3339 timestamp, Z-normalized on output as described for AnalystVerdict.verdictTime. |
IoCStats
| JSON representation |
|---|
| { "iocStatsType": enum ( |
| Fields | |
|---|---|
| iocStatsType | Describes the source of the IoCStat. |
| firstLevelSource | Name of the first-level IoC source, for example Mandiant or a third party. |
| secondLevelSource | Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. |
| benignCount | Count of responses in which the IoC was identified as benign. |
| quality | Level of confidence in the IoC mapping extracted from the source. |
| maliciousCount | Count of responses in which the IoC was identified as malicious. |
| responseCount | Total number of responses from the source. |
| sourceCount | Number of sources from which information was extracted. |
ThreatCollectionItem
| JSON representation |
|---|
| { "id": string, "type": enum ( |
| Fields | |
|---|---|
| id | The ID of the threat collection. |
| type | The type of threat collection (e.g., "campaign"). |
| altNames[] | Alternative names of the threat collection. |
Reference
| JSON representation |
|---|
| { "event": { object ( |
Only one of event or entity is populated for a single reference.
| Fields | |
|---|---|
| event | Event being referenced. |
| entity | Entity being referenced. Where the entity graph is overridden by a data table, this is the original entity. |
| joinedDataTableRows[] | The data table rows joined with the event. |
| graphEnrichment | The entity graph enrichment details. Only set when the reference is an entity that has been overridden by a data table or appended from a data table. |
| id | Id being referenced. Populated for both events and entities (with the event id); for detections, this is the only field populated. |
| logBatchToken | The log batch token of the event being referenced, used to fetch the raw log associated with the event in some legacy systems. Only populated for events/entities. |
UDM
| JSON representation |
|---|
| { "metadata": { object ( |
| Fields | |
|---|---|
| metadata | Event metadata such as timestamp, source product, etc. |
| additional | Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. |
| principal | The acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and may include process details. It must NOT include any of the following fields: email, files, registry keys or values. |
| src | A source entity being acted upon by the participant, together with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X are specified in the src portion of the UDM event. |
| target | A target entity being referenced by the event, or an object on the target entity. For example, in a firewall connection from device A to device B, A is the principal and B is the target. For a process injection by process C into target process D, C is the principal and D is the target. |
| intermediary[] | Details on one or more intermediate entities processing the activity described in the event, such as a proxy server or SMTP relay. If an active event (one that has a principal and possibly a target) passes through any intermediaries, they are added here. Intermediaries can affect the overall action, for example by blocking or modifying an ongoing request. Rule of thumb: principal, target and the description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). |
| observer | An observer entity (for example, a packet sniffer or network-based vulnerability scanner) that is not a direct intermediary but observes and reports on the event in question. |
| about[] | Entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, email file attachments, domains/URLs/IPs embedded within an email body, and DLLs loaded during a PROCESS_LAUNCH event. |
| securityResult[] | A list of security results. |
| network | All network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
| extensions | All other first-class, event-specific metadata. Do not place protocol metadata in Extensions; put it in Network. |
| extracted | Flattened fields extracted from the log. |
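The principal rule and the intermediary rule of thumb above are easy to state and easy to violate in a custom parser. The Python below (an added example, not Chronicle code) checks both against constructed sample events. The JSON key spellings it uses for Noun fields (hostname, ip, mac, port, assetId, user.userid, email, file, registry) and the NETWORK_CONNECTION, ALLOW and BLOCK values are assumptions about the UDM JSON form, since this page names the fields only in prose.

```python
from typing import Any

# Key spellings for the Noun fields referred to above (hostname, ip, mac, port, asset id,
# user id, email, file, registry) and the NETWORK_CONNECTION / ALLOW / BLOCK values are
# assumptions about the JSON form of UDM; the reference above states the rule, not the keys.
MACHINE_DETAIL_KEYS = ("hostname", "ip", "mac", "port", "assetId")
USER_DETAIL_KEYS = ("userid", "userDisplayName", "windowsSid")
NOT_ALLOWED_ON_PRINCIPAL = ("email", "file", "registry")


def principal_problems(event: dict[str, Any]) -> list[str]:
    """Apply the principal rule: at least one machine or user detail, never email/file/registry."""
    principal = event.get("principal") or {}
    problems: list[str] = []
    has_machine = any(principal.get(k) for k in MACHINE_DETAIL_KEYS)
    user = principal.get("user") or {}
    has_user = any(user.get(k) for k in USER_DETAIL_KEYS)
    if not (has_machine or has_user):
        problems.append("principal carries no machine or user detail")
    problems.extend(f"principal must not carry {k!r}" for k in NOT_ALLOWED_ON_PRINCIPAL if k in principal)
    return problems


def _frozen(value: Any) -> Any:
    """Make nested dicts/lists comparable regardless of key order."""
    if isinstance(value, dict):
        return tuple(sorted((k, _frozen(v)) for k, v in value.items()))
    if isinstance(value, list):
        return tuple(_frozen(v) for v in value)
    return value


def action_signature(event: dict[str, Any]) -> tuple:
    """The part of an event an intermediary must not change: event type, principal and target."""
    return (
        (event.get("metadata") or {}).get("eventType"),
        _frozen(event.get("principal") or {}),
        _frozen(event.get("target") or {}),
    )


def same_initial_action(a: dict[str, Any], b: dict[str, Any]) -> bool:
    """True when two events describe the same principal->target action, intermediaries aside."""
    return action_signature(a) == action_signature(b)


# Constructed sample events (not real telemetry): one TCP connection from host A to host B,
# once allowed and once blocked by firewall C. Only intermediary and securityResult differ.
ALLOWED = {
    "metadata": {"eventType": "NETWORK_CONNECTION"},
    "principal": {"hostname": "host-a", "ip": ["10.0.0.10"], "port": 51234},
    "target": {"hostname": "host-b", "ip": ["10.0.0.20"], "port": 445},
    "securityResult": [{"action": ["ALLOW"]}],
}
BLOCKED = {
    "metadata": {"eventType": "NETWORK_CONNECTION"},
    "principal": {"ip": ["10.0.0.10"], "port": 51234, "hostname": "host-a"},
    "target": {"hostname": "host-b", "ip": ["10.0.0.20"], "port": 445},
    "intermediary": [{"hostname": "fw-c", "ip": ["10.0.0.1"]}],
    "securityResult": [{"action": ["BLOCK"]}],
}
# Violates the rule: the only detail on the principal is an email address.
BAD_PRINCIPAL = {
    "metadata": {"eventType": "EMAIL_TRANSACTION"},
    "principal": {"email": "alice@example.com"},
    "target": {"email": "bob@example.com"},
}

if __name__ == "__main__":
    print("allowed ok:", principal_problems(ALLOWED) == [])
    print("same action despite firewall:", same_initial_action(ALLOWED, BLOCKED))
    print("bad principal:", principal_problems(BAD_PRINCIPAL))
```

A check like same_initial_action is useful in detection tests: a rule keyed on principal and target should fire (or not) identically for the allowed and the blocked variant of the same connection, and securityResult, not a reshuffled principal, is where the blocking shows up.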
Metadata
| JSON representation |
|---|
| { "id": string, "productLogId": string, "eventTimestamp": string, "eventTimestampAttributes": [ enum ( |
| Fields | |
|---|---|
| id | ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string. |
| productLogId | A vendor-specific event identifier that uniquely identifies the event (e.g. a GUID). |
| eventTimestamp | The GMT timestamp when the event was generated. RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| eventTimestampAttributes[] | Attributes associated with event_timestamp, used to distinguish between the different kinds of timestamp that can be used to represent it. |
| collectedTimestamp | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. RFC 3339 timestamp, as for eventTimestamp. |
| ingestedTimestamp | The GMT timestamp when the event was ingested (received) by Chronicle. RFC 3339 timestamp, as for eventTimestamp. |
| eventType | The event type. If an event has multiple possible types, this specifies the most specific type. |
| vendorName | The name of the product vendor. |
| productName | The name of the product. |
| productVersion | The version of the product. |
| productEventType | A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). |
| productDeploymentId | The deployment identifier assigned by the vendor for a product deployment. |
| description | A human-readable, free-text description of the event that is not parsed into other fields. |
| urlBackToProduct | A URL that takes the user to the source product console for this event. |
| ingestionLabels[] | User-configured ingestion metadata labels. |
| tags | Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. |
| enrichmentState | The enrichment state. |
| logType | The string value of the log type. |
| baseLabels | Data access labels on the base event. |
| enrichmentLabels | Data access labels from all the contextual events used to enrich the base event. |
| structuredFields | Flattened fields extracted from the log. |
| parserVersion | The version of the parser that generated this UDM event. |
Tags
| JSON representation |
|---|
| { "tenantId": [ string ], "dataTapConfigName": [ string ] } |
| Fields | |
|---|---|
| tenantId[] | Subtenant ids that this event belongs to. Each is a base64-encoded string. |
| dataTapConfigName[] | Sink name values defined in DataTap configurations. |
DataAccessLabels
| JSON representation |
|---|
| { "logTypes": [ string ], "ingestionLabels": [ string ], "namespaces": [ string ], "customLabels": [ string ], "ingestionKvLabels": [ { object ( |
| Fields | |
|---|---|
| logTypes[] | All the LogType labels. |
| ingestionLabels[] | All the ingestion labels. |
| namespaces[] | All the namespaces. |
| customLabels[] | All the complex labels (UDM search syntax based). |
| ingestionKvLabels[] | All the ingestion labels as key/value pairs. |
| allowScopedAccess | Whether the labels are ready for scoped access. |
DataAccessIngestionLabel
| JSON representation |
|---|
| { "key": string, "value": string } |
| Fields | |
|---|---|
| key | The key. |
| value | The value. |
Extensions
| JSON representation |
|---|
| { "auth": { object ( |
| Fields | |
|---|---|
| auth | An authentication extension. |
| vulns | A vulnerability extension. |
| entityRisk | An entity risk change extension. |
| linuxUtmp | A Linux utmp extension: details specific to Linux utmp events, which record login and logout sessions on a Linux system. |
| windowsEventLog | A Windows Event Log extension: structured details specific to Windows Event Log events from the various Windows logs. |
| resourceUsage | A resource usage extension: which entity (e.g., process, user) is using a specific resource. |
| systemEventDetails | A system event details extension: additional details for system-level events, such as message type, sender image ID, and subsystem. |
| outlookMetadata | A Microsoft Outlook metadata extension: metadata for Outlook items, such as comments, templates, and security flags. |
| srum | A SRUM extension: details specific to Windows System Resource Usage Monitor (SRUM) events, which record application resource consumption. |
| userAssist | A UserAssist extension: details specific to Windows UserAssist events, which track application usage and execution. |
Authentication
| JSON representation |
|---|
| { "type": enum ( |
| Fields | |
|---|---|
| type | The type of authentication. |
| mechanism[] | The authentication mechanism. |
| authDetails | The vendor-defined details of the authentication. |
| outcome | The outcome of the authentication event. |
Vulnerabilities
| JSON representation |
|---|
| { "vulnerabilities": [ { object ( |
| Fields | |
|---|---|
| vulnerabilities[] | A list of vulnerabilities. |
EntityRisk
| JSON representation |
|---|
| { "riskVersion": string, "riskWindow": { object ( |
riskDelta and rawRiskDelta are each marked as a union field in the source schema; treat them as optional.
| Fields | |
|---|---|
| riskVersion | Version of the risk score calculation algorithm. |
| riskWindow | Time window used when computing the risk score for an entity, for example 24 hours or 7 days. |
| DEPRECATEDRiskScore | Deprecated risk score. |
| detectionsCount | Number of detections that make up the risk score within the time window. |
| firstDetectionTime | Timestamp of the first detection within the specified time window. Empty when there are no detections. RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| lastDetectionTime | Timestamp of the last detection within the specified time window. Empty when there are no detections. RFC 3339 timestamp, as for firstDetectionTime. |
| riskScore | Raw risk score for the entity. |
| normalizedRiskScore | Normalized risk score for the entity, between 0 and 1000. |
| riskWindowSize | Risk window duration for the entity. A duration in seconds with up to nine fractional digits, ending with 's' (example: "3.5s"). |
| lastResetTime | Timestamp for UEBA risk score reset based deduplication. Used specifically for risk-based meta rules. RFC 3339 timestamp, as for firstDetectionTime. |
| detailUri | Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this is a relative path that can be used to construct the full URL. |
| riskWindowHasNewDetections | Whether there are new detections for the risk window. |
| riskDelta | The change in risk score for an entity between the end of the previous time window and the end of the current time window. |
| rawRiskDelta | The change in raw risk score for an entity between the end of the previous time window and the end of the current time window. |
RiskDelta
| JSON representation |
|---|
| { "previousRangeEndTime": string, "riskScoreDelta": integer, "previousRiskScore": integer, "riskScoreNumericDelta": integer } |
| Fields | |
|---|---|
| previousRangeEndTime | End time of the previous time window. RFC 3339 timestamp, Z-normalized on output as described for EntityRisk.firstDetectionTime. |
| riskScoreDelta | Difference in the normalized risk score from the previous recorded value. |
| previousRiskScore | Risk score from the previous risk window. |
| riskScoreNumericDelta | Numeric change between the current and previous risk score. |
LinuxUtmp
| JSON representation |
|---|
| { "recordType": enum ( |
| Fields | |
|---|---|
| recordType | The activity record type. |
WindowsEventLog
| JSON representation |
|---|
| { "channel": enum ( |
| Fields | |
|---|---|
| channel | The channel of the event. |
| eventId | A unique identifier for a specific type of event. |
| activityId | A GUID (Globally Unique Identifier) used to link a sequence of related events together. |
ResourceUsage
| JSON representation |
|---|
| { "usedEntity": string, "usedEntityId": string } |
| Fields | |
|---|---|
| usedEntity | The name of the entity (e.g., process, user) that is using the resource. |
| usedEntityId | A numerical identifier for the entity using the resource (e.g., PID, UID). |
SystemEventDetails
| JSON representation |
|---|
| { "messageType": string, "senderImageId": string, "subsystem": string } |
| Fields | |
|---|---|
| messageType | The specific type or category of the message. |
| senderImageId | An identifier for the image associated with the sender of the message. |
| subsystem | The subsystem or component that generated the event. |
OutlookMetadata
| JSON representation |
|---|
| { "comment": string, "template": string, "title": string, "securityFlagsCount": integer } |
| Fields | |
|---|---|
| comment | A user-defined comment or note associated with the Outlook item. |
| template | The name of the template file used to create the Outlook item. |
| title | The title of the Outlook item. |
| securityFlagsCount | Count of security-related flags for the message, such as encryption or signing status. |
Srum
| JSON representation |
|---|
| { "id": string, "backgroundBytesRead": string, "backgroundBytesWritten": string, "backgroundContextSwitches": string, "backgroundCycleCount": string, "backgroundFlushesCount": string, "backgroundReadOperations": string, "backgroundWriteOperations": string, "interfaceLuid": string } |
| Fields | |
|---|---|
| id | A unique identifier for the SRUM record or the application/user being monitored. |
| backgroundBytesRead | The number of bytes read by the application while running in the background. |
| backgroundBytesWritten | The number of bytes written by the application while running in the background. |
| backgroundContextSwitches | The number of context switches performed by the application's threads while in the background. |
| backgroundCycleCount | The amount of CPU cycle time consumed by the application in the background, measured in clock cycles. |
| backgroundFlushesCount | The number of flush operations performed by the application in the background. |
| backgroundReadOperations | The number of read operations performed by the application in the background. |
| backgroundWriteOperations | The number of write operations performed by the application in the background. |
| interfaceLuid | The Locally Unique Identifier (LUID) of the network interface used for data transfer. |
UserAssist
| JSON representation |
|---|
| { "applicationFocusCount": string, "applicationFocusDuration": string, "executionsCount": string, "entryIndex": string } |
| Fields | |
|---|---|
| applicationFocusCount | The number of times the application associated with the entry gained focus. |
| applicationFocusDuration | The total duration the application associated with the entry was in focus. A duration in seconds with up to nine fractional digits, ending with 's' (example: "3.5s"). |
| executionsCount | The number of times the application associated with the entry has been executed. |
| entryIndex | The index or identifier of the UserAssist entry, unique per user. |
Entity
| JSON representation |
|---|
| { "metadata": { object ( |
riskScore is marked as a union field in the source schema; treat it as optional.
| Fields | |
|---|---|
| metadata | Entity metadata such as timestamp, product, etc. |
| entity | Noun in the UDM event that this entity represents. |
| relations[] | One or more relationships between this entity (a) and other entities, including the relationship type and the related entity. |
| additional | Important entity data that cannot be adequately represented within the formal sections of the Entity. |
| metric | Statistical metrics about the entity. Used if metadata.entity_type is METRIC. |
| riskScore | Information related to the entity's risk score. |
EntityMetadata
| JSON representation |
|---|
| { "productEntityId": string, "collectedTimestamp": string, "creationTimestamp": string, "interval": { object ( |
| Fields | |
|---|---|
| productEntityId | A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). |
| collectedTimestamp | GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| creationTimestamp | GMT timestamp when the entity described by product_entity_id was created on the system where the data was collected. RFC 3339 timestamp, as for collectedTimestamp. |
| interval | Valid existence time range for the version of the entity represented by this entity data. |
| vendorName | Vendor name of the product that produced the entity information. |
| productName | Name of the product that produced the entity information. |
| feed | Vendor feed name for a threat indicator feed. |
| productVersion | Version of the product that produced the entity information. |
| entityType | Entity type. If an entity has multiple possible types, this specifies the most specific type. |
| description | Human-readable description of the entity. |
| threat[] | Metadata provided by a threat intelligence feed that identified the entity as malicious. |
| sourceType | The source of the entity. |
| sourceLabels[] | Entity source metadata labels. |
| eventMetadata | Metadata field from the event. |
| structuredFields | Structured fields extracted from the log. |
| extracted | Flattened fields extracted from the log. |
Relation
| JSON representation |
|---|
| { "entity": { object ( |
| Fields | |
|---|---|
| entity | Entity (b) that the primary entity (a) is related to. |
| entityType | Type of the related entity (b) in this relationship. |
| relationship | Type of relationship. |
| direction | Directionality of the relationship between the primary entity (a) and the related entity (b). |
| uid | UID of the relationship. A base64-encoded string. |
| entityLabel | Label identifying the Noun of the relation. |
Metric
| JSON representation |
|---|
| { "firstSeen": string, "lastSeen": string, "sumMeasure": { object ( |
| Fields | |
|---|---|
| firstSeen | Timestamp of the first time the entity was seen in the environment. RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| lastSeen | Timestamp of the last time the entity was seen in the environment. RFC 3339 timestamp, as for firstSeen. |
| sumMeasure | Sum of all precomputed measures for the given metric. |
| totalEvents | Total number of events used to calculate the given precomputed metric. |
| metricName | Name of the analytic. |
| dimensions[] | All group-by clauses used to calculate the metric. |
| exportWindow | Export window for which the metric was exported. |
Measure
| JSON representation |
|---|
| { "value": number, "aggregateFunction": enum ( |
| Fields | |
|---|---|
| value | Value of the aggregated measure. |
| aggregateFunction | Function used to calculate the aggregated measure. |
DataTableRowInfo
| JSON representation |
|---|
| { "dataTable": string, "row": { object }, "rowId": string } |
| Fields | |
|---|---|
| dataTable | The name of the data table. |
| row | Key/value pairs for a data table row, where each key is the column name for the given value. |
| rowId | The row id of the data table row. |
EntityGraphEnrichment
| JSON representation |
|---|
| { "dataTable": string, "enrichmentType": enum ( |
| Fields | |
|---|---|
| dataTable | The name of the data table. |
| enrichmentType | The type of enrichment. |
| overriddenEntity | The entity with only the overridden fields populated. Only populated if the enrichment type is OVERRIDE. |
LatencyMetrics
| JSON representation |
|---|
| { "oldestIngestionTime": string, "newestIngestionTime": string, "oldestEventTime": string, "newestEventTime": string, "ingestionLatency": string } |
| Fields | |
|---|---|
| oldestIngestionTime | The oldest ingestion timestamp among the events used to create the detection. RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| newestIngestionTime | The newest (most recent) ingestion timestamp among the events used to create the detection. RFC 3339 timestamp, as for oldestIngestionTime. |
| oldestEventTime | The oldest event timestamp among the events used to create the detection. RFC 3339 timestamp, as for oldestIngestionTime. |
| newestEventTime | The newest (most recent) event timestamp among the events used to create the detection. RFC 3339 timestamp, as for oldestIngestionTime. |
| ingestionLatency | The difference between the newest ingestion timestamp and the newest event timestamp. A duration in seconds with up to nine fractional digits, ending with 's' (example: "3.5s"). |
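As an added example (not code from this reference or the product), the Python below builds a LatencyMetrics object from the eventTimestamp and ingestedTimestamp of a detection's events, following the RFC 3339 rules stated throughout this page (Z-normalized output, 0/3/6/9 fractional digits, other offsets accepted on input) and the duration format ending in 's'. The events are constructed sample data; one deliberately carries a +02:00 offset and nine fractional digits to exercise the parser.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Iterable

# RFC 3339 as this API emits or accepts it: 'T' separator, 0-9 fractional digits, 'Z' or an offset.
_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[Tt ](\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?([Zz]|[+-]\d{2}:\d{2})$"
)


def parse_rfc3339(text: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware UTC datetime.

    Accepts any offset, not only Z, and up to nine fractional digits; Python datetimes
    hold microseconds, so digits beyond the sixth are dropped rather than rounded.
    """
    match = _RFC3339.match(text)
    if not match:
        raise ValueError(f"not an RFC 3339 timestamp: {text!r}")
    date, clock, fraction, offset = match.groups()
    microsecond = int((fraction or "0")[:6].ljust(6, "0"))
    if offset.upper() == "Z":
        offset = "+00:00"
    parsed = datetime.fromisoformat(f"{date}T{clock}{offset}")
    return parsed.replace(microsecond=microsecond).astimezone(timezone.utc)


def format_rfc3339(moment: datetime) -> str:
    """Z-normalized output with 0, 3 or 6 fractional digits (nanoseconds are not representable here)."""
    moment = moment.astimezone(timezone.utc)
    base = moment.strftime("%Y-%m-%dT%H:%M:%S")
    us = moment.microsecond
    if us == 0:
        return base + "Z"
    if us % 1000 == 0:
        return f"{base}.{us // 1000:03d}Z"
    return f"{base}.{us:06d}Z"


def format_duration(delta: timedelta) -> str:
    """Duration in the API's form: seconds with up to nine fractional digits, ending with 's'."""
    text = f"{delta.total_seconds():.9f}".rstrip("0").rstrip(".")
    return text + "s"


def latency_metrics(events: Iterable[dict[str, Any]]) -> dict[str, str]:
    """Build a LatencyMetrics object from the metadata of the events behind a detection.

    ingestionLatency is newestIngestionTime minus newestEventTime, as defined above. A large
    value means the detection fired long after the activity, which matters when deciding
    whether a response window has already closed.
    """
    event_times, ingest_times = [], []
    for event in events:
        metadata = event["metadata"]
        event_times.append(parse_rfc3339(metadata["eventTimestamp"]))
        ingest_times.append(parse_rfc3339(metadata["ingestedTimestamp"]))
    if not event_times:
        raise ValueError("a detection needs at least one event")
    newest_ingest, newest_event = max(ingest_times), max(event_times)
    return {
        "oldestIngestionTime": format_rfc3339(min(ingest_times)),
        "newestIngestionTime": format_rfc3339(newest_ingest),
        "oldestEventTime": format_rfc3339(min(event_times)),
        "newestEventTime": format_rfc3339(newest_event),
        "ingestionLatency": format_duration(newest_ingest - newest_event),
    }


# Constructed sample: three events, one with a +02:00 offset and nanosecond precision.
SAMPLE_EVENTS = [
    {"metadata": {"eventTimestamp": "2024-05-01T12:00:00Z",
                  "ingestedTimestamp": "2024-05-01T12:00:07.250Z"}},
    {"metadata": {"eventTimestamp": "2024-05-01T14:00:01.123456789+02:00",
                  "ingestedTimestamp": "2024-05-01T12:00:09.5Z"}},
    {"metadata": {"eventTimestamp": "2024-05-01T11:59:30Z",
                  "ingestedTimestamp": "2024-05-01T12:00:05Z"}},
]

if __name__ == "__main__":
    for key, value in latency_metrics(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Python datetimes stop at microseconds, so a nine-digit input loses its last three digits on the way through; if nanosecond precision matters for ordering, keep the original string alongside the parsed value rather than re-serializing from the datetime.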
ResponsePlatformInfo
| JSON representation |
|---|
| { "alertId": string, "responsePlat formType": enum ( |
| Fields | |
|---|---|
| alertId | Id of the alert in the SOAR product. |
| responsePlatformType | Type of SOAR product. |
Feedback
| JSON representation |
|---|
| { "idpUserId": string, "createdTime": string, // Union field |
Every field below other than idpUserId and createdTime is marked as a union field in the source schema; treat each as optional and check for presence before reading it.
| Fields | |
|---|---|
| idpUserId | Required. |
| createdTime | RFC 3339 timestamp; generated output is always Z-normalized with 0, 3, 6 or 9 fractional digits, and offsets other than "Z" are also accepted on input (examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z"). |
| verdict | |
| reputation | |
| confidenceScore | |
| riskScore | |
| disregarded | |
| severity | |
| comment | Optional. |
| status | Optional. |
| priority | Optional. |
| rootCause | Optional. |
| reason | Optional. |
| severityDisplay | Optional. |
| priorityDisplay | Optional. |
| triageAgentInvestigationId | Optional. |
| userType | |
SoarAlertMetadata
| JSON representation |
|---|
| { "alertId": string, "sourceRule": string, "vendor": string, "sourceSystem": string, "product": string, "sourceSystemTicketId": string, "sourceSystemUri": string } |
| Fields | |
|---|---|
| alertId | Alert ID in the source SIEM system. |
| sourceRule | Name of the rule that triggered the alert in the source SIEM. |
| vendor | Name of the vendor. |
| sourceSystem | Name of the source SIEM system. |
| product | Name of the product the alert is coming from. |
| sourceSystemTicketId | Ticket id for the alert in the source system. |
| sourceSystemUri | URL of the source SIEM system. |
AlertFieldAggregations
| JSON representation |
|---|
| { "fields": [ { object ( |
| Fields | |
|---|---|
| fields[] | |
AlertFieldAggregation
| JSON representation |
|---|
| { "fieldName": string, "baselineAlertCount": integer, "alertCount": integer, "tooManyValues": boolean, "valueCount": integer, "allValues": [ { object ( |
| Fields | |
|---|---|
| fieldName | |
| baselineAlertCount | |
| alertCount | |
| tooManyValues | |
| valueCount | |
| allValues[] | |
| topValues[] | |
| bottomValues[] | |
AlertFieldValueCount
| JSON representation |
|---|
| { "value": { object ( |
| Fields | |
|---|---|
| value | |
| baselineAlertCount | |
| alertCount | |
AlertFieldValue
| JSON representation |
|---|
| { // Union field |
The value is a single union field; only one of the following members is populated.
| Fields | |
|---|---|
| stringValue | |
| int32Value | |
| uint32Value | |
| int64Value | |
| uint64Value | |
| floatValue | |
| doubleValue | |
| enumValue | |
| boolValue | |
| bytesValue | A base64-encoded string. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌