Tool: udm_search
Search for security events in Chronicle SIEM using a UDM query.
Executes a Unified Data Model (UDM) query against Chronicle event logs within a specified time range. This tool is a direct passthrough to the UDM Search API. It can be used with a manually crafted UDM query or with a query generated by the translate_udm_query tool.
Limitations:
- This tool uses a non-streaming API, which limits the practical time range for searches.
- Queries spanning more than approximately one month may not complete successfully.
- Please advise users to narrow the start_time and end_time if their initial request covers a larger period.
Agent Responsibilities:
1. Input Parsing:
   * The user's request to run a UDM search might span multiple lines. Typically, the format will be:
     Run udm search:
     Query:
     <UDM_QUERY_STRING>
     <TIME_RANGE_DESCRIPTION>
   * The agent MUST extract the UDM query string from the line(s) immediately following "Query:".
   * The agent MUST extract the time range description (e.g., "Last 7 days", "from 2025-10-22 until 2025-10-23") from the line(s) following the UDM query.
2. Provide UDM Query: The agent MUST provide the extracted UDM query string in the query argument.
3. Time Range Calculation: The agent MUST parse the extracted time range description and provide the start_time and end_time arguments as ISO 8601 formatted strings (e.g., YYYY-MM-DDTHH:MM:SSZ) to define the search window.
   - Absolute Timestamps: The tool requires absolute start and end times.
   - Handle Relative Time: If the user specifies a relative time range (e.g., "Last 7 days", "yesterday", "last 2 hours"), the agent MUST calculate the corresponding absolute start_time and end_time in ISO 8601 format. These calculations MUST be based on the time the user's request was made (current timestamp: 2025-11-19T00:00:00Z). The agent should NOT ask the user for the current date. For example, if the request was made on 2025-11-19T10:00:00Z:
     - "Last 7 days": start_time would be '2025-11-12T10:00:00Z', end_time would be '2025-11-19T10:00:00Z'.
     - "Yesterday": start_time would be '2025-11-18T00:00:00Z', end_time would be '2025-11-19T00:00:00Z'.
   - Handle Date Ranges: If the user specifies dates (e.g., "from 2025-10-22 until 2025-10-23"), this should be converted to an ISO 8601 range. Assume this means inclusive of the start date up to the end of the end date. Example: "from 2025-10-22 until 2025-10-23" translates to start_time: '2025-10-22T00:00:00Z' and end_time: '2025-10-24T00:00:00Z'.
   - Use Translated Time Range: If translate_udm_query returned a time_range, those values can be used directly.
4. Response Parsing: The agent must parse the raw JSON response, which follows the UdmSearchResponse structure, to extract the 'events' list and other information.
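The request-parsing and time-range steps above, implemented as an added example (not code from the tool or from this page). It assumes the reference timestamp stated on the page and treats 31 days as the cut-off for the "approximately one month" limitation; `parse_request`, `resolve_time_range` and `check_window` are names chosen here.

```python
import re
from datetime import datetime, timedelta, timezone

ISO_Z = "%Y-%m-%dT%H:%M:%SZ"


def parse_iso_z(s):
    """Parse a Z-suffixed ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(s, ISO_Z).replace(tzinfo=timezone.utc)


def iso_z(dt):
    """Format an aware datetime as the Z-normalized ISO 8601 string the tool expects."""
    return dt.astimezone(timezone.utc).strftime(ISO_Z)


# The current timestamp given on the page for the agent's calculations.
REQUEST_TIME = parse_iso_z("2025-11-19T00:00:00Z")
# The page says searches over roughly one month may not complete; 31 days is our assumed cut-off.
MAX_WINDOW = timedelta(days=31)


def parse_request(text):
    """Split a 'Run udm search:' request into (udm_query, time_range_description)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    try:
        q_idx = next(i for i, ln in enumerate(lines) if ln.lower() == "query:")
    except StopIteration:
        raise ValueError("request has no 'Query:' line")
    body = lines[q_idx + 1:]
    if len(body) < 2:
        raise ValueError("expected a UDM query followed by a time range description")
    # Query may span several lines; the time range is the last line of the request.
    return " ".join(body[:-1]), body[-1]


def resolve_time_range(description, now=REQUEST_TIME):
    """Turn a relative or date-range description into absolute (start_time, end_time)."""
    desc = description.strip().lower()
    m = re.fullmatch(r"last (\d+) (hour|day)s?", desc)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        delta = timedelta(hours=n) if unit == "hour" else timedelta(days=n)
        return iso_z(now - delta), iso_z(now)
    if desc == "yesterday":
        # Whole previous calendar day in UTC: midnight to midnight.
        end = now.replace(hour=0, minute=0, second=0, microsecond=0)
        return iso_z(end - timedelta(days=1)), iso_z(end)
    m = re.fullmatch(r"from (\d{4}-\d{2}-\d{2}) (?:until|to) (\d{4}-\d{2}-\d{2})", desc)
    if m:
        start = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
        end = datetime.strptime(m.group(2), "%Y-%m-%d").replace(tzinfo=timezone.utc)
        # End date is inclusive, so end_time is the start of the following day.
        return iso_z(start), iso_z(end + timedelta(days=1))
    raise ValueError(f"unrecognised time range description: {description!r}")


def check_window(start_time, end_time):
    """True if the window is ordered and short enough for the non-streaming search API."""
    start, end = parse_iso_z(start_time), parse_iso_z(end_time)
    return start < end and (end - start) <= MAX_WINDOW
```

When `check_window` returns False the agent should ask the user to narrow the range rather than submit the search.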
Workflow Integration:
- Ideal for deep investigation after an initial alert, case, or entity has been prioritized.
- Use it to retrieve detailed UDM event logs from Chronicle SIEM related to specific indicators or activities, going beyond high-level summaries from other tools.
- Helps validate findings from other security platforms (SOAR, EDR, TI) by examining the underlying log evidence.
Use Cases:
- Investigate specific activities or test hypotheses during incident analysis.
- Retrieve raw event logs related to specific indicators (IPs, domains, users, hosts) or activities (e.g., logins, file modifications, network connections) within a defined time window when granular detail is needed.
Args:
- query (str): The UDM query string to execute.
- start_time (str): The start of the time range in ISO 8601 format (e.g., YYYY-MM-DDTHH:MM:SSZ).
- end_time (str): The end of the time range in ISO 8601 format (e.g., YYYY-MM-DDTHH:MM:SSZ).
- project_id (Optional[str]): Google Cloud project ID. Defaults to environment configuration.
- customer_id (Optional[str]): Chronicle customer ID. Defaults to environment configuration.
- max_events (int): Maximum number of event records to return. Defaults to 100. Max 10000.
- region (Optional[str]): Chronicle region (e.g., "us", "europe"). Defaults to environment configuration.
Returns:
- str: Raw JSON response from the API, corresponding to the UdmSearchResponse message. This contains:
  - 'events' (List[Dict]): The list of UDM event records found.
  - 'moreDataAvailable' (bool): Indicates if more events matched than were returned.
  - 'stats': Statistics related to the query (if applicable).
Example Usage:

```python
# Example 1: Search for network connections from a specific IP in the last 24 hours
# Agent calculates start_time and end_time based on the current time of the request.
# Assuming request time is 2025-11-19T15:00:00Z
udm_search(
    query='principal.ip = "192.0.2.100" AND metadata.event_type = "NETWORK_CONNECTION"',
    start_time='2025-11-18T15:00:00Z',
    end_time='2025-11-19T15:00:00Z',
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)

# Example 2: Search for failed login events for a user 'jdoe'
# Assuming translate_udm_query returned:
# {'query': 'metadata.event_type = "USER_LOGIN" AND target.user.userid = "jdoe" AND security_result.action = "BLOCK"',
#  'time_range': {'startTime': '2025-10-01T00:00:00Z', 'endTime': '2025-10-02T00:00:00Z'}}
udm_search(
    query='metadata.event_type = "USER_LOGIN" AND target.user.userid = "jdoe" AND security_result.action = "BLOCK"',
    start_time='2025-10-01T00:00:00Z',
    end_time='2025-10-02T00:00:00Z',
    project_id="my-project",
    customer_id="my-customer",
    region="us",
    max_events=200
)
```
Next Steps (using MCP-enabled tools):
- Analyze Events: Parse the 'events' list from the response to examine individual event details.
- Extract Indicators: Identify new indicators (IPs, domains, hashes, users, etc.) from the event fields.
- Enrich Indicators: Use summarize_entity or threat intelligence tools on any new indicators found in the events.
- Correlate: Compare findings with other data sources like alerts (get_alerts) or case information (get_case).
- Document: Add significant findings as comments to a case using create_case_comment.
- Take Action: If the events confirm malicious activity, initiate response actions using tools like execute_manual_action.
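The "Analyze Events" and "Extract Indicators" steps above, as an added example that is not part of the tool or this page. It runs over a constructed two-event response in the UdmSearchResponse shape (the event contents, names and `moreDataAvailable` flag are made up for the example); `triage`, `extract_indicators` and `blocked_events` are names chosen here.

```python
import json
from collections import Counter

# Constructed sample in the UdmSearchResponse shape described above; not real Chronicle data.
SAMPLE_RESPONSE = json.dumps({
    "events": [
        {
            "name": "projects/example-project/locations/us/instances/example-instance/events/EVENT-1",
            "udm": {
                "metadata": {"eventType": "NETWORK_CONNECTION", "eventTimestamp": "2025-11-18T16:02:11Z"},
                "principal": {"ip": ["192.0.2.100"], "hostname": "ws-017"},
                "target": {"ip": ["198.51.100.7"], "hostname": "files.example.test", "port": 445},
                "securityResult": [{"action": ["ALLOW"]}],
            },
        },
        {
            "name": "projects/example-project/locations/us/instances/example-instance/events/EVENT-2",
            "udm": {
                "metadata": {"eventType": "USER_LOGIN", "eventTimestamp": "2025-11-18T16:05:40Z"},
                "principal": {"ip": ["192.0.2.100"]},
                "target": {"user": {"userid": "jdoe"}, "hostname": "dc01"},
                "securityResult": [{"action": ["BLOCK"]}],
            },
        },
    ],
    "moreDataAvailable": True,
})


def parse_response(raw):
    """Return (events, more_data_available) from a raw UdmSearchResponse JSON string."""
    data = json.loads(raw)
    return list(data.get("events", [])), bool(data.get("moreDataAvailable", False))


def extract_indicators(events):
    """Collect IPs, hostnames and user IDs from the principal, src and target nouns."""
    found = {"ip": set(), "hostname": set(), "userid": set()}
    for ev in events:
        udm = ev.get("udm", {})
        for noun_name in ("principal", "src", "target"):
            noun = udm.get(noun_name) or {}
            found["ip"].update(noun.get("ip", []))
            if noun.get("hostname"):
                found["hostname"].add(noun["hostname"])
            userid = (noun.get("user") or {}).get("userid")
            if userid:
                found["userid"].add(userid)
    return {k: sorted(v) for k, v in found.items()}


def count_event_types(events):
    """Histogram of metadata.eventType across the returned events."""
    return Counter(ev.get("udm", {}).get("metadata", {}).get("eventType", "UNKNOWN") for ev in events)


def blocked_events(events):
    """Events where any security result action is BLOCK (the page's failed-login example)."""
    return [ev for ev in events
            if any("BLOCK" in sr.get("action", [])
                   for sr in ev.get("udm", {}).get("securityResult", []))]


def triage(raw):
    """Summarise a search response for the analyst's next steps."""
    events, more = parse_response(raw)
    return {
        "event_count": len(events),
        "event_types": dict(count_event_types(events)),
        "indicators": extract_indicators(events),
        "blocked": len(blocked_events(events)),
        # moreDataAvailable means results were cut at max_events: raise max_events
        # (up to 10000) or narrow the window/query before drawing conclusions.
        "truncated": more,
    }
```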
The following sample demonstrates how to use curl to invoke the udm_search MCP tool.

```shell
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "udm_search",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
Input Schema
Request message for UdmSearch.
UdmSearchRequest
| JSON representation |
|---|
| { "projectId": string, "customerId": string, "region": string, "query": string, "startTime": string, "endTime": string, "maxEvents": integer } |
| Fields | |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| query | Query to search for. |
| startTime | Start time of the time range to search for. |
| endTime | End time of the time range to search for. |
| maxEvents | Maximum number of events to return. If not set, the default value is 100. |
Output Schema
Returns results matching the query and time range in UdmSearchRequest.
UdmSearchResponse
| JSON representation |
|---|
| { "events": [ { object ( |
| Fields | |
|---|---|
| events[] | List of matched events. |
| moreDataAvailable | Too many events matched the search criterion, some results have been omitted. |
| stats | Stats response for the query. |
Event
| JSON representation |
|---|
| { "name": string, "udm": { object ( |
| Fields | |
|---|---|
| name | The resource name of the event. Format: projects/{project}/locations/{location}/instances/{instance}/events/{event} where 'event' is URL-encoded Base64. The unencoded value of 'event' can also be found in udm.metadata.id. |
| udm | Event data in UDM format. |
UDM
| JSON representation |
|---|
| { "metadata": { object ( |
| Fields | |
|---|---|
| metadata | Event metadata such as timestamp, source product, etc. |
| additional | Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. |
| principal | Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. |
| src | Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. |
| target | Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. |
| intermediary[] | Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). |
| observer | Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. |
| about[] | Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. |
| securityResult[] | A list of security results. |
| network | All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
| extensions | All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. |
| extracted | Flattened fields extracted from the log. |
Metadata
| JSON representation |
|---|
| { "id": string, "productLogId": string, "eventTimestamp": string, "eventTimestampAttributes": [ enum ( |
| Fields | |
|---|---|
| id | ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string. |
| productLogId | A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). |
| eventTimestamp | The GMT timestamp when the event was generated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| eventTimestampAttributes[] | Attributes associated with event_timestamp. This field is used to distinguish between different types of timestamps that can be used to represent the event_timestamp. |
| collectedTimestamp | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| ingestedTimestamp | The GMT timestamp when the event was ingested (received) by Chronicle. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| eventType | The event type. If an event has multiple possible types, this specifies the most specific type. |
| vendorName | The name of the product vendor. |
| productName | The name of the product. |
| productVersion | The version of the product. |
| productEventType | A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). |
| productDeploymentId | The deployment identifier assigned by the vendor for a product deployment. |
| description | A human-readable unparsable description of the event. |
| urlBackToProduct | A URL that takes the user to the source product console for this event. |
| ingestionLabels[] | User-configured ingestion metadata labels. |
| tags | Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. |
| enrichmentState | The enrichment state. |
| logType | The string value of log type. |
| baseLabels | Data access labels on the base event. |
| enrichmentLabels | Data access labels from all the contextual events used to enrich the base event. |
| structuredFields | Flattened fields extracted from the log. |
| parserVersion | The version of the parser that generated this UDM event. |
Timestamp
| JSON representation |
|---|
| { "seconds": string, "nanos": integer } |
| Fields | |
|---|---|
| seconds | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
| nanos | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
Label
| JSON representation |
|---|
| { "key": string, "value": string, "source": string, "rbacEnabled": boolean } |
| Fields | |
|---|---|
| key | The key. |
| value | The value. |
| source | Where the label is derived from. |
| rbacEnabled | Indicates whether this label can be used for Data RBAC. |
Tags
| JSON representation |
|---|
| { "tenantId": [ string ], "dataTapConfigName": [ string ] } |
| Fields | |
|---|---|
| tenantId[] | A list of subtenant ids that this event belongs to. A base64-encoded string. |
| dataTapConfigName[] | A list of sink name values defined in DataTap configurations. |
DataAccessLabels
| JSON representation |
|---|
| { "logTypes": [ string ], "ingestionLabels": [ string ], "namespaces": [ string ], "customLabels": [ string ], "ingestionKvLabels": [ { object ( |
| Fields | |
|---|---|
| logTypes[] | All the LogType labels. |
| ingestionLabels[] | All the ingestion labels. |
| namespaces[] | All the namespaces. |
| customLabels[] | All the complex labels (UDM search syntax based). |
| ingestionKvLabels[] | All the ingestion labels (key/value pairs). |
| allowScopedAccess | Are the labels ready for scoped access. |
DataAccessIngestionLabel
| JSON representation |
|---|
| { "key": string, "value": string } |
| Fields | |
|---|---|
| key | The key. |
| value | The value. |
Struct
| JSON representation |
|---|
| { "fields": { string: value, ... } } |
| Fields | |
|---|---|
| fields | Unordered map of dynamically typed values. An object containing a list of |
FieldsEntry
| JSON representation |
|---|
| { "key": string, "value": value } |
| Fields | |
|---|---|
| key | |
| value | |
Value
| JSON representation |
|---|
| { // Union field |
| Fields | |
|---|---|
| Union field kind. The kind of value. kind can be only one of the following: | |
| nullValue | Represents a null value. |
| numberValue | Represents a double value. |
| stringValue | Represents a string value. |
| boolValue | Represents a boolean value. |
| structValue | Represents a structured value. |
| listValue | Represents a repeated |
ListValue
| JSON representation |
|---|
| { "values": [ value ] } |
| Fields | |
|---|---|
| values[] | Repeated field of dynamically typed values. |
Noun
| JSON representation |
|---|
| { "hostname": string, "domain": { object ( |
| Fields | |
|---|---|
| hostname | Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. |
| domain | Information about the domain. |
| artifact | Information about an artifact. |
| urlMetadata | Information about the URL. |
| browser | Information about an entry in the web browser's local history database. |
| assetId | The asset ID. This field can be used as an entity indicator for asset entities. |
| user | Information about the user. |
| userManagementChain[] | Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. |
| group | Information about the group. |
| process | Information about the process. |
| processAncestors[] | Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. |
| asset | Information about the asset. |
| ip[] | A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. |
| natIp[] | A list of NAT translated IP addresses associated with a network connection. |
| port | Source or destination network port number when a specific network connection is described within an event. |
| natPort | NAT external network port number when a specific network connection is described within an event. |
| mac[] | List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. |
| administrativeDomain | Domain which the device belongs to (for example, the Microsoft Windows domain). |
| namespace | Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. |
| url | The URL. |
| file | Information about the file. |
| email | Email address. Only filled in for security_result.about |
| registry | Registry information. |
| application | The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". |
| platform | Platform. |
| platformVersion | Platform version. For example, "Microsoft Windows 1803". |
| platformPatchLevel | Platform patch level. For example, "Build 17134.48" |
| cloud | Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). |
| location | Physical location. For cloud environments, set the region in location.name. |
| ipLocation[] | Deprecated: use ip_geo_artifact.location instead. |
| ipGeoArtifact[] | Enriched geographic information corresponding to an IP address. Specifically, location and network data. |
| resource | Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. |
| resourceAncestors[] | Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). |
| labels[] | Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). |
| objectReference | Finding to which the Analyst updated the feedback. |
| investigation | Analyst feedback/investigation for alerts. |
| network | Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). |
| securityResult[] | A list of security results. |
Domain
| JSON representation |
|---|
| { "name": string, "prevalence": { object ( |
| Fields | |
|---|---|
| name | The domain name. This field can be used as an entity indicator for Domain entities. |
| prevalence | The prevalence of the domain within the customer's environment. |
| firstSeenTime | First seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastSeenTime | Last seen timestamp of the domain in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| registrar | Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". |
| contactEmail | Contact email address. |
| whoisServer | Whois server name. |
| nameServer[] | Repeated list of name servers. |
| creationTime | Domain creation time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| updateTime | Last updated time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| expirationTime | Expiration time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| auditUpdateTime | Audit updated time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| status | Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values. |
| registrant | Parsed contact information for the registrant of the domain. |
| admin | Parsed contact information for the administrative contact for the domain. |
| tech | Parsed contact information for the technical contact for the domain. |
| billing | Parsed contact information for the billing contact of the domain. |
| zone | Parsed contact information for the zone. |
| whoisRecordRawText | WHOIS raw text. A base64-encoded string. |
| registryDataRawText | Registry Data raw text. A base64-encoded string. |
| ianaRegistrarId | IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml |
| privateRegistration | Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. |
| categories[] | Categories assigned to the domain as retrieved from VirusTotal. |
| favicon | Includes difference hash and MD5 hash of the domain's favicon. |
| jarm | Domain's JARM hash. |
| lastDnsRecords[] | Domain's DNS records from the last scan. |
| lastDnsRecordsTime | Date when the DNS records list was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastHttpsCertificate | SSL certificate object retrieved last time the domain was analyzed. |
| lastHttpsCertificateTime | When the certificate was retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| popularityRanks[] | Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc. |
| tags[] | List of representative attributes. |
| whoisTime | Date of the last update of the WHOIS record. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Prevalence
| JSON representation |
|---|
| { "rollingMax": integer, "dayCount": integer, "rollingMaxSubDomains": integer, "dayMax": integer, "dayMaxSubDomains": integer } |
| Fields | |
|---|---|
| rollingMax | The maximum number of assets per day accessing the resource over the trailing day_count days. |
| dayCount | The number of days over which rolling_max is calculated. |
| rollingMaxSubDomains | The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. |
| dayMax | The max prevalence score in a day interval window. |
| dayMaxSubDomains | The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. |
User
| JSON representation |
|---|
| { "productObjectId": string, "userid": string, "userDisplayName": string, "firstName": string, "middleName": string, "lastName": string, "phoneNumbers": [ string ], "personalAddress": { object ( |
| Fields | |
|---|---|
| productObjectId | A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. |
| userid | The ID of the user. This field can be used as an entity indicator for user entities. |
| userDisplayName | The display name of the user (e.g. "John Locke"). |
| firstName | First name of the user (e.g. "John"). |
| middleName | Middle name of the user. |
| lastName | Last name of the user (e.g. "Locke"). |
| phoneNumbers[] | Phone numbers for the user. |
| personalAddress | Personal address of the user. |
| attribute | Generic entity metadata attributes of the user. |
| firstSeenTime | The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| accountType | Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ |
| groupid | The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. |
| groupIdentifiers[] | Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). |
| windowsSid | The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. |
| emailAddresses[] | Email addresses of the user. This field can be used as an entity indicator for user entities. |
| employeeId | Human capital management identifier. This field can be used as an entity indicator for user entities. |
| title | User job title. |
| companyName | User job company name. |
| department[] | User job department. |
| officeAddress | User job office location. |
| managers[] | User job manager(s). |
| hireDate | User job employment hire date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| terminationDate | User job employment termination date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| timeOff[] | User time off leaves from active work. |
| lastLoginTime | User last login timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastPasswordChangeTime | User last password change timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| passwordExpirationTime | User password expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| accountExpirationTime | User account expiration timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| accountLockoutTime | User account lockout timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastBadPasswordAttemptTime | User last bad password attempt timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| userAuthenticationStatus | System authentication status for user. |
| roleName | System role name for user. Deprecated: use attribute.roles. |
| roleDescription | System role description for user. Deprecated: use attribute.roles. |
| userRole | System role for user. Deprecated: use attribute.roles. |
Location
| JSON representation |
|---|
| { "city": string, "state": string, "countryOrRegion": string, "name": string, "deskName": string, "floorName": string, "regionLatitude": number, "regionLongitude": number, "regionCoordinates": { object ( |
| Fields | |
|---|---|
| city | The city. |
| state | The state. |
| countryOrRegion | The country or region. |
| name | Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). |
| deskName | Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D"). |
| floorName | Floor name, number or a combination of the two for a building (e.g. "1-A"). |
| regionLatitude | Deprecated: use region_coordinates. |
| regionLongitude | Deprecated: use region_coordinates. |
| regionCoordinates | Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. |
LatLng
| JSON representation |
|---|
| { "latitude": number, "longitude": number } |
| Fields | |
|---|---|
| latitude | The latitude in degrees. It must be in the range [-90.0, +90.0]. |
| longitude | The longitude in degrees. It must be in the range [-180.0, +180.0]. |
Attribute
| JSON representation |
|---|
| { "cloud": { object ( |
| Fields | |
|---|---|
| cloud | Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. |
| labels[] | Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings. |
| permissions[] | System permissions for IAM entity (human principal, service account, group). |
| roles[] | System IAM roles to be assumed by resources to use the role's permissions for access control. |
| creationTime | Time the resource or entity was created or provisioned. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastUpdateTime | Time the resource or entity was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Cloud
| JSON representation |
|---|
| { "environment": enum ( |
| Fields | |
|---|---|
| environment | The Cloud environment. |
| vpc | The cloud environment VPC. Deprecated. |
| project | The cloud environment project information. Deprecated: Use Resource.resource_ancestors |
| availabilityZone | The cloud environment availability zone (different from region which is location.name). |
Resource
| JSON representation |
|---|
| { "type": string, "resourceType": enum ( |
| Fields | |
|---|---|
| type | Deprecated: use resource_type instead. |
| resourceType | Resource type. |
| resourceSubtype | Resource sub-type (e.g. "BigQuery", "Bigtable"). |
| id | Deprecated: Use resource.name or resource.product_object_id. |
| name | The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. |
| parent | The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. |
| productObjectId | A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar). This field can be used as an entity indicator for a Resource entity. |
| attribute | Generic entity metadata attributes of the resource. |
| scheduledTask | Information about a scheduled task associated with the resource. |
| volume | Information about a storage volume associated with the resource. |
| service | Information about a Windows service associated with the resource. |
ScheduledTask

| JSON representation |
|---|
| { "minute": integer, "hour": integer, "monthDay": integer, "month": integer, "weekDay": integer, "comment": string, "author": string } |

| Fields | |
|---|---|
| minute | The minute of the hour (0-59). |
| hour | The hour of the day (0-23). |
| monthDay | The day of the month (1-31). |
| month | The month of the year (1-12). |
| weekDay | The day of the week (0-6, Sunday=0). |
| comment | A comment or description for the task. |
| author | The author or creator of the task. |
Volume

| JSON representation |
|---|
| { "fileSystem": string, "mountPoint": string, "devicePath": string, "isMounted": boolean, "isReadOnly": boolean, "name": string } |

| Fields | |
|---|---|
| fileSystem | The name of the file system on the volume (e.g., "NTFS", "FAT32"). |
| mountPoint | The path where the volume is mounted (e.g., "C:", "/mnt/data"). |
| devicePath | The system path to the device (e.g., "\\.\HarddiskVolume1", "/dev/sda1"). |
| isMounted | Indicates whether the volume is currently mounted. |
| isReadOnly | Indicates whether the volume is mounted as read-only. |
| name | The user-assigned label or name for the volume. |
Service

| JSON representation |
|---|
| { "displayName": string, "serviceType": enum ( |

| Fields | |
|---|---|
| displayName | The user-friendly display name of the service. |
| serviceType | The type of service. |
| startupType | The startup type of the service. |
| state | Output only. The status of the service. |
Permission

| JSON representation |
|---|
| { "name": string, "description": string, "type": enum ( |

| Fields | |
|---|---|
| name | Name of the permission (e.g. chronicle.analyst.updateRule). |
| description | Description of the permission (e.g. 'Ability to update detect rules'). |
| type | Type of the permission. |
Role

| JSON representation |
|---|
| { "name": string, "description": string, "type": enum ( |

| Fields | |
|---|---|
| name | System role name for user. |
| description | System role description for user. |
| type | System role type for well-known roles. |
TimeOff

| JSON representation |
|---|
| { "interval": { object ( |

| Fields | |
|---|---|
| interval | Interval duration of the leave. |
| description | Description of the leave if available (e.g. 'Vacation'). |
Interval

| JSON representation |
|---|
| { "startTime": string, "endTime": string } |

| Fields | |
|---|---|
| startTime | Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| endTime | Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Favicon

| JSON representation |
|---|
| { "rawMd5": string, "dhash": string } |

| Fields | |
|---|---|
| rawMd5 | Favicon's MD5 hash. |
| dhash | Difference hash. |
DNSRecord

| JSON representation |
|---|
| { "type": string, "value": string, "ttl": string, "priority": string, "retry": string, "refresh": string, "minimum": string, "expire": string, "serial": string, "rname": string } |

| Fields | |
|---|---|
| type | Type. |
| value | Value. |
| ttl | Time to live. A duration in seconds with up to nine fractional digits, ending with ' |
| priority | Priority. |
| retry | Retry. |
| refresh | Refresh. A duration in seconds with up to nine fractional digits, ending with ' |
| minimum | Minimum. A duration in seconds with up to nine fractional digits, ending with ' |
| expire | Expire. A duration in seconds with up to nine fractional digits, ending with ' |
| serial | Serial. |
| rname | Rname. |
Duration

| JSON representation |
|---|
| { "seconds": string, "nanos": integer } |

| Fields | |
|---|---|
| seconds | Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years |
| nanos | Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 |
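The Interval and Duration types above share the timestamp conventions that recur throughout this reference: RFC 3339 with "Z" or an explicit offset, up to nine fractional digits, an inclusive start and an exclusive end, and a seconds/nanos pair with hard bounds. The following is an added example, not code from the UDM reference or the Chronicle API, that parses both JSON forms and applies the membership rule. It assumes the protobuf JSON string form of a Duration (such as "3.5s") alongside the object form shown in the table, and the sample interval and probes are constructed.

```python
"""Added example (not from the UDM reference): parse the Duration and
Interval JSON forms described above and apply the interval membership rule."""
import re
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Bound on Duration.seconds stated in the reference (10,000 years).
MAX_SECONDS = 315_576_000_000

# RFC 3339 timestamp: date, 'T', time, optional fraction of 1-9 digits, then
# 'Z' or a numeric offset. Hand-written so the result does not depend on which
# fraction lengths the running Python's datetime.fromisoformat() accepts.
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?([Zz]|[+-]\d{2}:\d{2})$"
)


def parse_rfc3339(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp and normalize it to UTC.
    'Z' and explicit offsets are both accepted, as the reference states;
    nanosecond digits beyond microsecond precision are truncated."""
    m = _RFC3339.match(ts)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {ts!r}")
    y, mo, d, h, mi, s, frac, off = m.groups()
    micro = int((frac or "").ljust(6, "0")[:6])
    if off.upper() == "Z":
        tz = timezone.utc
    else:
        sign = 1 if off[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6])))
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tz)
    return dt.astimezone(timezone.utc)


def duration_to_timedelta(value) -> timedelta:
    """Convert a UDM Duration to a timedelta.

    Accepts the object form {"seconds": "<int64>", "nanos": <int32>} from the
    table above, or the protobuf JSON string form such as "3.5s" (assumption:
    this is the form the truncated 'ending with ...' descriptions refer to).
    """
    if isinstance(value, str):
        if not value.endswith("s"):
            raise ValueError(f"duration string must end with 's': {value!r}")
        total = Decimal(value[:-1])
        seconds = int(total)                      # truncates toward zero
        nanos = int((total - seconds) * 1_000_000_000)
    else:
        seconds = int(value.get("seconds", 0))
        nanos = int(value.get("nanos", 0))
    if not -MAX_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError(f"seconds out of range: {seconds}")
    if not -999_999_999 <= nanos <= 999_999_999:
        raise ValueError(f"nanos out of range: {nanos}")
    # seconds and nanos must carry the same sign (or be zero), as in the
    # protobuf Duration definition: -1.5s is seconds=-1, nanos=-500000000.
    if seconds and nanos and (seconds < 0) != (nanos < 0):
        raise ValueError("seconds and nanos have opposite signs")
    return timedelta(seconds=seconds, microseconds=nanos / 1000)


def in_interval(ts: str, interval: dict) -> bool:
    """Interval membership as documented: the start is inclusive, the end is
    exclusive, and either bound may be absent."""
    t = parse_rfc3339(ts)
    start = interval.get("startTime")
    end = interval.get("endTime")
    if start is not None and t < parse_rfc3339(start):
        return False
    if end is not None and t >= parse_rfc3339(end):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a TimeOff-style interval and three probe timestamps.
    leave = {"startTime": "2025-11-19T00:00:00Z", "endTime": "2025-11-21T00:00:00Z"}
    for probe in ("2025-11-19T00:00:00Z",
                  "2025-11-20T23:59:59.999999999+00:00",
                  "2025-11-21T02:00:00+02:00"):
        print(probe, in_interval(probe, leave))
    print(duration_to_timedelta({"seconds": "-1", "nanos": -500000000}))
```

The third probe is the exclusive end expressed in a +02:00 offset; it normalizes to exactly the end instant and is therefore rejected, which is the edge an analyst most often gets wrong when building time windows by hand.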
SSLCertificate

| JSON representation |
|---|
| { "certSignature": { object ( |

| Fields | |
|---|---|
| certSignature | Certificate's signature and algorithm. |
| extension | (DEPRECATED) certificate's extension. |
| certExtensions | Certificate's extensions. |
| firstSeenTime | Date the certificate was first retrieved by VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| issuer | Certificate's issuer data. |
| ec | EC public key information. |
| serialNumber | Certificate's serial number hexdump. |
| signatureAlgorithm | Algorithm used for the signature (for example, "sha1RSA"). |
| size | Certificate content length. |
| subject | Certificate's subject data. |
| thumbprint | Certificate's content SHA1 hash. |
| thumbprintSha256 | Certificate's content SHA256 hash. |
| validity | Certificate's validity period. |
| version | Certificate version (typically "V1", "V2" or "V3"). |
| publicKey | Public key information. |
CertSignature

| JSON representation |
|---|
| { "signature": string, "signatureAlgorithm": string } |

| Fields | |
|---|---|
| signature | Signature. |
| signatureAlgorithm | Algorithm. |
Extension

| JSON representation |
|---|
| { "ca": boolean, "subjectKeyId": string, "authorityKeyId": { object ( |

| Fields | |
|---|---|
| ca | Whether the subject acts as a certificate authority (CA) or not. |
| subjectKeyId | Identifies the public key being certified. |
| authorityKeyId | Identifies the public key to be used to verify the signature on this certificate or CRL. |
| keyUsage | The purpose for which the certified public key is used. |
| caInfoAccess | Authority information access locations are URLs that are added to a certificate in its authority information access extension. |
| crlDistributionPoints | CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. |
| extendedKeyUsage | One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. |
| subjectAlternativeName | Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. |
| certificatePolicies | Different certificate policies will relate to different applications which may use the certified key. |
| netscapeCertComment | Used to include free-form text comments inside certificates. |
| certTemplateNameDc | BMP data value "DomainController". See MS Q291010. |
| netscapeCertificate | Identify whether the certificate subject is an SSL client, an SSL server, or a CA. |
| peLogotype | Whether the certificate includes a logotype. |
| oldAuthorityKeyId | Whether the certificate has an old authority key identifier extension. |
AuthorityKeyId

| JSON representation |
|---|
| { "keyid": string, "serialNumber": string } |

| Fields | |
|---|---|
| keyid | Key hexdump. |
| serialNumber | Serial number hexdump. |
Subject

| JSON representation |
|---|
| { "countryName": string, "commonName": string, "locality": string, "organization": string, "organizationalUnit": string, "stateOrProvinceName": string } |

| Fields | |
|---|---|
| countryName | C: Country name. |
| commonName | CN: CommonName. |
| locality | L: Locality. |
| organization | O: Organization. |
| organizationalUnit | OU: OrganizationalUnit. |
| stateOrProvinceName | ST: StateOrProvinceName. |
EC

| JSON representation |
|---|
| { "oid": string, "pub": string } |

| Fields | |
|---|---|
| oid | Curve name. |
| pub | Public key hexdump. |
Validity

| JSON representation |
|---|
| { "expiryTime": string, "issueTime": string } |

| Fields | |
|---|---|
| expiryTime | Expiry date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| issueTime | Issue date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
PublicKey

| JSON representation |
|---|
| { "algorithm": string, "rsa": { object ( |

| Fields | |
|---|---|
| algorithm | Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. |
| rsa | RSA public key information. |
RSA

| JSON representation |
|---|
| { "keySize": string, "modulus": string, "exponent": string } |

| Fields | |
|---|---|
| keySize | Key size. |
| modulus | Key modulus hexdump. |
| exponent | Key exponent hexdump. |
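The SSLCertificate, Extension, Subject, Validity, PublicKey and RSA types above carry everything needed to triage a certificate record at search time: validity window, signature algorithm, key size, subject/issuer and the CA flag. The following is an added example, not code from the UDM reference or the Chronicle API, that evaluates one SSLCertificate-shaped value against the checks a defender usually wants flagged. The finding names, the weak-algorithm list (spelled after the "sha1RSA" example in the table), the 2048-bit RSA floor, the assumption that certExtensions has the same shape as the deprecated extension field, and the two sample certificates are all constructed for this example.

```python
"""Added example (not from the UDM reference): triage an SSLCertificate
record for conditions a defender usually wants flagged."""
from datetime import datetime, timezone

# Assumed weak-signature list; names follow the "sha1RSA" style the
# reference uses as its example (compared case-insensitively).
WEAK_SIGNATURE_ALGORITHMS = {"md5rsa", "sha1rsa"}
MIN_RSA_BITS = 2048          # assumed policy floor for RSA keys

# Evaluation instant used by the samples below (constructed).
NOW = datetime(2025, 11, 19, tzinfo=timezone.utc)


def _parse_ts(ts: str) -> datetime:
    # The reference says generated output is Z-normalized, so the 'Z'
    # suffix is the only form handled in this helper.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess_certificate(cert: dict, now: datetime = NOW) -> list:
    """Return a sorted list of finding codes for one SSLCertificate value."""
    findings = []

    validity = cert.get("validity", {})
    issue, expiry = validity.get("issueTime"), validity.get("expiryTime")
    if issue and _parse_ts(issue) > now:
        findings.append("not_yet_valid")
    if expiry and _parse_ts(expiry) <= now:
        findings.append("expired")

    alg = (cert.get("signatureAlgorithm") or "").lower()
    if alg in WEAK_SIGNATURE_ALGORITHMS:
        findings.append("weak_signature_algorithm")

    pk = cert.get("publicKey", {})
    if pk.get("algorithm") == "RSA":
        bits = int(pk.get("rsa", {}).get("keySize") or 0)   # keySize is a string
        if bits and bits < MIN_RSA_BITS:
            findings.append("small_rsa_key")

    # Subject equal to issuer is the usual self-signed indicator.
    subject = cert.get("subject")
    if subject and subject == cert.get("issuer"):
        findings.append("self_signed")

    # Prefer certExtensions, fall back to the deprecated extension field
    # (assumption: both use the Extension shape documented above).
    ext = cert.get("certExtensions") or cert.get("extension") or {}
    if ext.get("ca") is True:
        findings.append("ca_flag_set")

    version = cert.get("version")
    if version and version != "V3":
        findings.append("pre_v3_certificate")
    return sorted(findings)


# Constructed samples in the SSLCertificate shape.
SAMPLE_OK = {
    "version": "V3",
    "signatureAlgorithm": "sha256RSA",
    "subject": {"commonName": "service.example.test", "organization": "Example"},
    "issuer": {"commonName": "Example Issuing CA", "organization": "Example"},
    "validity": {"issueTime": "2025-01-01T00:00:00Z", "expiryTime": "2026-01-01T00:00:00Z"},
    "publicKey": {"algorithm": "RSA", "rsa": {"keySize": "2048"}},
    "certExtensions": {"ca": False},
}

SAMPLE_BAD = {
    "version": "V1",
    "signatureAlgorithm": "sha1RSA",
    "subject": {"commonName": "legacy.example.test"},
    "issuer": {"commonName": "legacy.example.test"},
    "validity": {"issueTime": "2023-01-01T00:00:00Z", "expiryTime": "2024-12-31T00:00:00Z"},
    "publicKey": {"algorithm": "RSA", "rsa": {"keySize": "1024"}},
    "extension": {"ca": True},
}

if __name__ == "__main__":
    for label, cert in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, assess_certificate(cert))
```

Findings are returned as codes rather than printed so they can be attached to the search result that produced the certificate; the same function applies to Artifact.lastHttpsCertificate, which the reference documents as an SSLCertificate.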
PopularityRank

| JSON representation |
|---|
| { "giver": string, "rank": string, "ingestionTime": string } |

| Fields | |
|---|---|
| giver | Name of the rank giver. |
| rank | Rank position. |
| ingestionTime | Timestamp when the rank was ingested. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Artifact

| JSON representation |
|---|
| { "ip": string, "prevalence": { object ( |

| Fields | |
|---|---|
| ip | IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. |
| prevalence | The prevalence of the artifact within the customer's environment. |
| firstSeenTime | First seen timestamp of the IP in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastSeenTime | Last seen timestamp of the IP address in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| location | Location of the Artifact's IP address. |
| network | Network information related to the Artifact's IP address. |
| asOwner | Owner of the Autonomous System to which the IP address belongs. |
| asn | Autonomous System Number to which the IP address belongs. |
| jarm | The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). |
| lastHttpsCertificate | SSL certificate information about the IP address. |
| lastHttpsCertificateDate | Most recent date for the certificate in VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| regionalInternetRegistry | RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). |
| tags[] | Identification attributes. |
| whois | WHOIS information as returned from the pertinent WHOIS server. |
| whoisDate | Date of the last update of the WHOIS record in VirusTotal. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| tunnels[] | VPN tunnels. |
| anonymous | Whether the VPN tunnels are configured for anonymous browsing or not. |
| artifactClient | Entity or software accessing or utilizing network resources. |
| risks[] | This field lists potential risks associated with the network activity. |
Network

| JSON representation |
|---|
| { "sentBytes": string, "receivedBytes": string, "totalBytes": string, "sentPackets": string, "receivedPackets": string, "sessionDuration": string, "sessionId": string, "parentSessionId": string, "applicationProtocolVersion": string, "communityId": string, "direction": enum ( |

| Fields | |
|---|---|
| sentBytes | The number of bytes sent. |
| receivedBytes | The number of bytes received. |
| totalBytes | The number of total bytes. |
| sentPackets | The number of packets sent. |
| receivedPackets | The number of packets received. |
| sessionDuration | The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. A duration in seconds with up to nine fractional digits, ending with ' |
| sessionId | The ID of the network session. |
| parentSessionId | The ID of the parent network session. |
| applicationProtocolVersion | The version of the application protocol, e.g. "1.1", "2.0". |
| communityId | Community ID network flow value. |
| direction | The direction of network traffic. |
| ipProtocol | The IP protocol. |
| applicationProtocol | The application protocol. |
| ftp | FTP info. |
| email | Email info for the sender/recipient. |
| dns | DNS info. |
| dhcp | DHCP info. |
| http | HTTP info. |
| tls | TLS info. |
| smtp | SMTP info. Stores fields specific to SMTP not covered by Email. |
| asn | Autonomous system number. |
| dnsDomain | DNS domain name. |
| carrierName | Carrier identification. |
| organizationName | Organization name (e.g. Google). |
| ipSubnetRange | Associated human-readable IP subnet range (e.g. 10.1.2.0/24). |
| isProxy | Whether the IP address is a known proxy. |
| proxyInfo | Proxy information. Only set if is_proxy is true. |
| connectionState | Output only. The state of the network connection. |
Ftp

| JSON representation |
|---|
| { "command": string } |

| Fields | |
|---|---|
| command | The FTP command. |
Email

| JSON representation |
|---|
| { "from": string, "replyTo": string, "to": [ string ], "cc": [ string ], "bcc": [ string ], "mailId": string, "subject": [ string ], "bounceAddress": string } |

| Fields | |
|---|---|
| from | The 'from' address. |
| replyTo | The 'reply to' address. |
| to[] | A list of 'to' addresses. |
| cc[] | A list of 'cc' addresses. |
| bcc[] | A list of 'bcc' addresses. |
| mailId | The mail (or message) ID. |
| subject[] | The subject line(s) of the email. |
| bounceAddress | The envelope from address. https://en.wikipedia.org/wiki/Bounce_address |
Dns

| JSON representation |
|---|
| { "id": integer, "response": boolean, "opcode": integer, "authoritative": boolean, "truncated": boolean, "recursionDesired": boolean, "recursionAvailable": boolean, "responseCode": integer, "questions": [ { object ( |

| Fields | |
|---|---|
| id | DNS query id. |
| response | Set to true if the event is a DNS response. See QR field from RFC1035. |
| opcode | The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). |
| authoritative | Other DNS header flags. See RFC1035, section 4.1.1. |
| truncated | Whether the DNS response was truncated. |
| recursionDesired | Whether a recursive DNS lookup is desired. |
| recursionAvailable | Whether a recursive DNS lookup is available. |
| responseCode | Response code. See RCODE from RFC1035. |
| questions[] | A list of domain protocol message questions. |
| answers[] | A list of answers to the domain name query. |
| authority[] | A list of domain name servers which verified the answers to the domain name queries. |
| additional[] | A list of additional domain name servers that can be used to verify the answer to the domain. |
Question

| JSON representation |
|---|
| { "name": string, "type": integer, "class": integer, "prevalence": { object ( |

| Fields | |
|---|---|
| name | The domain name. |
| type | The code specifying the type of the query. |
| class | The code specifying the class of the query. |
| prevalence | The prevalence of the domain within the customer's environment. |
ResourceRecord

| JSON representation |
|---|
| { "name": string, "type": integer, "class": integer, "ttl": integer, "data": string, "binaryData": string } |

| Fields | |
|---|---|
| name | The name of the owner of the resource record. |
| type | The code specifying the type of the resource record. |
| class | The code specifying the class of the resource record. |
| ttl | The time interval for which the resource record can be cached before the source of the information should again be queried. |
| data | The payload or response to the DNS question for all responses encoded in UTF-8 format. |
| binaryData | The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. A base64-encoded string. |
Dhcp

| JSON representation |
|---|
| { "opcode": enum ( |

| Fields | |
|---|---|
| opcode | The BOOTP op code. |
| htype | Hardware address type. |
| hlen | Hardware address length. |
| hops | Relay hop count (hops). |
| transactionId | Transaction ID. |
| seconds | Seconds elapsed since client began address acquisition/renewal process. |
| flags | Flags. |
| ciaddr | Client IP address (ciaddr). |
| yiaddr | Your IP address (yiaddr). |
| siaddr | IP address of the next bootstrap server. |
| giaddr | Relay agent IP address (giaddr). |
| chaddr | Client hardware address (chaddr). |
| sname | Server name that the client wishes to boot from. |
| file | Boot image filename. |
| options[] | List of DHCP options. |
| type | DHCP message type. |
| leaseTimeSeconds | Lease time in seconds. See RFC2132, section 9.2. |
| clientHostname | Client hostname. See RFC2132, section 3.14. |
| clientIdentifier | Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. A base64-encoded string. |
| requestedAddress | Requested IP address. See RFC2132, section 9.1. |
| clientIdentifierString | Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. |
Option

| JSON representation |
|---|
| { "code": integer, "data": string } |

| Fields | |
|---|---|
| code | Code. See RFC1533. |
| data | Data. A base64-encoded string. |
Http

| JSON representation |
|---|
| { "method": string, "referralUrl": string, "userAgent": string, "responseCode": integer, "parsedUserAgent": { object ( |

| Fields | |
|---|---|
| method | The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). |
| referralUrl | The URL for the HTTP referer. |
| userAgent | The User-Agent request header, which includes the application type, operating system, software vendor or software version of the requesting software user agent. |
| responseCode | The response status code, for example 200, 302, 404, or 500. |
| parsedUserAgent | The parsed user_agent string. |
UserAgentProto

| JSON representation |
|---|
| { "family": enum ( |

| Fields | |
|---|---|
| family | User agent family captures the type of browser/app at a high level, e.g. MSIE, Gecko, Safari etc. |
| subFamily | Sub-family identifies individual regexps when a family has more than one. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. |
| platform | The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family, e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker, e.g. Linux, or HTC, LG, Palm. |
| device | (Usually) Mobile specific: name of hardware device, may or may not contain the full model name, e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| deviceVersion | (Usually) Mobile specific: version of hardware device. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| carrier | Mobile specific: name of mobile carrier. |
| security | Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| locale | Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| os | Full name of the operating system, e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98". Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| osVariant | Extra qualifier for the OS, e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061". Unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| browser | Product brand within the family: Firefox, Netscape, Camino etc., or Earth, Windows-Media-Player etc. for non-browser user agents. |
| browserVersion | Minor and lower versions unavailable with reduced User-Agent and no client hints (https://www.chromium.org/updates/ua-reduction/). |
| browserEngineVersion | Version of the rendering engine, e.g. "8.01" for "Opera/8.01". |
| googleToolbarVersion | Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. |
| javaProfile | Mobile specific: e.g. Profile/MIDP-2.0 |
| javaProfileVersion | |
| javaConfiguration | Mobile specific: e.g. Configuration/CLDC-1.1 |
| javaConfigurationVersion | |
| messaging | Mobile specific: e.g. MMP/2.0 |
| messagingVersion | |
| annotation[] | |
Annotation

| JSON representation |
|---|
| { "key": string, "value": string } |

| Fields | |
|---|---|
| key | |
| value | |
Tls

| JSON representation |
|---|
| { "client": { object ( |

| Fields | |
|---|---|
| client | Certificate information for the client certificate. |
| server | Certificate information for the server certificate. |
| cipher | Cipher used during the connection. |
| curve | Elliptic curve used for a given cipher. |
| version | TLS version. |
| versionProtocol | Protocol. |
| established | Indicates whether the TLS negotiation was successful. |
| nextProtocol | Protocol to be used for the tunnel. |
| resumed | Indicates whether the TLS connection was resumed from a previous TLS negotiation. |
Client

| JSON representation |
|---|
| { "certificate": { object ( |

| Fields | |
|---|---|
| certificate | Client certificate. |
| ja3 | JA3 hash from the TLS ClientHello, as a hex-encoded string. |
| serverName | Host name of the server that the client is connecting to. |
| supportedCiphers[] | Ciphers supported by the client during the client hello. |
Certificate

| JSON representation |
|---|
| { "version": string, "serial": string, "subject": string, "issuer": string, "md5": string, "sha1": string, "sha256": string, "notBefore": string, "notAfter": string } |

| Fields | |
|---|---|
| version | Certificate version. |
| serial | Certificate serial number. |
| subject | Subject of the certificate. |
| issuer | Issuer of the certificate. |
| md5 | The MD5 hash of the certificate, as a hex-encoded string. |
| sha1 | The SHA1 hash of the certificate, as a hex-encoded string. |
| sha256 | The SHA256 hash of the certificate, as a hex-encoded string. |
| notBefore | Indicates when the certificate is first valid. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| notAfter | Indicates when the certificate is no longer valid. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Server

| JSON representation |
|---|
| { "certificate": { object ( |

| Fields | |
|---|---|
| certificate | Server certificate. |
| ja3s | JA3 hash from the TLS ServerHello, as a hex-encoded string. |
Smtp

| JSON representation |
|---|
| { "helo": string, "mailFrom": string, "rcptTo": [ string ], "serverResponse": [ string ], "messagePath": string, "isWebmail": boolean, "isTls": boolean } |

| Fields | |
|---|---|
| helo | The client's 'HELO'/'EHLO' string. |
| mailFrom | The client's 'MAIL FROM' string. |
| rcptTo[] | The client's 'RCPT TO' string(s). |
| serverResponse[] | The server's response(s) to the client. |
| messagePath | The message's path (extracted from the headers). |
| isWebmail | If the message was sent via a webmail client. |
| isTls | If the connection switched to TLS. |
ProxyInfo

| JSON representation |
|---|
| { "anonymous": boolean, "anonymousVpn": boolean, "publicProxy": boolean, "torExitNode": boolean, "smartDnsProxy": boolean, "hostingProvider": boolean, "vpnDatacenter": boolean, "residentialProxy": boolean, "vpnServiceName": string, "proxyOverVpn": boolean, "relayProxy": boolean } |

| Fields | |
|---|---|
| anonymous | Whether the IP address is anonymous. |
| anonymousVpn | Whether the IP address is an anonymous VPN. |
| publicProxy | Whether the IP address is a public proxy. |
| torExitNode | Whether the IP address is a Tor exit node. |
| smartDnsProxy | Whether the IP address is a smart DNS proxy. |
| hostingProvider | Whether the IP address is a hosting provider. |
| vpnDatacenter | Whether the IP address is a VPN datacenter. |
| residentialProxy | Whether the IP address is a residential proxy. |
| vpnServiceName | The name of the VPN service. |
| proxyOverVpn | Whether the IP address is a proxy over VPN. |
| relayProxy | Whether the IP address is a relay proxy. |
Tunnels

| JSON representation |
|---|
| { "provider": string, "type": string } |

| Fields | |
|---|---|
| provider | The provider of the VPN tunnels being used. |
| type | The type of the VPN tunnels. |
ArtifactClient

| JSON representation |
|---|
| { "behaviors": [ string ], "proxies": [ string ] } |

| Fields | |
|---|---|
| behaviors[] | The behaviors of the client accessing the network. |
| proxies[] | The type of proxies used by the client. |
Url

| JSON representation |
|---|
| { "url": string, "categories": [ string ], "favicon": { object ( |

| Fields | |
|---|---|
| url | URL. |
| categories[] | Categorisation done by VirusTotal partners. |
| favicon | Difference hash and MD5 hash of the URL's favicon. |
| htmlMeta | Meta tags (only for URLs downloading HTML). |
| lastFinalUrl | If the original URL redirects, where it ends up. |
| lastHttpResponseCode | HTTP response code of the last response. |
| lastHttpResponseContentLength | Length in bytes of the content received. |
| lastHttpResponseContentSha256 | URL response body's SHA256 hash. |
| lastHttpResponseCookies | Website's cookies. |
| lastHttpResponseHeaders | Headers and values of the last HTTP response. |
| tags[] | Tags. |
| title | Webpage title. |
| trackers[] | Trackers found in the URL in a historical manner. |
Tracker

| JSON representation |
|---|
| { "tracker": string, "id": string, "timestamp": string, "url": string } |

| Fields | |
|---|---|
| tracker | Tracker name. |
| id | Tracker ID, if available. |
| timestamp | Tracker ingestion date. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| url | Tracker script URL. |
Browser

| JSON representation |
|---|
| { "browserType": enum ( |

| Fields | |
|---|---|
| browserType | The browser that recorded the history entry (e.g. "Chrome", "Firefox", "Safari", etc.). |
| browserVersion | The browser version. |
| firstVisitTime | The timestamp indicating the initial visit to the URL. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastVisitTime | The timestamp indicating the most recent visit to the URL. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| profile | The browser profile associated with the history entry. |
| typed | A boolean value indicating if the URL was typed by the user. |
| visitType | Describes the type of navigation or visit (e.g., direct, redirect, etc.). |
| hidden | A boolean value indicating if the history entry is hidden. |
| requestOriginUri | Indicates the URI from which the current visit originated. |
| visitCount | The total number of times the Url has been visited. |
| visitCountCriteria | Describes the criteria used to calculate the visit_count. |
| indexedContent | Represents the textual content of a web page. This field should be kept short. Large strings may affect latency and payload sizes. |
| firstBookmarkedTime | The timestamp indicating the first time the URL was bookmarked. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| cookies[] | Information about the cookies. |
| typedCount | The number of times the URL was visited with this specific visit type and visit source. |
| visitSource | The source of the visit. |
Cookie

| JSON representation |
|---|
| { "name": string, "value": string, "domain": string, "path": string, "expirationTime": string, "httpOnly": boolean, "secure": boolean, "maxAge": string, "sameSite": enum ( |

| Fields | |
|---|---|
| name | The unique name identifying the cookie. |
| value | The data stored within the cookie. |
| domain | The domain for which the cookie is valid. |
| path | The URL path for which the cookie is valid. |
| expirationTime | The date and time when the cookie will expire. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| httpOnly | Indicates if the cookie is inaccessible via client-side scripts (e.g., JavaScript). |
| secure | Indicates if the cookie should only be sent over secure HTTPS connections. |
| maxAge | The maximum age of the cookie in seconds. |
| sameSite | Affects cross-site request behavior. |
| session | Indicates if the cookie is persistent. |
| partitioned | Shows if the cookie is stored using partitioned storage. |
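The Cookie type records the attributes that decide whether a cookie can be read by script, sent over plaintext HTTP, or attached to a cross-site request. The following is an added example, not code from the UDM reference or the Chronicle API, that audits a list of Browser.cookies[] records for attribute combinations that weaken a cookie. The finding names, the use of "NONE" for the sameSite enum (its value names are not shown in the table), the __Host-/__Secure- prefix rules, the 400-day lifetime ceiling and the sample cookies are all assumptions constructed for this example.

```python
"""Added example (not from the UDM reference): audit Browser.cookies[]
records in the Cookie shape documented above."""

# Assumed policy ceiling for persistent cookies (seconds).
MAX_LIFETIME_SECONDS = 400 * 86400


def audit_cookie(cookie: dict) -> list:
    """Return a sorted list of finding codes for one Cookie value."""
    findings = []
    secure = cookie.get("secure") is True
    if not secure:
        findings.append("missing_secure")
    if cookie.get("httpOnly") is not True:
        findings.append("missing_httponly")

    # sameSite is an enum in UDM; the reference does not list its values,
    # so the spelling "NONE" is an assumption of this example.
    same_site = str(cookie.get("sameSite") or "").upper()
    if not same_site:
        findings.append("samesite_unset")
    elif same_site == "NONE" and not secure:
        findings.append("samesite_none_without_secure")

    # Cookie-prefix rules (assumed from the cookie prefix specification):
    # __Secure- requires Secure; __Host- additionally requires path "/" and
    # no Domain attribute.
    name = cookie.get("name", "")
    if name.startswith("__Host-"):
        if not secure or cookie.get("path") != "/" or cookie.get("domain"):
            findings.append("host_prefix_violation")
    elif name.startswith("__Secure-") and not secure:
        findings.append("secure_prefix_violation")

    # maxAge is documented as a string; an absent value means no limit.
    max_age = cookie.get("maxAge")
    if max_age is not None and int(max_age) > MAX_LIFETIME_SECONDS:
        findings.append("lifetime_over_400_days")
    return sorted(findings)


def audit_cookies(cookies: list) -> dict:
    """Map each cookie name to its findings; empty lists mean no issues."""
    return {c.get("name", ""): audit_cookie(c) for c in cookies}


# Constructed sample records in the Cookie shape.
SAMPLE_COOKIES = [
    {"name": "session_id", "value": "<redacted>", "domain": "app.example.test",
     "path": "/", "httpOnly": True, "secure": True, "sameSite": "STRICT",
     "session": True},
    {"name": "__Host-csrf", "value": "<redacted>", "domain": "app.example.test",
     "path": "/", "httpOnly": False, "secure": True, "sameSite": "LAX"},
    {"name": "tracker", "value": "<redacted>", "path": "/", "secure": False,
     "sameSite": "NONE", "maxAge": "63072000"},
]

if __name__ == "__main__":
    for name, result in audit_cookies(SAMPLE_COOKIES).items():
        print(f"{name}: {result or 'ok'}")
```

The second sample shows why the prefix check matters: a cookie named __Host-csrf that carries a Domain attribute will be rejected by a conforming browser, so seeing it set that way in telemetry usually points at a misconfigured application rather than a browser quirk.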
Group

| JSON representation |
|---|
| { "productObjectId": string, "creationTime": string, "groupDisplayName": string, "attribute": { object ( |

| Fields | |
|---|---|
| productObjectId | Product globally unique user object identifier, such as an LDAP Object Identifier. |
| creationTime | Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| groupDisplayName | Group display name, e.g. "Finance". |
| attribute | Generic entity metadata attributes of the group. |
| emailAddresses[] | Email addresses of the group. |
| windowsSid | Microsoft Windows SID of the group. |
Process

| JSON representation |
|---|
| { "pid": string, "parentPid": string, "parentProcess": { object ( |

| Fields | |
|---|---|
| pid | The process ID. This field can be used as an entity indicator for process entities. |
| parentPid | The ID of the parent process. Deprecated: use parent_process.pid instead. |
| parentProcess | Information about the parent process. |
| file | Information about the file in use by the process. |
| commandLine | The command line command that created the process. This field can be used as an entity indicator for process entities. |
| commandLineHistory[] | The command line history of the process. |
| productSpecificProcessId | A product-specific process id. |
| accessMask | A bit mask representing the level of access. |
| integrityLevelRid | The Microsoft Windows integrity level relative ID (RID) of the process. |
| euid | The effective user ID of the process. |
| ruid | The real user ID of the process. |
| egid | The effective group ID of the process. |
| rgid | The real group ID of the process. |
| pgid | The identifier that points to the process group ID leader. |
| sessionLeaderPid | The process ID of the session leader process. |
| tty | The teletype terminal which the command was executed within. |
| tokenElevationType | The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. |
| productSpecificParentProcessId | A product-specific id for the parent process. Please use parent_process.product_specific_process_id instead. |
| ipv6 | This is used to determine if the process is an IPv6 process. |
| kernelDuration | The kernel time spent in the process. A duration in seconds with up to nine fractional digits, ending with ' |
| userDuration | The user time spent in the process. A duration in seconds with up to nine fractional digits, ending with ' |
| realDuration | The real time spent in the process. This is the sum of the kernel and user time. A duration in seconds with up to nine fractional digits, ending with ' |
File
| JSON representation |
|---|
{ "sha256": string, "md5": string, "sha1": string, "size": string, "fullPath": string, "mimeType": string, "fileMetadata": { object ( |
| Fields | |
|---|---|
sha256 |
The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
md5 |
The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
sha1 |
The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. |
size |
The size of the file in bytes. |
fullPath |
The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. |
mimeType |
The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". |
fileMetadata |
Metadata associated with the file. Deprecated: use the fields in File instead. |
securityResult |
Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. |
peFile |
Metadata about the Portable Executable (PE) file. |
ssdeep |
ssdeep fuzzy hash of the file. |
vhash |
Vhash of the file. |
ahash |
Deprecated. Use authentihash instead. |
authentihash |
Authentihash of the file. |
symhash |
SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. |
prefetchFileMetadata |
Metadata about the prefetch file. |
fileType |
FileType field. |
capabilitiesTags[] |
Capabilities tags. |
names[] |
Names fields. |
tags[] |
Tags for the file. |
lastModificationTime |
Timestamp when the file was last updated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
createTime |
Timestamp when the file was created. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastAccessTime |
Timestamp when the file was accessed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
prevalence |
Prevalence of the file hash in the customer's environment. |
firstSeenTime |
Timestamp the file was first seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastSeenTime |
Timestamp the file was last seen in the customer's environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
statMode |
The mode of the file. A bit string indicating the permissions and privileges of the file. |
statInode |
The file identifier. Unique identifier of object within a file system. |
statDev |
The file system identifier to which the object belongs. |
statNlink |
Number of links to file. |
statFlags |
User defined flags for file. |
lastAnalysisTime |
Timestamp the file was last analysed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
embeddedUrls[] |
Embedded urls found in the file. |
embeddedDomains[] |
Embedded domains found in the file. |
embeddedIps[] |
Embedded IP addresses found in the file. |
exifInfo |
Exif metadata from different file formats extracted by exiftool. |
signatureInfo |
File signature information extracted from different tools. |
pdfInfo |
Information about the PDF file structure. |
firstSubmissionTime |
First submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
lastSubmissionTime |
Last submission time of the file. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
mainIcon |
Icon's relevant hashes. |
ntfs |
NTFS metadata. |
appCompatCache |
Windows AppCompatCache (Application Compatibility) metadata. |
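The three hash fields above (sha256, md5, sha1) are the usual pivot from a threat-intelligence indicator into UDM search, and all are hex-encoded strings. Indicators arrive in mixed case and with no label saying which algorithm produced them, so a small amount of validation up front saves a query that silently matches nothing. The following is an added example, not code from the Chronicle API or its client libraries: it classifies a raw digest by length, normalises it to lowercase hex, and builds an OR-joined UDM search clause. The default noun paths (target.file and principal.process.file) are assumptions about where the caller's events carry file data, not something this page states.

```python
import re
from typing import Dict, Iterable, List

# Added example, not part of the Chronicle API or its client libraries.

_HASH_FIELDS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> File field
_HEX = re.compile(r"^[0-9a-f]+$")


def classify_hash(raw: str) -> Dict[str, str]:
    """Map one digest to {"field": md5|sha1|sha256, "value": lowercase hex}."""
    value = raw.strip().lower()
    if not _HEX.match(value):
        raise ValueError(f"not a hex digest: {raw!r}")
    try:
        field = _HASH_FIELDS[len(value)]
    except KeyError:
        raise ValueError(f"unsupported digest length {len(value)}: {raw!r}") from None
    return {"field": field, "value": value}


def build_file_hash_query(
    hashes: Iterable[str],
    nouns: Iterable[str] = ("target.file", "principal.process.file"),  # assumed paths
) -> str:
    """OR together `<noun>.<field> = "<hex>"` clauses for every hash and noun."""
    nouns = tuple(nouns)
    clauses: List[str] = []
    seen = set()
    for raw in hashes:
        h = classify_hash(raw)
        key = (h["field"], h["value"])
        if key in seen:
            continue                  # the same indicator supplied twice
        seen.add(key)
        for noun in nouns:
            clauses.append(f'{noun}.{h["field"]} = "{h["value"]}"')
    if not clauses:
        raise ValueError("no hashes supplied")
    return " OR ".join(clauses)
```

The resulting string is what goes into the udm_search tool's query argument. Because each UDM field holds exactly one algorithm's digest, sending a SHA-256 value to the md5 field is a silent miss rather than an error; classifying by length first is the cheap check that prevents it.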
FileMetadata
| JSON representation |
|---|
{
"pe": {
object ( |
| Field | Description |
|---|---|
| pe | Metadata for Microsoft Windows PE files. Deprecated: use the fields in File instead. |
PeFileMetadata
| JSON representation |
|---|
{ "importHash": string } |
| Field | Description |
|---|---|
| importHash | Hash of the PE import table. |
SecurityResult
| JSON representation |
|---|
{ "about": { object ( |
| Fields | |
|---|---|
about |
If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a detection. |
category[] |
The security category. This field is not populated when the SecurityResult appears in a detection. |
categoryDetails[] |
For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a detection. |
threatName |
A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a detection. |
ruleSet |
The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. |
ruleSetDisplayName |
The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. |
rulesetCategoryDisplayName |
The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. |
ruleId |
A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). |
ruleName |
Name of the security rule (e.g. "BlockInboundToOracle"). |
ruleVersion |
Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed. |
ruleType |
The type of security rule. |
ruleAuthor |
Author of the security rule. This field is not populated when the SecurityResult appears in a detection. |
ruleLabels[] |
A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. |
alertState |
The alerting types of this security result. This is primarily set for rule-generated detections and alerts. |
detectionFields[] |
An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). For Collection SecurityResults, prefer variables instead. |
outcomes[] |
A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a detection. This is deprecated. Use variables instead. |
variables |
A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a detection. An object containing a list of |
summary |
A short human-readable summary (e.g. "failed login occurred") |
description |
A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. |
action[] |
Actions taken for this event. This field is not populated when the SecurityResult appears in a detection. |
actionDetails |
The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a detection. |
severity |
The severity of the result. |
confidence |
The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a detection. |
priority |
The priority of the result. This field is not populated when the SecurityResult appears in a detection. |
riskScore |
The risk score of the security result. |
confidenceScore |
The confidence score of the security result. This field is not populated when the SecurityResult appears in a detection. |
analyticsMetadata[] |
Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a detection. |
severityDetails |
Vendor-specific severity. This field is not populated when the SecurityResult appears in a detection. |
confidenceDetails |
Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a detection. |
priorityDetails |
Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a detection. |
urlBackToProduct |
URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a detection. |
threatId |
Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a detection. |
threatFeedName |
Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a detection. |
threatIdNamespace |
The attribute threat_id_namespace qualifies threat_id with an ID namespace to produce a unique ID. The attribute threat_id by itself is not unique across Chronicle, as it is a vendor-specific ID. This field is not populated when the SecurityResult appears in a detection. |
threatStatus |
Current status of the threat. This field is not populated when the SecurityResult appears in a detection. |
attackDetails |
MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a detection. |
firstDiscoveredTime |
First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a detection. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
associations[] |
Associations related to the threat. |
campaigns[] |
Campaigns using this IOC threat. This is deprecated. Use threat_collections instead. |
reports[] |
Reports that reference this IOC threat. These are the report IDs. This is deprecated. Use threat_collections instead. |
verdict |
Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. |
lastUpdatedTime |
Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a detection. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
verdictInfo[] |
Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a detection. |
threatVerdict |
GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a detection. |
lastDiscoveredTime |
Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a detection. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
detectionDepth |
The depth of the detection chain. Applies only to composite detections. |
threatCollections[] |
GTI collections associated with the security result. |
VariablesEntry
| JSON representation |
|---|
{
"key": string,
"value": {
object ( |
| Field | Description |
|---|---|
| key | Name of the requested outcome or match variable. |
| value | The FindingVariable holding that name's value. |
FindingVariable
| JSON representation |
|---|
{ "type": enum ( |
| Field | Description |
|---|---|
| type | The type of the variable. |
| value | The value in string form. |
| sourcePath | The UDM field path for the field which this value was derived from. |
| Union field typed_value | The typed value of the variable. typed_value can be only one of the following: |
| boolVal | The value in boolean format. |
| bytesVal | The value in bytes format. A base64-encoded string. |
| doubleVal | The value in double format. |
| int64Val | The value in int64 format. |
| uint64Val | The value in uint64 format. |
| stringVal | The value in string format. Enum values are returned as strings. |
| timestampTime | The value in timestamp format. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| nullVal | Whether the value is null. |
| boolSeq | The value as a BoolSequence. |
| bytesSeq | The value as a BytesSequence. |
| doubleSeq | The value as a DoubleSequence. |
| int64Seq | The value as an Int64Sequence. |
| uint64Seq | The value as a Uint64Sequence. |
| stringSeq | The value as a StringSequence. |
BoolSequence
| JSON representation |
|---|
{ "boolVals": [ boolean ] } |
| Field | Description |
|---|---|
| boolVals[] | Bool sequence. |
BytesSequence
| JSON representation |
|---|
{ "bytesVals": [ string ] } |
| Field | Description |
|---|---|
| bytesVals[] | Bytes sequence. Each element is a base64-encoded string. |
DoubleSequence
| JSON representation |
|---|
{ "doubleVals": [ number ] } |
| Field | Description |
|---|---|
| doubleVals[] | Double sequence. |
Int64Sequence
| JSON representation |
|---|
{ "int64Vals": [ string ] } |
| Field | Description |
|---|---|
| int64Vals[] | Int64 sequence. |
Uint64Sequence
| JSON representation |
|---|
{ "uint64Vals": [ string ] } |
| Field | Description |
|---|---|
| uint64Vals[] | Uint64 sequence. |
StringSequence
| JSON representation |
|---|
{ "stringVals": [ string ] } |
| Field | Description |
|---|---|
| stringVals[] | String sequence. |
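When a SecurityResult comes from a detection, the interesting data is in `variables`: a map of VariablesEntry whose values are FindingVariable objects with the typed_value union described above. Consumers routinely read only the string-form `value` and lose types (an int64 count compared as text, bytes left base64-encoded). The following is an added example, not code from the Chronicle API or its client libraries: it decodes each variable through the union, applying the proto3 JSON conventions visible in the tables (64-bit integers and bytes arrive as strings, sequences are wrapped in a `{"<type>Vals": [...]}` object), and accepts either a JSON map or a list of VariablesEntry. The sample variables and their sourcePath values are constructed for the example.

```python
import base64
from typing import Any, Dict, Iterable, List, Tuple, Union

# Added example, not part of the Chronicle API or its client libraries.

_SCALARS = {
    "boolVal": bool,
    "bytesVal": base64.b64decode,   # base64-encoded string -> bytes
    "doubleVal": float,
    "int64Val": int,                # int64 is serialised as a decimal string
    "uint64Val": int,
    "stringVal": str,               # enum values also arrive as strings
    "timestampTime": str,           # kept as the RFC 3339 string
}
_SEQUENCES = {
    "boolSeq": ("boolVals", bool),
    "bytesSeq": ("bytesVals", base64.b64decode),
    "doubleSeq": ("doubleVals", float),
    "int64Seq": ("int64Vals", int),
    "uint64Seq": ("uint64Vals", int),
    "stringSeq": ("stringVals", str),
}


def decode_finding_variable(var: Dict[str, Any]) -> Any:
    """Return the typed value of one FindingVariable, or its string form if untyped."""
    present = [k for k in var if k in _SCALARS or k in _SEQUENCES or k == "nullVal"]
    if len(present) > 1:
        # typed_value is a oneof: several members at once means malformed input.
        raise ValueError(f"typed_value has several members: {present}")
    if not present:
        return var.get("value")         # fall back to the string-form field
    key = present[0]
    if key == "nullVal":
        return None
    if key in _SCALARS:
        return _SCALARS[key](var[key])
    list_field, convert = _SEQUENCES[key]
    return [convert(v) for v in var[key].get(list_field, [])]


def decode_variables(
    variables: Union[Dict[str, Any], List[Dict[str, Any]]]
) -> Dict[str, Any]:
    """Accept either a JSON map {name: FindingVariable} or a list of VariablesEntry."""
    entries: Iterable[Tuple[str, Dict[str, Any]]]
    if isinstance(variables, list):
        entries = ((e["key"], e["value"]) for e in variables)
    else:
        entries = variables.items()
    return {name: decode_finding_variable(var) for name, var in entries}


# Constructed sample: a detection that matched on a user and counted failures.
# The sourcePath strings are illustrative UDM paths, not taken from this page.
SAMPLE_VARIABLES = {
    "user": {"stringVal": "alice", "value": "alice", "sourcePath": "principal.user.userid"},
    "failure_count": {"int64Val": "7", "value": "7"},
    "is_admin": {"boolVal": False, "value": "false"},
    "first_failure": {"timestampTime": "2025-11-18T23:59:00Z"},
    "hosts": {"stringSeq": {"stringVals": ["ws-01", "ws-02"]}},
    "ports": {"int64Seq": {"int64Vals": ["22", "3389"]}},
    "header": {"bytesVal": base64.b64encode(b"MZ\x90\x00").decode()},
    "unset": {"nullVal": None},        # proto3 JSON renders NullValue as null
}
```

The oneof check matters for anything that feeds an automated response: a FindingVariable carrying two typed members is not a valid message, and picking the first one silently would let a crafted or corrupted record steer the decision.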
AnalyticsMetadata
| JSON representation |
|---|
{ "analytic": string } |
| Field | Description |
|---|---|
| analytic | Name of the analytic. |
AttackDetails
| JSON representation |
|---|
{ "version": string, "tactics": [ { object ( |
| Field | Description |
|---|---|
| version | ATT&CK version (e.g. 12.1). |
| tactics[] | Tactics employed. |
| techniques[] | Techniques employed. |
Tactic
| JSON representation |
|---|
{ "id": string, "name": string } |
| Field | Description |
|---|---|
| id | Tactic ID (e.g. "TA0043"). |
| name | Tactic name (e.g. "Reconnaissance"). |
Technique
| JSON representation |
|---|
{ "id": string, "name": string, "subtechniqueId": string, "subtechniqueName": string } |
| Field | Description |
|---|---|
| id | Technique ID (e.g. "T1595"). |
| name | Technique name (e.g. "Active Scanning"). |
| subtechniqueId | Sub-technique ID (e.g. "T1595.001"). |
| subtechniqueName | Sub-technique name (e.g. "Scanning IP Blocks"). |
Association
| JSON representation |
|---|
{ "id": string, "countryCode": [ string ], "type": enum ( |
| Field | Description |
|---|---|
| id | Unique association ID generated by Mandiant. |
| countryCode[] | Country from which the threat actor or malware originated. |
| type | Signifies the type of association. |
| name | Name of the threat actor or malware. |
| description | Human-readable description of the association. |
| role | Role of the malware. Not applicable to threat actors. |
| sourceCountry | Name of the country the threat originated from. |
| alias[] | Aliases of the threat actor given by different sources. |
| firstReferenceTime | First time the threat actor was referenced or seen. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| lastReferenceTime | Last time the threat actor was referenced or seen. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| industriesAffected[] | List of industries the threat actor affects. |
| associatedActors[] | List of threat actors associated with a malware. Not applicable to threat actors. |
| regionCode | Name of the country the threat originates from. |
| sponsorRegion | Sponsor region of the threat actor. |
| targetedRegions[] | Targeted regions. |
| tags[] | Tags. |
AssociationAlias
| JSON representation |
|---|
{ "name": string, "company": string } |
| Field | Description |
|---|---|
| name | Name of the alias. |
| company | Name of the provider who gave the association this name. |
Verdict
| JSON representation |
|---|
{ "sourceCount": integer, "responseCount": integer, "neighbourInfluence": string, "verdict": { object ( |
| Field | Description |
|---|---|
| sourceCount | Number of sources from which intelligence was extracted. |
| responseCount | Total response count across all sources. |
| neighbourInfluence | Describes the neighbour influence of the verdict. |
| verdict | ML verdict provided by sources such as Mandiant. |
| analystVerdict | Human analyst verdict provided by sources such as Mandiant. |
ProviderMLVerdict
| JSON representation |
|---|
{ "sourceProvider": string, "benignCount": integer, "maliciousCount": integer, "confidenceScore": integer, "mandiantSources": [ { object ( |
| Field | Description |
|---|---|
| sourceProvider | Source provider giving the ML verdict. |
| benignCount | Count of responses where this IoC was marked benign. |
| maliciousCount | Count of responses where this IoC was marked malicious. |
| confidenceScore | Confidence score of the verdict. |
| mandiantSources[] | List of Mandiant sources from which the verdict was generated. |
| thirdPartySources[] | List of third-party sources from which the verdict was generated. |
Source
| JSON representation |
|---|
{ "name": string, "benignCount": integer, "maliciousCount": integer, "quality": enum ( |
| Field | Description |
|---|---|
| name | Name of the IoC source. |
| benignCount | Count of responses where this IoC was marked benign. |
| maliciousCount | Count of responses where this IoC was marked malicious. |
| quality | Quality of the IoC mapping extracted from the source. |
| responseCount | Total response count from this source. |
| sourceCount | Number of sources from which intelligence was extracted. |
| threatIntelligenceSources[] | Threat intelligence sources from which IoC information was extracted. |
AnalystVerdict
| JSON representation |
|---|
{
"confidenceScore": integer,
"verdictTime": string,
"verdictResponse": enum ( |
| Field | Description |
|---|---|
| confidenceScore | Confidence score of the verdict. |
| verdictTime | Timestamp at which the verdict was generated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| verdictResponse | Details of the verdict. |
VerdictInfo
| JSON representation |
|---|
{ "sourceCount": integer, "responseCount": integer, "neighbourInfluence": string, "verdictType": enum ( |
| Field | Description |
|---|---|
| sourceCount | Number of sources from which intelligence was extracted. |
| responseCount | Total response count across all sources. |
| neighbourInfluence | Describes the near-neighbour influence of the verdict. |
| verdictType | Type of verdict. |
| sourceProvider | Source provider giving the machine learning verdict. |
| benignCount | Count of responses where this IoC was marked as benign. |
| maliciousCount | Count of responses where this IoC was marked as malicious. |
| confidenceScore | Confidence score of the verdict. |
| iocStats[] | List of IoCStats from which the verdict was generated. |
| verdictTime | Timestamp when the verdict was generated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| verdictResponse | Details about the verdict. |
| globalCustomerCount | Global customer count over the last 30 days. |
| globalHitsCount | Global hit count over the last 30 days. |
| pwn | Whether one or more Mandiant incident response customers had this indicator in their environment. |
| categoryDetails | Tags related to the verdict. |
| pwnFirstTaggedTime | The timestamp of the first time a pwn was associated with this entity. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
IoCStats
| JSON representation |
|---|
{ "iocStatsType": enum ( |
| Field | Description |
|---|---|
| iocStatsType | Describes the source of the IoCStat. |
| firstLevelSource | Name of the first-level IoC source, for example Mandiant or a third party. |
| secondLevelSource | Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. |
| benignCount | Count of responses where the IoC was identified as benign. |
| quality | Level of confidence in the IoC mapping extracted from the source. |
| maliciousCount | Count of responses where the IoC was identified as malicious. |
| responseCount | Total number of responses from the source. |
| sourceCount | Number of sources from which information was extracted. |
ThreatCollectionItem
| JSON representation |
|---|
{
"id": string,
"type": enum ( |
| Field | Description |
|---|---|
| id | The ID of the threat collection. |
| type | The type of threat collection (e.g., "campaign"). |
| altNames[] | Alternative names of the threat collection. |
FileMetadataPE
| JSON representation |
|---|
{ "imphash": string, "entryPoint": string, "entryPointExiftool": string, "compilationTime": string, "compilationExiftoolTime": string, "section": [ { object ( |
| Field | Description |
|---|---|
| imphash | Imphash of the file. |
| entryPoint | info.pe-entry-point. |
| entryPointExiftool | info.exiftool.EntryPoint. |
| compilationTime | info.pe-timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| compilationExiftoolTime | info.exiftool.TimeStamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| section[] | FileMetadataSection fields. |
| imports[] | FileMetadataImports fields. |
| resource[] | FileMetadataPeResourceInfo fields. |
| resourcesTypeCount[] | Deprecated: use resources_type_count_str. |
| resourcesLanguageCount[] | Deprecated: use resources_language_count_str. |
| resourcesTypeCountStr[] | Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 |
| resourcesLanguageCountStr[] | Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 |
| signatureInfo | FileMetadataSignatureInfo field. Deprecated: use File.signature_info instead. |
FileMetadataSection
| JSON representation |
|---|
{ "name": string, "entropy": number, "rawSizeBytes": string, "virtualSizeBytes": string, "md5Hex": string } |
| Field | Description |
|---|---|
| name | Name of the section. |
| entropy | Entropy of the section. |
| rawSizeBytes | Raw size of the section in bytes. |
| virtualSizeBytes | Virtual size of the section in bytes. |
| md5Hex | MD5 hex digest of the section. |
FileMetadataImports
| JSON representation |
|---|
{ "library": string, "functions": [ string ] } |
| Field | Description |
|---|---|
| library | Imported library. |
| functions[] | Functions imported from the library. |
FileMetadataPeResourceInfo
| JSON representation |
|---|
{ "sha256Hex": string, "filetypeMagic": string, "languageCode": string, "entropy": number, "fileType": string } |
| Field | Description |
|---|---|
| sha256Hex | SHA256 hex digest of the resource. |
| filetypeMagic | Type of resource content, as identified by the magic Python module. |
| languageCode | Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: LANG_NEUTRAL with SUBLANG_NEUTRAL gives "NEUTRAL"; LANG_FRENCH with no sublanguage gives "FRENCH"; LANG_ENGLISH with SUBLANG_ENGLISH US gives "ENGLISH US". |
| entropy | Entropy of the resource. |
| fileType | File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. |
StringToInt64MapEntry
| JSON representation |
|---|
{ // Union field |
| Field | Description |
|---|---|
| key (union field) | Key field. |
| value (union field) | Value field. |
FileMetadataSignatureInfo
| JSON representation |
|---|
{ "verificationMessage": string, "verified": boolean, "signer": [ string ], "signers": [ { object ( |
| Field | Description |
|---|---|
| verificationMessage | Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if one was found. |
| verified | True if verification_message == "Signed". |
| signer[] | Deprecated: use the signers field. |
| signers[] | File metadata signer information. The order of the signers matters: each element is a higher-level authority, the last being the root authority. |
| x509[] | List of certificates. |
SignerInfo
| JSON representation |
|---|
{ // Union field |
| Field | Description |
|---|---|
| name (union field) | Common name of the signer's certificate. The order of the signers matters: each element is a higher-level authority, the last being the root authority. |
| status (union field) | "Valid", or a statement of the problem with the certificate, if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). |
| validUsage (union field) | Indicates which situations the certificate is valid for (e.g. "Code Signing"). |
| certIssuer (union field) | Company that issued the certificate. |
X509
| JSON representation |
|---|
{ "name": string, "algorithm": string, "thumbprint": string, "certIssuer": string, "serialNumber": string } |
| Field | Description |
|---|---|
| name | Certificate name. |
| algorithm | Certificate algorithm. |
| thumbprint | Certificate thumbprint. |
| certIssuer | Issuer of the certificate. |
| serialNumber | Certificate serial number. |
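FileMetadataSignatureInfo, SignerInfo and X509 together describe a code-signing chain, and the page defines two invariants worth checking before trusting the `verified` flag: `verified` is true exactly when verificationMessage is "Signed", and `signers` is ordered leaf first, root last, with each SignerInfo.status either "Valid" or a statement of the problem. A file can therefore be reported "Signed" while one link in its chain is not time-valid, which is a common state for stolen or expired certificates. The following is an added example, not code from the Chronicle API or its client libraries: it checks both invariants, names the leaf and root, and collects X509 thumbprints for later pivoting. The company and CA names in the samples are invented.

```python
from typing import Any, Dict, List

# Added example, not part of the Chronicle API or its client libraries.


def summarize_signature(sig: Dict[str, Any]) -> Dict[str, Any]:
    """Cross-check a FileMetadataSignatureInfo record and summarise its chain."""
    message = sig.get("verificationMessage", "Unsigned")
    verified = bool(sig.get("verified", False))
    signers: List[Dict[str, str]] = list(sig.get("signers", []))
    x509: List[Dict[str, str]] = list(sig.get("x509", []))
    problems: List[str] = []

    # The reference defines verified as verificationMessage == "Signed".
    if verified != (message == "Signed"):
        problems.append(f"verified={verified} but verificationMessage={message!r}")

    # Every link in the chain must report "Valid"; anything else is the reason.
    bad_links = [
        f'{s.get("name", "?")}: {s.get("status", "")}'
        for s in signers
        if s.get("status") != "Valid"
    ]
    if bad_links:
        problems.append("signer status not Valid: " + "; ".join(bad_links))

    # signers[0] is the leaf (the signer itself), signers[-1] the root authority.
    leaf = signers[0] if signers else None
    root = signers[-1] if signers else None
    if leaf and leaf.get("validUsage") and "Code Signing" not in leaf["validUsage"]:
        problems.append(f'leaf usage is {leaf["validUsage"]!r}, not Code Signing')

    thumbprints = {c["name"]: c["thumbprint"] for c in x509 if c.get("thumbprint")}
    return {
        "signed": message == "Signed" and not problems,
        "leaf": leaf["name"] if leaf else None,
        "root": root["name"] if root else None,
        "issuer_chain": [s.get("certIssuer") for s in signers],
        "thumbprints": thumbprints,
        "problems": problems,
    }


# Constructed samples; names, thumbprints and CAs are invented for the example.
SAMPLE_SIGNATURE_OK = {
    "verificationMessage": "Signed",
    "verified": True,
    "signers": [
        {"name": "Example Corp", "status": "Valid", "validUsage": "Code Signing",
         "certIssuer": "Example Code Signing CA"},
        {"name": "Example Code Signing CA", "status": "Valid", "certIssuer": "Example Root CA"},
        {"name": "Example Root CA", "status": "Valid", "certIssuer": "Example Root CA"},
    ],
    "x509": [{"name": "Example Corp", "algorithm": "sha256RSA", "thumbprint": "00112233"}],
}
SAMPLE_SIGNATURE_EXPIRED = {
    "verificationMessage": "Signed",
    "verified": True,
    "signers": [
        {"name": "Example Corp", "validUsage": "Code Signing", "certIssuer": "Example Code Signing CA",
         "status": "This certificate or one of the certificates in the certificate chain is not time valid."},
        {"name": "Example Code Signing CA", "status": "Valid", "certIssuer": "Example Root CA"},
    ],
}
```

Treat `signed` from this function, not the raw `verified` flag, as the input to any allow-list decision; the raw flag alone says nothing about whether the chain was valid at signing time.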
PrefetchFileMetadata
| JSON representation |
|---|
{ "runCount": string, "prefetchHash": string } |
| Field | Description |
|---|---|
| runCount | The number of times the application has been run. |
| prefetchHash | A hash of the executable path used to identify the prefetch file. |
ExifInfo
| JSON representation |
|---|
{ "originalFile": string, "product": string, "company": string, "fileDescription": string, "entryPoint": string, "compilationTime": string } |
| Field | Description |
|---|---|
| originalFile | Original file name. |
| product | Product name. |
| company | Company name. |
| fileDescription | Description of the file. |
| entryPoint | Entry point. |
| compilationTime | Compilation time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
SignatureInfo
| JSON representation |
|---|
{ "sigcheck": { object ( |
| Field | Description |
|---|---|
| sigcheck | Signature information extracted from the sigcheck tool. |
| codesign | Signature information extracted from the codesign utility. |
FileMetadataCodesign
| JSON representation |
|---|
{ "id": string, "format": string, "compilationTime": string, "teamId": string } |
| Field | Description |
|---|---|
| id | Code signing identifier. |
| format | Code signing format. |
| compilationTime | Code signing timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| teamId | The team identifier assigned to the developer who signed the application. |
PDFInfo
| JSON representation |
|---|
{ "js": string, "javascript": string, "launchActionCount": string, "objectStreamCount": string, "endobjCount": string, "header": string, "acroform": string, "autoaction": string, "embeddedFile": string, "encrypted": string, "flash": string, "jbig2Compression": string, "objCount": string, "endstreamCount": string, "pageCount": string, "streamCount": string, "openaction": string, "startxref": string, "suspiciousColors": string, "trailer": string, "xfa": string, "xref": string } |
| Field | Description |
|---|---|
| js | Number of /JS tags found in the PDF file. Should be the same as the javascript field in normal scenarios. |
| javascript | Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. |
| launchActionCount | Number of /Launch tags found in the PDF file. |
| objectStreamCount | Number of object streams. |
| endobjCount | Number of object definition terminators (endobj keyword). |
| header | PDF version. |
| acroform | Number of /AcroForm tags found in the PDF. |
| autoaction | Number of /AA tags found in the PDF. |
| embeddedFile | Number of /EmbeddedFile tags found in the PDF. |
| encrypted | Whether the document is encrypted. This is determined by the /Encrypt tag. |
| flash | Number of /RichMedia tags found in the PDF. |
| jbig2Compression | Number of /JBIG2Decode tags found in the PDF. |
| objCount | Number of object definitions (obj keyword). |
| endstreamCount | Number of stream terminators (endstream keyword). |
| pageCount | Number of pages in the PDF. |
| streamCount | Number of defined stream objects (stream keyword). |
| openaction | Number of /OpenAction tags found in the PDF. |
| startxref | Number of startxref keywords in the PDF. |
| suspiciousColors | Number of colors expressed with more than 3 bytes (CVE-2009-3459). |
| trailer | Number of trailer keywords in the PDF. |
| xfa | Number of /XFA tags found in the PDF. |
| xref | Number of xref keywords in the PDF. |
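The PDFInfo counters are the same structural markers a pdfid-style triage looks at: JavaScript, actions that fire on open, /Launch, embedded files, XFA forms and the CVE-2009-3459 colour pattern. Two details of the representation trip up consumers: every counter is a string in the JSON (note `string` in the representation above), and the page states that js and javascript should agree in normal documents, so a mismatch is itself a signal. The following is an added example, not code from the Chronicle API or its client libraries: it parses the counters, scores the risky markers with weights that are the author's judgement rather than anything on this page, and reports structural inconsistencies. The sample record is constructed.

```python
from typing import Any, Dict, List

# Added example, not part of the Chronicle API or its client libraries.

_RISKY = {
    # field: (weight, why it matters). Weights are illustrative, not from the page.
    "js": (3, "/JS: embedded JavaScript"),
    "javascript": (3, "/JavaScript: embedded JavaScript"),
    "openaction": (2, "/OpenAction: runs an action when the document opens"),
    "autoaction": (2, "/AA: automatic actions on page or form events"),
    "launchActionCount": (4, "/Launch: can start an external program"),
    "embeddedFile": (2, "/EmbeddedFile: carries another file"),
    "xfa": (2, "/XFA: XML forms"),
    "jbig2Compression": (1, "/JBIG2Decode: image decoder with past memory-safety bugs"),
    "suspiciousColors": (4, "colour values longer than 3 bytes (CVE-2009-3459 pattern)"),
}


def _count(info: Dict[str, str], field: str) -> int:
    """Counters are serialised as decimal strings; a missing field counts as zero."""
    raw = info.get(field, "0")
    try:
        return int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"PDFInfo.{field} is not an integer: {raw!r}") from None


def triage_pdf(info: Dict[str, str]) -> Dict[str, Any]:
    """Return a risk score, the reasons behind it, and structural warnings."""
    reasons: List[str] = []
    score = 0
    for field, (weight, why) in _RISKY.items():
        n = _count(info, field)
        if n:
            score += weight
            reasons.append(f"{why} (x{n})")

    warnings: List[str] = []
    # The reference says js and javascript match in normal documents.
    if _count(info, "js") != _count(info, "javascript"):
        warnings.append("js and javascript counts differ")
    # obj/endobj and stream/endstream should pair up in a well-formed file.
    if _count(info, "objCount") != _count(info, "endobjCount"):
        warnings.append("obj/endobj counts differ")
    if _count(info, "streamCount") != _count(info, "endstreamCount"):
        warnings.append("stream/endstream counts differ")
    if _count(info, "encrypted"):
        warnings.append("document is encrypted; static analysis may be blind")
    if score and _count(info, "pageCount") <= 1:
        score += 1          # a single page plus active content is the typical lure shape
    return {"score": score, "reasons": reasons, "warnings": warnings}


# Constructed sample: one page, JavaScript fired from /OpenAction, an embedded
# file, and one stream without a matching endstream.
SAMPLE_PDFINFO = {
    "header": "%PDF-1.7", "pageCount": "1", "js": "1", "javascript": "1",
    "openaction": "1", "autoaction": "0", "launchActionCount": "0",
    "embeddedFile": "1", "xfa": "0", "jbig2Compression": "0",
    "suspiciousColors": "0", "encrypted": "0",
    "objCount": "12", "endobjCount": "12", "streamCount": "4", "endstreamCount": "3",
}
```

The score is a triage aid for ordering analyst attention, not a verdict; a clean score with an `encrypted` warning still deserves a look, because the counters describe only what the parser could see.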
NtfsFileMetadata
| JSON representation |
|---|
{
"changeTime": string,
"filenameCreateTime": string,
"filenameModifyTime": string,
"filenameAccessTime": string,
"filenameChangeTime": string,
"usnJournal": [
{
object ( |
| Field | Description |
|---|---|
| changeTime | NTFS MFT entry changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| filenameCreateTime | NTFS $FILE_NAME attribute created timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| filenameModifyTime | NTFS $FILE_NAME attribute modified timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| filenameAccessTime | NTFS $FILE_NAME attribute accessed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| filenameChangeTime | NTFS $FILE_NAME attribute changed timestamp. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. |
| usnJournal[] | NTFS USN journal entries. |
UsnJournal

| JSON representation |
|---|
| { "attributesFlag": string, "attributes": enum ( |

| Fields | |
|---|---|
| attributesFlag | File attributes flags from the USN record (e.g., "0x20"). |
| attributes | Deprecated: Use file_attributes instead. File attributes from the USN record. |
| fileAttributes[] | File attributes from the USN record. |
| allocated | Indicates whether the file is allocated in the Master File Table (MFT). |
| reason | Human-readable string describing the reason for the USN journal entry (e.g., "USN_REASON_FILE_CREATE"). |
AppCompatMetadata

| JSON representation |
|---|
| { "sequence": integer, "executed": boolean, "controlSet": string } |

| Fields | |
|---|---|
| sequence | Indicates the chronological order in which the entry was added to the cache. |
| executed | Indicates whether the file associated with the entry was executed. |
| controlSet | Indicates which registry Control Set the AppCompatCache data belongs to (e.g., "ControlSet001"). |
Asset

| JSON representation |
|---|
| { "productObjectId": string, "hostname": string, "assetId": string, "ip": [ string ], "mac": [ string ], "natIp": [ string ], "firstSeenTime": string, "hardware": [ { object ( |

| Fields | |
|---|---|
| productObjectId | A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. |
| hostname | Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. |
| assetId | The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. |
| ip[] | A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. |
| mac[] | List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. |
| natIp[] | List of NAT IP addresses associated with an asset. |
| firstSeenTime | The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| hardware[] | The asset hardware specifications. |
| platformSoftware | The asset operating system platform software. |
| software[] | The asset software details. |
| location | Location of the asset. |
| category | The category of the asset (e.g. "End User Asset", "Workstation", "Server"). |
| type | The type of the asset (e.g. workstation, laptop or server). |
| networkDomain | The network domain of the asset (e.g. "corp.acme.com"). |
| creationTime | Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| firstDiscoverTime | Time the asset was first discovered (by asset management/discoverability software). Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastDiscoverTime | Time the asset was last discovered (by asset management/discoverability software). Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| systemLastUpdateTime | Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastBootTime | Time at which the asset last started to boot. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| labels[] | Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. |
| deploymentStatus | The deployment status of the asset for device lifecycle purposes. |
| vulnerabilities[] | Vulnerabilities discovered on the asset. |
| attribute | Generic entity metadata attributes of the asset. |
| wmiPersistenceItem | Information about a WMI persistence item. |
Hardware

| JSON representation |
|---|
| { "serialNumber": string, "manufacturer": string, "model": string, "cpuPlatform": string, "cpuModel": string, "cpuClockSpeed": string, "cpuMaxClockSpeed": string, "cpuNumberCores": string, "ram": string } |

| Fields | |
|---|---|
| serialNumber | Hardware serial number. |
| manufacturer | Hardware manufacturer. |
| model | Hardware model. |
| cpuPlatform | Platform of the hardware CPU (e.g. "Intel Broadwell"). |
| cpuModel | Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). |
| cpuClockSpeed | Clock speed of the hardware CPU in MHz. |
| cpuMaxClockSpeed | Maximum possible clock speed of the hardware CPU in MHz. |
| cpuNumberCores | Number of CPU cores. |
| ram | Amount of hardware random access memory (RAM) in MB. |
PlatformSoftware

| JSON representation |
|---|
| { "platform": enum ( |

| Fields | |
|---|---|
| platform | The platform operating system. |
| platformVersion | The platform software version (e.g. "Microsoft Windows 1803"). |
| platformPatchLevel | The platform software patch level (e.g. "Build 17134.48", "SP1"). |
Software

| JSON representation |
|---|
| { "name": string, "version": string, "permissions": [ { object ( |

| Fields | |
|---|---|
| name | The name of the software. |
| version | The version of the software. |
| permissions[] | System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE". |
| description | The description of the software. |
| vendorName | The name of the software vendor. |
Vulnerability

| JSON representation |
|---|
| { "about": { object ( |

| Fields | |
|---|---|
| about | If the vulnerability concerns a specific noun (e.g. an executable), add it here. |
| name | Name of the vulnerability (e.g. "Unsupported OS Version detected"). |
| description | Description of the vulnerability. |
| vendor | Vendor of the scan that discovered the vulnerability. |
| scanStartTime | If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| scanEndTime | If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| firstFound | Products that maintain a history of vulnerability scans should populate first_found with the time that a scan first detected the vulnerability on this asset. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastFound | Products that maintain a history of vulnerability scans should populate last_found with the time that a scan last detected the vulnerability on this asset. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| severity | The severity of the vulnerability. |
| severityDetails | Vendor-specific severity. |
| cvssBaseScore | CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. |
| cvssVector | Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C"). Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator |
| cvssVersion | Version of the CVSS vector/score. |
| cveId | Common Vulnerabilities and Exposures ID. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id |
| cveDescription | Common Vulnerabilities and Exposures description. https://cve.mitre.org/about/faqs.html#what_is_cve_record |
| vendorVulnerabilityId | Vendor-specific vulnerability ID (e.g. Microsoft security bulletin ID). |
| vendorKnowledgeBaseArticleId | Vendor-specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase |
WmiPersistenceItem

| JSON representation |
|---|
| { "caption": string, "name": string, "settingId": string, "derivation": string, "propertyCount": string, "relPath": string, "dynasty": string, "wmiSuperClass": string, "wmiClass": string, "genus": string } |

| Fields | |
|---|---|
| caption | A brief title or caption for the WMI object. |
| name | The name of the WMI object. |
| settingId | The identifier for the setting. |
| derivation | The base class from which the WMI class is derived (e.g., CIM_Setting). |
| propertyCount | The number of properties in the WMI object. |
| relPath | The relative path to the WMI object (e.g., Win32_StartupCommand.Command='''). |
| dynasty | The top-level class in the WMI inheritance hierarchy (e.g., CIM_Setting). |
| wmiSuperClass | The immediate parent class in the WMI inheritance hierarchy. |
| wmiClass | The name of the WMI class. |
| genus | An integer representing the type or version of the WMI object. |
Registry

| JSON representation |
|---|
| { "registryKey": string, "registryValueName": string, "registryValueData": string, "registryValueType": enum ( |

| Fields | |
|---|---|
| registryKey | Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). |
| registryValueName | Name of the registry value associated with an application or system component (e.g. TEMP). |
| registryValueData | Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). |
| registryValueType | Type of the registry value. |
| registryValueBinaryData | Binary data associated with a registry value. This field is only populated if the registry value type is BINARY. This field is not populated for other registry value types. A base64-encoded string. |
Id

| JSON representation |
|---|
| { "namespace": enum ( |

| Fields | |
|---|---|
| namespace | Namespace the ID belongs to. |
| id | Full raw ID. A base64-encoded string. |
| stringId | Some IDs are stored as strings that cannot be translated to bytes, so these are stored separately. For example, a detection ID of the form de_aaaaaaaa-aaaa... |
Investigation

| JSON representation |
|---|
| { "comments": [ string ], // Union field |

| Fields | |
|---|---|
| comments[] | Comments added by the analyst. |
| verdict | Union field. Describes the reason a finding investigation was resolved. |
| reputation | Union field. Describes whether a finding was useful or not useful. |
| severityScore | Union field. Severity score for a finding, set by an analyst. |
| status | Union field. Describes the workflow status of a finding. |
| priority | Union field. Priority of the alert or finding, set by an analyst. |
| rootCause | Union field. Root cause of the alert or finding, set by an analyst. |
| reason | Union field. Reason for closing the case or alert. |
| riskScore | Union field. Risk score for a finding, set by an analyst. |
| id | Identifier for the investigation. |
Extensions

| JSON representation |
|---|
| { "auth": { object ( |

| Fields | |
|---|---|
| auth | An authentication extension. |
| vulns | A vulnerability extension. |
| entityRisk | An entity risk change extension. |
| linuxUtmp | A Linux Utmp extension. This captures details specific to Linux Utmp events, which record login and logout sessions on a Linux system. |
| windowsEventLog | A Windows Event Log extension. This captures details specific to Windows Event Log events, providing structured information from various Windows logs. |
| resourceUsage | A resource usage extension. This captures details about what entity (e.g., process, user) is using a specific resource. |
| systemEventDetails | A system event details extension. This captures additional details for system-level events, such as message type, sender image ID, and subsystem. |
| outlookMetadata | A Microsoft Outlook specific metadata extension. This includes metadata related to Outlook items, such as comments, templates, and security flags. |
| srum | A SRUM extension. This captures details specific to Windows System Resource Usage Monitor (SRUM) events, providing insights into application resource consumption. |
| userAssist | A UserAssist extension. This captures details specific to Windows UserAssist events, which track application usage and execution. |
Authentication

| JSON representation |
|---|
| { "type": enum ( |

| Fields | |
|---|---|
| type | The type of authentication. |
| mechanism[] | The authentication mechanism. |
| authDetails | The vendor-defined details of the authentication. |
| outcome | The outcome of the authentication event. |
Vulnerabilities

| JSON representation |
|---|
| { "vulnerabilities": [ { object ( |

| Fields | |
|---|---|
| vulnerabilities[] | A list of vulnerabilities. |
EntityRisk

| JSON representation |
|---|
| { "riskVersion": string, "riskWindow": { object ( |

| Fields | |
|---|---|
| riskVersion | Version of the risk score calculation algorithm. |
| riskWindow | Time window used when computing the risk score for an entity, for example 24 hours or 7 days. |
| DEPRECATEDRiskScore | Deprecated risk score. |
| detectionsCount | Number of detections that make up the risk score within the time window. |
| firstDetectionTime | Timestamp of the first detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| lastDetectionTime | Timestamp of the last detection within the specified time window. This field is empty when there are no detections. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| riskScore | Raw risk score for the entity. |
| normalizedRiskScore | Normalized risk score for the entity. This value is between 0 and 1000. |
| riskWindowSize | Risk window duration for the entity. A duration in seconds with up to nine fractional digits, ending with ' |
| lastResetTime | Timestamp for UEBA risk score reset-based deduplication. Used specifically for risk-based meta rules. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| detailUri | Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. |
| riskWindowHasNewDetections | Whether there are new detections for the risk window. |
| riskDelta | Union field. Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. |
| rawRiskDelta | Union field. Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. |
RiskDelta

| JSON representation |
|---|
| { "previousRangeEndTime": string, "riskScoreDelta": integer, "previousRiskScore": integer, "riskScoreNumericDelta": integer } |

| Fields | |
|---|---|
| previousRangeEndTime | End time of the previous time window. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| riskScoreDelta | Difference in the normalized risk score from the previous recorded value. |
| previousRiskScore | Risk score from the previous risk window. |
| riskScoreNumericDelta | Numeric change between the current and previous risk score. |
LinuxUtmp

| JSON representation |
|---|
| { "recordType": enum ( |

| Fields | |
|---|---|
| recordType | The activity record type. |
WindowsEventLog

| JSON representation |
|---|
| { "channel": enum ( |

| Fields | |
|---|---|
| channel | The channel of the event. |
| eventId | A unique identifier for a specific type of event. |
| activityId | A GUID (Globally Unique Identifier) used to link a sequence of related events together. |
ResourceUsage

| JSON representation |
|---|
| { "usedEntity": string, "usedEntityId": string } |

| Fields | |
|---|---|
| usedEntity | The name of the entity (e.g., process, user) that is using the resource. |
| usedEntityId | A numerical identifier for the entity using the resource (e.g., PID, UID). |
SystemEventDetails

| JSON representation |
|---|
| { "messageType": string, "senderImageId": string, "subsystem": string } |

| Fields | |
|---|---|
| messageType | The specific type or category of the message. |
| senderImageId | An identifier for the image associated with the sender of the message. |
| subsystem | The subsystem or component that generated the event. |
OutlookMetadata

| JSON representation |
|---|
| { "comment": string, "template": string, "title": string, "securityFlagsCount": integer } |

| Fields | |
|---|---|
| comment | A user-defined comment or note associated with the Outlook item. |
| template | The name of the template file used to create the Outlook item. |
| title | The title of the Outlook item. |
| securityFlagsCount | Count of security-related flags for the message, such as encryption or signing status. |
Srum

| JSON representation |
|---|
| { "id": string, "backgroundBytesRead": string, "backgroundBytesWritten": string, "backgroundContextSwitches": string, "backgroundCycleCount": string, "backgroundFlushesCount": string, "backgroundReadOperations": string, "backgroundWriteOperations": string, "interfaceLuid": string } |

| Fields | |
|---|---|
| id | A unique identifier for the SRUM record or the application/user being monitored. |
| backgroundBytesRead | The number of bytes read by the application while running in the background. |
| backgroundBytesWritten | The number of bytes written by the application while running in the background. |
| backgroundContextSwitches | The number of context switches performed by the application's threads while in the background. |
| backgroundCycleCount | The amount of CPU cycle time consumed by the application in the background, measured in clock cycles. |
| backgroundFlushesCount | The number of flush operations performed by the application in the background. |
| backgroundReadOperations | The number of read operations performed by the application in the background. |
| backgroundWriteOperations | The number of write operations performed by the application in the background. |
| interfaceLuid | The Locally Unique Identifier (LUID) for the network interface used for data transfer. |
UserAssist

| JSON representation |
|---|
| { "applicationFocusCount": string, "applicationFocusDuration": string, "executionsCount": string, "entryIndex": string } |

| Fields | |
|---|---|
| applicationFocusCount | The number of times the application associated with the entry gained focus. |
| applicationFocusDuration | The total duration the application associated with the entry was in focus. A duration in seconds with up to nine fractional digits, ending with ' |
| executionsCount | The number of times the application associated with the entry has been executed. |
| entryIndex | The index or identifier of the UserAssist entry, unique per user. |
StatsData

| JSON representation |
|---|
| { "results": [ { object ( |

| Fields | |
|---|---|
| results[] | Result rows that are queried. |
| tooManyResults | If true, there are too many results to return and some have been omitted. |
| hasJoin | Indicates to the frontend that the result is a join-stats result. |
| hasDataTable | Indicates to the frontend that the result contains a data table. |
StatsColumnData

| JSON representation |
|---|
| { "column": string, "values": [ { object ( |

| Fields | |
|---|---|
| column | Used to store column names. |
| values[] | Stores the list of values in a column. |
StatsColumnType

| JSON representation |
|---|
| { // Union field |

| Fields | |
|---|---|
| Union field type. Stores a single value or a list of values in a column. type can be only one of the following: | |
| value | Single value in a column. |
| list | List of values in a column (e.g. IPs). |
StatsColumnValue

| JSON representation |
|---|
| { // Union field |

| Fields | |
|---|---|
| Union field value. Value of the column, based on its data type. value can be only one of the following: | |
| nullVal | True if the value is NULL. |
| boolVal | Boolean value. |
| bytesVal | Bytes value. A base64-encoded string. |
| doubleVal | Double value. |
| int64Val | Integer value (signed). |
| uint64Val | Unsigned integer value. |
| stringVal | String value. Enum values are returned as strings. |
| timestampVal | Timestamp value. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| dateVal | Date value. |
| protoVal | For any proto values that are not any of the above. An object containing fields of an arbitrary type. An additional field |
Date

| JSON representation |
|---|
| { "year": integer, "month": integer, "day": integer } |

| Fields | |
|---|---|
| year | Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. |
| month | Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. |
| day | Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. |
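As an added example (not part of the udm_search documentation or of Google's code), the following Python decodes one StatsColumnValue cell per union member listed above and enforces the Date field rules, including the leap-year and "year 0" cases. It assumes the member names shown in the Fields tables and the proto3 JSON conventions that 64-bit integers arrive as decimal strings and bytes as base64; the sample cells are constructed, not real API output.

```python
import base64
import calendar
import re
from datetime import datetime, timezone

# Constructed sample cells (not real udm_search output): one per union member
# named in the StatsColumnValue table, following proto3 JSON conventions.
SAMPLE_CELLS = [
    {"nullVal": True},
    {"boolVal": False},
    {"bytesVal": base64.b64encode(b"\x90\x90\xcc").decode()},
    {"doubleVal": 7.5},
    {"int64Val": "-42"},
    {"uint64Val": "18446744073709551615"},
    {"stringVal": "NETWORK_CONNECTION"},
    {"timestampVal": "2025-11-18T23:59:59.123Z"},
    {"dateVal": {"year": 2025, "month": 11, "day": 19}},
]


def validate_date(d: dict) -> None:
    """Apply the Date rules: year 1..9999 or 0 (no year), month 1..12 or 0
    (year only), day 1..31 and valid for year/month or 0 (day not significant)."""
    year, month, day = d.get("year", 0), d.get("month", 0), d.get("day", 0)
    if not 0 <= year <= 9999:
        raise ValueError(f"year out of range: {year}")
    if not 0 <= month <= 12:
        raise ValueError(f"month out of range: {month}")
    if month == 0 and day != 0:
        raise ValueError("day set while month is 0")
    if day != 0:
        # year 0 means 'no year': validate against a leap year so Feb 29 passes.
        last_day = calendar.monthrange(year or 2000, month)[1]
        if not 1 <= day <= last_day:
            raise ValueError(f"day {day} invalid for year={year} month={month}")


def parse_rfc3339(text: str) -> datetime:
    """Accept 0, 3, 6 or 9 fractional digits and any offset; normalise to UTC."""
    text = re.sub(r"(\.\d{6})\d+", r"\1", text)  # datetime keeps microseconds only
    text = text[:-1] + "+00:00" if text.endswith("Z") else text
    return datetime.fromisoformat(text).astimezone(timezone.utc)


def decode_cell(cell: dict) -> object:
    """Convert one StatsColumnValue JSON object to a Python value.
    Exactly one union member may be set; anything else is rejected."""
    if len(cell) != 1:
        raise ValueError(f"expected one union member, got {sorted(cell)}")
    (kind, raw), = cell.items()
    if kind == "nullVal":
        return None
    if kind == "boolVal":
        return bool(raw)
    if kind == "bytesVal":
        return base64.b64decode(raw, validate=True)
    if kind == "doubleVal":
        return float(raw)
    if kind in ("int64Val", "uint64Val"):
        value = int(raw)  # 64-bit integers arrive as decimal strings
        low, high = (0, 2**64 - 1) if kind == "uint64Val" else (-(2**63), 2**63 - 1)
        if not low <= value <= high:
            raise ValueError(f"{kind} out of range: {value}")
        return value
    if kind == "stringVal":
        return str(raw)  # enum values also arrive as strings
    if kind == "timestampVal":
        return parse_rfc3339(raw)
    if kind == "dateVal":
        validate_date(raw)
        return (raw.get("year", 0), raw.get("month", 0), raw.get("day", 0))
    if kind == "protoVal":
        return dict(raw)  # opaque object; the caller dispatches on its type
    raise ValueError(f"unknown StatsColumnValue member: {kind}")
```

Decoding a row is `[decode_cell(c) for c in cells]`; a cell with zero or two members set is rejected rather than silently coerced.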
Any

| JSON representation |
|---|
| { "typeUrl": string, "value": string } |

| Fields | |
|---|---|
| typeUrl | A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than |
| value | Must be a valid serialized protocol buffer of the above specified type. A base64-encoded string. |
StatsList

| JSON representation |
|---|
| { "values": [ { object ( |

| Fields | |
|---|---|
| values[] | List of values in one cell of the column. |
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌