Entity

JSON representation
EntityMetadata
- JSON representation
Relation
- JSON representation
Metric
- JSON representation
Measure
- JSON representation

An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.

JSON representation

JSON representation
{ "metadata": { object (`EntityMetadata`) }, "entity": { object (`Noun`) }, "relations": [ { object (`Relation`) } ], "additional": { object }, "metric": { object (`Metric`) }, "riskScore": { object (`EntityRisk`) } }

{
  "metadata": {
    object (EntityMetadata)
  },
  "entity": {
    object (Noun)
  },
  "relations": [
    {
      object (Relation)
    }
  ],
  "additional": {
    object
  },
  "metric": {
    object (Metric)
  },
  "riskScore": {
    object (EntityRisk)
  }
}

Fields
`metadata`	`object (EntityMetadata)` Entity metadata such as timestamp, product, etc.
`entity`	`object (Noun)` Noun in the UDM event that this entity represents.
`relations[]`	`object (Relation)` One or more relationships between the entity (a) and other entities, including the relationship type and related entity.
`additional`	`object (Struct format)` Important entity data that cannot be adequately represented within the formal sections of the Entity.
`metric`	`object (Metric)` Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC.
`riskScore`	`object (EntityRisk)` Stores information related to the entity's risk score.

EntityMetadata

Information about the Entity and the product where the entity was created. Next Tag: 18

JSON representation

JSON representation
{ "productEntityId": string, "collectedTimestamp": string, "creationTimestamp": string, "interval": { object (`Interval`) }, "vendorName": string, "productName": string, "feed": string, "productVersion": string, "entityType": enum (`EntityType`), "description": string, "threat": [ { object (`SecurityResult`) } ], "sourceType": enum (`SourceType`), "sourceLabels": [ { object (`Label`) } ], "eventMetadata": { object (`Metadata`) }, "structuredFields": { object }, "extracted": { object }, "atiPrioritization": { object (`AtiPrioritization`) } }

{
  "productEntityId": string,
  "collectedTimestamp": string,
  "creationTimestamp": string,
  "interval": {
    object (Interval)
  },
  "vendorName": string,
  "productName": string,
  "feed": string,
  "productVersion": string,
  "entityType": enum (EntityType),
  "description": string,
  "threat": [
    {
      object (SecurityResult)
    }
  ],
  "sourceType": enum (SourceType),
  "sourceLabels": [
    {
      object (Label)
    }
  ],
  "eventMetadata": {
    object (Metadata)
  },
  "structuredFields": {
    object
  },
  "extracted": {
    object
  },
  "atiPrioritization": {
    object (AtiPrioritization)
  }
}

Fields
`productEntityId`	`string` A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar).
`collectedTimestamp`	`string (Timestamp format)` GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`creationTimestamp`	`string (Timestamp format)` GMT timestamp when the entity described by the productEntityId was created on the system where data was collected. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`interval`	`object (Interval)` Valid existence time range for the version of the entity represented by this entity data.
`vendorName`	`string` Vendor name of the product that produced the entity information.
`productName`	`string` Product name that produced the entity information.
`feed`	`string` Vendor feed name for a threat indicator feed.
`productVersion`	`string` Version of the product that produced the entity information.
`entityType`	`enum (EntityType)` Entity type. If an entity has multiple possible types, this specifies the most specific type.
`description`	`string` Human-readable description of the entity.
`threat[]`	`object (SecurityResult)` Metadata provided by a threat intelligence feed that identified the entity as malicious.
`sourceType`	`enum (SourceType)` The source of the entity.
`sourceLabels[]`	`object (Label)` Entity source metadata labels.
`eventMetadata`	`object (Metadata)` Metadata field from the event.
`structuredFields (deprecated)`	`object (Struct format)` This item is deprecated! Structured fields extracted from the log.
`extracted`	`object (Struct format)` Flattened fields extracted from the log.
`atiPrioritization`	`object (AtiPrioritization)` Prioritization factors used by ATI curated rules.

Relation

Defines the relationship between the entity (a) and another entity (b).

JSON representation
{ "entity": { object (`Noun`) }, "entityType": enum (`EntityType`), "relationship": enum (`Relationship`), "direction": enum (`Directionality`), "uid": string, "entityLabel": enum (`EntityLabel`) }

Fields
`entity`	`object (Noun)` Entity (b) that the primary entity (a) is related to.
`entityType`	`enum (EntityType)` Type of the related entity (b) in this relationship.
`relationship`	`enum (Relationship)` Type of relationship.
`direction`	`enum (Directionality)` Directionality of relationship between primary entity (a) and the related entity (b).
`uid`	`string (bytes format)` UID of the relationship. A base64-encoded string.
`entityLabel`	`enum (EntityLabel)` Label to identify the Noun of the relation.

Metric

Stores precomputed aggregated analytic data for an entity.

JSON representation

JSON representation
{ "firstSeen": string, "lastSeen": string, "sumMeasure": { object (`Measure`) }, "totalEvents": string, "metricName": enum (`MetricName`), "dimensions": [ enum (`Dimension`) ], "exportWindow": string }

{
  "firstSeen": string,
  "lastSeen": string,
  "sumMeasure": {
    object (Measure)
  },
  "totalEvents": string,
  "metricName": enum (MetricName),
  "dimensions": [
    enum (Dimension)
  ],
  "exportWindow": string
}

Fields
`firstSeen`	`string (Timestamp format)` Timestamp of the first time the entity was seen in the environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`lastSeen`	`string (Timestamp format)` Time stamp of the last time last time the entity was seen in the environment. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`sumMeasure`	`object (Measure)` Sum of all precomputed measures for the given metric.
`totalEvents`	`string (int64 format)` Total number of events used to calculate the given precomputed metric.
`metricName`	`enum (MetricName)` Name of the analytic.
`dimensions[]`	`enum (Dimension)` All group by clauses used to calculate the metric.
`exportWindow`	`string (int64 format)` Export window for which the metric was exported.

Measure

Describes the precomputed measure.

JSON representation
{ "value": number, "aggregateFunction": enum (`AggregateFunction`) }

Fields

Fields
`value`	`number` Value of the aggregated measure.
`aggregateFunction`	`enum (AggregateFunction)` Function used to calculate the aggregated measure.

value

number

Value of the aggregated measure.

aggregateFunction

enum (AggregateFunction)

Function used to calculate the aggregated measure.

Entity Stay organized with collections Save and categorize content based on your preferences.

EntityMetadata

Relation

Metric

Measure

Entity