Metadata

General information associated with a UDM event.

JSON representation
{
  "id": string,
  "productLogId": string,
  "eventTimestamp": string,
  "eventTimestampAttributes": [
    enum (EventTimestampAttribute)
  ],
  "collectedTimestamp": string,
  "ingestedTimestamp": string,
  "eventType": enum (EventType),
  "vendorName": string,
  "productName": string,
  "productVersion": string,
  "productEventType": string,
  "productDeploymentId": string,
  "description": string,
  "urlBackToProduct": string,
  "ingestionLabels": [
    {
      object (Label)
    }
  ],
  "tags": {
    object (Tags)
  },
  "enrichmentState": enum (EnrichmentState),
  "logType": string,
  "baseLabels": {
    object (DataAccessLabels)
  },
  "enrichmentLabels": {
    object (DataAccessLabels)
  },
  "structuredFields": {
    object
  },
  "parserVersion": string
}
Fields
id

string (bytes format)

ID of the UDM event. Can be used for raw and normalized event retrieval.

A base64-encoded string.

productLogId

string

A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).

eventTimestamp

string (Timestamp format)

The GMT timestamp when the event was generated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

eventTimestampAttributes[]

enum (EventTimestampAttribute)

Attributes associated with eventTimestamp. This field is used to distinguish between different types of timestamps that can be used to represent the eventTimestamp.

collectedTimestamp

string (Timestamp format)

The GMT timestamp when the event was collected by the vendor's local collection infrastructure.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

ingestedTimestamp

string (Timestamp format)

The GMT timestamp when the event was ingested (received) by Chronicle.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

eventType

enum (EventType)

The event type. If an event has multiple possible types, this specifies the most specific type.

vendorName

string

The name of the product vendor.

productName

string

The name of the product.

productVersion

string

The version of the product.

productEventType

string

A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").

productDeploymentId

string

The deployment identifier assigned by the vendor for a product deployment.

description

string

A human-readable, unparsable description of the event.

urlBackToProduct

string

A URL that takes the user to the source product console for this event.

ingestionLabels[]

object (Label)

User-configured ingestion metadata labels.

tags

object (Tags)

Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser.

enrichmentState

enum (EnrichmentState)

The enrichment state.

logType

string

The string value of the log type.

baseLabels

object (DataAccessLabels)

Data access labels on the base event.

enrichmentLabels

object (DataAccessLabels)

Data access labels from all the contextual events used to enrich the base event.

structuredFields (deprecated)

object (Struct format)

Flattened fields extracted from the log.

parserVersion

string

The version of the parser that generated this UDM event.
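
Added example (not part of the original reference or of Chronicle's own code): a Python sketch that parses the three Metadata timestamps at full nanosecond precision, decodes the base64 id, and flags ordering problems between event, collection and ingestion time. The finding names, the one-hour lag threshold and the sample record are assumptions constructed for illustration.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 as described above: optional 1-9 fractional digits, "Z" or a numeric offset.
_RFC3339 = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?(Z|[+-]\d\d:\d\d)$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_epoch_ns(ts: str) -> int:
    """Convert an RFC 3339 string to integer nanoseconds since the Unix epoch (UTC)."""
    m = _RFC3339.match(ts)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {ts!r}")
    stamp, frac, zone = m.groups()
    offset = timedelta(0)
    if zone != "Z":
        sign = -1 if zone[0] == "-" else 1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
    utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc) - offset
    whole = (utc - _EPOCH) // timedelta(seconds=1)
    # datetime keeps only microseconds, so the fraction is carried as an integer.
    return whole * 1_000_000_000 + int((frac or "").ljust(9, "0"))

def timing_review(metadata: dict, max_lag_s: float = 3600.0) -> dict:
    """Decode the event id and derive timing findings (names are hypothetical)."""
    event = to_epoch_ns(metadata["eventTimestamp"])
    ingested = to_epoch_ns(metadata["ingestedTimestamp"])
    collected = metadata.get("collectedTimestamp")
    findings = []
    if event > ingested:  # source clock ahead of ingestion, or a spoofed time
        findings.append("event_after_ingest")
    if collected and not event <= to_epoch_ns(collected) <= ingested:
        findings.append("collected_out_of_order")
    lag_ns = ingested - event
    if lag_ns > max_lag_s * 1e9:  # detections keyed on event time may miss this
        findings.append("late_arrival")
    return {"id_bytes": base64.b64decode(metadata["id"], validate=True),
            "ingest_lag_ns": lag_ns, "findings": findings}

# Constructed sample record; not real Chronicle output.
SAMPLE = {
    "id": "QUJDREVGR0g=",
    "eventTimestamp": "2014-10-02T15:01:23+05:30",
    "collectedTimestamp": "2014-10-02T09:31:25.045Z",
    "ingestedTimestamp": "2014-10-02T09:31:30.045123456Z",
}

if __name__ == "__main__":
    print(timing_review(SAMPLE))
```
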

Tags

Tags are event metadata set by examining event contents after parsing. For example, a UDM event may be assigned a tenantId based on certain customer-defined parameters.

JSON representation
{
  "tenantId": [
    string
  ],
  "dataTapConfigName": [
    string
  ]
}
Fields
tenantId[]

string (bytes format)

A list of subtenant IDs that this event belongs to.

A base64-encoded string.

dataTapConfigName[]

string

A list of sink name values defined in DataTap configurations.