Unified Data Model field list

This document provides a list of fields available in the Unified Data Model schema. When specifying a field, use the following format: <prefix>.<field_name1>.<field_name2>.<...>.<field_nameN>=<value>

When writing rules for Detect Engine, use the <prefix> pattern $event for Event fields and $entity for Entity fields. For example:

$event.metadata.event_type
$event.network.dhcp.opcode
$event.principal.user.location.city
$entity.graph.entity.hostname
$entity.graph.metadata.product_name

When you write configuration-based normalizer (CBN) parsers, use the <prefix> pattern event.idm.read_only_udm for UDM Event fields and event.idm.graph for UDM Entity fields. For example:

event.idm.read_only_udm.metadata.event_type
event.idm.read_only_udm.network.dhcp.opcode
event.idm.read_only_udm.principal.user.location.city
event.idm.graph.entity.user.user_display_name
event.idm.graph.entity.asset.hostname

Field name and field type values can look similar. This document uses style conventions to help you identify the differences:

Field type values use camelCase characters. For example, platform and eventType.
Field name values use lowercase characters. For example, platform and event_type.
Standard datatype values use lowercase characters.

UDM Entity data model

The UDM Entity Data model represents a state-in-time view of the objects within an enterprise, such as users, assets, and organizational resources. Unlike the Event Model, which captures point-in-time activities (telemetry), the Entity model provides the context necessary for effective threat hunting and risk scoring.

By mapping metadata from disparate sources like Active Directory, EDR inventories, and CMDBs into a unified structure, developers can programmatically correlate "who" or "what" is involved in a security incident. This model is essential for building relationship graphs, tracking asset criticality, and applying identity-centric security policies across the organization.

AtiPrioritization

AtiPrioritization contains various fields used to calculate a priority score for an entity identified as a threat.

Field Name	Type	Label	Description
gti_verdict	int32		The confidence score from the GTI verdict source.
gti_severity	int32		The confidence score from the GTI severity source.
gti_threat_score	int32		The confidence score from the GTI threat score source.
mandiant_analyst_confidence	int32		The confidence score from the Mandiant Analyst Intel source.
gti_update_time	google.protobuf.Timestamp		Timestamp of the latest update for GTI verdict, severity, or threat score.
active_ir	bool		Indicates whether one or more Mandiant incident response customers had this indicator in their environment.
active_ir_first_tagged_time	google.protobuf.Timestamp		The timestamp of the first time an active IR was applied to this entity.
global_customer_count	int64		Global customer count over the last 30 days.
global_hit_count	int64		Global hit count over the last 30 days.
exclusive	bool		Indicates whether the indicator is being used by a maximum of one threat actor.
osint	bool		Indicates whether the indicator details are available in open source.
scanner	bool		Indicates whether the indicator is a scanner.
reviewed	bool		Indicates whether the indicator verdict has passed review.
attributed_malware	SecurityResult.Association	repeated	Malware families associated with this indicator.
attributed_threat_actors	SecurityResult.Association	repeated	Threat actors associated with this indicator.

Entity

An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user abc@example.corp launched process shady.exe. The event does not include information that user abc@example.com is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.

Field name	Type	Label	Description
metadata	EntityMetadata		Entity metadata such as timestamp, product, etc.
entity	Noun		Noun in the UDM event that this entity represents.
relations	Relation	repeated	One or more relationships between the entity (a) and other entities, including the relationship type and related entity.
additional	google.protobuf.Struct		Important entity data that cannot be adequately represented within the formal sections of the Entity.
risk_score	EntityRisk	optional	Stores information related to the entity's risk score.
metric	Metric		Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC.

EntityMetadata

Information about the Entity and the product where the entity was created.

Field name	Type	Label	Description
product_entity_id	string		A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar).
collected_timestamp	google.protobuf.Timestamp		GMT timestamp when the entity information was collected by the vendor's local collection infrastructure.
creation_timestamp	google.protobuf.Timestamp		GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected.
interval	google.type.Interval		Valid existence time range for the version of the entity represented by this entity data.
vendor_name	string		Vendor name of the product that produced the entity information.
product_name	string		Product name that produced the entity information.
feed	string		Vendor feed name for a threat indicator feed.
product_version	string		Version of the product that produced the entity information.
entity_type	EntityMetadata.EntityType (Enumerated list)		Entity type. If an entity has multiple possible types, this specifies the most specific type.
description	string		Human-readable description of the entity.
threat	SecurityResult	repeated	Metadata provided by a threat intelligence feed that identified the entity as malicious.
source_type	EntityMetadata.SourceType (Enumerated list)		The source of the entity.
source_labels	Label	repeated	Entity source metadata labels.
event_metadata	Metadata		Metadata field from the event.
structured_fields	google.protobuf.Struct		Structured fields extracted from the log.
extracted	google.protobuf.Struct		Flattened fields extracted from the log.
ati_prioritization	AtiPrioritization		Prioritization factors used by ATI curated rules.

EntityRisk

Stores information related to the risk score of an entity.

Field Name	Type	Label	Description
risk_version	string		Version of the risk score calculation algorithm.
risk_window	google.type.Interval		Time window used when computing the risk score for an entity, for example 24 hours or 7 days.
risk_window_has_new_detections	boolean		Indicates whether or not there are new detections for the risk window.
DEPRECATED_risk_score	int32		Deprecated risk score.
risk_delta	RiskDelta	optional	Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window.
detections_count	int32		Number of detections that make up the risk score within the time window.
first_detection_time	google.protobuf.Timestamp		Timestamp of the first detection within the specified time window. This field is empty when there are no detections.
last_detection_time	google.protobuf.Timestamp		Timestamp of the last detection within the specified time window. This field is empty when there are no detections.
risk_score	float		Raw risk score for the entity.
normalized_risk_score	int32		Normalized risk score for the entity. This value is between 0-1000.
risk_window_size	Int64		Risk window duration for the Entity.
raw_risk_delta	RiskDelta	optional	Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window.

Metric

Stores precomputed aggregated analytic data for an entity.

Field name	Type	Label	Description
first_seen	google.protobuf.Timestamp		Timestamp of the first time the entity was seen in the environment.
last_seen	google.protobuf.Timestamp		Time stamp of the last time the entity was seen in the environment.
sum_measure	Metric.Measure		Sum of all precomputed measures for the given metric.
total_events	int64		Total number of events used to calculate the given precomputed metric.
metric_name	Metric.MetricName (Enumerated list)		Name of the analytic.
dimensions	Metric.Dimension (Enumerated list)	repeated	All group by clauses used to calculate the metric.
export_window	int64		Export window for which the metric was exported.

Metric.Measure

Describes the precomputed measure.

Field Name	Type	Label	Description
value	double		Value of the aggregated measure.
aggregate_function	Metric.AggregateFunction (Enumerated list)		Function used to calculate the aggregated measure.

Relation

Defines the relationship between the entity (a) and another entity (b).

Field name	Type	Description
entity	Noun	Entity (b) that the primary entity (a) is related to.
entity_type	EntityMetadata.EntityType (Enumerated list)	Type of the related entity (b) in this relationship.
relationship	Relation.Relationship (Enumerated list)	Type of relationship.
direction	Relation.Directionality (Enumerated list)	Directionality of relationship between primary entity (a) and the related entity (b).
uid	bytes	UID of the relationship.
entity_label	Relation.EntityLabel (Enumerated list)	Label to identify the Noun of the relation.

RiskDelta

Describes the difference in risk score between two points in time.

Field Name	Type	Description
previous_range_end_time	google.protobuf.Timestamp	End time of the previous time window.
risk_score_delta	int32	Difference in the normalized risk score from the previous recorded value.
previous_risk_score	int32	Risk score from previous risk window
risk_score_numeric_delta	int32	Numeric change between current and previous risk score

Entity enumerated types

EntityMetadata.EntityType

Describes the type of entity. An unknown event type.

Enum Value	Enum Number	Description
ASSET	1	An asset, such as workstation, laptop, phone, virtual machine, etc.
USER	10000	User.
GROUP	10001	Group.
RESOURCE	2	Resource.
IP_ADDRESS	3	An external IP address.
CIDR_BLOCK	9	A CIDR block.
FILE	4	A file.
DOMAIN_NAME	5	A domain.
URL	6	A url.
MUTEX	7	A mutex.
METRIC	8	A metric.

EntityMetadata.SourceType

Describes the source of an entity.

Enum value	Enum number	Description
SOURCE_TYPE_UNSPECIFIED	0	Default source type
ENTITY_CONTEXT	1	Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT)
DERIVED_CONTEXT	2	Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats.
GLOBAL_CONTEXT	3	Global contextual entities such as WHOIS or Safe Browsing.

Metric.AggregateFunction

Mathematic function used to calculate the value.

Enum value	Enum number	Description
AGGREGATE_FUNCTION_UNSPECIFIED	0	Default value.
MIN	1	Minimum.
MAX	2	Maximum.
COUNT	3	Count.
SUM	4	Sum.
AVG	5	Average.
STDDEV	6	Standard Deviation.

Metric.Dimension

Describes field used as the dimension when grouping data to calculate the aggregate metric.

Enum value	Enum number	Description
DIMENSION_UNSPECIFIED	0	Default
PRINCIPAL_DEVICE	1	Principal Device
TARGET_USER	2	Target User
TARGET_DEVICE	3	Target Device
PRINCIPAL_USER	4	Principal User
TARGET_IP	5	Target IP
PRINCIPAL_FILE_HASH	6	Principal File Hash
PRINCIPAL_COUNTRY	7	Principal Country
SECURITY_CATEGORY	8	Security Category
NETWORK_ASN	9	Network ASN
CLIENT_CERTIFICATE_HASH	10	Client Certificate Hash
DNS_QUERY_TYPE	11	DNS Query Type
DNS_DOMAIN	12	DNS Domain
HTTP_USER_AGENT	13	HTTP User Agent
EVENT_TYPE	14	Event Type
PRODUCT_NAME	15	Product Name
PRODUCT_EVENT_TYPE	16	Product Event Type
PARENT_FOLDER_PATH	17	Parent Folder Path
TARGET_RESOURCE_NAME	18	Target resource Name
PRINCIPAL_APPLICATION	19	Principal Application.
TARGET_APPLICATION	20	Target Application.
EMAIL_TO_ADDRESS	21	Email To Address.
EMAIL_FROM_ADDRESS	22	Email From Address.
MAIL_ID	23	Mail Id.
PRINCIPAL_IP	24	Principal IP.
SECURITY_ACTION	25	Security Action.
SECURITY_RULE_ID	28	Security Rule Id.
TARGET_NETWORK_ORGANIZATION_NAME	29	Target Network Organization name.
PRINCIPAL_NETWORK_ORGANIZATION_NAME	30	Principal Network Organization name.
PRINCIPAL_PROCESS_FILE_PATH	31	Principal Process File Path.
PRINCIPAL_PROCESS_FILE_HASH	32	Principal Process File SHA256 Hash.
SECURITY_RESULT_RULE_NAME	33	Security Result rule name.
TARGET_RESOURCE_LABEL_KEY	34	Target Resource label key.
VENDOR_NAME	35	Vendor name.
TARGET_RESOURCE_TYPE	36	Target Resource type.
TARGET_LOCATION_NAME	37	Target Location name.
LOG_TYPE	38	Log type.
TARGET_HOSTNAME	39	Target Hostname.

Metric.MetricName

The name of the precomputed analytic.

Enum value	Enum number	Description
METRIC_NAME_UNSPECIFIED	0	Default
NETWORK_BYTES_INBOUND	1	Total received network bytes.
NETWORK_BYTES_OUTBOUND	2	Total network sent bytes.
NETWORK_BYTES_TOTAL	3	Total network sent bytes and received bytes.
AUTH_ATTEMPTS_SUCCESS	4	Successful authentication attempts.
AUTH_ATTEMPTS_FAIL	5	Failed authentication attempts.
AUTH_ATTEMPTS_TOTAL	6	Total authentication attempts.
DNS_BYTES_OUTBOUND	7	Total number of sent bytes for DNS events.
NETWORK_FLOWS_INBOUND	8	Total number of events having non-null received bytes.
NETWORK_FLOWS_OUTBOUND	9	Total number of events having non-null sent bytes.
NETWORK_FLOWS_TOTAL	10	Total events having non-null sent or received bytes.
DNS_QUERIES_SUCCESS	11	DNS query success count - Number of events with response_code = 0.
DNS_QUERIES_FAIL	12	Number of events with response_code != 0.
DNS_QUERIES_TOTAL	13	Total number of DNS queries made.
FILE_EXECUTIONS_SUCCESS	14	Number of successful file executions.
FILE_EXECUTIONS_FAIL	15	Number of failed file executions.
FILE_EXECUTIONS_TOTAL	16	Total number file executions.
HTTP_QUERIES_SUCCESS	17	Number of successful HTTP queries.
HTTP_QUERIES_FAIL	18	Number of failed HTTP queries.
HTTP_QUERIES_TOTAL	19	Total number of HTTP queries.
WORKSPACE_EMAILS_SENT_TOTAL	20	Total number of emails sent in Google Workspace.
WORKSPACE_TOTAL_DOWNLOAD_ACTIONS	21	Total number of download actions in Google Workspace.
WORKSPACE_TOTAL_CHANGE_ACTIONS	22	Total number of change actions in Google Workspace.
WORKSPACE_AUTH_ATTEMPTS_TOTAL	23	Total number of authentication attempts in Google Workspace.
WORKSPACE_NETWORK_BYTES_OUTBOUND	24	Number of outbound network bytes (total sent) in Google Workspace.
WORKSPACE_NETWORK_BYTES_TOTAL	25	Total number of network bytes (both sent and received) in Google Workspace.
ALERT_EVENT_NAME_COUNT	26	Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH.
RESOURCE_CREATION_TOTAL	27	Analytic tracking successful resource creations.
RESOURCE_CREATION_SUCCESS	28	Analytic tracking successful resource creations.
RESOURCE_READ_SUCCESS	29	Analytic tracking successful resource reads.
RESOURCE_READ_FAIL	30	Analytic tracking failed resource reads.
RESOURCE_DELETION_SUCCESS	31	Analytic tracking successful resource deletions.
RESOURCE_CREATION_FAIL	32	Analytic tracking failed resource creations.
RESOURCE_DELETION_FAIL	33	Analytic tracking failed resource deletions.
RESOURCE_DELETION_TOTAL	34	Analytic tracking total resource deletions.
RESOURCE_READ_TOTAL	35	Analytic tracking total resource reads.
RESOURCE_WRITTEN_FAIL	36	Analytic tracking failed resource writes.
RESOURCE_WRITTEN_SUCCESS	37	Analytic tracking successful resource writes.
RESOURCE_WRITTEN_TOTAL	38	Analytic tracking total resource writes.
UDM_DATA_PRESENCE_SUMMARY	39	UDM data summary tracking unique values of dimensions.

Relation.Directionality

Describes the relationship model as directed or undirected.

Enum value	Enum number	Description
DIRECTIONALITY_UNSPECIFIED	0	Default value.
BIDIRECTIONAL	1	Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a).
UNIDIRECTIONAL	2	Modeled in a single direction. Primary entity (a) to related entity (b).

Relation.EntityLabel

Entity label of the relation.

Enum value	Enum number	Description
ENTITY_LABEL_UNSPECIFIED	0	Default value.
PRINCIPAL	1	The Noun represents a principal type object.
TARGET	2	The Noun represents a target type object.
OBSERVER	3	The Noun represents an observer type object.
SRC	4	The Noun represents src type object.
NETWORK	5	The Noun represents a network type object.
SECURITY_RESULT	6	The Noun represents a SecurityResult object.
INTERMEDIARY	7	The Noun represents an intermediary type object.

Relation.Relationship

Type of relationship between the primary entity (a) and related entity (b).

Enum value	Enum number	Description
RELATIONSHIP_UNSPECIFIED	0	Default value
OWNS	1	Related entity is owned by the primary entity (e.g. user owns device asset).
ADMINISTERS	2	Related entity is administered by the primary entity (e.g. user administers a group).
MEMBER	3	Primary entity is a member of the related entity (e.g. user is a member of a group).
EXECUTES	4	Primary entity may have executed the related entity.
DOWNLOADED_FROM	5	Primary entity may have been downloaded from the related entity.
CONTACTS	6	Primary entity contacts the related entity.

UDM Event data model

A Unified Data Model event.

Field name	Type	Label	Description
metadata	Metadata		Event metadata such as timestamp, source product, etc.
additional	google.protobuf.Struct		Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model.
principal	Noun		Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values.
src	Noun		Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event.
target	Noun		Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target.
intermediary	Noun	repeated	Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that `principal`, `target`, and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C).
observer	Noun		Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question.
about	Noun	repeated	Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event.
security_result	SecurityResult	repeated	A list of security results.
network	Network		All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
extensions	Extensions		All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network.
extracted	google.protobuf.Struct		Flattened fields extracted from the log.
grouped	GroupedFields	optional	Related UDM fields that are grouped together.

Event top level types

Extensions

Extensions to a UDM event.

Field Name	Type	Description
auth	Authentication	An authentication extension.
vulns	Vulnerabilities	A vulnerability extension.
entity_risk	EntityRisk	An entity risk change extension.
linux_utmp	LinuxUtmp	A Linux Utmp extension. This captures details specific to Linux Utmp events, which record login and logout sessions on a Linux system.
windows_event_log	WindowsEventLog	A Windows Event Log extension. This captures details specific to Windows Event Log events, providing structured information from various Windows logs.
resource_usage	ResourceUsage	A resource usage extension. This captures details about what entity, for example, a process or user, is using a specific resource.
system_event_details	SystemEventDetails	A system event details extension. This captures additional details for system-level events, such as message type, sender image ID, and subsystem.
outlook_metadata	OutlookMetadata	A Microsoft Outlook metadata extension. This includes metadata related to Outlook items, such as comments, templates, and security flags.
srum	Srum	A SRUM extension. This captures details specific to Windows System Resource Usage Monitor (SRUM) events, providing insights into application resource consumption.
user_assist	UserAssist	A UserAssist extension. This captures details specific to Windows User Assist events, which track application usage and execution.

Metadata

General information associated with a UDM event.

Field Name	Type	Label	Description
id	bytes		ID of the UDM event. Can be used for raw and normalized event retrieval.
product_log_id	string		A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).
event_timestamp	google.protobuf.Timestamp		The GMT timestamp when the event was generated.
event_timestamp_attributes	Metadata.EventTimestampAttribute (Enumerated list)	repeated	Attributes associated with event_timestamp. This field is used to distinguish between different types of timestamps that can be used to represent the event_timestamp.
collected_timestamp	google.protobuf.Timestamp		The GMT timestamp when the event was collected by the vendor's local collection infrastructure.
ingested_timestamp	google.protobuf.Timestamp		The GMT timestamp when the event was ingested (received) by Google SecOps.
event_type	Metadata.EventType (Enumerated list)		The event type. If an event has multiple possible types, this specifies the most specific type.
vendor_name	string		The name of the product vendor.
product_name	string		The name of the product.
product_version	string		The version of the product.
product_event_type	string		A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").
product_deployment_id	string		The deployment identifier assigned by the vendor for a product deployment.
description	string		A human-readable unparsable description of the event.
url_back_to_product	string		A URL that takes the user to the source product console for this event.
ingestion_labels	Label	repeated	User-configured ingestion metadata labels.
tags	Tags		Tags added by Google SecOps after an event is parsed. It is an error to populate this field from within a parser.
enrichment_state	Metadata.EnrichmentState (Enumerated list)		The enrichment state.
log_type	string		The string value of log type.
base_labels	DataAccessLabels		Data access labels on the base event.
enrichment_labels	DataAccessLabels		Data access labels from all the contextual events used to enrich the base event.
structured_fields	google.protobuf.Struct		Flattened fields extracted from the log.
parser_version	string		The version of the parser that generated this UDM event.

Network

A network event.

Field Name	Type	Description
sent_bytes	uint64	The number of bytes sent.
received_bytes	uint64	The number of bytes received.
total_bytes	int64	The number of total bytes.
sent_packets	int64	The number of packets sent.
received_packets	int64	The number of packets received.
session_duration	Int64	The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer.
session_id	string	The ID of the network session.
parent_session_id	string	The ID of the parent network session.
application_protocol_version	string	The version of the application protocol. e.g. "1.1, 2.0"
community_id	string	Community ID network flow value.
direction	Network.Direction (Enumerated list)	The direction of network traffic.
ip_protocol	Network.IpProtocol (Enumerated list)	The IP protocol.
ipv6	bool	True if IPv6 is used.
application_protocol	Network.ApplicationProtocol (Enumerated list)	The application protocol.
ftp	Ftp	FTP info.
email	Email	Email info for the sender/recipient.
dns	Dns	DNS info.
dhcp	Dhcp	DHCP info.
http	Http	HTTP info.
tls	Tls	TLS info.
smtp	Smtp	SMTP info. Store fields specific to SMTP not covered by Email.
asn	string	Autonomous system number.
dns_domain	string	DNS domain name.
carrier_name	string	Carrier identification.
organization_name	string	Organization name (e.g Google).
ip_subnet_range	string	Associated human-readable IP subnet range (e.g. 10.1.2.0/24).
is_proxy	bool	Whether the IP address is a known proxy.
proxy_info	ProxyInfo	Proxy information. Only set if is_proxy is true.
connection_state	Network.ConnectionState (Enumerated list)	The state of the network connection.

Noun

The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

Field Name	Type	Label	Description
hostname	string		Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities.
domain	Domain		Information about the domain.
artifact	Artifact		Information about an artifact.
url_metadata	Url		Information about the URL.
browser	Browser		Information about an entry in the web browser's local history database.
asset_id	string		The asset ID. This field can be used as an entity indicator for asset entities.
user	User		Information about the user.
user_management_chain	User	repeated	Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.
group	Group		Information about the group.
process	Process		Information about the process.
process_ancestors	Process	repeated	Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
asset	Asset		Information about the asset.
ip	string	repeated	A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities.
nat_ip	string	repeated	A list of NAT translated IP addresses associated with a network connection.
port	int32		Source or destination network port number when a specific network connection is described within an event.
nat_port	int32		NAT external network port number when a specific network connection is described within an event.
mac	string	repeated	List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. Must be valid MAC addresses (EUI-48) in ASCII.
administrative_domain	string		Domain (128 characters maximum) which the device belongs to (for example, the Microsoft Windows domain).
namespace	string		Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset.
url	string		The URL.
file	File		Information about the file.
email	string		Email address. Only filled in for security_result.about
registry	Registry		Registry information.
application	string		The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Google SecOps".
platform	Noun.Platform (Enumerated list)		Platform.
platform_version	string		Platform version. For example, "Microsoft Windows 1803".
platform_patch_level	string		Platform patch level. For example, "Build 17134.48"
cloud	Cloud		Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).
location	Location		Physical location. For cloud environments, set the region in location.name.
ip_location	Location	repeated	Deprecated: use ip_geo_artifact.location instead.
ip_geo_artifact	Artifact	repeated	Enriched geographic information corresponding to an IP address. Specifically, location and network data.
resource	Resource		Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun.
resource_ancestors	Resource	repeated	Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).
labels	Label	repeated	Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).
object_reference	Id		Finding to which the Analyst updated the feedback.
investigation	Investigation		Analyst feedback/investigation for alerts.
network	Network		Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
security_result	SecurityResult	repeated	A list of security results.

SecurityResult

Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a

specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For

security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

Field Name	Type	Label	Description
about	Noun		If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a detection.
category	SecurityResult.SecurityCategory (Enumerated list)	repeated	The security category. This field is not populated when the SecurityResult appears in a detection.
category_details	string	repeated	For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a detection.
threat_name	string		A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a detection.
rule_set	string		The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts.
rule_set_display_name	string		The curated detections rule set display name. This is primarily set in rule-generated detections and alerts.
ruleset_category_display_name	string		The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts.
rule_id	string		A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").
rule_name	string		Name of the security rule (e.g. "BlockInboundToOracle").
display_name	string		The display name of the security result. This is populated from `name_override` Outcome Variable, if present. Otherwise, this field is not set.
rule_version	string		Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed.
rule_type	string		The type of security rule.
rule_author	string		Author of the security rule. This field is not populated when the SecurityResult appears in a detection.
rule_labels	Label	repeated	A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts.
alert_state	SecurityResult.AlertState (Enumerated list)		The alerting types of this security result. This is primarily set for rule-generated detections and alerts.
detection_fields	Label	repeated	An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). For Collection SecurityResults, prefer variables instead.
outcomes	Label	repeated	A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a detection. This is deprecated. Use variables instead.
variables	SecurityResult.VariablesEntry	repeated	A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a detection.
summary	string		A short human-readable summary (e.g. "failed login occurred")
description	string		A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary.
action	SecurityResult.Action (Enumerated list)	repeated	Actions taken for this event. This field is not populated when the SecurityResult appears in a detection.
action_details	string		The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a detection.
severity	SecurityResult.ProductSeverity (Enumerated list)		The severity of the result.
confidence	SecurityResult.ProductConfidence (Enumerated list)		The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a detection.
priority	SecurityResult.ProductPriority (Enumerated list)		The priority of the result. This field is not populated when the SecurityResult appears in a detection.
risk_score	float		The risk score of the security result.
confidence_score	float		The confidence score of the security result. This field is not populated when the SecurityResult appears in a detection.
analytics_metadata	AnalyticsMetadata	repeated	Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a detection.
severity_details	string		Vendor-specific severity. This field is not populated when the SecurityResult appears in a detection.
confidence_details	string		Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a detection.
priority_details	string		Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a detection.
url_back_to_product	string		URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a detection.
threat_id	string		Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a detection.
threat_feed_name	string		Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a detection.
threat_id_namespace	Id.Namespace		The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Google SecOps as it is a vendor specific id. This field is not populated when the SecurityResult appears in a detection.
threat_status	SecurityResult.ThreatStatus (Enumerated list)		Current status of the threat This field is not populated when the SecurityResult appears in a detection.
attack_details	AttackDetails		MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a detection.
first_discovered_time	google.protobuf.Timestamp		First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a detection.
associations	SecurityResult.Association	repeated	Associations related to the threat.
campaigns	string	repeated	Campaigns using this IOC threat. This is deprecated. Use threat_collections instead.
reports	string	repeated	Reports that reference this IOC threat. These are the report IDs. This is deprecated. Use threat_collections instead.
verdict	SecurityResult.Verdict (Enumerated list)		Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead.
last_updated_time	google.protobuf.Timestamp		Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a detection.
verdict_info	SecurityResult.VerdictInfo	repeated	Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a detection.
threat_verdict	ThreatVerdict (Enumerated list)		GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a detection.
last_discovered_time	google.protobuf.Timestamp		Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a detection.
detection_depth	int64		The depth of the detection chain. Applies only to composite detections.
threat_collections	SecurityResult.ThreatCollectionItem	repeated	GTI collections associated with the security result.

Event subtypes

AnalyticsMetadata

Stores information about an analytics metric used in a rule.

Field Name	Type	Label	Description
analytic	string		Name of the analytic.

AppCompatMetadata

Windows AppCompatCache (Application Compatibility) metadata.

Field Name	Type	Description
sequence	int32	Indicates the chronological order in which the entry was added to the cache.
executed	bool	Indicates whether the file associated with the entry was executed.
control_set	string	Indicates which registry Control Set the AppCompatCache data belongs to (e.g., "ControlSet001").

Artifact

Information about an artifact. The artifact can only be an IP.

Field Name	Type	Label	Description
ip	string		IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity.
prevalence	Prevalence		The prevalence of the artifact within the customer's environment.
first_seen_time	google.protobuf.Timestamp		First seen timestamp of the IP in the customer's environment.
last_seen_time	google.protobuf.Timestamp		Last seen timestamp of the IP address in the customer's environment.
location	Location		Location of the Artifact's IP address.
network	Network		Network information related to the Artifact's IP address.
as_owner	string		Owner of the Autonomous System to which the IP address belongs.
asn	int64		Autonomous System Number to which the IP address belongs.
jarm	string		The JARM hash for the IP address. (see Easily identify malicious servers on the Internet with JARM).
last_https_certificate	SSLCertificate		SSL certificate information about the IP address.
last_https_certificate_date	google.protobuf.Timestamp		Most recent date for the certificate in VirusTotal.
regional_internet_registry	string		RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC).
tags	string	repeated	Identification attributes
whois	string		WHOIS information as returned from the pertinent WHOIS server.
whois_date	google.protobuf.Timestamp		Date of the last update of the WHOIS record in VirusTotal.
tunnels	Tunnels	repeated	VPN tunnels.
anonymous	bool		Whether the VPN tunnels are configured for anonymous browsing or not.
artifact_client	ArtifactClient		Entity or software accessing or utilizing network resources.
risks	string	repeated	This field lists potential risks associated with the network activity.

ArtifactClient

Entity or software accessing or utilizing network resources.

Field Name	Type	Label	Description
behaviors	string	repeated	The behaviors of the client accessing the network.
proxies	string	repeated	The type of proxies used by the client.

Asset

Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.

Field Name	Type	Label	Description
product_object_id	string		A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities.
hostname	string		Asset hostname or domain name field. This field can be used as an entity indicator for asset entities.
asset_id	string		The asset ID. Value must contain the `:` character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities.
ip	string	repeated	A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities.
mac	string	repeated	List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities.
nat_ip	string	repeated	List of NAT IP addresses associated with an asset.
first_seen_time	google.protobuf.Timestamp		The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.
hardware	Hardware	repeated	The asset hardware specifications.
platform_software	PlatformSoftware		The asset operating system platform software.
software	Software	repeated	The asset software details.
location	Location		Location of the asset.
category	string		The category of the asset (e.g. "End User Asset", "Workstation", "Server").
type	Asset.AssetType (Enumerated list)		The type of the asset (e.g. workstation or laptop or server).
network_domain	string		The network domain of the asset (e.g. "corp.acme.com")
creation_time	google.protobuf.Timestamp		Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata.
first_discover_time	google.protobuf.Timestamp		Time the asset was first discovered (by asset management/discoverability software).
last_discover_time	google.protobuf.Timestamp		Time the asset was last discovered (by asset management/discoverability software).
system_last_update_time	google.protobuf.Timestamp		Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time.
last_boot_time	google.protobuf.Timestamp		Time the asset was last boot started.
labels	Label	repeated	Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.
deployment_status	Asset.DeploymentStatus (Enumerated list)		The deployment status of the asset for device lifecycle purposes.
vulnerabilities	Vulnerability	repeated	Vulnerabilities discovered on asset.
attribute	Attribute (Enumerated list)		Generic entity metadata attributes of the asset.
wmi_persistence_item	WmiPersistenceItem		Information about a WMI persistence item.

AttackDetails

MITRE ATT&CK details.

Field Name	Type	Label	Description
version	string		ATT&CK version (e.g. 12.1).
tactics	AttackDetails.Tactic	repeated	Tactics employed.
techniques	AttackDetails.Technique	repeated	Techniques employed.

AttackDetails.Tactic

Tactic information related to an attack or threat.

Field Name	Type	Label	Description
id	string		Tactic ID (e.g. "TA0043").
name	string		Tactic Name (e.g. "Reconnaissance")

AttackDetails.Technique

Technique information related to an attack or threat.

Field Name	Type	Description
id	string	Technique ID (e.g. "T1595").
name	string	Technique Name (e.g. "Active Scanning").
subtechnique_id	string	Subtechnique ID (e.g. "T1595.001").
subtechnique_name	string	Subtechnique Name (e.g. "Scanning IP Blocks").

Attribute

Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account).

Field Name	Type	Label	Description
cloud	Cloud		Cloud metadata attributes such as project ID, account ID, or organizational hierarchy.
labels	Label	repeated	Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings.
permissions	Permission	repeated	System permissions for IAM entity (human principal, service account, group).
roles	Role (Enumerated list)	repeated	System IAM roles to be assumed by resources to use the role's permissions for access control.
creation_time	google.protobuf.Timestamp		Time the resource or entity was created or provisioned.
last_update_time	google.protobuf.Timestamp		Time the resource or entity was last updated.

Authentication

The Authentication extension captures details specific to authentication events. General guidelines for authentication events:

Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login.
Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target.
Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Google SecOps) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution.

Field Name	Type	Label	Description
type	Authentication.AuthType (Enumerated list)		The type of authentication.
mechanism	Authentication.Mechanism (Enumerated list)	repeated	The authentication mechanism.
auth_details	string		The vendor defined details of the authentication.
outcome	Authentication.Outcome (Enumerated list)		The outcome of the authentication event.

BoolSequence

BoolSequence represents a sequence of bools.

Field Name	Type	Label	Description
bool_vals	bool	repeated	bool sequence.

Browser

Information about an entry in the web browser's local history database.

Field Name	Type	Label	Description
browser_type	Browser.BrowserType (Enumerated list)		The browser that recorded the history entry (e.g. "Chrome", "Firefox", "Safari", etc.).
browser_version	string		The browser version.
first_visit_time	google.protobuf.Timestamp		The timestamp indicating the initial visit to the URL.
last_visit_time	google.protobuf.Timestamp		The timestamp indicating the most recent visit to the URL.
profile	string		The browser profile associated with the history entry.
typed	bool		A boolean value indicating if the URL was typed by the user.
visit_type	Browser.UrlVisitType (Enumerated list)		Describes the type of navigation or visit (e.g., direct, redirect, etc.).
hidden	bool		A boolean value indicating if the history entry is hidden.
request_origin_uri	string		Indicates the URI from which the current visit originated.
visit_count	int64		The total number of times the Url has been visited.
visit_count_criteria	string		Describes the criteria used to calculate the visit_count.
indexed_content	string		Represents the textual content of a web page. This field should be kept short. Large strings may affect latency and payload sizes.
first_bookmarked_time	google.protobuf.Timestamp		The timestamp indicating the first time the URL was bookmarked.
cookies	Browser.Cookie	repeated	Information about the cookies.
typed_count	int64		The number of times the URL was visited with this specific visit type and visit source.
visit_source	Browser.VisitSource (Enumerated list)		The source of the visit.

Browser.Cookie

Browser cookie.

Field Name	Type	Description
name	string	The unique name identifying the cookie.
value	string	The data stored within the cookie.
domain	string	The domain for which the cookie is valid.
path	string	The URL path for which the cookie is valid.
expiration_time	google.protobuf.Timestamp	The date and time when the cookie will expire.
http_only	bool	Indicates if the cookie is inaccessible via client-side scripts (e.g., JavaScript).
secure	bool	Indicates if the cookie should only be sent over secure HTTPS connections.
max_age	int64	The maximum age of the cookie in seconds.
same_site	Browser.Cookie.CookieSameSite (Enumerated list)	Affects cross-site request behavior.
session	bool	Indicates if the cookie is persistent.
partitioned	bool	Shows if the cookies is stored using partitioned storage.

BytesSequence

BytesSequence represents a sequence of bytes.

Field Name	Type	Label	Description
bytes_vals	bytes	repeated	bytes sequence.

Certificate

Certificate information

Field Name	Type	Description
version	string	Certificate version.
serial	string	Certificate serial number.
subject	string	Subject of the certificate.
issuer	string	Issuer of the certificate.
md5	string	The MD5 hash of the certificate, as a hex-encoded string.
sha1	string	The SHA1 hash of the certificate, as a hex-encoded string.
sha256	string	The SHA256 hash of the certificate, as a hex-encoded string.
not_before	google.protobuf.Timestamp	Indicates when the certificate is first valid.
not_after	google.protobuf.Timestamp	Indicates when the certificate is no longer valid.

Cloud

Metadata related to the cloud environment.

Field Name	Type	Description
environment	Cloud.CloudEnvironment (Enumerated list)	The Cloud environment.
vpc	Resource	The cloud environment VPC. Deprecated.
project	Resource	The cloud environment project information. Deprecated: Use Resource.resource_ancestors
availability_zone	string	The cloud environment availability zone (different from region which is location.name).

DNSRecord

DNS record.

Field Name	Type	Description
type	string	Type.
value	string	Value.
ttl	Int64	Time to live.
priority	int64	Priority.
retry	int64	Retry.
refresh	Int64	Refresh.
minimum	Int64	Minimum.
expire	Int64	Expire.
serial	int64	Serial.
rname	string	Rname.

Dhcp

DHCP information.

Field Name	Type	Label	Description
opcode	Dhcp.OpCode (Enumerated list)		The BOOTP op code.
htype	uint32		Hardware address type.
hlen	uint32		Hardware address length.
hops	uint32		Hardware ops.
transaction_id	uint32		Transaction ID.
seconds	uint32		Seconds elapsed since client began address acquisition/renewal process.
flags	uint32		Flags.
ciaddr	string		Client IP address (ciaddr).
yiaddr	string		Your IP address (yiaddr).
siaddr	string		IP address of the next bootstrap server.
giaddr	string		Relay agent IP address (giaddr).
chaddr	string		Client hardware address (chaddr).
sname	string		Server name that the client wishes to boot from.
file	string		Boot image filename.
options	Dhcp.Option	repeated	List of DHCP options.
type	Dhcp.MessageType (Enumerated list)		DHCP message type.
lease_time_seconds	uint32		Lease time in seconds. See RFC2132, section 9.2.
client_hostname	string		Client hostname. See RFC2132, section 3.14.
client_identifier	bytes		Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field.
requested_address	string		Requested IP address. See RFC2132, section 9.1.
client_identifier_string	string		Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier.

Dhcp.Option

DHCP options.

Field Name	Type	Label	Description
code	uint32		Code. See RFC1533.
data	bytes		Data.

Dns

DNS information.

Field Name	Type	Label	Description
id	uint32		DNS query id.
response	bool		Set to true if the event is a DNS response. See QR field from RFC1035.
opcode	uint32		The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS).
authoritative	bool		Other DNS header flags. See RFC1035, section 4.1.1.
truncated	bool		Whether the DNS response was truncated.
recursion_desired	bool		Whether a recursive DNS lookup is desired.
recursion_available	bool		Whether a recursive DNS lookup is available.
response_code	uint32		Response code. See RCODE from RFC1035.
questions	Dns.Question	repeated	A list of domain protocol message questions.
answers	Dns.ResourceRecord	repeated	A list of answers to the domain name query.
authority	Dns.ResourceRecord	repeated	A list of domain name servers which verified the answers to the domain name queries.
additional	Dns.ResourceRecord	repeated	A list of additional domain name servers that can be used to verify the answer to the domain.

Dns.Question

DNS Questions. See RFC1035, section 4.1.2.

Field Name	Type	Description
name	string	The domain name.
type	uint32	The code specifying the type of the query.
class	uint32	The code specifying the class of the query.
prevalence	Prevalence	The prevalence of the domain within the customer's environment.

Dns.ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

Field Name	Type	Description
name	string	The name of the owner of the resource record.
type	uint32	The code specifying the type of the resource record.
class	uint32	The code specifying the class of the resource record.
ttl	uint32	The time interval for which the resource record can be cached before the source of the information should again be queried.
data	string	The payload or response to the DNS question for all responses encoded in UTF-8 format
binary_data	bytes	The raw bytes of any non-UTF8 strings that might be included as part of a DNS response.

Domain

Information about a domain.

Field Name	Type	Label	Description
name	string		The domain name. This field can be used as an entity indicator for Domain entities.
prevalence	Prevalence		The prevalence of the domain within the customer's environment.
first_seen_time	google.protobuf.Timestamp		First seen timestamp of the domain in the customer's environment.
last_seen_time	google.protobuf.Timestamp		Last seen timestamp of the domain in the customer's environment.
registrar	string		Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM".
contact_email	string		Contact email address.
whois_server	string		Whois server name.
name_server	string	repeated	Repeated list of name servers.
creation_time	google.protobuf.Timestamp		Domain creation time.
update_time	google.protobuf.Timestamp		Last updated time.
expiration_time	google.protobuf.Timestamp		Expiration time.
audit_update_time	google.protobuf.Timestamp		Audit updated time.
status	string		Domain status. See ICANN EPP Status Codes for meanings of possible values.
registrant	User		Parsed contact information for the registrant of the domain.
admin	User		Parsed contact information for the administrative contact for the domain.
tech	User		Parsed contact information for the technical contact for the domain
billing	User		Parsed contact information for the billing contact of the domain.
zone	User		Parsed contact information for the zone.
whois_record_raw_text	bytes		WHOIS raw text.
registry_data_raw_text	bytes		Registry Data raw text.
iana_registrar_id	int32		IANA Registrar ID. See IANA Registrar IDs.
private_registration	bool		Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.
categories	string	repeated	Categories assign to the domain as retrieved from VirusTotal.
favicon	Favicon		Includes difference hash and MD5 hash of the domain's favicon.
jarm	string		Domain's JARM hash.
last_dns_records	DNSRecord	repeated	Domain's DNS records from the last scan.
last_dns_records_time	google.protobuf.Timestamp		Date when the DNS records list was retrieved by VirusTotal.
last_https_certificate	SSLCertificate		SSL certificate object retrieved last time the domain was analyzed.
last_https_certificate_time	google.protobuf.Timestamp		When the certificate was retrieved by VirusTotal.
popularity_ranks	PopularityRank	repeated	Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc
tags	string	repeated	List of representative attributes.
whois_time	google.protobuf.Timestamp		Date of the last update of the WHOIS record.

DoubleSequence

DoubleSequence represents a sequence of doubles.

Field Name	Type	Label	Description
double_vals	double	repeated	double sequence.

Email

Email info.

Field Name	Type	Label	Description
from	string		The `from` address.
reply_to	string		The `reply to` address.
to	string	repeated	A list of `to` addresses.
cc	string	repeated	A list of `cc` addresses.
bcc	string	repeated	A list of `bcc` addresses.
mail_id	string		The mail (or message) ID.
subject	string	repeated	The subject line(s) of the email.
bounce_address	string		The envelope from address. Wikipedia: Bounce address

ExifInfo

Exif information.

Field Name	Type	Description
original_file	string	original file name.
product	string	product name.
company	string	company name.
file_description	string	description of a file.
entry_point	int64	entry point.
compilation_time	google.protobuf.Timestamp	Compilation time.

Favicon

Difference hash and MD5 hash of the domain's favicon.

Field Name	Type	Label	Description
raw_md5	string		Favicon's MD5 hash.
dhash	string		Difference hash.

File

Information about a file.

Field Name	Type	Label	Description
sha256	string		The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
md5	string		The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
sha1	string		The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
size	uint64		The size of the file in bytes.
full_path	string		The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities.
mime_type	string		The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script".
file_metadata	FileMetadata		Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File.
security_result	SecurityResult		Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata.
pe_file	FileMetadataPE		Metadata about the Portable Executable (PE) file.
ssdeep	string		Ssdeep of the file
vhash	string		Vhash of the file.
ahash	string		Deprecated. Use authentihash instead.
authentihash	string		Authentihash of the file.
symhash	string		SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table.
prefetch_file_metadata	PrefetchFileMetadata		Metadata about the prefetch file.
file_type	File.FileType (Enumerated list)		FileType field.
capabilities_tags	string	repeated	Capabilities tags.
names	string	repeated	Names fields.
tags	string	repeated	Tags for the file.
last_modification_time	google.protobuf.Timestamp		Timestamp when the file was last updated.
create_time	google.protobuf.Timestamp		Timestamp when the file was created.
last_access_time	google.protobuf.Timestamp		Timestamp when the file was accessed.
prevalence	Prevalence		Prevalence of the file hash in the customer's environment.
first_seen_time	google.protobuf.Timestamp		Timestamp the file was first seen in the customer's environment.
last_seen_time	google.protobuf.Timestamp		Timestamp the file was last seen in the customer's environment.
stat_mode	uint64		The mode of the file. A bit string indicating the permissions and privileges of the file.
stat_inode	uint64		The file identifier. Unique identifier of object within a file system.
stat_dev	uint64		The file system identifier to which the object belongs.
stat_nlink	uint64		Number of links to file.
stat_flags	uint32		User defined flags for file.
last_analysis_time	google.protobuf.Timestamp		Timestamp the file was last analysed.
embedded_urls	string	repeated	Embedded urls found in the file.
embedded_domains	string	repeated	Embedded domains found in the file.
embedded_ips	string	repeated	Embedded IP addresses found in the file.
exif_info	ExifInfo		Exif metadata from different file formats extracted by exiftool.
signature_info	SignatureInfo		File signature information extracted from different tools.
pdf_info	PDFInfo		Information about the PDF file structure.
first_submission_time	google.protobuf.Timestamp		First submission time of the file.
last_submission_time	google.protobuf.Timestamp		Last submission time of the file.
main_icon	Favicon		Icon's relevant hashes.
ntfs	NtfsFileMetadata		NTFS metadata.
app_compat_cache	AppCompatMetadata		Windows AppCompatCache (Application Compatibility) metadata.

FileMetadata

Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type.

Field Name	Type	Label	Description
pe	PeFileMetadata		Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto.

FileMetadataCodesign

File metadata from the codesign utility.

Field Name	Type	Description
id	string	Code sign identifier.
format	string	Code sign format.
compilation_time	google.protobuf.Timestamp	Code sign timestamp
team_id	string	The assigned team identifier of the developer who signed the application.

FileMetadataImports

File metadata imports.

Field Name	Type	Label	Description
library	string		Library field.
functions	string	repeated	Function field.

FileMetadataPE

Metadata about the Portable Executable (PE) file.

Field Name	Type	Label	Description
imphash	string		Imphash of the file.
entry_point	int64		info.pe-entry-point.
entry_point_exiftool	int64		info.exiftool.EntryPoint.
compilation_time	google.protobuf.Timestamp		info.pe-timestamp.
compilation_exiftool_time	google.protobuf.Timestamp		info.exiftool.TimeStamp.
section	FileMetadataSection	repeated	FilemetadataSection fields.
imports	FileMetadataImports	repeated	FilemetadataImports fields.
resource	FileMetadataPeResourceInfo	repeated	FilemetadataPeResourceInfo fields.
resources_type_count	StringToInt64MapEntry	repeated	Deprecated: use resources_type_count_str.
resources_language_count	StringToInt64MapEntry	repeated	Deprecated: use resources_language_count_str.
resources_type_count_str	Label	repeated	Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5
resources_language_count_str	Label	repeated	Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10
signature_info	FileMetadataSignatureInfo		FilemetadataSignatureInfo field. deprecated, user File.signature_info instead.

FileMetadataPeResourceInfo

File metadata for PE resource.

Field Name	Type	Description
sha256_hex	string	SHA256_hex field..
filetype_magic	string	Type of resource content, as identified by the magic Python module.
language_code	string	Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: \| Language \| Sublanguage \| Field value \| \| LANG_NEUTRAL \| SUBLANG_NEUTRAL \| NEUTRAL \| \| LANG_FRENCH \| - \| FRENCH \| \| LANG_ENGLISH \| SUBLANG_ENGLISH US \| ENGLISH US \|
entropy	double	Entropy of the resource.
file_type	string	File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

FileMetadataSection

File metadata section.

Field Name	Type	Description
name	string	Name of the section.
entropy	double	Entropy of the section.
raw_size_bytes	int64	Raw file size in bytes.
virtual_size_bytes	int64	Virtual file size in bytes.
md5_hex	string	MD5 hex of the file.

FileMetadataSignatureInfo

Signature information.

Field Name	Type	Label	Description
verification_message	string		Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.
verified	bool		True if verification_message == "Signed"
signer	string	repeated	Deprecated: use signers field.
signers	SignerInfo	repeated	File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority.
x509	X509	repeated	List of certificates.

FindingVariable

A structure that holds the value and associated metadata for values extracted while producing a Finding.

Field Name	Type	Description
type	FindingVariable.Type (Enumerated list)	The type of the variable.
value	string	The value in string form.
source_path	string	The UDM field path for the field which this value was derived from. Example: `principal.user.username`
bool_val	bool	The value in boolean format.
bytes_val	bytes	The value in bytes format.
double_val	double	The value in double format.
int64_val	int64	The value in int64 format.
uint64_val	uint64	The value in uint64 format.
string_val	string	The value in string format. Enum values are returned as strings.
timestamp_time	google.protobuf.Timestamp	The value in timestamp format.
null_val	bool	Whether the value is null.
bool_seq	BoolSequence	The value in boolsequence format.
bytes_seq	BytesSequence	The value in bytessequence format.
double_seq	DoubleSequence	The value in doublesequence format.
int64_seq	Int64Sequence	The value in int64sequence format.
uint64_seq	Uint64Sequence	The value in uint64sequence format.
string_seq	StringSequence	The value in stringsequence format.

Ftp

FTP info.

Field Name	Type	Label	Description
command	string		The FTP command.

Group

Information about an organizational group.

Field name	Type	Label	Description
product_object_id	string		Product globally unique user object identifier, such as an LDAP Object Identifier.
creation_time	google.protobuf.Timestamp		Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.
group_display_name	string		Group display name. e.g. "Finance".
attribute	Attribute (Enumerated list)		Generic entity metadata attributes of the group.
email_addresses	string	repeated	Email addresses of the group.
windows_sid	string		Microsoft Windows SID of the group.

GroupedFields

Grouped fields are aliases for groups of related UDM fields. All fields grouped together are of type string.

Field name	Type	Label	Description
ip	string	repeated	IP addresses.
domain	string	repeated	Domains.
hostname	string	repeated	Hostnames.
user	string	repeated	Users.
email	string	repeated	Emails.
file_path	string	repeated	File paths.
hash	string	repeated	File Hashes.
process_id	string	repeated	Process Identifiers.

Hardware

Hardware specification details for a resource, including both physical and virtual hardware.

Field name	Type	Description
serial_number	string	Hardware serial number.
manufacturer	string	Hardware manufacturer.
model	string	Hardware model.
cpu_platform	string	Platform of the hardware CPU (e.g. "Intel Broadwell").
cpu_model	string	Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").
cpu_clock_speed	uint64	Clock speed of the hardware CPU in MHz.
cpu_max_clock_speed	uint64	Maximum possible clock speed of the hardware CPU in MHz.
cpu_number_cores	uint64	Number of CPU cores.
ram	uint64	Amount of the hardware random access memory (RAM) in Mb.

Http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".

Field name	Type	Description
method	string	The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").
referral_url	string	The URL for the HTTP referer.
user_agent	string	The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
response_code	int32	The response status code, for example 200, 302, 404, or 500.
parsed_user_agent		The parsed user_agent string.

Int64Sequence

Int64Sequence represents a sequence of int64s.

Field name	Type	Label	Description
int64_vals	int64	repeated	int64 sequence.

Investigation

Represents the aggregated state of an investigation such as categorization,

severity, and status. Can be expanded to include analyst assignment details and more.

Field Name	Type	Label	Description
verdict	Verdict (Enumerated list)	optional	Describes reason a finding investigation was resolved.
reputation	Reputation (Enumerated list)	optional	Describes whether a finding was useful or not-useful.
severity_score	uint32	optional	Severity score for a finding set by an analyst.
status	Status (Enumerated list)	optional	Describes the workflow status of a finding.
comments	string	repeated	Comment added by the Analyst.
priority	Priority (Enumerated list)	optional	Priority of the Alert or Finding set by analyst.
root_cause	string	optional	Root cause of the Alert or Finding set by analyst.
reason	Reason (Enumerated list)	optional	Reason for closing the Case or Alert.
risk_score	uint32	optional	Risk score for a finding set by an analyst.
id	string	optional	Identifier for the investigation

Label

Key value labels.

Field name	Type	Description
key	string	The key.
value	string	The value.
source	string	Where the label is derived from.
rbac_enabled	bool	Indicates whether this label can be used for Data RBAC

LinuxUtmp

The LinuxUtmp extension captures details specific to Linux Utmp events.

Field name	Type	Label	Description
record_type	LinuxUtmp.RecordType (Enumerated list)		The activity record type.

Location

Information about a location.

Field Name	Type	Description
city	string	The city.
state	string	The state.
country_or_region	string	The country or region.
name	string	Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
desk_name	string	Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
floor_name	string	Floor name, number or a combination of the two for a building. (e.g. "1-A").
region_latitude	float	Deprecated: use region_coordinates.
region_longitude	float	Deprecated: use region_coordinates.
region_coordinates	google.type.LatLng	Coordinates for the associated region. See google.type.LatLng for a description of the fields.

NtfsFileMetadata

NTFS-specific file metadata.

Field Name	Type	Label	Description
change_time	google.protobuf.Timestamp		NTFS MFT entry changed timestamp.
filename_create_time	google.protobuf.Timestamp		NTFS $FILE_NAME attribute created timestamp.
filename_modify_time	google.protobuf.Timestamp		NTFS $FILE_NAME attribute modified timestamp.
filename_access_time	google.protobuf.Timestamp		NTFS $FILE_NAME attribute accessed timestamp.
filename_change_time	google.protobuf.Timestamp		NTFS $FILE_NAME attribute changed timestamp.
usn_journal	UsnJournal	repeated	NTFS USN journal.

OutlookMetadata

Microsoft Outlook specific metadata.

Field Name	Type	Description
comment	string	A user-defined comment or note associated with the Outlook item.
template	string	The name of the template file used to create the Outlook item.
title	string	The title of the Outlook item.
security_flags_count	int32	Count of Security-related flags for the message, such as encryption or signing status.

PDFInfo

Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info

Field name	Type	Description
js	int64	Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios.
javascript	int64	Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios.
launch_action_count	int64	Number of /Launch tags found in the PDF file.
object_stream_count	int64	Number of object streams.
endobj_count	int64	Number of object definitions (endobj keyword).
header	string	PDF version.
acroform	int64	Number of /AcroForm tags found in the PDF.
autoaction	int64	Number of /AA tags found in the PDF.
embedded_file	int64	Number of /EmbeddedFile tags found in the PDF.
encrypted	int64	Whether the document is encrypted or not. This is defined by the /Encrypt tag.
flash	int64	Number of /RichMedia tags found in the PDF.
jbig2_compression	int64	Number of /JBIG2Decode tags found in the PDF.
obj_count	int64	Number of objects definitions (obj keyword).
endstream_count	int64	Number of defined stream objects (stream keyword).
page_count	int64	Number of pages in the PDF.
stream_count	int64	Number of defined stream objects (stream keyword).
openaction	int64	Number of /OpenAction tags found in the PDF.
startxref	int64	Number of startxref keywords in the PDF.
suspicious_colors	int64	Number of colors expressed with more than 3 bytes (CVE-2009-3459).
trailer	int64	Number of trailer keywords in the PDF.
xfa	int64	Number of \XFA tags found in the PDF.
xref	int64	Number of xref keywords in the PDF.

PeFileMetadata

Metadata about a Microsoft Windows Portable Executable.

Field Name	Type	Label	Description
import_hash	string		Hash of PE imports.

Permission

System permission for resource access and modification.

Field Name	Type	Description
name	string	Name of the permission (e.g. chronicle.analyst.updateRule).
description	string	Description of the permission (e.g. `Ability to update detect rules`).
type	Permission.PermissionType (Enumerated list)	Type of the permission.

PlatformSoftware

Platform software information about an operating system.

Field Name	Type	Description
platform	Noun.Platform (Enumerated list)	The platform operating system.
platform_version	string	The platform software version ( e.g. "Microsoft Windows 1803").
platform_patch_level	string	The platform software patch level ( e.g. "Build 17134.48", "SP1").

PopularityRank

Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.

Field Name	Type	Description
giver	string	Name of the rank serial number hexdump.
rank	int64	Rank position.
ingestion_time	google.protobuf.Timestamp	Timestamp when the rank was ingested.

PrefetchFileMetadata

Windows Prefetch file metadata.

Field name	Type	Label	Description
run_count	int64		The number of times the application has been run.
prefetch_hash	string		A hash of the executable path used to identify the prefetch file.

Prevalence

The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource.

Field Name	Type	Description
rolling_max	int32	The maximum number of assets per day accessing the resource over the trailing day_count days.
day_count	int32	The number of days over which rolling_max is calculated.
rolling_max_sub_domains	int32	The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.
day_max	int32	The max prevalence score in a day interval window.
day_max_sub_domains	int32	The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.

Process

Information about a process.

Field name	Type	Label	Description
pid	string		The process ID. This field can be used as an entity indicator for process entities.
parent_pid	string		The ID of the parent process. Deprecated: use parent_process.pid instead.
parent_process	Process		Information about the parent process.
file	File		Information about the file in use by the process.
command_line	string		The command line command that created the process. This field can be used as an entity indicator for process entities.
command_line_history	string	repeated	The command line history of the process.
product_specific_process_id	string		A product specific process id.
access_mask	uint64		A bit mask representing the level of access.
integrity_level_rid	uint64		The Microsoft Windows integrity level relative ID (RID) of the process.
euid	string		The effective user ID of the process.
ruid	string		The real user ID of the process.
egid	string		The effective group ID of the process.
rgid	string		The real group ID of the process.
pgid	string		The identifier that points to the process group ID leader.
session_leader_pid	string		The process ID of the session leader process.
tty	string		The teletype terminal which the command was executed within.
token_elevation_type	Process.TokenElevationType (Enumerated list)		The elevation type of the process on Microsoft Windows. This type determines whether any privileges are removed when you enable User Account Control (UAC).
product_specific_parent_process_id	string		A product-specific ID for the parent process. Use `parent_process.product_specific_process_id` instead.
ipv6	bool		Whether the process is an IPv6 process.
kernel_duration	Int64		The kernel time spent in the process.
user_duration	Int64		The user time spent in the process.
real_duration	Int64		The real time spent in the process. This is the sum of the kernel and user time.
state	Process.State (Enumerated list)		The state of the process.

ProxyInfo

Proxy information.

Field name	Type	Description
anonymous	bool	Whether the IP address is anonymous.
anonymous_vpn	bool	Whether the IP address is an anonymous VPN.
public_proxy	bool	Whether the IP address is a public proxy.
tor_exit_node	bool	Whether the IP address is a tor exit node.
smart_dns_proxy	bool	Whether the IP address is a smart DNS proxy.
hosting_provider	bool	Whether the IP address is a hosting provider.
vpn_datacenter	bool	Whether the IP address is a VPN datacenter.
residential_proxy	bool	Whether the IP address is a residential proxy.
vpn_service_name	string	The name of the VPN service.
proxy_over_vpn	bool	Whether the IP address is a proxy over VPN.
relay_proxy	bool	Whether the IP address is a relay proxy.

Registry

Information about a registry key or value.

Field Name	Type	Description
registry_key	string	Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).
registry_value_name	string	Name of the registry value associated with an application or system component (e.g. TEMP).
registry_value_data	string	Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).
registry_value_type	Registry.Type (Enumerated list)	Type of the registry value.
registry_value_binary_data	bytes	Binary data associated with a registry value. This field is only populated if the registry value type is BINARY. This field is not populated for other registry value types.

Resource

Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar.

Field Name	Type	Description
type	string	Deprecated: use resource_type instead.
resource_type	Resource.ResourceType (Enumerated list)	Resource type.
resource_subtype	string	Resource sub-type (e.g. "BigQuery", "Bigtable").
id	string	Deprecated: Use resource.name or resource.product_object_id.
name	string	The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe.
parent	string	The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name.
product_object_id	string	A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity.
attribute	Attribute (Enumerated list)	Generic entity metadata attributes of the resource.
scheduled_task	ScheduledTask	DEPRECATED: use windows_scheduled_task for Windows scheduled tasks or scheduled_cron_task for cron jobs. Information about a scheduled task associated with the resource.
scheduled_cron_task	ScheduledCronTask	Information about a scheduled cron task associated with the resource.
scheduled_anacron_task	ScheduledAnacronTask	Information about a scheduled anacron task associated with the resource.
windows_scheduled_task	WindowsScheduledTask	Information about a Windows scheduled task associated with the resource.
volume	Volume	Information about a storage volume associated with the resource.
service	Service	Information about a Windows service associated with the resource.

ResourceUsage

The ResourceUsage extension captures details about what is using a resource.

Field Name	Type	Label	Description
used_entity	string		The name of the entity (e.g., process, user) that is using the resource.
used_entity_id	string		A numerical identifier for the entity using the resource (e.g., PID, UID).

Role

System role for resource access and modification.

Field Name	Type	Description
name	string	System role name for user.
description	string	System role description for user.
type	Role.Type (Enumerated list)	System role type for well known roles.

SSLCertificate

SSL certificate.

Field Name	Type	Description
cert_signature	SSLCertificate.CertSignature	Certificate's signature and algorithm.
extension	SSLCertificate.Extension	(DEPRECATED) certificate's extension.
cert_extensions	google.protobuf.Struct	Certificate's extensions.
first_seen_time	google.protobuf.Timestamp	Date the certificate was first retrieved by VirusTotal.
issuer	SSLCertificate.Subject	Certificate's issuer data.
ec	SSLCertificate.EC	EC public key information.
serial_number	string	Certificate's serial number hexdump.
signature_algorithm	string	Algorithm used for the signature (for example, "sha1RSA").
size	int64	Certificate content length.
subject	SSLCertificate.Subject	Certificate's subject data.
thumbprint	string	Certificate's content SHA1 hash.
thumbprint_sha256	string	Certificate's content SHA256 hash.
validity	SSLCertificate.Validity	Certificate's validity period.
version	string	Certificate version (typically "V1", "V2" or "V3").
public_key	SSLCertificate.PublicKey	Public key information.

SSLCertificate.AuthorityKeyId

Identifies the public key to be used to verify the signature on this certificate or CRL.

Field Name	Type	Label	Description
keyid	string		Key hexdump.
serial_number	string		Serial number hexdump.

SSLCertificate.CertSignature

Certificate's signature and algorithm.

Field Name	Type	Label	Description
signature	string		Signature.
signature_algorithm	string		Algorithm.

SSLCertificate.DSA

DSA public key information.

Field Name	Type	Description
p	string	p component hexdump.
q	string	q component hexdump.
g	string	g component hexdump.
pub	string	Public key hexdump.

SSLCertificate.EC

EC public key information.

Field Name	Type	Label	Description
oid	string		Curve name.
pub	string		Public key hexdump.

SSLCertificate.Extension

Certificate's extensions.

Field Name	Type	Description
ca	bool	Whether the subject acts as a certificate authority (CA) or not.
subject_key_id	string	Identifies the public key being certified.
authority_key_id	SSLCertificate.AuthorityKeyId	Identifies the public key to be used to verify the signature on this certificate or CRL.
key_usage	string	The purpose for which the certified public key is used.
ca_info_access	string	Authority information access locations are URLs that are added to a certificate in its authority information access extension.
crl_distribution_points	string	CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked.
extended_key_usage	string	One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field.
subject_alternative_name	string	Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key.
certificate_policies	string	Different certificate policies will relate to different applications which may use the certified key.
netscape_cert_comment	string	Used to include free-form text comments inside certificates.
cert_template_name_dc	string	BMP data value "DomainController". See MS Q291010.
netscape_certificate	bool	Identify whether the certificate subject is an SSL client, an SSL server, or a CA.
pe_logotype	bool	Whether the certificate includes a logotype.
old_authority_key_id	bool	Whether the certificate has an old authority key identifier extension.

SSLCertificate.PublicKey

Subject public key info.

Field Name	Type	Label	Description
algorithm	string		Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate.
rsa	SSLCertificate.RSA		RSA public key information.

SSLCertificate.RSA

RSA public key information.

Field Name	Type	Description
key_size	int64	Key size.
modulus	string	Key modulus hexdump.
exponent	string	Key exponent hexdump.

SSLCertificate.Subject

Subject data.

Field Name	Type	Description
country_name	string	C: Country name.
common_name	string	CN: CommonName.
locality	string	L: Locality.
organization	string	O: Organization.
organizational_unit	string	OU: OrganizationalUnit.
state_or_province_name	string	ST: StateOrProvinceName.

SSLCertificate.Validity

Defines certificate's validity period.

Field Name	Type	Label	Description
expiry_time	google.protobuf.Timestamp		Expiry date.
issue_time	google.protobuf.Timestamp		Issue date.

ScheduledAnacronTask

Information about a scheduled anacron task.

Field Name	Type	Description
period	string	Anacrontab period field. Value is an integer in days, or a string like "@daily", "@weekly", or "@monthly".
delay_minutes	int64	The delay in minutes before the job is run.
job_id	string	The unique identifier of the job.
path	string	The PATH environment variable defined in the anacrontab file.
source_line	string	The original source line from the anacrontab file.

ScheduledCronTask

Information about a scheduled cron task.

Field Name	Type	Description
minute	string	Crontab minute field. Value is an integer between 0 and 59 and can also be a range or list of values (e.g., "0-59", "0-59/5", "0,15,30,45") and it // can also be an asterisk (*) to indicate first-last minutes. For more information on the format, see the crontab(5) man page.
hour	string	Crontab hour field. Value is an integer between 0 and 23, a range or list of values (e.g., "0-6", "/2", "1,2"), or an asterisk () to indicate first-last hours.
month_day	string	Crontab day of month field. Value is an integer between 1 and 31, a range or list of values (e.g., "1-7", "1-31/7", "1,15"), or an asterisk (*) to indicate first-last days of month.
month	string	Crontab month field. Value is an integer between 1 and 12 or a 3-letter name (e.g., "Jan"), a range or list of values (e.g., "1-3", "/2", "1,6"), or an asterisk () to indicate first-last months.
week_day	string	Crontab day of week field. Value is an integer between 0 and 7 (0 or 7 is Sunday) or a 3-letter name (e.g., "Fri"), a range or list of values (e.g., "1-5", "0,6"), or an asterisk (*) to indicate first-last days of week.
comment	string	A comment or description for the task.
author	string	The author or creator of the task.
event	string	Crontab special string or event (e.g., "@reboot", "@daily").
path	string	The PATH environment variable defined in the crontab file.

ScheduledTask

Deprecated: use WindowsScheduledTask for Windows scheduled tasks or ScheduledCronTask for cron jobs.

Information about a scheduled task.

Field Name	Type	Description
minute	int32	The minute of the hour (0-59).
hour	int32	The hour of the day (0-23).
month_day	int32	The day of the month (1-31).
month	int32	The month of the year (1-12).
week_day	int32	The day of the week (0-6, Sunday=0).
comment	string	A comment or description for the task.
author	string	The account name that authored or last modified the scheduled task.

SecurityResult.AnalystVerdict

Verdict provided by the human analyst. These fields are used to model Mandiant sources.

Field Name	Type	Description
confidence_score	int32	Confidence score of the verdict.
verdict_time	google.protobuf.Timestamp	Timestamp at which the verdict was generated.
verdict_response	SecurityResult.VerdictResponse (Enumerated list)	Details of the verdict.

SecurityResult.Association

Associations represent different metadata about malware and threat actors involved with an IoC.

Field Name	Type	Label	Description
id	string		Unique association id generated by mandiant.
country_code	string	repeated	Country from which the threat actor/ malware is originated.
type	SecurityResult.Association.AssociationType (Enumerated list)		Signifies the type of association.
name	string		Name of the threat actor/malware.
description	string		Human readable description about the association.
role	string		Role of the malware. Not applicable for threat actor.
source_country	string		Name of the country the threat originated from.
alias	SecurityResult.Association.AssociationAlias	repeated	Different aliases of the threat actor given by different sources.
first_reference_time	google.protobuf.Timestamp		First time the threat actor was referenced or seen.
last_reference_time	google.protobuf.Timestamp		Last time the threat actor was referenced or seen.
industries_affected	string	repeated	List of industries the threat actor affects.
associated_actors	SecurityResult.Association	repeated	List of associated threat actors for a malware. Not applicable for threat actors.
region_code	Location		Name of the country, the threat is originating from.
sponsor_region	Location		Sponsor region of the threat actor.
targeted_regions	Location	repeated	Targeted regions.
tags	string	repeated	Tags.

SecurityResult.Association.AssociationAlias

Association Alias used to represent Mandiant Threat Intelligence.

Field Name	Type	Label	Description
name	string		Name of the alias.
company	string		Name of the provider who gave the association's name.

SecurityResult.IoCStats

Information about the threat intelligence source. These fields are used to model Mandiant sources.

Field Name	Type	Description
ioc_stats_type	SecurityResult.IoCStatsType (Enumerated list)	Describes the source of the IoCStat.
first_level_source	string	Name of first level IoC source, for example Mandiant or a third-party.
second_level_source	string	Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph.
benign_count	int32	Count of responses where the IoC was identified as benign.
quality	SecurityResult.ProductConfidence (Enumerated list)	Level of confidence in the IoC mapping extracted from the source.
malicious_count	int32	Count of responses where the IoC was identified as malicious.
response_count	int32	Total number of response from the source.
source_count	int32	Number of sources from which information was extracted.

SecurityResult.ProviderMLVerdict

Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.

Field Name	Type	Label	Description
source_provider	string		Source provider giving the ML verdict.
benign_count	int32		Count of responses where this IoC was marked benign.
malicious_count	int32		Count of responses where this IoC was marked malicious.
confidence_score	int32		Confidence score of the verdict.
mandiant_sources	SecurityResult.Source	repeated	List of mandiant sources from which the verdict was generated.
third_party_sources	SecurityResult.Source	repeated	List of third-party sources from which the verdict was generated.

SecurityResult.Source

Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources.

Field Name	Type	Label	Description
name	string		Name of the IoC source.
benign_count	int32		Count of responses where this IoC was marked benign.
malicious_count	int32		Count of responses where this IoC was marked malicious.
quality	SecurityResult.ProductConfidence (Enumerated list)		Quality of the IoC mapping extracted from the source.
response_count	int32		Total response count from this source.
source_count	int32		Number of sources from which intelligence was extracted.
threat_intelligence_sources	SecurityResult.Source	repeated	Different threat intelligence sources from which IoC info was extracted.

SecurityResult.ThreatCollectionItem

Threat Collection that is either a threat campaign or a threat report.

Field Name	Type	Label	Description
id	string		The ID of the threat collection.
type	SecurityResult.ThreatCollectionType (Enumerated list)		The type of threat collection, for example, campaign.
alt_names	string	repeated	The name of the threat collection.

SecurityResult.VariablesEntry

Field Name	Type	Label	Description
key	string
value	FindingVariable

SecurityResult.Verdict

Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources.

Field Name	Type	Description
source_count	int32	Number of sources from which intelligence was extracted.
response_count	int32	Total response count across all sources.
neighbour_influence	string	Describes the neighbour influence of the verdict.
verdict	SecurityResult.ProviderMLVerdict	ML Verdict provided by sources like Mandiant.
analyst_verdict	SecurityResult.AnalystVerdict	Human analyst verdict provided by sources like Mandiant.

SecurityResult.VerdictInfo

Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources.

Field Name	Type	Label	Description
source_count	int32		Number of sources from which intelligence was extracted.
response_count	int32		Total response count across all sources.
neighbour_influence	string		Describes the near neighbor influence of the verdict.
verdict_type	SecurityResult.VerdictType (Enumerated list)		Type of verdict.
source_provider	string		Source provider giving the machine learning verdict.
benign_count	int32		Count of responses where this IoC was marked as benign.
malicious_count	int32		Count of responses where this IoC was marked as malicious.
confidence_score	int32		Confidence score of the verdict.
ioc_stats	SecurityResult.IoCStats	repeated	List of IoCStats from which the verdict was generated.
verdict_time	google.protobuf.Timestamp		Timestamp when the verdict was generated.
verdict_response	SecurityResult.VerdictResponse (Enumerated list)		Details about the verdict.
global_customer_count	int32		Global customer count over the last 30 days
global_hits_count	int32		Global hit count over the last 30 days.
pwn	bool		Whether one or more Mandiant incident response customers had this indicator in their environment.
category_details	string		Tags related to the verdict.
pwn_first_tagged_time	google.protobuf.Timestamp		The timestamp of the first time a pwn was associated to this entity.

Service

Information about a Windows service.

Field name	Type	Label	Description
display_name	string		The user-friendly display name of the service.
service_type	Service.ServiceType (Enumerated list)		Deprecated: use service_types instead. The type of service.
service_types	Service.ServiceType (Enumerated list)	repeated	The list of service types.
startup_type	Service.StartupType (Enumerated list)		The startup type of the service.
state	Service.State (Enumerated list)		The status of the service.

SignatureInfo

File signature information extracted from different tools.

Field name	Type	Label	Description
sigcheck	FileMetadataSignatureInfo		Signature information extracted from the sigcheck tool.
codesign	FileMetadataCodesign		Signature information extracted from the codesign utility.

SignerInfo

File metadata related to the signer information.

Field name	Type	Label	Description
name	string	optional	Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority.
status	string	optional	It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid.").
valid_usage	string	optional	Indicates which situations the certificate is valid for (e.g. "Code Signing").
cert_issuer	string	optional	Company that issued the certificate.

Smtp

SMTP info. See RFC 2821.

Field name	Type	Label	Description
helo	string		The client's `HELO`/`EHLO` string.
mail_from	string		The client's `MAIL FROM` string.
rcpt_to	string	repeated	The client's `RCPT TO` string(s).
server_response	string	repeated	The server's response(s) to the client.
message_path	string		The message's path (extracted from the headers).
is_webmail	bool		If the message was sent via a webmail client.
is_tls	bool		If the connection switched to TLS.

Software

Information about a software package or application.

Field Name	Type	Label	Description
name	string		The name of the software.
version	string		The version of the software.
permissions	Permission	repeated	System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE"
description	string		The description of the software.
vendor_name	string		The name of the software vendor.

Srum

The Srum extension captures details specific to Windows System Resource Usage Monitor (SRUM) events.

Field Name	Type	Description
id	string	A unique identifier for the SRUM record or the application/user being monitored.
background_bytes_read	int64	The number of bytes read by the application while running in the background.
background_bytes_written	int64	The number of bytes written by the application while running in the background.
background_context_switches	int64	The number of context switches performed by the application's threads while in the background.
background_cycle_count	int64	The amount of CPU cycle time consumed by the application in the background, measured in clock cycles.
background_flushes_count	int64	The number of flush operations performed by the application in the background.
background_read_operations	int64	The number of read operations performed by the application in the background.
background_write_operations	int64	The number of write operations performed by the application in the background.
interface_luid	string	The Locally Unique Identifier (LUID) for the network interface used for data transfer.

StringSequence

StringSequence represents a sequence of string.

Field Name	Type	Label	Description
string_vals	string	repeated	string sequence.

StringToInt64MapEntry

Field Name	Type	Label	Description
key	string	optional	Key field.
value	int64	optional	Value field.

SystemEventDetails

Captures additional details for system-level events.

Field Name	Type	Description
message_type	string	The specific type or category of the message.
sender_image_id	string	An identifier for the image associated with the sender of the message.
subsystem	string	The subsystem or component that generated the event.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM)

system.

Field Name	Type	Label	Description
interval	google.type.Interval		Interval duration of the leave.
description	string		Description of the leave if available (e.g. `Vacation`).

Tls

Transport Layer Security (TLS) information.

Field Name	Type	Description
client	Tls.Client	Certificate information for the client certificate.
server	Tls.Server	Certificate information for the server certificate.
cipher	string	Cipher used during the connection.
curve	string	Elliptical curve used for a given cipher.
version	string	TLS version.
version_protocol	string	Protocol.
established	bool	Indicates whether the TLS negotiation was successful.
next_protocol	string	Protocol to be used for tunnel.
resumed	bool	Indicates whether the TLS connection was resumed from a previous TLS negotiation.

Tls.Client

Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).

Field Name	Type	Label	Description
certificate	Certificate		Client certificate.
ja3	string		JA3 hash from the TLS ClientHello, as a hex-encoded string.
server_name	string		Host name of the server, that the client is connecting to.
supported_ciphers	string	repeated	Ciphers supported by the client during client hello.
ja4	string		JA4 hash from the TLS ClientHello, as a hex-encoded string.

Tls.Server

Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).

Field Name	Type	Description
certificate	Certificate	Server certificate.
ja3s	string	JA3 hash from the TLS ServerHello, as a hex-encoded string.
ja4s	string	JA4 hash from the TLS ServerHello, as a hex-encoded string.

Tracker

URL Tracker.

Field Name	Type	Description
tracker	string	Tracker name.
id	string	Tracker ID, if available.
timestamp	google.protobuf.Timestamp	Tracker ingestion date.
url	string	Tracker script URL.

Tunnels

VPN tunnels.

Field Name	Type	Label	Description
provider	string		The provider of the VPN tunnels being used.
type	string		The type of the VPN tunnels.

Uint64Sequence

Uint64Sequence represents a sequence of uint64s.

Field Name	Type	Label	Description
uint64_vals	uint64	repeated	uint64 sequence.

Url

Url.

Field Name	Type	Label	Description
url	string		URL.
categories	string	repeated	Categorisation done by VirusTotal partners.
favicon	Favicon		Difference hash and MD5 hash of the URL's.
html_meta	google.protobuf.Struct		Meta tags (only for URLs downloading HTML).
last_final_url	string		If the original URL redirects, where does it end.
last_http_response_code	int32		HTTP response code of the last response.
last_http_response_content_length	int64		Length in bytes of the content received.
last_http_response_content_sha256	string		URL response body's SHA256 hash.
last_http_response_cookies	google.protobuf.Struct		Website's cookies.
last_http_response_headers	google.protobuf.Struct		Headers and values of the last HTTP response.
tags	string	repeated	Tags.
title	string		Webpage title.
trackers	Tracker	repeated	Trackers found in the URL in a historical manner.

User

Information about a user.

Field Name	Type	Label	Description
product_object_id	string		A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities.
userid	string		The ID of the user. This field can be used as an entity indicator for user entities.
user_display_name	string		The display name of the user (e.g. "John Locke").
first_name	string		First name of the user (e.g. "John").
middle_name	string		Middle name of the user.
last_name	string		Last name of the user (e.g. "Locke").
phone_numbers	string	repeated	Phone numbers for the user.
personal_address	Location		Personal address of the user.
attribute	Attribute (Enumerated list)		Generic entity metadata attributes of the user.
first_seen_time	google.protobuf.Timestamp		The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
account_type	User.AccountType (Enumerated list)		Type of user account (for example, service, domain, or cloud). This is somewhat aligned to MITRE ATT&CK T1078 (Valid Accounts).
groupid	string		The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field.
group_identifiers	string	repeated	Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
windows_sid	string		The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities.
email_addresses	string	repeated	Email addresses of the user. This field can be used as an entity indicator for user entities.
employee_id	string		Human capital management identifier. This field can be used as an entity indicator for user entities.
title	string		User job title.
company_name	string		User job company name.
department	string	repeated	User job department
office_address	Location		User job office location.
managers	User	repeated	User job manager(s).
hire_date	google.protobuf.Timestamp		User job employment hire date.
termination_date	google.protobuf.Timestamp		User job employment termination date.
time_off	TimeOff	repeated	User time off leaves from active work.
last_login_time	google.protobuf.Timestamp		User last login timestamp.
last_password_change_time	google.protobuf.Timestamp		User last password change timestamp.
password_expiration_time	google.protobuf.Timestamp		User password expiration timestamp.
account_expiration_time	google.protobuf.Timestamp		User account expiration timestamp.
account_lockout_time	google.protobuf.Timestamp		User account lockout timestamp.
last_bad_password_attempt_time	google.protobuf.Timestamp		User last bad password attempt timestamp.
user_authentication_status	Authentication.AuthenticationStatus (Enumerated list)		System authentication status for user.
role_name	string		System role name for user. Deprecated: use attribute.roles.
role_description	string		System role description for user. Deprecated: use attribute.roles.
user_role	User.Role (Enumerated list)		System role for user. Deprecated: use attribute.roles.

UserAssist

The UserAssist extension captures details specific to Windows User Assist events.

Field Name	Type	Description
application_focus_count	int64	The number of times the application associated with the entry gained focus.
application_focus_duration	Int64	The total duration the application associated with the entry was in focus.
executions_count	int64	The number of times the application associated with the entry has been executed.
entry_index	int64	The index or identifier of the user assist entry, unique per user.

UsnJournal

Information from the NTFS USN Journal.

Field Name	Type	Label	Description
attributes_flag	string		File attributes flags from the USN record (e.g., "0x20").
attributes	UsnJournal.Attribute (Enumerated list)		Deprecated: Use file_attributes instead. File attributes from the USN record.
file_attributes	UsnJournal.Attribute (Enumerated list)	repeated	File attributes from the USN record.
allocated	bool		Indicates whether the file is allocated in the Master File Table (MFT).
reason	UsnJournal.Reason (Enumerated list)		Deprecated: Use reasons instead. Human-readable string describing the reason for the USN journal entry. (e.g., "USN_REASON_FILE_CREATE").
reasons	UsnJournal.Reason (Enumerated list)	repeated	Human-readable string describing the reasons for the USN journal entry (e.g., "USN_REASON_FILE_CREATE").

Volume

Information about a storage volume.

Field Name	Type	Description
file_system	string	The name of the file system on the volume (e.g., "NTFS", "FAT32").
mount_point	string	The path where the volume is mounted (e.g., "C:", "/mnt/data").
device_path	string	The system path to the device (e.g., "\\.\HarddiskVolume1", "/dev/sda1").
is_mounted	bool	Indicates whether the volume is currently mounted.
is_read_only	bool	Indicates whether the volume is mounted as read-only.
name	string	The user-assigned label or name for the volume.

Vulnerabilities

The Vulnerabilities extension captures details on observed/detected vulnerabilities.

Field Name	Type	Label	Description
vulnerabilities	Vulnerability	repeated	A list of vulnerabilities.

Vulnerability

A vulnerability.

Field Name	Type	Description
about	Noun	If the vulnerability is about a specific noun (e.g. executable), then add it here.
name	string	Name of the vulnerability (e.g. "Unsupported OS Version detected").
description	string	Description of the vulnerability.
vendor	string	Vendor of scan that discovered vulnerability.
scan_start_time	google.protobuf.Timestamp	If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.
scan_end_time	google.protobuf.Timestamp	If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.
first_found	google.protobuf.Timestamp	Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
last_found	google.protobuf.Timestamp	Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
severity	Vulnerability.Severity (Enumerated list)	The severity of the vulnerability.
severity_details	string	Vendor-specific severity
cvss_base_score	float	CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.
cvss_vector	string	Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via the NVD CVSS v2 Calculator.>
cvss_version	string	Version of CVSS Vector/Score.
cve_id	string	Common Vulnerabilities and Exposures Id. Wikipedia: Common Vulnerabilities and Exposures and What is a CVE ID?
cve_description	string	Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
vendor_vulnerability_id	string	Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
vendor_knowledge_base_article_id	string	Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase

WindowsEventLog

The WindowsEventLog extension captures details specific to Windows Event Log events.

Field Name	Type	Description
channel	WindowsEventLog.Channel (Enumerated list)	The channel of the event.
event_id	string	A unique identifier for a specific type of event.
activity_id	string	A GUID (Globally Unique Identifier) used to link a sequence of related events together.

WindowsScheduledTask

Information about a Windows scheduled task.

Field Name	Type	Label	Description
author	string		The account name that authored or last modified the scheduled task.
virtual_path	string		The task's path in the Task Scheduler library.
exit_code	int32		The result which was returned the last time the registered task was run.
state	WindowsScheduledTask.TaskState (Enumerated list)		The operation state of the task.
logon_type	WindowsScheduledTask.TaskLogonType (Enumerated list)		The logon type of the task.
task_actions	WindowsScheduledTask.TaskAction	repeated	The actions of the scheduled task.
task_triggers	WindowsScheduledTask.TaskTrigger	repeated	The triggers of the scheduled task.

WindowsScheduledTask.TaskAction

The task action.

Field Name	Type	Label	Description
action_type	WindowsScheduledTask.TaskAction.ActionType (Enumerated list)		The action type of the task.
exec_arguments	string	repeated	The arguments of the task. This field is only populated if the task action type is EXEC.
exec_working_directory	string		The executable working directory of the task. This field is only populated if the task action type is EXEC.
com_class_id	string		The COM class IF the action is COM handler. This field is only populated if the task action type is COM_HANDLER.
com_data	string		The data of the task. This field is only populated if the task action type is COM_HANDLER.

WindowsScheduledTask.TaskTrigger

The trigger of the scheduled task.

Field Name	Type	Description
enabled	bool	Indicates whether the task trigger is enabled.
duration	Int64	The duration of the task trigger repetition.
interval	string	The interval between each repetition of the task. The format for this string is PDTHMS (for example, "PT5M" is 5 minutes, "PT1H" is 1 hour, and "PT20M" is 20 minutes). The maximum time allowed is 31 days, and the minimum time allowed is 1 minute.
trigger_type	WindowsScheduledTask.TaskTrigger.TriggerType (Enumerated list)	The trigger frequency of the task.

WmiPersistenceItem

Information about a WMI persistence item.

Field Name	Type	Description
caption	string	A brief title or caption for the WMI object.
name	string	The name of the WMI object.
setting_id	string	The identifier for the setting.
derivation	string	The base class from which the WMI class is derived (e.g., CIM_Setting).
property_count	int64	The number of properties in the WMI object.
rel_path	string	The relative path to the WMI object (e.g., Win32_StartupCommand.Command=''').
dynasty	string	The top-level class in the WMI inheritance hierarchy (e.g., CMI_Setting).
wmi_super_class	string	The immediate parent class in the WMI inheritance hierarchy.
wmi_class	string	The name of the WMI class.
genus	int64	An integer representing the type or version of the WMI object.

X509

File certificate.

Field Name	Type	Description
name	string	Certificate name.
algorithm	string	Certificate algorithm.
thumbprint	string	Certificate thumbprint.
cert_issuer	string	Issuer of the certificate.
serial_number	string	Certificate serial number.

Data access fields

DataAccessIngestionLabel

Field Name	Type	Label	Description
key	string		The key.
value	string		The value.

DataAccessLabels

Field Name	Type	Label	Description
log_types	string	repeated	All the LogType labels.
ingestion_labels	string	repeated	All the ingestion labels.
namespaces	string	repeated	All the namespaces.
custom_labels	string	repeated	All the complex labels (UDM search syntax based).
ingestion_kv_labels	DataAccessIngestionLabel	repeated	All the ingestion labels (key/value pairs).
allow_scoped_access	bool		Are the labels ready for scoped access

Event enumerated types

Asset.AssetType

The role type of the asset.

Enum Value	Enum Number	Description
ROLE_UNSPECIFIED	0	Unspecified asset role.
WORKSTATION	1	A workstation or desktop.
LAPTOP	2	A laptop computer.
IOT	3	An IOT asset.
NETWORK_ATTACHED_STORAGE	4	A network attached storage device.
PRINTER	5	A printer.
SCANNER	6	A scanner.
SERVER	7	A server.
TAPE_LIBRARY	8	A tape library device.
MOBILE	9	A mobile device such as a mobile phone or PDA.

Asset.DeploymentStatus

Deployment status states.

Enum Value	Enum Number	Description
DEPLOYMENT_STATUS_UNSPECIFIED	0	Unspecified deployment status.
ACTIVE	1	Asset is active, functional and deployed.
PENDING_DECOMMISSION	2	Asset is pending decommission and no longer deployed.
DECOMMISSIONED	3	Asset is decommissioned.

Authentication.AuthType

Type of system the authentication event is associated with.

Enum Value	Enum Number	Description
AUTHTYPE_UNSPECIFIED	0	The default type.
MACHINE	1	A machine authentication.
SSO	2	An SSO authentication.
VPN	3	A VPN authentication.
PHYSICAL	4	A Physical authentication (e.g. "Badge reader").
TACACS	5	A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+).

Authentication.AuthenticationStatus

Authentication status, can be used to describe the status of authentication for a user or particular credential.

Enum Value	Enum Number	Description
UNKNOWN_AUTHENTICATION_STATUS	0	The default authentication status.
ACTIVE	1	The authentication method is in active state.
SUSPENDED	2	The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS	3	The authentication method has no active credentials.
DELETED	4	The authentication method has been deleted.

Authentication.Mechanism

Mechanism(s) used to authenticate.

Enum Value	Enum Number	Description
MECHANISM_UNSPECIFIED	0	The default mechanism.
USERNAME_PASSWORD	1	Username + password authentication.
OTP	2	OTP authentication.
HARDWARE_KEY	3	Hardware key authentication.
LOCAL	4	Local authentication.
REMOTE	5	Remote authentication.
REMOTE_INTERACTIVE	6	RDP, Terminal Services, or VNC.
MECHANISM_OTHER	7	Some other mechanism that is not defined here.
BADGE_READER	8	Badge reader authentication
NETWORK	9	Network authentication.
BATCH	10	Batch authentication.
SERVICE	11	Service authentication
UNLOCK	12	Direct human-interactive unlock authentication.
NETWORK_CLEAR_TEXT	13	Network clear text authentication.
NEW_CREDENTIALS	14	Authentication with new credentials.
INTERACTIVE	15	Interactive authentication.
CACHED_INTERACTIVE	16	Interactive authentication using cached credentials.
CACHED_REMOTE_INTERACTIVE	17	Cached Remote Interactive authentication using cached credentials.
CACHED_UNLOCK	18	Cached Remote Interactive authentication using cached credentials.
BIOMETRIC	19	Biometric device such as a fingerprint reader.
WEARABLE	20	Wearable such as an Apple Watch.

Authentication.Outcome

The outcome of the authentication event.

Enum Value	Enum Number	Description
OUTCOME_UNSPECIFIED	0	The default outcome.
SUCCESS	1	The authentication was successful.
FAILURE	2	The authentication failed.

Browser.BrowserType

The name of the browser.

Enum Value	Enum Number	Description
BROWSER_TYPE_UNSPECIFIED	0	Default value.
CHROME	1	Chrome.
FIREFOX	2	Firefox.
SAFARI	3	Safari.
INTERNET_EXPLORER	4	Internet Explorer.
EDGE	5	Edge.
OPERA	6	Opera.

Browser.Cookie.CookieSameSite

The SameSite attribute of a cookie.

Enum Value	Enum Number	Description
COOKIE_SAME_SITE_UNSPECIFIED	0	Default value.
STRICT	1	Corresponds to SameSite=Strict.
LAX	2	Corresponds to SameSite=Lax.
NONE	3	Corresponds to SameSite=None.

Browser.UrlVisitType

The type of visit to a URL.

Enum Value	Enum Number	Description
URL_VISIT_TYPE_UNSPECIFIED	0	Default value.
LINK	1	The user clicked a link.
TYPED	2	The user typed a URL.
AUTO_BOOKMARK	3	The user bookmarked the URL.
AUTO_SUBFRAME	4	Loaded in a nested subframe by the parent frame.
MANUAL_SUBFRAME	5	Loaded in a nested subframe by the user.
GENERATED	6	The user clicked on auto generated link in browser address bar.
AUTO_TOPLEVEL	7	The page was loaded through command line or is the starting page.
FORM_SUBMIT	8	The user submitted a form.
RELOAD	9	The user reloaded the page.
KEYWORD	10	The Url was generated by a keyword search configured by user.
KEYWORD_GENERATED	11	Corresponds to a visit generated by a keyword search.
REDIRECT	12	The user was redirected to the URL.

Browser.VisitSource

The source of the visit.

Enum Value	Enum Number	Description
VISIT_SOURCE_UNSPECIFIED	0	Default value.
SYNCED	1	The visit was synced from another device.
BROWSER	2	The visit was from a browser.
EXTENSION	3	The visit was from an extension.
IMPORTED	4	The visit was imported from another browser application.

Cloud.CloudEnvironment

The service provider environment.

Enum Value	Enum Number	Description
UNSPECIFIED_CLOUD_ENVIRONMENT	0	Default.
GOOGLE_CLOUD_PLATFORM	1	Google Cloud Platform.
AMAZON_WEB_SERVICES	2	Amazon Web Services.
MICROSOFT_AZURE	3	Microsoft Azure.

Dhcp.MessageType

DHCP message type. See RFC2131, section 3.1.

Enum Value	Enum Number	Description
UNKNOWN_MESSAGE_TYPE	0	Default message type.
DISCOVER	1	DHCPDISCOVER.
OFFER	2	DHCPOFFER.
REQUEST	3	DHCPREQUEST.
DECLINE	4	DHCPDECLINE.
ACK	5	DHCPACK.
NAK	6	DHCPNAK.
RELEASE	7	DHCPRELEASE.
INFORM	8	DHCPINFORM.
WIN_DELETED	100	Microsoft Windows DHCP "lease deleted".
WIN_EXPIRED	101	Microsoft Windows DHCP "lease expired".

Dhcp.OpCode

BOOTP op code. See RFC951, section 3.

Enum Value	Enum Number	Description
UNKNOWN_OPCODE	0	Default opcode.
BOOTREQUEST	1	Request.
BOOTREPLY	2	Reply.

File.FileType

The file type, for example Microsoft Windows executable.

Enum Value	Enum Number	Description
FILE_TYPE_UNSPECIFIED	0	File type is UNSPECIFIED.
FILE_TYPE_PE_EXE	1	File type is PE_EXE.
FILE_TYPE_PE_DLL	2	Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_MSI	3	File type is MSI.
FILE_TYPE_NE_EXE	10	File type is NE_EXE.
FILE_TYPE_NE_DLL	11	File type is NE_DLL.
FILE_TYPE_DOS_EXE	20	File type is DOS_EXE.
FILE_TYPE_DOS_COM	21	File type is DOS_COM.
FILE_TYPE_COFF	30	File type is COFF.
FILE_TYPE_ELF	31	File type is ELF.
FILE_TYPE_LINUX_KERNEL	32	File type is LINUX_KERNEL.
FILE_TYPE_RPM	33	File type is RPM.
FILE_TYPE_LINUX	34	File type is LINUX.
FILE_TYPE_MACH_O	35	File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE	36	File type is JAVA_BYTECODE.
FILE_TYPE_DMG	37	File type is DMG.
FILE_TYPE_DEB	38	File type is DEB.
FILE_TYPE_PKG	39	File type is PKG.
FILE_TYPE_PYC	40	File type is PYC.
FILE_TYPE_LNK	50	File type is LNK.
FILE_TYPE_DESKTOP_ENTRY	51	File type is DESKTOP_ENTRY.
FILE_TYPE_JPEG	100	File type is JPEG.
FILE_TYPE_TIFF	101	File type is TIFF.
FILE_TYPE_GIF	102	File type is GIF.
FILE_TYPE_PNG	103	File type is PNG.
FILE_TYPE_BMP	104	File type is BMP.
FILE_TYPE_GIMP	105	File type is GIMP.
FILE_TYPE_IN_DESIGN	106	File type is Adobe InDesign.
FILE_TYPE_PSD	107	File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA	108	File type is TARGA.
FILE_TYPE_XWD	109	File type is XWD.
FILE_TYPE_DIB	110	File type is DIB.
FILE_TYPE_JNG	111	File type is JNG.
FILE_TYPE_ICO	112	File type is ICO.
FILE_TYPE_FPX	113	File type is FPX.
FILE_TYPE_EPS	114	File type is EPS.
FILE_TYPE_SVG	115	File type is SVG.
FILE_TYPE_EMF	116	File type is EMF.
FILE_TYPE_WEBP	117	File type is WEBP.
FILE_TYPE_DWG	118	File type is DWG.
FILE_TYPE_DXF	119	File type is DXF.
FILE_TYPE_THREEDS	120	File type is 3DS.
FILE_TYPE_OGG	150	File type is OGG.
FILE_TYPE_FLC	151	File type is FLC.
FILE_TYPE_FLI	152	File type is FLI.
FILE_TYPE_MP3	153	File type is MP3.
FILE_TYPE_FLAC	154	File type is FLAC.
FILE_TYPE_WAV	155	File type is WAV.
FILE_TYPE_MIDI	156	File type is MIDI.
FILE_TYPE_AVI	157	File type is AVI.
FILE_TYPE_MPEG	158	File type is MPEG.
FILE_TYPE_QUICKTIME	159	File type is QUICKTIME.
FILE_TYPE_ASF	160	File type is ASF.
FILE_TYPE_DIVX	161	File type is DIVX.
FILE_TYPE_FLV	162	File type is FLV.
FILE_TYPE_WMA	163	File type is WMA.
FILE_TYPE_WMV	164	File type is WMV.
FILE_TYPE_RM	165	File type is RM. RealMedia type.
FILE_TYPE_MOV	166	File type is MOV.
FILE_TYPE_MP4	167	File type is MP4.
FILE_TYPE_T3GP	168	File type is T3GP.
FILE_TYPE_WEBM	169	File type is WEBM.
FILE_TYPE_MKV	170	File type is MKV.
FILE_TYPE_PDF	200	File type is PDF.
FILE_TYPE_PS	201	File type is PS.
FILE_TYPE_DOC	202	File type is DOC.
FILE_TYPE_DOCX	203	File type is DOCX.
FILE_TYPE_PPT	204	File type is PPT.
FILE_TYPE_PPTX	205	File type is PPTX.
FILE_TYPE_XLS	206	File type is XLS.
FILE_TYPE_XLSX	207	File type is XLSX.
FILE_TYPE_RTF	208	File type is RTF.
FILE_TYPE_PPSX	209	File type is PPSX.
FILE_TYPE_ODP	250	File type is ODP.
FILE_TYPE_ODS	251	File type is ODS.
FILE_TYPE_ODT	252	File type is ODT.
FILE_TYPE_HWP	253	File type is HWP.
FILE_TYPE_GUL	254	File type is GUL.
FILE_TYPE_ODF	255	File type is ODF.
FILE_TYPE_ODG	256	File type is ODG.
FILE_TYPE_ONE_NOTE	257	File type is ONE_NOTE.
FILE_TYPE_OOXML	258	File type is OOXML.
FILE_TYPE_SLK	259	File type is SLK.
FILE_TYPE_EBOOK	260	File type is EBOOK.
FILE_TYPE_LATEX	261	File type is LATEX.
FILE_TYPE_TTF	262	File type is TTF.
FILE_TYPE_EOT	263	File type is EOT.
FILE_TYPE_WOFF	264	File type is WOFF.
FILE_TYPE_CHM	265	File type is CHM.
FILE_TYPE_ZIP	300	File type is ZIP.
FILE_TYPE_GZIP	301	File type is GZIP.
FILE_TYPE_BZIP	302	File type is BZIP.
FILE_TYPE_RZIP	303	File type is RZIP.
FILE_TYPE_DZIP	304	File type is DZIP.
FILE_TYPE_SEVENZIP	305	File type is SEVENZIP.
FILE_TYPE_CAB	306	File type is CAB.
FILE_TYPE_JAR	307	File type is JAR.
FILE_TYPE_RAR	308	File type is RAR.
FILE_TYPE_MSCOMPRESS	309	File type is MSCOMPRESS.
FILE_TYPE_ACE	310	File type is ACE.
FILE_TYPE_ARC	311	File type is ARC.
FILE_TYPE_ARJ	312	File type is ARJ.
FILE_TYPE_ASD	313	File type is ASD.
FILE_TYPE_BLACKHOLE	314	File type is BLACKHOLE.
FILE_TYPE_KGB	315	File type is KGB.
FILE_TYPE_ZLIB	316	File type is ZLIB.
FILE_TYPE_TAR	317	File type is TAR.
FILE_TYPE_ZST	318	File type is ZST.
FILE_TYPE_LZFSE	319	File type is LZFSE.
FILE_TYPE_PYTHON_WHL	320	File type is PYTHON_WHL.
FILE_TYPE_PYTHON_PKG	321	File type is PYTHON_PKG.
FILE_TYPE_MSIX	322	File type is MSIX, new Windows app package format.
FILE_TYPE_TEXT	400	File type is TEXT.
FILE_TYPE_SCRIPT	401	File type is SCRIPT.
FILE_TYPE_PHP	402	File type is PHP.
FILE_TYPE_PYTHON	403	File type is PYTHON.
FILE_TYPE_PERL	404	File type is PERL.
FILE_TYPE_RUBY	405	File type is RUBY.
FILE_TYPE_C	406	File type is C.
FILE_TYPE_CPP	407	File type is CPP.
FILE_TYPE_JAVA	408	File type is JAVA.
FILE_TYPE_SHELLSCRIPT	409	File type is SHELLSCRIPT.
FILE_TYPE_PASCAL	410	File type is PASCAL.
FILE_TYPE_AWK	411	File type is AWK.
FILE_TYPE_DYALOG	412	File type is DYALOG.
FILE_TYPE_FORTRAN	413	File type is FORTRAN.
FILE_TYPE_JAVASCRIPT	414	File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL	415	File type is POWERSHELL.
FILE_TYPE_VBA	416	File type is VBA.
FILE_TYPE_M4	417	File type is M4.
FILE_TYPE_OBJETIVEC	418	File type is OBJETIVEC.
FILE_TYPE_JMOD	419	File type is JMOD.
FILE_TYPE_MAKEFILE	420	File type is MAKEFILE.
FILE_TYPE_INI	421	File type is INI.
FILE_TYPE_CLJ	422	File type is CLJ.
FILE_TYPE_PDB	425	File type is PDB.
FILE_TYPE_SQL	426	File type is SQL.
FILE_TYPE_NEKO	427	File type is NEKO.
FILE_TYPE_WER	428	File type is WER.
FILE_TYPE_GOLANG	429	File type is GOLANG.
FILE_TYPE_M3U	430	File type is M3U.
FILE_TYPE_BAT	431	File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT).
FILE_TYPE_MSC	432	File type is MSC, Microsoft Management Console (MMC).
FILE_TYPE_RDP	433	File type is RDP, Microsoft Remote Desktop Protocol (RDP) file.
FILE_TYPE_SYMBIAN	500	File type is SYMBIAN.
FILE_TYPE_PALMOS	501	File type is PALMOS.
FILE_TYPE_WINCE	502	File type is WINCE.
FILE_TYPE_ANDROID	503	File type is ANDROID.
FILE_TYPE_IPHONE	504	File type is IPHONE.
FILE_TYPE_HTML	600	File type is HTML.
FILE_TYPE_XML	601	File type is XML.
FILE_TYPE_SWF	602	File type is SWF.
FILE_TYPE_FLA	603	File type is FLA.
FILE_TYPE_COOKIE	604	File type is COOKIE.
FILE_TYPE_TORRENT	605	File type is TORRENT.
FILE_TYPE_EMAIL_TYPE	606	File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK	607	File type is OUTLOOK.
FILE_TYPE_SGML	608	File type is SGML.
FILE_TYPE_JSON	609	File type is JSON.
FILE_TYPE_CSV	610	File type is CSV.
FILE_TYPE_HTA	611	File type is HTA (HTML Application).
FILE_TYPE_INTERNET_SHORTCUT	612	File type is MSHTML .url.
FILE_TYPE_CAP	700	File type is CAP.
FILE_TYPE_ISOIMAGE	800	File type is ISOIMAGE.
FILE_TYPE_SQUASHFS	801	File type is SQUASHFS.
FILE_TYPE_VHD	802	File type is VHD.
FILE_TYPE_APPLE	1000	File type is APPLE.
FILE_TYPE_MACINTOSH	1001	File type is MACINTOSH.
FILE_TYPE_APPLESINGLE	1002	File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE	1003	File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS	1004	File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST	1005	File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB	1006	File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT	1007	File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED	1008	File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX	1100	File type is CRX.
FILE_TYPE_XPI	1101	File type is XPI.
FILE_TYPE_ROM	1200	File type is ROM.
FILE_TYPE_IPS	1201	File type is IPS.
FILE_TYPE_PEM	1300	File type is PEM.
FILE_TYPE_PGP	1301	File type is PGP.
FILE_TYPE_CRT	1302	File type is CRT.

FindingVariable.Type

Type options for Finding variables.

Enum Value	Enum Number	Description
TYPE_UNSPECIFIED	0	An unspecified variable type.
MATCH	1	A variable coming from the match conditions.
OUTCOME	2	A variable representing significant data that was found in the detection logic.

LinuxUtmp.RecordType

The type of activity record from the Utmp file.

Enum Value	Enum Number	Description
RECORD_TYPE_UNSPECIFIED	0	The default record type.
RUN_LVL	1	Run-level change.
BOOT_TIME	2	System boot time.
NEW_TIME	3	New time after system clock change.
OLD_TIME	4	Old time before system clock change.
INIT_PROCESS	5	Process spawned by init.
LOGIN_PROCESS	6	Login process.
USER_PROCESS	7	Normal user process (logged-in session).
DEAD_PROCESS	8	Terminated process (session ended).
ACCOUNTING	9	Accounting message.

Metadata.EnrichmentState

An enrichment state.

Enum Value	Enum Number	Description
ENRICHMENT_STATE_UNSPECIFIED	0	Unspecified.
ENRICHED	1	The event has been enriched by Google SecOps.
UNENRICHED	2	The event has not been enriched by Google SecOps.

Metadata.EventTimestampAttribute

Enum representing the type of timestamp that the event_timestamp field represents.

Enum Value	Enum Number	Description
EVENT_TIMESTAMP_ATTRIBUTE_UNSPECIFIED	0	Default event timestamp attribute.
FILE_LAST_ACCESS_TIME	1	Deprecated. Use LAST_ACCESSED instead.
FILE_LAST_MODIFIED_TIME	2	Deprecated. Use LAST_MODIFIED instead.
FILE_METADATA_LAST_CHANGE_TIME	3	Deprecated. Use METADATA_LAST_CHANGED instead.
FILE_CREATION_TIME	4	Deprecated. Use CREATED instead.
COLLECTED_TIME	5	Deprecated. Use COLLECTED instead.
COLLECTED	6	The time when the event was collected by the vendor's local collection infrastructure.
ACCESSED	7	The time when the file was accessed.
CHANGED	8	The time when the file was changed.
CREATED	9	The time when the file was first created.
FILE_NAME_ACCESSED	10	The time when the file name was accessed.
FILE_NAME_CHANGED	11	The time when the file name was changed.
FILE_NAME_CREATED	12	The time when the file name was created.
FILE_NAME_LAST_ACCESSED	13	The time when the file name was last accessed.
FILE_NAME_LAST_MODIFIED	14	The time when the file name was last modified.
FILE_NAME_METADATA_LAST_CHANGED	15	The time when the file name metadata was last changed.
FILE_NAME_MODIFIED	16	The time when the file name was modified.
LAST_ACCESSED	17	The time when the file was last accessed.
LAST_MODIFIED	18	The time when the file was last modified.
METADATA_LAST_CHANGED	19	The time when the file metadata was last changed.
MODIFIED	20	The time when the file was modified.
ADDED	21	Added Timestamp.
BACKED_UP	22	Backed Up Timestamp.
LAST_CONNECTED	23	Last Connected timestamp.
DELETED	24	Deleted Timestamp.
ENDED	25	Ended Timestamp.
EXITED	26	Exited Timestamp.
EXPIRED	27	Expired Timestamp.
FIRST_ACCESSED	28	First Accessed Timestamp.
APPEARED	29	Appeared Timestamp.
INSTALLED	30	Installed Timestamp.
LAST_ACTIVE	31	Last Active Timestamp.
LAST_LOGGED_IN	32	Last Login Timestamp.
LAST_LOGIN_ATTEMPT	33	Last Login Attempt Timestamp.
LAST_PASSWORD_SET	34	Last Password Set Timestamp.
LAST_PRINTED	35	Last Printed Timestamp.
LAST_RESUMED	36	Last Resumed Timestamp.
LAST_EXECUTED	37	Last Executed Timestamp.
LAST_SEEN	38	Last Seen Timestamp.
LAST_SHUTDOWN	39	Last Shutdown Timestamp.
LAST_UPDATED	40	Last Updated Timestamp.
LAST_USED	41	Last Used Timestamp.
LAST_VISITED	42	Last Visited Timestamp.
LINKED	43	Linked Timestamp.
METADATA_MODIFIED	44	Metadata Modified Timestamp.
CONTENT_MODIFIED	45	Modified Timestamp.
PURCHASED	46	Purchased Timestamp.
RECORDED	47	Recorded Timestamp.
REQUEST_RECEIVED	48	Request Received Timestamp.
RESPONSE_SENT	49	Response Sent Timestamp.
SCHEDULED_TO_END	50	Scheduled to End Timestamp.
SCHEDULED_TO_START	51	Scheduled to Start Timestamp.
SENT	52	Sent Timestamp.
STARTED	53	Started Timestamp.
UPDATED	54	Updated Timestamp.
VALIDATED	55	Validated Timestamp.
MOST_RECENT_RUN	56	Most Recent Run Timestamp.
NEXT_RUN	57	Next Run Timestamp.
VISITED	58	Visited Timestamp.
TARGET_CREATED	59	Target Created Timestamp.
VOLUME_CREATED	60	Volume Created Timestamp.
POST_CHECKED	61	Post Checked Timestamp.
SYNCHRONIZED	62	Synchronized Timestamp.
ITEM_CREATED	63	Item Created Timestamp.
ITEM_MODIFIED	64	Item Modified Timestamp.
DOCUMENT_LAST_SAVED	65	Document Last Saved Timestamp.
LAST_REGISTERED	66	Last Registered Timestamp.
LAUNCHED	67	Launched Timestamp.
FIRST_VISITED	68	First Visited Timestamp.
FIRST_SEEN	69	First Seen Timestamp.
DOWNLOADED	70	Downloaded Timestamp.

Metadata.EventType

An event type. Choose event type not based on the product that generated the event but the one that logged the event itself. So, for example, an antivirus (AV)

scanning email on a client would generate an SMTP_PROXY event, not an AV event. A DLP device scanning a web upload would generate an HTTP_PROXY event and not a DLP or process activity event. Note: In the case of a HTTP_PROXY event, you might also include process details if this occurred on an endpoint. That would be optional, but there are a certain set of required fields and banned fields due to its status as an HTTP_PROXY event.

Enum Value	Enum Number	Description
EVENTTYPE_UNSPECIFIED	0	Default event type
PROCESS_UNCATEGORIZED	10000	Activity related to a process which does not match any other event types.
PROCESS_LAUNCH	10001	Process launch.
PROCESS_INJECTION	10002	Process injecting into another process.
PROCESS_PRIVILEGE_ESCALATION	10003	Process privilege escalation.
PROCESS_TERMINATION	10004	Process termination.
PROCESS_OPEN	10005	Process being opened.
PROCESS_MODULE_LOAD	10006	Process loading a module.
REGISTRY_UNCATEGORIZED	11000	Registry event which does not match any of the other event types.
REGISTRY_CREATION	11001	Registry creation.
REGISTRY_MODIFICATION	11002	Registry modification.
REGISTRY_DELETION	11003	Registry deletion.
SETTING_UNCATEGORIZED	12000	Settings-related event which does not match any of the other event types.
SETTING_CREATION	12001	Setting creation.
SETTING_MODIFICATION	12002	Setting modification.
SETTING_DELETION	12003	Setting deletion.
MUTEX_UNCATEGORIZED	13000	Any mutex event other than creation.
MUTEX_CREATION	13001	Mutex creation.
FILE_UNCATEGORIZED	14000	File event which does not match any of the other event types.
FILE_CREATION	14001	File created.
FILE_DELETION	14002	File deleted.
FILE_MODIFICATION	14003	File modified.
FILE_READ	14004	File read.
FILE_COPY	14005	File copied. Used for file copies, for example, to a thumb drive.
FILE_OPEN	14006	File opened.
FILE_MOVE	14007	File moved or renamed.
FILE_SYNC	14008	File synced (for example, Google Drive, Dropbox, backup).
USER_UNCATEGORIZED	15000	User activity which does not match any of the other event types.
USER_LOGIN	15001	User login.
USER_LOGOUT	15002	User logout.
USER_CREATION	15003	User creation.
USER_CHANGE_PASSWORD	15004	User password change event.
USER_CHANGE_PERMISSIONS	15005	Change in user permissions.
USER_STATS	15006	Deprecated. Used to update user info for an LDAP dump.
USER_BADGE_IN	15007	User physically badging into a location.
USER_DELETION	15008	User deletion.
USER_RESOURCE_CREATION	15009	User creating a virtual resource. This is equivalent to RESOURCE_CREATION.
USER_RESOURCE_UPDATE_CONTENT	15010	User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN.
USER_RESOURCE_UPDATE_PERMISSIONS	15011	User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
USER_COMMUNICATION	15012	User initiating communication through a medium (for example, video).
USER_RESOURCE_ACCESS	15013	User accessing a virtual resource. This is equivalent to RESOURCE_READ.
USER_RESOURCE_DELETION	15014	User deleting a virtual resource. This is equivalent to RESOURCE_DELETION.
GROUP_UNCATEGORIZED	23000	A group activity that does not fall into one of the other event types.
GROUP_CREATION	23001	A group creation.
GROUP_DELETION	23002	A group deletion.
GROUP_MODIFICATION	23003	A group modification.
EMAIL_UNCATEGORIZED	19000	Email messages
EMAIL_TRANSACTION	19001	An email transaction.
EMAIL_URL_CLICK	19002	Deprecated: use NETWORK_HTTP instead. An email URL click event.
NETWORK_UNCATEGORIZED	16000	A network event that does not fit into one of the other event types.
NETWORK_FLOW	16001	Aggregated flow stats like netflow.
NETWORK_CONNECTION	16002	Network connection details like from a FW.
NETWORK_FTP	16003	FTP telemetry.
NETWORK_DHCP	16004	DHCP payload.
NETWORK_DNS	16005	DNS payload.
NETWORK_HTTP	16006	HTTP telemetry.
NETWORK_SMTP	16007	SMTP telemetry.
STATUS_UNCATEGORIZED	17000	A status message that does not fit into one of the other event types.
STATUS_HEARTBEAT	17001	Heartbeat indicating product is alive.
STATUS_STARTUP	17002	An agent startup.
STATUS_SHUTDOWN	17003	An agent shutdown.
STATUS_UPDATE	17004	A software or fingerprint update.
SCAN_UNCATEGORIZED	18000	Scan item that does not fit into one of the other event types.
SCAN_FILE	18001	A file scan.
SCAN_PROCESS_BEHAVIORS	18002	Scan process behaviors. Please use SCAN_PROCESS instead.
SCAN_PROCESS	18003	Scan process.
SCAN_HOST	18004	Scan results from scanning an entire host device for threats/sensitive documents.
SCAN_VULN_HOST	18005	Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan).
SCAN_VULN_NETWORK	18006	Vulnerability scan logs about network vulnerabilities.
SCAN_NETWORK	18007	Scan network for suspicious activity
SCHEDULED_TASK_UNCATEGORIZED	20000	Scheduled task event that does not fall into one of the other event types.
SCHEDULED_TASK_CREATION	20001	Scheduled task creation.
SCHEDULED_TASK_DELETION	20002	Scheduled task deletion.
SCHEDULED_TASK_ENABLE	20003	Scheduled task being enabled.
SCHEDULED_TASK_DISABLE	20004	Scheduled task being disabled.
SCHEDULED_TASK_MODIFICATION	20005	Scheduled task being modified.
SYSTEM_AUDIT_LOG_UNCATEGORIZED	21000	A system audit log event that is not a wipe.
SYSTEM_AUDIT_LOG_WIPE	21001	A system audit log wipe.
SERVICE_UNSPECIFIED	22000	Service event that does not fit into one of the other event types.
SERVICE_CREATION	22001	A service creation.
SERVICE_DELETION	22002	A service deletion.
SERVICE_START	22003	A service start.
SERVICE_STOP	22004	A service stop.
SERVICE_MODIFICATION	22005	A service modification.
GENERIC_EVENT	100000	Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs.
RESOURCE_CREATION	1	The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION.
RESOURCE_DELETION	2	The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION.
RESOURCE_PERMISSIONS_CHANGE	3	The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
RESOURCE_READ	4	The resource was read. This is equivalent to USER_RESOURCE_ACCESS.
RESOURCE_WRITTEN	5	The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
DEVICE_FIRMWARE_UPDATE	25000	Firmware update.
DEVICE_CONFIG_UPDATE	25001	Configuration update.
DEVICE_PROGRAM_UPLOAD	25002	A program or application uploaded to a device.
DEVICE_PROGRAM_DOWNLOAD	25003	A program or application downloaded to a device.
ANALYST_UPDATE_VERDICT	24000	Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding.
ANALYST_UPDATE_REPUTATION	24001	Analyst update about the Reputation (such as useful or not useful) of a finding.
ANALYST_UPDATE_SEVERITY_SCORE	24002	Analyst update about the Severity score (0-100) of a finding.
ANALYST_UPDATE_STATUS	24007	Analyst update about the finding status.
ANALYST_ADD_COMMENT	24008	Analyst addition of a comment for a finding.
ANALYST_UPDATE_PRIORITY	24009	Analyst update about the priority (such as low, medium, or high) for a finding.
ANALYST_UPDATE_ROOT_CAUSE	24010	Analyst update about the root cause for a finding.
ANALYST_UPDATE_REASON	24011	Analyst update about the reason (such as malicious or not malicious) for a finding.
ANALYST_UPDATE_RISK_SCORE	24012	Analyst update about the risk score (0-100) of a finding.
ENTITY_RISK_CHANGE	26000	An update to an entity risk score. This event type is restricted to events published by Google Security Operations Risk Analytics.
TRIAGE_AGENT_UPDATE_INVESTIGATION	27000	Triage Agent has investigated the finding.

Network.ApplicationProtocol

A network application protocol.

Enum Value	Enum Number	Description
UNKNOWN_APPLICATION_PROTOCOL	0	The default application protocol.
AFP	1	Apple Filing Protocol.
APPC	2	Advanced Program-to-Program Communication.
AMQP	3	Advanced Message Queuing Protocol.
ATOM	4	Publishing Protocol.
BEEP	5	Block Extensible Exchange Protocol.
BITCOIN	6	Crypto currency protocol.
BIT_TORRENT	7	Peer-to-peer file sharing.
CFDP	8	Coherent File Distribution Protocol.
CIP	67	Common Industrial Protocol.
COAP	9	Constrained Application Protocol.
COTP	68	Connection Oriented Transport Protocol.
DCERPC	66	DCE/RPC.
DDS	10	Data Distribution Service.
DEVICE_NET	11	Automation industry protocol.
DHCP	4000	DHCP.
DICOM	69	Digital Imaging and Communications in Medicine Protocol.
DNP3	70	Distributed Network Protocol 3 (DNP3)
DNS	3000	DNS.
E_DONKEY	12	Classic file sharing protocol.
ENRP	13	Endpoint Handlespace Redundancy Protocol.
FAST_TRACK	14	Filesharing peer-to-peer protocol.
FINGER	15	User Information Protocol.
FREENET	16	Censorship resistant peer-to-peer network.
FTAM	17	File Transfer Access and Management.
GOOSE	71	GOOSE Protocol.
GOPHER	18	Gopher protocol.
GRPC	77	gRPC Remote Procedure Call.
HL7	19	Health Level Seven.
H323	20	Packet-based multimedia communications system.
HTTP	2000	HTTP.
HTTPS	2001	HTTPS.
IEC104	72	IEC 60870-5-104 (IEC 104) Protocol.
IRCP	21	Internet Relay Chat Protocol.
KADEMLIA	22	Peer-to-peer hashtables.
KRB5	65	Kerberos 5.
LDAP	23	Lightweight Directory Access Protocol.
LPD	24	Line Printer Daemon Protocol.
MIME	25	Multipurpose Internet Mail Extensions and Secure MIME.
MMS	73	Multimedia Messaging Service.
MODBUS	26	Serial communications protocol.
MQTT	27	Message Queuing Telemetry Transport.
NETCONF	28	Network Configuration.
NFS	29	Network File System.
NIS	30	Network Information Service.
NNTP	31	Network News Transfer Protocol.
NTCIP	32	National Transportation Communications for Intelligent Transportation System.
NTP	33	Network Time Protocol.
OSCAR	34	AOL Instant Messenger Protocol.
PNRP	35	Peer Name Resolution Protocol.
PTP	74	Precision Time Protocol.
QUIC	1000	QUIC.
RDP	36	Remote Desktop Protocol.
RELP	37	Reliable Event Logging Protocol.
RIP	38	Routing Information Protocol.
RLOGIN	39	Remote Login in UNIX Systems.
RPC	40	Remote Procedure Call.
RTMP	41	Real Time Messaging Protocol.
RTP	42	Real-time Transport Protocol.
RTPS	43	Real Time Publish Subscribe.
RTSP	44	Real Time Streaming Protocol.
SAP	45	Session Announcement Protocol.
SDP	46	Session Description Protocol.
SIP	47	Session Initiation Protocol.
SLP	48	Service Location Protocol.
SMB	49	Server Message Block.
SMTP	50	Simple Mail Transfer Protocol.
SNMP	75	Simple Network Management Protocol.
SNTP	51	Simple Network Time Protocol.
SSH	52	Secure Shell.
SSMS	53	Secure SMS Messaging Protocol.
STYX	54	Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
SV	76	Sampled Values Protocol.
TCAP	55	Transaction Capabilities Application Part.
TDS	56	Tabular Data Stream.
TOR	57	Anonymity network.
TSP	58	Time Stamp Protocol.
VTP	59	Virtual Terminal Protocol.
WHOIS	60	Remote Directory Access Protocol.
WEB_DAV	61	Web Distributed Authoring and Versioning.
X400	62	Message Handling Service Protocol.
X500	63	Directory Access Protocol (DAP).
XMPP	64	Extensible Messaging and Presence Protocol.
FTP	78	File Transfer Protocol.

Network.ConnectionState

The state of a network connection.

Enum Value	Enum Number	Description
CONNECTION_STATE_UNSPECIFIED	0	The default connection state.
LISTENING	1	The port is listening for incoming connections.
ESTABLISHED	2	A connection has been established.
TIME_WAIT	3	The connection is waiting for a timeout.
CLOSE_WAIT	4	The connection is waiting for a connection termination request from the local application.
CLOSED	5	The connection is closed.
SYN_SENT	6	A connection request has been sent.
SYN_RECEIVED	7	A connection request has been received.
FIN_WAIT1	8	The connection is waiting for a connection termination request from the remote host.
FIN_WAIT2	9	The connection is waiting for a connection termination request from the local application.
LAST_ACK	10	The connection is waiting for an acknowledgment of the final connection termination request.

Network.Direction

A network traffic direction.

Enum Value	Enum Number	Description
UNKNOWN_DIRECTION	0	The default direction.
INBOUND	1	An inbound request.
OUTBOUND	2	An outbound request.
BROADCAST	3	A broadcast.

Network.IpProtocol

An IP protocol.

Enum Value	Enum Number	Description
UNKNOWN_IP_PROTOCOL	0	The default protocol.
ICMP	1	ICMP.
IGMP	2	IGMP
TCP	6	TCP.
UDP	17	UDP.
IP6IN4	41	IPv6 Encapsulation
GRE	47	Generic Routing Encapsulation
ESP	50	Encapsulating Security Payload
ICMP6	58	ICMPv6
EIGRP	88	Enhanced Interior Gateway Routing
ETHERIP	97	Ethernet-within-IP Encapsulation
PIM	103	Protocol Independent Multicast
VRRP	112	Virtual Router Redundancy Protocol
SCTP	132	Stream Control Transmission Protocol

Noun.Platform

Operating system platform.

Enum Value	Enum Number	Description
UNKNOWN_PLATFORM	0	Default value.
WINDOWS	1	Microsoft Windows.
MAC	2	macOS.
LINUX	3	Linux.
GCP	4	Deprecated: see cloud.environment.
AWS	5	Deprecated: see cloud.environment.
AZURE	6	Deprecated: see cloud.environment.
IOS	7	IOS
ANDROID	8	Android
CHROME_OS	9	Chrome OS

Permission.PermissionType

High level categorizations of permission type.

Enum Value	Enum Number	Description
UNKNOWN_PERMISSION_TYPE	0	Default permission type.
ADMIN_WRITE	1	Administrator write permission.
ADMIN_READ	2	Administrator read permission.
DATA_WRITE	3	Data resource access write permission.
DATA_READ	4	Data resource access read permission.

Priority

Priority that is assigned to a Case or Alert.

Enum Value	Enum Number	Description
PRIORITY_UNSPECIFIED	0	Default priority level.
PRIORITY_INFO	100	Informational priority.
PRIORITY_LOW	200	Low priority.
PRIORITY_MEDIUM	300	Medium priority.
PRIORITY_HIGH	400	High priority.
PRIORITY_CRITICAL	500	Critical priority.

Process.State

The state of the process. See the psutil Process Status Constants.

Enum Value	Enum Number	Description
STATE_UNSPECIFIED	0	Undetermined state.
RUNNING	1	Process is running or runnable.
SLEEPING	2	Process is waiting for an event.
DISK_SLEEP	3	Process is in uninterruptible sleep, typically I/O.
STOPPED	4	Process is stopped.
TRACING_STOP	5	Process is stopped by debugger.
ZOMBIE	6	Process is terminated but not reaped by parent.
DEAD	7	Process is terminated.
WAKE_KILL	8	Process is woken to be killed.
WAKING	9	Process is waking from sleep.
PARKED	10	Linux specific: process is parked.
IDLE	11	Linux, macOS, and FreeBSD specific: process is idle.
LOCKED	12	FreeBSD specific: process is locked.
WAITING	13	FreeBSD specific: process is waiting.
SUSPENDED	14	NetBSD specific: process is suspended.

Process.TokenElevationType

The elevation type of the process's token. See the TOKEN_ELEVATION_TYPE enumeration.

Enum Value	Enum Number	Description
UNKNOWN	0	An undetermined token type.
TYPE_1	1	A full token with no privileges removed or groups disabled.
TYPE_2	2	An elevated token with no privileges removed or groups disabled. Used when running as administrator.
TYPE_3	3	A limited token with administrative privileges removed and administrative groups disabled.

Reason

Reason for closing an Alert or Case in the SOAR product.

Enum Value	Enum Number	Description
REASON_UNSPECIFIED	0	Default reason.
REASON_NOT_MALICIOUS	1	Case or Alert not malicious.
REASON_MALICIOUS	2	Case or Alert is malicious.
REASON_MAINTENANCE	3	Case or Alert is under maintenance.

Registry.Type

These values are based on the Windows Registry Value Types.

Enum Value	Enum Number	Description
TYPE_UNSPECIFIED	0	Default registry value type used when the type is unknown.
NONE	1	The registry value is not set and only the key exists.
SZ	2	A null-terminated string.
EXPAND_SZ	3	A null-terminated string that contains unexpanded references to environment variables
BINARY	4	Binary data in any form.
DWORD	5	A 32-bit number.
DWORD_LITTLE_ENDIAN	6	A 32-bit number in little-endian format.
DWORD_BIG_ENDIAN	7	A 32-bit number in big-endian format.
LINK	8	A null-terminated Unicode string that contains the target path of a symbolic link.
MULTI_SZ	9	A sequence of null-terminated strings, terminated by an empty string
RESOURCE_LIST	10	A device driver resource list.
QWORD	11	A 64-bit number.
QWORD_LITTLE_ENDIAN	12	A 64-bit number in little-endian format.

Reputation

Categorization options for the usefulness of a finding.

Enum Value	Enum Number	Description
REPUTATION_UNSPECIFIED	0	An unspecified reputation.
USEFUL	1	A categorization of the finding as useful.
NOT_USEFUL	2	A categorization of the finding as not useful.

Resource.ResourceType

The type of resource.

Enum Value	Enum Number	Description
UNSPECIFIED	0	Default type.
MUTEX	1	Mutex.
TASK	2	Task.
PIPE	3	Named pipe.
DEVICE	4	Device.
FIREWALL_RULE	5	Firewall rule.
MAILBOX_FOLDER	6	Mailbox folder.
VPC_NETWORK	7	VPC Network.
VIRTUAL_MACHINE	8	Virtual machine.
STORAGE_BUCKET	9	Storage bucket.
STORAGE_OBJECT	10	Storage object.
DATABASE	11	Database.
TABLE	12	Data table.
CLOUD_PROJECT	13	Cloud project.
CLOUD_ORGANIZATION	14	Cloud organization.
SERVICE_ACCOUNT	15	Service account.
ACCESS_POLICY	16	Access policy.
CLUSTER	17	Cluster.
SETTING	18	Settings.
DATASET	19	Dataset.
BACKEND_SERVICE	20	Endpoint that receive traffic from a load balancer or proxy.
POD	21	Pod, which is a collection of containers. Often used in Kubernetes.
CONTAINER	22	Container.
FUNCTION	23	Cloud function.
RUNTIME	24	Runtime.
IP_ADDRESS	25	IP address.
DISK	26	Disk.
VOLUME	27	Volume.
IMAGE	28	Machine image.
SNAPSHOT	29	Snapshot.
REPOSITORY	30	Repository.
CREDENTIAL	31	Credential, e.g. access keys, ssh keys, tokens, certificates.
LOAD_BALANCER	32	Load balancer.
GATEWAY	33	Gateway.
SUBNET	34	Subnet.
USER	35	User.
SERVICE	36	Service.

Role.Type

Well-known system roles.

Enum Value	Enum Number	Description
TYPE_UNSPECIFIED	0	Default user role.
ADMINISTRATOR	1	Product administrator with elevated privileges.
SERVICE_ACCOUNT	2	System service account for automated privilege access.

SecurityResult.Action

Enum representing different possible actions taken by the product that created the event.

Google SecOps classifies:

ALLOW and ALLOW_WITH_MODIFICATION actions as "successful".
BLOCK, QUARANTINE, FAIL, and CHALLENGE actions as "failed". This includes all corresponding metrics (for example, AUTH_ATTEMPTS_FAIL, FILE_EXECUTIONS_FAIL, RESOURCE_READ_FAIL, and so on).
UNKNOWN_ACTION actions as neither "successful" nor "failed", because, for example, logs might not provide information whether a login event occurred but some kind of "unknown" error was issued nonetheless.

Enum Value	Enum Number	Description
UNKNOWN_ACTION	0	The default action.
ALLOW	1	Allowed.
BLOCK	2	Blocked.
ALLOW_WITH_MODIFICATION	3	Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded).
QUARANTINE	4	Put somewhere for later analysis (does NOT imply block).
FAIL	5	Failed (e.g. the event was allowed but failed).
CHALLENGE	6	Challenged (e.g. the user was challenged by a Captcha, 2FA).

SecurityResult.AlertState

The type of alerting set up for a security result.

Enum Value	Enum Number	Description
UNSPECIFIED	0	The security result type is not known.
NOT_ALERTING	1	The security result is not an alert.
ALERTING	2	The security result is an alert.

SecurityResult.Association.AssociationType

Represents different possible Association types. Can be threat or malware. Used to represent Mandiant threat intelligence.

Enum Value	Enum Number	Description
ASSOCIATION_TYPE_UNSPECIFIED	0	The default Association Type.
THREAT_ACTOR	1	Association type Threat actor.
MALWARE	2	Association type Malware.
SOFTWARE_TOOLKIT	3	Association type Software toolkit.

SecurityResult.IoCStatsType

Type of IoCStat based on source.

Enum Value	Enum Number	Description
UNSPECIFIED_IOC_STATS_TYPE	0	IoCStat source is unidentified.
MANDIANT_SOURCES	1	IoCStat is from a Mandiant Source.
THIRD_PARTY_SOURCES	2	IoCStat is from a third-party source.
THREAT_INTELLIGENCE_IOC_STATS	3	IoCStat is from a threat intelligence feed.

SecurityResult.ProductConfidence

A level of confidence in the result.

Enum Value	Enum Number	Description
UNKNOWN_CONFIDENCE	0	The default confidence level.
LOW_CONFIDENCE	200	Low confidence.
MEDIUM_CONFIDENCE	300	Medium confidence.
HIGH_CONFIDENCE	400	High confidence.

SecurityResult.ProductPriority

A product priority level.

Enum Value	Enum Number	Description
UNKNOWN_PRIORITY	0	Default priority level.
LOW_PRIORITY	200	Low priority.
MEDIUM_PRIORITY	300	Medium priority.
HIGH_PRIORITY	400	High priority.

SecurityResult.ProductSeverity

Defined by the product

Enum Value	Enum Number	Description
UNKNOWN_SEVERITY	0	The default severity level.
INFORMATIONAL	100	Info severity.
ERROR	150	An error.
NONE	101	No malicious result.
LOW	200	Low-severity malicious result.
MEDIUM	300	Medium-severity malicious result.
HIGH	400	High-severity malicious result.
CRITICAL	500	Critical-severity malicious result.

SecurityResult.SecurityCategory

SecurityCategory is used to standardize security categories across products

so one event is not categorized as "malware" and another as a "virus".

Enum Value	Enum Number	Description
UNKNOWN_CATEGORY	0	The default category.
SOFTWARE_MALICIOUS	10000	Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS	10100	Below the conviction threshold; probably bad.
SOFTWARE_PUA	10200	Potentially Unwanted App (such as adware).
NETWORK_MALICIOUS	20000	Includes C&C or network exploit.
NETWORK_SUSPICIOUS	20100	Suspicious activity, such as potential reverse tunnel.
NETWORK_CATEGORIZED_CONTENT	20200	Non-security related: URL has category like gambling or porn.
NETWORK_DENIAL_OF_SERVICE	20300	DoS, DDoS.
NETWORK_RECON	20400	Port scan detected by an IDS, probing of web app.
NETWORK_COMMAND_AND_CONTROL	20500	If we know this is a C&C channel.
ACL_VIOLATION	30000	Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION	40000	Authentication failed (e.g. bad password or bad 2-factor authentication).
EXPLOIT	50000	Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits.
DATA_EXFILTRATION	60000	DLP: Sensitive data transmission, copy to thumb drive.
DATA_AT_REST	60100	DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION	60200	Attempt to destroy/delete data.
TOR_EXIT_NODE	60300	TOR Exit Nodes.
MAIL_SPAM	70000	Spam email, message, etc.
MAIL_PHISHING	70100	Phishing email, chat messages, etc.
MAIL_SPOOFING	70200	Spoofed source email address, etc.
POLICY_VIOLATION	80000	Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
SOCIAL_ENGINEERING	90001	Threats which manipulate to break normal security procedures.
PHISHING	90002	Phishing pages, pops, https phishing etc.

SecurityResult.ThreatCollectionType

Different Types of threat collections currently supported.

Enum Value	Enum Number	Description
THREAT_COLLECTION_TYPE_UNSPECIFIED	0	Threat collection type is unspecified.
CAMPAIGN	1	Threat collection type is campaign.
REPORT	2	Threat collection type is report.

SecurityResult.ThreatStatus

Vendor-specific information about the status of a threat (ITW).

Enum Value	Enum Number	Description
THREAT_STATUS_UNSPECIFIED	0	Default threat status
ACTIVE	1	Active threat.
CLEARED	2	Cleared threat.
FALSE_POSITIVE	3	False positive.

SecurityResult.VerdictResponse

Represents different verdict types. Used to represent Mandiant threat intelligence.

Enum Value	Enum Number	Description
VERDICT_RESPONSE_UNSPECIFIED	0	The default verdict response type.
MALICIOUS	1	VerdictResponse resulted a threat as malicious.
BENIGN	2	VerdictResponse resulted a threat as benign.

SecurityResult.VerdictType

Category of the verdict.

Enum Value	Enum Number	Description
VERDICT_TYPE_UNSPECIFIED	0	Verdict category not specified.
PROVIDER_ML_VERDICT	1	MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.
ANALYST_VERDICT	2	Verdict provided by the human analyst. These fields are used to model Mandiant sources.

Service.ServiceType

The type of service.

Enum Value	Enum Number	Description
SERVICE_TYPE_UNSPECIFIED	0	Default service type.
KERNEL_DRIVER	1	A kernel driver.
FILE_SYSTEM_DRIVER	2	A file system driver.
WIN32_OWN_PROCESS	3	A process that is owned by the service. This is a Windows-specific service type.
WIN32_SHARE_PROCESS	4	A process that is shared by the service. This is a Windows-specific service type.
ADAPTER	5	An adapter. This is a Windows-specific service type.
RECOGNIZER_DRIVER	6	A recognizer driver. This is a Windows-specific service type.
INTERACTIVE_PROCESS	7	An interactive process. This is a Windows-specific service type.

Service.StartupType

How the service is started.

Enum Value	Enum Number	Description
STARTUP_TYPE_UNSPECIFIED	0	Default startup type.
AUTOMATIC	1	The service is started automatically.
MANUAL	2	The service is started manually by a user.
DISABLED	3	The service is disabled and will not start automatically.

Service.State

The current status of the service.

Enum Value	Enum Number	Description
STATE_UNSPECIFIED	0	Default service status.
RUNNING	1	The service is running.
STOPPED	2	The service is stopped. This is a Windows-specific service status.
PAUSED	3	The service is paused. This is a Windows-specific service status.
COMPLETED	4	The service is completed.
START_PENDING	5	The service is starting.
STOP_PENDING	6	The service is stopping.
PAUSE_PENDING	7	The service is pausing.
CONTINUE_PENDING	8	The service is continuing.

Status

Describes status of a finding.

Enum Value	Enum Number	Description
STATUS_UNSPECIFIED	0	Unspecified finding status.
NEW	1	New finding.
REVIEWED	2	When a finding has feedback.
CLOSED	3	When an analyst closes an finding.
OPEN	4	Open. Used to indicate that a Case / Alert is open.

ThreatVerdict

GCTI threat verdict levels.

Enum Value	Enum Number	Description
THREAT_VERDICT_UNSPECIFIED	0	Unspecified threat verdict level.
UNDETECTED	1	Undetected threat verdict level.
SUSPICIOUS	2	Suspicious threat verdict level.
MALICIOUS	3	Malicious threat verdict level.

User.AccountType

User Account Type.

Enum Value	Enum Number	Description
ACCOUNT_TYPE_UNSPECIFIED	0	Default user account type.
DOMAIN_ACCOUNT_TYPE	1	A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE	2	A local machine account.
CLOUD_ACCOUNT_TYPE	3	A SaaS service account type (such as Slack or GitHub).
SERVICE_ACCOUNT_TYPE	4	A non-human account for data access.
DEFAULT_ACCOUNT_TYPE	5	A system built in default account.

User.Role

User system roles.

Enum Value	Enum Number	Description
UNKNOWN_ROLE	0	Default user role.
ADMINISTRATOR	1	Product administrator with elevated privileges.
SERVICE_ACCOUNT	2	System service account for automated privilege access. Deprecated: not a role, instead set User.account_type.

UsnJournal.Attribute

File attributes from the USN record (e.g., "READ_ONLY, HIDDEN"). See https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants for more information about the attributes.

Enum Value	Enum Number	Description
ATTRIBUTE_UNSPECIFIED	0	Unspecified attribute.
READ_ONLY	1	A file that is read-only.
HIDDEN	2	The file or directory is hidden.
SYSTEM	3	A file or directory that the operating system uses.
ARCHIVE	4	Archive file or directory.
COMPRESSED	5	A file or directory that is compressed.
ENCRYPTED	6	A file or directory that is encrypted.
DIRECTORY	7	The handle that identifies the directory.
DEVICE	8	Reserved for system use.
NORMAL	9	A file that does not have other attributes set.
TEMPORARY	10	A file that is being used for temporary storage.
SPARSE_FILE	11	A file that is a sparse file.
REPARSE_POINT	12	A file or directory that has an associated reparse point.
OFFLINE	13	The data of a file is not available immediately.
NOT_CONTENT_INDEXED	14	The file or directory is not to be indexed.
NON_CONTENT_INDEXED	14	Deprecated: Use NOT_CONTENT_INDEXED instead.
INTEGRITY_STREAM	15	The directory or user data stream is configured with integrity.
VIRTUAL	16	Reserved for system use.
NO_SCRUB_DATA	17	The user data stream not to be read by the background data integrity scanner.
EA	18	A file or directory with extended attributes.
PINNED	19	The file or directory should be kept fully present locally.
UNPINNED	20	The file or directory should not be kept fully present locally.
RECALL_ON_OPEN	21	The file or directory has no physical representation on the local system.
RECALL_ON_DATA_ACCESS	22	The file or directory is not fully present locally.

UsnJournal.Reason

The reason for the USN journal entry.

Enum Value	Enum Number	Description
REASON_UNSPECIFIED	0	Unspecified reason.
DATA_OVERWRITE	1	Data overwrite reason.
DATA_EXTEND	2	Data extend reason.
DATA_TRUNCATION	3	Data truncation reason.
NAMED_DATA_OVERWRITE	4	Named data overwrite reason.
NAMED_DATA_EXTEND	5	Named data extend reason.
NAMED_DATA_TRUNCATION	6	Named data truncation reason.
FILE_CREATE	7	File create reason.
FILE_DELETE	8	File delete reason.
EA_CHANGE	9	EA change reason.
SECURITY_CHANGE	10	Security change reason.
RENAME_OLD_NAME	11	Rename old name reason.
RENAME_NEW_NAME	12	Rename new name reason.
INDEXABLE_CHANGE	13	Indexable change reason.
BASIC_INFO_CHANGE	14	Basic info change reason.
HARD_LINK_CHANGE	15	Hard link change reason.
COMPRESSION_CHANGE	16	Compression change reason.
ENCRYPTION_CHANGE	17	Encryption change reason.
OBJECT_ID_CHANGE	18	Object ID change reason.
REPARSE_POINT_CHANGE	19	Reparse point change reason.
STREAM_CHANGE	20	Stream change reason.
TRANSACTED_CHANGE	21	Transacted change reason.
CLOSE	22	Close reason.

Verdict

Categorization options for the validity of a finding (for example, whether it reflects an actual security incident).

Enum Value	Enum Number	Description
VERDICT_UNSPECIFIED	0	An unspecified verdict.
TRUE_POSITIVE	1	A categorization of the finding as a "true positive".
FALSE_POSITIVE	2	A categorization of the finding as a "false positive".

Vulnerability.Severity

Severity of the vulnerability.

Enum Value	Enum Number	Description
UNKNOWN_SEVERITY	0	The default severity level.
LOW	1	Low severity.
MEDIUM	2	Medium severity.
HIGH	3	High severity.
CRITICAL	4	Critical severity.

WindowsEventLog.Channel

The channel specifies the source or category of the event.

Enum Value	Enum Number	Description
CHANNEL_UNSPECIFIED	0	Default channel.
SECURITY	1	The security channel.
SYSTEM	2	The system channel.
APPLICATION	3	The application channel.
SETUP	4	The setup channel.
FORWARDED_EVENTS	5	The forwarded events channel.
OTHER	6	The other channel.

WindowsScheduledTask.TaskAction.ActionType

Enum representing the action type of the task.

Enum Value	Enum Number	Description
ACTION_TYPE_UNSPECIFIED	0	The action type is not specified.
EXEC	1	This action performs a command-line operation. For example, the action can run a script, launch an executable, or, if the name of a document is provided, find its associated application and launch the application with the document.
COM_HANDLER	2	This action fires a handler. This action can only be used if the task Compatibility property is set to TASK_COMPATIBILITY_V2.
SEND_EMAIL	3	This action sends an email message. This action can only be used if the task Compatibility property is set to TASK_COMPATIBILITY_V2.
SHOW_MESSAGE	4	This action shows a message box. This action can only be used if the task Compatibility property is set to TASK_COMPATIBILITY_V2.

WindowsScheduledTask.TaskLogonType

Enum representing the logon type of the task.

Enum Value	Enum Number	Description
TASK_LOGON_TYPE_UNSPECIFIED	0	The logon method is not specified. Used for non-NT credentials.
PASSWORD	1	Use a password for logging on the user. The password must be supplied at registration time.
S4U	2	Use an existing interactive token to run a task. The user must log on using a service for user (S4U) logon. When an S4U logon is used, no password is stored by the system and there is no access to either the network or encrypted files.
INTERACTIVE_TOKEN	3	User must already be logged on. The task will be run only in an existing interactive session.
GROUP	4	Logon with group credentials.
SERVICE_ACCOUNT	5	Indicates that a Local System, Local Service, or Network Service account is being used as a security context to run the task.
INTERACTIVE_TOKEN_OR_PASSWORD	6	First use the interactive token. If the user is not logged on (no interactive token is available), the password is used. The password must be specified when a task is registered. This flag is not recommended for new tasks because it is less reliable than TASK_LOGON_PASSWORD.

WindowsScheduledTask.TaskState

Enum representing the operation state of the task.

Enum Value	Enum Number	Description
TASK_STATE_UNSPECIFIED	0	The state of the task is unknown or not specified.
DISABLED	1	The task is registered but is disabled and no instances of the task are queued or running. The task cannot be run until it is enabled.
QUEUED	2	Instances of the task are queued.
ACTIVE	3	The task is ready to be executed, but no instances are queued or running.
RUNNING	4	One or more instances of the task are running.

WindowsScheduledTask.TaskTrigger.TriggerType

Enum representing the trigger type of the task. For more details, see https://learn.microsoft.com/en-us/windows/win32/api/taskschd/ne-taskschd-task_trigger_type2.

Enum Value	Enum Number	Description
TRIGGER_TYPE_UNSPECIFIED	0	The trigger frequency is not specified.
EVENT	1	Triggers the task when a specific event occurs.
TIME	2	Triggers the task at a specific time of day.
DAILY	3	Triggers the task on a daily schedule. For example, the task starts at a specific time every day, every other day, or every third day.
WEEKLY	4	Triggers the task on a weekly schedule. For example, the task starts at 8:00 AM on a specific day every week or other week.
MONTHLY	5	Triggers the task on a monthly schedule. For example, the task starts on specific days of specific months.
MONTHLYDOW	6	Triggers the task on a monthly day-of-week schedule. For example, the task starts on a specific days of the week, weeks of the month, and months of the year.
IDLE	7	Triggers the task when the computer goes into an idle state.
REGISTRATION	8	Triggers the task when the task is registered.
BOOT	9	Triggers the task when the computer boots.
LOGON	10	Triggers the task when a specific user logs on.
SESSION_STATE_CHANGE	11	Triggers the task when a specific user session state changes.
CUSTOM_TRIGGER01	12	Custom trigger 01.

Standard datatypes

Standard datatypes and the equivalent types in other languages.

Datatype	Notes	C++	Java	Python	Go	C#	PHP	Ruby
double		double	double	float	float64	double	float	Float
float		float	float	float	float32	float	float	Float
int32	Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.	int32	int	int	int32	int	integer	Bignum or Fixnum (as required)
int64	Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.	int64	long	int/long	int64	long	integer/string	Bignum
uint32	Uses variable-length encoding.	uint32	int	int/long	uint32	uint	integer	Bignum or Fixnum (as required)
uint64	Uses variable-length encoding.	uint64	long	int/long	uint64	ulong	integer/string	Bignum or Fixnum (as required)
sint32	Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.	int32	int	int	int32	int	integer	Bignum or Fixnum (as required)
sint64	Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.	int64	long	int/long	int64	long	integer/string	Bignum
fixed32	Always four bytes. More efficient than uint32 if values are often greater than 2^28.	uint32	int	int	uint32	uint	integer	Bignum or Fixnum (as required)
fixed64	Always eight bytes. More efficient than uint64 if values are often greater than 2^56.	uint64	long	int/long	uint64	ulong	integer/string	Bignum
sfixed32	Always four bytes.	int32	int	int	int32	int	integer	Bignum or Fixnum (as required)
sfixed64	Always eight bytes.	int64	long	int/long	int64	long	integer/string	Bignum
bool		bool	boolean	boolean	bool	bool	boolean	TrueClass/FalseClass
string	A string must always contain UTF-8 encoded or 7-bit ASCII text.	string	String	str/unicode	string	string	string	String (UTF-8)
bytes	May contain any arbitrary sequence of bytes.	string	ByteString	str	[]byte	ByteString	string	String (ASCII-8BIT)

Field Name	Type	Label	Description
tenant_id	bytes	repeated	A list of subtenant ids that this event belongs to.
data_tap_config_name	string	repeated	A list of sink name values defined in DataTap configurations.