UDM field list

This document provides a list of fields available in the Unified Data Model(UDM) schema.

Field name and field type values can look similar. This document uses styleconventions to help you identify the differences:

  • Field type values use camelCase characters; for example,platform andeventType.
  • Field name values use lowercase characters; for example,platform andevent_type. When a field name consists of more than one word, an underscore is used to separate the words.
  • Standard data type values use lowercase characters.

For details about dashboard query examples, seeUDM Events andEntity Graph.

UDM field name formats

When specifying a field, use the following format:

<prefix>.<field_name1>.<field_name2>.<...>.<field_nameN>=<value>

Field name format for Detect Engine

When writing rules for Detect Engine:

  • Use the <prefix> pattern$event for Event fields; for example:

    • $event.metadata.event_type
    • $event.network.dhcp.opcode
    • $event.principal.user.location.city

  • Use the <prefix> pattern$entity for Entity fields; for example:

    • $entity.graph.entity.hostname
    • $entity.graph.metadata.product_name

Field name format for parsers

When writing configuration-based normalizer (CBN) parsers:

  • Use the <prefix> patternevent.idm.read_only_udm for UDM Event fields; for example:

    • event.idm.read_only_udm.metadata.event_type
    • event.idm.read_only_udm.network.dhcp.opcode
    • event.idm.read_only_udm.principal.user.location.city

  • Use the <prefix> patternevent.idm.entity for UDM Entity fields; for example:

    • event.idm.entity.entity.user.user_display_name
    • event.idm.entity.entity.asset.hostname

UDM Entity data model

TheUDM Entity Data model represents a state-in-time view of the objects within an enterprise, such as users, assets, and organizational resources. Unlike the Event Model, which captures point-in-time activities (telemetry), the Entity model provides the context necessary for effective threat hunting and risk scoring.

By mapping metadata from disparate sources like Active Directory, EDR inventories, and CMDBs into a unified structure, developers can programmatically correlate "who" or "what" is involved in a security incident. This model is essential for building relationship graphs, tracking asset criticality, and applying identity-centric security policies across the organization.

Entity

An Entity provides additional context about an item in a UDM event. Forexample, a PROCESS_LAUNCH event describes that user 'abc@example.corp'launched process 'shady.exe'.The event does not include information that user 'abc@example.com' is arecently terminated employee who administers a server storing finance data.Information stored in one or more Entities can add this additional context.

Field NameTypeLabelDescription
metadataEntityMetadataEntity metadata such as timestamp, product, etc.
entityNounNoun in the UDM event that this entity represents.
relationsRelationrepeatedOne or more relationships between the entity (a) and other entities,including the relationship type and related entity.
additionalgoogle.protobuf.StructImportant entity data that cannot be adequately represented withinthe formal sections of the Entity.
risk_scoreEntityRiskoptionalStores information related to the entity's risk score.
metricMetricStores statistical metrics about the entity. Used if metadata.entity_typeis METRIC.

EntityMetadata

Information about the Entity and the product where the entity was created.

Field NameTypeLabelDescription
product_entity_idstringA vendor-specific identifier that uniquely identifies the entity(for example, a GUID, LDAP, OID, or similar).
collected_timestampgoogle.protobuf.TimestampGMT timestamp when the entity information was collected by the vendor'slocal collection infrastructure.
creation_timestampgoogle.protobuf.TimestampGMT timestamp when the entity described by the product_entity_id wascreated on the system where data was collected.
intervalgoogle.type.IntervalValid existence time range for the version of the entity represented bythis entity data.
vendor_namestringVendor name of the product that produced the entity information.
product_namestringProduct name that produced the entity information.
feedstringVendor feed name for a threat indicator feed.
product_versionstringVersion of the product that produced the entity information.
entity_typeEntityMetadata.EntityType (Enumerated list)Entity type.If an entity has multiple possible types, this specifies the most specifictype.
descriptionstringHuman-readable description of the entity.
threatSecurityResultrepeatedMetadata provided by a threat intelligence feed that identified theentity as malicious.
source_typeEntityMetadata.SourceType (Enumerated list)The source of the entity.
source_labelsLabelrepeatedEntity source metadata labels.
event_metadataMetadataMetadata field from the event.

EntityRisk

Stores information related to the risk score of an entity.

Field NameTypeLabelDescription
risk_versionstringVersion of the risk score calculation algorithm.
risk_windowgoogle.type.IntervalTime window used when computing the risk score for an entity, forexample 24 hours or 7 days.
risk_window_has_new_detectionsbooleanIndicates whether or not there are new detections for the risk window.
DEPRECATED_risk_scoreint32Deprecated risk score.
risk_deltaRiskDeltaoptionalRepresents the change in risk score for an entity between the end of theprevious time window and the end of the current time window.
detections_countint32Number of detections that make up the risk score within the time window.
first_detection_timegoogle.protobuf.TimestampTimestamp of the first detection within the specified time window.This field is empty when there are no detections.
last_detection_timegoogle.protobuf.TimestampTimestamp of the last detection within the specified time window.This field is empty when there are no detections.
risk_scorefloatRaw risk score for the entity.
normalized_risk_scoreint32Normalized risk score for the entity. This value is between 0-1000.
risk_window_sizeInt64Risk window duration for the Entity.
raw_risk_deltaRiskDeltaoptionalRepresents the change in raw risk score for an entity between the end ofthe previous time window and the end of the current time window.

Metric

Stores precomputed aggregated analytic data for an entity.

Field NameTypeLabelDescription
first_seengoogle.protobuf.TimestampTimestamp of the first time the entity was seen in the environment.
last_seengoogle.protobuf.TimestampTimestamp of the last time the entity was seen in the environment.
sum_measureMetric.MeasureSum of all precomputed measures for the given metric.
total_eventsint64Total number of events used to calculate the given precomputed metric.
metric_nameMetric.MetricName (Enumerated list)Name of the analytic.
dimensionsMetric.Dimension (Enumerated list)repeatedAll group by clauses used to calculate the metric.
export_windowint64Export window for which the metric was exported.

Metric.Measure

Describes the precomputed measure.

Field NameTypeLabelDescription
valuedoubleValue of the aggregated measure.
aggregate_functionMetric.AggregateFunction (Enumerated list)Function used to calculate the aggregated measure.

Relation

Defines the relationship between the entity (a) and another entity (b).

Field NameTypeLabelDescription
entityNounEntity (b) that the primary entity (a) is related to.
entity_typeEntityMetadata.EntityType (Enumerated list)Type of the related entity (b) in this relationship.
relationshipRelation.Relationship (Enumerated list)Type of relationship.
directionRelation.Directionality (Enumerated list)Directionality of relationship between primary entity (a) and therelated entity (b).
uidbytesUID of the relationship.
entity_labelRelation.EntityLabel (Enumerated list)Label to identify the Noun of the relation.

RiskDelta

Describes the difference in risk score between two points in time.

Field NameTypeLabelDescription
previous_range_end_timegoogle.protobuf.TimestampEnd time of the previous time window.
risk_score_deltaint32Difference in the normalized risk score from the previous recorded value.
previous_risk_scoreint32Risk score from previous risk window
risk_score_numeric_deltaint32Numeric change between current and previous risk score

Entity enumerated types

EntityMetadata.EntityType

Describes the type of entity.An unknown event type.

Enum ValueEnum NumberDescription
ASSET1An asset, such as workstation, laptop, phone, or virtual machine.
USER10000User.
GROUP10001Group.
RESOURCE2Resource.
IP_ADDRESS3An external IP address. The request should includeIOC intel threat metadata for each entity to be ingested.
FILE4A file. The request should includeIOC intel threat metadata for each entity to be ingested.
DOMAIN_NAME5A domain. The request should includeIOC intel threat metadata for each entity to be ingested.
URL6A URL.
MUTEX7A mutex. The request should includeIOC intel threat metadata for each entity to be ingested.

EntityMetadata.SourceType

Describes the source of an entity.

Enum ValueEnum NumberDescription
SOURCE_TYPE_UNSPECIFIED0Default source type
ENTITY_CONTEXT1Entities ingested from customers (for example, AD_CONTEXT, DLP_CONTEXT)
DERIVED_CONTEXT2Entities derived from customer data such as prevalence, artifactfirst/last seen, or asset/user first seen stats.
GLOBAL_CONTEXT3Global contextual entities such as WHOIS or Safe Browsing.

Metric.AggregateFunction

Mathematic function used to calculate the value.

Enum ValueEnum NumberDescription
AGGREGATE_FUNCTION_UNSPECIFIED0Default value.
MIN1Minimum.
MAX2Maximum.
COUNT3Count.
SUM4Sum.
AVG5Average.
STDDEV6Standard Deviation.

Metric.Dimension

Describes field used as the dimension when grouping data to calculate theaggregate metric.

Enum ValueEnum NumberDescription
DIMENSION_UNSPECIFIED0Default
PRINCIPAL_DEVICE1Principal Device
TARGET_USER2Target User
TARGET_DEVICE3Target Device
PRINCIPAL_USER4Principal User
TARGET_IP5Target IP
PRINCIPAL_FILE_HASH6Principal File Hash
PRINCIPAL_COUNTRY7Principal Country
SECURITY_CATEGORY8Security Category
NETWORK_ASN9Network ASN
CLIENT_CERTIFICATE_HASH10Client Certificate Hash
DNS_QUERY_TYPE11DNS Query Type
DNS_DOMAIN12DNS Domain
HTTP_USER_AGENT13HTTP User Agent
EVENT_TYPE14Event Type
PRODUCT_NAME15Product Name
PRODUCT_EVENT_TYPE16Product Event Type
PARENT_FOLDER_PATH17Parent Folder Path
TARGET_RESOURCE_NAME18Target resource Name
PRINCIPAL_APPLICATION19Principal Application.
TARGET_APPLICATION20Target Application.
EMAIL_TO_ADDRESS21Email To Address.
EMAIL_FROM_ADDRESS22Email From Address.
MAIL_ID23Mail Id.
PRINCIPAL_IP24Principal IP.
SECURITY_ACTION25Security Action.
SECURITY_RULE_ID28Security Rule Id.
TARGET_NETWORK_ORGANIZATION_NAME29Target Network Organization name.
PRINCIPAL_NETWORK_ORGANIZATION_NAME30Principal Network Organization name.
PRINCIPAL_PROCESS_FILE_PATH31Principal Process File Path.
PRINCIPAL_PROCESS_FILE_HASH32Principal Process File SHA256 Hash.
SECURITY_RESULT_RULE_NAME33Security Result rule name.

Metric.MetricName

The name of the precomputed analytic.

Enum ValueEnum NumberDescription
METRIC_NAME_UNSPECIFIED0Default
NETWORK_BYTES_INBOUND1Total received network bytes.
NETWORK_BYTES_OUTBOUND2Total network sent bytes.
NETWORK_BYTES_TOTAL3Total network sent bytes and received bytes.
AUTH_ATTEMPTS_SUCCESS4Successful authentication attempts.
AUTH_ATTEMPTS_FAIL5Failed authentication attempts.
AUTH_ATTEMPTS_TOTAL6Total authentication attempts.
DNS_BYTES_OUTBOUND7Total number of sent bytes for DNS events.
NETWORK_FLOWS_INBOUND8Total number of events having non-null received bytes.
NETWORK_FLOWS_OUTBOUND9Total number of events having non-null sent bytes.
NETWORK_FLOWS_TOTAL10Total events having non-null sent or received bytes.
DNS_QUERIES_SUCCESS11DNS query success count - Number of events with response_code = 0.
DNS_QUERIES_FAIL12Number of events with response_code != 0.
DNS_QUERIES_TOTAL13Total number of DNS queries made.
FILE_EXECUTIONS_SUCCESS14Number of successful file executions.
FILE_EXECUTIONS_FAIL15Number of failed file executions.
FILE_EXECUTIONS_TOTAL16Total number file executions.
HTTP_QUERIES_SUCCESS17Number of successful HTTP queries.
HTTP_QUERIES_FAIL18Number of failed HTTP queries.
HTTP_QUERIES_TOTAL19Total number of HTTP queries.
WORKSPACE_EMAILS_SENT_TOTAL20Total number of emails sent in Google Workspace.
WORKSPACE_TOTAL_DOWNLOAD_ACTIONS21Total number of download actions in Google Workspace.
WORKSPACE_TOTAL_CHANGE_ACTIONS22Total number of change actions in Google Workspace.
WORKSPACE_AUTH_ATTEMPTS_TOTAL23Total number of authentication attempts in Google Workspace.
WORKSPACE_NETWORK_BYTES_OUTBOUND24Number of outbound network bytes (total sent) in Google Workspace.
WORKSPACE_NETWORK_BYTES_TOTAL25Total number of network bytes (both sent and received) in Google Workspace.
ALERT_EVENT_NAME_COUNT26Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH.
RESOURCE_CREATION_TOTAL27Total number of successful resource creations attempts (Success + Fail).
RESOURCE_CREATION_SUCCESS28Number of successful resource creations.
RESOURCE_READ_SUCCESS29Number of successful resource reads.
RESOURCE_READ_FAIL30Number of failed resource reads.
RESOURCE_DELETION_SUCCESS31Number of successful resource deletions.
RESOURCE_CREATION_FAIL32Number of failed resource creations.
RESOURCE_DELETION_FAIL33Number of failed resource deletions.
RESOURCE_DELETION_TOTAL34 Total number of resource deletions.
RESOURCE_READ_TOTAL35 Total number of resource reads.
RESOURCE_WRITTEN_FAIL36Number of failed resource writes.
RESOURCE_WRITTEN_SUCCESS37Number of successful resource writes.
RESOURCE_WRITTEN_TOTAL38Total number of resource writes.
UDM_DATA_PRESENCE_SUMMARY39Number of events grouped by a series of UDM fields, on a per customer basis.

Relation.Directionality

Describes the relationship model as directed or undirected.

Enum ValueEnum NumberDescription
DIRECTIONALITY_UNSPECIFIED0Default value.
BIDIRECTIONAL1Modeled in both directions. Primary entity (a) to related entity (b) andrelated entity (b) to primary entity (a).
UNIDIRECTIONAL2Modeled in a single direction. Primary entity (a) to related entity (b).

Relation.EntityLabel

Entity label of the relation.

Enum ValueEnum NumberDescription
ENTITY_LABEL_UNSPECIFIED0Default value.
PRINCIPAL1The Noun represents a principal type object.
TARGET2The Noun represents a target type object.
OBSERVER3The Noun represents an observer type object.
SRC4The Noun represents src type object.
NETWORK5The Noun represents a network type object.
SECURITY_RESULT6The Noun represents a SecurityResult object.
INTERMEDIARY7The Noun represents an intermediary type object.

Relation.Relationship

Type of relationship between the primary entity (a) and related entity (b).

Enum ValueEnum NumberDescription
RELATIONSHIP_UNSPECIFIED0Default value
OWNS1Related entity is owned by the primary entity (for example: user owns deviceasset).
ADMINISTERS2Related entity is administered by the primary entity (for example: useradministers a group).
MEMBER3Primary entity is a member of the related entity (for example: user is a memberof a group).
EXECUTES4Primary entity may have executed the related entity.
DOWNLOADED_FROM5Primary entity may have been downloaded from the related entity.
CONTACTS6Primary entity contacts the related entity.

UDM Event data model

A UDM event.

Field NameTypeLabelDescription
metadataMetadataEvent metadata such as timestamp, source product, etc.
additionalgoogle.protobuf.StructAny important vendor-specific event data that cannot be adequatelyrepresented within the formal sections of the UDM model.
principalNounRepresents the source of activity in the event. The principal is determined based on the context of the event being analyzed. For example, consider a scenario where a user on a hostxyz makes an SSH connection to a remote host1234. The remote host then initiates a request to google.com. In the SSH connection event, the principal isxyz. In the request event togoogle.com, the principal is1234.
The principal must include at least one machine-related (such as hostname, MAC addresses, IP addresses, port, product-specific identifiers like an Endpoint Detection and Response (EDR) asset ID) or user-related detail (for example, username). It can also include process details but must not include a domain name or any of the following fields: email, files, registry keys, or values.
srcNounRepresents a source entity being acted upon by the participant along withthe device or process context for the source object (the machine where thesource object resides). For example, if user U copies file A on machine Xto file B on machine Y, both file A and machine X would be specified in thesrc portion of the UDM event.
targetNounRepresents a target entity being referenced by the event or an object onthe target entity. For example, in a firewall connection from device A todevice B, A is described as the principal and B is described as the target.For a process injection by process C into target process D, process C isdescribed as the principal and process D is described as the target.
intermediaryNounrepeatedRepresents details on one or more intermediate entities processing activitydescribed in the event. This includes device details about a proxy serveror SMTP relay server. If an active event (that has a principal andpossibly target) passes through any intermediaries, they're added here.Intermediaries can impact the overall action, for example blocking ormodifying an ongoing request. A rule of thumb here is that 'principal','target', and description of the initial action should be the sameregardless of the intermediary or its action. A successful networkconnection from A->B should look the same in principal/target/intermediaryas one blocked by firewall C: principal: A, target: B (intermediary: C).
observerNounRepresents an observer entity (for example, a packet sniffer ornetwork-based vulnerability scanner), which is not a direct intermediary,but which observes and reports on the event in question.
aboutNounrepeatedRepresents entities referenced by the event that are not otherwisedescribed in principal, src, target, intermediary or observer. For example,it could be used to track email file attachments, domains/URLs/IPs embeddedwithin an email body, and DLLs that are loaded during a PROCESS_LAUNCHevent.
security_resultSecurityResultrepeatedA list of security results.
networkNetworkAll network details go here, including sub-messages with details on eachprotocol (for example, DHCP, DNS, or HTTP).
extensionsExtensionsAll other core, event-specific metadata goes in this message.Don't place protocol metadata in Extensions; put it in Network.

Event top level types

Extensions

Extensions to a UDM event.

Field NameTypeLabelDescription
authAuthenticationAn authentication extension.
vulnsVulnerabilitiesA vulnerability extension.

Metadata

General information associated with a UDM event.

Field NameTypeLabelDescription
idbytesID of the UDM event. Can be used for raw and normalized event retrieval.
product_log_idstringA vendor-specific event identifier to uniquely identify the event (for example: aGUID).
event_timestampgoogle.protobuf.TimestampThe GMT timestamp when the event was generated.
collected_timestampgoogle.protobuf.TimestampThe GMT timestamp when the event was collected by the vendor's localcollection infrastructure.
ingested_timestampgoogle.protobuf.TimestampThe GMT timestamp when the event was ingested (received) by Google Security Operations.
event_typeMetadata.EventTypeThe event type.If an event has multiple possible types, this specifies the most specifictype.
vendor_namestringThe name of the product vendor.
product_namestringThe name of the product.
product_versionstringThe version of the product.
product_event_typestringA short, descriptive, human-readable, product-specific event name or type(for example: "Scanned X", "User account created", "process_start").
product_deployment_idstringThe deployment identifier assigned by the vendor for a product deployment.
descriptionstringA human-readable unparsable description of the event.
url_back_to_productstringA URL that takes the user to the source product console for this event.
ingestion_labelsLabelrepeatedUser-configured ingestion metadata labels.
tagsTagsTags added by Google SecOps after an event is parsed. It is an error topopulate this field from within a parser.
enrichment_stateMetadata.EnrichmentStateThe enrichment state.
log_typestringThe string value of log type.
base_labelsDataAccessLabelsData access labels on the base event.
enrichment_labelsDataAccessLabelsData access labels from all the contextual events used to enrich the baseevent.

Network

A network event.

Field NameTypeLabelDescription
sent_bytesuint64The number of bytes sent.
received_bytesuint64The number of bytes received.
sent_packetsint64The number of packets sent.
received_packetsint64The number of packets received.
session_durationInt64The duration of the session as the number of seconds and nanoseconds.For seconds, network.session_duration.seconds, the type is a 64-bitinteger. For nanoseconds, network.session_duration.nanos, the type is a32-bit integer.
session_idstringThe ID of the network session.
parent_session_idstringThe ID of the parent network session.
application_protocol_versionstringThe version of the application protocol, for example, "1.1, 2.0".
community_idstringCommunity ID network flow value.
directionNetwork.DirectionThe direction of network traffic.
ip_protocolNetwork.IpProtocolThe IP protocol.
application_protocolNetwork.ApplicationProtocolThe application protocol.
ftpFtpFTP info.
emailEmailEmail information for the sender or recipient.
dnsDnsDNS information
dhcpDhcpDHCP info.
httpHttpHTTP info.
tlsTlsTLS info.
smtpSmtpSMTP info.Store fields specific to SMTP not covered by Email.
asnstringAutonomous system number.
dns_domainstringDNS domain name.
carrier_namestringCarrier identification.
organization_namestringOrganization name (e.g Google).
ip_subnet_rangestringAssociated human-readable IP subnet range (for example, 10.1.2.0/24).

Noun

The Noun type is used to represent the different entities in an event:principal, src, target, observer, intermediary, and about. It storesattributes known about the entity. For example, if the entity is a devicewith multiple IP or MAC addresses, it stores the IP and MAC addresses thatare relevant to the event.

Field NameTypeLabelDescription
hostnamestringClient hostname or domain name field.Hostname also doubles as the domain for remote entities.
domainDomainInformation about the domain.
artifactArtifactArtifacts are pieces of contextual data about entities in your environment. They're essential for security investigations because they provide enriched information about various elements involved in security events. This detail helps analysts understand the full scope and timeline of an attack. An artifact can only be an IP address.
url_metadataURLInformation about the URL.
asset_idstringThe asset ID.
userUserInformation about the user.
user_management_chainUserrepeatedInformation about the user's management chain (reporting hierarchy).Note: The user_management_chain field is only populated when data is exported toBigQuery because BigQuery doesn't support recursive data types (such as theuser.managers. structure).
groupGroupInformation about the group.
processProcessInformation about the process.
process_ancestorsProcessrepeatedInformation about the process's ancestors ordered from immediate ancestor(parent process) to root.Note: process_ancestors is only populated when data is exported to BigQuerysince recursive fields (for example, process.parent_process) are not supported byBigQuery.
assetAssetInformation about the asset.
ipstringrepeatedA list of IP addresses associated with a network connection.
nat_ipstringrepeatedA list of NAT translated IP addresses associated with a network connection.
portint32Source or destination network port number when a specific networkconnection is described within an event.
nat_portint32NAT external network port number when a specific network connection isdescribed within an event.
macstringrepeatedList of MAC addresses associated with a device.
administrative_domainstringDomain which the device belongs to (for example, the Microsoft Windowsdomain).
namespacestringNamespace which the device belongs to, such as "AD forest".Uses for this field include Microsoft Windows AD forest, the name ofsubsidiary, or the name of acquisition.
URLstringThe URL.
fileFileInformation about the file.
emailstringEmail address.Only filled in for security_result.about
registryRegistryRegistry information.
applicationstringThe name of an application or service.Some SSO solutions only capture the name of a target applicationsuch as "Atlassian" or "Google".
platformNoun.PlatformPlatform.
platform_versionstringPlatform version. For example,"Microsoft Windows 1803".
platform_patch_levelstringPlatform patch level.For example, "Build 17134.48"
cloudCloudCloud metadata.Deprecated: cloud should be populated in entity Attribute as genericmetadata (for example, asset.attribute.cloud).
locationLocationPhysical location. For cloud environments, set the region inlocation.name.
ip_locationLocationrepeatedDeprecated: use ip_geo_artifact.location instead.
ip_geo_artifactArtifactrepeatedEnriched geographic information corresponding to an IP address.Specifically, location and network data.
resourceResourceInformation about the resource (for example, scheduled task, calendar entry).This field shouldn't be used for files, registry, or processes becausethese objects are already part of Noun.
resource_ancestorsResourcerepeatedInformation about the resource's ancestors ordered from immediate ancestor(starting with parent resource).
labelsLabelrepeatedLabels are key-value pairs.For example: key = "env", value = "prod".Deprecated: labels should be populated in entity Attribute as genericmetadata (for example, user.attribute.labels).
object_referenceIdFinding to which the Analyst updated the feedback.
investigationInvestigationAnalyst feedback/investigation for alerts.
networkNetworkNetwork details, including sub-messages with details on each protocol(for example, DHCP, DNS, or HTTP).
security_resultSecurityResultrepeatedA list of security results.

SecurityResult

Security related metadata for the event. A security result might be somethinglike "virus detected and quarantined," "malicious connection blocked," or"sensitive data included in document foo.doc." Each security result, of whichthere may be more than one, may either pertain to the whole event, or to a

specific object or device referenced in the event (for example, a malicious filethat was detected, or a sensitive document sent as an email attachment). For

security results that apply to a particular object referenced in the event,the security_results message MUST contain details about the implicated object(such as process, user, IP, domain, URL, IP, or email address) in the aboutfield. For security results that apply to the entire event (for example, SPAM foundin this email), the about field must remain empty.

Field NameTypeLabelDescription
aboutNounIf the security result is about a specific entity (Noun), add it here.
categorySecurityResult.SecurityCategoryrepeatedThe security category.
category_detailsstringrepeatedFor vendor-specific categories. For web categorization, put type in heresuch as "gambling" or "porn".
threat_namestringA vendor-assigned classification common across multiple customers(for example, "W32/File-A", "Slammer").
rule_setstringThe result's rule set identifier(for example, "windows-threats").
rule_set_display_namestringThe curated detections rule set display name.
ruleset_category_display_namestringThe curated detection rule set category display name.(for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration",the rule_set_category is "Cloud Threats").
rule_idstringA vendor-specific ID and name for a rule, varying by observer type(for example, "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").
rule_namestringName of the security rule(for example, "BlockInboundToOracle").
rule_versionstringVersion of the security rule.(for example, "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00").Note that rule versions are source-dependent and lexical orderingshouldn't be assumed.
rule_typestringThe type of security rule.
rule_authorstringAuthor of the security rule.
rule_labelsLabelrepeatedA list of rule labels that can't be captured by the other fieldsin security result(for example, "reference : AnotherRule", "contributor : John").
alert_stateSecurityResult.AlertStateThe alerting types of this security result.
detection_fieldsLabelrepeatedAn ordered list of values, that represent fields in detections for asecurity finding. This list represents mapping of names of requestedentities to their values (i.e. the security result matched variables) .
outcomesLabelrepeatedA list of outcomes that represent the results of this security finding.This list represents a mapping of names of the requested outcomes,to their values.
summarystringA human-readable summary (for example, "failed login occurred").
descriptionstringA human-readable description (for example, "user password was wrong").
actionSecurityResult.ActionrepeatedActions taken for this event.
action_detailsstringThe detail of the action taken as provided by the vendor.
severitySecurityResult.ProductSeverityThe severity of the result.
confidenceSecurityResult.ProductConfidenceThe confidence level of the result as estimated by the product.
prioritySecurityResult.ProductPriorityThe priority of the result.
risk_scorefloatThe risk score of the security result.
confidence_scorefloatThe confidence score of the security result.
analytics_metadataAnalyticsMetadatarepeatedStores metadata about each risk analytic metric the rule uses.
severity_detailsstringVendor-specific severity.
confidence_detailsstringAdditional detail with regards to the confidence of a security event asestimated by the product vendor.
priority_detailsstringVendor-specific information about the security result priority.
url_back_to_productstringURL that takes the user to the source product console for this event.
threat_idstringVendor-specific ID for a threat.
threat_feed_namestringVendor feed name for a threat indicator feed.
threat_id_namespaceId.NamespaceThe attribute threat_id_namespace qualifies threat_id with an ID namespaceto get anunique ID. The attribute threat_id by itself is not unique across Google SecOpsas it is a vendor specific ID.
threat_statusSecurityResult.ThreatStatusCurrent status of the threat
attack_detailsAttackDetailsMITRE ATT&CK details.
first_discovered_timegoogle.protobuf.TimestampFirst time the IoC threat was discovered in the provider.
associationsSecurityResult.AssociationrepeatedAssociations related to the threat.
campaignsstringrepeatedCampaigns using this IOC threat.
verdictSecurityResult.VerdictVerdict about the IoC from the provider.This field is now deprecated. Use VerdictInfo instead.
last_updated_timegoogle.protobuf.TimestampLast time the IoC threat was updated in the provider.
verdict_infoSecurityResult.VerdictInforepeatedVerdict information about the IoC from the provider.
threat_verdictThreatVerdictGCTI threat verdict on the security result entity.
last_discovered_timegoogle.protobuf.TimestampLast time the IoC was seen in the provider data.

Event subtypes

AnalyticsMetadata

Stores information about an analytics metric used in a rule.

Field NameTypeLabelDescription
analyticstringName of the analytic.

Artifact

Information about an artifact. The artifact can only be an IP.

Field NameTypeLabelDescription
ipstringIP address of the artifact.
prevalencePrevalenceThe prevalence of the artifact within the customer's environment.
first_seen_timegoogle.protobuf.TimestampFirst seen timestamp of the IP in the customer's environment.
last_seen_timegoogle.protobuf.TimestampLast seen timestamp of the IP address in the customer's environment.
locationLocationLocation of the Artifact's IP address.
networkNetworkNetwork information related to the Artifact's IP address.
as_ownerstringOwner of the Autonomous System to which the IP address belongs.
asnint64Autonomous System Number to which the IP address belongs.
jarmstringThe JARM hash for the IP address.(https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a).
last_https_certificateSSLCertificateSSL certificate information about the IP address.
last_https_certificate_dategoogle.protobuf.TimestampMost recent date for the certificate in VirusTotal.
regional_internet_registrystringRIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC).
tagsstringrepeatedIdentification attributes
whoisstringWHOIS information as returned from the pertinent WHOIS server.
whois_dategoogle.protobuf.TimestampDate of the last update of the WHOIS record in VirusTotal.

Asset

Information about a compute asset such as a workstation, laptop, phone,virtual desktop, or VM.

Field NameTypeLabelDescription
product_object_idstringA vendor-specific identifier to uniquely identify the entity (a GUID orsimilar).
hostnamestringAsset hostname or domain name field.
asset_idstringThe asset ID. Value must contain the ':' character. For example,cs:abcdd23434.
ipstringrepeatedA list of IP addresses associated with an asset.
macstringrepeatedList of MAC addresses associated with an asset.
nat_ipstringrepeatedList of NAT IP addresses associated with an asset.
first_seen_timegoogle.protobuf.TimestampThe first observed time for an asset.The value is calculated on the basis of thefirst time the identifier was observed.
hardwareHardwarerepeatedThe asset hardware specifications.
platform_softwarePlatformSoftwareThe asset operating system platform software.
softwareSoftwarerepeatedThe asset software details.
locationLocationLocation of the asset.
categorystringThe category of the asset (for example, "End User Asset", "Workstation", "Server").
typeAsset.AssetTypeThe type of asset (for example, workstation, laptop, server).
network_domainstringThe network domain of the asset (for example, "corp.acme.com").
creation_timegoogle.protobuf.TimestampTime the asset was created or provisioned.Deprecate: creation_time should be populated in Attribute as genericmetadata.
first_discover_timegoogle.protobuf.TimestampTime the asset was first discovered (by asset management/discoverabilitysoftware).
last_discover_timegoogle.protobuf.TimestampTime the asset was last discovered (by asset management/discoverabilitysoftware).
system_last_update_timegoogle.protobuf.TimestampTime the asset system or OS was last updated.For all other operations that are not system updates (such as resizing aVM), use Attribute.last_update_time.
last_boot_timegoogle.protobuf.TimestampTime the asset was last boot started.
labelsLabelrepeatedMetadata labels for the asset.Deprecated: labels should be populated in Attribute as generic metadata.
deployment_statusAsset.DeploymentStatusThe deployment status of the asset for device lifecycle purposes.
vulnerabilitiesVulnerabilityrepeatedVulnerabilities discovered on asset.
attributeAttributeGeneric entity metadata attributes of the asset.

AttackDetails

MITRE ATT&CK details.

Field NameTypeLabelDescription
versionstringATT&CK version (for example, 12.1).
tacticsAttackDetails.TacticrepeatedTactics employed.
techniquesAttackDetails.TechniquerepeatedTechniques employed.

AttackDetails.Tactic

Tactic information related to an attack or threat.

Field NameTypeLabelDescription
idstringTactic ID (for example, "TA0043").
namestringTactic Name (for example, "Reconnaissance").

AttackDetails.Technique

Technique information related to an attack or threat.

Field NameTypeLabelDescription
idstringTechnique ID (for example, "T1595").
namestringTechnique Name (for example, "Active Scanning").
subtechnique_idstringSubtechnique ID (for example, "T1595.001").
subtechnique_namestringSubtechnique Name (for example, "Scanning IP Blocks").

Attribute

Attribute is a container for generic entity attributes including commonattributes across core entities (such as, user or asset). For example, Cloudis a generic entity attribute since it can apply to an asset (for example, aVM) or a user (for example, an identity service account).

Field NameTypeLabelDescription
cloudCloudCloud metadata attributes such as project ID, account ID, or organizationalhierarchy.
labelsLabelrepeatedSet of labels for the entity. Should only be used for product labels (forexample, Google Cloud resource labels or Azure AD sensitivity labels.This shouldn't be used for arbitrary key-value mappings.
permissionsPermissionrepeatedSystem permissions for IAM entity(human principal, service account, group).
rolesRolerepeatedSystem IAM roles to be assumed by resources to use the role's permissionsfor access control.
creation_timegoogle.protobuf.TimestampTime the resource or entity was created or provisioned.
last_update_timegoogle.protobuf.TimestampTime the resource or entity was last updated.

Authentication

The Authentication extension captures details specific to authenticationevents.General guidelines for authentication events:

  • Details about the source of the authentication event (for example, clientIP or hostname), should be captured in principal. The principal may beempty if we have no details about the source of the login.

  • Details about the target of the authentication event (for example, detailsabout the machine that is being logged into or logged out of) should becaptured in target.

  • Some authentication events may involve a third-party. For example, a userlogs into a cloud service (for example, Google SecOps) using their company's SSO (theevent is logged by their SSO solution). In this case, the principalcaptures information about the user's device, the target captures detailsabout the cloud service they logged into, and the intermediary capturesdetails about the SSO solution.

Field NameTypeLabelDescription
typeAuthentication.AuthTypeThe type of authentication.
mechanismAuthentication.MechanismrepeatedThe authentication mechanism.
auth_detailsstringThe vendor defined details of the authentication.

Certificate

Certificate information

Field NameTypeLabelDescription
versionstringCertificate version.
serialstringCertificate serial number.
subjectstringSubject of the certificate.
issuerstringIssuer of the certificate.
md5stringThe MD5 hash of the certificate, as a hex-encoded string.
sha1stringThe SHA-1 hash of the certificate, as a hex-encoded string.
sha256stringThe SHA256 hash of the certificate, as a hex-encoded string.
not_beforegoogle.protobuf.TimestampIndicates when the certificate is first valid.
not_aftergoogle.protobuf.TimestampIndicates when the certificate is no longer valid.

Cloud

Metadata related to the cloud environment.

Field NameTypeLabelDescription
environmentCloud.CloudEnvironmentThe Cloud environment.
vpcResourceThe cloud environment VPC.Deprecated.
projectResourceThe cloud environment project information.Deprecated: Use Resource.resource_ancestors
availability_zonestringThe cloud environment availability zone (different from region which islocation.name).

DNSRecord

DNS record.

Field NameTypeLabelDescription
typestringType.
valuestringValue.
ttlInt64Time to live.
priorityint64Priority.
retryint64Retry.
refreshInt64Refresh.
minimumInt64Minimum.
expireInt64Expire.
serialint64Serial.
rnamestringRname.

Dhcp

DHCP information.

Field NameTypeLabelDescription
opcodeDhcp.OpCodeThe BOOTP op code.
htypeuint32Hardware address type.
hlenuint32Hardware address length.
hopsuint32Hardware ops.
transaction_iduint32Transaction ID.
secondsuint32Seconds elapsed since client began address acquisition/renewal process.
flagsuint32Flags.
ciaddrstringClient IP address (ciaddr).
yiaddrstringYour IP address (yiaddr).
siaddrstringIP address of the next bootstrap server.
giaddrstringRelay agent IP address (giaddr).
chaddrstringClient hardware address (chaddr).
snamestringServer name that the client wishes to boot from.
filestringBoot image filename.
optionsDhcp.OptionrepeatedList of DHCP options.
typeDhcp.MessageTypeDHCP message type.
lease_time_secondsuint32Lease time in seconds. See RFC2132, section 9.2.
client_hostnamestringClient hostname. See RFC2132, section 3.14.
client_identifierbytesClient identifier. See RFC2132, section 9.14.
requested_addressstringRequested IP address. See RFC2132, section 9.1.

Dhcp.Option

DHCP options.

Field NameTypeLabelDescription
codeuint32Code. See RFC1533.
databytesData.

Dns

DNS information.

Field NameTypeLabelDescription
iduint32DNS query id.
responseboolSet to true if the event is a DNS response. See QR field from RFC1035.
opcodeuint32The DNS OpCode used to specify the type of DNS query(for example, QUERY, IQUERY, or STATUS).
authoritativeboolOther DNS header flags. See RFC1035, section 4.1.1.
truncatedboolWhether the DNS response was truncated.
recursion_desiredboolWhether a recursive DNS lookup is desired.
recursion_availableboolWhether a recursive DNS lookup is available.
response_codeuint32Response code. See RCODE from RFC1035.
questionsDns.QuestionrepeatedA list of domain protocol message questions.
answersDns.ResourceRecordrepeatedA list of answers to the domain name query.
authorityDns.ResourceRecordrepeatedA list of domain name servers which verified the answers to the domain namequeries.
additionalDns.ResourceRecordrepeatedA list of additional domain name servers that can be used to verify theanswer to the domain.

Dns.Question

DNS Questions. See RFC1035, section 4.1.2.

Field NameTypeLabelDescription
namestringThe domain name.
typeuint32The code specifying the type of the query.
classuint32The code specifying the class of the query.
prevalencePrevalenceThe prevalence of the domain within the customer's environment.

Dns.ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

Field NameTypeLabelDescription
namestringThe name of the owner of the resource record.
typeuint32The code specifying the type of the resource record.
classuint32The code specifying the class of the resource record.
ttluint32The time interval for which the resource record can be cached before thesource of the information should again be queried.
datastringThe payload or response to the DNS question for all responses encoded inUTF-8 format
binary_databytesThe raw bytes of any non-UTF8 strings that might be included as part of aDNS response.

Domain

Information about a domain.

Field NameTypeLabelDescription
namestringThe domain name.
prevalencePrevalenceThe prevalence of the domain within the customer's environment.
first_seen_timegoogle.protobuf.TimestampFirst seen timestamp of the domain in the customer's environment.
last_seen_timegoogle.protobuf.TimestampLast seen timestamp of the domain in the customer's environment.
registrarstringRegistrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)","GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM".
contact_emailstringContact email address.
whois_serverstringWhois server name.
name_serverstringrepeatedRepeated list of name servers.
creation_timegoogle.protobuf.TimestampDomain creation time.
update_timegoogle.protobuf.TimestampLast updated time.
expiration_timegoogle.protobuf.TimestampExpiration time.
audit_update_timegoogle.protobuf.TimestampAudit updated time.
statusstringDomain status. Seehttps://www.icann.org/resources/pages/epp-status-codes-2014-06-16-enfor meanings of possible values
registrantUserParsed contact information for the registrant of the domain.
adminUserParsed contact information for the administrative contact for the domain.
techUserParsed contact information for the technical contact for the domain
billingUserParsed contact information for the billing contact of the domain.
zoneUserParsed contact information for the zone.
whois_record_raw_textbytesWHOIS raw text.
registry_data_raw_textbytesRegistry Data raw text.
iana_registrar_idint32IANA Registrar ID. Seehttps://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml
private_registrationboolIndicates whether the domain appears to be using a private registrationservice to mask the owner's contact information.
categoriesstringrepeatedCategories assign to the domain as retrieved from VirusTotal.
faviconFaviconIncludes difference hash and MD5 hash of the domain's favicon.
jarmstringDomain's JARM hash.
last_dns_recordsDNSRecordrepeatedDomain's DNS records from the last scan.
last_dns_records_timegoogle.protobuf.TimestampDate when the DNS records list was retrieved by VirusTotal.
last_https_certificateSSLCertificateSSL certificate object retrieved last time the domain was analyzed.
last_https_certificate_timegoogle.protobuf.TimestampWhen the certificate was retrieved by VirusTotal.
popularity_ranksPopularityRankrepeatedDomain's position in popularity ranks such as Alexa, Quantcast, Statvoo,etc
tagsstringrepeatedList of representative attributes.
whois_timegoogle.protobuf.TimestampDate of the last update of the WHOIS record.

Email

Email information for the sender or recipient.

Field NameTypeLabelDescription
fromstringThe 'from' address.
reply_tostringThe 'reply to' address.
tostringrepeatedA list of 'to' addresses.
ccstringrepeatedA list of 'cc' addresses.
bccstringrepeatedA list of 'bcc' addresses.
mail_idstringThe mail (or message) ID.
subjectstringrepeatedThe subject lines of the email.
bounce_addressstringThe envelope from address.https://en.wikipedia.org/wiki/Bounce_address
Note: Each individual email address field (such asfrom,to,cc, and so on) has a maximum limit of 256 bytes. Values exceeding this limit cause a parsing error.

Favicon

Difference hash and MD5 hash of the domain's favicon.

Field NameTypeLabelDescription
raw_md5stringFavicon's MD5 hash.
dhashstringDifference hash.

File

Information about a file.

Field NameTypeLabelDescription
sha256stringThe SHA256 hash of the file, as a hex-encoded string.
md5stringThe MD5 hash of the file, as a hex-encoded string.
sha1stringThe SHA1 hash of the file, as a hex-encoded string.
sizeuint64The size of the file in bytes.
full_pathstringThe full path identifying the location of the file on the system.
mime_typestringThe MIME (Multipurpose Internet Mail Extensions) type of the file,for example "PE", "PDF", or "powershell script".
file_metadataFileMetadataMetadata associated with the file.Deprecate FileMetadata in favor of using fields in File.
security_resultSecurityResultGoogle Cloud Threat Intelligence (GCTI) security result for the fileincluding threat context and detection metadata.
pe_fileFileMetadataPEMetadata about the Portable Executable (PE) file.
ssdeepstringSsdeep of the file
vhashstringVhash of the file.
ahashstringDeprecated. Use authentihash instead.
authentihashstringAuthentihash of the file.
file_typeFile.FileTypeFileType field.
capabilities_tagsstringrepeatedCapabilities tags.
namesstringrepeatedNames fields.
tagsstringrepeatedTags for the file.
last_modification_timegoogle.protobuf.TimestampTimestamp when the file was last updated.
prevalencePrevalencePrevalence of the file hash in the customer's environment.
first_seen_timegoogle.protobuf.TimestampTimestamp the file was first seen in the customer's environment.
last_seen_timegoogle.protobuf.TimestampTimestamp the file was last seen in the customer's environment.
stat_modeuint64The mode of the file. A bit string indicating the permissions andprivileges of the file.
stat_inodeuint64The file identifier. Unique identifier of object within a file system.
stat_devuint64The file system identifier to which the object belongs.
stat_nlinkuint64Number of links to file.
stat_flagsuint32User defined flags for file.
last_analysis_timegoogle.protobuf.TimestampTimestamp the file was last analysed.
embedded_urlsstringrepeatedEmbedded URLs found in the file.
embedded_domainsstringrepeatedEmbedded domains found in the file.
embedded_ipsstringrepeatedEmbedded IP addresses found in the file.
exif_infoExifInfoExif metadata from different file formats extracted by exiftool.
signature_infoSignatureInfoFile signature information extracted from different tools.
pdf_infoPDFInfoInformation about the PDF file structure.
first_submission_timegoogle.protobuf.TimestampFirst submission time of the file.
last_submission_timegoogle.protobuf.TimestampLast submission time of the file.
main_iconFaviconIcon's relevant hashes.

FileMetadataCodesign

File metadata from the codesign utility.

Field NameTypeLabelDescription
idstringCode sign identifier.
formatstringCode sign format.
compilation_timegoogle.protobuf.TimestampCode sign timestamp

FileMetadataPE

Metadata about the Portable Executable (PE) file.

Field NameTypeLabelDescription
imphashstringImphash of the file.
entry_pointint64info.pe-entry-point.
entry_point_exiftoolint64info.exiftool.EntryPoint.
compilation_timegoogle.protobuf.Timestampinfo.pe-timestamp.
compilation_exiftool_timegoogle.protobuf.Timestampinfo.exiftool.TimeStamp.
section FileMetadataSectionrepeatedFilemetadataSection fields.
imports FileMetadataImportsrepeatedFilemetadataImports fields.
resource FileMetadataPeResourceInforepeatedFilemetadataPeResourceInfo fields.
resources_type_countStringToInt64MapEntryrepeatedDeprecated: use resources_type_count_str.
resources_language_countStringToInt64MapEntryrepeatedDeprecated: use resources_language_count_str.
resources_type_count_strLabelrepeatedNumber of resources by resource type.Example: RT_ICON: 10, RT_DIALOG: 5
resources_language_count_strLabelrepeatedNumber of resources by language.Example: NEUTRAL: 20, ENGLISH US: 10
signature_infoFileMetadataSignatureInfoFilemetadataSignatureInfo field.deprecated, user File.signature_info instead.

FileMetadataSignatureInfo

Signature information.

Field NameTypeLabelDescription
verification_messagestringStatus of the certificate.Valid values are "Signed", "Unsigned" or a description of the certificateanomaly, if found.
verifiedboolTrue if verification_message == "Signed"
signerstringrepeatedDeprecated: use signers field.
signersSignerInforepeatedFile metadata signer information.The order of the signers matters. Each element is a higher levelauthority, being the last the root authority.
x509X509repeatedList of certificates.

Ftp

FTP info.

Field NameTypeLabelDescription
commandstringThe FTP command.

Group

Information about an organizational group.

Field NameTypeLabelDescription
product_object_idstringProduct globally unique user object identifier, such as an LDAP ObjectIdentifier.
creation_timegoogle.protobuf.TimestampGroup creation time.Deprecated: creation_time should be populated in Attribute as genericmetadata.
group_display_namestringGroup display name, for example, "Finance".
attributeAttributeGeneric entity metadata attributes of the group.
email_addressesstringrepeatedEmail addresses of the group.
windows_sidstringMicrosoft Windows SID of the group.

Hardware

Hardware specification details for a resource, including both physical andvirtual hardware.

Field NameTypeLabelDescription
serial_numberstringHardware serial number.
manufacturerstringHardware manufacturer.
modelstringHardware model.
cpu_platformstringPlatform of the hardware CPU (for example, "Intel Broadwell").
cpu_modelstringModel description of the hardware CPU(for example, "2.8 GHz Quad-Core Intel Core i5").
cpu_clock_speeduint64Clock speed of the hardware CPU in MHz.
cpu_max_clock_speeduint64Maximum possible clock speed of the hardware CPU in MHz.
cpu_number_coresuint64Number of CPU cores.
ramuint64Amount of the hardware random access memory (RAM) in Mb.

Http

Specify the full URL of the HTTP request within "target".Also specify any uploaded or downloaded file information within "source"or "target".

Field NameTypeLabelDescription
methodstringThe HTTP request method(for example, "GET", "POST", "PATCH", "DELETE").
referral_urlstringThe URL for the HTTP referer.
user_agentstringThe User-Agent request header which includes the application type,operating system, software vendor or software version of the requestingsoftware user agent.
response_codestringThe response status code, for example200, 302, 404, or 500.
parsed_user_agentstringThe parsed user_agent string.

Investigation

Represents the aggregated state of an investigation such as categorization,

severity, and status. Can be expanded to include analyst assignment detailsand more.

Field NameTypeLabelDescription
verdictVerdictoptionalDescribes reason a finding investigation was resolved.
reputationReputationoptionalDescribes whether a finding was useful or not-useful.
severity_scoreuint32optionalSeverity score for a finding set by an analyst.
statusStatusoptionalDescribes the workflow status of a finding.
commentsstringrepeatedComment added by the Analyst.
priorityPriorityoptionalPriority of the Alert or Finding set by analyst.
root_causestringoptionalRoot cause of the Alert or Finding set by analyst.
reasonReasonoptionalReason for closing the Case or Alert.
risk_scoreuint32optionalRisk score for a finding set by an analyst.

Label

Key value labels.

Field NameTypeLabelDescription
keystringThe key.
valuestringThe value.
rbac_enabledboolIndicates whether this label can be used for Data RBAC

Location

Information about a location.

Field NameTypeLabelDescription
citystringThe city.
statestringThe state.
country_or_regionstringThe country or region.
namestringCustom location name (for example, building or site name like "London Office").For cloud environments, this is the region (for example, "us-west2").
desk_namestringDesk name or individual location, typically for an employee in anoffice (for example, "IN-BLR-BCPC-11-1121D").
floor_namestringFloor name, number, or a combination of the two for a building (for example, "1-A").
region_latitudefloatDeprecated: use region_coordinates.
region_longitudefloatDeprecated: use region_coordinates.
region_coordinatesgoogle.type.LatLngCoordinates for the associated region.Seehttps://cloud.google.com/vision/docs/reference/rest/v1/LatLngfor a description of the fields.

PDFInfo

Information about the PDF file structure. Seehttps://developers.virustotal.com/reference/pdf_info

Field NameTypeLabelDescription
jsint64Number of /JS tags found in the PDF file. Should be the same asjavascript field in normal scenarios.
javascriptint64Number of /JavaScript tags found in the PDF file. Should be the same asthe js field in normal scenarios.
launch_action_countint64Number of /Launch tags found in the PDF file.
object_stream_countint64Number of object streams.
endobj_countint64Number of object definitions (endobj keyword).
headerstringPDF version.
acroformint64Number of /AcroForm tags found in the PDF.
autoactionint64Number of /AA tags found in the PDF.
embedded_fileint64Number of /EmbeddedFile tags found in the PDF.
encryptedint64Whether the document is encrypted or not. This is defined by the /Encrypttag.
flashint64Number of /RichMedia tags found in the PDF.
jbig2_compressionint64Number of /JBIG2Decode tags found in the PDF.
obj_countint64Number of objects definitions (obj keyword).
endstream_countint64Number of defined stream objects (stream keyword).
page_countint64Number of pages in the PDF.
stream_countint64Number of defined stream objects (stream keyword).
openactionint64Number of /OpenAction tags found in the PDF.
startxrefint64Number of startxref keywords in the PDF.
suspicious_colorsint64Number of colors expressed with more than 3 bytes (CVE-2009-3459).
trailerint64Number of trailer keywords in the PDF.
xfaint64Number of \XFA tags found in the PDF.
xrefint64Number of xref keywords in the PDF.

PeFileMetadata

Metadata about a Microsoft Windows Portable Executable.

Field NameTypeLabelDescription
import_hashstringHash of PE imports.

Permission

System permission for resource access and modification.

Field NameTypeLabelDescription
namestringName of the permission (for example, chronicle.analyst.updateRule).
descriptionstringDescription of the permission (for example, 'Ability to update detect rules').
typePermission.PermissionTypeType of the permission.

PlatformSoftware

Platform software information about an operating system.

Field NameTypeLabelDescription
platformNoun.PlatformThe platform operating system.
platform_versionstringPlatform software version (for example, "Microsoft Windows 1803").
platform_patch_levelstringPlatform software patch level (for example, "Build 17134.48", "SP1").

PopularityRank

Domain's position in popularity ranks for sources such as Alexa, Quantcast,or Statvoo.

Field NameTypeLabelDescription
giverstringName of the rank serial number hexdump.
rankint64Rank position.
ingestion_timegoogle.protobuf.TimestampTimestamp when the rank was ingested.

Prevalence

The prevalence of a resource within the customer's environment.This measures how common it is for assets to access the resource.

Field NameTypeLabelDescription
rolling_maxint32The maximum number of assets per day accessing the resource over thetrailing day_count days.
day_countint32The number of days over which rolling_max is calculated.
rolling_max_sub_domainsint32The maximum number of assets per day accessing the domain along withsub-domains over the trailing day_count days. This field is only valid fordomains.
day_maxint32The max prevalence score in a day interval window.
day_max_sub_domainsint32The max prevalence score in a day interval window across sub-domains. Thisfield is only valid for domains.

Process

Information about a process.

Field NameTypeLabelDescription
pidstringThe process ID.
parent_pidstringThe ID of the parent process.Deprecated: use parent_process.pid instead.
parent_processProcessInformation about the parent process.
fileFileInformation about the file in use by the process.
command_linestringThe command line command that created the process.
command_line_historystringrepeatedThe command line history of the process.
product_specific_process_idstringA product specific process id.
access_maskuint64A bit mask representing the level of access.
integrity_level_riduint64The Microsoft Windows integrity level relative ID (RID) of the process.
token_elevation_typeProcess.TokenElevationTypeThe elevation type of the process on Microsoft Windows. This determines ifany privileges are removed when UAC is enabled.
product_specific_parent_process_idstringA product specific id for the parent process.Please use parent_process.product_specific_process_id instead.

Registry

Information about a registry key or value.

Field NameTypeLabelDescription
registry_keystringRegistry key associated with an application or system component(for example, HKEY_, HKCU\Environment...).
registry_value_namestringName of the registry value associated with an application or systemcomponent (for example, TEMP).
registry_value_datastringData associated with a registry value(for example, %USERPROFILE%\Local Settings\Temp).

Resource

Information about a resource such as a task, Cloud Storagebucket, database, disk, logical policy, or something similar.

Field NameTypeLabelDescription
typestringDeprecated: use resource_type instead.
resource_typeResource.ResourceTypeResource type.
resource_subtypestringResource sub-type (for example, "BigQuery", "Bigtable").
idstringDeprecated: Use resource.name or resource.product_object_id.
namestringThe full name of the resource. For example,Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123,and AWS: arn:aws:iam::123456789012:user/johndoe.
parentstringThe parent of the resource.For a database table, the parent is the database. For a storage object,the bucket name. Deprecated: use resource_ancestors.name.
product_object_idstringA vendor-specific identifier to uniquely identify the entity (a GUID,OID, or similar)
attributeAttributeGeneric entity metadata attributes of the resource.

Role

System role for resource access and modification.

Field NameTypeLabelDescription
namestringSystem role name for user.
descriptionstringSystem role description for user.
typeRole.TypeSystem role type for well known roles.

SSLCertificate

SSL certificate.

Field NameTypeLabelDescription
cert_signatureSSLCertificate.CertSignatureCertificate's signature and algorithm.
extensionSSLCertificate.Extension(DEPRECATED) certificate's extension.
cert_extensionsgoogle.protobuf.StructCertificate's extensions.
first_seen_timegoogle.protobuf.TimestampDate the certificate was first retrieved by VirusTotal.
issuerSSLCertificate.SubjectCertificate's issuer data.
ecSSLCertificate.ECEC public key information.
serial_numberstringCertificate's serial number hexdump.
signature_algorithmstringAlgorithm used for the signature (for example, "sha1RSA").
sizeint64Certificate content length.
subjectSSLCertificate.SubjectCertificate's subject data.
thumbprintstringCertificate's content SHA1 hash.
thumbprint_sha256stringCertificate's content SHA256 hash.
validitySSLCertificate.ValidityCertificate's validity period.
versionstringCertificate version (typically "V1", "V2" or "V3").

SSLCertificate.AuthorityKeyId

Identifies the public key to be used to verify the signature on thiscertificate or CRL.

Field NameTypeLabelDescription
keyidstringKey hexdump.
serial_numberstringSerial number hexdump.

SSLCertificate.CertSignature

Certificate's signature and algorithm.

Field NameTypeLabelDescription
signaturestringSignature.
signature_algorithmstringAlgorithm.

SSLCertificate.DSA

DSA public key information.

Field NameTypeLabelDescription
pstringp component hexdump.
qstringq component hexdump.
gstringg component hexdump.
pubstringPublic key hexdump.

SSLCertificate.EC

EC public key information.

Field NameTypeLabelDescription
oidstringCurve name.
pubstringPublic key hexdump.

SSLCertificate.Extension

Certificate's extensions.

Field NameTypeLabelDescription
caboolWhether the subject acts as a certificate authority (CA) or not.
subject_key_idstringIdentifies the public key being certified.
authority_key_idSSLCertificate.AuthorityKeyIdIdentifies the public key to be used to verify the signature on thiscertificate or CRL.
key_usagestringThe purpose for which the certified public key is used.
ca_info_accessstringAuthority information access locations are URLs that are added to acertificate in its authority information access extension.
crl_distribution_pointsstringCRL distribution points to which a certificate user should refer toascertain if the certificate has been revoked.
extended_key_usagestringOne or more purposes for which the certified public key may be used, inaddition to or in place of the basic purposes indicated in the key usageextension field.
subject_alternative_namestringContains one or more alternative names, using any of a variety of nameforms, for the entity that is bound by the CA to the certified publickey.
certificate_policiesstringDifferent certificate policies will relate to different applicationswhich may use the certified key.
netscape_cert_commentstringUsed to include free-form text comments inside certificates.
cert_template_name_dcstringBMP data value "DomainController". See MS Q291010.
netscape_certificateboolIdentify whether the certificate subject is an SSL client, an SSL server,or a CA.
pe_logotypeboolWhether the certificate includes a logotype.
old_authority_key_idboolWhether the certificate has an old authority key identifier extension.

SSLCertificate.PublicKey

Subject public key info.

Field NameTypeLabelDescription
algorithmstringAny of "RSA", "DSA" or "EC". Indicates the algorithm used to generate thecertificate.
rsaSSLCertificate.RSARSA public key information.

SSLCertificate.RSA

RSA public key information.

Field NameTypeLabelDescription
key_sizeint64Key size.
modulusstringKey modulus hexdump.
exponentstringKey exponent hexdump.

SSLCertificate.Subject

Subject data.

Field NameTypeLabelDescription
country_namestringC: Country name.
common_namestringCN: CommonName.
localitystringL: Locality.
organizationstringO: Organization.
organizational_unitstringOU: OrganizationalUnit.
state_or_province_namestringST: StateOrProvinceName.

SSLCertificate.Validity

Defines certificate's validity period.

Field NameTypeLabelDescription
expiry_timegoogle.protobuf.TimestampExpiry date.
issue_timegoogle.protobuf.TimestampIssue date.

SecurityResult.AnalystVerdict

Verdict provided by the human analyst. These fields are used to modelMandiant sources.

Field NameTypeLabelDescription
confidence_scoreint32Confidence score of the verdict.
verdict_timegoogle.protobuf.TimestampTimestamp at which the verdict was generated.
verdict_responseSecurityResult.VerdictResponseDetails of the verdict.

SecurityResult.Association

Association represents different metadata about malware and threat actorsinvolved with an IoC.

Field NameTypeLabelDescription
idstringUnique association id generated by mandiant.
country_codestringrepeatedCountry from which the threat actor/ malware is originated.
typeSecurityResult.Association.AssociationTypeSignifies the type of association.
namestringName of the threat actor/malware.
descriptionstringHuman-readable description about the association.
rolestringRole of the malware. Not applicable for threat actor.
source_countrystringName of the country the threat originated from.
aliasSecurityResult.Association.AssociationAliasrepeatedDifferent aliases of the threat actor given by different sources.
first_reference_timegoogle.protobuf.TimestampFirst time the threat actor was referenced or seen.
last_reference_timegoogle.protobuf.TimestampLast time the threat actor was referenced or seen.
industries_affectedstringrepeatedList of industries the threat actor affects.
associated_actorsSecurityResult.AssociationrepeatedList of associated threat actors for a malware. Not applicable for threatactors.
region_codeLocationName of the country, the threat is originating from.
sponsor_regionLocationSponsor region of the threat actor.
targeted_regionsLocationrepeatedTargeted regions.
tagsstringrepeatedTags.

SecurityResult.Association.AssociationAlias

Association Alias used to represent Mandiant Threat Intelligence.

Field NameTypeLabelDescription
namestringName of the alias.
companystringName of the provider who gave the association's name.

SecurityResult.IoCStats

Information about the threat intelligence source. These fields are used tomodel Mandiant sources.

Field NameTypeLabelDescription
ioc_stats_typeSecurityResult.IoCStatsTypeDescribes the source of the IoCStat.
first_level_sourcestringName of first level IoC source, for example Mandiant or a third-party.
second_level_sourcestringName of the second-level IoC source, for example Crowdsourced ThreatAnalysis or Knowledge Graph.
benign_countint32Count of responses where the IoC was identified as benign.
qualitySecurityResult.ProductConfidenceLevel of confidence in the IoC mapping extracted from the source.
malicious_countint32Count of responses where the IoC was identified as malicious.
response_countint32Total number of response from the source.
source_countint32Number of sources from which information was extracted.

SecurityResult.ProviderMLVerdict

MLVerdict result provided from threat providers, like Mandiant. Thesefields are used to model Mandiant sources.

Field NameTypeLabelDescription
source_providerstringSource provider giving the ML verdict.
benign_countint32Count of responses where this IoC was marked benign.
malicious_countint32Count of responses where this IoC was marked malicious.
confidence_scoreint32Confidence score of the verdict.
mandiant_sourcesSecurityResult.SourcerepeatedList of mandiant sources from which the verdict was generated.
third_party_sourcesSecurityResult.SourcerepeatedList of third-party sources from which the verdict was generated.

SecurityResult.Source

Information about the threat intelligence source. These fields are used tomodel Mandiant sources.

Field NameTypeLabelDescription
namestringName of the IoC source.
benign_countint32Count of responses where this IoC was marked benign.
malicious_countint32Count of responses where this IoC was marked malicious.
qualitySecurityResult.ProductConfidenceQuality of the IoC mapping extracted from the source.
response_countint32Total response count from this source.
source_countint32Number of sources from which intelligence was extracted.
threat_intelligence_sourcesSecurityResult.SourcerepeatedDifferent threat intelligence sources from which IoC info was extracted.

SecurityResult.Verdict

Encapsulates the threat verdict provided by human analysts and ML models.These fields are used to model Mandiant sources.

Field NameTypeLabelDescription
source_countint32Number of sources from which intelligence was extracted.
response_countint32Total response count across all sources.
neighbour_influencestringDescribes the neighbour influence of the verdict.
verdictSecurityResult.ProviderMLVerdictML Verdict provided by sources like Mandiant.
analyst_verdictSecurityResult.AnalystVerdictHuman analyst verdict provided by sources like Mandiant.

SecurityResult.VerdictInfo

Describes the threat verdict provided by human analysts and machinelearning models. These fields are used to model Mandiant sources.

Field NameTypeLabelDescription
source_countint32Number of sources from which intelligence was extracted.
response_countint32Total response count across all sources.
neighbour_influencestringDescribes the near neighbor influence of the verdict.
verdict_typeSecurityResult.VerdictTypeType of verdict.
source_providerstringSource provider giving the machine learning verdict.
benign_countint32Count of responses where this IoC was marked as benign.
malicious_countint32Count of responses where this IoC was marked as malicious.
confidence_scoreint32Confidence score of the verdict.
ioc_statsSecurityResult.IoCStatsrepeatedList of IoCStats from which the verdict was generated.
verdict_timegoogle.protobuf.TimestampTimestamp when the verdict was generated.
verdict_responseSecurityResult.VerdictResponseDetails about the verdict.
global_customer_countint32Global customer count over the last 30 days
global_hits_countint32Global hit count over the last 30 days.
pwnboolWhether one or more Mandiant incident response customers had thisindicator in their environment.
category_detailsstringTags related to the verdict.
pwn_first_tagged_timegoogle.protobuf.TimestampThe timestamp of the first time a pwn was associated to this entity.

SignatureInfo

File signature information extracted from different tools.

Field NameTypeLabelDescription
sigcheckFileMetadataSignatureInfoSignature information extracted from the sigcheck tool.
codesignFileMetadataCodesignSignature information extracted from the codesign utility.

SignerInfo

File metadata related to the signer information.

Field NameTypeLabelDescription
namestringoptionalCommon name of the signers/certificate.The order of the signers matters. Each element is a higher levelauthority, the last being the root authority.
statusstringoptionalIt can say "Valid" or state the problem with the certificate if any (e.g."This certificate or one of the certificates in the certificate chain isnot time valid.").
valid_usagestringoptionalIndicates which situations the certificate is valid for (for example, "CodeSigning").
cert_issuerstringoptionalCompany that issued the certificate.

Smtp

SMTP info. See RFC 2821.

Field NameTypeLabelDescription
helostringThe client's 'HELO'/'EHLO' string.
mail_fromstringThe client's 'MAIL FROM' string.
rcpt_tostringrepeatedThe client's 'RCPT TO' string(s).
server_responsestringrepeatedThe server's response(s) to the client.
message_pathstringThe message's path (extracted from the headers).
is_webmailboolIf the message was sent via a webmail client.
is_tlsboolIf the connection switched to TLS.

Software

Information about a software package or application.

Field NameTypeLabelDescription
namestringThe name of the software.
versionstringThe version of the software.
permissionsPermissionrepeatedSystem permissions granted to the software.For example, "android.permission.WRITE_EXTERNAL_STORAGE"
descriptionstringThe description of the software.
vendor_namestringThe name of the software vendor.

Tags

Tags are event metadata which is set by examining event contentspost-parsing. For example, a UDM event may be assigned a tenant_id based oncertain customer-defined parameters.

Field NameTypeLabelDescription
tenant_idbytesrepeatedA list of subtenant ids that this event belongs to.
data_tap_config_namestringrepeatedA list of sink name values defined in DataTap configurations.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM)

system.

Field NameTypeLabelDescription
intervalgoogle.type.IntervalInterval duration of the leave.
descriptionstringDescription of the leave if available (for example, 'Vacation').

Tls

Transport Layer Security (TLS) information.

Field NameTypeLabelDescription
clientTls.ClientCertificate information for the client certificate.
serverTls.ServerCertificate information for the server certificate.
cipherstringCipher used during the connection.
curvestringElliptical curve used for a given cipher.
versionstringTLS version.
version_protocolstringProtocol.
establishedboolIndicates whether the TLS negotiation was successful.
next_protocolstringProtocol to be used for tunnel.
resumedboolIndicates whether the TLS connection was resumed from a previousTLS negotiation.

Tls.Client

Transport Layer Security (TLS) information associated with the client(for example, Certificate or JA3 hash).

Field NameTypeLabelDescription
certificateCertificateClient certificate.
ja3stringJA3 hash from the TLS ClientHello, as a hex-encoded string.
server_namestringHost name of the server, that the client is connecting to.
supported_ciphersstringrepeatedCiphers supported by the client during client hello.

Tls.Server

Transport Layer Security (TLS) information associated with the server(for example, Certificate or JA3 hash).

Field NameTypeLabelDescription
certificateCertificateServer certificate.
ja3sstringJA3 hash from the TLS ServerHello, as a hex-encoded string.

Tracker

URL Tracker.

Field NameTypeLabelDescription
trackerstringTracker name.
idstringTracker ID, if available.
timestampgoogle.protobuf.TimestampTracker ingestion date.
URLstringTracker script URL.

URL

URL.

Field NameTypeLabelDescription
URLstringURL.
categoriesstringrepeatedCategorisation done by VirusTotal partners.
faviconFaviconDifference hash and MD5 hash of the URL's.
html_metagoogle.protobuf.StructMeta tags (only for URLs downloading HTML).
last_final_urlstringIf the original URL redirects, where does it end.
last_http_response_codeint32HTTP response code of the last response.
last_http_response_content_lengthint64Length in bytes of the content received.
last_http_response_content_sha256stringURL response body's SHA256 hash.
last_http_response_cookiesgoogle.protobuf.StructWebsite's cookies.
last_http_response_headersgoogle.protobuf.StructHeaders and values of the last HTTP response.
tagsstringrepeatedTags.
titlestringWebpage title.
trackersTrackerrepeatedTrackers found in the URL in a historical manner.

User

Information about a user.

Field NameTypeLabelDescription
product_object_idstringA vendor-specific identifier to uniquely identify the entity (for example, a GUID,LDAP, OID, or similar).
useridstringThe ID of the user.
user_display_namestringThe display name of the user(for example, "John Locke").
first_namestringFirst name of the user (for example, "John").
middle_namestringMiddle name of the user.
last_namestringLast name of the user (for example, "Locke").
phone_numbersstringrepeatedPhone numbers for the user.
personal_addressLocationPersonal address of the user.
attributeAttributeGeneric entity metadata attributes of the user.
first_seen_timegoogle.protobuf.TimestampThe first observed time for a user.The value is calculated on the basis of thefirst time the identifier was observed.
account_typeUser.AccountTypeType of user account (for example, service, domain, or cloud). This issomewhat aligned to:https://attack.mitre.org/techniques/T1078/
groupidstringThe ID of the group that the user belongs to.Deprecated in favor of the repeated group_identifiers field.
group_identifiersstringrepeatedProduct object identifiers of the group(s) the user belongs toA vendor-specific identifier to uniquely identify the group(s) the userbelongs to (a GUID, LDAP OID, or similar).
windows_sidstringThe Microsoft Windows SID of the user.
email_addressesstringrepeatedEmail addresses of the user.
employee_idstringHuman capital management identifier.
titlestringUser job title.
company_namestringUser job company name.
departmentstringrepeatedUser job department
office_addressLocationUser job office location.
managersUserrepeatedUser job manager(s).
hire_dategoogle.protobuf.TimestampUser job employment hire date.
termination_dategoogle.protobuf.TimestampUser job employment termination date.
time_offTimeOffrepeatedUser time off leaves from active work.
last_login_timegoogle.protobuf.TimestampUser last login timestamp.
last_password_change_timegoogle.protobuf.TimestampUser last password change timestamp.
password_expiration_timegoogle.protobuf.TimestampUser password expiration timestamp.
account_expiration_timegoogle.protobuf.TimestampUser account expiration timestamp.
account_lockout_timegoogle.protobuf.TimestampUser account lockout timestamp.
last_bad_password_attempt_timegoogle.protobuf.TimestampUser last bad password attempt timestamp.
user_authentication_statusAuthentication.AuthenticationStatusSystem authentication status for user.
role_namestringSystem role name for user.Deprecated: use attribute.roles.
role_descriptionstringSystem role description for user.Deprecated: use attribute.roles.
user_roleUser.RoleSystem role for user.Deprecated: use attribute.roles.

Vulnerabilities

The Vulnerabilities extension captures details on observed/detectedvulnerabilities.

Field NameTypeLabelDescription
vulnerabilitiesVulnerabilityrepeatedA list of vulnerabilities.

Vulnerability

A vulnerability.

Field NameTypeLabelDescription
aboutNounIf the vulnerability is about a specific noun (for example, executable),then add it here.
namestringName of the vulnerability (for example, "Unsupported OS Version detected").
descriptionstringDescription of the vulnerability.
vendorstringVendor of scan that discovered vulnerability.
scan_start_timegoogle.protobuf.TimestampIf the vulnerability was discovered during an asset scan, then thisfield should be populated with the time the scan started.This field can be left unset if the start time is not available or notapplicable.
scan_end_timegoogle.protobuf.TimestampIf the vulnerability was discovered during an asset scan, then this fieldshould be populated with the time the scan ended.This field can be left unset if the end time is not available or notapplicable.
first_foundgoogle.protobuf.TimestampProducts that maintain a history of vuln scans should populate first_foundwith the time that a scan first detected the vulnerability on this asset.
last_foundgoogle.protobuf.TimestampProducts that maintain a history of vuln scans should populate last_foundwith the time that a scan last detected the vulnerability on this asset.
severityVulnerability.SeverityThe severity of the vulnerability.
severity_detailsstringVendor-specific severity
cvss_base_scorefloatCVSS Base Score in the range of 0.0 to 10.0.Useful for sorting.
cvss_vectorstringVector of CVSS properties (for example, "AV:L/AC:H/Au:N/C:N/I:P/A:C")Can be linked to via:https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
cvss_versionstringVersion of CVSS Vector/Score.
cve_idstringCommon Vulnerabilities and Exposures Id.https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposureshttps://cve.mitre.org/about/faqs.html#what_is_cve_id
cve_descriptionstringCommon Vulnerabilities and Exposures Description.https://cve.mitre.org/about/faqs.html#what_is_cve_record
vendor_vulnerability_idstringVendor specific vulnerability id (for example, Microsoft security bulletin id).
vendor_knowledge_base_article_idstringVendor specific knowledge base article (for example, "KBXXXXXX" from Microsoft).https://en.wikipedia.org/wiki/Microsoft_Knowledge_Basehttps://access.redhat.com/knowledgebase

X509

File certificate.

Field NameTypeLabelDescription
namestringCertificate name.
algorithmstringCertificate algorithm.
thumbprintstringCertificate thumbprint.
cert_issuerstringIssuer of the certificate.
serial_numberstringCertificate serial number.

Event enumerated types

Asset.AssetType

The role type of the asset.

Enum ValueEnum NumberDescription
ROLE_UNSPECIFIED0Unspecified asset role.
WORKSTATION1A workstation or desktop.
LAPTOP2A laptop computer.
IOT3An IOT asset.
NETWORK_ATTACHED_STORAGE4A network attached storage device.
PRINTER5A printer.
SCANNER6A scanner.
SERVER7A server.
TAPE_LIBRARY8A tape library device.
MOBILE9A mobile device such as a mobile phone or PDA.

Asset.DeploymentStatus

Deployment status states.

Enum ValueEnum NumberDescription
DEPLOYMENT_STATUS_UNSPECIFIED0Unspecified deployment status.
ACTIVE1Asset is active, functional and deployed.
PENDING_DECOMMISSION2Asset is pending decommission and no longer deployed.
DECOMMISSIONED3Asset is decommissioned.

Authentication.AuthType

Type of system the authentication event is associated with.

Enum ValueEnum NumberDescription
AUTHTYPE_UNSPECIFIED0The default type.
MACHINE1A machine authentication.
SSO2An SSO authentication.
VPN3A VPN authentication.
PHYSICAL4A Physical authentication (for example, "Badge reader").
TACACS5A TACACS family protocol for networked systems authentication(for example, TACACS, TACACS+).

Authentication.AuthenticationStatus

Authentication status, can be used to describe the status of authenticationfor a user or particular credential.

Enum ValueEnum NumberDescription
UNKNOWN_AUTHENTICATION_STATUS0The default authentication status.
ACTIVE1The authentication method is in active state.
SUSPENDED2The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS3The authentication method has no active credentials.
DELETED4The authentication method has been deleted.

Authentication.Mechanism

Mechanism(s) used to authenticate.

Enum ValueEnum NumberDescription
MECHANISM_UNSPECIFIED0The default mechanism.
USERNAME_PASSWORD1Username + password authentication.
OTP2OTP authentication.
HARDWARE_KEY3Hardware key authentication.
LOCAL4Local authentication.
REMOTE5Remote authentication.
REMOTE_INTERACTIVE6RDP, Terminal Services, or VNC.
MECHANISM_OTHER7Some other mechanism that is not defined here.
BADGE_READER8Badge reader authentication
NETWORK9Network authentication.
BATCH10Batch authentication.
SERVICE11Service authentication
UNLOCK12Direct human-interactive unlock authentication.
NETWORK_CLEAR_TEXT13Network clear text authentication.
NEW_CREDENTIALS14Authentication with new credentials.
INTERACTIVE15Interactive authentication.
CACHED_INTERACTIVE16Interactive authentication using cached credentials.
CACHED_REMOTE_INTERACTIVE17Cached Remote Interactive authentication using cached credentials.
CACHED_UNLOCK18Cached Remote Interactive authentication using cached credentials.

Cloud.CloudEnvironment

The service provider environment.

Enum ValueEnum NumberDescription
UNSPECIFIED_CLOUD_ENVIRONMENT0Default.
GOOGLE_CLOUD_PLATFORM1Google Cloud Platform.
AMAZON_WEB_SERVICES2Amazon Web Services.
MICROSOFT_AZURE3Microsoft Azure.

Dhcp.MessageType

DHCP message type. See RFC2131, section 3.1.

Enum ValueEnum NumberDescription
UNKNOWN_MESSAGE_TYPE0Default message type.
DISCOVER1DHCPDISCOVER.
OFFER2DHCPOFFER.
REQUEST3DHCPREQUEST.
DECLINE4DHCPDECLINE.
ACK5DHCPACK.
NAK6DHCPNAK.
RELEASE7DHCPRELEASE.
INFORM8DHCPINFORM.
WIN_DELETED100Microsoft Windows DHCP "lease deleted".
WIN_EXPIRED101Microsoft Windows DHCP "lease expired".

Dhcp.OpCode

BOOTP op code. See RFC951, section 3.

Enum ValueEnum NumberDescription
UNKNOWN_OPCODE0Default opcode.
BOOTREQUEST1Request.
BOOTREPLY2Reply.

File.FileType

The file type, for example Microsoft Windows executable.

Enum ValueEnum NumberDescription
FILE_TYPE_UNSPECIFIED0File type is UNSPECIFIED.
FILE_TYPE_PE_EXE1File type is PE_EXE.
FILE_TYPE_PE_DLL2Although DLLs are actually portable executables, this valueenables the file type to be identified separately.File type is PE_DLL.
FILE_TYPE_MSI3File type is MSI.
FILE_TYPE_NE_EXE10File type is NE_EXE.
FILE_TYPE_NE_DLL11File type is NE_DLL.
FILE_TYPE_DOS_EXE20File type is DOS_EXE.
FILE_TYPE_DOS_COM21File type is DOS_COM.
FILE_TYPE_COFF30File type is COFF.
FILE_TYPE_ELF31File type is ELF.
FILE_TYPE_LINUX_KERNEL32File type is LINUX_KERNEL.
FILE_TYPE_RPM33File type is RPM.
FILE_TYPE_LINUX34File type is LINUX.
FILE_TYPE_MACH_O35File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE36File type is JAVA_BYTECODE.
FILE_TYPE_DMG37File type is DMG.
FILE_TYPE_DEB38File type is DEB.
FILE_TYPE_PKG39File type is PKG.
FILE_TYPE_PYC40File type is PYC.
FILE_TYPE_LNK50File type is LNK.
FILE_TYPE_JPEG100File type is JPEG.
FILE_TYPE_TIFF101File type is TIFF.
FILE_TYPE_GIF102File type is GIF.
FILE_TYPE_PNG103File type is PNG.
FILE_TYPE_BMP104File type is BMP.
FILE_TYPE_GIMP105File type is GIMP.
FILE_TYPE_IN_DESIGN106File type is Adobe InDesign.
FILE_TYPE_PSD107File type is PSD.Adobe Photoshop.
FILE_TYPE_TARGA108File type is TARGA.
FILE_TYPE_XWD109File type is XWD.
FILE_TYPE_DIB110File type is DIB.
FILE_TYPE_JNG111File type is JNG.
FILE_TYPE_ICO112File type is ICO.
FILE_TYPE_FPX113File type is FPX.
FILE_TYPE_EPS114File type is EPS.
FILE_TYPE_SVG115File type is SVG.
FILE_TYPE_EMF116File type is EMF.
FILE_TYPE_WEBP117File type is WEBP.
FILE_TYPE_DWG118File type is DWG.
FILE_TYPE_DXF119File type is DXF.
FILE_TYPE_THREEDS120File type is 3DS.
FILE_TYPE_OGG150File type is OGG.
FILE_TYPE_FLC151File type is FLC.
FILE_TYPE_FLI152File type is FLI.
FILE_TYPE_MP3153File type is MP3.
FILE_TYPE_FLAC154File type is FLAC.
FILE_TYPE_WAV155File type is WAV.
FILE_TYPE_MIDI156File type is MIDI.
FILE_TYPE_AVI157File type is AVI.
FILE_TYPE_MPEG158File type is MPEG.
FILE_TYPE_QUICKTIME159File type is QUICKTIME.
FILE_TYPE_ASF160File type is ASF.
FILE_TYPE_DIVX161File type is DIVX.
FILE_TYPE_FLV162File type is FLV.
FILE_TYPE_WMA163File type is WMA.
FILE_TYPE_WMV164File type is WMV.
FILE_TYPE_RM165File type is RM.RealMedia type.
FILE_TYPE_MOV166File type is MOV.
FILE_TYPE_MP4167File type is MP4.
FILE_TYPE_T3GP168File type is T3GP.
FILE_TYPE_WEBM169File type is WEBM.
FILE_TYPE_MKV170File type is MKV.
FILE_TYPE_PDF200File type is PDF.
FILE_TYPE_PS201File type is PS.
FILE_TYPE_DOC202File type is DOC.
FILE_TYPE_DOCX203File type is DOCX.
FILE_TYPE_PPT204File type is PPT.
FILE_TYPE_PPTX205File type is PPTX.
FILE_TYPE_PPSX209File type is PPSX.
FILE_TYPE_XLS206File type is XLS.
FILE_TYPE_XLSX207File type is XLSX.
FILE_TYPE_RTF208File type is RTF.
FILE_TYPE_ODP250File type is ODP.
FILE_TYPE_ODS251File type is ODS.
FILE_TYPE_ODT252File type is ODT.
FILE_TYPE_HWP253File type is HWP.
FILE_TYPE_GUL254File type is GUL.
FILE_TYPE_ODF255File type is ODF.
FILE_TYPE_ODG256File type is ODG.
FILE_TYPE_ONE_NOTE257File type is ONE_NOTE.
FILE_TYPE_OOXML258File type is OOXML.
FILE_TYPE_EBOOK260File type is EBOOK.
FILE_TYPE_LATEX261File type is LATEX.
FILE_TYPE_TTF262File type is TTF.
FILE_TYPE_EOT263File type is EOT.
FILE_TYPE_WOFF264File type is WOFF.
FILE_TYPE_CHM265File type is CHM.
FILE_TYPE_ZIP300File type is ZIP.
FILE_TYPE_GZIP301File type is GZIP.
FILE_TYPE_BZIP302File type is BZIP.
FILE_TYPE_RZIP303File type is RZIP.
FILE_TYPE_DZIP304File type is DZIP.
FILE_TYPE_SEVENZIP305File type is SEVENZIP.
FILE_TYPE_CAB306File type is CAB.
FILE_TYPE_JAR307File type is JAR.
FILE_TYPE_RAR308File type is RAR.
FILE_TYPE_MSCOMPRESS309File type is MSCOMPRESS.
FILE_TYPE_ACE310File type is ACE.
FILE_TYPE_ARC311File type is ARC.
FILE_TYPE_ARJ312File type is ARJ.
FILE_TYPE_ASD313File type is ASD.
FILE_TYPE_BLACKHOLE314File type is BLACKHOLE.
FILE_TYPE_KGB315File type is KGB.
FILE_TYPE_ZLIB316File type is ZLIB.
FILE_TYPE_TAR317File type is TAR.
FILE_TYPE_ZST318File type is ZST.
FILE_TYPE_LZFSE319File type is LZFSE.
FILE_TYPE_PYTHON_WHL320File type is PYTHON_WHL.
FILE_TYPE_PYTHON_PKG321File type is PYTHON_PKG.
FILE_TYPE_TEXT400File type is TEXT.
FILE_TYPE_SCRIPT401File type is SCRIPT.
FILE_TYPE_PHP402File type is PHP.
FILE_TYPE_PYTHON403File type is PYTHON.
FILE_TYPE_PERL404File type is PERL.
FILE_TYPE_RUBY405File type is RUBY.
FILE_TYPE_C406File type is C.
FILE_TYPE_CPP407File type is CPP.
FILE_TYPE_JAVA408File type is JAVA.
FILE_TYPE_SHELLSCRIPT409File type is SHELLSCRIPT.
FILE_TYPE_PASCAL410File type is PASCAL.
FILE_TYPE_AWK411File type is AWK.
FILE_TYPE_DYALOG412File type is DYALOG.
FILE_TYPE_FORTRAN413File type is FORTRAN.
FILE_TYPE_JAVASCRIPT414File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL415File type is POWERSHELL.
FILE_TYPE_VBA416File type is VBA.
FILE_TYPE_M4417File type is M4.
FILE_TYPE_OBJETIVEC418File type is OBJETIVEC.
FILE_TYPE_JMOD419File type is JMOD.
FILE_TYPE_MAKEFILE420File type is MAKEFILE.
FILE_TYPE_INI421File type is INI.
FILE_TYPE_CLJ422File type is CLJ.
FILE_TYPE_PDB425File type is PDB.
FILE_TYPE_SQL426File type is SQL.
FILE_TYPE_NEKO427File type is NEKO.
FILE_TYPE_WER428File type is WER.
FILE_TYPE_GOLANG429File type is GOLANG.
FILE_TYPE_SYMBIAN500File type is SYMBIAN.
FILE_TYPE_PALMOS501File type is PALMOS.
FILE_TYPE_WINCE502File type is WINCE.
FILE_TYPE_ANDROID503File type is ANDROID.
FILE_TYPE_IPHONE504File type is IPHONE.
FILE_TYPE_HTML600File type is HTML.
FILE_TYPE_XML601File type is XML.
FILE_TYPE_SWF602File type is SWF.
FILE_TYPE_FLA603File type is FLA.
FILE_TYPE_COOKIE604File type is COOKIE.
FILE_TYPE_TORRENT605File type is TORRENT.
FILE_TYPE_EMAIL_TYPE606File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK607File type is OUTLOOK.
FILE_TYPE_SGML608File type is SGML.
FILE_TYPE_JSON609File type is JSON.
FILE_TYPE_CSV610File type is CSV.
FILE_TYPE_CAP700File type is CAP.
FILE_TYPE_ISOIMAGE800File type is ISOIMAGE.
FILE_TYPE_SQUASHFS801File type is SQUASHFS.
FILE_TYPE_VHD802File type is VHD.
FILE_TYPE_APPLE1000File type is APPLE.
FILE_TYPE_MACINTOSH1001File type is MACINTOSH.
FILE_TYPE_APPLESINGLE1002File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE1003File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS1004File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST1005File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB1006File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT1007File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED1008File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX1100File type is CRX.
FILE_TYPE_XPI1101File type is XPI.
FILE_TYPE_ROM1200File type is ROM.
FILE_TYPE_IPS1201File type is IPS.
FILE_TYPE_PEM1300File type is PEM.
FILE_TYPE_PGP1301File type is PGP.
FILE_TYPE_CRT1302File type is CRT.

Metadata.EnrichmentState

An enrichment state.

Enum ValueEnum NumberDescription
ENRICHMENT_STATE_UNSPECIFIED0Unspecified.
ENRICHED1The event has been enriched by Google SecOps.
UNENRICHED2The event has not been enriched by Google SecOps.

Metadata.EventType

An event type.Choose the event type based on the entity that logged the event, rather than theproduct that generated it. For example, an antivirus (AV) scanning a client emailwould log an SMTP_PROXY event, not an AV event. A DLP device scanning a webupload would generate an HTTP_PROXYevent and not a DLP or process activity event.

Note: In the case of aHTTP_PROXY event, you might also include process details if this occurredon an endpoint. That would be optional, but there are a certain set ofrequired fields and banned fields due to its status as an HTTP_PROXY event.
Enum ValueEnum NumberDescription
EVENTTYPE_UNSPECIFIED0Default event type
PROCESS_UNCATEGORIZED10000Activity related to a process which does not match any other event types.
PROCESS_LAUNCH10001Process launch.
PROCESS_INJECTION10002Process injecting into another process.
PROCESS_PRIVILEGE_ESCALATION10003Process privilege escalation.
PROCESS_TERMINATION10004Process termination.
PROCESS_OPEN10005Process being opened.
PROCESS_MODULE_LOAD10006Process loading a module.
REGISTRY_UNCATEGORIZED11000Registry event which does not match any of the other event types.
REGISTRY_CREATION11001Registry creation.
REGISTRY_MODIFICATION11002Registry modification.
REGISTRY_DELETION11003Registry deletion.
SETTING_UNCATEGORIZED12000Settings-related event which does not match any of the otherevent types.
SETTING_CREATION12001Setting creation.
SETTING_MODIFICATION12002Setting modification.
SETTING_DELETION12003Setting deletion.
MUTEX_UNCATEGORIZED13000Any mutex event other than creation.
MUTEX_CREATION13001Mutex creation.
FILE_UNCATEGORIZED14000File event which does not match any of the other event types.
FILE_CREATION14001File created.
FILE_DELETION14002File deleted.
FILE_MODIFICATION14003File modified.
FILE_READ14004File read.
FILE_COPY14005File copied.Used for file copies, for example, to a thumb drive.
FILE_OPEN14006File opened.
FILE_MOVE14007File moved or renamed.
FILE_SYNC14008File synced (for example, Google Drive, Dropbox, backup).
USER_UNCATEGORIZED15000User activity which does not match any of the other event types.
USER_LOGIN15001User login.
USER_LOGOUT15002User logout.
USER_CREATION15003User creation.
USER_CHANGE_PASSWORD15004User password change event.
USER_CHANGE_PERMISSIONS15005Change in user permissions.
USER_STATS15006Deprecated. Used to update user info for an LDAP dump.
USER_BADGE_IN15007User physically badging into a location.
USER_DELETION15008User deletion.
USER_RESOURCE_CREATION15009User creating a virtual resource.This is equivalent to RESOURCE_CREATION.
USER_RESOURCE_UPDATE_CONTENT15010User updating content of a virtual resource.This is equivalent to RESOURCE_WRITTEN.
USER_RESOURCE_UPDATE_PERMISSIONS15011User updating permissions of a virtual resource.This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
USER_COMMUNICATION15012User initiating communication through a medium (for example, video).
USER_RESOURCE_ACCESS15013User accessing a virtual resource.This is equivalent to RESOURCE_READ.
USER_RESOURCE_DELETION15014User deleting a virtual resource.This is equivalent to RESOURCE_DELETION.
GROUP_UNCATEGORIZED23000A group activity that does not fall into one of the other event types.
GROUP_CREATION23001A group creation.
GROUP_DELETION23002A group deletion.
GROUP_MODIFICATION23003A group modification.
EMAIL_UNCATEGORIZED19000Email messages
EMAIL_TRANSACTION19001An email transaction.
EMAIL_URL_CLICK19002Deprecated: use NETWORK_HTTP instead. An email URL click event.
NETWORK_UNCATEGORIZED16000A network event that does not fit into one of the other event types.
NETWORK_FLOW16001Aggregated flow stats like netflow.
NETWORK_CONNECTION16002Network connection details like from a FW.
NETWORK_FTP16003FTP telemetry.
NETWORK_DHCP16004DHCP payload.
NETWORK_DNS16005DNS payload.
NETWORK_HTTP16006HTTP telemetry.
NETWORK_SMTP16007SMTP telemetry.
STATUS_UNCATEGORIZED17000A status message that does not fit into one of the other event types.
STATUS_HEARTBEAT17001Heartbeat indicating product is alive.
STATUS_STARTUP17002An agent startup.
STATUS_SHUTDOWN17003An agent shutdown.
STATUS_UPDATE17004A software or fingerprint update.
SCAN_UNCATEGORIZED18000Scan item that does not fit into one of the other event types.
SCAN_FILE18001A file scan.
SCAN_PROCESS_BEHAVIORS18002Scan process behaviors.Please use SCAN_PROCESS instead.
SCAN_PROCESS18003Scan process.
SCAN_HOST18004Scan results from scanning an entire host device for threats/sensitivedocuments.
SCAN_VULN_HOST18005Vulnerability scan logs about host vulnerabilities (for example, out of datesoftware) and network vulnerabilities (for example, unprotected service detectedvia a network scan).
SCAN_VULN_NETWORK18006Vulnerability scan logs about network vulnerabilities.
SCAN_NETWORK18007Scan network for suspicious activity
SCHEDULED_TASK_UNCATEGORIZED20000Scheduled task event that does not fall into one of the otherevent types.
SCHEDULED_TASK_CREATION20001Scheduled task creation.
SCHEDULED_TASK_DELETION20002Scheduled task deletion.
SCHEDULED_TASK_ENABLE20003Scheduled task being enabled.
SCHEDULED_TASK_DISABLE20004Scheduled task being disabled.
SCHEDULED_TASK_MODIFICATION20005Scheduled task being modified.
SYSTEM_AUDIT_LOG_UNCATEGORIZED21000A system audit log event that is not a wipe.
SYSTEM_AUDIT_LOG_WIPE21001A system audit log wipe.
SERVICE_UNSPECIFIED22000Service event that does not fit into one of the other event types.
SERVICE_CREATION22001A service creation.
SERVICE_DELETION22002A service deletion.
SERVICE_START22003A service start.
SERVICE_STOP22004A service stop.
SERVICE_MODIFICATION22005A service modification.
GENERIC_EVENT100000Operating system events that are not described by any of the otherevent types. Might include uncategorized Microsoft Windows event logs.
RESOURCE_CREATION1The resource was created/provisioned.This is equivalent to USER_RESOURCE_CREATION.
RESOURCE_DELETION2The resource was deleted/deprovisioned.This is equivalent to USER_RESOURCE_DELETION.
RESOURCE_PERMISSIONS_CHANGE3The resource had it's permissions or ACLs updated.This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
RESOURCE_READ4The resource was read.This is equivalent to USER_RESOURCE_ACCESS.
RESOURCE_WRITTEN5The resource was written to.This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
DEVICE_FIRMWARE_UPDATE25000Firmware update.
DEVICE_CONFIG_UPDATE25001Configuration update.
DEVICE_PROGRAM_UPLOAD25002A program or application uploaded to a device.
DEVICE_PROGRAM_DOWNLOAD25003A program or application downloaded to a device.
ANALYST_UPDATE_VERDICT24000Analyst update about the Verdict (such as true positive, false positive,or disregard) of a finding.
ANALYST_UPDATE_REPUTATION24001Analyst update about the Reputation (such as useful or not useful) of afinding.
ANALYST_UPDATE_SEVERITY_SCORE24002Analyst update about the Severity score (0-100) of a finding.
ANALYST_UPDATE_STATUS24007Analyst update about the finding status.
ANALYST_ADD_COMMENT24008Analyst addition of a comment for a finding.
ANALYST_UPDATE_PRIORITY24009Analyst update about the priority (such as low, medium, or high) for afinding.
ANALYST_UPDATE_ROOT_CAUSE24010Analyst update about the root cause for a finding.
ANALYST_UPDATE_REASON24011Analyst update about the reason (such as malicious or not malicious) fora finding.
ANALYST_UPDATE_RISK_SCORE24012Analyst update about the risk score (0-100) of a finding.
ENTITY_RISK_CHANGE26000Events indicating a change in the Entity's risk posture (the affected entity is identified by the `about` field).

Network.ApplicationProtocol

A network application protocol.

Enum ValueEnum NumberDescription
UNKNOWN_APPLICATION_PROTOCOL0The default application protocol.
AFP1Apple Filing Protocol.
APPC2Advanced Program-to-Program Communication.
AMQP3Advanced Message Queuing Protocol.
ATOM4Publishing Protocol.
BEEP5Block Extensible Exchange Protocol.
BITCOIN6Crypto currency protocol.
BIT_TORRENT7Peer-to-peer file sharing.
CFDP8Coherent File Distribution Protocol.
CIP67Common Industrial Protocol.
COAP9Constrained Application Protocol.
COTP68Connection Oriented Transport Protocol.
DCERPC66DCE/RPC.
DDS10Data Distribution Service.
DEVICE_NET11Automation industry protocol.
DHCP4000DHCP.
DICOM69Digital Imaging and Communications in Medicine Protocol.
DNP370Distributed Network Protocol 3 (DNP3)
DNS3000DNS.
E_DONKEY12Classic file sharing protocol.
ENRP13Endpoint Handlespace Redundancy Protocol.
FAST_TRACK14Filesharing peer-to-peer protocol.
FINGER15User Information Protocol.
FREENET16Censorship resistant peer-to-peer network.
FTAM17File Transfer Access and Management.
GOOSE71GOOSE Protocol.
GOPHER18Gopher protocol.
GRPC77gRPC Remote Procedure Call.
HL719Health Level Seven.
H32320Packet-based multimedia communications system.
HTTP2000HTTP.
HTTPS2001HTTPS.
IEC10472IEC 60870-5-104 (IEC 104) Protocol.
IRCP21Internet Relay Chat Protocol.
KADEMLIA22Peer-to-peer hashtables.
KRB565Kerberos 5.
LDAP23Lightweight Directory Access Protocol.
LPD24Line Printer Daemon Protocol.
MIME25Multipurpose Internet Mail Extensions and Secure MIME.
MMS73Multimedia Messaging Service.
MODBUS26Serial communications protocol.
MQTT27Message Queuing Telemetry Transport.
NETCONF28Network Configuration.
NFS29Network File System.
NIS30Network Information Service.
NNTP31Network News Transfer Protocol.
NTCIP32National Transportation Communications for Intelligent TransportationSystem.
NTP33Network Time Protocol.
OSCAR34AOL Instant Messenger Protocol.
PNRP35Peer Name Resolution Protocol.
PTP74Precision Time Protocol.
QUIC1000QUIC.
RDP36Remote Desktop Protocol.
RELP37Reliable Event Logging Protocol.
RIP38Routing Information Protocol.
RLOGIN39Remote Login in UNIX Systems.
RPC40Remote Procedure Call.
RTMP41Real Time Messaging Protocol.
RTP42Real-time Transport Protocol.
RTPS43Real Time Publish Subscribe.
RTSP44Real Time Streaming Protocol.
SAP45Session Announcement Protocol.
SDP46Session Description Protocol.
SIP47Session Initiation Protocol.
SLP48Service Location Protocol.
SMB49Server Message Block.
SMTP50Simple Mail Transfer Protocol.
SNMP75Simple Network Management Protocol.
SNTP51Simple Network Time Protocol.
SSH52Secure Shell.
SSMS53Secure SMS Messaging Protocol.
STYX54Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
SV76Sampled Values Protocol.
TCAP55Transaction Capabilities Application Part.
TDS56Tabular Data Stream.
TOR57Anonymity network.
TSP58Time Stamp Protocol.
VTP59Virtual Terminal Protocol.
WHOIS60Remote Directory Access Protocol.
WEB_DAV61Web Distributed Authoring and Versioning.
X40062Message Handling Service Protocol.
X50063Directory Access Protocol (DAP).
XMPP64Extensible Messaging and Presence Protocol.

Network.Direction

A network traffic direction.

Enum ValueEnum NumberDescription
UNKNOWN_DIRECTION0The default direction.
INBOUND1An inbound request.
OUTBOUND2An outbound request.
BROADCAST3A broadcast.

Network.IpProtocol

An IP protocol.

Enum ValueEnum NumberDescription
UNKNOWN_IP_PROTOCOL0The default protocol.
ICMP1ICMP.
IGMP2IGMP
TCP6TCP.
UDP17UDP.
IP6IN441IPv6 Encapsulation
GRE47Generic Routing Encapsulation
ESP50Encapsulating Security Payload
ICMP658ICMPv6
EIGRP88Enhanced Interior Gateway Routing
ETHERIP97Ethernet-within-IP Encapsulation
PIM103Protocol Independent Multicast
VRRP112Virtual Router Redundancy Protocol
SCTP132Stream Control Transmission Protocol

Noun.Platform

Operating system platform.

Enum ValueEnum NumberDescription
UNKNOWN_PLATFORM0Default value.
WINDOWS1Microsoft Windows.
MAC2macOS.
LINUX3Linux.
Google Cloud4Deprecated: see cloud.environment.
AWS5Deprecated: see cloud.environment.
AZURE6Deprecated: see cloud.environment.
IOS7IOS
ANDROID8Android
CHROME_OS9Chrome OS

Permission.PermissionType

High level categorizations of permission type.

Enum ValueEnum NumberDescription
UNKNOWN_PERMISSION_TYPE0Default permission type.
ADMIN_WRITE1Administrator write permission.
ADMIN_READ2Administrator read permission.
DATA_WRITE3Data resource access write permission.
DATA_READ4Data resource access read permission.

Priority

Priority that is assigned to a Case or Alert.

Enum ValueEnum NumberDescription
PRIORITY_UNSPECIFIED0Default priority level.
PRIORITY_INFO100Informational priority.
PRIORITY_LOW200Low priority.
PRIORITY_MEDIUM300Medium priority.
PRIORITY_HIGH400High priority.
PRIORITY_CRITICAL500Critical priority.

Process.TokenElevationType

The elevation type of the process's token.Seehttps://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type

Enum ValueEnum NumberDescription
UNKNOWN0An undetermined token type.
TYPE_11A full token with no privileges removed or groups disabled.
TYPE_22An elevated token with no privileges removed or groups disabled. Usedwhen running as administrator.
TYPE_33A limited token with administrative privileges removed andadministrative groups disabled.

Reason

Reason for closing an Alert or Case in the SOAR product.

Enum ValueEnum NumberDescription
REASON_UNSPECIFIED0Default reason.
REASON_NOT_MALICIOUS1Case or Alert not malicious.
REASON_MALICIOUS2Case or Alert is malicious.
REASON_MAINTENANCE3Case or Alert is under maintenance.

Reputation

Categorization options for the usefulness of a Finding.

Enum ValueEnum NumberDescription
REPUTATION_UNSPECIFIED0An unspecified reputation.
USEFUL1A categorization of the finding as useful.
NOT_USEFUL2A categorization of the finding as not useful.

Resource.ResourceType

Enum ValueEnum NumberDescription
UNSPECIFIED0Default type.
MUTEX1Mutex.
TASK2Task.
PIPE3Named pipe.
DEVICE4Device.
FIREWALL_RULE5Firewall rule.
MAILBOX_FOLDER6Mailbox folder.
VPC_NETWORK7VPC Network.
VIRTUAL_MACHINE8Virtual machine.
STORAGE_BUCKET9Storage bucket.
STORAGE_OBJECT10Storage object.
DATABASE11Database.
TABLE12Data table.
CLOUD_PROJECT13Cloud project.
CLOUD_ORGANIZATION14Cloud organization.
SERVICE_ACCOUNT15Service account.
ACCESS_POLICY16Access policy.
CLUSTER17Cluster.
SETTING18Settings.
DATASET19Dataset.
BACKEND_SERVICE20Endpoint that receive traffic from a load balancer or proxy.
POD21Pod, which is a collection of containers. Often used in Kubernetes.
CONTAINER22Container.
FUNCTION23Cloud function.
RUNTIME24Runtime.
IP_ADDRESS25IP address.
DISK26Disk.
VOLUME27Volume.
IMAGE28Machine image.
SNAPSHOT29Snapshot.
REPOSITORY30Repository.
CREDENTIAL31Credential, for example, access keys, ssh keys, tokens, certificates.
LOAD_BALANCER32Load balancer.
GATEWAY33Gateway.
SUBNET34Subnet.
USER35User

Role.Type

Well-known system roles.

Enum ValueEnum NumberDescription
TYPE_UNSPECIFIED0Default user role.
ADMINISTRATOR1Product administrator with elevated privileges.
SERVICE_ACCOUNT2System service account for automated privilege access.

SecurityResult.Action

Enum representing different possible actions taken by the product thatcreated the event.

Enum ValueEnum NumberDescription
UNKNOWN_ACTION0The default action.
ALLOW1Allowed.
BLOCK2Blocked.
ALLOW_WITH_MODIFICATION3Allowed with modification. The entity was modified (for example, "disinfected", "rewritten") before being forwarded.
QUARANTINE4Quarantine. The entity is isolated for later analysis, but isn't blocked from execution or delivery.
FAIL5Fail. The event processing failed (for example, the action was permitted but couldn't be completed).
CHALLENGE6Challenge. The user was presented with an extra validation step (for example, "CAPTCHA" or "2FA").

Google SecOpsmetrics classify UDM actions into three states—successful, failed, or neutral—to track outcomes:

  • Successful actions:ALLOW andALLOW_WITH_MODIFICATION actions are counted as successful.
  • Failed actions:BLOCK,QUARANTINE,FAIL, andCHALLENGE are counted as failed. This classification applies to all corresponding metrics (for example, "AUTH_ATTEMPTS_FAIL", "FILE_EXECUTIONS_FAIL", "RESOURCE_READ_FAIL").
  • Neutral actions:UNKNOWN_ACTION is classified as neither successful nor failed. This state typically reflects ambiguous logging where the final outcome (for example, a login) isn't confirmed, but an unknown error was still issued.

SecurityResult.AlertState

The type of alerting set up for a security result.

Enum ValueEnum NumberDescription
UNSPECIFIED0The security result type is not known.
NOT_ALERTING1The security result is not an alert.
ALERTING2The security result is an alert.

SecurityResult.Association.AssociationType

Represents different possible Association types. Can be threat ormalware. Used to represent Mandiant threat intelligence.

Enum ValueEnum NumberDescription
ASSOCIATION_TYPE_UNSPECIFIED0The default Association Type.
THREAT_ACTOR1Association type Threat actor.
MALWARE2Association type Malware.

SecurityResult.IoCStatsType

Type of IoCStat based on source.

Enum ValueEnum NumberDescription
UNSPECIFIED_IOC_STATS_TYPE0IoCStat source is unidentified.
MANDIANT_SOURCES1IoCStat is from a Mandiant Source.
THIRD_PARTY_SOURCES2IoCStat is from a third-party source.
THREAT_INTELLIGENCE_IOC_STATS3IoCStat is from a threat intelligence feed.

SecurityResult.ProductConfidence

A level of confidence in the result.

Enum ValueEnum NumberDescription
UNKNOWN_CONFIDENCE0The default confidence level.
LOW_CONFIDENCE200Low confidence.
MEDIUM_CONFIDENCE300Medium confidence.
HIGH_CONFIDENCE400High confidence.

SecurityResult.ProductPriority

A product priority level.

Enum ValueEnum NumberDescription
UNKNOWN_PRIORITY0Default priority level.
LOW_PRIORITY200Low priority.
MEDIUM_PRIORITY300Medium priority.
HIGH_PRIORITY400High priority.

SecurityResult.ProductSeverity

Defined by the product

Enum ValueEnum NumberDescription
UNKNOWN_SEVERITY0The default severity level.
INFORMATIONAL100Info severity.
ERROR150An error.
NONE101No malicious result.
LOW200Low-severity malicious result.
MEDIUM300Medium-severity malicious result.
HIGH400High-severity malicious result.
CRITICAL500Critical-severity malicious result.

SecurityResult.SecurityCategory

SecurityCategory is used to standardize security categories across productsso one event is not categorized as "malware" and another as a "virus".

Enum ValueEnum NumberDescription
UNKNOWN_CATEGORY0The default category.
SOFTWARE_MALICIOUS10000Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS10100Below the conviction threshold; probably bad.
SOFTWARE_PUA10200Potentially Unwanted App (such as adware).
NETWORK_MALICIOUS20000Includes C&C or network exploit.
NETWORK_SUSPICIOUS20100Suspicious activity, such as potential reverse tunnel.
NETWORK_CATEGORIZED_CONTENT20200Non-security related: URL has category like gambling or porn.
NETWORK_DENIAL_OF_SERVICE20300DoS, DDoS.
NETWORK_RECON20400Port scan detected by an IDS, probing of web app.
NETWORK_COMMAND_AND_CONTROL20500If we know this is a C&C channel.
ACL_VIOLATION30000Unauthorized access attempted, including attempted access to files,web services, processes, web objects, etc.
AUTH_VIOLATION40000Authentication failed (for example, bad password or bad 2-factor authentication).
EXPLOIT50000Exploit: For all manner of exploits including attempted overflows, badprotocol encodings, ROP, SQL injection, etc. For both network and host-based exploits.
DATA_EXFILTRATION60000DLP: Sensitive data transmission, copy to thumb drive.
DATA_AT_REST60100DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION60200Attempt to destroy/delete data.
TOR_EXIT_NODE60300TOR Exit Nodes.
MAIL_SPAM70000Spam email, message, etc.
MAIL_PHISHING70100Phishing email, chat messages, etc.
MAIL_SPOOFING70200Spoofed source email address, etc.
POLICY_VIOLATION80000Security-related policy violation (for example, firewall/proxy/HIPS ruleviolated, NAC block action).
SOCIAL_ENGINEERING90001Threats which manipulate to break normal security procedures.
PHISHING90002Phishing pages, pops, https phishing etc.

SecurityResult.ThreatStatus

Vendor-specific information about the status of a threat (ITW).

Enum ValueEnum NumberDescription
THREAT_STATUS_UNSPECIFIED0Default threat status
ACTIVE1Active threat.
CLEARED2Cleared threat.
FALSE_POSITIVE3False positive.

SecurityResult.VerdictResponse

Represents different verdict types. Used to represent Mandiantthreat intelligence.

Enum ValueEnum NumberDescription
VERDICT_RESPONSE_UNSPECIFIED0The default verdict response type.
MALICIOUS1VerdictResponse resulted a threat as malicious.
BENIGN2VerdictResponse resulted a threat as benign.

SecurityResult.VerdictType

Category of the verdict.

Enum ValueEnum NumberDescription
VERDICT_TYPE_UNSPECIFIED0Verdict category not specified.
PROVIDER_ML_VERDICT1MLVerdict result provided from threat providers, like Mandiant. Thesefields are used to model Mandiant sources.
ANALYST_VERDICT2Verdict provided by the human analyst. These fields are used to modelMandiant sources.

Status

Describes status of a Finding.

Enum ValueEnum NumberDescription
STATUS_UNSPECIFIED0Unspecified finding status.
NEW1New finding.
REVIEWED2When a finding has feedback.
CLOSED3When an analyst closes an finding.
OPEN4Open. Used to indicate that a Case / Alert is open.

ThreatVerdict

GCTI threat verdict levels.

Enum ValueEnum NumberDescription
THREAT_VERDICT_UNSPECIFIED0Unspecified threat verdict level.
UNDETECTED1Undetected threat verdict level.
SUSPICIOUS2Suspicious threat verdict level.
MALICIOUS3Malicious threat verdict level.

User.AccountType

User Account Type.

Enum ValueEnum NumberDescription
ACCOUNT_TYPE_UNSPECIFIED0Default user account type.
DOMAIN_ACCOUNT_TYPE1A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE2A local machine account.
CLOUD_ACCOUNT_TYPE3A SaaS service account type (such as Slack or GitHub).
SERVICE_ACCOUNT_TYPE4A non-human account for data access.
DEFAULT_ACCOUNT_TYPE5A system built in default account.

User.Role

User system roles.

Enum ValueEnum NumberDescription
UNKNOWN_ROLE0Default user role.
ADMINISTRATOR1Product administrator with elevated privileges.
SERVICE_ACCOUNT2System service account for automated privilege access.Deprecated: not a role, instead set User.account_type.

Verdict

Categorization options for the validity of a Finding (i.e. whether itreflects an actual security incident).

Enum ValueEnum NumberDescription
VERDICT_UNSPECIFIED0An unspecified verdict.
TRUE_POSITIVE1A categorization of the finding as a "true positive".
FALSE_POSITIVE2A categorization of the finding as a "false positive".

Vulnerability.Severity

Severity of the vulnerability.

Enum ValueEnum NumberDescription
UNKNOWN_SEVERITY0The default severity level.
LOW1Low severity.
MEDIUM2Medium severity.
HIGH3High severity.
CRITICAL4Critical severity.

Standard datatypes

Standard datatypes and the equivalent types in other languages.

DatatypeNotesC++JavaPythonGoC#PHPRuby
doubledoubledoublefloatfloat64doublefloatFloat
floatfloatfloatfloatfloat32floatfloatFloat
int32Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.int32intintint32intintegerBignum or Fixnum (as required)
int64Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.int64longint/longint64longinteger/stringBignum
uint32Uses variable-length encoding.uint32intint/longuint32uintintegerBignum or Fixnum (as required)
uint64Uses variable-length encoding.uint64longint/longuint64ulonginteger/stringBignum or Fixnum (as required)
sint32Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.int32intintint32intintegerBignum or Fixnum (as required)
sint64Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.int64longint/longint64longinteger/stringBignum
fixed32Always four bytes. More efficient than uint32 if values are often greater than 2^28.uint32intintuint32uintintegerBignum or Fixnum (as required)
fixed64Always eight bytes. More efficient than uint64 if values are often greater than 2^56.uint64longint/longuint64ulonginteger/stringBignum
sfixed32Always four bytes.int32intintint32intintegerBignum or Fixnum (as required)
sfixed64Always eight bytes.int64longint/longint64longinteger/stringBignum
boolboolbooleanbooleanboolboolbooleanTrueClass/FalseClass
stringA string must always contain UTF-8 encoded or 7-bit ASCII text.stringStringstr/unicodestringstringstringString (UTF-8)
bytesMay contain any arbitrary sequence of bytes.stringByteStringstr[]byteByteStringstringString (ASCII-8BIT)

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.