Extensions

JSON representation
Vulnerabilities
- JSON representation
LinuxUtmp
- JSON representation
WindowsEventLog
- JSON representation
ResourceUsage
- JSON representation
SystemEventDetails
- JSON representation
OutlookMetadata
- JSON representation
Srum
- JSON representation
UserAssist
- JSON representation

Extensions to a UDM event.

JSON representation

JSON representation
{ "auth" : { object ( `Authentication` ) } , "vulns" : { object ( `Vulnerabilities` ) } , "entityRisk" : { object ( `EntityRisk` ) } , "linuxUtmp" : { object ( `LinuxUtmp` ) } , "windowsEventLog" : { object ( `WindowsEventLog` ) } , "resourceUsage" : { object ( `ResourceUsage` ) } , "systemEventDetails" : { object ( `SystemEventDetails` ) } , "outlookMetadata" : { object ( `OutlookMetadata` ) } , "srum" : { object ( `Srum` ) } , "userAssist" : { object ( `UserAssist` ) } }

 { 
 "auth" 
 : 
 { 
 object (  Authentication 
 
) 
 } 
 , 
 "vulns" 
 : 
 { 
 object (  Vulnerabilities 
 
) 
 } 
 , 
 "entityRisk" 
 : 
 { 
 object (  EntityRisk 
 
) 
 } 
 , 
 "linuxUtmp" 
 : 
 { 
 object (  LinuxUtmp 
 
) 
 } 
 , 
 "windowsEventLog" 
 : 
 { 
 object (  WindowsEventLog 
 
) 
 } 
 , 
 "resourceUsage" 
 : 
 { 
 object (  ResourceUsage 
 
) 
 } 
 , 
 "systemEventDetails" 
 : 
 { 
 object (  SystemEventDetails 
 
) 
 } 
 , 
 "outlookMetadata" 
 : 
 { 
 object (  OutlookMetadata 
 
) 
 } 
 , 
 "srum" 
 : 
 { 
 object (  Srum 
 
) 
 } 
 , 
 "userAssist" 
 : 
 { 
 object (  UserAssist 
 
) 
 } 
 }

Fields
`auth`	`object ( Authentication )` An authentication extension.
`vulns`	`object ( Vulnerabilities )` A vulnerability extension.
`entityRisk`	`object ( EntityRisk )` An entity risk change extension.
`linuxUtmp`	`object ( LinuxUtmp )` A Linux Utmp extension. This captures details specific to Linux Utmp events, which record login and logout sessions on a Linux system.
`windowsEventLog`	`object ( WindowsEventLog )` A Windows Event Log extension. This captures details specific to Windows Event Log events, providing structured information from various Windows logs.
`resourceUsage`	`object ( ResourceUsage )` A resource usage extension. This captures details about what entity (e.g., process, user) is using a specific resource.
`systemEventDetails`	`object ( SystemEventDetails )` A system event details extension. This captures additional details for system-level events, such as message type, sender image ID, and subsystem.
`outlookMetadata`	`object ( OutlookMetadata )` A Microsoft Outlook specific metadata extension. This includes metadata related to Outlook items, such as comments, templates, and security flags.
`srum`	`object ( Srum )` A SRUM extension. This captures details specific to Windows System Resource Usage Monitor (SRUM) events, providing insights into application resource consumption.
`userAssist`	`object ( UserAssist )` A UserAssist extension. This captures details specific to Windows User Assist events, which track application usage and execution.

Vulnerabilities

The Vulnerabilities extension captures details on observed/detected vulnerabilities.

JSON representation
{ "vulnerabilities" : [ { object ( `Vulnerability` ) } ] }

Fields

Fields
`vulnerabilities[]`	`object ( Vulnerability )` A list of vulnerabilities.

vulnerabilities[]

object ( Vulnerability )

A list of vulnerabilities.

LinuxUtmp

The LinuxUtmp extension captures details specific to Linux Utmp events.

JSON representation
{ "recordType" : enum ( `RecordType` ) }

Fields

Fields
`recordType`	`enum ( RecordType )` The activity record type.

recordType

enum ( RecordType )

The activity record type.

WindowsEventLog

The WindowsEventLog extension captures details specific to Windows Event Log events.

JSON representation
{ "channel" : enum ( `Channel` ) , "eventId" : string , "activityId" : string }

Fields

Fields
`channel`	`enum ( Channel )` The channel of the event.
`eventId`	`string` A unique identifier for a specific type of event.
`activityId`	`string` A GUID (Globally Unique Identifier) used to link a sequence of related events together.

channel

enum ( Channel )

The channel of the event.

eventId

string

A unique identifier for a specific type of event.

activityId

string

A GUID (Globally Unique Identifier) used to link a sequence of related events together.

ResourceUsage

The ResourceUsage extension captures details about what is using a resource.

JSON representation
{ "usedEntity" : string , "usedEntityId" : string }

Fields

Fields
`usedEntity`	`string` The name of the entity (e.g., process, user) that is using the resource.
`usedEntityId`	`string` A numerical identifier for the entity using the resource (e.g., PID, UID).

usedEntity

string

The name of the entity (e.g., process, user) that is using the resource.

usedEntityId

string

A numerical identifier for the entity using the resource (e.g., PID, UID).

SystemEventDetails

Captures additional details for system-level events.

JSON representation
{ "messageType" : string , "senderImageId" : string , "subsystem" : string }

Fields

Fields
`messageType`	`string` The specific type or category of the message.
`senderImageId`	`string` An identifier for the image associated with the sender of the message.
`subsystem`	`string` The subsystem or component that generated the event.

messageType

string

The specific type or category of the message.

senderImageId

string

An identifier for the image associated with the sender of the message.

subsystem

string

The subsystem or component that generated the event.

OutlookMetadata

Microsoft Outlook specific metadata.

JSON representation
{ "comment" : string , "template" : string , "title" : string , "securityFlagsCount" : integer }

Fields
`comment`	`string` A user-defined comment or note associated with the Outlook item.
`template`	`string` The name of the template file used to create the Outlook item.
`title`	`string` The title of the Outlook item.
`securityFlagsCount`	`integer` Count of Security-related flags for the message, such as encryption or signing status.

Srum

The Srum extension captures details specific to Windows System Resource Usage Monitor (SRUM) events.

JSON representation
{ "id" : string , "backgroundBytesRead" : string , "backgroundBytesWritten" : string , "backgroundContextSwitches" : string , "backgroundCycleCount" : string , "backgroundFlushesCount" : string , "backgroundReadOperations" : string , "backgroundWriteOperations" : string , "interfaceLuid" : string }

JSON representation

 { 
 "id" 
 : 
 string 
 , 
 "backgroundBytesRead" 
 : 
 string 
 , 
 "backgroundBytesWritten" 
 : 
 string 
 , 
 "backgroundContextSwitches" 
 : 
 string 
 , 
 "backgroundCycleCount" 
 : 
 string 
 , 
 "backgroundFlushesCount" 
 : 
 string 
 , 
 "backgroundReadOperations" 
 : 
 string 
 , 
 "backgroundWriteOperations" 
 : 
 string 
 , 
 "interfaceLuid" 
 : 
 string 
 }

Fields
`id`	`string` A unique identifier for the SRUM record or the application/user being monitored.
`backgroundBytesRead`	`string ( int64 format)` The number of bytes read by the application while running in the background.
`backgroundBytesWritten`	`string ( int64 format)` The number of bytes written by the application while running in the background.
`backgroundContextSwitches`	`string ( int64 format)` The number of context switches performed by the application's threads while in the background.
`backgroundCycleCount`	`string ( int64 format)` The amount of CPU cycle time consumed by the application in the background, measured in clock cycles.
`backgroundFlushesCount`	`string ( int64 format)` The number of flush operations performed by the application in the background.
`backgroundReadOperations`	`string ( int64 format)` The number of read operations performed by the application in the background.
`backgroundWriteOperations`	`string ( int64 format)` The number of write operations performed by the application in the background.
`interfaceLuid`	`string` The Locally Unique Identifier (LUID) for the network interface used for data transfer.

UserAssist

The UserAssist extension captures details specific to Windows User Assist events.

JSON representation
{ "applicationFocusCount" : string , "applicationFocusDuration" : string , "executionsCount" : string , "entryIndex" : string }

Fields
`applicationFocusCount`	`string ( int64 format)` The number of times the application associated with the entry gained focus.
`applicationFocusDuration`	`string ( Duration format)` The total duration the application associated with the entry was in focus. A duration in seconds with up to nine fractional digits, ending with ' `s` '. Example: `"3.5s"` .
`executionsCount`	`string ( int64 format)` The number of times the application associated with the entry has been executed.
`entryIndex`	`string ( int64 format)` The index or identifier of the user assist entry, unique per user.