- JSON representation
- EventTimestampAttribute
- Tags
- EnrichmentState
- DataAccessLabels
- DataAccessIngestionLabel
General information associated with a UDM event.

| JSON representation |
|---|
| `{ "id": string, "productLogId": string, "eventTimestamp": string, "eventTimestampAttributes": [ enum (` |

| Field | Description |
|---|---|
| `id` | ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string. |
| `productLogId` | A vendor-specific event identifier that uniquely identifies the event (e.g. a GUID). |
| `eventTimestamp` | The GMT timestamp when the event was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `eventTimestampAttributes[]` | Attributes associated with `eventTimestamp`. This field distinguishes between the different kinds of timestamp that `eventTimestamp` can represent. |
| `collectedTimestamp` | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `ingestedTimestamp` | The GMT timestamp when the event was ingested (received) by Chronicle. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `eventType` | The event type. If an event has multiple possible types, this specifies the most specific type. |
| `vendorName` | The name of the product vendor. |
| `productName` | The name of the product. |
| `productVersion` | The version of the product. |
| `productEventType` | A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). |
| `productDeploymentId` | The deployment identifier assigned by the vendor for a product deployment. |
| `description` | A human-readable, unparsable description of the event. |
| `urlBackToProduct` | A URL that takes the user to the source product console for this event. |
| `ingestionLabels[]` | User-configured ingestion metadata labels. |
| `tags` | Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. |
| `enrichmentState` | The enrichment state. |
| `logType` | The log type, as a string. |
| `baseLabels` | Data access labels on the base event. |
| `enrichmentLabels` | Data access labels from all the contextual events used to enrich the base event. |
| `structuredFields` | Flattened fields extracted from the log. |
| `parserVersion` | The version of the parser that generated this UDM event. |

EventTimestampAttribute
Enum representing the type of timestamp that the eventTimestamp field represents.

| Enum | Description |
|---|---|
| `EVENT_TIMESTAMP_ATTRIBUTE_UNSPECIFIED` | Default event timestamp attribute. |
| `FILE_LAST_ACCESS_TIME` | Deprecated. Use `LAST_ACCESSED` instead. |
| `FILE_LAST_MODIFIED_TIME` | Deprecated. Use `LAST_MODIFIED` instead. |
| `FILE_METADATA_LAST_CHANGE_TIME` | Deprecated. Use `METADATA_LAST_CHANGED` instead. |
| `FILE_CREATION_TIME` | Deprecated. Use `CREATED` instead. |
| `COLLECTED_TIME` | Deprecated. Use `COLLECTED` instead. |
| `COLLECTED` | The time when the event was collected by the vendor's local collection infrastructure. |
| `ACCESSED` | The time when the file was accessed. |
| `CHANGED` | The time when the file was changed. |
| `CREATED` | The time when the file was first created. |
| `FILE_NAME_ACCESSED` | The time when the file name was accessed. |
| `FILE_NAME_CHANGED` | The time when the file name was changed. |
| `FILE_NAME_CREATED` | The time when the file name was created. |
| `FILE_NAME_LAST_ACCESSED` | The time when the file name was last accessed. |
| `FILE_NAME_LAST_MODIFIED` | The time when the file name was last modified. |
| `FILE_NAME_METADATA_LAST_CHANGED` | The time when the file name metadata was last changed. |
| `FILE_NAME_MODIFIED` | The time when the file name was modified. |
| `LAST_ACCESSED` | The time when the file was last accessed. |
| `LAST_MODIFIED` | The time when the file was last modified. |
| `METADATA_LAST_CHANGED` | The time when the file metadata was last changed. |
| `MODIFIED` | The time when the file was modified. |

Tags
Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenantId based on certain customer-defined parameters.

| JSON representation |
|---|
| `{ "tenantId": [ string ], "dataTapConfigName": [ string ] }` |

| Field | Description |
|---|---|
| `tenantId[]` | A list of subtenant IDs that this event belongs to. Each entry is a base64-encoded string. |
| `dataTapConfigName[]` | A list of sink name values defined in DataTap configurations. |

EnrichmentState
An enrichment state.

| Enum | Description |
|---|---|
| `ENRICHMENT_STATE_UNSPECIFIED` | Unspecified. |
| `ENRICHED` | The event has been enriched by Chronicle. |
| `UNENRICHED` | The event has not been enriched by Chronicle. |

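The Metadata fields, the EventTimestampAttribute enum and the EnrichmentState enum above state several invariants that a parser author or ingestion pipeline can check before handing an event over: the three timestamps are RFC 3339 and normalized to "Z" with 0, 3, 6 or 9 fractional digits, `id` is base64-encoded, `eventTimestampAttributes` and `enrichmentState` take only the listed values (five of which are deprecated), and `tags` is never set from within a parser. The following validator is an added example, not Chronicle's own code; the field names and enum values come from this page, while the sample metadata, the function names and the `from_parser` flag are assumptions made for the demonstration.

```python
"""Validate the UDM event Metadata fields described in the reference above.

Added example, not Chronicle's own code. It checks the invariants the
reference states; the sample metadata at the bottom is constructed.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 date-time with an optional fraction and either "Z" or a numeric offset.
_RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)

# EventTimestampAttribute values from the reference; deprecated ones map to
# their documented replacements.
DEPRECATED_ATTRIBUTES = {
    "FILE_LAST_ACCESS_TIME": "LAST_ACCESSED",
    "FILE_LAST_MODIFIED_TIME": "LAST_MODIFIED",
    "FILE_METADATA_LAST_CHANGE_TIME": "METADATA_LAST_CHANGED",
    "FILE_CREATION_TIME": "CREATED",
    "COLLECTED_TIME": "COLLECTED",
}
EVENT_TIMESTAMP_ATTRIBUTES = set(DEPRECATED_ATTRIBUTES) | {
    "EVENT_TIMESTAMP_ATTRIBUTE_UNSPECIFIED", "COLLECTED", "ACCESSED", "CHANGED",
    "CREATED", "FILE_NAME_ACCESSED", "FILE_NAME_CHANGED", "FILE_NAME_CREATED",
    "FILE_NAME_LAST_ACCESSED", "FILE_NAME_LAST_MODIFIED",
    "FILE_NAME_METADATA_LAST_CHANGED", "FILE_NAME_MODIFIED", "LAST_ACCESSED",
    "LAST_MODIFIED", "METADATA_LAST_CHANGED", "MODIFIED",
}
ENRICHMENT_STATES = {"ENRICHMENT_STATE_UNSPECIFIED", "ENRICHED", "UNENRICHED"}


def normalize_timestamp(value: str) -> str:
    """Return the Z-normalized RFC 3339 form the reference says Chronicle emits.

    Any offset is accepted on input and converted to UTC. The fraction is kept
    as text (datetime only holds microseconds) and padded to 0, 3, 6 or 9
    digits. Raises ValueError for anything that is not RFC 3339.
    """
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    year, month, day, hh, mm, ss, frac, tz = m.groups()
    utc = datetime(int(year), int(month), int(day), int(hh), int(mm), int(ss),
                   tzinfo=timezone.utc)
    if tz != "Z":
        # local time minus its offset is UTC
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        utc = utc - offset if tz[0] == "+" else utc + offset
    digits = (frac or ".")[1:].rstrip("0")
    if len(digits) > 9:
        raise ValueError("more than 9 fractional digits")
    width = (len(digits) + 2) // 3 * 3          # round up to 0, 3, 6 or 9
    frac_out = "." + digits.ljust(width, "0") if width else ""
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + frac_out + "Z"


def validate_metadata(meta: dict, from_parser: bool = False) -> list:
    """Return a list of problems; an empty list means the metadata passes.

    from_parser (assumed flag) marks metadata produced inside a parser, where
    the reference says tags must not be populated.
    """
    problems = []
    for field in ("eventTimestamp", "collectedTimestamp", "ingestedTimestamp"):
        if field in meta:
            try:
                normalize_timestamp(meta[field])
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
    event_id = meta.get("id")
    if event_id is not None:
        try:
            if not base64.b64decode(event_id, validate=True):
                raise ValueError("empty")
        except (binascii.Error, ValueError):
            problems.append("id: not a base64-encoded string")
    for attr in meta.get("eventTimestampAttributes", []):
        if attr not in EVENT_TIMESTAMP_ATTRIBUTES:
            problems.append(f"eventTimestampAttributes: unknown value {attr}")
        elif attr in DEPRECATED_ATTRIBUTES:
            problems.append(f"eventTimestampAttributes: {attr} is deprecated, "
                            f"use {DEPRECATED_ATTRIBUTES[attr]}")
    state = meta.get("enrichmentState")
    if state is not None and state not in ENRICHMENT_STATES:
        problems.append(f"enrichmentState: unknown value {state}")
    if from_parser and "tags" in meta:
        problems.append("tags: must not be populated from within a parser")
    return problems


# Constructed sample metadata for the demonstration (not a real event).
SAMPLE = {
    "id": base64.b64encode(b"example-event-1").decode(),
    "productLogId": "example-guid-0001",
    "eventTimestamp": "2024-03-01T15:01:23.0450+02:00",   # offset, 4 digits
    "collectedTimestamp": "2024-03-01T15:01:25Z",
    "ingestedTimestamp": "2024-03-01 15:01:30",            # not RFC 3339
    "eventTimestampAttributes": ["FILE_CREATION_TIME", "MODIFIED", "BOGUS"],
    "enrichmentState": "UNENRICHED",
    "vendorName": "ExampleVendor",
    "tags": {"tenantId": ["dGVuYW50LTE="]},
}

if __name__ == "__main__":
    for problem in validate_metadata(SAMPLE, from_parser=True):
        print(problem)
    print(normalize_timestamp(SAMPLE["eventTimestamp"]))
```

Run against the constructed sample with `from_parser=True`, the validator reports the non-RFC 3339 `ingestedTimestamp`, the deprecated `FILE_CREATION_TIME` (suggesting `CREATED`), the unknown `BOGUS` attribute and the `tags` field set by a parser, and `normalize_timestamp` rewrites the offset timestamp to `2024-03-01T13:01:23.045Z`. Keeping the fraction as text rather than a float is what lets a 9-digit input survive normalization without being truncated to microseconds.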
DataAccessLabels

| JSON representation |
|---|
| `{ "logTypes": [ string ], "ingestionLabels": [ string ], "namespaces": [ string ], "customLabels": [ string ], "ingestionKvLabels": [ { object (` |

| Field | Description |
|---|---|
| `logTypes[]` | All the LogType labels. |
| `ingestionLabels[]` | All the ingestion labels. |
| `namespaces[]` | All the namespaces. |
| `customLabels[]` | All the complex labels (UDM search syntax based). |
| `ingestionKvLabels[]` | All the ingestion labels (key/value pairs). |
| `allowScopedAccess` | Whether the labels are ready for scoped access. |

DataAccessIngestionLabel

| JSON representation |
|---|
| `{ "key": string, "value": string }` |

| Field | Description |
|---|---|
| `key` | The key. |
| `value` | The value. |