Metadata

JSON representation
Tags
- JSON representation

General information associated with a UDM event.

JSON representation

JSON representation
{ "id" : string , "productLogId" : string , "eventTimestamp" : string , "eventTimestampAttributes" : [ enum ( `EventTimestampAttribute` ) ] , "collectedTimestamp" : string , "ingestedTimestamp" : string , "eventType" : enum ( `EventType` ) , "vendorName" : string , "productName" : string , "productVersion" : string , "productEventType" : string , "productDeploymentId" : string , "description" : string , "urlBackToProduct" : string , "ingestionLabels" : [ { object ( `Label` ) } ] , "tags" : { object ( `Tags` ) } , "enrichmentState" : enum ( `EnrichmentState` ) , "logType" : string , "baseLabels" : { object ( `DataAccessLabels` ) } , "enrichmentLabels" : { object ( `DataAccessLabels` ) } , "structuredFields" : { object } , "parserVersion" : string }

 { 
 "id" 
 : 
 string 
 , 
 "productLogId" 
 : 
 string 
 , 
 "eventTimestamp" 
 : 
 string 
 , 
 "eventTimestampAttributes" 
 : 
 [ 
 enum (  EventTimestampAttribute 
 
) 
 ] 
 , 
 "collectedTimestamp" 
 : 
 string 
 , 
 "ingestedTimestamp" 
 : 
 string 
 , 
 "eventType" 
 : 
 enum (  EventType 
 
) 
 , 
 "vendorName" 
 : 
 string 
 , 
 "productName" 
 : 
 string 
 , 
 "productVersion" 
 : 
 string 
 , 
 "productEventType" 
 : 
 string 
 , 
 "productDeploymentId" 
 : 
 string 
 , 
 "description" 
 : 
 string 
 , 
 "urlBackToProduct" 
 : 
 string 
 , 
 "ingestionLabels" 
 : 
 [ 
 { 
 object (  Label 
 
) 
 } 
 ] 
 , 
 "tags" 
 : 
 { 
 object (  Tags 
 
) 
 } 
 , 
 "enrichmentState" 
 : 
 enum (  EnrichmentState 
 
) 
 , 
 "logType" 
 : 
 string 
 , 
 "baseLabels" 
 : 
 { 
 object (  DataAccessLabels 
 
) 
 } 
 , 
 "enrichmentLabels" 
 : 
 { 
 object (  DataAccessLabels 
 
) 
 } 
 , 
 "structuredFields" 
 : 
 { 
 object 
 } 
 , 
 "parserVersion" 
 : 
 string 
 }

Fields
`id`	`string ( bytes format)` ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string.
`productLogId`	`string` A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).
`eventTimestamp`	`string ( Timestamp format)` The GMT timestamp when the event was generated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"` , `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"` .
`eventTimestampAttributes[]`	`enum ( EventTimestampAttribute )` Attributes associated with eventTimestamp. This field is used to distinguish between different types of timestamps that can be used to represent the eventTimestamp.
`collectedTimestamp`	`string ( Timestamp format)` The GMT timestamp when the event was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"` , `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"` .
`ingestedTimestamp`	`string ( Timestamp format)` The GMT timestamp when the event was ingested (received) by Chronicle. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"` , `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"` .
`eventType`	`enum ( EventType )` The event type. If an event has multiple possible types, this specifies the most specific type.
`vendorName`	`string` The name of the product vendor.
`productName`	`string` The name of the product.
`productVersion`	`string` The version of the product.
`productEventType`	`string` A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").
`productDeploymentId`	`string` The deployment identifier assigned by the vendor for a product deployment.
`description`	`string` A human-readable unparsable description of the event.
`urlBackToProduct`	`string` A URL that takes the user to the source product console for this event.
`ingestionLabels[]`	`object ( Label )` User-configured ingestion metadata labels.
`tags`	`object ( Tags )` Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser.
`enrichmentState`	`enum ( EnrichmentState )` The enrichment state.
`logType`	`string` The string value of log type.
`baseLabels`	`object ( DataAccessLabels )` Data access labels on the base event.
`enrichmentLabels`	`object ( DataAccessLabels )` Data access labels from all the contextual events used to enrich the base event.
`structuredFields (deprecated)`	`object ( Struct format)` This item is deprecated! Flattened fields extracted from the log.
`parserVersion`	`string` The version of the parser that generated this UDM event.