General information associated with a UDM event.
| JSON representation |
|---|
{ "id" : string , "product_log_id" : string , "event_timestamp" : string , "collected_timestamp" : string , "ingested_timestamp" : string , "event_type" : enum ( |
| Fields | |
|---|---|
id
|
ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string. |
product_log_id
|
A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). |
event_timestamp
|
The GMT timestamp when the event was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
collected_timestamp
|
The GMT timestamp when the event was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
ingested_timestamp
|
The GMT timestamp when the event was ingested (received) by Chronicle. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
event_type
|
The event type. If an event has multiple possible types, this specifies the most specific type. |
vendor_name
|
The name of the product vendor. |
product_name
|
The name of the product. |
product_version
|
The version of the product. |
product_event_type
|
A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). |
product_deployment_id
|
The deployment identifier assigned by the vendor for a product deployment. |
description
|
A human-readable unparsable description of the event. |
url_back_to_product
|
A URL that takes the user to the source product console for this event. |
ingestion_labels[]
|
User-configured ingestion metadata labels. |
tags
|
Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. |
enrichment_state
|
The enrichment state. |
log_type
|
The string value of log type. |
base_labels
|
Data access labels on the base event. |
enrichment_labels
|
Data access labels from all the contextual events used to enrich the base event. |
structured_fields
|
Flattened fields extracted from the log. |
Tags
Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters.
| JSON representation |
|---|
{ "tenant_id" : [ string ] , "data_tap_config_name" : [ string ] } |
| Fields | |
|---|---|
tenant_id[]
|
A list of subtenant ids that this event belongs to. A base64-encoded string. |
data_tap_config_name[]
|
A list of sink name values defined in DataTap configurations. |
DataAccessLabels
| JSON representation |
|---|
{
"log_types"
:
[
string
]
,
"ingestion_labels"
:
[
string
]
,
"namespaces"
:
[
string
]
,
"custom_labels"
:
[
string
]
,
"ingestion_kv_labels"
:
[
{
object (
|
| Fields | |
|---|---|
log_types[]
|
All the LogType labels. |
ingestion_labels[]
|
All the ingestion labels. |
namespaces[]
|
All the namespaces. |
custom_labels[]
|
All the complex labels (UDM search syntax based). |
ingestion_kv_labels[]
|
All the ingestion labels (key/value pairs). |
allow_scoped_access
|
Are the labels ready for scoped access |
DataAccessIngestionLabel
| JSON representation |
|---|
{ "key" : string , "value" : string } |
| Fields | |
|---|---|
key
|
The key. |
value
|
The value. |
