YaraL2Detection

JSON representation

JSON representation
{ "id" : string , "ruleType" : enum ( `RuleType` ) , "fields" : [ { object ( `Value` ) } ] , "outcomes" : [ { object ( `Value` ) } ] , "timeWindow" : { object ( `Interval` ) } , "resultEvents" : { string : { object ( `EventSampleList` ) } , ... } , "resultEntityEvents" : { string : { object ( `EventSampleList` ) } , ... } , "detectionTimestamp" : string , "commitTimestamp" : string , "alertingType" : enum ( `AlertingType` ) }

 { 
 "id" 
 : 
 string 
 , 
 "ruleType" 
 : 
 enum (  RuleType 
 
) 
 , 
 "fields" 
 : 
 [ 
 { 
 object (  Value 
 
) 
 } 
 ] 
 , 
 "outcomes" 
 : 
 [ 
 { 
 object (  Value 
 
) 
 } 
 ] 
 , 
 "timeWindow" 
 : 
 { 
 object (  Interval 
 
) 
 } 
 , 
 "resultEvents" 
 : 
 { 
 string 
 : 
 { 
 object (  EventSampleList 
 
) 
 } 
 , 
 ... 
 } 
 , 
 "resultEntityEvents" 
 : 
 { 
 string 
 : 
 { 
 object (  EventSampleList 
 
) 
 } 
 , 
 ... 
 } 
 , 
 "detectionTimestamp" 
 : 
 string 
 , 
 "commitTimestamp" 
 : 
 string 
 , 
 "alertingType" 
 : 
 enum (  AlertingType 
 
) 
 }

Fields
`id`	`string`
`ruleType`	`enum ( RuleType )`
`fields[]`	`object ( Value )`
`outcomes[]`	`object ( Value )`
`timeWindow`	`object ( Interval )`
`resultEvents`	`map (key: string, value: object ( EventSampleList ))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }` .
`resultEntityEvents`	`map (key: string, value: object ( EventSampleList ))` An object containing a list of `"key": value` pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }` .
`detectionTimestamp`	`string ( Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"` , `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"` .
`commitTimestamp`	`string ( Timestamp format)` Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"` , `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"` .
`alertingType`	`enum ( AlertingType )`

RuleType

Enums
`UNKNOWN`
`SINGLE_EVENT`
`MULTI_EVENT`
`WINDOWED_SINGLE_EVENT`

Value

JSON representation

JSON representation
{ "name" : string , "fieldPath" : string , // Union field `value` can be only one of the following: "boolVal" : boolean , "bytesVal" : string , "doubleVal" : number , "int64Val" : string , "uint64Val" : string , "stringVal" : string , "nullVal" : boolean , "boolList" : { object ( `BoolList` ) } , "bytesList" : { object ( `BytesList` ) } , "doubleList" : { object ( `DoubleList` ) } , "int64List" : { object ( `Int64List` ) } , "uint64List" : { object ( `Uint64List` ) } , "stringList" : { object ( `StringList` ) } , "boolSeq" : { object ( `BoolSequence` ) } , "bytesSeq" : { object ( `BytesSequence` ) } , "doubleSeq" : { object ( `DoubleSequence` ) } , "int64Seq" : { object ( `Int64Sequence` ) } , "uint64Seq" : { object ( `Uint64Sequence` ) } , "stringSeq" : { object ( `StringSequence` ) } , "timestampVal" : string // End of list of possible types for union field `value` . }

 { 
 "name" 
 : 
 string 
 , 
 "fieldPath" 
 : 
 string 
 , 
 // Union field value 
can be only one of the following: 
 "boolVal" 
 : 
 boolean 
 , 
 "bytesVal" 
 : 
 string 
 , 
 "doubleVal" 
 : 
 number 
 , 
 "int64Val" 
 : 
 string 
 , 
 "uint64Val" 
 : 
 string 
 , 
 "stringVal" 
 : 
 string 
 , 
 "nullVal" 
 : 
 boolean 
 , 
 "boolList" 
 : 
 { 
 object (  BoolList 
 
) 
 } 
 , 
 "bytesList" 
 : 
 { 
 object (  BytesList 
 
) 
 } 
 , 
 "doubleList" 
 : 
 { 
 object (  DoubleList 
 
) 
 } 
 , 
 "int64List" 
 : 
 { 
 object (  Int64List 
 
) 
 } 
 , 
 "uint64List" 
 : 
 { 
 object (  Uint64List 
 
) 
 } 
 , 
 "stringList" 
 : 
 { 
 object (  StringList 
 
) 
 } 
 , 
 "boolSeq" 
 : 
 { 
 object (  BoolSequence 
 
) 
 } 
 , 
 "bytesSeq" 
 : 
 { 
 object (  BytesSequence 
 
) 
 } 
 , 
 "doubleSeq" 
 : 
 { 
 object (  DoubleSequence 
 
) 
 } 
 , 
 "int64Seq" 
 : 
 { 
 object (  Int64Sequence 
 
) 
 } 
 , 
 "uint64Seq" 
 : 
 { 
 object (  Uint64Sequence 
 
) 
 } 
 , 
 "stringSeq" 
 : 
 { 
 object (  StringSequence 
 
) 
 } 
 , 
 "timestampVal" 
 : 
 string 
 // End of list of possible types for union field value 
. 
 }

Fields

name

string

fieldPath

string

Union field value .

value can be only one of the following:

boolVal

boolean

bytesVal

string ( bytes format)

A base64-encoded string.

doubleVal

number

int64Val

string ( int64 format)

uint64Val

string

stringVal

string

nullVal

boolean

boolList
 (deprecated)

object ( BoolList )

bytesList
 (deprecated)

object ( BytesList )

doubleList
 (deprecated)

object ( DoubleList )

int64List
 (deprecated)

object ( Int64List )

uint64List
 (deprecated)

object ( Uint64List )

stringList
 (deprecated)

object ( StringList )

boolSeq

object ( BoolSequence )

bytesSeq

object ( BytesSequence )

doubleSeq

object ( DoubleSequence )

int64Seq

object ( Int64Sequence )

uint64Seq

object ( Uint64Sequence )

stringSeq

object ( StringSequence )

timestampVal

string ( Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z" , "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30" .

BoolList

JSON representation
{ "boolVals" : [ boolean ] }

Fields
`boolVals[]`	`boolean`

BytesList

JSON representation
{ "bytesVals" : [ string ] }

Fields

Fields
`bytesVals[]`	`string ( bytes format)` A base64-encoded string.

bytesVals[]

string ( bytes format)

A base64-encoded string.

DoubleList

JSON representation
{ "doubleVals" : [ number ] }

Fields
`doubleVals[]`	`number`

Int64List

JSON representation
{ "int64Vals" : [ string ] }

Fields
`int64Vals[]`	`string ( int64 format)`

Uint64List

JSON representation
{ "uint64Vals" : [ string ] }

Fields
`uint64Vals[]`	`string`

StringList

JSON representation
{ "stringVals" : [ string ] }

Fields
`stringVals[]`	`string`

EventSampleList

JSON representation
{ "eventSamples" : [ { object ( `EventSample` ) } ] , "tooManyEventSamples" : boolean }

Fields
`eventSamples[]`	`object ( EventSample )`
`tooManyEventSamples`	`boolean`

EventSample

JSON representation

JSON representation
{ "rawLogToken" : string , "joinedDataTableRows" : [ { object ( `DataTableRowDetails` ) } ] , // Union field `event_sample` can be only one of the following: "event" : { object ( `UDM` ) } , "entity" : { object ( `Entity` ) } // End of list of possible types for union field `event_sample` . }

 { 
 "rawLogToken" 
 : 
 string 
 , 
 "joinedDataTableRows" 
 : 
 [ 
 { 
 object (  DataTableRowDetails 
 
) 
 } 
 ] 
 , 
 // Union field event_sample 
can be only one of the following: 
 "event" 
 : 
 { 
 object (  UDM 
 
) 
 } 
 , 
 "entity" 
 : 
 { 
 object (  Entity 
 
) 
 } 
 // End of list of possible types for union field event_sample 
. 
 }

Fields

rawLogToken

string

joinedDataTableRows[]

object ( DataTableRowDetails )

Union field event_sample .

event_sample can be only one of the following:

event

object ( UDM )

entity

object ( Entity )

AlertingType

Enums
`UNSPECIFIED`
`NOT_ALERTING`
`ALERTING`