UDM field list

This document provides a list of fields available in the Unified Data Model (UDM) schema.

Field name and field type values can look similar. This document uses style conventions to help you identify the differences:

  • Field type values use camelCase characters; for example, platform and eventType.
  • Field name values use lowercase characters; for example, platform and event_type. When a field name consists of more than one word, an underscore is used to separate the words.
  • Standard data type values use lowercase characters.

UDM field name formats

When specifying a field, use the following format:

<prefix>.<field_name1>.<field_name2>.<...>.<field_nameN>=<value>

Field name format for Detect Engine

When writing rules for Detect Engine:

  • Use the <prefix> pattern $event for Event fields; for example:

    • $event.metadata.event_type
    • $event.network.dhcp.opcode
    • $event.principal.user.location.city
  • Use the <prefix> pattern $entity for Entity fields; for example:

    • $entity.graph.entity.hostname
    • $entity.graph.metadata.product_name

Field name format for parsers

When writing configuration-based normalizer (CBN) parsers:

  • Use the <prefix> pattern event.idm.read_only_udm for UDM Event fields; for example:

    • event.idm.read_only_udm.metadata.event_type
    • event.idm.read_only_udm.network.dhcp.opcode
    • event.idm.read_only_udm.principal.user.location.city
  • Use the <prefix> pattern event.idm.entity for UDM Entity fields; for example:

    • event.idm.entity.entity.user.user_display_name
    • event.idm.entity.entity.asset.hostname

UDM Entity data model

Entity

An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.

Field Name Type Label Description
metadata
EntityMetadata Entity metadata such as timestamp, product, etc.
entity
Noun Noun in the UDM event that this entity represents.
relations
Relation repeated One or more relationships between the entity (a) and other entities, including the relationship type and related entity.
additional
google.protobuf.Struct Important entity data that cannot be adequately represented within the formal sections of the Entity.
risk_score
EntityRisk optional Stores information related to the entity's risk score.
metric
Metric Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC.

EntityMetadata

Information about the Entity and the product where the entity was created.

Field Name Type Label Description
product_entity_id
string A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar).
collected_timestamp
google.protobuf.Timestamp GMT timestamp when the entity information was collected by the vendor's local collection infrastructure.
creation_timestamp
google.protobuf.Timestamp GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected.
interval
google.type.Interval Valid existence time range for the version of the entity represented by this entity data.
vendor_name
string Vendor name of the product that produced the entity information.
product_name
string Product name that produced the entity information.
feed
string Vendor feed name for a threat indicator feed.
product_version
string Version of the product that produced the entity information.
entity_type
EntityMetadata.EntityType (Enumerated list) Entity type. If an entity has multiple possible types, this specifies the most specific type.
description
string Human-readable description of the entity.
threat
SecurityResult repeated Metadata provided by a threat intelligence feed that identified the entity as malicious.
source_type
EntityMetadata.SourceType (Enumerated list) The source of the entity.
source_labels
Label repeated Entity source metadata labels.
event_metadata
Metadata Metadata field from the event.

EntityRisk

Stores information related to the risk score of an entity.

Field Name Type Label Description
risk_version
string Version of the risk score calculation algorithm.
risk_window
google.type.Interval Time window used when computing the risk score for an entity, for example 24 hours or 7 days.
DEPRECATED_risk_score
int32 Deprecated risk score.
risk_delta
RiskDelta optional Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window.
detections_count
int32 Number of detections that make up the risk score within the time window.
first_detection_time
google.protobuf.Timestamp Timestamp of the first detection within the specified time window. This field is empty when there are no detections.
last_detection_time
google.protobuf.Timestamp Timestamp of the last detection within the specified time window. This field is empty when there are no detections.
risk_score
float Raw risk score for the entity.
normalized_risk_score
int32 Normalized risk score for the entity. This value is between 0 and 1000.
risk_window_size
Int64 Risk window duration for the Entity.
raw_risk_delta
RiskDelta optional Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window.

Metric

Stores precomputed aggregated analytic data for an entity.

Field Name Type Label Description
first_seen
google.protobuf.Timestamp Timestamp of the first time the entity was seen in the environment.
last_seen
google.protobuf.Timestamp Timestamp of the last time the entity was seen in the environment.
sum_measure
Metric.Measure Sum of all precomputed measures for the given metric.
total_events
int64 Total number of events used to calculate the given precomputed metric.
metric_name
Metric.MetricName (Enumerated list) Name of the analytic.
dimensions
Metric.Dimension (Enumerated list) repeated All group-by clauses used to calculate the metric.
export_window
int64 Export window for which the metric was exported.

Metric.Measure

Describes the precomputed measure.

Field Name Type Label Description
value
double Value of the aggregated measure.
aggregate_function
Metric.AggregateFunction (Enumerated list) Function used to calculate the aggregated measure.

Relation

Defines the relationship between the entity (a) and another entity (b).

Field Name Type Label Description
entity
Noun Entity (b) that the primary entity (a) is related to.
entity_type
EntityMetadata.EntityType (Enumerated list) Type of the related entity (b) in this relationship.
relationship
Relation.Relationship (Enumerated list) Type of relationship.
direction
Relation.Directionality (Enumerated list) Directionality of relationship between primary entity (a) and the related entity (b).
uid
bytes UID of the relationship.
entity_label
Relation.EntityLabel (Enumerated list) Label to identify the Noun of the relation.

RiskDelta

Describes the difference in risk score between two points in time.

Field Name Type Label Description
previous_range_end_time
google.protobuf.Timestamp End time of the previous time window.
risk_score_delta
int32 Difference in the normalized risk score from the previous recorded value.
previous_risk_score
int32 Risk score from the previous risk window.
risk_score_numeric_delta
int32 Numeric change between the current and previous risk score.

Entity enumerated types

EntityMetadata.EntityType

Describes the type of entity. An unknown event type.

Enum Value Enum Number Description
ASSET
1 An asset, such as workstation, laptop, phone, or virtual machine.
USER
10000 User.
GROUP
10001 Group.
RESOURCE
2 Resource.
IP_ADDRESS
3 An external IP address. The request should include IOC intel threat metadata for each entity to be ingested.
FILE
4 A file. The request should include IOC intel threat metadata for each entity to be ingested.
DOMAIN_NAME
5 A domain. The request should include IOC intel threat metadata for each entity to be ingested.
URL
6 A URL.
MUTEX
7 A mutex. The request should include IOC intel threat metadata for each entity to be ingested.

EntityMetadata.SourceType

Describes the source of an entity.

Enum Value Enum Number Description
SOURCE_TYPE_UNSPECIFIED
0 Default source type
ENTITY_CONTEXT
1 Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT)
DERIVED_CONTEXT
2 Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats.
GLOBAL_CONTEXT
3 Global contextual entities such as WHOIS or Safe Browsing.

Metric.AggregateFunction

Mathematic function used to calculate the value.

Enum Value Enum Number Description
AGGREGATE_FUNCTION_UNSPECIFIED
0 Default value.
MIN
1 Minimum.
MAX
2 Maximum.
COUNT
3 Count.
SUM
4 Sum.
AVG
5 Average.
STDDEV
6 Standard Deviation.

Metric.Dimension

Describes field used as the dimension when grouping data to calculate the aggregate metric.

Enum Value Enum Number Description
DIMENSION_UNSPECIFIED
0 Default
PRINCIPAL_DEVICE
1 Principal Device
TARGET_USER
2 Target User
TARGET_DEVICE
3 Target Device
PRINCIPAL_USER
4 Principal User
TARGET_IP
5 Target IP
PRINCIPAL_FILE_HASH
6 Principal File Hash
PRINCIPAL_COUNTRY
7 Principal Country
SECURITY_CATEGORY
8 Security Category
NETWORK_ASN
9 Network ASN
CLIENT_CERTIFICATE_HASH
10 Client Certificate Hash
DNS_QUERY_TYPE
11 DNS Query Type
DNS_DOMAIN
12 DNS Domain
HTTP_USER_AGENT
13 HTTP User Agent
EVENT_TYPE
14 Event Type
PRODUCT_NAME
15 Product Name
PRODUCT_EVENT_TYPE
16 Product Event Type
PARENT_FOLDER_PATH
17 Parent Folder Path
TARGET_RESOURCE_NAME
18 Target Resource Name
PRINCIPAL_APPLICATION
19 Principal Application.
TARGET_APPLICATION
20 Target Application.
EMAIL_TO_ADDRESS
21 Email To Address.
EMAIL_FROM_ADDRESS
22 Email From Address.
MAIL_ID
23 Mail Id.
PRINCIPAL_IP
24 Principal IP.
SECURITY_ACTION
25 Security Action.
SECURITY_RULE_ID
28 Security Rule Id.
TARGET_NETWORK_ORGANIZATION_NAME
29 Target Network Organization Name.
PRINCIPAL_NETWORK_ORGANIZATION_NAME
30 Principal Network Organization Name.
PRINCIPAL_PROCESS_FILE_PATH
31 Principal Process File Path.
PRINCIPAL_PROCESS_FILE_HASH
32 Principal Process File SHA256 Hash.
SECURITY_RESULT_RULE_NAME
33 Security Result rule name.

Metric.MetricName

The name of the precomputed analytic.

Enum Value Enum Number Description
METRIC_NAME_UNSPECIFIED
0 Default
NETWORK_BYTES_INBOUND
1 Total received network bytes.
NETWORK_BYTES_OUTBOUND
2 Total network sent bytes.
NETWORK_BYTES_TOTAL
3 Total network sent bytes and received bytes.
AUTH_ATTEMPTS_SUCCESS
4 Successful authentication attempts.
AUTH_ATTEMPTS_FAIL
5 Failed authentication attempts.
AUTH_ATTEMPTS_TOTAL
6 Total authentication attempts.
DNS_BYTES_OUTBOUND
7 Total number of sent bytes for DNS events.
NETWORK_FLOWS_INBOUND
8 Total number of events having non-null received bytes.
NETWORK_FLOWS_OUTBOUND
9 Total number of events having non-null sent bytes.
NETWORK_FLOWS_TOTAL
10 Total events having non-null sent or received bytes.
DNS_QUERIES_SUCCESS
11 DNS query success count - Number of events with response_code = 0.
DNS_QUERIES_FAIL
12 Number of events with response_code != 0.
DNS_QUERIES_TOTAL
13 Total number of DNS queries made.
FILE_EXECUTIONS_SUCCESS
14 Number of successful file executions.
FILE_EXECUTIONS_FAIL
15 Number of failed file executions.
FILE_EXECUTIONS_TOTAL
16 Total number of file executions.
HTTP_QUERIES_SUCCESS
17 Number of successful HTTP queries.
HTTP_QUERIES_FAIL
18 Number of failed HTTP queries.
HTTP_QUERIES_TOTAL
19 Total number of HTTP queries.
WORKSPACE_EMAILS_SENT_TOTAL
20 Total number of emails sent in Google Workspace.
WORKSPACE_TOTAL_DOWNLOAD_ACTIONS
21 Total number of download actions in Google Workspace.
WORKSPACE_TOTAL_CHANGE_ACTIONS
22 Total number of change actions in Google Workspace.
WORKSPACE_AUTH_ATTEMPTS_TOTAL
23 Total number of authentication attempts in Google Workspace.
WORKSPACE_NETWORK_BYTES_OUTBOUND
24 Number of outbound network bytes (total sent) in Google Workspace.
WORKSPACE_NETWORK_BYTES_TOTAL
25 Total number of network bytes (both sent and received) in Google Workspace.
ALERT_EVENT_NAME_COUNT
26 Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH.

Relation.Directionality

Describes the relationship model as directed or undirected.

Enum Value Enum Number Description
DIRECTIONALITY_UNSPECIFIED
0 Default value.
BIDIRECTIONAL
1 Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a).
UNIDIRECTIONAL
2 Modeled in a single direction. Primary entity (a) to related entity (b).

Relation.EntityLabel

Entity label of the relation.

Enum Value Enum Number Description
ENTITY_LABEL_UNSPECIFIED
0 Default value.
PRINCIPAL
1 The Noun represents a principal type object.
TARGET
2 The Noun represents a target type object.
OBSERVER
3 The Noun represents an observer type object.
SRC
4 The Noun represents src type object.
NETWORK
5 The Noun represents a network type object.
SECURITY_RESULT
6 The Noun represents a SecurityResult object.
INTERMEDIARY
7 The Noun represents an intermediary type object.

Relation.Relationship

Type of relationship between the primary entity (a) and related entity (b).

Enum Value Enum Number Description
RELATIONSHIP_UNSPECIFIED
0 Default value
OWNS
1 Related entity is owned by the primary entity (for example: user owns device asset).
ADMINISTERS
2 Related entity is administered by the primary entity (for example: user administers a group).
MEMBER
3 Primary entity is a member of the related entity (for example: user is a member of a group).
EXECUTES
4 Primary entity may have executed the related entity.
DOWNLOADED_FROM
5 Primary entity may have been downloaded from the related entity.
CONTACTS
6 Primary entity contacts the related entity.

UDM Event data model

A UDM event.

Field Name Type Label Description
metadata
Metadata Event metadata such as timestamp, source product, etc.
additional
google.protobuf.Struct Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model.
principal
Noun Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys, or values.
src
Noun Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event.
target
Noun Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target.
intermediary
Noun repeated Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C).
observer
Noun Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question.
about
Noun repeated Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event.
security_result
SecurityResult repeated A list of security results.
network
Network All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
extensions
Extensions All other first-class, event-specific metadata goes in this message. Don't place protocol metadata in Extensions; put it in Network.
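The constraints stated above for the principal field (at least one machine or user detail, never email, files or registry data) and the rule of thumb for intermediaries (principal and target look the same whether or not a firewall acted) can be checked mechanically. The following is an added example, not part of the UDM documentation or of any Google SecOps tooling; events are plain Python dicts keyed by UDM field names, and the sample events are constructed for illustration.

```python
"""Check UDM event dicts against the principal and intermediary rules
described in the UDM Event data model (added example, not UDM tooling)."""

# Machine details the page lists for principal: hostname, MACs, IPs, port,
# product-specific identifiers such as an EDR asset ID.
MACHINE_DETAIL_FIELDS = ("hostname", "mac", "ip", "port", "asset_id")
USER_DETAIL_FIELDS = ("user",)
# Fields the page says a principal must NOT carry.
FORBIDDEN_PRINCIPAL_FIELDS = ("email", "file", "registry")


def _present(noun, field):
    """True when the Noun sub-field is set and non-empty."""
    value = noun.get(field)
    if value is None:
        return False
    if isinstance(value, (list, dict, str)):
        return len(value) > 0
    return True


def validate_principal(event):
    """Return a list of problems with event['principal']; empty means OK."""
    problems = []
    principal = event.get("principal")
    if not principal:
        return ["principal is missing"]
    has_machine = any(_present(principal, f) for f in MACHINE_DETAIL_FIELDS)
    has_user = any(_present(principal, f) for f in USER_DETAIL_FIELDS)
    if not (has_machine or has_user):
        problems.append("principal needs at least one machine or user detail")
    for field in FORBIDDEN_PRINCIPAL_FIELDS:
        if _present(principal, field):
            problems.append(f"principal must not include '{field}'")
    return problems


def same_action_shape(event_a, event_b):
    """Rule of thumb from the page: principal, target and the initial action
    (metadata.event_type) read the same regardless of any intermediary."""
    for key in ("principal", "target"):
        if event_a.get(key) != event_b.get(key):
            return False
    return (event_a["metadata"]["event_type"]
            == event_b["metadata"]["event_type"])


# Constructed samples: a connection from host A to host B that succeeded,
# and the same connection blocked by firewall C. Only the intermediary and
# the security_result differ; principal and target are identical.
ALLOWED = {
    "metadata": {"event_type": "NETWORK_CONNECTION"},
    "principal": {"hostname": "host-a", "ip": ["10.0.0.5"]},
    "target": {"ip": ["10.0.1.7"], "port": 443},
    "security_result": [{"action": ["ALLOW"]}],
}
BLOCKED = {
    "metadata": {"event_type": "NETWORK_CONNECTION"},
    "principal": {"hostname": "host-a", "ip": ["10.0.0.5"]},
    "target": {"ip": ["10.0.1.7"], "port": 443},
    "intermediary": [{"hostname": "firewall-c", "ip": ["10.0.0.1"]}],
    "security_result": [{"action": ["BLOCK"]}],
}
# Constructed malformed event: principal carries email and file data and no
# machine or user detail, which the page forbids.
MALFORMED = {
    "metadata": {"event_type": "NETWORK_CONNECTION"},
    "principal": {"email": "abc@example.corp",
                  "file": {"full_path": "shady.exe"}},
    "target": {"ip": ["10.0.1.7"], "port": 443},
}

if __name__ == "__main__":
    for name, ev in (("ALLOWED", ALLOWED), ("BLOCKED", BLOCKED),
                     ("MALFORMED", MALFORMED)):
        print(name, validate_principal(ev) or "ok")
    print("same shape:", same_action_shape(ALLOWED, BLOCKED))
```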

Event top level types

Extensions

Extensions to a UDM event.

Field Name Type Label Description
auth
Authentication An authentication extension.
vulns
Vulnerabilities A vulnerability extension.

Metadata

General information associated with a UDM event.

Field Name Type Label Description
id
bytes ID of the UDM event. Can be used for raw and normalized event retrieval.
product_log_id
string A vendor-specific event identifier to uniquely identify the event (for example: a GUID).
event_timestamp
google.protobuf.Timestamp The GMT timestamp when the event was generated.
collected_timestamp
google.protobuf.Timestamp The GMT timestamp when the event was collected by the vendor's local collection infrastructure.
ingested_timestamp
google.protobuf.Timestamp The GMT timestamp when the event was ingested (received) by Google Security Operations.
event_type
Metadata.EventType The event type. If an event has multiple possible types, this specifies the most specific type.
vendor_name
string The name of the product vendor.
product_name
string The name of the product.
product_version
string The version of the product.
product_event_type
string A short, descriptive, human-readable, product-specific event name or type (for example: "Scanned X", "User account created", "process_start").
product_deployment_id
string The deployment identifier assigned by the vendor for a product deployment.
description
string A human-readable unparsable description of the event.
url_back_to_product
string A URL that takes the user to the source product console for this event.
ingestion_labels
Label repeated User-configured ingestion metadata labels.
tags
Tags Tags added by Google SecOps after an event is parsed. It is an error to populate this field from within a parser.
enrichment_state
Metadata.EnrichmentState The enrichment state.
log_type
string The string value of log type.
base_labels
DataAccessLabels Data access labels on the base event.
enrichment_labels
DataAccessLabels Data access labels from all the contextual events used to enrich the base event.

Network

A network event.

Field Name Type Label Description
sent_bytes
uint64 The number of bytes sent.
received_bytes
uint64 The number of bytes received.
sent_packets
int64 The number of packets sent.
received_packets
int64 The number of packets received.
session_duration
Int64 The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer.
session_id
string The ID of the network session.
parent_session_id
string The ID of the parent network session.
application_protocol_version
string The version of the application protocol. e.g. "1.1, 2.0"
community_id
string Community ID network flow value.
direction
Network.Direction The direction of network traffic.
ip_protocol
Network.IpProtocol The IP protocol.
application_protocol
Network.ApplicationProtocol The application protocol.
ftp
Ftp FTP info.
email
Email Email info for the sender/recipient.
dns
Dns DNS info.
dhcp
Dhcp DHCP info.
http
Http HTTP info.
tls
Tls TLS info.
smtp
Smtp SMTP info. Store fields specific to SMTP not covered by Email.
asn
string Autonomous system number.
dns_domain
string DNS domain name.
carrier_name
string Carrier identification.
organization_name
string Organization name (e.g. Google).
ip_subnet_range
string Associated human-readable IP subnet range (e.g. 10.1.2.0/24).

Noun

The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.

Field Name Type Label Description
hostname
string Client hostname or domain name field. Hostname also doubles as the domain for remote entities.
domain
Domain Information about the domain.
artifact
Artifact Artifacts are pieces of contextual data about entities in your environment. They're essential for security investigations because they provide enriched information about various elements involved in security events. This detail helps analysts understand the full scope and timeline of an attack. There are three types of artifacts: FILE, DOMAIN_NAME and IP_ADDRESS.
url_metadata
URL Information about the URL.
asset_id
string The asset ID.
user
User Information about the user.
user_management_chain
User repeated Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.
group
Group Information about the group.
process
Process Information about the process.
process_ancestors
Process repeated Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
asset
Asset Information about the asset.
ip
string repeated A list of IP addresses associated with a network connection.
nat_ip
string repeated A list of NAT translated IP addresses associated with a network connection.
port
int32 Source or destination network port number when a specific network connection is described within an event.
nat_port
int32 NAT external network port number when a specific network connection is described within an event.
mac
string repeated List of MAC addresses associated with a device.
administrative_domain
string Domain which the device belongs to (for example, the Microsoft Windows domain).
namespace
string Namespace which the device belongs to, such as "AD forest". Uses for this field include the Microsoft Windows AD forest, the name of a subsidiary, or the name of an acquisition.
url
string The URL.
file
File Information about the file.
email
string Email address. Only filled in for security_result.about.
registry
Registry Registry information.
application
string The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Google".
platform
Noun.Platform Platform.
platform_version
string Platform version. For example, "Microsoft Windows 1803".
platform_patch_level
string Platform patch level. For example, "Build 17134.48"
cloud
Cloud Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).
location
Location Physical location. For cloud environments, set the region in location.name.
ip_location
Location repeated Deprecated: use ip_geo_artifact.location instead.
ip_geo_artifact
Artifact repeated Enriched geographic information corresponding to an IP address. Specifically, location and network data.
resource
Resource Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun.
resource_ancestors
Resource repeated Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).
labels
Label repeated Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).
object_reference
Id The finding for which the analyst updated the feedback.
investigation
Investigation Analyst feedback/investigation for alerts.
network
Network Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
security_result
SecurityResult repeated A list of security results.

SecurityResult

Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.

Field Name Type Label Description
about
Noun If the security result is about a specific entity (Noun), add it here.
category
SecurityResult.SecurityCategory repeated The security category.
category_details
string repeated For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn".
threat_name
string A vendor-assigned classification common across multiple customers (e.g. "W32/File-A", "Slammer").
rule_set
string The result's rule set identifier. (e.g. "windows-threats")
rule_set_display_name
string The curated detections rule set display name.
ruleset_category_display_name
string The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats").
rule_id
string A vendor-specific ID and name for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").
rule_name
string Name of the security rule (e.g. "BlockInboundToOracle").
rule_version
string Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent and lexical ordering should not be assumed.
rule_type
string The type of security rule.
rule_author
string Author of the security rule.
rule_labels
Label repeated A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John").
alert_state
SecurityResult.AlertState The alerting types of this security result.
detection_fields
Label repeated An ordered list of values that represent fields in detections for a security finding. This list represents a mapping of names of requested entities to their values (i.e. the security result matched variables).
outcomes
Label repeated A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to their values.
summary
string A human-readable summary (e.g. "failed login occurred").
description
string A human-readable description (e.g. "user password was wrong").
action
SecurityResult.Action repeated Actions taken for this event.
action_details
string The detail of the action taken as provided by the vendor.
severity
SecurityResult.ProductSeverity The severity of the result.
confidence
SecurityResult.ProductConfidence The confidence level of the result as estimated by the product.
priority
SecurityResult.ProductPriority The priority of the result.
risk_score
float The risk score of the security result.
confidence_score
float The confidence score of the security result.
analytics_metadata
AnalyticsMetadata repeated Stores metadata about each risk analytic metric the rule uses.
severity_details
string Vendor-specific severity.
confidence_details
string Additional detail with regards to the confidence of a security event as estimated by the product vendor.
priority_details
string Vendor-specific information about the security result priority.
url_back_to_product
string URL that takes the user to the source product console for this event.
threat_id
string Vendor-specific ID for a threat.
threat_feed_name
string Vendor feed name for a threat indicator feed.
threat_id_namespace
Id.Namespace The attribute threat_id_namespace qualifies threat_id with an ID namespace to get a unique ID. The attribute threat_id by itself is not unique across Google SecOps as it is a vendor-specific ID.
threat_status
SecurityResult.ThreatStatus Current status of the threat.
attack_details
AttackDetails MITRE ATT&CK details.
first_discovered_time
google.protobuf.Timestamp First time the IoC threat was discovered in the provider.
associations
SecurityResult.Association repeated Associations related to the threat.
campaigns
string repeated Campaigns using this IOC threat.
verdict
SecurityResult.Verdict Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead.
last_updated_time
google.protobuf.Timestamp Last time the IoC threat was updated in the provider.
verdict_info
SecurityResult.VerdictInfo repeated Verdict information about the IoC from the provider.
threat_verdict
ThreatVerdict GCTI threat verdict on the security result entity.
last_discovered_time
google.protobuf.Timestamp Last time the IoC was seen in the provider data.

Event subtypes

AnalyticsMetadata

Stores information about an analytics metric used in a rule.

Field Name Type Label Description
analytic
string Name of the analytic.

Artifact

Information about an artifact. The artifact can only be an IP.

Field Name Type Label Description
ip
string IP address of the artifact.
prevalence
Prevalence The prevalence of the artifact within the customer's environment.
first_seen_time
google.protobuf.Timestamp First seen timestamp of the IP in the customer's environment.
last_seen_time
google.protobuf.Timestamp Last seen timestamp of the IP address in the customer's environment.
location
Location Location of the Artifact's IP address.
network
Network Network information related to the Artifact's IP address.
as_owner
string Owner of the Autonomous System to which the IP address belongs.
asn
int64 Autonomous System Number to which the IP address belongs.
jarm
string The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a).
last_https_certificate
SSLCertificate SSL certificate information about the IP address.
last_https_certificate_date
google.protobuf.Timestamp Most recent date for the certificate in VirusTotal.
regional_internet_registry
string RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC).
tags
string repeated Identification attributes.
whois
string WHOIS information as returned from the pertinent WHOIS server.
whois_date
google.protobuf.Timestamp Date of the last update of the WHOIS record in VirusTotal.

Asset

Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.

Field Name Type Label Description
product_object_id
string A vendor-specific identifier to uniquely identify the entity (a GUID or similar).
hostname
string Asset hostname or domain name field.
asset_id
string The asset ID. Value must contain the ':' character. For example, cs:abcdd23434.
ip
string repeated A list of IP addresses associated with an asset.
mac
string repeated List of MAC addresses associated with an asset.
nat_ip
string repeated List of NAT IP addresses associated with an asset.
first_seen_time
google.protobuf.Timestamp The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.
hardware
Hardware repeated The asset hardware specifications.
platform_software
PlatformSoftware The asset operating system platform software.
software
Software repeated The asset software details.
location
Location Location of the asset.
category
string The category of the asset (e.g. "End User Asset", "Workstation", "Server").
type
Asset.AssetType The type of the asset (e.g. workstation or laptop or server).
network_domain
string The network domain of the asset (e.g. "corp.acme.com")
creation_time
google.protobuf.Timestamp Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.
first_discover_time
google.protobuf.Timestamp Time the asset was first discovered (by asset management/discoverability software).
last_discover_time
google.protobuf.Timestamp Time the asset was last discovered (by asset management/discoverability software).
system_last_update_time
google.protobuf.Timestamp Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time.
last_boot_time
google.protobuf.Timestamp Time the asset was last booted.
labels
Label repeated Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.
deployment_status
Asset.DeploymentStatus The deployment status of the asset for device lifecycle purposes.
vulnerabilities
Vulnerability repeated Vulnerabilities discovered on asset.
attribute
Attribute Generic entity metadata attributes of the asset.

AttackDetails

MITRE ATT&CK details.

Field Name Type Label Description
version
string ATT&CK version (e.g. 12.1).
tactics
AttackDetails.Tactic repeated Tactics employed.
techniques
AttackDetails.Technique repeated Techniques employed.

AttackDetails.Tactic

Tactic information related to an attack or threat.

Field Name Type Label Description
id
string Tactic ID (e.g. "TA0043").
name
string Tactic Name (e.g. "Reconnaissance")

AttackDetails.Technique

Technique information related to an attack or threat.

Field Name Type Label Description
id
string Technique ID (e.g. "T1595").
name
string Technique Name (e.g. "Active Scanning").
subtechnique_id
string Subtechnique ID (e.g. "T1595.001").
subtechnique_name
string Subtechnique Name (e.g. "Scanning IP Blocks").

Attribute

Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account).

Field Name Type Label Description
cloud
Cloud Cloud metadata attributes such as project ID, account ID, or organizational hierarchy.
labels
Label repeated Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings.
permissions
Permission repeated System permissions for IAM entity (human principal, service account, group).
roles
Role repeated System IAM roles to be assumed by resources to use the role's permissions for access control.
creation_time
google.protobuf.Timestamp Time the resource or entity was created or provisioned.
last_update_time
google.protobuf.Timestamp Time the resource or entity was last updated.

Authentication

The Authentication extension captures details specific to authentication events. General guidelines for authentication events:

  • Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login.

  • Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target.

  • Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Google SecOps) using their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution.

Field Name Type Label Description
type
Authentication.AuthType The type of authentication.
mechanism
Authentication.Mechanism repeated The authentication mechanism.
auth_details
string The vendor defined details of the authentication.

Certificate

Certificate information

Field Name Type Label Description
version
string Certificate version.
serial
string Certificate serial number.
subject
string Subject of the certificate.
issuer
string Issuer of the certificate.
md5
string The MD5 hash of the certificate, as a hex-encoded string.
sha1
string The SHA1 hash of the certificate, as a hex-encoded string.
sha256
string The SHA256 hash of the certificate, as a hex-encoded string.
not_before
google.protobuf.Timestamp Indicates when the certificate is first valid.
not_after
google.protobuf.Timestamp Indicates when the certificate is no longer valid.

Cloud

Metadata related to the cloud environment.

Field Name Type Label Description
environment
Cloud.CloudEnvironment The Cloud environment.
vpc
Resource The cloud environment VPC. Deprecated.
project
Resource The cloud environment project information. Deprecated: Use Resource.resource_ancestors
availability_zone
string The cloud environment availability zone (different from region which is location.name).

DNSRecord

DNS record.

Field Name Type Label Description
type
string Type.
value
string Value.
ttl
int64 Time to live.
priority
int64 Priority.
retry
int64 Retry.
refresh
int64 Refresh.
minimum
int64 Minimum.
expire
int64 Expire.
serial
int64 Serial.
rname
string Rname.

Dhcp

DHCP information.

Field Name Type Label Description
opcode
Dhcp.OpCode The BOOTP op code.
htype
uint32 Hardware address type.
hlen
uint32 Hardware address length.
hops
uint32 Hop count: the number of relay agents the message has passed through (set to zero by the client).
transaction_id
uint32 Transaction ID.
seconds
uint32 Seconds elapsed since client began address acquisition/renewal process.
flags
uint32 Flags.
ciaddr
string Client IP address (ciaddr).
yiaddr
string Your IP address (yiaddr).
siaddr
string IP address of the next bootstrap server.
giaddr
string Relay agent IP address (giaddr).
chaddr
string Client hardware address (chaddr).
sname
string Server name that the client wishes to boot from.
file
string Boot image filename.
options
Dhcp.Option repeated List of DHCP options.
type
Dhcp.MessageType DHCP message type.
lease_time_seconds
uint32 Lease time in seconds. See RFC2132, section 9.2.
client_hostname
string Client hostname. See RFC2132, section 3.14.
client_identifier
bytes Client identifier. See RFC2132, section 9.14.
requested_address
string Requested IP address. See RFC2132, section 9.1.

Dhcp.Option

DHCP options.

Field Name Type Label Description
code
uint32 Code. See RFC1533.
data
bytes Data.

Dns

DNS information.

Field Name Type Label Description
id
uint32 DNS query id.
response
bool Set to true if the event is a DNS response. See QR field from RFC1035.
opcode
uint32 The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS).
authoritative
bool Whether the responding name server is an authority for the domain name in the question section (the AA header flag). See RFC1035, section 4.1.1.
truncated
bool Whether the DNS response was truncated.
recursion_desired
bool Whether a recursive DNS lookup is desired.
recursion_available
bool Whether a recursive DNS lookup is available.
response_code
uint32 Response code. See RCODE from RFC1035.
questions
Dns.Question repeated A list of domain protocol message questions.
answers
Dns.ResourceRecord repeated A list of answers to the domain name query.
authority
Dns.ResourceRecord repeated Resource records from the authority section, which point toward name servers authoritative for the queried name.
additional
Dns.ResourceRecord repeated Resource records from the additional section, which relate to the query without answering it (for example, addresses of the name servers listed in the authority section).

Dns.Question

DNS Questions. See RFC1035, section 4.1.2.

Field Name Type Label Description
name
string The domain name.
type
uint32 The code specifying the type of the query.
class
uint32 The code specifying the class of the query.
prevalence
Prevalence The prevalence of the domain within the customer's environment.

Dns.ResourceRecord

DNS Resource Records. See RFC1035, section 4.1.3.

Field Name Type Label Description
name
string The name of the owner of the resource record.
type
uint32 The code specifying the type of the resource record.
class
uint32 The code specifying the class of the resource record.
ttl
uint32 The time interval for which the resource record can be cached before the source of the information should again be queried.
data
string The payload or response to the DNS question for all responses, encoded in UTF-8.
binary_data
bytes The raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
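The Dns, Dns.Question and Dns.ResourceRecord fields above are the RFC1035 header, question and resource record formats renamed. The parser below is an added example, not code from the UDM documentation or from any Google parser: it reads a DNS message into a dict keyed by those UDM field names, resolving section 4.1.4 compression pointers (with a hop limit, because a crafted message can make the pointers loop) and putting A/NS/CNAME/PTR payloads into data and everything else into binary_data. The sample response is constructed.

```python
import struct


def _read_name(buf, off):
    """Decode a domain name at buf[off], following RFC1035 section 4.1.4 compression
    pointers. Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                               # a crafted message can loop forever
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length


def _read_rr(buf, off):
    """Parse one resource record (RFC1035 section 4.1.3) into Dns.ResourceRecord fields."""
    name, off = _read_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    rdata = buf[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated resource record")
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
    if rtype == 1 and rdlen == 4:                      # A: dotted quad
        rr["data"] = ".".join(str(b) for b in rdata)
    elif rtype in (2, 5, 12):                          # NS, CNAME, PTR: a (possibly compressed) name
        rr["data"], _ = _read_name(buf, off)
    else:                                              # anything else: keep the raw bytes
        rr["binary_data"] = rdata
    return rr, off + rdlen


def parse_dns(buf):
    """Parse a DNS message into a dict keyed by the UDM Dns field names."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", buf, 0)
    msg = {
        "id": ident,
        "response": bool(flags & 0x8000),              # QR
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & 0x0400),         # AA
        "truncated": bool(flags & 0x0200),             # TC
        "recursion_desired": bool(flags & 0x0100),     # RD
        "recursion_available": bool(flags & 0x0080),   # RA
        "response_code": flags & 0xF,                  # RCODE
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    off = 12
    for _ in range(qd):
        name, off = _read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        msg["questions"].append({"name": name, "type": qtype, "class": qclass})
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = _read_rr(buf, off)
            msg[section].append(rr)
    return msg


# Constructed sample: a response to "example.com A" with one A answer and one NS authority
# record; both reuse the question name through a 0xC00C compression pointer.
SAMPLE_RESPONSE = bytes.fromhex(
    "1a2b 8180 0001 0001 0001 0000"                   # header: QR=1 RD=1 RA=1; 1 question, 1 answer, 1 authority
    "07 6578616d706c65 03 636f6d 00 0001 0001"        # question: example.com, type A, class IN
    "c00c 0001 0001 0000012c 0004 5db8d822"           # answer: A 93.184.216.34, TTL 300
    "c00c 0002 0001 00000e10 0006 03 6e7331 c00c"     # authority: NS ns1.example.com, TTL 3600
)
```

Questions carry no ttl or data, which is why a Dns.Question is a separate type from a Dns.ResourceRecord; the binary_data fallback keeps non-text payloads (TXT blobs, unknown types) from being mangled by a forced UTF-8 decode.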

Domain

Information about a domain.

Field Name Type Label Description
name
string The domain name.
prevalence
Prevalence The prevalence of the domain within the customer's environment.
first_seen_time
google.protobuf.Timestamp First seen timestamp of the domain in the customer's environment.
last_seen_time
google.protobuf.Timestamp Last seen timestamp of the domain in the customer's environment.
registrar
string Registrar name. For example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM".
contact_email
string Contact email address.
whois_server
string Whois server name.
name_server
string repeated Repeated list of name servers.
creation_time
google.protobuf.Timestamp Domain creation time.
update_time
google.protobuf.Timestamp Last updated time.
expiration_time
google.protobuf.Timestamp Expiration time.
audit_update_time
google.protobuf.Timestamp Audit updated time.
status
string Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values.
registrant
User Parsed contact information for the registrant of the domain.
admin
User Parsed contact information for the administrative contact for the domain.
tech
User Parsed contact information for the technical contact for the domain.
billing
User Parsed contact information for the billing contact of the domain.
zone
User Parsed contact information for the zone.
whois_record_raw_text
bytes WHOIS raw text.
registry_data_raw_text
bytes Registry Data raw text.
iana_registrar_id
int32 IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml
private_registration
bool Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.
categories
string repeated Categories assigned to the domain as retrieved from VirusTotal.
favicon
Favicon Includes difference hash and MD5 hash of the domain's favicon.
jarm
string Domain's JARM hash.
last_dns_records
DNSRecord repeated Domain's DNS records from the last scan.
last_dns_records_time
google.protobuf.Timestamp Date when the DNS records list was retrieved by VirusTotal.
last_https_certificate
SSLCertificate SSL certificate object retrieved last time the domain was analyzed.
last_https_certificate_time
google.protobuf.Timestamp When the certificate was retrieved by VirusTotal.
popularity_ranks
PopularityRank repeated Domain's position in popularity ranks such as Alexa, Quantcast, or Statvoo.
tags
string repeated List of representative attributes.
whois_time
google.protobuf.Timestamp Date of the last update of the WHOIS record.

Email

Email info.

Field Name Type Label Description
from
string The 'from' address.
reply_to
string The 'reply to' address.
to
string repeated A list of 'to' addresses.
cc
string repeated A list of 'cc' addresses.
bcc
string repeated A list of 'bcc' addresses.
mail_id
string The mail (or message) ID.
subject
string repeated The subject line(s) of the email.
bounce_address
string The envelope from address. https://en.wikipedia.org/wiki/Bounce_address

Favicon

Difference hash and MD5 hash of the domain's favicon.

Field Name Type Label Description
raw_md5
string Favicon's MD5 hash.
dhash
string Difference hash.

File

Information about a file.

Field Name Type Label Description
sha256
string The SHA256 hash of the file, as a hex-encoded string.
md5
string The MD5 hash of the file, as a hex-encoded string.
sha1
string The SHA1 hash of the file, as a hex-encoded string.
size
uint64 The size of the file in bytes.
full_path
string The full path identifying the location of the file on the system.
mime_type
string The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script".
file_metadata
FileMetadata Metadata associated with the file. Deprecated: use the fields in File instead.
security_result
SecurityResult Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata.
pe_file
FileMetadataPE Metadata about the Portable Executable (PE) file.
ssdeep
string Ssdeep hash of the file.
vhash
string Vhash of the file.
ahash
string Deprecated. Use authentihash instead.
authentihash
string Authentihash of the file.
file_type
File.FileType FileType field.
capabilities_tags
string repeated Capabilities tags.
names
string repeated Names fields.
tags
string repeated Tags for the file.
last_modification_time
google.protobuf.Timestamp Timestamp when the file was last updated.
prevalence
Prevalence Prevalence of the file hash in the customer's environment.
first_seen_time
google.protobuf.Timestamp Timestamp the file was first seen in the customer's environment.
last_seen_time
google.protobuf.Timestamp Timestamp the file was last seen in the customer's environment.
stat_mode
uint64 The mode of the file. A bit string indicating the permissions and privileges of the file.
stat_inode
uint64 The file identifier. Unique identifier of object within a file system.
stat_dev
uint64 The file system identifier to which the object belongs.
stat_nlink
uint64 Number of links to file.
stat_flags
uint32 User defined flags for file.
last_analysis_time
google.protobuf.Timestamp Timestamp the file was last analysed.
embedded_urls
string repeated Embedded URLs found in the file.
embedded_domains
string repeated Embedded domains found in the file.
embedded_ips
string repeated Embedded IP addresses found in the file.
exif_info
ExifInfo Exif metadata from different file formats extracted by exiftool.
signature_info
SignatureInfo File signature information extracted from different tools.
pdf_info
PDFInfo Information about the PDF file structure.
first_submission_time
google.protobuf.Timestamp First submission time of the file.
last_submission_time
google.protobuf.Timestamp Last submission time of the file.
main_icon
Favicon Icon's relevant hashes.
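File.stat_mode above is described only as a bit string of permissions and privileges. The following is an added example, not code from the UDM documentation, that decodes it with Python's standard stat module; it assumes stat_mode carries the raw POSIX st_mode value (file-type bits plus permission bits, as on Linux) and flags the combinations a hardening review cares about: setuid or setgid executables, and world-writable paths without the sticky bit.

```python
import stat

_FILE_TYPES = {
    stat.S_IFREG: "regular", stat.S_IFDIR: "directory", stat.S_IFLNK: "symlink",
    stat.S_IFCHR: "chardev", stat.S_IFBLK: "blockdev", stat.S_IFIFO: "fifo",
    stat.S_IFSOCK: "socket",
}


def describe_stat_mode(mode):
    """Decode a POSIX st_mode value (assumed to be what File.stat_mode carries)
    into the pieces a detection rule would key on."""
    return {
        "symbolic": stat.filemode(mode),                 # ls -l style, e.g. "-rwsr-xr-x"
        "file_type": _FILE_TYPES.get(stat.S_IFMT(mode), "unknown"),
        "permissions_octal": f"{stat.S_IMODE(mode):04o}",  # keeps the setuid/setgid/sticky digit
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def is_privilege_risk(mode):
    """True for a setuid/setgid regular file, or for anything world-writable that the
    sticky bit does not protect (a world-writable sticky directory such as /tmp is normal)."""
    d = describe_stat_mode(mode)
    if d["file_type"] == "regular" and (d["setuid"] or d["setgid"]):
        return True
    return d["world_writable"] and not d["sticky"]
```

Comparing stat_mode as an integer in a rule is brittle because the file-type bits sit above the permission bits; mask them off (S_IMODE) or test individual bits, as above, rather than matching a whole value.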

FileMetadataCodesign

File metadata from the codesign utility.

Field Name Type Label Description
id
string Code sign identifier.
format
string Code sign format.
compilation_time
google.protobuf.Timestamp Code sign timestamp

FileMetadataPE

Metadata about the Portable Executable (PE) file.

Field Name Type Label Description
imphash
string Imphash of the file.
entry_point
int64 info.pe-entry-point.
entry_point_exiftool
int64 info.exiftool.EntryPoint.
compilation_time
google.protobuf.Timestamp info.pe-timestamp.
compilation_exiftool_time
google.protobuf.Timestamp info.exiftool.TimeStamp.
section
FileMetadataSection repeated FilemetadataSection fields.
imports
FileMetadataImports repeated FilemetadataImports fields.
resource
FileMetadataPeResourceInfo repeated FilemetadataPeResourceInfo fields.
resources_type_count
StringToInt64MapEntry repeated Deprecated: use resources_type_count_str.
resources_language_count
StringToInt64MapEntry repeated Deprecated: use resources_language_count_str.
resources_type_count_str
Label repeated Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5
resources_language_count_str
Label repeated Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10
signature_info
FileMetadataSignatureInfo Deprecated: use File.signature_info instead.

FileMetadataSignatureInfo

Signature information.

Field Name Type Label Description
verification_message
string Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.
verified
bool True if verification_message == "Signed"
signer
string repeated Deprecated: use signers field.
signers
SignerInfo repeated File metadata signer information. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.
x509
X509 repeated List of certificates.

Ftp

FTP info.

Field Name Type Label Description
command
string The FTP command.

Group

Information about an organizational group.

Field Name Type Label Description
product_object_id
string Product globally unique group object identifier, such as an LDAP Object Identifier.
creation_time
google.protobuf.Timestamp Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.
group_display_name
string Group display name. e.g. "Finance".
attribute
Attribute Generic entity metadata attributes of the group.
email_addresses
string repeated Email addresses of the group.
windows_sid
string Microsoft Windows SID of the group.

Hardware

Hardware specification details for a resource, including both physical and virtual hardware.

Field Name Type Label Description
serial_number
string Hardware serial number.
manufacturer
string Hardware manufacturer.
model
string Hardware model.
cpu_platform
string Platform of the hardware CPU (e.g. "Intel Broadwell").
cpu_model
string Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").
cpu_clock_speed
uint64 Clock speed of the hardware CPU in MHz.
cpu_max_clock_speed
uint64 Maximum possible clock speed of the hardware CPU in MHz.
cpu_number_cores
uint64 Number of CPU cores.
ram
uint64 Amount of hardware random access memory (RAM) in MB.

Http

Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target".

Field Name Type Label Description
method
string The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE").
referral_url
string The URL for the HTTP referer.
user_agent
string The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
response_code
int32 The response status code, for example 200, 302, 404, or 500.
parsed_user_agent
The parsed user_agent string.

Investigation

Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.

Field Name Type Label Description
verdict
Verdict optional Describes reason a finding investigation was resolved.
reputation
Reputation optional Describes whether a finding was useful or not-useful.
severity_score
uint32 optional Severity score for a finding set by an analyst.
status
Status optional Describes the workflow status of a finding.
comments
string repeated Comment added by the Analyst.
priority
Priority optional Priority of the Alert or Finding set by analyst.
root_cause
string optional Root cause of the Alert or Finding set by analyst.
reason
Reason optional Reason for closing the Case or Alert.
risk_score
uint32 optional Risk score for a finding set by an analyst.

Label

Key value labels.

Field Name Type Label Description
key
string The key.
value
string The value.
rbac_enabled
bool Indicates whether this label can be used for Data RBAC.

Location

Information about a location.

Field Name Type Label Description
city
string The city.
state
string The state.
country_or_region
string The country or region.
name
string Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").
desk_name
string Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").
floor_name
string Floor name, number or a combination of the two for a building. (e.g. "1-A").
region_latitude
float Deprecated: use region_coordinates.
region_longitude
float Deprecated: use region_coordinates.
region_coordinates
google.type.LatLng Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields.

PDFInfo

Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info

Field Name Type Label Description
js
int64 Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios.
javascript
int64 Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios.
launch_action_count
int64 Number of /Launch tags found in the PDF file.
object_stream_count
int64 Number of object streams.
endobj_count
int64 Number of object definitions (endobj keyword).
header
string PDF version.
acroform
int64 Number of /AcroForm tags found in the PDF.
autoaction
int64 Number of /AA tags found in the PDF.
embedded_file
int64 Number of /EmbeddedFile tags found in the PDF.
encrypted
int64 Whether the document is encrypted or not. This is defined by the /Encrypt tag.
flash
int64 Number of /RichMedia tags found in the PDF.
jbig2_compression
int64 Number of /JBIG2Decode tags found in the PDF.
obj_count
int64 Number of objects definitions (obj keyword).
endstream_count
int64 Number of defined stream objects (stream keyword).
page_count
int64 Number of pages in the PDF.
stream_count
int64 Number of defined stream objects (stream keyword).
openaction
int64 Number of /OpenAction tags found in the PDF.
startxref
int64 Number of startxref keywords in the PDF.
suspicious_colors
int64 Number of colors expressed with more than 3 bytes (CVE-2009-3459).
trailer
int64 Number of trailer keywords in the PDF.
xfa
int64 Number of /XFA tags found in the PDF.
xref
int64 Number of xref keywords in the PDF.

Metadata about a Microsoft Windows Portable Executable.

Field Name Type Label Description
import_hash
string Hash of PE imports.

Permission

System permission for resource access and modification.

Field Name Type Label Description
name
string Name of the permission (e.g. chronicle.analyst.updateRule).
description
string Description of the permission (e.g. 'Ability to update detect rules').
type
Permission.PermissionType Type of the permission.

PlatformSoftware

Platform software information about an operating system.

Field Name Type Label Description
platform
Noun.Platform The platform operating system.
platform_version
string The platform software version ( e.g. "Microsoft Windows 1803").
platform_patch_level
string The platform software patch level ( e.g. "Build 17134.48", "SP1").

PopularityRank

Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.

Field Name Type Label Description
giver
string Name of the ranking service that provided the rank (for example, Alexa, Quantcast, or Statvoo).
rank
int64 Rank position.
ingestion_time
google.protobuf.Timestamp Timestamp when the rank was ingested.

Prevalence

The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource.

Field Name Type Label Description
rolling_max
int32 The maximum number of assets per day accessing the resource over the trailing day_count days.
day_count
int32 The number of days over which rolling_max is calculated.
rolling_max_sub_domains
int32 The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.
day_max
int32 The max prevalence score in a day interval window.
day_max_sub_domains
int32 The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.
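The definitions of rolling_max and rolling_max_sub_domains above are precise but easy to misread: the unit is distinct assets per day, and the maximum is taken over the trailing day_count days, not the total number of accesses. The function below is an added example, not code from the UDM documentation or from Google SecOps, that computes those three fields from a constructed list of (day, asset, domain) accesses; it also shows why the sub-domain match must test for "." + domain rather than a bare suffix.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample accesses: (ISO day, asset identifier, domain contacted).
SAMPLE_ACCESSES = [
    ("2024-04-20", "ws-01", "example.com"), ("2024-04-20", "ws-02", "example.com"),
    ("2024-04-20", "ws-03", "example.com"), ("2024-04-20", "ws-04", "example.com"),
    ("2024-05-01", "ws-01", "example.com"), ("2024-05-01", "ws-02", "example.com"),
    ("2024-05-01", "ws-03", "cdn.example.com"),
    ("2024-05-02", "ws-01", "example.com"), ("2024-05-02", "ws-04", "cdn.example.com"),
    ("2024-05-02", "ws-05", "cdn.example.com"), ("2024-05-02", "ws-09", "badexample.com"),
    ("2024-05-03", "ws-02", "example.com"), ("2024-05-03", "ws-02", "example.com"),  # same asset twice: counts once
]


def _distinct_assets_per_day(accesses, matches):
    """{day: number of distinct assets} over the accesses whose domain satisfies matches()."""
    per_day = defaultdict(set)
    for day, asset, domain in accesses:
        if matches(domain):
            per_day[date.fromisoformat(day)].add(asset)
    return {d: len(assets) for d, assets in per_day.items()}


def prevalence(accesses, domain, as_of, day_count=30):
    """Compute the UDM Prevalence fields for a domain over the trailing day_count days ending at as_of."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    window = {as_of - timedelta(days=i) for i in range(day_count)}
    exact = _distinct_assets_per_day(accesses, lambda d: d == domain)
    # The "." + domain check keeps badexample.com from counting as a sub-domain of example.com.
    with_subs = _distinct_assets_per_day(
        accesses, lambda d: d == domain or d.endswith("." + domain))
    return {
        "day_count": day_count,
        "rolling_max": max((n for d, n in exact.items() if d in window), default=0),
        "rolling_max_sub_domains": max((n for d, n in with_subs.items() if d in window), default=0),
    }
```

A rolling_max of one or two is what a rare-domain detection keys on; a domain with a high rolling_max_sub_domains but a low rolling_max is usually a shared parent (a CDN or cloud provider) whose individual hostnames are each rare, which is the distinction the two fields exist to capture.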

Process

Information about a process.

Field Name Type Label Description
pid
string The process ID.
parent_pid
string The ID of the parent process. Deprecated: use parent_process.pid instead.
parent_process
Process Information about the parent process.
file
File Information about the file in use by the process.
command_line
string The command line command that created the process.
command_line_history
string repeated The command line history of the process.
product_specific_process_id
string A product specific process id.
access_mask
uint64 A bit mask representing the level of access.
integrity_level_rid
uint64 The Microsoft Windows integrity level relative ID (RID) of the process.
token_elevation_type
Process.TokenElevationType The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled.
product_specific_parent_process_id
string A product specific id for the parent process. Deprecated: use parent_process.product_specific_process_id instead.

Registry

Information about a registry key or value.

Field Name Type Label Description
registry_key
string Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).
registry_value_name
string Name of the registry value associated with an application or system component (e.g. TEMP).
registry_value_data
string Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

Resource

Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar.

Field Name Type Label Description
type
string Deprecated: use resource_type instead.
resource_type
Resource.ResourceType Resource type.
resource_subtype
string Resource sub-type (e.g. "BigQuery", "Bigtable").
id
string Deprecated: Use resource.name or resource.product_object_id.
name
string The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe.
parent
string The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name.
product_object_id
string A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)
attribute
Attribute Generic entity metadata attributes of the resource.

Role

System role for resource access and modification.

Field Name Type Label Description
name
string System role name for user.
description
string System role description for user.
type
Role.Type System role type for well known roles.

SSLCertificate

SSL certificate.

Field Name Type Label Description
cert_signature
SSLCertificate.CertSignature Certificate's signature and algorithm.
extension
SSLCertificate.Extension Deprecated. Certificate's extensions.
cert_extensions
google.protobuf.Struct Certificate's extensions.
first_seen_time
google.protobuf.Timestamp Date the certificate was first retrieved by VirusTotal.
issuer
SSLCertificate.Subject Certificate's issuer data.
ec
SSLCertificate.EC EC public key information.
serial_number
string Certificate's serial number hexdump.
signature_algorithm
string Algorithm used for the signature (for example, "sha1RSA").
size
int64 Certificate content length.
subject
SSLCertificate.Subject Certificate's subject data.
thumbprint
string Certificate's content SHA1 hash.
thumbprint_sha256
string Certificate's content SHA256 hash.
validity
SSLCertificate.Validity Certificate's validity period.
version
string Certificate version (typically "V1", "V2" or "V3").

SSLCertificate.AuthorityKeyId

Identifies the public key to be used to verify the signature on this certificate or CRL.

Field Name Type Label Description
keyid
string Key hexdump.
serial_number
string Serial number hexdump.

SSLCertificate.CertSignature

Certificate's signature and algorithm.

Field Name Type Label Description
signature
string Signature.
signature_algorithm
string Algorithm.

SSLCertificate.DSA

DSA public key information.

Field Name Type Label Description
p
string p component hexdump.
q
string q component hexdump.
g
string g component hexdump.
pub
string Public key hexdump.

SSLCertificate.EC

EC public key information.

Field Name Type Label Description
oid
string Curve name.
pub
string Public key hexdump.

SSLCertificate.Extension

Certificate's extensions.

Field Name Type Label Description
ca
bool Whether the subject acts as a certificate authority (CA) or not.
subject_key_id
string Identifies the public key being certified.
authority_key_id
SSLCertificate.AuthorityKeyId Identifies the public key to be used to verify the signature on this certificate or CRL.
key_usage
string The purpose for which the certified public key is used.
ca_info_access
string Authority information access locations are URLs that are added to a certificate in its authority information access extension.
crl_distribution_points
string CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked.
extended_key_usage
string One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field.
subject_alternative_name
string Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key.
certificate_policies
string Different certificate policies will relate to different applications which may use the certified key.
netscape_cert_comment
string Used to include free-form text comments inside certificates.
cert_template_name_dc
string BMP data value "DomainController". See MS Q291010.
netscape_certificate
bool Identify whether the certificate subject is an SSL client, an SSL server, or a CA.
pe_logotype
bool Whether the certificate includes a logotype.
old_authority_key_id
bool Whether the certificate has an old authority key identifier extension.

SSLCertificate.PublicKey

Subject public key info.

Field Name Type Label Description
algorithm
string Any of "RSA", "DSA" or "EC". Indicates the algorithm of the certified subject public key.
rsa
SSLCertificate.RSA RSA public key information.

SSLCertificate.RSA

RSA public key information.

Field Name Type Label Description
key_size
int64 Key size.
modulus
string Key modulus hexdump.
exponent
string Key exponent hexdump.

SSLCertificate.Subject

Subject data.

Field Name Type Label Description
country_name
string C: Country name.
common_name
string CN: CommonName.
locality
string L: Locality.
organization
string O: Organization.
organizational_unit
string OU: OrganizationalUnit.
state_or_province_name
string ST: StateOrProvinceName.

SSLCertificate.Validity

Defines certificate's validity period.

Field Name Type Label Description
expiry_time
google.protobuf.Timestamp Expiry date.
issue_time
google.protobuf.Timestamp Issue date.

SecurityResult.AnalystVerdict

Verdict provided by the human analyst. These fields are used to model Mandiant sources.

Field Name Type Label Description
confidence_score
int32 Confidence score of the verdict.
verdict_time
google.protobuf.Timestamp Timestamp at which the verdict was generated.
verdict_response
SecurityResult.VerdictResponse Details of the verdict.

SecurityResult.Association

An association represents metadata about malware and threat actors involved with an IoC.

Field Name Type Label Description
id
string Unique association ID generated by Mandiant.
country_code
string repeated Country codes of the countries from which the threat actor or malware originates.
type
SecurityResult.Association.AssociationType Signifies the type of association.
name
string Name of the threat actor/malware.
description
string Human readable description about the association.
role
string Role of the malware. Not applicable for threat actor.
source_country
string Name of the country the threat originated from.
alias
SecurityResult.Association.AssociationAlias repeated Different aliases of the threat actor given by different sources.
first_reference_time
google.protobuf.Timestamp First time the threat actor was referenced or seen.
last_reference_time
google.protobuf.Timestamp Last time the threat actor was referenced or seen.
industries_affected
string repeated List of industries the threat actor affects.
associated_actors
SecurityResult.Association repeated List of associated threat actors for a malware. Not applicable for threat actors.
region_code
Location Name of the country the threat originates from.
sponsor_region
Location Sponsor region of the threat actor.
targeted_regions
Location repeated Targeted regions.
tags
string repeated Tags.

SecurityResult.Association.AssociationAlias

Association Alias used to represent Mandiant Threat Intelligence.

Field Name Type Label Description
name
string Name of the alias.
company
string Name of the provider who gave the association's name.

SecurityResult.IoCStats

Information about the threat intelligence source. These fields are used to model Mandiant sources.

Field Name Type Label Description
ioc_stats_type
SecurityResult.IoCStatsType Describes the source of the IoCStat.
first_level_source
string Name of first level IoC source, for example Mandiant or a third-party.
second_level_source
string Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph.
benign_count
int32 Count of responses where the IoC was identified as benign.
quality
SecurityResult.ProductConfidence Level of confidence in the IoC mapping extracted from the source.
malicious_count
int32 Count of responses where the IoC was identified as malicious.
response_count
int32 Total number of responses from the source.
source_count
int32 Number of sources from which information was extracted.

SecurityResult.ProviderMLVerdict

MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.

Field Name Type Label Description
source_provider
string Source provider giving the ML verdict.
benign_count
int32 Count of responses where this IoC was marked benign.
malicious_count
int32 Count of responses where this IoC was marked malicious.
confidence_score
int32 Confidence score of the verdict.
mandiant_sources
SecurityResult.Source repeated List of mandiant sources from which the verdict was generated.
third_party_sources
SecurityResult.Source repeated List of third-party sources from which the verdict was generated.

SecurityResult.Source

Information about the threat intelligence source. These fields are used to model Mandiant sources.

Field Name Type Label Description
name
string Name of the IoC source.
benign_count
int32 Count of responses where this IoC was marked benign.
malicious_count
int32 Count of responses where this IoC was marked malicious.
quality
SecurityResult.ProductConfidence Quality of the IoC mapping extracted from the source.
response_count
int32 Total response count from this source.
source_count
int32 Number of sources from which intelligence was extracted.
threat_intelligence_sources
SecurityResult.Source repeated Different threat intelligence sources from which IoC info was extracted.

SecurityResult.Verdict

Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources.

Field Name Type Label Description
source_count
int32 Number of sources from which intelligence was extracted.
response_count
int32 Total response count across all sources.
neighbour_influence
string Describes the neighbour influence of the verdict.
verdict
SecurityResult.ProviderMLVerdict ML Verdict provided by sources like Mandiant.
analyst_verdict
SecurityResult.AnalystVerdict Human analyst verdict provided by sources like Mandiant.

SecurityResult.VerdictInfo

Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources.

Field Name Type Label Description
source_count
int32 Number of sources from which intelligence was extracted.
response_count
int32 Total response count across all sources.
neighbour_influence
string Describes the near neighbor influence of the verdict.
verdict_type
SecurityResult.VerdictType Type of verdict.
source_provider
string Source provider giving the machine learning verdict.
benign_count
int32 Count of responses where this IoC was marked as benign.
malicious_count
int32 Count of responses where this IoC was marked as malicious.
confidence_score
int32 Confidence score of the verdict.
ioc_stats
SecurityResult.IoCStats repeated List of IoCStats from which the verdict was generated.
verdict_time
google.protobuf.Timestamp Timestamp when the verdict was generated.
verdict_response
SecurityResult.VerdictResponse Details about the verdict.
global_customer_count
int32 Global customer count over the last 30 days.
global_hits_count
int32 Global hit count over the last 30 days.
pwn
bool Whether one or more Mandiant incident response customers had this indicator in their environment.
category_details
string Tags related to the verdict.
pwn_first_tagged_time
google.protobuf.Timestamp The timestamp of the first time a pwn was associated with this entity.

SignatureInfo

File signature information extracted from different tools.

Field Name Type Label Description
sigcheck
FileMetadataSignatureInfo Signature information extracted from the sigcheck tool.
codesign
FileMetadataCodesign Signature information extracted from the codesign utility.

SignerInfo

File metadata related to the signer information.

Field Name Type Label Description
name
string optional Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority.
status
string optional Either "Valid" or a statement of the problem with the certificate, if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid.").
valid_usage
string optional Indicates which situations the certificate is valid for (e.g. "Code Signing").
cert_issuer
string optional Company that issued the certificate.

Smtp

SMTP info. See RFC 2821.

Field Name Type Label Description
helo
string The client's 'HELO'/'EHLO' string.
mail_from
string The client's 'MAIL FROM' string.
rcpt_to
string repeated The client's 'RCPT TO' string(s).
server_response
string repeated The server's response(s) to the client.
message_path
string The message's path (extracted from the headers).
is_webmail
bool If the message was sent via a webmail client.
is_tls
bool If the connection switched to TLS.

Software

Information about a software package or application.

Field Name Type Label Description
name
string The name of the software.
version
string The version of the software.
permissions
Permission repeated System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE".
description
string The description of the software.
vendor_name
string The name of the software vendor.

Tags

Tags are event metadata that are set by examining event contents after parsing. For example, a UDM event may be assigned a tenant_id based on customer-defined parameters.

Field Name Type Label Description
tenant_id
bytes repeated A list of subtenant ids that this event belongs to.
data_tap_config_name
string repeated A list of sink name values defined in DataTap configurations.

TimeOff

System record for leave/time-off from a Human Capital Management (HCM) system.

Field Name Type Label Description
interval
google.type.Interval Interval duration of the leave.
description
string Description of the leave if available (e.g. 'Vacation').

Tls

Transport Layer Security (TLS) information.

Field Name Type Label Description
client
Tls.Client Certificate information for the client certificate.
server
Tls.Server Certificate information for the server certificate.
cipher
string Cipher used during the connection.
curve
string Elliptic curve used for a given cipher.
version
string TLS version.
version_protocol
string Protocol.
established
bool Indicates whether the TLS negotiation was successful.
next_protocol
string Protocol to be used for tunnel.
resumed
bool Indicates whether the TLS connection was resumed from a previous TLS negotiation.

Tls.Client

Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).

Field Name Type Label Description
certificate
Certificate Client certificate.
ja3
string JA3 hash from the TLS ClientHello, as a hex-encoded string.
server_name
string Host name of the server that the client is connecting to.
supported_ciphers
string repeated Ciphers supported by the client during client hello.

Tls.Server

Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).

Field Name Type Label Description
certificate
Certificate Server certificate.
ja3s
string JA3 hash from the TLS ServerHello, as a hex-encoded string.

Tracker

URL Tracker.

Field Name Type Label Description
tracker
string Tracker name.
id
string Tracker ID, if available.
timestamp
google.protobuf.Timestamp Tracker ingestion date.
URL
string Tracker script URL.

URL

URL.

Field Name Type Label Description
URL
string URL.
categories
string repeated Categorisation done by VirusTotal partners.
favicon
Favicon Difference hash and MD5 hash of the URL's favicon.
html_meta
google.protobuf.Struct Meta tags (only for URLs downloading HTML).
last_final_url
string If the original URL redirects, the URL where the redirect chain ends.
last_http_response_code
int32 HTTP response code of the last response.
last_http_response_content_length
int64 Length in bytes of the content received.
last_http_response_content_sha256
string URL response body's SHA256 hash.
last_http_response_cookies
google.protobuf.Struct Website's cookies.
last_http_response_headers
google.protobuf.Struct Headers and values of the last HTTP response.
tags
string repeated Tags.
title
string Webpage title.
trackers
Tracker repeated Trackers found in the URL in a historical manner.

User

Information about a user.

Field Name Type Label Description
product_object_id
string A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).
userid
string The ID of the user.
user_display_name
string The display name of the user (e.g. "John Locke").
first_name
string First name of the user (e.g. "John").
middle_name
string Middle name of the user.
last_name
string Last name of the user (e.g. "Locke").
phone_numbers
string repeated Phone numbers for the user.
personal_address
Location Personal address of the user.
attribute
Attribute Generic entity metadata attributes of the user.
first_seen_time
google.protobuf.Timestamp The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
account_type
User.AccountType Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/
groupid
string The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field.
group_identifiers
string repeated Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier that uniquely identifies the group(s) the user belongs to (a GUID, LDAP OID, or similar).
windows_sid
string The Microsoft Windows SID of the user.
email_addresses
string repeated Email addresses of the user.
employee_id
string Human capital management identifier.
title
string User job title.
company_name
string User job company name.
department
string repeated User job department.
office_address
Location User job office location.
managers
User repeated User job manager(s).
hire_date
google.protobuf.Timestamp User job employment hire date.
termination_date
google.protobuf.Timestamp User job employment termination date.
time_off
TimeOff repeated User time-off leave from active work.
last_login_time
google.protobuf.Timestamp User last login timestamp.
last_password_change_time
google.protobuf.Timestamp User last password change timestamp.
password_expiration_time
google.protobuf.Timestamp User password expiration timestamp.
account_expiration_time
google.protobuf.Timestamp User account expiration timestamp.
account_lockout_time
google.protobuf.Timestamp User account lockout timestamp.
last_bad_password_attempt_time
google.protobuf.Timestamp User last bad password attempt timestamp.
user_authentication_status
Authentication.AuthenticationStatus System authentication status for user.
role_name
string System role name for user. Deprecated: use attribute.roles.
role_description
string System role description for user. Deprecated: use attribute.roles.
user_role
User.Role System role for user. Deprecated: use attribute.roles.

Vulnerabilities

The Vulnerabilities extension captures details on observed/detected vulnerabilities.

Field Name Type Label Description
vulnerabilities
Vulnerability repeated A list of vulnerabilities.

Vulnerability

A vulnerability.

Field Name Type Label Description
about
Noun If the vulnerability is about a specific noun (e.g. executable), then add it here.
name
string Name of the vulnerability (e.g. "Unsupported OS Version detected").
description
string Description of the vulnerability.
vendor
string Vendor of the scan that discovered the vulnerability.
scan_start_time
google.protobuf.Timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.
scan_end_time
google.protobuf.Timestamp If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.
first_found
google.protobuf.Timestamp Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
last_found
google.protobuf.Timestamp Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
severity
Vulnerability.Severity The severity of the vulnerability.
severity_details
string Vendor-specific severity.
cvss_base_score
float CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.
cvss_vector
string Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C"). Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
cvss_version
string Version of CVSS Vector/Score.
cve_id
string Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id
cve_description
string Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
vendor_vulnerability_id
string Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
vendor_knowledge_base_article_id
string Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase

X509

File certificate.

Field Name Type Label Description
name
string Certificate name.
algorithm
string Certificate algorithm.
thumbprint
string Certificate thumbprint.
cert_issuer
string Issuer of the certificate.
serial_number
string Certificate serial number.

Event enumerated types

Asset.AssetType

The role type of the asset.

Enum Value Enum Number Description
ROLE_UNSPECIFIED
0 Unspecified asset role.
WORKSTATION
1 A workstation or desktop.
LAPTOP
2 A laptop computer.
IOT
3 An IOT asset.
NETWORK_ATTACHED_STORAGE
4 A network attached storage device.
PRINTER
5 A printer.
SCANNER
6 A scanner.
SERVER
7 A server.
TAPE_LIBRARY
8 A tape library device.
MOBILE
9 A mobile device such as a mobile phone or PDA.

Asset.DeploymentStatus

Deployment status states.

Enum Value Enum Number Description
DEPLOYMENT_STATUS_UNSPECIFIED
0 Unspecified deployment status.
ACTIVE
1 Asset is active, functional and deployed.
PENDING_DECOMMISSION
2 Asset is pending decommission and no longer deployed.
DECOMMISSIONED
3 Asset is decommissioned.

Authentication.AuthType

Type of system the authentication event is associated with.

Enum Value Enum Number Description
AUTHTYPE_UNSPECIFIED
0 The default type.
MACHINE
1 A machine authentication.
SSO
2 An SSO authentication.
VPN
3 A VPN authentication.
PHYSICAL
4 A physical authentication (e.g. "Badge reader").
TACACS
5 A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+).

Authentication.AuthenticationStatus

Authentication status; can be used to describe the status of authentication for a user or a particular credential.

Enum Value Enum Number Description
UNKNOWN_AUTHENTICATION_STATUS
0 The default authentication status.
ACTIVE
1 The authentication method is in active state.
SUSPENDED
2 The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS
3 The authentication method has no active credentials.
DELETED
4 The authentication method has been deleted.

Authentication.Mechanism

Mechanism(s) used to authenticate.

Enum Value Enum Number Description
MECHANISM_UNSPECIFIED
0 The default mechanism.
USERNAME_PASSWORD
1 Username + password authentication.
OTP
2 OTP authentication.
HARDWARE_KEY
3 Hardware key authentication.
LOCAL
4 Local authentication.
REMOTE
5 Remote authentication.
REMOTE_INTERACTIVE
6 RDP, Terminal Services, or VNC.
MECHANISM_OTHER
7 Some other mechanism that is not defined here.
BADGE_READER
8 Badge reader authentication.
NETWORK
9 Network authentication.
BATCH
10 Batch authentication.
SERVICE
11 Service authentication.
UNLOCK
12 Direct human-interactive unlock authentication.
NETWORK_CLEAR_TEXT
13 Network clear text authentication.
NEW_CREDENTIALS
14 Authentication with new credentials.
INTERACTIVE
15 Interactive authentication.
CACHED_INTERACTIVE
16 Interactive authentication using cached credentials.
CACHED_REMOTE_INTERACTIVE
17 Cached Remote Interactive authentication using cached credentials.
CACHED_UNLOCK
18 Cached Remote Interactive authentication using cached credentials.

Cloud.CloudEnvironment

The service provider environment.

Enum Value Enum Number Description
UNSPECIFIED_CLOUD_ENVIRONMENT
0 Default.
GOOGLE_CLOUD_PLATFORM
1 Google Cloud Platform.
AMAZON_WEB_SERVICES
2 Amazon Web Services.
MICROSOFT_AZURE
3 Microsoft Azure.

Dhcp.MessageType

DHCP message type. See RFC2131, section 3.1.

Enum Value Enum Number Description
UNKNOWN_MESSAGE_TYPE
0 Default message type.
DISCOVER
1 DHCPDISCOVER.
OFFER
2 DHCPOFFER.
REQUEST
3 DHCPREQUEST.
DECLINE
4 DHCPDECLINE.
ACK
5 DHCPACK.
NAK
6 DHCPNAK.
RELEASE
7 DHCPRELEASE.
INFORM
8 DHCPINFORM.
WIN_DELETED
100 Microsoft Windows DHCP "lease deleted".
WIN_EXPIRED
101 Microsoft Windows DHCP "lease expired".

Dhcp.OpCode

BOOTP op code. See RFC951, section 3.

Enum Value Enum Number Description
UNKNOWN_OPCODE
0 Default opcode.
BOOTREQUEST
1 Request.
BOOTREPLY
2 Reply.

File.FileType

The file type, for example Microsoft Windows executable.

Enum Value Enum Number Description
FILE_TYPE_UNSPECIFIED
0 File type is UNSPECIFIED.
FILE_TYPE_PE_EXE
1 File type is PE_EXE.
FILE_TYPE_PE_DLL
2 Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_MSI
3 File type is MSI.
FILE_TYPE_NE_EXE
10 File type is NE_EXE.
FILE_TYPE_NE_DLL
11 File type is NE_DLL.
FILE_TYPE_DOS_EXE
20 File type is DOS_EXE.
FILE_TYPE_DOS_COM
21 File type is DOS_COM.
FILE_TYPE_COFF
30 File type is COFF.
FILE_TYPE_ELF
31 File type is ELF.
FILE_TYPE_LINUX_KERNEL
32 File type is LINUX_KERNEL.
FILE_TYPE_RPM
33 File type is RPM.
FILE_TYPE_LINUX
34 File type is LINUX.
FILE_TYPE_MACH_O
35 File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE
36 File type is JAVA_BYTECODE.
FILE_TYPE_DMG
37 File type is DMG.
FILE_TYPE_DEB
38 File type is DEB.
FILE_TYPE_PKG
39 File type is PKG.
FILE_TYPE_PYC
40 File type is PYC.
FILE_TYPE_LNK
50 File type is LNK.
FILE_TYPE_JPEG
100 File type is JPEG.
FILE_TYPE_TIFF
101 File type is TIFF.
FILE_TYPE_GIF
102 File type is GIF.
FILE_TYPE_PNG
103 File type is PNG.
FILE_TYPE_BMP
104 File type is BMP.
FILE_TYPE_GIMP
105 File type is GIMP.
FILE_TYPE_IN_DESIGN
106 File type is Adobe InDesign.
FILE_TYPE_PSD
107 File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA
108 File type is TARGA.
FILE_TYPE_XWD
109 File type is XWD.
FILE_TYPE_DIB
110 File type is DIB.
FILE_TYPE_JNG
111 File type is JNG.
FILE_TYPE_ICO
112 File type is ICO.
FILE_TYPE_FPX
113 File type is FPX.
FILE_TYPE_EPS
114 File type is EPS.
FILE_TYPE_SVG
115 File type is SVG.
FILE_TYPE_EMF
116 File type is EMF.
FILE_TYPE_WEBP
117 File type is WEBP.
FILE_TYPE_DWG
118 File type is DWG.
FILE_TYPE_DXF
119 File type is DXF.
FILE_TYPE_THREEDS
120 File type is 3DS.
FILE_TYPE_OGG
150 File type is OGG.
FILE_TYPE_FLC
151 File type is FLC.
FILE_TYPE_FLI
152 File type is FLI.
FILE_TYPE_MP3
153 File type is MP3.
FILE_TYPE_FLAC
154 File type is FLAC.
FILE_TYPE_WAV
155 File type is WAV.
FILE_TYPE_MIDI
156 File type is MIDI.
FILE_TYPE_AVI
157 File type is AVI.
FILE_TYPE_MPEG
158 File type is MPEG.
FILE_TYPE_QUICKTIME
159 File type is QUICKTIME.
FILE_TYPE_ASF
160 File type is ASF.
FILE_TYPE_DIVX
161 File type is DIVX.
FILE_TYPE_FLV
162 File type is FLV.
FILE_TYPE_WMA
163 File type is WMA.
FILE_TYPE_WMV
164 File type is WMV.
FILE_TYPE_RM
165 File type is RM. RealMedia type.
FILE_TYPE_MOV
166 File type is MOV.
FILE_TYPE_MP4
167 File type is MP4.
FILE_TYPE_T3GP
168 File type is T3GP.
FILE_TYPE_WEBM
169 File type is WEBM.
FILE_TYPE_MKV
170 File type is MKV.
FILE_TYPE_PDF
200 File type is PDF.
FILE_TYPE_PS
201 File type is PS.
FILE_TYPE_DOC
202 File type is DOC.
FILE_TYPE_DOCX
203 File type is DOCX.
FILE_TYPE_PPT
204 File type is PPT.
FILE_TYPE_PPTX
205 File type is PPTX.
FILE_TYPE_PPSX
209 File type is PPSX.
FILE_TYPE_XLS
206 File type is XLS.
FILE_TYPE_XLSX
207 File type is XLSX.
FILE_TYPE_RTF
208 File type is RTF.
FILE_TYPE_ODP
250 File type is ODP.
FILE_TYPE_ODS
251 File type is ODS.
FILE_TYPE_ODT
252 File type is ODT.
FILE_TYPE_HWP
253 File type is HWP.
FILE_TYPE_GUL
254 File type is GUL.
FILE_TYPE_ODF
255 File type is ODF.
FILE_TYPE_ODG
256 File type is ODG.
FILE_TYPE_ONE_NOTE
257 File type is ONE_NOTE.
FILE_TYPE_OOXML
258 File type is OOXML.
FILE_TYPE_EBOOK
260 File type is EBOOK.
FILE_TYPE_LATEX
261 File type is LATEX.
FILE_TYPE_TTF
262 File type is TTF.
FILE_TYPE_EOT
263 File type is EOT.
FILE_TYPE_WOFF
264 File type is WOFF.
FILE_TYPE_CHM
265 File type is CHM.
FILE_TYPE_ZIP
300 File type is ZIP.
FILE_TYPE_GZIP
301 File type is GZIP.
FILE_TYPE_BZIP
302 File type is BZIP.
FILE_TYPE_RZIP
303 File type is RZIP.
FILE_TYPE_DZIP
304 File type is DZIP.
FILE_TYPE_SEVENZIP
305 File type is SEVENZIP.
FILE_TYPE_CAB
306 File type is CAB.
FILE_TYPE_JAR
307 File type is JAR.
FILE_TYPE_RAR
308 File type is RAR.
FILE_TYPE_MSCOMPRESS
309 File type is MSCOMPRESS.
FILE_TYPE_ACE
310 File type is ACE.
FILE_TYPE_ARC
311 File type is ARC.
FILE_TYPE_ARJ
312 File type is ARJ.
FILE_TYPE_ASD
313 File type is ASD.
FILE_TYPE_BLACKHOLE
314 File type is BLACKHOLE.
FILE_TYPE_KGB
315 File type is KGB.
FILE_TYPE_ZLIB
316 File type is ZLIB.
FILE_TYPE_TAR
317 File type is TAR.
FILE_TYPE_ZST
318 File type is ZST.
FILE_TYPE_LZFSE
319 File type is LZFSE.
FILE_TYPE_PYTHON_WHL
320 File type is PYTHON_WHL.
FILE_TYPE_PYTHON_PKG
321 File type is PYTHON_PKG.
FILE_TYPE_TEXT
400 File type is TEXT.
FILE_TYPE_SCRIPT
401 File type is SCRIPT.
FILE_TYPE_PHP
402 File type is PHP.
FILE_TYPE_PYTHON
403 File type is PYTHON.
FILE_TYPE_PERL
404 File type is PERL.
FILE_TYPE_RUBY
405 File type is RUBY.
FILE_TYPE_C
406 File type is C.
FILE_TYPE_CPP
407 File type is CPP.
FILE_TYPE_JAVA
408 File type is JAVA.
FILE_TYPE_SHELLSCRIPT
409 File type is SHELLSCRIPT.
FILE_TYPE_PASCAL
410 File type is PASCAL.
FILE_TYPE_AWK
411 File type is AWK.
FILE_TYPE_DYALOG
412 File type is DYALOG.
FILE_TYPE_FORTRAN
413 File type is FORTRAN.
FILE_TYPE_JAVASCRIPT
414 File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL
415 File type is POWERSHELL.
FILE_TYPE_VBA
416 File type is VBA.
FILE_TYPE_M4
417 File type is M4.
FILE_TYPE_OBJETIVEC
418 File type is OBJETIVEC.
FILE_TYPE_JMOD
419 File type is JMOD.
FILE_TYPE_MAKEFILE
420 File type is MAKEFILE.
FILE_TYPE_INI
421 File type is INI.
FILE_TYPE_CLJ
422 File type is CLJ.
FILE_TYPE_PDB
425 File type is PDB.
FILE_TYPE_SQL
426 File type is SQL.
FILE_TYPE_NEKO
427 File type is NEKO.
FILE_TYPE_WER
428 File type is WER.
FILE_TYPE_GOLANG
429 File type is GOLANG.
FILE_TYPE_SYMBIAN
500 File type is SYMBIAN.
FILE_TYPE_PALMOS
501 File type is PALMOS.
FILE_TYPE_WINCE
502 File type is WINCE.
FILE_TYPE_ANDROID
503 File type is ANDROID.
FILE_TYPE_IPHONE
504 File type is IPHONE.
FILE_TYPE_HTML
600 File type is HTML.
FILE_TYPE_XML
601 File type is XML.
FILE_TYPE_SWF
602 File type is SWF.
FILE_TYPE_FLA
603 File type is FLA.
FILE_TYPE_COOKIE
604 File type is COOKIE.
FILE_TYPE_TORRENT
605 File type is TORRENT.
FILE_TYPE_EMAIL_TYPE
606 File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK
607 File type is OUTLOOK.
FILE_TYPE_SGML
608 File type is SGML.
FILE_TYPE_JSON
609 File type is JSON.
FILE_TYPE_CSV
610 File type is CSV.
FILE_TYPE_CAP
700 File type is CAP.
FILE_TYPE_ISOIMAGE
800 File type is ISOIMAGE.
FILE_TYPE_SQUASHFS
801 File type is SQUASHFS.
FILE_TYPE_VHD
802 File type is VHD.
FILE_TYPE_APPLE
1000 File type is APPLE.
FILE_TYPE_MACINTOSH
1001 File type is MACINTOSH.
FILE_TYPE_APPLESINGLE
1002 File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE
1003 File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS
1004 File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST
1005 File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB
1006 File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT
1007 File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED
1008 File type is APPLESCRIPT_COMPILED.
FILE_TYPE_CRX
1100 File type is CRX.
FILE_TYPE_XPI
1101 File type is XPI.
FILE_TYPE_ROM
1200 File type is ROM.
FILE_TYPE_IPS
1201 File type is IPS.
FILE_TYPE_PEM
1300 File type is PEM.
FILE_TYPE_PGP
1301 File type is PGP.
FILE_TYPE_CRT
1302 File type is CRT.

Metadata.EnrichmentState

An enrichment state.

Enum Value Enum Number Description
ENRICHMENT_STATE_UNSPECIFIED
0 Unspecified.
ENRICHED
1 The event has been enriched by Google SecOps.
UNENRICHED
2 The event has not been enriched by Google SecOps.

Metadata.EventType

An event type. Choose the event type based on the entity that logged the event, rather than the product that generated it. For example, an antivirus (AV) scanning a client email would log an SMTP_PROXY event, not an AV event. A DLP device scanning a web upload would generate an HTTP_PROXY event and not a DLP or process activity event.

Enum Value Enum Number Description
EVENTTYPE_UNSPECIFIED
0 Default event type.
PROCESS_UNCATEGORIZED
10000 Activity related to a process which does not match any other event types.
PROCESS_LAUNCH
10001 Process launch.
PROCESS_INJECTION
10002 Process injecting into another process.
PROCESS_PRIVILEGE_ESCALATION
10003 Process privilege escalation.
PROCESS_TERMINATION
10004 Process termination.
PROCESS_OPEN
10005 Process being opened.
PROCESS_MODULE_LOAD
10006 Process loading a module.
REGISTRY_UNCATEGORIZED
11000 Registry event which does not match any of the other event types.
REGISTRY_CREATION
11001 Registry creation.
REGISTRY_MODIFICATION
11002 Registry modification.
REGISTRY_DELETION
11003 Registry deletion.
SETTING_UNCATEGORIZED
12000 Settings-related event which does not match any of the other event types.
SETTING_CREATION
12001 Setting creation.
SETTING_MODIFICATION
12002 Setting modification.
SETTING_DELETION
12003 Setting deletion.
MUTEX_UNCATEGORIZED
13000 Any mutex event other than creation.
MUTEX_CREATION
13001 Mutex creation.
FILE_UNCATEGORIZED
14000 File event which does not match any of the other event types.
FILE_CREATION
14001 File created.
FILE_DELETION
14002 File deleted.
FILE_MODIFICATION
14003 File modified.
FILE_READ
14004 File read.
FILE_COPY
14005 File copied. Used for file copies, for example, to a thumb drive.
FILE_OPEN
14006 File opened.
FILE_MOVE
14007 File moved or renamed.
FILE_SYNC
14008 File synced (for example, Google Drive, Dropbox, backup).
USER_UNCATEGORIZED
15000 User activity which does not match any of the other event types.
USER_LOGIN
15001 User login.
USER_LOGOUT
15002 User logout.
USER_CREATION
15003 User creation.
USER_CHANGE_PASSWORD
15004 User password change event.
USER_CHANGE_PERMISSIONS
15005 Change in user permissions.
USER_STATS
15006 Deprecated. Used to update user info for an LDAP dump.
USER_BADGE_IN
15007 User physically badging into a location.
USER_DELETION
15008 User deletion.
USER_RESOURCE_CREATION
15009 User creating a virtual resource. This is equivalent to RESOURCE_CREATION.
USER_RESOURCE_UPDATE_CONTENT
15010 User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN.
USER_RESOURCE_UPDATE_PERMISSIONS
15011 User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
USER_COMMUNICATION
15012 User initiating communication through a medium (for example, video).
USER_RESOURCE_ACCESS
15013 User accessing a virtual resource. This is equivalent to RESOURCE_READ.
USER_RESOURCE_DELETION
15014 User deleting a virtual resource. This is equivalent to RESOURCE_DELETION.
GROUP_UNCATEGORIZED
23000 A group activity that does not fall into one of the other event types.
GROUP_CREATION
23001 A group creation.
GROUP_DELETION
23002 A group deletion.
GROUP_MODIFICATION
23003 A group modification.
EMAIL_UNCATEGORIZED
19000 Email messages.
EMAIL_TRANSACTION
19001 An email transaction.
EMAIL_URL_CLICK
19002 Deprecated: use NETWORK_HTTP instead. An email URL click event.
NETWORK_UNCATEGORIZED
16000 A network event that does not fit into one of the other event types.
NETWORK_FLOW
16001 Aggregated flow statistics, for example NetFlow.
NETWORK_CONNECTION
16002 Network connection details, for example from a firewall.
NETWORK_FTP
16003 FTP telemetry.
NETWORK_DHCP
16004 DHCP payload.
NETWORK_DNS
16005 DNS payload.
NETWORK_HTTP
16006 HTTP telemetry.
NETWORK_SMTP
16007 SMTP telemetry.
STATUS_UNCATEGORIZED
17000 A status message that does not fit into one of the other event types.
STATUS_HEARTBEAT
17001 Heartbeat indicating product is alive.
STATUS_STARTUP
17002 An agent startup.
STATUS_SHUTDOWN
17003 An agent shutdown.
STATUS_UPDATE
17004 A software or fingerprint update.
SCAN_UNCATEGORIZED
18000 Scan item that does not fit into one of the other event types.
SCAN_FILE
18001 A file scan.
SCAN_PROCESS_BEHAVIORS
18002 Scan process behaviors. Please use SCAN_PROCESS instead.
SCAN_PROCESS
18003 Scan process.
SCAN_HOST
18004 Scan results from scanning an entire host device for threats/sensitive documents.
SCAN_VULN_HOST
18005 Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan).
SCAN_VULN_NETWORK
18006 Vulnerability scan logs about network vulnerabilities.
SCAN_NETWORK
18007 Scan network for suspicious activity.
SCHEDULED_TASK_UNCATEGORIZED
20000 Scheduled task event that does not fall into one of the other event types.
SCHEDULED_TASK_CREATION
20001 Scheduled task creation.
SCHEDULED_TASK_DELETION
20002 Scheduled task deletion.
SCHEDULED_TASK_ENABLE
20003 Scheduled task being enabled.
SCHEDULED_TASK_DISABLE
20004 Scheduled task being disabled.
SCHEDULED_TASK_MODIFICATION
20005 Scheduled task being modified.
SYSTEM_AUDIT_LOG_UNCATEGORIZED
21000 A system audit log event that is not a wipe.
SYSTEM_AUDIT_LOG_WIPE
21001 A system audit log wipe.
SERVICE_UNSPECIFIED
22000 Service event that does not fit into one of the other event types.
SERVICE_CREATION
22001 A service creation.
SERVICE_DELETION
22002 A service deletion.
SERVICE_START
22003 A service start.
SERVICE_STOP
22004 A service stop.
SERVICE_MODIFICATION
22005 A service modification.
GENERIC_EVENT
100000 Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs.
RESOURCE_CREATION
1 The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION.
RESOURCE_DELETION
2 The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION.
RESOURCE_PERMISSIONS_CHANGE
3 The resource had its permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
RESOURCE_READ
4 The resource was read. This is equivalent to USER_RESOURCE_ACCESS.
RESOURCE_WRITTEN
5 The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
DEVICE_FIRMWARE_UPDATE
25000 Firmware update.
DEVICE_CONFIG_UPDATE
25001 Configuration update.
DEVICE_PROGRAM_UPLOAD
25002 A program or application uploaded to a device.
DEVICE_PROGRAM_DOWNLOAD
25003 A program or application downloaded to a device.
ANALYST_UPDATE_VERDICT
24000 Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding.
ANALYST_UPDATE_REPUTATION
24001 Analyst update about the Reputation (such as useful or not useful) of a finding.
ANALYST_UPDATE_SEVERITY_SCORE
24002 Analyst update about the Severity score (0-100) of a finding.
ANALYST_UPDATE_STATUS
24007 Analyst update about the finding status.
ANALYST_ADD_COMMENT
24008 Analyst addition of a comment for a finding.
ANALYST_UPDATE_PRIORITY
24009 Analyst update about the priority (such as low, medium, or high) for a finding.
ANALYST_UPDATE_ROOT_CAUSE
24010 Analyst update about the root cause for a finding.
ANALYST_UPDATE_REASON
24011 Analyst update about the reason (such as malicious or not malicious) for a finding.
ANALYST_UPDATE_RISK_SCORE
24012 Analyst update about the risk score (0-100) of a finding.

Network.ApplicationProtocol

A network application protocol.

Enum Value Enum Number Description
UNKNOWN_APPLICATION_PROTOCOL
0 The default application protocol.
AFP
1 Apple Filing Protocol.
APPC
2 Advanced Program-to-Program Communication.
AMQP
3 Advanced Message Queuing Protocol.
ATOM
4 Publishing Protocol.
BEEP
5 Block Extensible Exchange Protocol.
BITCOIN
6 Crypto currency protocol.
BIT_TORRENT
7 Peer-to-peer file sharing.
CFDP
8 Coherent File Distribution Protocol.
CIP
67 Common Industrial Protocol.
COAP
9 Constrained Application Protocol.
COTP
68 Connection Oriented Transport Protocol.
DCERPC
66 DCE/RPC.
DDS
10 Data Distribution Service.
DEVICE_NET
11 Automation industry protocol.
DHCP
4000 DHCP.
DICOM
69 Digital Imaging and Communications in Medicine Protocol.
DNP3
70 Distributed Network Protocol 3 (DNP3).
DNS
3000 DNS.
E_DONKEY
12 Classic file sharing protocol.
ENRP
13 Endpoint Handlespace Redundancy Protocol.
FAST_TRACK
14 Filesharing peer-to-peer protocol.
FINGER
15 User Information Protocol.
FREENET
16 Censorship resistant peer-to-peer network.
FTAM
17 File Transfer Access and Management.
GOOSE
71 GOOSE Protocol.
GOPHER
18 Gopher protocol.
GRPC
77 gRPC Remote Procedure Call.
HL7
19 Health Level Seven.
H323
20 Packet-based multimedia communications system.
HTTP
2000 HTTP.
HTTPS
2001 HTTPS.
IEC104
72 IEC 60870-5-104 (IEC 104) Protocol.
IRCP
21 Internet Relay Chat Protocol.
KADEMLIA
22 Peer-to-peer hashtables.
KRB5
65 Kerberos 5.
LDAP
23 Lightweight Directory Access Protocol.
LPD
24 Line Printer Daemon Protocol.
MIME
25 Multipurpose Internet Mail Extensions and Secure MIME.
MMS
73 Multimedia Messaging Service.
MODBUS
26 Serial communications protocol.
MQTT
27 Message Queuing Telemetry Transport.
NETCONF
28 Network Configuration.
NFS
29 Network File System.
NIS
30 Network Information Service.
NNTP
31 Network News Transfer Protocol.
NTCIP
32 National Transportation Communications for Intelligent Transportation System.
NTP
33 Network Time Protocol.
OSCAR
34 AOL Instant Messenger Protocol.
PNRP
35 Peer Name Resolution Protocol.
PTP
74 Precision Time Protocol.
QUIC
1000 QUIC.
RDP
36 Remote Desktop Protocol.
RELP
37 Reliable Event Logging Protocol.
RIP
38 Routing Information Protocol.
RLOGIN
39 Remote Login in UNIX Systems.
RPC
40 Remote Procedure Call.
RTMP
41 Real Time Messaging Protocol.
RTP
42 Real-time Transport Protocol.
RTPS
43 Real Time Publish Subscribe.
RTSP
44 Real Time Streaming Protocol.
SAP
45 Session Announcement Protocol.
SDP
46 Session Description Protocol.
SIP
47 Session Initiation Protocol.
SLP
48 Service Location Protocol.
SMB
49 Server Message Block.
SMTP
50 Simple Mail Transfer Protocol.
SNMP
75 Simple Network Management Protocol.
SNTP
51 Simple Network Time Protocol.
SSH
52 Secure Shell.
SSMS
53 Secure SMS Messaging Protocol.
STYX
54 Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
SV
76 Sampled Values Protocol.
TCAP
55 Transaction Capabilities Application Part.
TDS
56 Tabular Data Stream.
TOR
57 Anonymity network.
TSP
58 Time Stamp Protocol.
VTP
59 Virtual Terminal Protocol.
WHOIS
60 Remote Directory Access Protocol.
WEB_DAV
61 Web Distributed Authoring and Versioning.
X400
62 Message Handling Service Protocol.
X500
63 Directory Access Protocol (DAP).
XMPP
64 Extensible Messaging and Presence Protocol.

Network.Direction

A network traffic direction.

Enum Value Enum Number Description
UNKNOWN_DIRECTION
0 The default direction.
INBOUND
1 An inbound request.
OUTBOUND
2 An outbound request.
BROADCAST
3 A broadcast.

Network.IpProtocol

An IP protocol.

Enum Value Enum Number Description
UNKNOWN_IP_PROTOCOL
0 The default protocol.
ICMP
1 ICMP.
IGMP
2 IGMP.
TCP
6 TCP.
UDP
17 UDP.
IP6IN4
41 IPv6 Encapsulation.
GRE
47 Generic Routing Encapsulation.
ESP
50 Encapsulating Security Payload.
ICMP6
58 ICMPv6.
EIGRP
88 Enhanced Interior Gateway Routing Protocol.
ETHERIP
97 Ethernet-within-IP Encapsulation.
PIM
103 Protocol Independent Multicast.
VRRP
112 Virtual Router Redundancy Protocol.
SCTP
132 Stream Control Transmission Protocol.

Noun.Platform

Operating system platform.

Enum Value Enum Number Description
UNKNOWN_PLATFORM
0 Default value.
WINDOWS
1 Microsoft Windows.
MAC
2 macOS.
LINUX
3 Linux.
Google Cloud
4 Deprecated: see cloud.environment.
AWS
5 Deprecated: see cloud.environment.
AZURE
6 Deprecated: see cloud.environment.
IOS
7 IOS.
ANDROID
8 Android.
CHROME_OS
9 Chrome OS.

Permission.PermissionType

High level categorizations of permission type.

Enum Value Enum Number Description
UNKNOWN_PERMISSION_TYPE
0 Default permission type.
ADMIN_WRITE
1 Administrator write permission.
ADMIN_READ
2 Administrator read permission.
DATA_WRITE
3 Data resource access write permission.
DATA_READ
4 Data resource access read permission.

Priority

Priority that is assigned to a Case or Alert.

Enum Value Enum Number Description
PRIORITY_UNSPECIFIED
0 Default priority level.
PRIORITY_INFO
100 Informational priority.
PRIORITY_LOW
200 Low priority.
PRIORITY_MEDIUM
300 Medium priority.
PRIORITY_HIGH
400 High priority.
PRIORITY_CRITICAL
500 Critical priority.

Process.TokenElevationType

The elevation type of the process's token. See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type

Enum Value Enum Number Description
UNKNOWN
0 An undetermined token type.
TYPE_1
1 A full token with no privileges removed or groups disabled.
TYPE_2
2 An elevated token with no privileges removed or groups disabled. Used when running as administrator.
TYPE_3
3 A limited token with administrative privileges removed and administrative groups disabled.

Reason

Reason for closing an Alert or Case in the SOAR product.

Enum Value Enum Number Description
REASON_UNSPECIFIED
0 Default reason.
REASON_NOT_MALICIOUS
1 Case or Alert not malicious.
REASON_MALICIOUS
2 Case or Alert is malicious.
REASON_MAINTENANCE
3 Case or Alert is under maintenance.

Reputation

Categorization options for the usefulness of a Finding.

Enum Value Enum Number Description
REPUTATION_UNSPECIFIED
0 An unspecified reputation.
USEFUL
1 A categorization of the finding as useful.
NOT_USEFUL
2 A categorization of the finding as not useful.

Resource.ResourceType

Enum Value Enum Number Description
UNSPECIFIED
0 Default type.
MUTEX
1 Mutex.
TASK
2 Task.
PIPE
3 Named pipe.
DEVICE
4 Device.
FIREWALL_RULE
5 Firewall rule.
MAILBOX_FOLDER
6 Mailbox folder.
VPC_NETWORK
7 VPC Network.
VIRTUAL_MACHINE
8 Virtual machine.
STORAGE_BUCKET
9 Storage bucket.
STORAGE_OBJECT
10 Storage object.
DATABASE
11 Database.
TABLE
12 Data table.
CLOUD_PROJECT
13 Cloud project.
CLOUD_ORGANIZATION
14 Cloud organization.
SERVICE_ACCOUNT
15 Service account.
ACCESS_POLICY
16 Access policy.
CLUSTER
17 Cluster.
SETTING
18 Settings.
DATASET
19 Dataset.
BACKEND_SERVICE
20 Endpoints that receive traffic from a load balancer or proxy.
POD
21 Pod, which is a collection of containers. Often used in Kubernetes.
CONTAINER
22 Container.
FUNCTION
23 Cloud function.
RUNTIME
24 Runtime.
IP_ADDRESS
25 IP address.
DISK
26 Disk.
VOLUME
27 Volume.
IMAGE
28 Machine image.
SNAPSHOT
29 Snapshot.
REPOSITORY
30 Repository.
CREDENTIAL
31 Credential, e.g. access keys, ssh keys, tokens, certificates.
LOAD_BALANCER
32 Load balancer.
GATEWAY
33 Gateway.
SUBNET
34 Subnet.
USER
35 User.

Role.Type

Well-known system roles.

Enum Value Enum Number Description
TYPE_UNSPECIFIED
0 Default user role.
ADMINISTRATOR
1 Product administrator with elevated privileges.
SERVICE_ACCOUNT
2 System service account for automated privilege access.

SecurityResult.Action

Enum representing different possible actions taken by the product that created the event.

Enum Value Enum Number Description
UNKNOWN_ACTION
0 The default action.
ALLOW
1 Allowed.
BLOCK
2 Blocked.
ALLOW_WITH_MODIFICATION
3 Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded).
QUARANTINE
4 Put somewhere for later analysis (does NOT imply block).
FAIL
5 Failed (e.g. the event was allowed but failed).
CHALLENGE
6 Challenged (e.g. the user was challenged by a Captcha, 2FA).

SecurityResult.AlertState

The type of alerting set up for a security result.

Enum Value Enum Number Description
UNSPECIFIED
0 The security result type is not known.
NOT_ALERTING
1 The security result is not an alert.
ALERTING
2 The security result is an alert.

SecurityResult.Association.AssociationType

Represents different possible Association types. Can be threat or malware. Used to represent Mandiant threat intelligence.

Enum Value Enum Number Description
ASSOCIATION_TYPE_UNSPECIFIED
0 The default Association Type.
THREAT_ACTOR
1 Association type Threat actor.
MALWARE
2 Association type Malware.

SecurityResult.IoCStatsType

Type of IoCStat based on source.

Enum Value Enum Number Description
UNSPECIFIED_IOC_STATS_TYPE
0 IoCStat source is unidentified.
MANDIANT_SOURCES
1 IoCStat is from a Mandiant Source.
THIRD_PARTY_SOURCES
2 IoCStat is from a third-party source.
THREAT_INTELLIGENCE_IOC_STATS
3 IoCStat is from a threat intelligence feed.

SecurityResult.ProductConfidence

A level of confidence in the result.

Enum Value Enum Number Description
UNKNOWN_CONFIDENCE
0 The default confidence level.
LOW_CONFIDENCE
200 Low confidence.
MEDIUM_CONFIDENCE
300 Medium confidence.
HIGH_CONFIDENCE
400 High confidence.

SecurityResult.ProductPriority

A product priority level.

Enum Value Enum Number Description
UNKNOWN_PRIORITY
0 Default priority level.
LOW_PRIORITY
200 Low priority.
MEDIUM_PRIORITY
300 Medium priority.
HIGH_PRIORITY
400 High priority.

SecurityResult.ProductSeverity

Severity level as defined by the product.

Enum Value Enum Number Description
UNKNOWN_SEVERITY
0 The default severity level.
INFORMATIONAL
100 Info severity.
ERROR
150 An error.
NONE
101 No malicious result.
LOW
200 Low-severity malicious result.
MEDIUM
300 Medium-severity malicious result.
HIGH
400 High-severity malicious result.
CRITICAL
500 Critical-severity malicious result.

SecurityResult.SecurityCategory

SecurityCategory is used to standardize security categories across products, so that one event is not categorized as "malware" and another as a "virus".

Enum Value Enum Number Description
UNKNOWN_CATEGORY
0 The default category.
SOFTWARE_MALICIOUS
10000 Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS
10100 Below the conviction threshold; probably bad.
SOFTWARE_PUA
10200 Potentially Unwanted App (such as adware).
NETWORK_MALICIOUS
20000 Includes C&C or network exploit.
NETWORK_SUSPICIOUS
20100 Suspicious activity, such as potential reverse tunnel.
NETWORK_CATEGORIZED_CONTENT
20200 Non-security related: URL has category like gambling or porn.
NETWORK_DENIAL_OF_SERVICE
20300 DoS, DDoS.
NETWORK_RECON
20400 Port scan detected by an IDS, probing of web app.
NETWORK_COMMAND_AND_CONTROL
20500 If we know this is a C&C channel.
ACL_VIOLATION
30000 Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION
40000 Authentication failed (e.g. bad password or bad 2-factor authentication).
EXPLOIT
50000 Exploit: for all manner of exploits, including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. Covers both network-based and host-based exploits.
DATA_EXFILTRATION
60000 DLP: Sensitive data transmission, copy to thumb drive.
DATA_AT_REST
60100 DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION
60200 Attempt to destroy/delete data.
TOR_EXIT_NODE
60300 TOR Exit Nodes.
MAIL_SPAM
70000 Spam email, message, etc.
MAIL_PHISHING
70100 Phishing email, chat messages, etc.
MAIL_SPOOFING
70200 Spoofed source email address, etc.
POLICY_VIOLATION
80000 Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
SOCIAL_ENGINEERING
90001 Threats which manipulate to break normal security procedures.
PHISHING
90002 Phishing pages, pop-ups, HTTPS phishing, etc.

SecurityResult.ThreatStatus

Vendor-specific information about the status of a threat (ITW).

Enum Value Enum Number Description
THREAT_STATUS_UNSPECIFIED
0 Default threat status.
ACTIVE
1 Active threat.
CLEARED
2 Cleared threat.
FALSE_POSITIVE
3 False positive.

SecurityResult.VerdictResponse

Represents different verdict types. Used to represent Mandiant threat intelligence.

Enum Value Enum Number Description
VERDICT_RESPONSE_UNSPECIFIED
0 The default verdict response type.
MALICIOUS
1 The VerdictResponse classified the threat as malicious.
BENIGN
2 The VerdictResponse classified the threat as benign.

SecurityResult.VerdictType

Category of the verdict.

Enum Value Enum Number Description
VERDICT_TYPE_UNSPECIFIED
0 Verdict category not specified.
PROVIDER_ML_VERDICT
1 MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.
ANALYST_VERDICT
2 Verdict provided by the human analyst. These fields are used to model Mandiant sources.

Status

Describes status of a Finding.

Enum Value Enum Number Description
STATUS_UNSPECIFIED
0 Unspecified finding status.
NEW
1 New finding.
REVIEWED
2 When a finding has feedback.
CLOSED
3 When an analyst closes a finding.
OPEN
4 Open. Used to indicate that a Case / Alert is open.

ThreatVerdict

GCTI threat verdict levels.

Enum Value Enum Number Description
THREAT_VERDICT_UNSPECIFIED
0 Unspecified threat verdict level.
UNDETECTED
1 Undetected threat verdict level.
SUSPICIOUS
2 Suspicious threat verdict level.
MALICIOUS
3 Malicious threat verdict level.

User.AccountType

User Account Type.

Enum Value Enum Number Description
ACCOUNT_TYPE_UNSPECIFIED
0 Default user account type.
DOMAIN_ACCOUNT_TYPE
1 A human account that is part of a domain in directory services.
LOCAL_ACCOUNT_TYPE
2 A local machine account.
CLOUD_ACCOUNT_TYPE
3 A SaaS service account type (such as Slack or GitHub).
SERVICE_ACCOUNT_TYPE
4 A non-human account for data access.
DEFAULT_ACCOUNT_TYPE
5 A built-in system default account.

User.Role

User system roles.

Enum Value Enum Number Description
UNKNOWN_ROLE
0 Default user role.
ADMINISTRATOR
1 Product administrator with elevated privileges.
SERVICE_ACCOUNT
2 System service account for automated privilege access. Deprecated: not a role, instead set User.account_type.

Verdict

Categorization options for the validity of a Finding (i.e. whether it reflects an actual security incident).

Enum Value Enum Number Description
VERDICT_UNSPECIFIED
0 An unspecified verdict.
TRUE_POSITIVE
1 A categorization of the finding as a "true positive".
FALSE_POSITIVE
2 A categorization of the finding as a "false positive".

Vulnerability.Severity

Severity of the vulnerability.

Enum Value Enum Number Description
UNKNOWN_SEVERITY
0 The default severity level.
LOW
1 Low severity.
MEDIUM
2 Medium severity.
HIGH
3 High severity.
CRITICAL
4 Critical severity.

Standard datatypes

Standard datatypes and the equivalent types in other languages.

Datatype: Notes; equivalent type in C++ / Java / Python / Go / C# / PHP / Ruby
double
  C++: double; Java: double; Python: float; Go: float64; C#: double; PHP: float; Ruby: Float
float
  C++: float; Java: float; Python: float; Go: float32; C#: float; PHP: float; Ruby: Float
int32
  Notes: Uses variable-length encoding. Inefficient for encoding negative numbers; if your field is likely to have negative values, use sint32 instead.
  C++: int32; Java: int; Python: int; Go: int32; C#: int; PHP: integer; Ruby: Bignum or Fixnum (as required)
int64
  Notes: Uses variable-length encoding. Inefficient for encoding negative numbers; if your field is likely to have negative values, use sint64 instead.
  C++: int64; Java: long; Python: int/long; Go: int64; C#: long; PHP: integer/string; Ruby: Bignum
uint32
  Notes: Uses variable-length encoding.
  C++: uint32; Java: int; Python: int/long; Go: uint32; C#: uint; PHP: integer; Ruby: Bignum or Fixnum (as required)
uint64
  Notes: Uses variable-length encoding.
  C++: uint64; Java: long; Python: int/long; Go: uint64; C#: ulong; PHP: integer/string; Ruby: Bignum or Fixnum (as required)
sint32
  Notes: Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.
  C++: int32; Java: int; Python: int; Go: int32; C#: int; PHP: integer; Ruby: Bignum or Fixnum (as required)
sint64
  Notes: Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.
  C++: int64; Java: long; Python: int/long; Go: int64; C#: long; PHP: integer/string; Ruby: Bignum
fixed32
  Notes: Always four bytes. More efficient than uint32 if values are often greater than 2^28.
  C++: uint32; Java: int; Python: int; Go: uint32; C#: uint; PHP: integer; Ruby: Bignum or Fixnum (as required)
fixed64
  Notes: Always eight bytes. More efficient than uint64 if values are often greater than 2^56.
  C++: uint64; Java: long; Python: int/long; Go: uint64; C#: ulong; PHP: integer/string; Ruby: Bignum
sfixed32
  Notes: Always four bytes.
  C++: int32; Java: int; Python: int; Go: int32; C#: int; PHP: integer; Ruby: Bignum or Fixnum (as required)
sfixed64
  Notes: Always eight bytes.
  C++: int64; Java: long; Python: int/long; Go: int64; C#: long; PHP: integer/string; Ruby: Bignum
bool
  C++: bool; Java: boolean; Python: boolean; Go: bool; C#: bool; PHP: boolean; Ruby: TrueClass/FalseClass
string
  Notes: A string must always contain UTF-8 encoded or 7-bit ASCII text.
  C++: string; Java: String; Python: str/unicode; Go: string; C#: string; PHP: string; Ruby: String (UTF-8)
bytes
  Notes: May contain any arbitrary sequence of bytes.
  C++: string; Java: ByteString; Python: str; Go: []byte; C#: ByteString; PHP: string; Ruby: String (ASCII-8BIT)