Field Name,Type,Description
metadata,EntityMetadata,"Entity metadata such as timestamp, product, etc."
entity,Noun,Noun in the UDM event that this entity represents.
relations,Relation,"One or more relationships between the entity (a) and other entities, including the relationship type and related entity."
additional,google.protobuf.Struct,"Important entity data that cannot be adequately represented within the formal sections of the Entity."
risk_score,EntityRisk,Stores information related to the entity's risk score.
metric,Metric,"Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC."
product_entity_id,string,"A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar)."
collected_timestamp,google.protobuf.Timestamp,"GMT timestamp when the entity information was collected by the vendor's local collection infrastructure."
creation_timestamp,google.protobuf.Timestamp,"GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected."
interval,google.type.Interval,"Valid existence time range for the version of the entity represented by this entity data."
vendor_name,string,Vendor name of the product that produced the entity information.
product_name,string,Product name that produced the entity information.
feed,string,Vendor feed name for a threat indicator feed.
product_version,string,Version of the product that produced the entity information.
entity_type,EntityMetadata.EntityType (Enumerated list),"Entity type. If an entity has multiple possible types, this specifies the most specific type."
description,string,Human-readable description of the entity.
threat,SecurityResult,"Metadata provided by a threat intelligence feed that identified the entity as malicious."
source_type,EntityMetadata.SourceType (Enumerated list),The source of the entity.
source_labels,Label,Entity source metadata labels.
event_metadata,Metadata,Metadata field from the event.
risk_version,string,Version of the risk score calculation algorithm.
risk_window,google.type.Interval,"Time window used when computing the risk score for an entity, for example 24 hours or 7 days."
DEPRECATED_risk_score,int32,Deprecated risk score.
risk_delta,RiskDelta,"Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window."
detections_count,int32,Number of detections that make up the risk score within the time window.
first_detection_time,google.protobuf.Timestamp,"Timestamp of the first detection within the specified time window. This field is empty when there are no detections."
last_detection_time,google.protobuf.Timestamp,"Timestamp of the last detection within the specified time window. This field is empty when there are no detections."
risk_score,float,Raw risk score for the entity.
normalized_risk_score,int32,Normalized risk score for the entity. This value is between 0-1000.
risk_window_size,Int64,Risk window duration for the Entity.
raw_risk_delta,RiskDelta,"Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window."
first_seen,google.protobuf.Timestamp,Timestamp of the first time the entity was seen in the environment.
last_seen,google.protobuf.Timestamp,Timestamp of the last time the entity was seen in the environment.
sum_measure,Metric.Measure,Sum of all precomputed measures for the given metric.
total_events,int64,Total number of events used to calculate the given precomputed metric.
metric_name,Metric.MetricName (Enumerated list),Name of the analytic.
dimensions,Metric.Dimension (Enumerated list),All group by clauses used to calculate the metric.
export_window,int64,Export window for which the metric was exported.
value,double,Value of the aggregated measure.
aggregate_function,Metric.AggregateFunction (Enumerated list),Function used to calculate the aggregated measure.
entity,Noun,Entity (b) that the primary entity (a) is related to.
entity_type,EntityMetadata.EntityType (Enumerated list),Type of the related entity (b) in this relationship.
relationship,Relation.Relationship (Enumerated list),Type of relationship.
direction,Relation.Directionality (Enumerated list),"Directionality of relationship between primary entity (a) and the related entity (b)."
uid,bytes,UID of the relationship.
entity_label,Relation.EntityLabel (Enumerated list),Label to identify the Noun of the relation.
previous_range_end_time,google.protobuf.Timestamp,End time of the previous time window.
risk_score_delta,int32,Difference in the normalized risk score from the previous recorded value.
previous_risk_score,int32,Risk score from the previous risk window.
risk_score_numeric_delta,int32,Numeric change between the current and previous risk score.
metadata,Metadata,"Event metadata such as timestamp, source product, etc."
additional,google.protobuf.Struct,"Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model."
principal,Noun,"Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys, or values."
src,Noun,"Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event."
target,Noun,"Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target."
intermediary,Noun,"Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C)."
observer,Noun,"Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question."
about,Noun,"Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event."
security_result,SecurityResult,A list of security results.
network,Network,"All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP)."
extensions,Extensions,"All other first-class, event-specific metadata goes in this message. Don't place protocol metadata in Extensions; put it in Network."
auth,Authentication,An authentication extension.
vulns,Vulnerabilities,A vulnerability extension.
id,bytes,ID of the UDM event. Can be used for raw and normalized event retrieval.
product_log_id,string,"A vendor-specific event identifier to uniquely identify the event (for example: a GUID)."
event_timestamp,google.protobuf.Timestamp,The GMT timestamp when the event was generated.
collected_timestamp,google.protobuf.Timestamp,"The GMT timestamp when the event was collected by the vendor's local collection infrastructure."
ingested_timestamp,google.protobuf.Timestamp,The GMT timestamp when the event was ingested (received) by Google Security Operations.
event_type,Metadata.EventType,"The event type. If an event has multiple possible types, this specifies the most specific type."
vendor_name,string,The name of the product vendor.
product_name,string,The name of the product.
product_version,string,The version of the product.
product_event_type,string,"A short, descriptive, human-readable, product-specific event name or type (for example: ""Scanned X"", ""User account created"", ""process_start"")."
product_deployment_id,string,The deployment identifier assigned by the vendor for a product deployment.
description,string,A human-readable unparsable description of the event.
url_back_to_product,string,A URL that takes the user to the source product console for this event.
ingestion_labels,Label,User-configured ingestion metadata labels.
tags,Tags,"Tags added by Google Security Operations after an event is parsed. It is an error to populate this field from within a parser."
enrichment_state,Metadata.EnrichmentState,The enrichment state.
log_type,string,The string value of log type.
base_labels,DataAccessLabels,Data access labels on the base event.
enrichment_labels,DataAccessLabels,"Data access labels from all the contextual events used to enrich the base event."
sent_bytes,uint64,The number of bytes sent.
received_bytes,uint64,The number of bytes received.
sent_packets,int64,The number of packets sent.
received_packets,int64,The number of packets received.
session_duration,Int64,"The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer."
session_id,string,The ID of the network session.
parent_session_id,string,The ID of the parent network session.
application_protocol_version,string,"The version of the application protocol, e.g. ""1.1, 2.0""."
community_id,string,Community ID network flow value.
direction,Network.Direction,The direction of network traffic.
ip_protocol,Network.IpProtocol,The IP protocol.
application_protocol,Network.ApplicationProtocol,The application protocol.
ftp,Ftp,FTP info.
email,Email,Email info for the sender/recipient.
dns,Dns,DNS info.
dhcp,Dhcp,DHCP info.
http,Http,HTTP info.
tls,Tls,TLS info.
smtp,Smtp,"SMTP info. Store fields specific to SMTP not covered by Email."
asn,string,Autonomous system number.
dns_domain,string,DNS domain name.
carrier_name,string,Carrier identification.
organization_name,string,Organization name (e.g. Google).
ip_subnet_range,string,Associated human-readable IP subnet range (e.g. 10.1.2.0/24).
hostname,string,"Client hostname or domain name field. Hostname also doubles as the domain for remote entities."
domain,Domain,Information about the domain.
artifact,Artifact,Information about an artifact.
url_metadata,URL,Information about the URL.
asset_id,string,The asset ID.
user,User,Information about the user.
user_management_chain,User,"Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery."
group,Group,Information about the group.
process,Process,Information about the process.
process_ancestors,Process,"Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery."
asset,Asset,Information about the asset.
ip,string,A list of IP addresses associated with a network connection.
nat_ip,string,A list of NAT translated IP addresses associated with a network connection.
port,int32,"Source or destination network port number when a specific network connection is described within an event."
nat_port,int32,"NAT external network port number when a specific network connection is described within an event."
mac,string,List of MAC addresses associated with a device.
administrative_domain,string,"Domain which the device belongs to (for example, the Microsoft Windows domain)."
namespace,string,"Namespace which the device belongs to, such as ""AD forest"". Uses for this field include the Microsoft Windows AD forest, the name of a subsidiary, or the name of an acquisition."
URL,string,The URL.
file,File,Information about the file.
email,string,"Email address. Only filled in for security_result.about."
registry,Registry,Registry information.
application,string,"The name of an application or service. Some SSO solutions only capture the name of a target application such as ""Atlassian"" or ""Google""."
platform,Noun.Platform,Platform.
platform_version,string,"Platform version. For example, ""Microsoft Windows 1803""."
platform_patch_level,string,"Platform patch level. For example, ""Build 17134.48""."
cloud,Cloud,"Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud)."
location,Location,"Physical location. For cloud environments, set the region in location.name."
ip_location,Location,Deprecated: use ip_geo_artifact.location instead.
ip_geo_artifact,Artifact,"Enriched geographic information corresponding to an IP address. Specifically, location and network data."
resource,Resource,"Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun."
resource_ancestors,Resource,"Information about the resource's ancestors ordered from immediate ancestor (starting with the parent resource)."
labels,Label,"Labels are key-value pairs. For example: key = ""env"", value = ""prod"". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels)."
object_reference,Id,Finding for which the analyst updated the feedback.
investigation,Investigation,Analyst feedback/investigation for alerts.
network,Network,"Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP)."
security_result,SecurityResult,A list of security results.
about,Noun,"If the security result is about a specific entity (Noun), add it here."
category,SecurityResult.SecurityCategory,The security category.
category_details,string,"For vendor-specific categories. For web categorization, put the type in here, such as ""gambling"" or ""porn""."
threat_name,string,"A vendor-assigned classification common across multiple customers (e.g. ""W32/File-A"", ""Slammer"")."
rule_set,string,"The result's rule set identifier (e.g. ""windows-threats"")."
rule_set_display_name,string,The curated detections rule set display name.
ruleset_category_display_name,string,"The curated detection rule set category display name (for example, if rule_set_display_name is ""CDIR SCC Enhanced Exfiltration"", the rule_set_category is ""Cloud Threats"")."
rule_id,string,"A vendor-specific ID and name for a rule, varying by observer type (e.g. ""08123"", ""5d2b44d0-5ef6-40f5-a704-47d61d3babbe"")."
rule_name,string,"Name of the security rule (e.g. ""BlockInboundToOracle"")."
rule_version,string,"Version of the security rule (e.g. ""v1.1"", ""00001"", ""1604709794"", ""2020-11-16T23:04:19+00:00""). Note that rule versions are source-dependent and lexical ordering should not be assumed."
rule_type,string,The type of security rule.
rule_author,string,Author of the security rule.
rule_labels,Label,"A list of rule labels that can't be captured by the other fields in security result (e.g. ""reference : AnotherRule"", ""contributor : John"")."
alert_state,SecurityResult.AlertState,The alerting types of this security result.
detection_fields,Label,"An ordered list of values that represent fields in detections for a security finding. This list represents a mapping of names of requested entities to their values (i.e. the security result matched variables)."
outcomes,Label,"A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes to their values."
summary,string,"A human-readable summary (e.g. ""failed login occurred"")."
description,string,"A human-readable description (e.g. ""user password was wrong"")."
action,SecurityResult.Action,Actions taken for this event.
action_details,string,The detail of the action taken as provided by the vendor.
severity,SecurityResult.ProductSeverity,The severity of the result.
confidence,SecurityResult.ProductConfidence,The confidence level of the result as estimated by the product.
priority,SecurityResult.ProductPriority,The priority of the result.
risk_score,float,The risk score of the security result.
confidence_score,float,The confidence score of the security result.
analytics_metadata,AnalyticsMetadata,Stores metadata about each risk analytic metric the rule uses.
severity_details,string,Vendor-specific severity.
confidence_details,string,"Additional detail with regards to the confidence of a security event as estimated by the product vendor."
priority_details,string,Vendor-specific information about the security result priority.
url_back_to_product,string,URL that takes the user to the source product console for this event.
threat_id,string,Vendor-specific ID for a threat.
threat_feed_name,string,Vendor feed name for a threat indicator feed.
threat_id_namespace,Id.Namespace,"The attribute threat_id_namespace qualifies threat_id with an ID namespace to get a unique ID. The attribute threat_id by itself is not unique across Google SecOps as it is a vendor-specific ID."
threat_status,SecurityResult.ThreatStatus,Current status of the threat.
attack_details,AttackDetails,MITRE ATT&CK details.
first_discovered_time,google.protobuf.Timestamp,First time the IoC threat was discovered in the provider.
associations,SecurityResult.Association,Associations related to the threat.
campaigns,string,Campaigns using this IoC threat.
verdict,SecurityResult.Verdict,"Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead."
last_updated_time,google.protobuf.Timestamp,Last time the IoC threat was updated in the provider.
verdict_info,SecurityResult.VerdictInfo,Verdict information about the IoC from the provider.
threat_verdict,ThreatVerdict,GCTI threat verdict on the security result entity.
last_discovered_time,google.protobuf.Timestamp,Last time the IoC was seen in the provider data.
analytic,string,Name of the analytic.
ip,string,IP address of the artifact.
prevalence,Prevalence,The prevalence of the artifact within the customer's environment.
first_seen_time,google.protobuf.Timestamp,First seen timestamp of the IP in the customer's environment.
last_seen_time,google.protobuf.Timestamp,Last seen timestamp of the IP address in the customer's environment.
location,Location,Location of the Artifact's IP address.
network,Network,Network information related to the Artifact's IP address.
as_owner,string,Owner of the Autonomous System to which the IP address belongs.
asn,int64,Autonomous System Number to which the IP address belongs.
jarm,string,"The JARM hash for the IP address (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a)."
last_https_certificate,SSLCertificate,SSL certificate information about the IP address.
last_https_certificate_date,google.protobuf.Timestamp,Most recent date for the certificate in VirusTotal.
regional_internet_registry,string,"RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC)."
tags,string,Identification attributes.
whois,string,WHOIS information as returned from the pertinent WHOIS server.
whois_date,google.protobuf.Timestamp,Date of the last update of the WHOIS record in VirusTotal.
product_object_id,string,"A vendor-specific identifier to uniquely identify the entity (a GUID or similar)."
hostname,string,Asset hostname or domain name field.
asset_id,string,"The asset ID. Value must contain the ':' character. For example, cs:abcdd23434."
ip,string,A list of IP addresses associated with an asset.
mac,string,List of MAC addresses associated with an asset.
nat_ip,string,List of NAT IP addresses associated with an asset.
first_seen_time,google.protobuf.Timestamp,"The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed."
hardware,Hardware,The asset hardware specifications.
platform_software,PlatformSoftware,The asset operating system platform software.
software,Software,The asset software details.
location,Location,Location of the asset.
category,string,"The category of the asset (e.g. ""End User Asset"", ""Workstation"", ""Server"")."
type,Asset.AssetType,The type of the asset (e.g. workstation or laptop or server).
network_domain,string,"The network domain of the asset (e.g. ""corp.acme.com"")."
creation_time,google.protobuf.Timestamp,"Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata."
first_discover_time,google.protobuf.Timestamp,"Time the asset was first discovered (by asset management/discoverability software)."
last_discover_time,google.protobuf.Timestamp,"Time the asset was last discovered (by asset management/discoverability software)."
system_last_update_time,google.protobuf.Timestamp,"Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time."
last_boot_time,google.protobuf.Timestamp,Time the asset was last booted.
labels,Label,"Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata."
deployment_status,Asset.DeploymentStatus,The deployment status of the asset for device lifecycle purposes.
vulnerabilities,Vulnerability,Vulnerabilities discovered on the asset.
attribute,Attribute,Generic entity metadata attributes of the asset.
version,string,ATT&CK version (e.g. 12.1).
tactics,AttackDetails.Tactic,Tactics employed.
techniques,AttackDetails.Technique,Techniques employed.
id,string,"Tactic ID (e.g. ""TA0043"")."
name,string,"Tactic name (e.g. ""Reconnaissance"")."
id,string,"Technique ID (e.g. ""T1595"")."
name,string,"Technique name (e.g. ""Active Scanning"")."
subtechnique_id,string,"Subtechnique ID (e.g. ""T1595.001"")."
subtechnique_name,string,"Subtechnique name (e.g. ""Scanning IP Blocks"")."
cloud,Cloud,"Cloud metadata attributes such as project ID, account ID, or organizational hierarchy."
labels,Label,"Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings."
permissions,Permission,"System permissions for an IAM entity (human principal, service account, group)."
roles,Role,"System IAM roles to be assumed by resources to use the role's permissions for access control."
creation_time,google.protobuf.Timestamp,Time the resource or entity was created or provisioned.
last_update_time,google.protobuf.Timestamp,Time the resource or entity was last updated.
type,Authentication.AuthType,The type of authentication.
mechanism,Authentication.Mechanism,The authentication mechanism.
auth_details,string,The vendor-defined details of the authentication.
version,string,Certificate version. | |
serial,string,Certificate serial number. | |
subject,string,Subject of the certificate. | |
issuer,string,Issuer of the certificate. | |
md5,string,"The MD5 hash of the certificate, as a hex-encoded string." | |
sha1,string,"The SHA1 hash of the certificate, as a hex-encoded string." | |
sha256,string,"The SHA256 hash of the certificate, as a hex-encoded string." | |
not_before,google.protobuf.Timestamp,Indicates when the certificate is first valid. | |
not_after,google.protobuf.Timestamp,Indicates when the certificate is no longer valid. | |
environment,Cloud.CloudEnvironment,The Cloud environment. | |
vpc,Resource,"The cloud environment VPC. | |
Deprecated." | |
project,Resource,"The cloud environment project information. | |
Deprecated: Use Resource.resource_ancestors" | |
availability_zone,string,"The cloud environment availability zone (different from region which is | |
location.name)." | |
type,string,Type. | |
value,string,Value. | |
ttl,Int64,Time to live. | |
priority,int64,Priority. | |
retry,int64,Retry. | |
refresh,Int64,Refresh. | |
minimum,Int64,Minimum. | |
expire,Int64,Expire. | |
serial,int64,Serial. | |
rname,string,Rname. | |
opcode,Dhcp.OpCode,The BOOTP op code. | |
htype,uint32,Hardware address type. | |
hlen,uint32,Hardware address length. | |
hops,uint32,Hardware ops. | |
transaction_id,uint32,Transaction ID. | |
seconds,uint32,Seconds elapsed since client began address acquisition/renewal process. | |
flags,uint32,Flags. | |
ciaddr,string,Client IP address (ciaddr). | |
yiaddr,string,Your IP address (yiaddr). | |
siaddr,string,IP address of the next bootstrap server. | |
giaddr,string,Relay agent IP address (giaddr). | |
chaddr,string,Client hardware address (chaddr). | |
sname,string,Server name that the client wishes to boot from. | |
file,string,Boot image filename. | |
options,Dhcp.Option,List of DHCP options. | |
type,Dhcp.MessageType,DHCP message type. | |
lease_time_seconds,uint32,"Lease time in seconds. See RFC2132, section 9.2." | |
client_hostname,string,"Client hostname. See RFC2132, section 3.14." | |
client_identifier,bytes,"Client identifier. See RFC2132, section 9.14." | |
requested_address,string,"Requested IP address. See RFC2132, section 9.1." | |
code,uint32,Code. See RFC1533. | |
data,bytes,Data. | |
id,uint32,DNS query id. | |
response,bool,Set to true if the event is a DNS response. See QR field from RFC1035. | |
opcode,uint32,"The DNS OpCode used to specify the type of DNS query | |
(for example, QUERY, IQUERY, or STATUS)." | |
authoritative,bool,"Other DNS header flags. See RFC1035, section 4.1.1." | |
truncated,bool,Whether the DNS response was truncated. | |
recursion_desired,bool,Whether a recursive DNS lookup is desired. | |
recursion_available,bool,Whether a recursive DNS lookup is available. | |
response_code,uint32,Response code. See RCODE from RFC1035. | |
questions,Dns.Question,A list of domain protocol message questions. | |
answers,Dns.ResourceRecord,A list of answers to the domain name query. | |
authority,Dns.ResourceRecord,"A list of domain name servers which verified the answers to the domain name | |
queries." | |
additional,Dns.ResourceRecord,"A list of additional domain name servers that can be used to verify the | |
answer to the domain." | |
name,string,The domain name. | |
type,uint32,The code specifying the type of the query. | |
class,uint32,The code specifying the class of the query. | |
prevalence,Prevalence,The prevalence of the domain within the customer's environment. | |
name,string,The name of the owner of the resource record. | |
type,uint32,The code specifying the type of the resource record. | |
class,uint32,The code specifying the class of the resource record. | |
ttl,uint32,"The time interval for which the resource record can be cached before the | |
source of the information should again be queried." | |
data,string,"The payload or response to the DNS question for all responses encoded in | |
UTF-8 format" | |
binary_data,bytes,"The raw bytes of any non-UTF8 strings that might be included as part of a | |
DNS response." | |
name,string,The domain name. | |
prevalence,Prevalence,The prevalence of the domain within the customer's environment. | |
first_seen_time,google.protobuf.Timestamp,First seen timestamp of the domain in the customer's environment. | |
last_seen_time,google.protobuf.Timestamp,Last seen timestamp of the domain in the customer's environment. | |
registrar,string,"Registrar name . FOr example, ""Wild West Domains, Inc. (R120-LROR)"", | |
""GoDaddy.com, LLC"", or ""PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM""." | |
contact_email,string,Contact email address. | |
whois_server,string,Whois server name. | |
name_server,string,Repeated list of name servers. | |
creation_time,google.protobuf.Timestamp,Domain creation time. | |
update_time,google.protobuf.Timestamp,Last updated time. | |
expiration_time,google.protobuf.Timestamp,Expiration time. | |
audit_update_time,google.protobuf.Timestamp,Audit updated time. | |
status,string,"Domain status. See | |
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en | |
for meanings of possible values" | |
registrant,User,Parsed contact information for the registrant of the domain. | |
admin,User,Parsed contact information for the administrative contact for the domain. | |
tech,User,Parsed contact information for the technical contact for the domain | |
billing,User,Parsed contact information for the billing contact of the domain. | |
zone,User,Parsed contact information for the zone. | |
whois_record_raw_text,bytes,WHOIS raw text. | |
registry_data_raw_text,bytes,Registry Data raw text. | |
iana_registrar_id,int32,"IANA Registrar ID. See | |
https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml" | |
private_registration,bool,"Indicates whether the domain appears to be using a private registration | |
service to mask the owner's contact information." | |
categories,string,Categories assign to the domain as retrieved from VirusTotal. | |
favicon,Favicon,Includes difference hash and MD5 hash of the domain's favicon. | |
jarm,string,Domain's JARM hash. | |
last_dns_records,DNSRecord,Domain's DNS records from the last scan. | |
last_dns_records_time,google.protobuf.Timestamp,Date when the DNS records list was retrieved by VirusTotal. | |
last_https_certificate,SSLCertificate,SSL certificate object retrieved last time the domain was analyzed. | |
last_https_certificate_time,google.protobuf.Timestamp,When the certificate was retrieved by VirusTotal. | |
popularity_ranks,PopularityRank,"Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, | |
etc" | |
tags,string,List of representative attributes. | |
whois_time,google.protobuf.Timestamp,Date of the last update of the WHOIS record. | |
from,string,The 'from' address. | |
reply_to,string,The 'reply to' address. | |
to,string,A list of 'to' addresses. | |
cc,string,A list of 'cc' addresses. | |
bcc,string,A list of 'bcc' addresses. | |
mail_id,string,The mail (or message) ID. | |
subject,string,The subject line(s) of the email. | |
bounce_address,string,"The envelope from address. | |
https://en.wikipedia.org/wiki/Bounce_address" | |
raw_md5,string,Favicon's MD5 hash. | |
dhash,string,Difference hash. | |
sha256,string,"The SHA256 hash of the file, as a hex-encoded string." | |
md5,string,"The MD5 hash of the file, as a hex-encoded string." | |
sha1,string,"The SHA1 hash of the file, as a hex-encoded string." | |
size,uint64,The size of the file in bytes. | |
full_path,string,The full path identifying the location of the file on the system. | |
mime_type,string,"The MIME (Multipurpose Internet Mail Extensions) type of the file, | |
for example ""PE"", ""PDF"", or ""powershell script""." | |
file_metadata,FileMetadata,"Metadata associated with the file. | |
Deprecated: FileMetadata is deprecated in favor of using the fields in File." | |
security_result,SecurityResult,"Google Cloud Threat Intelligence (GCTI) security result for the file | |
including threat context and detection metadata." | |
pe_file,FileMetadataPE,Metadata about the Portable Executable (PE) file. | |
ssdeep,string,Ssdeep of the file. | |
vhash,string,Vhash of the file. | |
ahash,string,Deprecated. Use authentihash instead. | |
authentihash,string,Authentihash of the file. | |
file_type,File.FileType,FileType field. | |
capabilities_tags,string,Capabilities tags. | |
names,string,Names fields. | |
tags,string,Tags for the file. | |
last_modification_time,google.protobuf.Timestamp,Timestamp when the file was last updated. | |
prevalence,Prevalence,Prevalence of the file hash in the customer's environment. | |
first_seen_time,google.protobuf.Timestamp,Timestamp the file was first seen in the customer's environment. | |
last_seen_time,google.protobuf.Timestamp,Timestamp the file was last seen in the customer's environment. | |
stat_mode,uint64,"The mode of the file. A bit string indicating the permissions and | |
privileges of the file." | |
stat_inode,uint64,The file identifier. Unique identifier of object within a file system. | |
stat_dev,uint64,The file system identifier to which the object belongs. | |
stat_nlink,uint64,Number of links to file. | |
stat_flags,uint32,User defined flags for file. | |
last_analysis_time,google.protobuf.Timestamp,Timestamp the file was last analysed. | |
embedded_urls,string,Embedded URLs found in the file. | |
embedded_domains,string,Embedded domains found in the file. | |
embedded_ips,string,Embedded IP addresses found in the file. | |
exif_info,ExifInfo,Exif metadata from different file formats extracted by exiftool. | |
signature_info,SignatureInfo,File signature information extracted from different tools. | |
pdf_info,PDFInfo,Information about the PDF file structure. | |
first_submission_time,google.protobuf.Timestamp,First submission time of the file. | |
last_submission_time,google.protobuf.Timestamp,Last submission time of the file. | |
main_icon,Favicon,Icon's relevant hashes. | |
id,string,Code sign identifier. | |
format,string,Code sign format. | |
compilation_time,google.protobuf.Timestamp,Code sign timestamp. | |
imphash,string,Imphash of the file. | |
entry_point,int64,info.pe-entry-point. | |
entry_point_exiftool,int64,info.exiftool.EntryPoint. | |
compilation_time,google.protobuf.Timestamp,info.pe-timestamp. | |
compilation_exiftool_time,google.protobuf.Timestamp,info.exiftool.TimeStamp. | |
section,FileMetadataSection,FilemetadataSection fields. | |
imports,FileMetadataImports,FilemetadataImports fields. | |
resource,FileMetadataPeResourceInfo,FilemetadataPeResourceInfo fields. | |
resources_type_count,StringToInt64MapEntry,Deprecated: use resources_type_count_str. | |
resources_language_count,StringToInt64MapEntry,Deprecated: use resources_language_count_str. | |
resources_type_count_str,Label,"Number of resources by resource type. | |
Example: RT_ICON: 10, RT_DIALOG: 5" | |
resources_language_count_str,Label,"Number of resources by language. | |
Example: NEUTRAL: 20, ENGLISH US: 10" | |
signature_info,FileMetadataSignatureInfo,"FilemetadataSignatureInfo field. | |
Deprecated: use File.signature_info instead." | |
verification_message,string,"Status of the certificate. | |
Valid values are ""Signed"", ""Unsigned"" or a description of the certificate | |
anomaly, if found." | |
verified,bool,"True if verification_message == ""Signed""." | |
signer,string,Deprecated: use signers field. | |
signers,SignerInfo,"File metadata signer information. | |
The order of the signers matters. Each element is a higher level | |
authority, being the last the root authority." | |
x509,X509,List of certificates. | |
command,string,The FTP command. | |
product_object_id,string,"Product globally unique user object identifier, such as an LDAP Object | |
Identifier." | |
creation_time,google.protobuf.Timestamp,"Group creation time. | |
Deprecated: creation_time should be populated in Attribute as generic | |
metadata." | |
group_display_name,string,"Group display name. e.g. ""Finance""." | |
attribute,Attribute,Generic entity metadata attributes of the group. | |
email_addresses,string,Email addresses of the group. | |
windows_sid,string,Microsoft Windows SID of the group. | |
serial_number,string,Hardware serial number. | |
manufacturer,string,Hardware manufacturer. | |
model,string,Hardware model. | |
cpu_platform,string,"Platform of the hardware CPU (e.g. ""Intel Broadwell"")." | |
cpu_model,string,"Model description of the hardware CPU | |
(e.g. ""2.8 GHz Quad-Core Intel Core i5"")." | |
cpu_clock_speed,uint64,Clock speed of the hardware CPU in MHz. | |
cpu_max_clock_speed,uint64,Maximum possible clock speed of the hardware CPU in MHz. | |
cpu_number_cores,uint64,Number of CPU cores. | |
ram,uint64,Amount of the hardware random access memory (RAM) in Mb. | |
method,string,"The HTTP request method | |
(e.g. ""GET"", ""POST"", ""PATCH"", ""DELETE"")." | |
referral_url,string,The URL for the HTTP referer. | |
user_agent,string,"The User-Agent request header which includes the application type, | |
operating system, software vendor or software version of the requesting | |
software user agent." | |
response_code,int32,"The response status code, for example | |
200, 302, 404, or 500." | |
parsed_user_agent,,The parsed user_agent string. | |
verdict,Verdict,Describes reason a finding investigation was resolved. | |
reputation,Reputation,Describes whether a finding was useful or not-useful. | |
severity_score,uint32,Severity score for a finding set by an analyst. | |
status,Status,Describes the workflow status of a finding. | |
comments,string,Comment added by the Analyst. | |
priority,Priority,Priority of the Alert or Finding set by analyst. | |
root_cause,string,Root cause of the Alert or Finding set by analyst. | |
reason,Reason,Reason for closing the Case or Alert. | |
risk_score,uint32,Risk score for a finding set by an analyst. | |
key,string,The key. | |
value,string,The value. | |
rbac_enabled,bool,Indicates whether this label can be used for Data RBAC. | |
city,string,The city. | |
state,string,The state. | |
country_or_region,string,The country or region. | |
name,string,"Custom location name (e.g. building or site name like ""London Office""). | |
For cloud environments, this is the region (e.g. ""us-west2"")." | |
desk_name,string,"Desk name or individual location, typically for an employee in an | |
office. | |
(e.g. ""IN-BLR-BCPC-11-1121D"")." | |
floor_name,string,"Floor name, number or a combination of the two for a building. | |
(e.g. ""1-A"")." | |
region_latitude,float,Deprecated: use region_coordinates. | |
region_longitude,float,Deprecated: use region_coordinates. | |
region_coordinates,google.type.LatLng,"Coordinates for the associated region. | |
See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng | |
for a description of the fields." | |
js,int64,"Number of /JS tags found in the PDF file. Should be the same as | |
javascript field in normal scenarios." | |
javascript,int64,"Number of /JavaScript tags found in the PDF file. Should be the same as | |
the js field in normal scenarios." | |
launch_action_count,int64,Number of /Launch tags found in the PDF file. | |
object_stream_count,int64,Number of object streams. | |
endobj_count,int64,Number of object definitions (endobj keyword). | |
header,string,PDF version. | |
acroform,int64,Number of /AcroForm tags found in the PDF. | |
autoaction,int64,Number of /AA tags found in the PDF. | |
embedded_file,int64,Number of /EmbeddedFile tags found in the PDF. | |
encrypted,int64,"Whether the document is encrypted or not. This is defined by the /Encrypt | |
tag." | |
flash,int64,Number of /RichMedia tags found in the PDF. | |
jbig2_compression,int64,Number of /JBIG2Decode tags found in the PDF. | |
obj_count,int64,Number of object definitions (obj keyword). | |
endstream_count,int64,Number of defined stream objects (stream keyword). | |
page_count,int64,Number of pages in the PDF. | |
stream_count,int64,Number of defined stream objects (stream keyword). | |
openaction,int64,Number of /OpenAction tags found in the PDF. | |
startxref,int64,Number of startxref keywords in the PDF. | |
suspicious_colors,int64,Number of colors expressed with more than 3 bytes (CVE-2009-3459). | |
trailer,int64,Number of trailer keywords in the PDF. | |
xfa,int64,Number of /XFA tags found in the PDF. | |
xref,int64,Number of xref keywords in the PDF. | |
import_hash,string,Hash of PE imports. | |
name,string,Name of the permission (e.g. chronicle.analyst.updateRule). | |
description,string,Description of the permission (e.g. 'Ability to update detect rules'). | |
type,Permission.PermissionType,Type of the permission. | |
platform,Noun.Platform,The platform operating system. | |
platform_version,string,"The platform software version (e.g. ""Microsoft Windows 1803"")." | |
platform_patch_level,string,"The platform software patch level (e.g. ""Build 17134.48"", ""SP1"")." | |
giver,string,Name of the rank giver. | |
rank,int64,Rank position. | |
ingestion_time,google.protobuf.Timestamp,Timestamp when the rank was ingested. | |
rolling_max,int32,"The maximum number of assets per day accessing the resource over the | |
trailing day_count days." | |
day_count,int32,The number of days over which rolling_max is calculated. | |
rolling_max_sub_domains,int32,"The maximum number of assets per day accessing the domain along with | |
sub-domains over the trailing day_count days. This field is only valid for | |
domains." | |
day_max,int32,The max prevalence score in a day interval window. | |
day_max_sub_domains,int32,"The max prevalence score in a day interval window across sub-domains. This | |
field is only valid for domains." | |
pid,string,The process ID. | |
parent_pid,string,"The ID of the parent process. | |
Deprecated: use parent_process.pid instead." | |
parent_process,Process,Information about the parent process. | |
file,File,Information about the file in use by the process. | |
command_line,string,The command line command that created the process. | |
command_line_history,string,The command line history of the process. | |
product_specific_process_id,string,A product specific process id. | |
access_mask,uint64,A bit mask representing the level of access. | |
integrity_level_rid,uint64,The Microsoft Windows integrity level relative ID (RID) of the process. | |
token_elevation_type,Process.TokenElevationType,"The elevation type of the process on Microsoft Windows. This determines if | |
any privileges are removed when UAC is enabled." | |
product_specific_parent_process_id,string,"A product specific id for the parent process. | |
Please use parent_process.product_specific_process_id instead." | |
registry_key,string,"Registry key associated with an application or system component | |
(e.g., HKEY_, HKCU\Environment...)." | |
registry_value_name,string,"Name of the registry value associated with an application or system | |
component (e.g. TEMP)." | |
registry_value_data,string,"Data associated with a registry value | |
(e.g. %USERPROFILE%\Local Settings\Temp)." | |
type,string,Deprecated: use resource_type instead. | |
resource_type,Resource.ResourceType,Resource type. | |
resource_subtype,string,"Resource sub-type (e.g. ""BigQuery"", ""Bigtable"")." | |
id,string,Deprecated: Use resource.name or resource.product_object_id. | |
name,string,"The full name of the resource. For example, | |
Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, | |
and AWS: arn:aws:iam::123456789012:user/johndoe." | |
parent,string,"The parent of the resource. | |
For a database table, the parent is the database. For a storage object, | |
the bucket name. Deprecated: use resource_ancestors.name." | |
product_object_id,string,"A vendor-specific identifier to uniquely identify the entity (a GUID, | |
OID, or similar)." | |
attribute,Attribute,Generic entity metadata attributes of the resource. | |
name,string,System role name for user. | |
description,string,System role description for user. | |
type,Role.Type,System role type for well known roles. | |
cert_signature,SSLCertificate.CertSignature,Certificate's signature and algorithm. | |
extension,SSLCertificate.Extension,(DEPRECATED) certificate's extension. | |
cert_extensions,google.protobuf.Struct,Certificate's extensions. | |
first_seen_time,google.protobuf.Timestamp,Date the certificate was first retrieved by VirusTotal. | |
issuer,SSLCertificate.Subject,Certificate's issuer data. | |
ec,SSLCertificate.EC,EC public key information. | |
serial_number,string,Certificate's serial number hexdump. | |
signature_algorithm,string,"Algorithm used for the signature (for example, ""sha1RSA"")." | |
size,int64,Certificate content length. | |
subject,SSLCertificate.Subject,Certificate's subject data. | |
thumbprint,string,Certificate's content SHA1 hash. | |
thumbprint_sha256,string,Certificate's content SHA256 hash. | |
validity,SSLCertificate.Validity,Certificate's validity period. | |
version,string,"Certificate version (typically ""V1"", ""V2"" or ""V3"")." | |
keyid,string,Key hexdump. | |
serial_number,string,Serial number hexdump. | |
signature,string,Signature. | |
signature_algorithm,string,Algorithm. | |
p,string,p component hexdump. | |
q,string,q component hexdump. | |
g,string,g component hexdump. | |
pub,string,Public key hexdump. | |
oid,string,Curve name. | |
pub,string,Public key hexdump. | |
ca,bool,Whether the subject acts as a certificate authority (CA) or not. | |
subject_key_id,string,Identifies the public key being certified. | |
authority_key_id,SSLCertificate.AuthorityKeyId,"Identifies the public key to be used to verify the signature on this | |
certificate or CRL." | |
key_usage,string,The purpose for which the certified public key is used. | |
ca_info_access,string,"Authority information access locations are URLs that are added to a | |
certificate in its authority information access extension." | |
crl_distribution_points,string,"CRL distribution points to which a certificate user should refer to | |
ascertain if the certificate has been revoked." | |
extended_key_usage,string,"One or more purposes for which the certified public key may be used, in | |
addition to or in place of the basic purposes indicated in the key usage | |
extension field." | |
subject_alternative_name,string,"Contains one or more alternative names, using any of a variety of name | |
forms, for the entity that is bound by the CA to the certified public | |
key." | |
certificate_policies,string,"Different certificate policies will relate to different applications | |
which may use the certified key." | |
netscape_cert_comment,string,Used to include free-form text comments inside certificates. | |
cert_template_name_dc,string,"BMP data value ""DomainController"". See MS Q291010." | |
netscape_certificate,bool,"Identify whether the certificate subject is an SSL client, an SSL server, | |
or a CA." | |
pe_logotype,bool,Whether the certificate includes a logotype. | |
old_authority_key_id,bool,Whether the certificate has an old authority key identifier extension. | |
algorithm,string,"Any of ""RSA"", ""DSA"" or ""EC"". Indicates the algorithm used to generate the | |
certificate." | |
rsa,SSLCertificate.RSA,RSA public key information. | |
key_size,int64,Key size. | |
modulus,string,Key modulus hexdump. | |
exponent,string,Key exponent hexdump. | |
country_name,string,C: Country name. | |
common_name,string,CN: CommonName. | |
locality,string,L: Locality. | |
organization,string,O: Organization. | |
organizational_unit,string,OU: OrganizationalUnit. | |
state_or_province_name,string,ST: StateOrProvinceName. | |
expiry_time,google.protobuf.Timestamp,Expiry date. | |
issue_time,google.protobuf.Timestamp,Issue date. | |
confidence_score,int32,Confidence score of the verdict. | |
verdict_time,google.protobuf.Timestamp,Timestamp at which the verdict was generated. | |
verdict_response,SecurityResult.VerdictResponse,Details of the verdict. | |
id,string,Unique association id generated by Mandiant. | |
country_code,string,Country from which the threat actor/malware originated. | |
type,SecurityResult.Association.AssociationType,Signifies the type of association. | |
name,string,Name of the threat actor/malware. | |
description,string,Human readable description about the association. | |
role,string,Role of the malware. Not applicable for threat actor. | |
source_country,string,Name of the country the threat originated from. | |
alias,SecurityResult.Association.AssociationAlias,Different aliases of the threat actor given by different sources. | |
first_reference_time,google.protobuf.Timestamp,First time the threat actor was referenced or seen. | |
last_reference_time,google.protobuf.Timestamp,Last time the threat actor was referenced or seen. | |
industries_affected,string,List of industries the threat actor affects. | |
associated_actors,SecurityResult.Association,"List of associated threat actors for a malware. Not applicable for threat | |
actors." | |
region_code,Location,Name of the country the threat is originating from. | |
sponsor_region,Location,Sponsor region of the threat actor. | |
targeted_regions,Location,Targeted regions. | |
tags,string,Tags. | |
name,string,Name of the alias. | |
company,string,Name of the provider who gave the association's name. | |
ioc_stats_type,SecurityResult.IoCStatsType,Describes the source of the IoCStat. | |
first_level_source,string,"Name of the first-level IoC source, for example Mandiant or a third party." | |
second_level_source,string,"Name of the second-level IoC source, for example Crowdsourced Threat | |
Analysis or Knowledge Graph." | |
benign_count,int32,Count of responses where the IoC was identified as benign. | |
quality,SecurityResult.ProductConfidence,Level of confidence in the IoC mapping extracted from the source. | |
malicious_count,int32,Count of responses where the IoC was identified as malicious. | |
response_count,int32,Total number of responses from the source. | |
source_count,int32,Number of sources from which information was extracted. | |
source_provider,string,Source provider giving the ML verdict. | |
benign_count,int32,Count of responses where this IoC was marked benign. | |
malicious_count,int32,Count of responses where this IoC was marked malicious. | |
confidence_score,int32,Confidence score of the verdict. | |
mandiant_sources,SecurityResult.Source,List of Mandiant sources from which the verdict was generated. | |
third_party_sources,SecurityResult.Source,List of third-party sources from which the verdict was generated. | |
name,string,Name of the IoC source. | |
benign_count,int32,Count of responses where this IoC was marked benign. | |
malicious_count,int32,Count of responses where this IoC was marked malicious. | |
quality,SecurityResult.ProductConfidence,Quality of the IoC mapping extracted from the source. | |
response_count,int32,Total response count from this source. | |
source_count,int32,Number of sources from which intelligence was extracted. | |
threat_intelligence_sources,SecurityResult.Source,Different threat intelligence sources from which IoC info was extracted. | |
source_count,int32,Number of sources from which intelligence was extracted. | |
response_count,int32,Total response count across all sources. | |
neighbour_influence,string,Describes the neighbour influence of the verdict. | |
verdict,SecurityResult.ProviderMLVerdict,ML Verdict provided by sources like Mandiant. | |
analyst_verdict,SecurityResult.AnalystVerdict,Human analyst verdict provided by sources like Mandiant. | |
source_count,int32,Number of sources from which intelligence was extracted. | |
response_count,int32,Total response count across all sources. | |
neighbour_influence,string,Describes the near neighbor influence of the verdict. | |
verdict_type,SecurityResult.VerdictType,Type of verdict. | |
source_provider,string,Source provider giving the machine learning verdict. | |
benign_count,int32,Count of responses where this IoC was marked as benign. | |
malicious_count,int32,Count of responses where this IoC was marked as malicious. | |
confidence_score,int32,Confidence score of the verdict. | |
ioc_stats,SecurityResult.IoCStats,List of IoCStats from which the verdict was generated. | |
verdict_time,google.protobuf.Timestamp,Timestamp when the verdict was generated. | |
verdict_response,SecurityResult.VerdictResponse,Details about the verdict. | |
global_customer_count,int32,Global customer count over the last 30 days. | |
global_hits_count,int32,Global hit count over the last 30 days. | |
pwn,bool,"Whether one or more Mandiant incident response customers had this | |
indicator in their environment." | |
category_details,string,Tags related to the verdict. | |
pwn_first_tagged_time,google.protobuf.Timestamp,The timestamp of the first time a pwn was associated with this entity. | |
sigcheck,FileMetadataSignatureInfo,Signature information extracted from the sigcheck tool. | |
codesign,FileMetadataCodesign,Signature information extracted from the codesign utility. | |
name,string,"Common name of the signers/certificate. | |
The order of the signers matters. Each element is a higher level | |
authority, the last being the root authority." | |
status,string,"It can say ""Valid"" or state the problem with the certificate if any (e.g. | |
""This certificate or one of the certificates in the certificate chain is | |
not time valid."")." | |
valid_usage,string,"Indicates which situations the certificate is valid for (e.g. ""Code | |
Signing"")." | |
cert_issuer,string,Company that issued the certificate. | |
helo,string,The client's 'HELO'/'EHLO' string. | |
mail_from,string,The client's 'MAIL FROM' string. | |
rcpt_to,string,The client's 'RCPT TO' string(s). | |
server_response,string,The server's response(s) to the client. | |
message_path,string,The message's path (extracted from the headers). | |
is_webmail,bool,Whether the message was sent via a webmail client. | |
is_tls,bool,Whether the connection switched to TLS. | |
name,string,The name of the software. | |
version,string,The version of the software. | |
permissions,Permission,"System permissions granted to the software. | |
For example, ""android.permission.WRITE_EXTERNAL_STORAGE""" | |
description,string,The description of the software. | |
vendor_name,string,The name of the software vendor. | |
tenant_id,bytes,A list of subtenant ids that this event belongs to. | |
data_tap_config_name,string,A list of sink name values defined in DataTap configurations. | |
interval,google.type.Interval,Interval duration of the leave. | |
description,string,Description of the leave if available (e.g. 'Vacation'). | |
client,Tls.Client,Certificate information for the client certificate. | |
server,Tls.Server,Certificate information for the server certificate. | |
cipher,string,Cipher used during the connection. | |
curve,string,Elliptic curve used for a given cipher. | |
version,string,TLS version. | |
version_protocol,string,Protocol. | |
established,bool,Indicates whether the TLS negotiation was successful. | |
next_protocol,string,Protocol to be used for tunnel. | |
resumed,bool,"Indicates whether the TLS connection was resumed from a previous | |
TLS negotiation." | |
certificate,Certificate,Client certificate. | |
ja3,string,"JA3 hash from the TLS ClientHello, as a hex-encoded string." | |
server_name,string,Host name of the server that the client is connecting to. | |
supported_ciphers,string,Ciphers supported by the client during client hello. | |
certificate,Certificate,Server certificate. | |
ja3s,string,"JA3 hash from the TLS ServerHello, as a hex-encoded string." | |
tracker,string,Tracker name. | |
id,string,"Tracker ID, if available." | |
timestamp,google.protobuf.Timestamp,Tracker ingestion date. | |
URL,string,Tracker script URL. | |
URL,string,URL. | |
categories,string,Categorisation done by VirusTotal partners. | |
favicon,Favicon,Difference hash and MD5 hash of the URL's favicon. | |
html_meta,google.protobuf.Struct,Meta tags (only for URLs downloading HTML). | |
last_final_url,string,"If the original URL redirects, the URL where the redirect chain ends." | |
last_http_response_code,int32,HTTP response code of the last response. | |
last_http_response_content_length,int64,Length in bytes of the content received. | |
last_http_response_content_sha256,string,URL response body's SHA256 hash. | |
last_http_response_cookies,google.protobuf.Struct,Website's cookies. | |
last_http_response_headers,google.protobuf.Struct,Headers and values of the last HTTP response. | |
tags,string,Tags. | |
title,string,Webpage title. | |
trackers,Tracker,Trackers found in the URL in a historical manner. | |
product_object_id,string,"A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, | |
LDAP, OID, or similar)." | |
userid,string,The ID of the user. | |
user_display_name,string,"The display name of the user | |
(e.g. ""John Locke"")." | |
first_name,string,"First name of the user (e.g. ""John"")." | |
middle_name,string,Middle name of the user. | |
last_name,string,"Last name of the user (e.g. ""Locke"")." | |
phone_numbers,string,Phone numbers for the user. | |
personal_address,Location,Personal address of the user. | |
attribute,Attribute,Generic entity metadata attributes of the user. | |
first_seen_time,google.protobuf.Timestamp,"The first observed time for a user. | |
The value is calculated on the basis of the | |
first time the identifier was observed." | |
account_type,User.AccountType,"Type of user account (for example, service, domain, or cloud). This is | |
somewhat aligned to: https://attack.mitre.org/techniques/T1078/" | |
groupid,string,"The ID of the group that the user belongs to. | |
Deprecated in favor of the repeated group_identifiers field." | |
group_identifiers,string,"Product object identifiers of the group(s) the user belongs to. | |
A vendor-specific identifier to uniquely identify the group(s) the user | |
belongs to (a GUID, LDAP OID, or similar)." | |
windows_sid,string,The Microsoft Windows SID of the user. | |
email_addresses,string,Email addresses of the user. | |
employee_id,string,Human capital management identifier. | |
title,string,User job title. | |
company_name,string,User job company name. | |
department,string,User job department. | |
office_address,Location,User job office location. | |
managers,User,User job manager(s). | |
hire_date,google.protobuf.Timestamp,User job employment hire date. | |
termination_date,google.protobuf.Timestamp,User job employment termination date. | |
time_off,TimeOff,User time off leaves from active work. | |
last_login_time,google.protobuf.Timestamp,User last login timestamp. | |
last_password_change_time,google.protobuf.Timestamp,User last password change timestamp. | |
password_expiration_time,google.protobuf.Timestamp,User password expiration timestamp. | |
account_expiration_time,google.protobuf.Timestamp,User account expiration timestamp. | |
account_lockout_time,google.protobuf.Timestamp,User account lockout timestamp. | |
last_bad_password_attempt_time,google.protobuf.Timestamp,User last bad password attempt timestamp. | |
user_authentication_status,Authentication.AuthenticationStatus,System authentication status for user. | |
role_name,string,"System role name for user. | |
Deprecated: use attribute.roles." | |
role_description,string,"System role description for user. | |
Deprecated: use attribute.roles." | |
user_role,User.Role,"System role for user. | |
Deprecated: use attribute.roles." | |
vulnerabilities,Vulnerability,A list of vulnerabilities. | |
about,Noun,"If the vulnerability is about a specific noun (e.g. executable), | |
then add it here." | |
name,string,"Name of the vulnerability (e.g. ""Unsupported OS Version detected"")." | |
description,string,Description of the vulnerability. | |
vendor,string,Vendor of scan that discovered vulnerability. | |
scan_start_time,google.protobuf.Timestamp,"If the vulnerability was discovered during an asset scan, then this | |
field should be populated with the time the scan started. | |
This field can be left unset if the start time is not available or not | |
applicable." | |
scan_end_time,google.protobuf.Timestamp,"If the vulnerability was discovered during an asset scan, then this field | |
should be populated with the time the scan ended. | |
This field can be left unset if the end time is not available or not | |
applicable." | |
first_found,google.protobuf.Timestamp,"Products that maintain a history of vuln scans should populate first_found | |
with the time that a scan first detected the vulnerability on this asset." | |
last_found,google.protobuf.Timestamp,"Products that maintain a history of vuln scans should populate last_found | |
with the time that a scan last detected the vulnerability on this asset." | |
severity,Vulnerability.Severity,The severity of the vulnerability. | |
severity_details,string,Vendor-specific severity. | |
cvss_base_score,float,"CVSS Base Score in the range of 0.0 to 10.0. | |
Useful for sorting." | |
cvss_vector,string,"Vector of CVSS properties (e.g. ""AV:L/AC:H/Au:N/C:N/I:P/A:C""). | |
Can be linked to via: | |
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator" | |
cvss_version,string,Version of CVSS Vector/Score. | |
cve_id,string,"Common Vulnerabilities and Exposures Id. | |
https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures | |
https://cve.mitre.org/about/faqs.html#what_is_cve_id" | |
cve_description,string,"Common Vulnerabilities and Exposures Description. | |
https://cve.mitre.org/about/faqs.html#what_is_cve_record" | |
vendor_vulnerability_id,string,Vendor specific vulnerability id (e.g. Microsoft security bulletin id). | |
vendor_knowledge_base_article_id,string,"Vendor specific knowledge base article (e.g. ""KBXXXXXX"" from Microsoft). | |
https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base | |
https://access.redhat.com/knowledgebase" | |
name,string,Certificate name. | |
algorithm,string,Certificate algorithm. | |
thumbprint,string,Certificate thumbprint. | |
cert_issuer,string,Issuer of the certificate. | |
serial_number,string,Certificate serial number. | |