Spaces:

Galatea007
/

LLMopsDK

Paused

App Files Files Community

Galatea007 commited on Oct 9, 2024

Commit

e1ab91f

verified ·

1 Parent(s): ed7314a

Upload udm_field_list_v2.csv

Browse files

Files changed (1) hide show

udm_field_list_v2.csv +989 -0

udm_field_list_v2.csv ADDED Viewed

	@@ -0,0 +1,989 @@

+UDM_Field,Description
+metadata,"Entity metadata such as timestamp, product, etc."
+entity,Noun in the UDM event that this entity represents.
+relations,"One or more relationships between the entity (a) and other entities, including the relationship type and related entity."
+additional,"Important entity data that cannot be adequately represented within
+the formal sections of the Entity."
+risk_score,Stores information related to the entity's risk score.
+metric,"Stores statistical metrics about the entity. Used if metadata.entity_type
+is METRIC."
+product_entity_id,"A vendor-specific identifier that uniquely identifies the entity
+(e.g. a GUID, LDAP, OID, or similar)."
+collected_timestamp,"GMT timestamp when the entity information was collected by the vendor's
+local collection infrastructure."
+creation_timestamp,"GMT timestamp when the entity described by the product_entity_id was
+created on the system where data was collected."
+interval,"Valid existence time range for the version of the entity represented by
+this entity data."
+vendor_name,Vendor name of the product that produced the entity information.
+product_name,Product name that produced the entity information.
+feed,Vendor feed name for a threat indicator feed.
+product_version,Version of the product that produced the entity information.
+entity_type,"Entity type.
+If an entity has multiple possible types, this specifies the most specific
+type."
+description,Human-readable description of the entity.
+threat,"Metadata provided by a threat intelligence feed that identified the
+entity as malicious."
+source_type,The source of the entity.
+source_labels,Entity source metadata labels.
+event_metadata,Metadata field from the event.
+risk_version,Version of the risk score calculation algorithm.
+risk_window,"Time window used when computing the risk score for an entity, for
+example 24 hours or 7 days."
+DEPRECATED_risk_score,Deprecated risk score.
+risk_delta,"Represents the change in risk score for an entity between the end of the
+previous time window and the end of the current time window."
+detections_count,Number of detections that make up the risk score within the time window.
+first_detection_time,"Timestamp of the first detection within the specified time window.
+This field is empty when there are no detections."
+last_detection_time,"Timestamp of the last detection within the specified time window.
+This field is empty when there are no detections."
+risk_score,Raw risk score for the entity.
+normalized_risk_score,Normalized risk score for the entity. This value is between 0-1000.
+risk_window_size,Risk window duration for the Entity.
+raw_risk_delta,"Represents the change in raw risk score for an entity between the end of
+the previous time window and the end of the current time window."
+first_seen,Timestamp of the first time the entity was seen in the environment.
+last_seen,Timestamp of the last time the entity was seen in the environment.
+sum_measure,Sum of all precomputed measures for the given metric.
+total_events,Total number of events used to calculate the given precomputed metric.
+metric_name,Name of the analytic.
+dimensions,All group by clauses used to calculate the metric.
+export_window,Export window for which the metric was exported.
+value,Value of the aggregated measure.
+aggregate_function,Function used to calculate the aggregated measure.
+entity,Entity (b) that the primary entity (a) is related to.
+entity_type,Type of the related entity (b) in this relationship.
+relationship,Type of relationship.
+direction,"Directionality of relationship between primary entity (a) and the
+related entity (b)."
+uid,UID of the relationship.
+entity_label,Label to identify the Noun of the relation.
+previous_range_end_time,End time of the previous time window.
+risk_score_delta,Difference in the normalized risk score from the previous recorded value.
+previous_risk_score,Risk score from previous risk window
+risk_score_numeric_delta,Numeric change between current and previous risk score
+metadata,"Event metadata such as timestamp, source product, etc."
+additional,"Any important vendor-specific event data that cannot be adequately
+represented within the formal sections of the UDM model."
+principal,"Represents the acting entity that originates the activity
+described in the event. The principal must include at least one machine
+detail (hostname, MACs, IPs, port, product-specific identifiers like an
+EDR asset ID) or user detail (for example, username), and optionally
+include process details. It must NOT include any of the following fields:
+email, files, registry keys, or values."
+src,"Represents a source entity being acted upon by the participant along with
+the device or process context for the source object (the machine where the
+source object resides). For example, if user U copies file A on machine X
+to file B on machine Y, both file A and machine X would be specified in the
+src portion of the UDM event."
+target,"Represents a target entity being referenced by the event or an object on
+the target entity. For example, in a firewall connection from device A to
+device B, A is described as the principal and B is described as the target.
+For a process injection by process C into target process D, process C is
+described as the principal and process D is described as the target."
+intermediary,"Represents details on one or more intermediate entities processing activity
+described in the event. This includes device details about a proxy server
+or SMTP relay server. If an active event (that has a principal and
+possibly target) passes through any intermediaries, they're added here.
+Intermediaries can impact the overall action, for example blocking or
+modifying an ongoing request.  A rule of thumb here is that 'principal',
+'target', and description of the initial action should be the same
+regardless of the intermediary or its action.  A successful network
+connection from A->B should look the same in principal/target/intermediary
+as one blocked by firewall C: principal: A, target: B (intermediary: C)."
+observer,"Represents an observer entity (for example, a packet sniffer or
+network-based vulnerability scanner), which is not a direct intermediary,
+but which observes and reports on the event in question."
+about,"Represents entities referenced by the event that are not otherwise
+described in principal, src, target, intermediary or observer. For example,
+it could be used to track email file attachments, domains/URLs/IPs embedded
+within an email body, and DLLs that are loaded during a PROCESS_LAUNCH
+event."
+security_result,A list of security results.
+network,"All network details go here, including sub-messages with details on each
+protocol (for example, DHCP, DNS, or HTTP)."
+extensions,"All other first-class, event-specific metadata goes in this message.
+Don't place protocol metadata in Extensions; put it in Network."
+auth,An authentication extension.
+vulns,A vulnerability extension.
+id,ID of the UDM event. Can be used for raw and normalized event retrieval.
+product_log_id,"A vendor-specific event identifier to uniquely identify the event (for example: a
+GUID)."
+event_timestamp,The GMT timestamp when the event was generated.
+collected_timestamp,"The GMT timestamp when the event was collected by the vendor's local
+collection infrastructure."
+ingested_timestamp,The GMT timestamp when the event was ingested (received) by Google Security Operations.
+event_type,"The event type.
+If an event has multiple possible types, this specifies the most specific
+type."
+vendor_name,The name of the product vendor.
+product_name,The name of the product.
+product_version,The version of the product.
+product_event_type,"A short, descriptive, human-readable, product-specific event name or type
+(for example: ""Scanned X"", ""User account created"", ""process_start"")."
+product_deployment_id,The deployment identifier assigned by the vendor for a product deployment.
+description,A human-readable unparsable description of the event.
+url_back_to_product,A URL that takes the user to the source product console for this event.
+ingestion_labels,User-configured ingestion metadata labels.
+tags,"Tags added by Google Security Operations after an event is parsed. It is an error to
+populate this field from within a parser."
+enrichment_state,The enrichment state.
+log_type,The string value of log type.
+base_labels,Data access labels on the base event.
+enrichment_labels,"Data access labels from all the contextual events used to enrich the base
+event."
+sent_bytes,The number of bytes sent.
+received_bytes,The number of bytes received.
+sent_packets,The number of packets sent.
+received_packets,The number of packets received.
+session_duration,"The duration of the session as the number of seconds and nanoseconds.
+For seconds, network.session_duration.seconds, the type is a 64-bit
+integer. For nanoseconds, network.session_duration.nanos, the type is a
+32-bit integer."
+session_id,The ID of the network session.
+parent_session_id,The ID of the parent network session.
+application_protocol_version,"The version of the application protocol. e.g. ""1.1, 2.0"""
+community_id,Community ID network flow value.
+direction,The direction of network traffic.
+ip_protocol,The IP protocol.
+application_protocol,The application protocol.
+ftp,FTP info.
+email,Email info for the sender/recipient.
+dns,DNS info.
+dhcp,DHCP info.
+http,HTTP info.
+tls,TLS info.
+smtp,"SMTP info.
+Store fields specific to SMTP not covered by Email."
+asn,Autonomous system number.
+dns_domain,DNS domain name.
+carrier_name,Carrier identification.
+organization_name,Organization name (e.g Google).
+ip_subnet_range,Associated human-readable IP subnet range (e.g. 10.1.2.0/24).
+hostname,"Client hostname or domain name field.
+Hostname also doubles as the domain for remote entities."
+domain,Information about the domain.
+artifact,Information about an artifact.
+url_metadata,Information about the URL.
+asset_id,The asset ID.
+user,Information about the user.
+user_management_chain,"Information about the user's management chain (reporting hierarchy).
+Note: user_management_chain is only populated when data is exported to
+BigQuery since recursive fields (e.g. user.managers) are not supported by
+BigQuery."
+group,Information about the group.
+process,Information about the process.
+process_ancestors,"Information about the process's ancestors ordered from immediate ancestor
+(parent process) to root.
+Note: process_ancestors is only populated when data is exported to BigQuery
+since recursive fields (e.g. process.parent_process) are not supported by
+BigQuery."
+asset,Information about the asset.
+ip,A list of IP addresses associated with a network connection.
+nat_ip,A list of NAT translated IP addresses associated with a network connection.
+port,"Source or destination network port number when a specific network
+connection is described within an event."
+nat_port,"NAT external network port number when a specific network connection is
+described within an event."
+mac,List of MAC addresses associated with a device.
+administrative_domain,"Domain which the device belongs to (for example, the Microsoft Windows
+domain)."
+namespace,"Namespace which the device belongs to, such as ""AD forest"".
+Uses for this field include Microsoft Windows AD forest, the name of
+subsidiary, or the name of acquisition."
+URL,The URL.
+file,Information about the file.
+email,"Email address.
+Only filled in for security_result.about"
+registry,Registry information.
+application,"The name of an application or service.
+Some SSO solutions only capture the name of a target application
+such as ""Atlassian"" or ""Google""."
+platform,Platform.
+platform_version,"Platform version. For example,
+""Microsoft Windows 1803""."
+platform_patch_level,"Platform patch level.
+For example, ""Build 17134.48"""
+cloud,"Cloud metadata.
+Deprecated: cloud should be populated in entity Attribute as generic
+metadata (e.g. asset.attribute.cloud)."
+location,"Physical location. For cloud environments, set the region in
+location.name."
+ip_location,Deprecated: use ip_geo_artifact.location instead.
+ip_geo_artifact,"Enriched geographic information corresponding to an IP address.
+Specifically, location and network data."
+resource,"Information about the resource (e.g. scheduled task, calendar entry).
+This field should not be used for files, registry, or processes because
+these objects are already part of Noun."
+resource_ancestors,"Information about the resource's ancestors ordered from immediate ancestor
+(starting with parent resource)."
+labels,"Labels are key-value pairs.
+For example: key = ""env"", value = ""prod"".
+Deprecated: labels should be populated in entity Attribute as generic
+metadata (e.g. user.attribute.labels)."
+object_reference,Finding to which the Analyst updated the feedback.
+investigation,Analyst feedback/investigation for alerts.
+network,"Network details, including sub-messages with details on each protocol
+(for example, DHCP, DNS, or HTTP)."
+security_result,A list of security results.
+about,"If the security result is about a specific entity (Noun), add it here."
+category,The security category.
+category_details,"For vendor-specific categories. For web categorization, put type in here
+such as ""gambling"" or ""porn""."
+threat_name,"A vendor-assigned classification common across multiple customers
+(e.g. ""W32/File-A"", ""Slammer"")."
+rule_set,"The result's rule set identifier.
+(e.g. ""windows-threats"")"
+rule_set_display_name,The curated detections rule set display name.
+ruleset_category_display_name,"The curated detection rule set category display name.
+(for example, if rule_set_display_name is ""CDIR SCC Enhanced Exfiltration"",
+the rule_set_category is ""Cloud Threats"")."
+rule_id,"A vendor-specific ID and name for a rule, varying by observerer type
+(e.g. ""08123"", ""5d2b44d0-5ef6-40f5-a704-47d61d3babbe"")."
+rule_name,"Name of the security rule
+(e.g. ""BlockInboundToOracle"")."
+rule_version,"Version of the security rule.
+(e.g. ""v1.1"", ""00001"", ""1604709794"", ""2020-11-16T23:04:19+00:00"").
+Note that rule versions are source-dependant and lexical ordering
+should not be assumed."
+rule_type,The type of security rule.
+rule_author,Author of the security rule.
+rule_labels,"A list of rule labels that can't be captured by the other fields
+in security result
+(e.g. ""reference : AnotherRule"", ""contributor : John"")."
+alert_state,The alerting types of this security result.
+detection_fields,"An ordered list of values, that represent fields in detections for a
+security finding. This list represents mapping of names of requested
+entities to their values (i.e. the security result matched variables) ."
+outcomes,"A list of outcomes that represent the results of this security finding.
+This list represents a mapping of names of the requested outcomes,
+to their values."
+summary,"A human readable summary (e.g. ""failed login occurred"")"
+description,"A human readable description (e.g. ""user password was wrong"")"
+action,Actions taken for this event.
+action_details,The detail of the action taken as provided by the vendor.
+severity,The severity of the result.
+confidence,The confidence level of the result as estimated by the product.
+priority,The priority of the result.
+risk_score,The risk score of the security result.
+confidence_score,The confidence score of the security result.
+analytics_metadata,Stores metadata about each risk analytic metric the rule uses.
+severity_details,Vendor-specific severity.
+confidence_details,"Additional detail with regards to the confidence of a security event as
+estimated by the product vendor."
+priority_details,Vendor-specific information about the security result priority.
+url_back_to_product,URL that takes the user to the source product console for this event.
+threat_id,Vendor-specific ID for a threat.
+threat_feed_name,Vendor feed name for a threat indicator feed.
+threat_id_namespace,"The attribute threat_id_namespace qualifies threat_id with an ID namespace
+to get an
+unique ID. The attribute threat_id by itself is not unique across Google SecOps
+as it is a vendor specific ID."
+threat_status,Current status of the threat
+attack_details,MITRE ATT&CK details.
+first_discovered_time,First time the IoC threat was discovered in the provider.
+associations,Associations related to the threat.
+campaigns,Campaigns using this IOC threat.
+verdict,"Verdict about the IoC from the provider.
+This field is now deprecated. Use VerdictInfo instead."
+last_updated_time,Last time the IoC threat was updated in the provider.
+verdict_info,Verdict information about the IoC from the provider.
+threat_verdict,GCTI threat verdict on the security result entity.
+last_discovered_time,Last time the IoC was seen in the provider data.
+analytic,Name of the analytic.
+ip,IP address of the artifact.
+prevalence,The prevalence of the artifact within the customer's environment.
+first_seen_time,First seen timestamp of the IP in the customer's environment.
+last_seen_time,Last seen timestamp of the IP address in the customer's environment.
+location,Location of the Artifact's IP address.
+network,Network information related to the Artifact's IP address.
+as_owner,Owner of the Autonomous System to which the IP address belongs.
+asn,Autonomous System Number to which the IP address belongs.
+jarm,"The JARM hash for the IP address.
+(https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a)."
+last_https_certificate,SSL certificate information about the IP address.
+last_https_certificate_date,Most recent date for the certificate in VirusTotal.
+regional_internet_registry,"RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC)."
+tags,Identification attributes
+whois,WHOIS information as returned from the pertinent WHOIS server.
+whois_date,Date of the last update of the WHOIS record in VirusTotal.
+product_object_id,"A vendor-specific identifier to uniquely identify the entity (a GUID  or
+similar)."
+hostname,Asset hostname or domain name field.
+asset_id,"The asset ID. Value must contain the ':' character. For example,
+cs:abcdd23434."
+ip,A list of IP addresses associated with an asset.
+mac,List of MAC addresses associated with an asset.
+nat_ip,List of NAT IP addresses associated with an asset.
+first_seen_time,"The first observed time for an asset.
+The value is calculated on the basis of the
+first time the identifier was observed."
+hardware,The asset hardware specifications.
+platform_software,The asset operating system platform software.
+software,The asset software details.
+location,Location of the asset.
+category,"The category of the asset (e.g. ""End User Asset"", ""Workstation"", ""Server"")."
+type,The type of the asset (e.g. workstation or laptop or server).
+network_domain,"The network domain of the asset (e.g. ""corp.acme.com"")"
+creation_time,"Time the asset was created or provisioned.
+Deprecate: creation_time should be populated in Attribute as generic
+metadata."
+first_discover_time,"Time the asset was first discovered (by asset management/discoverability
+software)."
+last_discover_time,"Time the asset was last discovered (by asset management/discoverability
+software)."
+system_last_update_time,"Time the asset system or OS was last updated.
+For all other operations that are not system updates (such as resizing a
+VM), use Attribute.last_update_time."
+last_boot_time,Time the asset was last boot started.
+labels,"Metadata labels for the asset.
+Deprecated: labels should be populated in Attribute as generic metadata."
+deployment_status,The deployment status of the asset for device lifecycle purposes.
+vulnerabilities,Vulnerabilities discovered on asset.
+attribute,Generic entity metadata attributes of the asset.
+version,ATT&CK version (e.g. 12.1).
+tactics,Tactics employed.
+techniques,Techniques employed.
+id,"Tactic ID (e.g. ""TA0043"")."
+name,"Tactic Name (e.g. ""Reconnaissance"")"
+id,"Technique ID (e.g. ""T1595"")."
+name,"Technique Name (e.g. ""Active Scanning"")."
+subtechnique_id,"Subtechnique ID (e.g. ""T1595.001"")."
+subtechnique_name,"Subtechnique Name (e.g. ""Scanning IP Blocks"")."
+cloud,"Cloud metadata attributes such as project ID, account ID, or organizational
+hierarchy."
+labels,"Set of labels for the entity. Should only be used for product labels (for
+example, Google Cloud resource labels or Azure AD sensitivity labels.
+Should not be used for arbitrary key-value mappings."
+permissions,"System permissions for IAM entity
+(human principal, service account, group)."
+roles,"System IAM roles to be assumed by resources to use the role's permissions
+for access control."
+creation_time,Time the resource or entity was created or provisioned.
+last_update_time,Time the resource or entity was last updated.
+type,The type of authentication.
+mechanism,The authentication mechanism.
+auth_details,The vendor defined details of the authentication.
+version,Certificate version.
+serial,Certificate serial number.
+subject,Subject of the certificate.
+issuer,Issuer of the certificate.
+md5,"The MD5 hash of the certificate, as a hex-encoded string."
+sha1,"The SHA1 hash of the certificate, as a hex-encoded string."
+sha256,"The SHA256 hash of the certificate, as a hex-encoded string."
+not_before,Indicates when the certificate is first valid.
+not_after,Indicates when the certificate is no longer valid.
+environment,The Cloud environment.
+vpc,"The cloud environment VPC.
+Deprecated."
+project,"The cloud environment project information.
+Deprecated: Use Resource.resource_ancestors"
+availability_zone,"The cloud environment availability zone (different from region which is
+location.name)."
+type,Type.
+value,Value.
+ttl,Time to live.
+priority,Priority.
+retry,Retry.
+refresh,Refresh.
+minimum,Minimum.
+expire,Expire.
+serial,Serial.
+rname,Rname.
+opcode,The BOOTP op code.
+htype,Hardware address type.
+hlen,Hardware address length.
+hops,Hardware ops.
+transaction_id,Transaction ID.
+seconds,Seconds elapsed since client began address acquisition/renewal process.
+flags,Flags.
+ciaddr,Client IP address (ciaddr).
+yiaddr,Your IP address (yiaddr).
+siaddr,IP address of the next bootstrap server.
+giaddr,Relay agent IP address (giaddr).
+chaddr,Client hardware address (chaddr).
+sname,Server name that the client wishes to boot from.
+file,Boot image filename.
+options,List of DHCP options.
+type,DHCP message type.
+lease_time_seconds,"Lease time in seconds. See RFC2132, section 9.2."
+client_hostname,"Client hostname. See RFC2132, section 3.14."
+client_identifier,"Client identifier. See RFC2132, section 9.14."
+requested_address,"Requested IP address. See RFC2132, section 9.1."
+code,Code. See RFC1533.
+data,Data.
+id,DNS query id.
+response,Set to true if the event is a DNS response. See QR field from RFC1035.
+opcode,"The DNS OpCode used to specify the type of DNS query
+(for example, QUERY, IQUERY, or STATUS)."
+authoritative,"Other DNS header flags. See RFC1035, section 4.1.1."
+truncated,Whether the DNS response was truncated.
+recursion_desired,Whether a recursive DNS lookup is desired.
+recursion_available,Whether a recursive DNS lookup is available.
+response_code,Response code. See RCODE from RFC1035.
+questions,A list of domain protocol message questions.
+answers,A list of answers to the domain name query.
+authority,"A list of domain name servers which verified the answers to the domain name
+queries."
+additional,"A list of additional domain name servers that can be used to verify the
+answer to the domain."
+name,The domain name.
+type,The code specifying the type of the query.
+class,The code specifying the class of the query.
+prevalence,The prevalence of the domain within the customer's environment.
+name,The name of the owner of the resource record.
+type,The code specifying the type of the resource record.
+class,The code specifying the class of the resource record.
+ttl,"The time interval for which the resource record can be cached before the
+source of the information should again be queried."
+data,"The payload or response to the DNS question for all responses encoded in
+UTF-8 format"
+binary_data,"The raw bytes of any non-UTF8 strings that might be included as part of a
+DNS response."
+name,The domain name.
+prevalence,The prevalence of the domain within the customer's environment.
+first_seen_time,First seen timestamp of the domain in the customer's environment.
+last_seen_time,Last seen timestamp of the domain in the customer's environment.
+registrar,"Registrar name . FOr example, ""Wild West Domains, Inc. (R120-LROR)"",
+""GoDaddy.com, LLC"", or ""PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM""."
+contact_email,Contact email address.
+whois_server,Whois server name.
+name_server,Repeated list of name servers.
+creation_time,Domain creation time.
+update_time,Last updated time.
+expiration_time,Expiration time.
+audit_update_time,Audit updated time.
+status,"Domain status. See
+https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
+for meanings of possible values"
+registrant,Parsed contact information for the registrant of the domain.
+admin,Parsed contact information for the administrative contact for the domain.
+tech,Parsed contact information for the technical contact for the domain
+billing,Parsed contact information for the billing contact of the domain.
+zone,Parsed contact information for the zone.
+whois_record_raw_text,WHOIS raw text.
+registry_data_raw_text,Registry Data raw text.
+iana_registrar_id,"IANA Registrar ID.  See
+https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml"
+private_registration,"Indicates whether the domain appears to be using a private registration
+service to mask the owner's contact information."
+categories,Categories assign to the domain as retrieved from VirusTotal.
+favicon,Includes difference hash and MD5 hash of the domain's favicon.
+jarm,Domain's JARM hash.
+last_dns_records,Domain's DNS records from the last scan.
+last_dns_records_time,Date when the DNS records list was retrieved by VirusTotal.
+last_https_certificate,SSL certificate object retrieved last time the domain was analyzed.
+last_https_certificate_time,When the certificate was retrieved by VirusTotal.
+popularity_ranks,"Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo,
+etc"
+tags,List of representative attributes.
+whois_time,Date of the last update of the WHOIS record.
+from,The 'from' address.
+reply_to,The 'reply to' address.
+to,A list of 'to' addresses.
+cc,A list of 'cc' addresses.
+bcc,A list of 'bcc' addresses.
+mail_id,The mail (or message) ID.
+subject,The subject line(s) of the email.
+bounce_address,"The envelope from address.
+https://en.wikipedia.org/wiki/Bounce_address"
+raw_md5,Favicon's MD5 hash.
+dhash,Difference hash.
+sha256,"The SHA256 hash of the file, as a hex-encoded string."
+md5,"The MD5 hash of the file, as a hex-encoded string."
+sha1,"The SHA1 hash of the file, as a hex-encoded string."
+size,The size of the file in bytes.
+full_path,The full path identifying the location of the file on the system.
+mime_type,"The MIME (Multipurpose Internet Mail Extensions) type of the file,
+for example ""PE"", ""PDF"", or ""powershell script""."
+file_metadata,"Metadata associated with the file.
+Deprecate FileMetadata in favor of using fields in File."
+security_result,"Google Cloud Threat Intelligence (GCTI) security result for the file
+including threat context and detection metadata."
+pe_file,Metadata about the Portable Executable (PE) file.
+ssdeep,Ssdeep of the file
+vhash,Vhash of the file.
+ahash,Deprecated. Use authentihash instead.
+authentihash,Authentihash of the file.
+file_type,FileType field.
+capabilities_tags,Capabilities tags.
+names,Names fields.
+tags,Tags for the file.
+last_modification_time,Timestamp when the file was last updated.
+prevalence,Prevalence of the file hash in the customer's environment.
+first_seen_time,Timestamp the file was first seen in the customer's environment.
+last_seen_time,Timestamp the file was last seen in the customer's environment.
+stat_mode,"The mode of the file. A bit string indicating the permissions and
+privileges of the file."
+stat_inode,The file identifier. Unique identifier of object within a file system.
+stat_dev,The file system identifier to which the object belongs.
+stat_nlink,Number of links to file.
+stat_flags,User defined flags for file.
+last_analysis_time,Timestamp the file was last analysed.
+embedded_urls,Embedded URLs found in the file.
+embedded_domains,Embedded domains found in the file.
+embedded_ips,Embedded IP addresses found in the file.
+exif_info,Exif metadata from different file formats extracted by exiftool.
+signature_info,File signature information extracted from different tools.
+pdf_info,Information about the PDF file structure.
+first_submission_time,First submission time of the file.
+last_submission_time,Last submission time of the file.
+main_icon,Icon's relevant hashes.
+id,Code sign identifier.
+format,Code sign format.
+compilation_time,Code sign timestamp
+imphash,Imphash of the file.
+entry_point,info.pe-entry-point.
+entry_point_exiftool,info.exiftool.EntryPoint.
+compilation_time,info.pe-timestamp.
+compilation_exiftool_time,info.exiftool.TimeStamp.
+section,FilemetadataSection fields.
+imports,FilemetadataImports fields.
+resource,FilemetadataPeResourceInfo fields.
+resources_type_count,Deprecated: use resources_type_count_str.
+resources_language_count,Deprecated: use resources_language_count_str.
+resources_type_count_str,"Number of resources by resource type.
+Example: RT_ICON: 10, RT_DIALOG: 5"
+resources_language_count_str,"Number of resources by language.
+Example: NEUTRAL: 20, ENGLISH US: 10"
+signature_info,"FilemetadataSignatureInfo field.
+deprecated, user File.signature_info instead."
+verification_message,"Status of the certificate.
+Valid values are ""Signed"", ""Unsigned"" or a description of the certificate
+anomaly, if found."
+verified,"True if verification_message == ""Signed"""
+signer,Deprecated: use signers field.
+signers,"File metadata signer information.
+The order of the signers matters. Each element is a higher level
+authority, being the last the root authority."
+x509,List of certificates.
+command,The FTP command.
+product_object_id,"Product globally unique user object identifier, such as an LDAP Object
+Identifier."
+creation_time,"Group creation time.
+Deprecated: creation_time should be populated in Attribute as generic
+metadata."
+group_display_name,"Group display name. e.g. ""Finance""."
+attribute,Generic entity metadata attributes of the group.
+email_addresses,Email addresses of the group.
+windows_sid,Microsoft Windows SID of the group.
+serial_number,Hardware serial number.
+manufacturer,Hardware manufacturer.
+model,Hardware model.
+cpu_platform,"Platform of the hardware CPU (e.g. ""Intel Broadwell"")."
+cpu_model,"Model description of the hardware CPU
+(e.g. ""2.8 GHz Quad-Core Intel Core i5"")."
+cpu_clock_speed,Clock speed of the hardware CPU in MHz.
+cpu_max_clock_speed,Maximum possible clock speed of the hardware CPU in MHz.
+cpu_number_cores,Number of CPU cores.
+ram,Amount of the hardware ramdom access memory (RAM) in Mb.
+method,"The HTTP request method
+(e.g. ""GET"", ""POST"", ""PATCH"", ""DELETE"")."
+referral_url,The URL for the HTTP referer.
+user_agent,"The User-Agent request header which includes the application type,
+operating system, software vendor or software version of the requesting
+software user agent."
+response_code,"The response status code, for example
+200, 302, 404, or 500."
+parsed_user_agent,The parsed user_agent string.
+verdict,Describes reason a finding investigation was resolved.
+reputation,Describes whether a finding was useful or not-useful.
+severity_score,Severity score for a finding set by an analyst.
+status,Describes the workflow status of a finding.
+comments,Comment added by the Analyst.
+priority,Priority of the Alert or Finding set by analyst.
+root_cause,Root cause of the Alert or Finding set by analyst.
+reason,Reason for closing the Case or Alert.
+risk_score,Risk score for a finding set by an analyst.
+key,The key.
+value,The value.
+rbac_enabled,Indicates whether this label can be used for Data RBAC
+city,The city.
+state,The state.
+country_or_region,The country or region.
+name,"Custom location name (e.g. building or site name like ""London Office"").
+For cloud environments, this is the region (e.g. ""us-west2"")."
+desk_name,"Desk name or individual location, typically for an employee in an
+office.
+(e.g. ""IN-BLR-BCPC-11-1121D"")."
+floor_name,"Floor name, number or a combination of the two for a building.
+(e.g. ""1-A"")."
+region_latitude,Deprecated: use region_coordinates.
+region_longitude,Deprecated: use region_coordinates.
+region_coordinates,"Coordinates for the associated region.
+See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng
+for a description of the fields."
+js,"Number of /JS tags found in the PDF file. Should be the same as
+javascript field in normal scenarios."
+javascript,"Number of /JavaScript tags found in the PDF file. Should be the same as
+the js field in normal scenarios."
+launch_action_count,Number of /Launch tags found in the PDF file.
+object_stream_count,Number of object streams.
+endobj_count,Number of object definitions (endobj keyword).
+header,PDF version.
+acroform,Number of /AcroForm tags found in the PDF.
+autoaction,Number of /AA tags found in the PDF.
+embedded_file,Number of /EmbeddedFile tags found in the PDF.
+encrypted,"Whether the document is encrypted or not. This is defined by the /Encrypt
+tag."
+flash,Number of /RichMedia tags found in the PDF.
+jbig2_compression,Number of /JBIG2Decode tags found in the PDF.
+obj_count,Number of objects definitions (obj keyword).
+endstream_count,Number of defined stream objects (stream keyword).
+page_count,Number of pages in the PDF.
+stream_count,Number of defined stream objects (stream keyword).
+openaction,Number of /OpenAction tags found in the PDF.
+startxref,Number of startxref keywords in the PDF.
+suspicious_colors,Number of colors expressed with more than 3 bytes (CVE-2009-3459).
+trailer,Number of trailer keywords in the PDF.
+xfa,Number of \XFA tags found in the PDF.
+xref,Number of xref keywords in the PDF.
+import_hash,Hash of PE imports.
+name,Name of the permission (e.g. chronicle.analyst.updateRule).
+description,Description of the permission (e.g. 'Ability to update detect rules').
+type,Type of the permission.
+platform,The platform operating system.
+platform_version,"The platform software version (
+e.g. ""Microsoft Windows 1803"")."
+platform_patch_level,"The platform software patch level (
+e.g. ""Build 17134.48"", ""SP1"")."
+giver,Name of the rank serial number hexdump.
+rank,Rank position.
+ingestion_time,Timestamp when the rank was ingested.
+rolling_max,"The maximum number of assets per day accessing the resource over the
+trailing day_count days."
+day_count,The number of days over which rolling_max is calculated.
+rolling_max_sub_domains,"The maximum number of assets per day accessing the domain along with
+sub-domains over the trailing day_count days. This field is only valid for
+domains."
+day_max,The max prevalence score in a day interval window.
+day_max_sub_domains,"The max prevalence score in a day interval window across sub-domains. This
+field is only valid for domains."
+pid,The process ID.
+parent_pid,"The ID of the parent process.
+Deprecated: use parent_process.pid instead."
+parent_process,Information about the parent process.
+file,Information about the file in use by the process.
+command_line,The command line command that created the process.
+command_line_history,The command line history of the process.
+product_specific_process_id,A product specific process id.
+access_mask,A bit mask representing the level of access.
+integrity_level_rid,The Microsoft Windows integrity level relative ID (RID) of the process.
+token_elevation_type,"The elevation type of the process on Microsoft Windows. This determines if
+any privileges are removed when UAC is enabled."
+product_specific_parent_process_id,"A product specific id for the parent process.
+Please use parent_process.product_specific_process_id instead."
+registry_key,"Registry key associated with an application or system component
+(e.g., HKEY_, HKCU\Environment...)."
+registry_value_name,"Name of the registry value associated with an application or system
+component (e.g. TEMP)."
+registry_value_data,"Data associated with a registry value
+(e.g. %USERPROFILE%\Local Settings\Temp)."
+type,Deprecated: use resource_type instead.
+resource_type,Resource type.
+resource_subtype,"Resource sub-type (e.g. ""BigQuery"", ""Bigtable"")."
+id,Deprecated: Use resource.name or resource.product_object_id.
+name,"The full name of the resource. For example,
+Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123,
+and AWS: arn:aws:iam::123456789012:user/johndoe."
+parent,"The parent of the resource.
+For a database table, the parent is the database. For a storage object,
+the bucket name.  Deprecated: use resource_ancestors.name."
+product_object_id,"A vendor-specific identifier to uniquely identify the entity (a GUID,
+OID, or similar)"
+attribute,Generic entity metadata attributes of the resource.
+name,System role name for user.
+description,System role description for user.
+type,System role type for well known roles.
+cert_signature,Certificate's signature and algorithm.
+extension,(DEPRECATED) certificate's extension.
+cert_extensions,Certificate's extensions.
+first_seen_time,Date the certificate was first retrieved by VirusTotal.
+issuer,Certificate's issuer data.
+ec,EC public key information.
+serial_number,Certificate's serial number hexdump.
+signature_algorithm,"Algorithm used for the signature (for example, ""sha1RSA"")."
+size,Certificate content length.
+subject,Certificate's subject data.
+thumbprint,Certificate's content SHA1 hash.
+thumbprint_sha256,Certificate's content SHA256 hash.
+validity,Certificate's validity period.
+version,"Certificate version (typically ""V1"", ""V2"" or ""V3"")."
+keyid,Key hexdump.
+serial_number,Serial number hexdump.
+signature,Signature.
+signature_algorithm,Algorithm.
+p,p component hexdump.
+q,q component hexdump.
+g,g component hexdump.
+pub,Public key hexdump.
+oid,Curve name.
+pub,Public key hexdump.
+ca,Whether the subject acts as a certificate authority (CA) or not.
+subject_key_id,Identifies the public key being certified.
+authority_key_id,"Identifies the public key to be used to verify the signature on this
+certificate or CRL."
+key_usage,The purpose for which the certified public key is used.
+ca_info_access,"Authority information access locations are URLs that are added to a
+certificate in its authority information access extension."
+crl_distribution_points,"CRL distribution points to which a certificate user should refer to
+ascertain if the certificate has been revoked."
+extended_key_usage,"One or more purposes for which the certified public key may be used, in
+addition to or in place of the basic purposes indicated in the key usage
+extension field."
+subject_alternative_name,"Contains one or more alternative names, using any of a variety of name
+forms, for the entity that is bound by the CA to the certified public
+key."
+certificate_policies,"Different certificate policies will relate to different applications
+which may use the certified key."
+netscape_cert_comment,Used to include free-form text comments inside certificates.
+cert_template_name_dc,"BMP data value ""DomainController"". See MS Q291010."
+netscape_certificate,"Identify whether the certificate subject is an SSL client, an SSL server,
+or a CA."
+pe_logotype,Whether the certificate includes a logotype.
+old_authority_key_id,Whether the certificate has an old authority key identifier extension.
+algorithm,"Any of ""RSA"", ""DSA"" or ""EC"". Indicates the algorithm used to generate the
+certificate."
+rsa,RSA public key information.
+key_size,Key size.
+modulus,Key modulus hexdump.
+exponent,Key exponent hexdump.
+country_name,C: Country name.
+common_name,CN: CommonName.
+locality,L: Locality.
+organization,O: Organization.
+organizational_unit,OU: OrganizationalUnit.
+state_or_province_name,ST: StateOrProvinceName.
+expiry_time,Expiry date.
+issue_time,Issue date.
+confidence_score,Confidence score of the verdict.
+verdict_time,Timestamp at which the verdict was generated.
+verdict_response,Details of the verdict.
+id,Unique association id generated by mandiant.
+country_code,Country from which the threat actor/ malware is originated.
+type,Signifies the type of association.
+name,Name of the threat actor/malware.
+description,Human readable description about the association.
+role,Role of the malware. Not applicable for threat actor.
+source_country,Name of the country the threat originated from.
+alias,Different aliases of the threat actor given by different sources.
+first_reference_time,First time the threat actor was referenced or seen.
+last_reference_time,Last time the threat actor was referenced or seen.
+industries_affected,List of industries the threat actor affects.
+associated_actors,"List of associated threat actors for a malware. Not applicable for threat
+actors."
+region_code,"Name of the country, the threat is originating from."
+sponsor_region,Sponsor region of the threat actor.
+targeted_regions,Targeted regions.
+tags,Tags.
+name,Name of the alias.
+company,Name of the provider who gave the association's name.
+ioc_stats_type,Describes the source of the IoCStat.
+first_level_source,"Name of first level IoC source, for example Mandiant or a third-party."
+second_level_source,"Name of the second-level IoC source, for example Crowdsourced Threat
+Analysis or Knowledge Graph."
+benign_count,Count of responses where the IoC was identified as benign.
+quality,Level of confidence in the IoC mapping extracted from the source.
+malicious_count,Count of responses where the IoC was identified as malicious.
+response_count,Total number of response from the source.
+source_count,Number of sources from which information was extracted.
+source_provider,Source provider giving the ML verdict.
+benign_count,Count of responses where this IoC was marked benign.
+malicious_count,Count of responses where this IoC was marked malicious.
+confidence_score,Confidence score of the verdict.
+mandiant_sources,List of mandiant sources from which the verdict was generated.
+third_party_sources,List of third-party sources from which the verdict was generated.
+name,Name of the IoC source.
+benign_count,Count of responses where this IoC was marked benign.
+malicious_count,Count of responses where this IoC was marked malicious.
+quality,Quality of the IoC mapping extracted from the source.
+response_count,Total response count from this source.
+source_count,Number of sources from which intelligence was extracted.
+threat_intelligence_sources,Different threat intelligence sources from which IoC info was extracted.
+source_count,Number of sources from which intelligence was extracted.
+response_count,Total response count across all sources.
+neighbour_influence,Describes the neighbour influence of the verdict.
+verdict,ML Verdict provided by sources like Mandiant.
+analyst_verdict,Human analyst verdict provided by sources like Mandiant.
+source_count,Number of sources from which intelligence was extracted.
+response_count,Total response count across all sources.
+neighbour_influence,Describes the near neighbor influence of the verdict.
+verdict_type,Type of verdict.
+source_provider,Source provider giving the machine learning verdict.
+benign_count,Count of responses where this IoC was marked as benign.
+malicious_count,Count of responses where this IoC was marked as malicious.
+confidence_score,Confidence score of the verdict.
+ioc_stats,List of IoCStats from which the verdict was generated.
+verdict_time,Timestamp when the verdict was generated.
+verdict_response,Details about the verdict.
+global_customer_count,Global customer count over the last 30 days
+global_hits_count,Global hit count over the last 30 days.
+pwn,"Whether one or more Mandiant incident response customers had this
+indicator in their environment."
+category_details,Tags related to the verdict.
+pwn_first_tagged_time,The timestamp of the first time a pwn was associated to this entity.
+sigcheck,Signature information extracted from the sigcheck tool.
+codesign,Signature information extracted from the codesign utility.
+name,"Common name of the signers/certificate.
+The order of the signers matters. Each element is a higher level
+authority, the last being the root authority."
+status,"It can say ""Valid"" or state the problem with the certificate if any (e.g.
+""This certificate or one of the certificates in the certificate chain is
+not time valid."")."
+valid_usage,"Indicates which situations the certificate is valid for (e.g. ""Code
+Signing"")."
+cert_issuer,Company that issued the certificate.
+helo,The client's 'HELO'/'EHLO' string.
+mail_from,The client's 'MAIL FROM' string.
+rcpt_to,The client's 'RCPT TO' string(s).
+server_response,The server's response(s) to the client.
+message_path,The message's path (extracted from the headers).
+is_webmail,If the message was sent via a webmail client.
+is_tls,If the connection switched to TLS.
+name,The name of the software.
+version,The version of the software.
+permissions,"System permissions granted to the software.
+For example, ""android.permission.WRITE_EXTERNAL_STORAGE"""
+description,The description of the software.
+vendor_name,The name of the software vendor.
+tenant_id,A list of subtenant ids that this event belongs to.
+data_tap_config_name,A list of sink name values defined in DataTap configurations.
+interval,Interval duration of the leave.
+description,Description of the leave if available (e.g. 'Vacation').
+client,Certificate information for the client certificate.
+server,Certificate information for the server certificate.
+cipher,Cipher used during the connection.
+curve,Elliptical curve used for a given cipher.
+version,TLS version.
+version_protocol,Protocol.
+established,Indicates whether the TLS negotiation was successful.
+next_protocol,Protocol to be used for tunnel.
+resumed,"Indicates whether the TLS connection was resumed from a previous
+TLS negotiation."
+certificate,Client certificate.
+ja3,"JA3 hash from the TLS ClientHello, as a hex-encoded string."
+server_name,"Host name of the server, that the client is connecting to."
+supported_ciphers,Ciphers supported by the client during client hello.
+certificate,Server certificate.
+ja3s,"JA3 hash from the TLS ServerHello, as a hex-encoded string."
+tracker,Tracker name.
+id,"Tracker ID, if available."
+timestamp,Tracker ingestion date.
+URL,Tracker script URL.
+URL,URL.
+categories,Categorisation done by VirusTotal partners.
+favicon,Difference hash and MD5 hash of the URL's.
+html_meta,Meta tags (only for URLs downloading HTML).
+last_final_url,"If the original URL redirects, where does it end."
+last_http_response_code,HTTP response code of the last response.
+last_http_response_content_length,Length in bytes of the content received.
+last_http_response_content_sha256,URL response body's SHA256 hash.
+last_http_response_cookies,Website's cookies.
+last_http_response_headers,Headers and values of the last HTTP response.
+tags,Tags.
+title,Webpage title.
+trackers,Trackers found in the URL in a historical manner.
+product_object_id,"A vendor-specific identifier to uniquely identify the entity (e.g. a GUID,
+LDAP, OID, or similar)."
+userid,The ID of the user.
+user_display_name,"The display name of the user
+(e.g. ""John Locke"")."
+first_name,"First name of the user (e.g. ""John"")."
+middle_name,Middle name of the user.
+last_name,"Last name of the user (e.g. ""Locke"")."
+phone_numbers,Phone numbers for the user.
+personal_address,Personal address of the user.
+attribute,Generic entity metadata attributes of the user.
+first_seen_time,"The first observed time for a user.
+The value is calculated on the basis of the
+first time the identifier was observed."
+account_type,"Type of user account (for example, service, domain, or cloud). This is
+somewhat aligned to: https://attack.mitre.org/techniques/T1078/"
+groupid,"The ID of the group that the user belongs to.
+Deprecated in favor of the repeated group_identifiers field."
+group_identifiers,"Product object identifiers of the group(s) the user belongs to
+A vendor-specific identifier to uniquely identify the group(s) the user
+belongs to (a GUID, LDAP OID, or similar)."
+windows_sid,The Microsoft Windows SID of the user.
+email_addresses,Email addresses of the user.
+employee_id,Human capital management identifier.
+title,User job title.
+company_name,User job company name.
+department,User job department
+office_address,User job office location.
+managers,User job manager(s).
+hire_date,User job employment hire date.
+termination_date,User job employment termination date.
+time_off,User time off leaves from active work.
+last_login_time,User last login timestamp.
+last_password_change_time,User last password change timestamp.
+password_expiration_time,User password expiration timestamp.
+account_expiration_time,User account expiration timestamp.
+account_lockout_time,User account lockout timestamp.
+last_bad_password_attempt_time,User last bad password attempt timestamp.
+user_authentication_status,System authentication status for user.
+role_name,"System role name for user.
+Deprecated: use attribute.roles."
+role_description,"System role description for user.
+Deprecated: use attribute.roles."
+user_role,"System role for user.
+Deprecated: use attribute.roles."
+vulnerabilities,A list of vulnerabilities.
+about,"If the vulnerability is about a specific noun (e.g. executable),
+then add it here."
+name,"Name of the vulnerability (e.g. ""Unsupported OS Version detected"")."
+description,Description of the vulnerability.
+vendor,Vendor of scan that discovered vulnerability.
+scan_start_time,"If the vulnerability was discovered during an asset scan, then this
+field should be populated with the time the scan started.
+This field can be left unset if the start time is not available or not
+applicable."
+scan_end_time,"If the vulnerability was discovered during an asset scan, then this field
+should be populated with the time the scan ended.
+This field can be left unset if the end time is not available or not
+applicable."
+first_found,"Products that maintain a history of vuln scans should populate first_found
+with the time that a scan first detected the vulnerability on this asset."
+last_found,"Products that maintain a history of vuln scans should populate last_found
+with the time that a scan last detected the vulnerability on this asset."
+severity,The severity of the vulnerability.
+severity_details,Vendor-specific severity
+cvss_base_score,"CVSS Base Score in the range of 0.0 to 10.0.
+Useful for sorting."
+cvss_vector,"Vector of CVSS properties (e.g. ""AV:L/AC:H/Au:N/C:N/I:P/A:C"")
+Can be linked to via:
+https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator"
+cvss_version,Version of CVSS Vector/Score.
+cve_id,"Common Vulnerabilities and Exposures Id.
+https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
+https://cve.mitre.org/about/faqs.html#what_is_cve_id"
+cve_description,"Common Vulnerabilities and Exposures Description.
+https://cve.mitre.org/about/faqs.html#what_is_cve_record"
+vendor_vulnerability_id,Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
+vendor_knowledge_base_article_id,"Vendor specific knowledge base article (e.g. ""KBXXXXXX"" from Microsoft).
+https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base
+https://access.redhat.com/knowledgebase"
+name,Certificate name.
+algorithm,Certificate algorithm.
+thumbprint,Certificate thumbprint.
+cert_issuer,Issuer of the certificate.
+serial_number,Certificate serial number.