UDM_Field,Description
metadata,"Entity metadata such as timestamp, product, etc."
entity,Noun in the UDM event that this entity represents.
relations,"One or more relationships between the entity (a) and other entities, including the relationship type and related entity."
additional,"Important entity data that cannot be adequately represented within
the formal sections of the Entity."
risk_score,Stores information related to the entity's risk score.
metric,"Stores statistical metrics about the entity. Used if metadata.entity_type
is METRIC."
product_entity_id,"A vendor-specific identifier that uniquely identifies the entity
(e.g. a GUID, LDAP, OID, or similar)."
collected_timestamp,"GMT timestamp when the entity information was collected by the vendor's
local collection infrastructure."
creation_timestamp,"GMT timestamp when the entity described by the product_entity_id was
created on the system where data was collected."
interval,"Valid existence time range for the version of the entity represented by
this entity data."
vendor_name,Vendor name of the product that produced the entity information.
product_name,Product name that produced the entity information.
feed,Vendor feed name for a threat indicator feed.
product_version,Version of the product that produced the entity information.
entity_type,"Entity type.
If an entity has multiple possible types, this specifies the most specific
type."
description,Human-readable description of the entity.
threat,"Metadata provided by a threat intelligence feed that identified the
entity as malicious."
source_type,The source of the entity.
source_labels,Entity source metadata labels.
event_metadata,Metadata field from the event.
risk_version,Version of the risk score calculation algorithm.
risk_window,"Time window used when computing the risk score for an entity, for
example 24 hours or 7 days."
DEPRECATED_risk_score,Deprecated risk score.
risk_delta,"Represents the change in risk score for an entity between the end of the
previous time window and the end of the current time window."
detections_count,Number of detections that make up the risk score within the time window.
first_detection_time,"Timestamp of the first detection within the specified time window.
This field is empty when there are no detections."
last_detection_time,"Timestamp of the last detection within the specified time window.
This field is empty when there are no detections."
risk_score,Raw risk score for the entity.
normalized_risk_score,Normalized risk score for the entity. This value is between 0-1000.
risk_window_size,Risk window duration for the Entity.
raw_risk_delta,"Represents the change in raw risk score for an entity between the end of
the previous time window and the end of the current time window."
first_seen,Timestamp of the first time the entity was seen in the environment.
last_seen,Timestamp of the last time the entity was seen in the environment.
sum_measure,Sum of all precomputed measures for the given metric.
total_events,Total number of events used to calculate the given precomputed metric.
metric_name,Name of the analytic.
dimensions,All group by clauses used to calculate the metric.
export_window,Export window for which the metric was exported.
value,Value of the aggregated measure.
aggregate_function,Function used to calculate the aggregated measure.
entity,Entity (b) that the primary entity (a) is related to.
entity_type,Type of the related entity (b) in this relationship.
relationship,Type of relationship.
direction,"Directionality of relationship between primary entity (a) and the
related entity (b)."
uid,UID of the relationship.
entity_label,Label to identify the Noun of the relation.
previous_range_end_time,End time of the previous time window.
risk_score_delta,Difference in the normalized risk score from the previous recorded value.
previous_risk_score,Risk score from previous risk window
risk_score_numeric_delta,Numeric change between current and previous risk score
metadata,"Event metadata such as timestamp, source product, etc."
additional,"Any important vendor-specific event data that cannot be adequately
represented within the formal sections of the UDM model."
principal,"Represents the acting entity that originates the activity
described in the event. The principal must include at least one machine
detail (hostname, MACs, IPs, port, product-specific identifiers like an
EDR asset ID) or user detail (for example, username), and optionally
include process details. It must NOT include any of the following fields:
email, files, registry keys, or values."
src,"Represents a source entity being acted upon by the participant along with
the device or process context for the source object (the machine where the

source object resides). For example, if user U copies file A on machine X
to file B on machine Y, both file A and machine X would be specified in the

src portion of the UDM event."
target,"Represents a target entity being referenced by the event or an object on
the target entity. For example, in a firewall connection from device A to
device B, A is described as the principal and B is described as the target.
For a process injection by process C into target process D, process C is
described as the principal and process D is described as the target."
intermediary,"Represents details on one or more intermediate entities processing activity
described in the event. This includes device details about a proxy server
or SMTP relay server. If an active event (that has a principal and
possibly target) passes through any intermediaries, they're added here.
Intermediaries can impact the overall action, for example blocking or
modifying an ongoing request.  A rule of thumb here is that 'principal',
'target', and description of the initial action should be the same
regardless of the intermediary or its action.  A successful network
connection from A->B should look the same in principal/target/intermediary
as one blocked by firewall C: principal: A, target: B (intermediary: C)."
observer,"Represents an observer entity (for example, a packet sniffer or
network-based vulnerability scanner), which is not a direct intermediary,
but which observes and reports on the event in question."
about,"Represents entities referenced by the event that are not otherwise
described in principal, src, target, intermediary or observer. For example,
it could be used to track email file attachments, domains/URLs/IPs embedded
within an email body, and DLLs that are loaded during a PROCESS_LAUNCH
event."
security_result,A list of security results.
network,"All network details go here, including sub-messages with details on each
protocol (for example, DHCP, DNS, or HTTP)."
extensions,"All other first-class, event-specific metadata goes in this message.
Don't place protocol metadata in Extensions; put it in Network."
auth,An authentication extension.
vulns,A vulnerability extension.
id,ID of the UDM event. Can be used for raw and normalized event retrieval.
product_log_id,"A vendor-specific event identifier to uniquely identify the event (for example: a
GUID)."
event_timestamp,The GMT timestamp when the event was generated.
collected_timestamp,"The GMT timestamp when the event was collected by the vendor's local
collection infrastructure."
ingested_timestamp,The GMT timestamp when the event was ingested (received) by Google Security Operations.
event_type,"The event type.
If an event has multiple possible types, this specifies the most specific
type."
vendor_name,The name of the product vendor.
product_name,The name of the product.
product_version,The version of the product.
product_event_type,"A short, descriptive, human-readable, product-specific event name or type
(for example: ""Scanned X"", ""User account created"", ""process_start"")."
product_deployment_id,The deployment identifier assigned by the vendor for a product deployment.
description,A human-readable unparsable description of the event.
url_back_to_product,A URL that takes the user to the source product console for this event.
ingestion_labels,User-configured ingestion metadata labels.
tags,"Tags added by Google Security Operations after an event is parsed. It is an error to
populate this field from within a parser."
enrichment_state,The enrichment state.
log_type,The string value of log type.
base_labels,Data access labels on the base event.
enrichment_labels,"Data access labels from all the contextual events used to enrich the base
event."
sent_bytes,The number of bytes sent.
received_bytes,The number of bytes received.
sent_packets,The number of packets sent.
received_packets,The number of packets received.
session_duration,"The duration of the session as the number of seconds and nanoseconds.
For seconds, network.session_duration.seconds, the type is a 64-bit
integer. For nanoseconds, network.session_duration.nanos, the type is a
32-bit integer."
session_id,The ID of the network session.
parent_session_id,The ID of the parent network session.
application_protocol_version,"The version of the application protocol. e.g. ""1.1, 2.0"""
community_id,Community ID network flow value.
direction,The direction of network traffic.
ip_protocol,The IP protocol.
application_protocol,The application protocol.
ftp,FTP info.
email,Email info for the sender/recipient.
dns,DNS info.
dhcp,DHCP info.
http,HTTP info.
tls,TLS info.
smtp,"SMTP info.
Store fields specific to SMTP not covered by Email."
asn,Autonomous system number.
dns_domain,DNS domain name.
carrier_name,Carrier identification.
organization_name,Organization name (e.g Google).
ip_subnet_range,Associated human-readable IP subnet range (e.g. 10.1.2.0/24).
hostname,"Client hostname or domain name field.
Hostname also doubles as the domain for remote entities."
domain,Information about the domain.
artifact,Information about an artifact.
url_metadata,Information about the URL.
asset_id,The asset ID.
user,Information about the user.
user_management_chain,"Information about the user's management chain (reporting hierarchy).
Note: user_management_chain is only populated when data is exported to
BigQuery since recursive fields (e.g. user.managers) are not supported by
BigQuery."
group,Information about the group.
process,Information about the process.
process_ancestors,"Information about the process's ancestors ordered from immediate ancestor
(parent process) to root.
Note: process_ancestors is only populated when data is exported to BigQuery

since recursive fields (e.g. process.parent_process) are not supported by
BigQuery."
asset,Information about the asset.
ip,A list of IP addresses associated with a network connection.
nat_ip,A list of NAT translated IP addresses associated with a network connection.
port,"Source or destination network port number when a specific network
connection is described within an event."
nat_port,"NAT external network port number when a specific network connection is
described within an event."
mac,List of MAC addresses associated with a device.
administrative_domain,"Domain which the device belongs to (for example, the Microsoft Windows
domain)."
namespace,"Namespace which the device belongs to, such as ""AD forest"".
Uses for this field include Microsoft Windows AD forest, the name of

subsidiary, or the name of acquisition."
URL,The URL.
file,Information about the file.
email,"Email address.
Only filled in for security_result.about"
registry,Registry information.
application,"The name of an application or service.
Some SSO solutions only capture the name of a target application
such as ""Atlassian"" or ""Google""."
platform,Platform.
platform_version,"Platform version. For example,
""Microsoft Windows 1803""."
platform_patch_level,"Platform patch level.
For example, ""Build 17134.48"""
cloud,"Cloud metadata.
Deprecated: cloud should be populated in entity Attribute as generic
metadata (e.g. asset.attribute.cloud)."
location,"Physical location. For cloud environments, set the region in
location.name."
ip_location,Deprecated: use ip_geo_artifact.location instead.
ip_geo_artifact,"Enriched geographic information corresponding to an IP address.
Specifically, location and network data."
resource,"Information about the resource (e.g. scheduled task, calendar entry).
This field should not be used for files, registry, or processes because
these objects are already part of Noun."
resource_ancestors,"Information about the resource's ancestors ordered from immediate ancestor
(starting with parent resource)."
labels,"Labels are key-value pairs.
For example: key = ""env"", value = ""prod"".
Deprecated: labels should be populated in entity Attribute as generic
metadata (e.g. user.attribute.labels)."
object_reference,Finding to which the Analyst updated the feedback.
investigation,Analyst feedback/investigation for alerts.
network,"Network details, including sub-messages with details on each protocol
(for example, DHCP, DNS, or HTTP)."
security_result,A list of security results.
about,"If the security result is about a specific entity (Noun), add it here."
category,The security category.
category_details,"For vendor-specific categories. For web categorization, put type in here

such as ""gambling"" or ""porn""."
threat_name,"A vendor-assigned classification common across multiple customers
(e.g. ""W32/File-A"", ""Slammer"")."
rule_set,"The result's rule set identifier.
(e.g. ""windows-threats"")"
rule_set_display_name,The curated detections rule set display name.
ruleset_category_display_name,"The curated detection rule set category display name.
(for example, if rule_set_display_name is ""CDIR SCC Enhanced Exfiltration"",
the rule_set_category is ""Cloud Threats"")."
rule_id,"A vendor-specific ID and name for a rule, varying by observerer type
(e.g. ""08123"", ""5d2b44d0-5ef6-40f5-a704-47d61d3babbe"")."
rule_name,"Name of the security rule
(e.g. ""BlockInboundToOracle"")."
rule_version,"Version of the security rule.
(e.g. ""v1.1"", ""00001"", ""1604709794"", ""2020-11-16T23:04:19+00:00"").
Note that rule versions are source-dependant and lexical ordering

should not be assumed."
rule_type,The type of security rule.
rule_author,Author of the security rule.
rule_labels,"A list of rule labels that can't be captured by the other fields
in security result
(e.g. ""reference : AnotherRule"", ""contributor : John"")."
alert_state,The alerting types of this security result.
detection_fields,"An ordered list of values, that represent fields in detections for a

security finding. This list represents mapping of names of requested
entities to their values (i.e. the security result matched variables) ."
outcomes,"A list of outcomes that represent the results of this security finding.
This list represents a mapping of names of the requested outcomes,
to their values."
summary,"A human readable summary (e.g. ""failed login occurred"")"
description,"A human readable description (e.g. ""user password was wrong"")"
action,Actions taken for this event.
action_details,The detail of the action taken as provided by the vendor.
severity,The severity of the result.
confidence,The confidence level of the result as estimated by the product.
priority,The priority of the result.
risk_score,The risk score of the security result.
confidence_score,The confidence score of the security result.
analytics_metadata,Stores metadata about each risk analytic metric the rule uses.
severity_details,Vendor-specific severity.
confidence_details,"Additional detail with regards to the confidence of a security event as
estimated by the product vendor."
priority_details,Vendor-specific information about the security result priority.
url_back_to_product,URL that takes the user to the source product console for this event.
threat_id,Vendor-specific ID for a threat.
threat_feed_name,Vendor feed name for a threat indicator feed.
threat_id_namespace,"The attribute threat_id_namespace qualifies threat_id with an ID namespace
to get an
unique ID. The attribute threat_id by itself is not unique across Google SecOps
as it is a vendor specific ID."
threat_status,Current status of the threat
attack_details,MITRE ATT&CK details.
first_discovered_time,First time the IoC threat was discovered in the provider.
associations,Associations related to the threat.
campaigns,Campaigns using this IOC threat.
verdict,"Verdict about the IoC from the provider.
This field is now deprecated. Use VerdictInfo instead."
last_updated_time,Last time the IoC threat was updated in the provider.
verdict_info,Verdict information about the IoC from the provider.
threat_verdict,GCTI threat verdict on the security result entity.
last_discovered_time,Last time the IoC was seen in the provider data.
analytic,Name of the analytic.
ip,IP address of the artifact.
prevalence,The prevalence of the artifact within the customer's environment.
first_seen_time,First seen timestamp of the IP in the customer's environment.
last_seen_time,Last seen timestamp of the IP address in the customer's environment.
location,Location of the Artifact's IP address.
network,Network information related to the Artifact's IP address.
as_owner,Owner of the Autonomous System to which the IP address belongs.
asn,Autonomous System Number to which the IP address belongs.
jarm,"The JARM hash for the IP address.
(https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a)."
last_https_certificate,SSL certificate information about the IP address.
last_https_certificate_date,Most recent date for the certificate in VirusTotal.
regional_internet_registry,"RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC)."
tags,Identification attributes
whois,WHOIS information as returned from the pertinent WHOIS server.
whois_date,Date of the last update of the WHOIS record in VirusTotal.
product_object_id,"A vendor-specific identifier to uniquely identify the entity (a GUID  or

similar)."
hostname,Asset hostname or domain name field.
asset_id,"The asset ID. Value must contain the ':' character. For example,
cs:abcdd23434."
ip,A list of IP addresses associated with an asset.
mac,List of MAC addresses associated with an asset.
nat_ip,List of NAT IP addresses associated with an asset.
first_seen_time,"The first observed time for an asset.
The value is calculated on the basis of the
first time the identifier was observed."
hardware,The asset hardware specifications.
platform_software,The asset operating system platform software.
software,The asset software details.
location,Location of the asset.
category,"The category of the asset (e.g. ""End User Asset"", ""Workstation"", ""Server"")."
type,The type of the asset (e.g. workstation or laptop or server).
network_domain,"The network domain of the asset (e.g. ""corp.acme.com"")"
creation_time,"Time the asset was created or provisioned.
Deprecate: creation_time should be populated in Attribute as generic
metadata."
first_discover_time,"Time the asset was first discovered (by asset management/discoverability

software)."
last_discover_time,"Time the asset was last discovered (by asset management/discoverability

software)."
system_last_update_time,"Time the asset system or OS was last updated.
For all other operations that are not system updates (such as resizing a
VM), use Attribute.last_update_time."
last_boot_time,Time the asset was last boot started.
labels,"Metadata labels for the asset.
Deprecated: labels should be populated in Attribute as generic metadata."
deployment_status,The deployment status of the asset for device lifecycle purposes.
vulnerabilities,Vulnerabilities discovered on asset.
attribute,Generic entity metadata attributes of the asset.
version,ATT&CK version (e.g. 12.1).
tactics,Tactics employed.
techniques,Techniques employed.
id,"Tactic ID (e.g. ""TA0043"")."
name,"Tactic Name (e.g. ""Reconnaissance"")"
id,"Technique ID (e.g. ""T1595"")."
name,"Technique Name (e.g. ""Active Scanning"")."
subtechnique_id,"Subtechnique ID (e.g. ""T1595.001"")."
subtechnique_name,"Subtechnique Name (e.g. ""Scanning IP Blocks"")."
cloud,"Cloud metadata attributes such as project ID, account ID, or organizational
hierarchy."
labels,"Set of labels for the entity. Should only be used for product labels (for
example, Google Cloud resource labels or Azure AD sensitivity labels.
Should not be used for arbitrary key-value mappings."
permissions,"System permissions for IAM entity
(human principal, service account, group)."
roles,"System IAM roles to be assumed by resources to use the role's permissions
for access control."
creation_time,Time the resource or entity was created or provisioned.
last_update_time,Time the resource or entity was last updated.
type,The type of authentication.
mechanism,The authentication mechanism.
auth_details,The vendor defined details of the authentication.
version,Certificate version.
serial,Certificate serial number.
subject,Subject of the certificate.
issuer,Issuer of the certificate.
md5,"The MD5 hash of the certificate, as a hex-encoded string."
sha1,"The SHA1 hash of the certificate, as a hex-encoded string."
sha256,"The SHA256 hash of the certificate, as a hex-encoded string."
not_before,Indicates when the certificate is first valid.
not_after,Indicates when the certificate is no longer valid.
environment,The Cloud environment.
vpc,"The cloud environment VPC.
Deprecated."
project,"The cloud environment project information.
Deprecated: Use Resource.resource_ancestors"
availability_zone,"The cloud environment availability zone (different from region which is
location.name)."
type,Type.
value,Value.
ttl,Time to live.
priority,Priority.
retry,Retry.
refresh,Refresh.
minimum,Minimum.
expire,Expire.
serial,Serial.
rname,Rname.
opcode,The BOOTP op code.
htype,Hardware address type.
hlen,Hardware address length.
hops,Hardware ops.
transaction_id,Transaction ID.
seconds,Seconds elapsed since client began address acquisition/renewal process.
flags,Flags.
ciaddr,Client IP address (ciaddr).
yiaddr,Your IP address (yiaddr).
siaddr,IP address of the next bootstrap server.
giaddr,Relay agent IP address (giaddr).
chaddr,Client hardware address (chaddr).
sname,Server name that the client wishes to boot from.
file,Boot image filename.
options,List of DHCP options.
type,DHCP message type.
lease_time_seconds,"Lease time in seconds. See RFC2132, section 9.2."
client_hostname,"Client hostname. See RFC2132, section 3.14."
client_identifier,"Client identifier. See RFC2132, section 9.14."
requested_address,"Requested IP address. See RFC2132, section 9.1."
code,Code. See RFC1533.
data,Data.
id,DNS query id.
response,Set to true if the event is a DNS response. See QR field from RFC1035.
opcode,"The DNS OpCode used to specify the type of DNS query
(for example, QUERY, IQUERY, or STATUS)."
authoritative,"Other DNS header flags. See RFC1035, section 4.1.1."
truncated,Whether the DNS response was truncated.
recursion_desired,Whether a recursive DNS lookup is desired.
recursion_available,Whether a recursive DNS lookup is available.
response_code,Response code. See RCODE from RFC1035.
questions,A list of domain protocol message questions.
answers,A list of answers to the domain name query.
authority,"A list of domain name servers which verified the answers to the domain name
queries."
additional,"A list of additional domain name servers that can be used to verify the
answer to the domain."
name,The domain name.
type,The code specifying the type of the query.
class,The code specifying the class of the query.
prevalence,The prevalence of the domain within the customer's environment.
name,The name of the owner of the resource record.
type,The code specifying the type of the resource record.
class,The code specifying the class of the resource record.
ttl,"The time interval for which the resource record can be cached before the

source of the information should again be queried."
data,"The payload or response to the DNS question for all responses encoded in
UTF-8 format"
binary_data,"The raw bytes of any non-UTF8 strings that might be included as part of a
DNS response."
name,The domain name.
prevalence,The prevalence of the domain within the customer's environment.
first_seen_time,First seen timestamp of the domain in the customer's environment.
last_seen_time,Last seen timestamp of the domain in the customer's environment.
registrar,"Registrar name . FOr example, ""Wild West Domains, Inc. (R120-LROR)"",
""GoDaddy.com, LLC"", or ""PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM""."
contact_email,Contact email address.
whois_server,Whois server name.
name_server,Repeated list of name servers.
creation_time,Domain creation time.
update_time,Last updated time.
expiration_time,Expiration time.
audit_update_time,Audit updated time.
status,"Domain status. See
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
for meanings of possible values"
registrant,Parsed contact information for the registrant of the domain.
admin,Parsed contact information for the administrative contact for the domain.
tech,Parsed contact information for the technical contact for the domain
billing,Parsed contact information for the billing contact of the domain.
zone,Parsed contact information for the zone.
whois_record_raw_text,WHOIS raw text.
registry_data_raw_text,Registry Data raw text.
iana_registrar_id,"IANA Registrar ID.  See
https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml"
private_registration,"Indicates whether the domain appears to be using a private registration

service to mask the owner's contact information."
categories,Categories assign to the domain as retrieved from VirusTotal.
favicon,Includes difference hash and MD5 hash of the domain's favicon.
jarm,Domain's JARM hash.
last_dns_records,Domain's DNS records from the last scan.
last_dns_records_time,Date when the DNS records list was retrieved by VirusTotal.
last_https_certificate,SSL certificate object retrieved last time the domain was analyzed.
last_https_certificate_time,When the certificate was retrieved by VirusTotal.
popularity_ranks,"Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo,
etc"
tags,List of representative attributes.
whois_time,Date of the last update of the WHOIS record.
from,The 'from' address.
reply_to,The 'reply to' address.
to,A list of 'to' addresses.
cc,A list of 'cc' addresses.
bcc,A list of 'bcc' addresses.
mail_id,The mail (or message) ID.
subject,The subject line(s) of the email.
bounce_address,"The envelope from address.
https://en.wikipedia.org/wiki/Bounce_address"
raw_md5,Favicon's MD5 hash.
dhash,Difference hash.
sha256,"The SHA256 hash of the file, as a hex-encoded string."
md5,"The MD5 hash of the file, as a hex-encoded string."
sha1,"The SHA1 hash of the file, as a hex-encoded string."
size,The size of the file in bytes.
full_path,The full path identifying the location of the file on the system.
mime_type,"The MIME (Multipurpose Internet Mail Extensions) type of the file,
for example ""PE"", ""PDF"", or ""powershell script""."
file_metadata,"Metadata associated with the file.
Deprecate FileMetadata in favor of using fields in File."
security_result,"Google Cloud Threat Intelligence (GCTI) security result for the file
including threat context and detection metadata."
pe_file,Metadata about the Portable Executable (PE) file.
ssdeep,Ssdeep of the file
vhash,Vhash of the file.
ahash,Deprecated. Use authentihash instead.
authentihash,Authentihash of the file.
file_type,FileType field.
capabilities_tags,Capabilities tags.
names,Names fields.
tags,Tags for the file.
last_modification_time,Timestamp when the file was last updated.
prevalence,Prevalence of the file hash in the customer's environment.
first_seen_time,Timestamp the file was first seen in the customer's environment.
last_seen_time,Timestamp the file was last seen in the customer's environment.
stat_mode,"The mode of the file. A bit string indicating the permissions and
privileges of the file."
stat_inode,The file identifier. Unique identifier of object within a file system.
stat_dev,The file system identifier to which the object belongs.
stat_nlink,Number of links to file.
stat_flags,User defined flags for file.
last_analysis_time,Timestamp the file was last analysed.
embedded_urls,Embedded URLs found in the file.
embedded_domains,Embedded domains found in the file.
embedded_ips,Embedded IP addresses found in the file.
exif_info,Exif metadata from different file formats extracted by exiftool.
signature_info,File signature information extracted from different tools.
pdf_info,Information about the PDF file structure.
first_submission_time,First submission time of the file.
last_submission_time,Last submission time of the file.
main_icon,Icon's relevant hashes.
id,Code sign identifier.
format,Code sign format.
compilation_time,Code sign timestamp
imphash,Imphash of the file.
entry_point,info.pe-entry-point.
entry_point_exiftool,info.exiftool.EntryPoint.
compilation_time,info.pe-timestamp.
compilation_exiftool_time,info.exiftool.TimeStamp.
section,FilemetadataSection fields.
imports,FilemetadataImports fields.
resource,FilemetadataPeResourceInfo fields.
resources_type_count,Deprecated: use resources_type_count_str.
resources_language_count,Deprecated: use resources_language_count_str.
resources_type_count_str,"Number of resources by resource type.
Example: RT_ICON: 10, RT_DIALOG: 5"
resources_language_count_str,"Number of resources by language.
Example: NEUTRAL: 20, ENGLISH US: 10"
signature_info,"FilemetadataSignatureInfo field.
deprecated, user File.signature_info instead."
verification_message,"Status of the certificate.
Valid values are ""Signed"", ""Unsigned"" or a description of the certificate
anomaly, if found."
verified,"True if verification_message == ""Signed"""
signer,Deprecated: use signers field.
signers,"File metadata signer information.
The order of the signers matters. Each element is a higher level
authority, being the last the root authority."
x509,List of certificates.
command,The FTP command.
product_object_id,"Product globally unique user object identifier, such as an LDAP Object
Identifier."
creation_time,"Group creation time.
Deprecated: creation_time should be populated in Attribute as generic
metadata."
group_display_name,"Group display name. e.g. ""Finance""."
attribute,Generic entity metadata attributes of the group.
email_addresses,Email addresses of the group.
windows_sid,Microsoft Windows SID of the group.
serial_number,Hardware serial number.
manufacturer,Hardware manufacturer.
model,Hardware model.
cpu_platform,"Platform of the hardware CPU (e.g. ""Intel Broadwell"")."
cpu_model,"Model description of the hardware CPU
(e.g. ""2.8 GHz Quad-Core Intel Core i5"")."
cpu_clock_speed,Clock speed of the hardware CPU in MHz.
cpu_max_clock_speed,Maximum possible clock speed of the hardware CPU in MHz.
cpu_number_cores,Number of CPU cores.
ram,Amount of the hardware ramdom access memory (RAM) in Mb.
method,"The HTTP request method
(e.g. ""GET"", ""POST"", ""PATCH"", ""DELETE"")."
referral_url,The URL for the HTTP referer.
user_agent,"The User-Agent request header which includes the application type,
operating system, software vendor or software version of the requesting

software user agent."
response_code,"The response status code, for example
200, 302, 404, or 500."
parsed_user_agent,The parsed user_agent string.
verdict,Describes reason a finding investigation was resolved.
reputation,Describes whether a finding was useful or not-useful.
severity_score,Severity score for a finding set by an analyst.
status,Describes the workflow status of a finding.
comments,Comment added by the Analyst.
priority,Priority of the Alert or Finding set by analyst.
root_cause,Root cause of the Alert or Finding set by analyst.
reason,Reason for closing the Case or Alert.
risk_score,Risk score for a finding set by an analyst.
key,The key.
value,The value.
rbac_enabled,Indicates whether this label can be used for Data RBAC
city,The city.
state,The state.
country_or_region,The country or region.
name,"Custom location name (e.g. building or site name like ""London Office"").
For cloud environments, this is the region (e.g. ""us-west2"")."
desk_name,"Desk name or individual location, typically for an employee in an
office.
(e.g. ""IN-BLR-BCPC-11-1121D"")."
floor_name,"Floor name, number or a combination of the two for a building.
(e.g. ""1-A"")."
region_latitude,Deprecated: use region_coordinates.
region_longitude,Deprecated: use region_coordinates.
region_coordinates,"Coordinates for the associated region.
See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng
for a description of the fields."
js,"Number of /JS tags found in the PDF file. Should be the same as
javascript field in normal scenarios."
javascript,"Number of /JavaScript tags found in the PDF file. Should be the same as
the js field in normal scenarios."
launch_action_count,Number of /Launch tags found in the PDF file.
object_stream_count,Number of object streams.
endobj_count,Number of object definitions (endobj keyword).
header,PDF version.
acroform,Number of /AcroForm tags found in the PDF.
autoaction,Number of /AA tags found in the PDF.
embedded_file,Number of /EmbeddedFile tags found in the PDF.
encrypted,"Whether the document is encrypted or not. This is defined by the /Encrypt
tag."
flash,Number of /RichMedia tags found in the PDF.
jbig2_compression,Number of /JBIG2Decode tags found in the PDF.
obj_count,Number of objects definitions (obj keyword).
endstream_count,Number of defined stream objects (stream keyword).
page_count,Number of pages in the PDF.
stream_count,Number of defined stream objects (stream keyword).
openaction,Number of /OpenAction tags found in the PDF.
startxref,Number of startxref keywords in the PDF.
suspicious_colors,Number of colors expressed with more than 3 bytes (CVE-2009-3459).
trailer,Number of trailer keywords in the PDF.
xfa,Number of \XFA tags found in the PDF.
xref,Number of xref keywords in the PDF.
import_hash,Hash of PE imports.
name,Name of the permission (e.g. chronicle.analyst.updateRule).
description,Description of the permission (e.g. 'Ability to update detect rules').
type,Type of the permission.
platform,The platform operating system.
platform_version,"The platform software version (
e.g. ""Microsoft Windows 1803"")."
platform_patch_level,"The platform software patch level (
e.g. ""Build 17134.48"", ""SP1"")."
giver,Name of the rank serial number hexdump.
rank,Rank position.
ingestion_time,Timestamp when the rank was ingested.
rolling_max,"The maximum number of assets per day accessing the resource over the
trailing day_count days."
day_count,The number of days over which rolling_max is calculated.
rolling_max_sub_domains,"The maximum number of assets per day accessing the domain along with

sub-domains over the trailing day_count days. This field is only valid for
domains."
day_max,The max prevalence score in a day interval window.
day_max_sub_domains,"The max prevalence score in a day interval window across sub-domains. This
field is only valid for domains."
pid,The process ID.
parent_pid,"The ID of the parent process.
Deprecated: use parent_process.pid instead."
parent_process,Information about the parent process.
file,Information about the file in use by the process.
command_line,The command line command that created the process.
command_line_history,The command line history of the process.
product_specific_process_id,A product specific process id.
access_mask,A bit mask representing the level of access.
integrity_level_rid,The Microsoft Windows integrity level relative ID (RID) of the process.
token_elevation_type,"The elevation type of the process on Microsoft Windows. This determines if
any privileges are removed when UAC is enabled."
product_specific_parent_process_id,"A product specific id for the parent process.
Please use parent_process.product_specific_process_id instead."
registry_key,"Registry key associated with an application or system component
(e.g., HKEY_, HKCU\Environment...)."
registry_value_name,"Name of the registry value associated with an application or system
component (e.g. TEMP)."
registry_value_data,"Data associated with a registry value
(e.g. %USERPROFILE%\Local Settings\Temp)."
type,Deprecated: use resource_type instead.
resource_type,Resource type.
resource_subtype,"Resource sub-type (e.g. ""BigQuery"", ""Bigtable"")."
id,Deprecated: Use resource.name or resource.product_object_id.
name,"The full name of the resource. For example,
Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123,
and AWS: arn:aws:iam::123456789012:user/johndoe."
parent,"The parent of the resource.
For a database table, the parent is the database. For a storage object,
the bucket name.  Deprecated: use resource_ancestors.name."
product_object_id,"A vendor-specific identifier to uniquely identify the entity (a GUID,
OID, or similar)"
attribute,Generic entity metadata attributes of the resource.
name,System role name for user.
description,System role description for user.
type,System role type for well known roles.
cert_signature,Certificate's signature and algorithm.
extension,(DEPRECATED) certificate's extension.
cert_extensions,Certificate's extensions.
first_seen_time,Date the certificate was first retrieved by VirusTotal.
issuer,Certificate's issuer data.
ec,EC public key information.
serial_number,Certificate's serial number hexdump.
signature_algorithm,"Algorithm used for the signature (for example, ""sha1RSA"")."
size,Certificate content length.
subject,Certificate's subject data.
thumbprint,Certificate's content SHA1 hash.
thumbprint_sha256,Certificate's content SHA256 hash.
validity,Certificate's validity period.
version,"Certificate version (typically ""V1"", ""V2"" or ""V3"")."
keyid,Key hexdump.
serial_number,Serial number hexdump.
signature,Signature.
signature_algorithm,Algorithm.
p,p component hexdump.
q,q component hexdump.
g,g component hexdump.
pub,Public key hexdump.
oid,Curve name.
pub,Public key hexdump.
ca,Whether the subject acts as a certificate authority (CA) or not.
subject_key_id,Identifies the public key being certified.
authority_key_id,"Identifies the public key to be used to verify the signature on this
certificate or CRL."
key_usage,The purpose for which the certified public key is used.
ca_info_access,"Authority information access locations are URLs that are added to a
certificate in its authority information access extension."
crl_distribution_points,"CRL distribution points to which a certificate user should refer to
ascertain if the certificate has been revoked."
extended_key_usage,"One or more purposes for which the certified public key may be used, in
addition to or in place of the basic purposes indicated in the key usage
extension field."
subject_alternative_name,"Contains one or more alternative names, using any of a variety of name
forms, for the entity that is bound by the CA to the certified public
key."
certificate_policies,"Different certificate policies will relate to different applications
which may use the certified key."
netscape_cert_comment,Used to include free-form text comments inside certificates.
cert_template_name_dc,"BMP data value ""DomainController"". See MS Q291010."
netscape_certificate,"Identify whether the certificate subject is an SSL client, an SSL server,
or a CA."
pe_logotype,Whether the certificate includes a logotype.
old_authority_key_id,Whether the certificate has an old authority key identifier extension.
algorithm,"Any of ""RSA"", ""DSA"" or ""EC"". Indicates the algorithm used to generate the
certificate."
rsa,RSA public key information.
key_size,Key size.
modulus,Key modulus hexdump.
exponent,Key exponent hexdump.
country_name,C: Country name.
common_name,CN: CommonName.
locality,L: Locality.
organization,O: Organization.
organizational_unit,OU: OrganizationalUnit.
state_or_province_name,ST: StateOrProvinceName.
expiry_time,Expiry date.
issue_time,Issue date.
confidence_score,Confidence score of the verdict.
verdict_time,Timestamp at which the verdict was generated.
verdict_response,Details of the verdict.
id,Unique association id generated by mandiant.
country_code,Country from which the threat actor/ malware is originated.
type,Signifies the type of association.
name,Name of the threat actor/malware.
description,Human readable description about the association.
role,Role of the malware. Not applicable for threat actor.
source_country,Name of the country the threat originated from.
alias,Different aliases of the threat actor given by different sources.
first_reference_time,First time the threat actor was referenced or seen.
last_reference_time,Last time the threat actor was referenced or seen.
industries_affected,List of industries the threat actor affects.
associated_actors,"List of associated threat actors for a malware. Not applicable for threat
actors."
region_code,"Name of the country, the threat is originating from."
sponsor_region,Sponsor region of the threat actor.
targeted_regions,Targeted regions.
tags,Tags.
name,Name of the alias.
company,Name of the provider who gave the association's name.
ioc_stats_type,Describes the source of the IoCStat.
first_level_source,"Name of first level IoC source, for example Mandiant or a third-party."
second_level_source,"Name of the second-level IoC source, for example Crowdsourced Threat
Analysis or Knowledge Graph."
benign_count,Count of responses where the IoC was identified as benign.
quality,Level of confidence in the IoC mapping extracted from the source.
malicious_count,Count of responses where the IoC was identified as malicious.
response_count,Total number of response from the source.
source_count,Number of sources from which information was extracted.
source_provider,Source provider giving the ML verdict.
benign_count,Count of responses where this IoC was marked benign.
malicious_count,Count of responses where this IoC was marked malicious.
confidence_score,Confidence score of the verdict.
mandiant_sources,List of mandiant sources from which the verdict was generated.
third_party_sources,List of third-party sources from which the verdict was generated.
name,Name of the IoC source.
benign_count,Count of responses where this IoC was marked benign.
malicious_count,Count of responses where this IoC was marked malicious.
quality,Quality of the IoC mapping extracted from the source.
response_count,Total response count from this source.
source_count,Number of sources from which intelligence was extracted.
threat_intelligence_sources,Different threat intelligence sources from which IoC info was extracted.
source_count,Number of sources from which intelligence was extracted.
response_count,Total response count across all sources.
neighbour_influence,Describes the neighbour influence of the verdict.
verdict,ML Verdict provided by sources like Mandiant.
analyst_verdict,Human analyst verdict provided by sources like Mandiant.
source_count,Number of sources from which intelligence was extracted.
response_count,Total response count across all sources.
neighbour_influence,Describes the near neighbor influence of the verdict.
verdict_type,Type of verdict.
source_provider,Source provider giving the machine learning verdict.
benign_count,Count of responses where this IoC was marked as benign.
malicious_count,Count of responses where this IoC was marked as malicious.
confidence_score,Confidence score of the verdict.
ioc_stats,List of IoCStats from which the verdict was generated.
verdict_time,Timestamp when the verdict was generated.
verdict_response,Details about the verdict.
global_customer_count,Global customer count over the last 30 days
global_hits_count,Global hit count over the last 30 days.
pwn,"Whether one or more Mandiant incident response customers had this
indicator in their environment."
category_details,Tags related to the verdict.
pwn_first_tagged_time,The timestamp of the first time a pwn was associated to this entity.
sigcheck,Signature information extracted from the sigcheck tool.
codesign,Signature information extracted from the codesign utility.
name,"Common name of the signers/certificate.
The order of the signers matters. Each element is a higher level
authority, the last being the root authority."
status,"It can say ""Valid"" or state the problem with the certificate if any (e.g.
""This certificate or one of the certificates in the certificate chain is
not time valid."")."
valid_usage,"Indicates which situations the certificate is valid for (e.g. ""Code
Signing"")."
cert_issuer,Company that issued the certificate.
helo,The client's 'HELO'/'EHLO' string.
mail_from,The client's 'MAIL FROM' string.
rcpt_to,The client's 'RCPT TO' string(s).
server_response,The server's response(s) to the client.
message_path,The message's path (extracted from the headers).
is_webmail,If the message was sent via a webmail client.
is_tls,If the connection switched to TLS.
name,The name of the software.
version,The version of the software.
permissions,"System permissions granted to the software.
For example, ""android.permission.WRITE_EXTERNAL_STORAGE"""
description,The description of the software.
vendor_name,The name of the software vendor.
tenant_id,A list of subtenant ids that this event belongs to.
data_tap_config_name,A list of sink name values defined in DataTap configurations.
interval,Interval duration of the leave.
description,Description of the leave if available (e.g. 'Vacation').
client,Certificate information for the client certificate.
server,Certificate information for the server certificate.
cipher,Cipher used during the connection.
curve,Elliptical curve used for a given cipher.
version,TLS version.
version_protocol,Protocol.
established,Indicates whether the TLS negotiation was successful.
next_protocol,Protocol to be used for tunnel.
resumed,"Indicates whether the TLS connection was resumed from a previous
TLS negotiation."
certificate,Client certificate.
ja3,"JA3 hash from the TLS ClientHello, as a hex-encoded string."
server_name,"Host name of the server, that the client is connecting to."
supported_ciphers,Ciphers supported by the client during client hello.
certificate,Server certificate.
ja3s,"JA3 hash from the TLS ServerHello, as a hex-encoded string."
tracker,Tracker name.
id,"Tracker ID, if available."
timestamp,Tracker ingestion date.
URL,Tracker script URL.
URL,URL.
categories,Categorisation done by VirusTotal partners.
favicon,Difference hash and MD5 hash of the URL's.
html_meta,Meta tags (only for URLs downloading HTML).
last_final_url,"If the original URL redirects, where does it end."
last_http_response_code,HTTP response code of the last response.
last_http_response_content_length,Length in bytes of the content received.
last_http_response_content_sha256,URL response body's SHA256 hash.
last_http_response_cookies,Website's cookies.
last_http_response_headers,Headers and values of the last HTTP response.
tags,Tags.
title,Webpage title.
trackers,Trackers found in the URL in a historical manner.
product_object_id,"A vendor-specific identifier to uniquely identify the entity (e.g. a GUID,
LDAP, OID, or similar)."
userid,The ID of the user.
user_display_name,"The display name of the user
(e.g. ""John Locke"")."
first_name,"First name of the user (e.g. ""John"")."
middle_name,Middle name of the user.
last_name,"Last name of the user (e.g. ""Locke"")."
phone_numbers,Phone numbers for the user.
personal_address,Personal address of the user.
attribute,Generic entity metadata attributes of the user.
first_seen_time,"The first observed time for a user.
The value is calculated on the basis of the
first time the identifier was observed."
account_type,"Type of user account (for example, service, domain, or cloud). This is

somewhat aligned to: https://attack.mitre.org/techniques/T1078/"
groupid,"The ID of the group that the user belongs to.
Deprecated in favor of the repeated group_identifiers field."
group_identifiers,"Product object identifiers of the group(s) the user belongs to
A vendor-specific identifier to uniquely identify the group(s) the user
belongs to (a GUID, LDAP OID, or similar)."
windows_sid,The Microsoft Windows SID of the user.
email_addresses,Email addresses of the user.
employee_id,Human capital management identifier.
title,User job title.
company_name,User job company name.
department,User job department
office_address,User job office location.
managers,User job manager(s).
hire_date,User job employment hire date.
termination_date,User job employment termination date.
time_off,User time off leaves from active work.
last_login_time,User last login timestamp.
last_password_change_time,User last password change timestamp.
password_expiration_time,User password expiration timestamp.
account_expiration_time,User account expiration timestamp.
account_lockout_time,User account lockout timestamp.
last_bad_password_attempt_time,User last bad password attempt timestamp.
user_authentication_status,System authentication status for user.
role_name,"System role name for user.
Deprecated: use attribute.roles."
role_description,"System role description for user.
Deprecated: use attribute.roles."
user_role,"System role for user.
Deprecated: use attribute.roles."
vulnerabilities,A list of vulnerabilities.
about,"If the vulnerability is about a specific noun (e.g. executable),
then add it here."
name,"Name of the vulnerability (e.g. ""Unsupported OS Version detected"")."
description,Description of the vulnerability.
vendor,Vendor of scan that discovered vulnerability.
scan_start_time,"If the vulnerability was discovered during an asset scan, then this
field should be populated with the time the scan started.
This field can be left unset if the start time is not available or not
applicable."
scan_end_time,"If the vulnerability was discovered during an asset scan, then this field

should be populated with the time the scan ended.
This field can be left unset if the end time is not available or not
applicable."
first_found,"Products that maintain a history of vuln scans should populate first_found
with the time that a scan first detected the vulnerability on this asset."
last_found,"Products that maintain a history of vuln scans should populate last_found
with the time that a scan last detected the vulnerability on this asset."
severity,The severity of the vulnerability.
severity_details,Vendor-specific severity
cvss_base_score,"CVSS Base Score in the range of 0.0 to 10.0.
Useful for sorting."
cvss_vector,"Vector of CVSS properties (e.g. ""AV:L/AC:H/Au:N/C:N/I:P/A:C"")
Can be linked to via:

https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator"
cvss_version,Version of CVSS Vector/Score.
cve_id,"Common Vulnerabilities and Exposures Id.
https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
https://cve.mitre.org/about/faqs.html#what_is_cve_id"
cve_description,"Common Vulnerabilities and Exposures Description.
https://cve.mitre.org/about/faqs.html#what_is_cve_record"
vendor_vulnerability_id,Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
vendor_knowledge_base_article_id,"Vendor specific knowledge base article (e.g. ""KBXXXXXX"" from Microsoft).
https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base
https://access.redhat.com/knowledgebase"
name,Certificate name.
algorithm,Certificate algorithm.
thumbprint,Certificate thumbprint.
cert_issuer,Issuer of the certificate.
serial_number,Certificate serial number.