An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event records that user 'abc@example.corp' launched process 'shady.exe'. The event does not include the information that this user is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add that context.
| JSON representation |
|---|
| `{ "metadata": { object (` |

| Fields | |
|---|---|
| `metadata` | Entity metadata such as timestamp, product, etc. |
| `entity` | Noun in the UDM event that this entity represents. |
| `relations[]` | One or more relationships between the entity (a) and other entities, including the relationship type and the related entity. |
| `additional` | Important entity data that cannot be adequately represented within the formal sections of the Entity. |
| `metric` | Stores statistical metrics about the entity. Used if `metadata.entity_type` is `METRIC`. |
| `risk_score` | Stores information related to the entity's risk score. |
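The following is an added example, not code from this page or from Google SecOps, showing how the fields above fit together: it builds a USER entity for the terminated employee from the introduction, gives it an ADMINISTERS relation to the finance server, and joins a PROCESS_LAUNCH event to that entity by the principal's email address. The enum values (entity_type USER/ASSET, relationship ADMINISTERS, direction UNIDIRECTIONAL, source_type ENTITY_CONTEXT), the Noun fields `user.email_addresses`, `user.termination_date` and `asset.hostname`, and the event shape are assumed to match UDM; all identifiers, hostnames and timestamps are constructed.

```python
"""Build a UDM-style Entity and use it to add context to a PROCESS_LAUNCH event.

Added example; not code from the reference page or from Google SecOps. Enum
values, Noun field names and the event layout are assumptions; the sample
data is constructed.
"""
import re
from datetime import datetime, timezone


def to_z_timestamp(ts: str) -> str:
    """Normalize an RFC 3339 timestamp with any offset to the 'Z' form.

    The reference says generated output is always Z-normalized with 0, 3, 6 or 9
    fractional digits while any offset is accepted on input. Python's datetime
    carries microseconds, so digits past six are truncated here and the output
    uses 0, 3 or 6 digits.
    """
    if ts[-1] in ("Z", "z"):
        ts = ts[:-1] + "+00:00"
    # Pad or truncate the fractional part to exactly 6 digits so fromisoformat
    # accepts it on every Python version (it rejects odd digit counts before 3.11).
    ts = re.sub(r"\.(\d+)", lambda m: "." + m.group(1)[:6].ljust(6, "0"), ts)
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"RFC 3339 timestamp needs an offset: {ts!r}")
    dt = dt.astimezone(timezone.utc)
    base = dt.strftime("%Y-%m-%dT%H:%M:%S")
    if dt.microsecond == 0:
        return base + "Z"
    if dt.microsecond % 1000 == 0:
        return f"{base}.{dt.microsecond // 1000:03d}Z"
    return f"{base}.{dt.microsecond:06d}Z"


def user_entity(email, collected, terminated, admin_of):
    """Return an Entity dict for a user who administers the assets in admin_of."""
    relations = [
        {
            "entity": {"asset": {"hostname": host}},   # entity (b)
            "entity_type": "ASSET",                     # assumed enum value
            "relationship": "ADMINISTERS",              # assumed enum value
            "direction": "UNIDIRECTIONAL",              # (a) administers (b)
        }
        for host in admin_of
    ]
    uid = email.split("@")[0]
    return {
        "metadata": {
            # constructed LDAP-style identifier, unique within the source product
            "product_entity_id": f"ldap:uid={uid},ou=people,dc=example,dc=corp",
            "collected_timestamp": to_z_timestamp(collected),
            "vendor_name": "Example Corp",
            "product_name": "HR directory export",
            "entity_type": "USER",
            "description": "Recently terminated employee",
            "source_type": "ENTITY_CONTEXT",            # assumed enum value
        },
        "entity": {
            "user": {
                "email_addresses": [email],
                "termination_date": to_z_timestamp(terminated),
            }
        },
        "relations": relations,
    }


def index_by_email(entities):
    """Map lower-cased email address -> entity, for joining events to context."""
    index = {}
    for ent in entities:
        for email in ent["entity"].get("user", {}).get("email_addresses", []):
            index[email.lower()] = ent
    return index


def enrich(event, index):
    """Return the event plus the context the entity store holds for its principal user."""
    emails = event.get("principal", {}).get("user", {}).get("email_addresses", [])
    for email in emails:
        ent = index.get(email.lower())
        if ent is None:
            continue
        administers = [
            r["entity"]["asset"]["hostname"]
            for r in ent.get("relations", [])
            if r.get("relationship") == "ADMINISTERS" and "asset" in r["entity"]
        ]
        context = {
            "description": ent["metadata"].get("description"),
            "termination_date": ent["entity"]["user"].get("termination_date"),
            "administers": administers,
        }
        return {**event, "entity_context": context}
    return {**event, "entity_context": None}


# Constructed PROCESS_LAUNCH event, reduced to the fields used here.
EVENT = {
    "metadata": {"event_type": "PROCESS_LAUNCH"},
    "principal": {"user": {"email_addresses": ["abc@example.corp"]}},
    "target": {"process": {"file": {"full_path": "C:\\Users\\abc\\shady.exe"}}},
}

if __name__ == "__main__":
    ent = user_entity("abc@example.corp", "2024-03-01T10:00:00+05:30",
                      "2024-02-28T17:00:00Z", ["fin-db-01"])
    print(enrich(EVENT, index_by_email([ent]))["entity_context"])
```

The join key is the lower-cased email address because that is the one value the event and the entity share; in practice you would also match on `principal.user.userid` or `product_object_id` when the feed provides them, since email addresses can be reassigned after an account is closed.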
EntityMetadata
Information about the Entity and the product where the entity was created.
| JSON representation |
|---|
| `{ "product_entity_id": string, "collected_timestamp": string, "creation_timestamp": string, "interval": { object (` |

| Fields | |
|---|---|
| `product_entity_id` | A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP DN, OID, or similar). |
| `collected_timestamp` | GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `creation_timestamp` | GMT timestamp when the entity described by `product_entity_id` was created on the system where data was collected. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `interval` | Valid existence time range for the version of the entity represented by this entity data. |
| `vendor_name` | Vendor name of the product that produced the entity information. |
| `product_name` | Name of the product that produced the entity information. |
| `feed` | Vendor feed name for a threat indicator feed. |
| `product_version` | Version of the product that produced the entity information. |
| `entity_type` | Entity type. If an entity has multiple possible types, this specifies the most specific type. |
| `description` | Human-readable description of the entity. |
| `threat[]` | Metadata provided by a threat intelligence feed that identified the entity as malicious. |
| `source_type` | The source of the entity. |
| `source_labels[]` | Entity source metadata labels. |
| `event_metadata` | Metadata field from the event. |
| `structured_fields` | Structured fields extracted from the log. |
| `extracted` | Flattened fields extracted from the log. |
Relation
Defines the relationship between the entity (a) and another entity (b).
| JSON representation |
|---|
| `{ "entity": { object (` |

| Fields | |
|---|---|
| `entity` | Entity (b) that the primary entity (a) is related to. |
| `entity_type` | Type of the related entity (b) in this relationship. |
| `relationship` | Type of relationship. |
| `direction` | Directionality of the relationship between the primary entity (a) and the related entity (b). |
| `uid` | UID of the relationship. A base64-encoded string. |
| `entity_label` | Label to identify the Noun of the relation. |
Metric
Stores precomputed aggregated analytic data for an entity.
| JSON representation |
|---|
| `{ "first_seen": string, "last_seen": string, "sum_measure": { object (` |

| Fields | |
|---|---|
| `first_seen` | Timestamp of the first time the entity was seen in the environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `last_seen` | Timestamp of the last time the entity was seen in the environment. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `sum_measure` | Sum of all precomputed measures for the given metric. |
| `total_events` | Total number of events used to calculate the given precomputed metric. |
| `metric_name` | Name of the analytic. |
| `dimensions[]` | All group-by clauses used to calculate the metric. |
| `export_window` | Export window for which the metric was exported. |
Measure
Describes the precomputed measure.
| JSON representation |
|---|
| `{ "value": number, "aggregate_function": enum (` |

| Fields | |
|---|---|
| `value` | Value of the aggregated measure. |
| `aggregate_function` | Function used to calculate the aggregated measure. |
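The following is an added example, not code from this page or from Google SecOps, showing how the Metric and Measure fields above are produced from raw events: it groups a constructed sample of outbound-bytes events by hostname inside an export window, fills `first_seen`, `last_seen`, `sum_measure`, `total_events`, `metric_name`, `dimensions` and `export_window` for each entity, and then uses the resulting per-event mean as a baseline to flag an unusually large transfer. The aggregate_function value `SUM`, the `start_time`/`end_time` names inside `export_window`, and the dimension name `principal.hostname` are assumptions; the hostnames, byte counts and timestamps are constructed.

```python
"""Compute per-entity Metric records from raw events and use one as a baseline.

Added example; not code from the reference page or from Google SecOps. The
aggregate_function value "SUM", the export_window field names start_time and
end_time, and the dimension name are assumptions; sample data is constructed.
"""
from datetime import datetime, timezone

# Constructed sample: (RFC 3339 timestamp, principal hostname, bytes sent)
EVENTS = [
    ("2024-03-01T08:00:00Z", "fin-db-01", 1200),
    ("2024-03-01T09:30:00Z", "fin-db-01", 2300),
    ("2024-03-02T10:15:00Z", "fin-db-01", 900),
    ("2024-03-01T11:00:00Z", "wks-042", 150),
    ("2024-03-03T23:59:59Z", "wks-042", 60),
    ("2024-02-20T12:00:00Z", "wks-042", 99999),  # outside the window: ignored
]

# Export window: a half-open [start, end) range, constructed for the sample.
WINDOW = ("2024-03-01T00:00:00Z", "2024-03-08T00:00:00Z")


def parse_z(ts):
    """Parse a Z-normalized RFC 3339 timestamp with no fractional digits."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fmt_z(dt):
    """Emit a Z-normalized RFC 3339 timestamp with 0 fractional digits."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def compute_metrics(events, window, metric_name="outbound_bytes_by_host",
                    dimension="principal.hostname"):
    """Return {hostname: Metric dict} for events that fall inside the window."""
    start, end = parse_z(window[0]), parse_z(window[1])
    buckets = {}
    for ts, host, nbytes in events:
        t = parse_z(ts)
        if not (start <= t < end):
            continue  # the metric only covers its export window
        b = buckets.setdefault(host, {"first": t, "last": t, "sum": 0, "n": 0})
        b["first"] = min(b["first"], t)
        b["last"] = max(b["last"], t)
        b["sum"] += nbytes
        b["n"] += 1
    metrics = {}
    for host, b in buckets.items():
        metrics[host] = {
            "metric_name": metric_name,
            "dimensions": [dimension],          # the group-by clause used
            "first_seen": fmt_z(b["first"]),
            "last_seen": fmt_z(b["last"]),
            "sum_measure": {"value": b["sum"], "aggregate_function": "SUM"},
            "total_events": b["n"],
            "export_window": {"start_time": window[0], "end_time": window[1]},
        }
    return metrics


def exceeds_baseline(metric, observed, factor=3.0):
    """True if a newly observed per-event value is more than factor x the
    metric's mean per event (sum_measure.value / total_events)."""
    if metric["total_events"] == 0:
        return False
    mean = metric["sum_measure"]["value"] / metric["total_events"]
    return observed > factor * mean


if __name__ == "__main__":
    metrics = compute_metrics(EVENTS, WINDOW)
    for host, m in metrics.items():
        print(host, m["sum_measure"], m["total_events"], m["first_seen"], m["last_seen"])
    print("wks-042 sending 1000 bytes is anomalous:",
          exceeds_baseline(metrics["wks-042"], 1000))
```

The baseline check divides `sum_measure.value` by `total_events`, which is only meaningful when `aggregate_function` is `SUM`; for other functions the stored value already is the aggregate and should be compared directly.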