- JSON representation
- EventTimestampAttribute
- Tags
- EnrichmentState
- DataAccessLabels
- DataAccessIngestionLabel
General information associated with a UDM event.
JSON representation

{ "id": string, "productLogId": string, "eventTimestamp": string, "eventTimestampAttributes": [ enum (

| Field | Description |
|---|---|
| id | ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string. |
| productLogId | A vendor-specific event identifier that uniquely identifies the event (for example, a GUID). |
| eventTimestamp | The GMT timestamp when the event was generated. Uses RFC 3339; generated output is always Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| eventTimestampAttributes[] | Attributes associated with eventTimestamp, used to distinguish which kind of timestamp eventTimestamp represents (see EventTimestampAttribute). |
| collectedTimestamp | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. Uses RFC 3339; generated output is always Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| ingestedTimestamp | The GMT timestamp when the event was ingested (received) by Chronicle. Uses RFC 3339; generated output is always Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| eventType | The event type. If an event has multiple possible types, this is the most specific one. |
| vendorName | The name of the product vendor. |
| productName | The name of the product. |
| productVersion | The version of the product. |
| productEventType | A short, descriptive, human-readable, product-specific event name or type (for example, "Scanned X", "User account created", "process_start"). |
| productDeploymentId | The deployment identifier assigned by the vendor for a product deployment. |
| description | A human-readable, free-form description of the event that is not parsed. |
| urlBackToProduct | A URL that takes the user to the source product console for this event. |
| ingestionLabels[] | User-configured ingestion metadata labels. |
| tags | Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. |
| enrichmentState | The enrichment state (see EnrichmentState). |
| logType | The log type, as a string. |
| baseLabels | Data access labels on the base event (see DataAccessLabels). |
| enrichmentLabels | Data access labels from all the contextual events used to enrich the base event. |
| structuredFields | Flattened fields extracted from the log. |
| parserVersion | The version of the parser that generated this UDM event. |
EventTimestampAttribute
Enum representing the kind of timestamp that the eventTimestamp field holds.

| Enum | Description |
|---|---|
| EVENT_TIMESTAMP_ATTRIBUTE_UNSPECIFIED | Default event timestamp attribute. |
| FILE_LAST_ACCESS_TIME | Deprecated. Use LAST_ACCESSED instead. |
| FILE_LAST_MODIFIED_TIME | Deprecated. Use LAST_MODIFIED instead. |
| FILE_METADATA_LAST_CHANGE_TIME | Deprecated. Use METADATA_LAST_CHANGED instead. |
| FILE_CREATION_TIME | Deprecated. Use CREATED instead. |
| COLLECTED_TIME | Deprecated. Use COLLECTED instead. |
| COLLECTED | The time when the event was collected by the vendor's local collection infrastructure. |
| ACCESSED | The time when the file was accessed. |
| CHANGED | The time when the file was changed. |
| CREATED | The time when the file was first created. |
| FILE_NAME_ACCESSED | The time when the file name was accessed. |
| FILE_NAME_CHANGED | The time when the file name was changed. |
| FILE_NAME_CREATED | The time when the file name was created. |
| FILE_NAME_LAST_ACCESSED | The time when the file name was last accessed. |
| FILE_NAME_LAST_MODIFIED | The time when the file name was last modified. |
| FILE_NAME_METADATA_LAST_CHANGED | The time when the file name metadata was last changed. |
| FILE_NAME_MODIFIED | The time when the file name was modified. |
| LAST_ACCESSED | The time when the file was last accessed. |
| LAST_MODIFIED | The time when the file was last modified. |
| METADATA_LAST_CHANGED | The time when the file metadata was last changed. |
| MODIFIED | The time when the file was modified. |
| ADDED | Added Timestamp. |
| BACKED_UP | Backed Up Timestamp. |
| LAST_CONNECTED | Last Connected Timestamp. |
| DELETED | Deleted Timestamp. |
| ENDED | Ended Timestamp. |
| EXITED | Exited Timestamp. |
| EXPIRED | Expired Timestamp. |
| FIRST_ACCESSED | First Accessed Timestamp. |
| APPEARED | Appeared Timestamp. |
| INSTALLED | Installed Timestamp. |
| LAST_ACTIVE | Last Active Timestamp. |
| LAST_LOGGED_IN | Last Login Timestamp. |
| LAST_LOGIN_ATTEMPT | Last Login Attempt Timestamp. |
| LAST_PASSWORD_SET | Last Password Set Timestamp. |
| LAST_PRINTED | Last Printed Timestamp. |
| LAST_RESUMED | Last Resumed Timestamp. |
| LAST_EXECUTED | Last Executed Timestamp. |
| LAST_SEEN | Last Seen Timestamp. |
| LAST_SHUTDOWN | Last Shutdown Timestamp. |
| LAST_UPDATED | Last Updated Timestamp. |
| LAST_USED | Last Used Timestamp. |
| LAST_VISITED | Last Visited Timestamp. |
| LINKED | Linked Timestamp. |
| METADATA_MODIFIED | Metadata Modified Timestamp. |
| CONTENT_MODIFIED | Content Modified Timestamp. |
| PURCHASED | Purchased Timestamp. |
| RECORDED | Recorded Timestamp. |
| REQUEST_RECEIVED | Request Received Timestamp. |
| RESPONSE_SENT | Response Sent Timestamp. |
| SCHEDULED_TO_END | Scheduled to End Timestamp. |
| SCHEDULED_TO_START | Scheduled to Start Timestamp. |
| SENT | Sent Timestamp. |
| STARTED | Started Timestamp. |
| UPDATED | Updated Timestamp. |
| VALIDATED | Validated Timestamp. |
| MOST_RECENT_RUN | Most Recent Run Timestamp. |
| NEXT_RUN | Next Run Timestamp. |
| VISITED | Visited Timestamp. |
| TARGET_CREATED | Target Created Timestamp. |
| VOLUME_CREATED | Volume Created Timestamp. |
| POST_CHECKED | Post Checked Timestamp. |
| SYNCHRONIZED | Synchronized Timestamp. |
| ITEM_CREATED | Item Created Timestamp. |
| ITEM_MODIFIED | Item Modified Timestamp. |
| DOCUMENT_LAST_SAVED | Document Last Saved Timestamp. |
| LAST_REGISTERED | Last Registered Timestamp. |
| LAUNCHED | Launched Timestamp. |
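The following Python is an added example for this page; it is not Chronicle's own code and not part of the reference. It applies the rules stated in the Metadata field table and the EventTimestampAttribute enum to a Metadata object before it is submitted: the three timestamp fields are Z-normalized to 0, 3, 6 or 9 fractional digits (non-"Z" offsets are accepted and converted to UTC), the deprecated EventTimestampAttribute values are mapped to the replacements the enum table names, and, when the object is parser output, the rule that a parser must not populate tags is enforced. The function names (normalize_rfc3339, canonicalize_metadata) and the sample metadata are constructed for illustration.

```python
"""Normalize the timestamp-related parts of a UDM Metadata object.

Added example, not Chronicle code. Helper names and SAMPLE_METADATA are
constructed for illustration only.
"""
import json
import re
from datetime import datetime, timezone

# Deprecated EventTimestampAttribute values and the replacements named in the enum table.
DEPRECATED_TIMESTAMP_ATTRIBUTES = {
    "FILE_LAST_ACCESS_TIME": "LAST_ACCESSED",
    "FILE_LAST_MODIFIED_TIME": "LAST_MODIFIED",
    "FILE_METADATA_LAST_CHANGE_TIME": "METADATA_LAST_CHANGED",
    "FILE_CREATION_TIME": "CREATED",
    "COLLECTED_TIME": "COLLECTED",
}

# The three Metadata fields documented as RFC 3339 timestamps.
TIMESTAMP_FIELDS = ("eventTimestamp", "collectedTimestamp", "ingestedTimestamp")

# RFC 3339 date-time: date, clock, optional 1-9 digit fraction, then "Z" or a numeric offset.
_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(\.\d{1,9})?(Z|[+-]\d{2}:\d{2})$"
)


def normalize_rfc3339(value: str) -> str:
    """Return the form Chronicle emits: UTC, "Z" suffix, and 0, 3, 6 or 9 fractional digits.

    Offsets other than "Z" are accepted and converted to UTC. Anything that is not an
    RFC 3339 date-time raises ValueError so that bad parser output fails loudly.
    """
    match = _RFC3339.match(value)
    if not match:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    date, clock, fraction, offset = match.groups()
    # Parse without the fraction (older fromisoformat only accepts 3- or 6-digit
    # fractions), then shift the aware datetime to UTC.
    aware = datetime.fromisoformat(f"{date}T{clock}{'+00:00' if offset == 'Z' else offset}")
    utc = aware.astimezone(timezone.utc)
    # Drop trailing zeros, then pad to the next allowed width (0, 3, 6 or 9 digits).
    digits = (fraction or ".")[1:].rstrip("0")
    width = next(w for w in (0, 3, 6, 9) if len(digits) <= w)
    digits = digits.ljust(width, "0")
    base = utc.strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{digits}Z" if digits else f"{base}Z"


def canonicalize_metadata(metadata: dict, from_parser: bool = False) -> dict:
    """Return a copy of a Metadata object with timestamps Z-normalized and deprecated
    eventTimestampAttributes values replaced.

    With from_parser=True, also reject a populated `tags` field, which the reference
    says Chronicle sets after parsing and a parser must never populate.
    """
    out = dict(metadata)
    for field in TIMESTAMP_FIELDS:
        if field in out:
            out[field] = normalize_rfc3339(out[field])
    attrs = []
    for attr in out.get("eventTimestampAttributes", []):
        attr = DEPRECATED_TIMESTAMP_ATTRIBUTES.get(attr, attr)
        if attr not in attrs:  # the mapping can make two entries collide; keep one
            attrs.append(attr)
    if attrs:
        out["eventTimestampAttributes"] = attrs
    if from_parser and out.get("tags"):
        raise ValueError("tags is set by Chronicle after parsing; a parser must not populate it")
    return out


# Constructed sample: parser output with offset timestamps and a deprecated attribute.
SAMPLE_METADATA = {
    "productLogId": "8f1c2d4e-0000-4000-8000-123456789abc",  # made-up GUID
    "eventTimestamp": "2024-03-05T10:15:30.5+02:00",
    "collectedTimestamp": "2024-03-05T10:15:31.123456789+02:00",
    "eventTimestampAttributes": ["FILE_LAST_MODIFIED_TIME", "LAST_MODIFIED"],
    "eventType": "FILE_MODIFICATION",
    "vendorName": "ExampleVendor",
    "productName": "ExampleEDR",
    "productEventType": "file_modified",
}

if __name__ == "__main__":
    print(json.dumps(canonicalize_metadata(SAMPLE_METADATA, from_parser=True), indent=2))
```

Running the block prints the sample with eventTimestamp "2024-03-05T08:15:30.500Z", collectedTimestamp "2024-03-05T08:15:31.123456789Z" and a single LAST_MODIFIED attribute; a parser that sets tags gets a ValueError instead of a silently rejected event.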
Tags
Tags are event metadata that Chronicle sets by examining event contents after parsing. For example, a UDM event may be assigned a tenantId based on customer-defined parameters.
JSON representation

{ "tenantId": [ string ], "dataTapConfigName": [ string ] }

| Field | Description |
|---|---|
| tenantId[] | A list of subtenant IDs that this event belongs to. Each ID is a base64-encoded string. |
| dataTapConfigName[] | A list of sink name values defined in DataTap configurations. |
EnrichmentState
An enrichment state.

| Enum | Description |
|---|---|
| ENRICHMENT_STATE_UNSPECIFIED | Unspecified. |
| ENRICHED | The event has been enriched by Chronicle. |
| UNENRICHED | The event has not been enriched by Chronicle. |
DataAccessLabels
JSON representation

{ "logTypes": [ string ], "ingestionLabels": [ string ], "namespaces": [ string ], "customLabels": [ string ], "ingestionKvLabels": [ { object (

| Field | Description |
|---|---|
| logTypes[] | All the LogType labels. |
| ingestionLabels[] | All the ingestion labels. |
| namespaces[] | All the namespaces. |
| customLabels[] | All the complex labels (expressed in UDM search syntax). |
| ingestionKvLabels[] | All the ingestion labels as key/value pairs (see DataAccessIngestionLabel). |
| allowScopedAccess | Whether the labels are ready for scoped access. |
DataAccessIngestionLabel
JSON representation

{ "key": string, "value": string }

| Field | Description |
|---|---|
| key | The key. |
| value | The value. |