- JSON representation
- EventTimestampAttribute
- Tags
- EnrichmentState
- DataAccessLabels
- DataAccessIngestionLabel
General information associated with a UDM event.
| JSON representation |
|---|
{ "id": string, "productLogId": string, "eventTimestamp": string, "eventTimestampAttributes": [ enum ( |
| Fields | |
|---|---|
id |
ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string. |
productLogId |
A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). |
eventTimestamp |
The GMT timestamp when the event was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
eventTimestampAttributes[] |
Attributes associated with eventTimestamp. This field is used to distinguish between different types of timestamps that can be used to represent the eventTimestamp. |
collectedTimestamp |
The GMT timestamp when the event was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
ingestedTimestamp |
The GMT timestamp when the event was ingested (received) by Chronicle. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
eventType |
The event type. If an event has multiple possible types, this specifies the most specific type. |
vendorName |
The name of the product vendor. |
productName |
The name of the product. |
productVersion |
The version of the product. |
productEventType |
A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). |
productDeploymentId |
The deployment identifier assigned by the vendor for a product deployment. |
description |
A human-readable unparsable description of the event. |
urlBackToProduct |
A URL that takes the user to the source product console for this event. |
ingestionLabels[] |
User-configured ingestion metadata labels. |
tags |
Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. |
enrichmentState |
The enrichment state. |
logType |
The string value of log type. |
baseLabels |
Data access labels on the base event. |
enrichmentLabels |
Data access labels from all the contextual events used to enrich the base event. |
structuredFields |
Flattened fields extracted from the log. |
parserVersion |
The version of the parser that generated this UDM event. |
EventTimestampAttribute
Enum representing the type of timestamp that the eventTimestamp field represents.
| Enums | |
|---|---|
EVENT_TIMESTAMP_ATTRIBUTE_UNSPECIFIED |
Default event timestamp attribute. |
FILE_LAST_ACCESS_TIME |
Deprecated. Use LAST_ACCESSED instead. |
FILE_LAST_MODIFIED_TIME |
Deprecated. Use LAST_MODIFIED instead. |
FILE_METADATA_LAST_CHANGE_TIME |
Deprecated. Use METADATA_LAST_CHANGED instead. |
FILE_CREATION_TIME |
Deprecated. Use CREATED instead. |
COLLECTED_TIME |
Deprecated. Use COLLECTED instead. |
COLLECTED |
The time when the event was collected by the vendor's local collection infrastructure. |
ACCESSED |
The time when the file was accessed. |
CHANGED |
The time when the file was changed. |
CREATED |
The time when the file was first created. |
FILE_NAME_ACCESSED |
The time when the file name was accessed. |
FILE_NAME_CHANGED |
The time when the file name was changed. |
FILE_NAME_CREATED |
The time when the file name was created. |
FILE_NAME_LAST_ACCESSED |
The time when the file name was last accessed. |
FILE_NAME_LAST_MODIFIED |
The time when the file name was last modified. |
FILE_NAME_METADATA_LAST_CHANGED |
The time when the file name metadata was last changed. |
FILE_NAME_MODIFIED |
The time when the file name was modified. |
LAST_ACCESSED |
The time when the file was last accessed. |
LAST_MODIFIED |
The time when the file was last modified. |
METADATA_LAST_CHANGED |
The time when the file metadata was last changed. |
MODIFIED |
The time when the file was modified. |
Tags
Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenantId based on certain customer-defined parameters.
| JSON representation |
|---|
{ "tenantId": [ string ], "dataTapConfigName": [ string ] } |
| Fields | |
|---|---|
tenantId[] |
A list of subtenant ids that this event belongs to. A base64-encoded string. |
dataTapConfigName[] |
A list of sink name values defined in DataTap configurations. |
EnrichmentState
An enrichment state.
| Enums | |
|---|---|
ENRICHMENT_STATE_UNSPECIFIED |
Unspecified. |
ENRICHED |
The event has been enriched by Chronicle. |
UNENRICHED |
The event has not been enriched by Chronicle. |
DataAccessLabels
| JSON representation |
|---|
{
"logTypes": [
string
],
"ingestionLabels": [
string
],
"namespaces": [
string
],
"customLabels": [
string
],
"ingestionKvLabels": [
{
object ( |
| Fields | |
|---|---|
logTypes[] |
All the LogType labels. |
ingestionLabels[] |
All the ingestion labels. |
namespaces[] |
All the namespaces. |
customLabels[] |
All the complex labels (UDM search syntax based). |
ingestionKvLabels[] |
All the ingestion labels (key/value pairs). |
allowScopedAccess |
Are the labels ready for scoped access |
DataAccessIngestionLabel
| JSON representation |
|---|
{ "key": string, "value": string } |
| Fields | |
|---|---|
key |
The key. |
value |
The value. |