Metadata

General information associated with a UDM event.

JSON representation
{
  "id": string,
  "productLogId": string,
  "eventTimestamp": string,
  "eventTimestampAttributes": [
    enum (EventTimestampAttribute)
  ],
  "collectedTimestamp": string,
  "ingestedTimestamp": string,
  "eventType": enum (EventType),
  "vendorName": string,
  "productName": string,
  "productVersion": string,
  "productEventType": string,
  "productDeploymentId": string,
  "description": string,
  "urlBackToProduct": string,
  "ingestionLabels": [
    {
      object (Label)
    }
  ],
  "tags": {
    object (Tags)
  },
  "enrichmentState": enum (EnrichmentState),
  "logType": string,
  "baseLabels": {
    object (DataAccessLabels)
  },
  "enrichmentLabels": {
    object (DataAccessLabels)
  },
  "structuredFields": {
    object
  },
  "parserVersion": string
}
Fields
id

string (bytes format)

ID of the UDM event. Can be used for raw and normalized event retrieval.

A base64-encoded string.

productLogId

string

A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).

eventTimestamp

string (Timestamp format)

The GMT timestamp when the event was generated.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

eventTimestampAttributes[]

enum (EventTimestampAttribute)

Attributes associated with eventTimestamp. They identify which kind of timestamp (for example, file creation or last access, as listed under EventTimestampAttribute) the eventTimestamp value represents.

collectedTimestamp

string (Timestamp format)

The GMT timestamp when the event was collected by the vendor's local collection infrastructure.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

ingestedTimestamp

string (Timestamp format)

The GMT timestamp when the event was ingested (received) by Chronicle.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

eventType

enum (EventType)

The event type. If an event has multiple possible types, this specifies the most specific type.

vendorName

string

The name of the product vendor.

productName

string

The name of the product.

productVersion

string

The version of the product.

productEventType

string

A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").

productDeploymentId

string

The deployment identifier assigned by the vendor for a product deployment.

description

string

A human-readable, free-text description of the event; it is not intended to be parsed.

urlBackToProduct

string

A URL that takes the user to the source product console for this event.

ingestionLabels[]

object (Label)

User-configured ingestion metadata labels.

tags

object (Tags)

Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser.

enrichmentState

enum (EnrichmentState)

The enrichment state.

logType

string

The log type, as a string.

baseLabels

object (DataAccessLabels)

Data access labels on the base event.

enrichmentLabels

object (DataAccessLabels)

Data access labels from all the contextual events used to enrich the base event.

structuredFields
(deprecated)

object (Struct format)

Flattened fields extracted from the log.

parserVersion

string

The version of the parser that generated this UDM event.

EventTimestampAttribute

Enum representing the type of timestamp that the eventTimestamp field represents.

Enums
EVENT_TIMESTAMP_ATTRIBUTE_UNSPECIFIED Default event timestamp attribute.
FILE_LAST_ACCESS_TIME Deprecated. Use LAST_ACCESSED instead.
FILE_LAST_MODIFIED_TIME Deprecated. Use LAST_MODIFIED instead.
FILE_METADATA_LAST_CHANGE_TIME Deprecated. Use METADATA_LAST_CHANGED instead.
FILE_CREATION_TIME Deprecated. Use CREATED instead.
COLLECTED_TIME Deprecated. Use COLLECTED instead.

COLLECTED The time when the event was collected by the vendor's local collection infrastructure.
ACCESSED The time when the file was accessed.
CHANGED The time when the file was changed.
CREATED The time when the file was first created.
FILE_NAME_ACCESSED The time when the file name was accessed.
FILE_NAME_CHANGED The time when the file name was changed.
FILE_NAME_CREATED The time when the file name was created.
FILE_NAME_LAST_ACCESSED The time when the file name was last accessed.
FILE_NAME_LAST_MODIFIED The time when the file name was last modified.
FILE_NAME_METADATA_LAST_CHANGED The time when the file name metadata was last changed.
FILE_NAME_MODIFIED The time when the file name was modified.
LAST_ACCESSED The time when the file was last accessed.
LAST_MODIFIED The time when the file was last modified.
METADATA_LAST_CHANGED The time when the file metadata was last changed.
MODIFIED The time when the file was modified.
ADDED Added Timestamp.
BACKED_UP Backed Up Timestamp.
LAST_CONNECTED Last Connected timestamp.
DELETED Deleted Timestamp.
ENDED Ended Timestamp.
EXITED Exited Timestamp.
EXPIRED Expired Timestamp.
FIRST_ACCESSED First Accessed Timestamp.
APPEARED Appeared Timestamp.
INSTALLED Installed Timestamp.
LAST_ACTIVE Last Active Timestamp.
LAST_LOGGED_IN Last Login Timestamp.
LAST_LOGIN_ATTEMPT Last Login Attempt Timestamp.
LAST_PASSWORD_SET Last Password Set Timestamp.
LAST_PRINTED Last Printed Timestamp.
LAST_RESUMED Last Resumed Timestamp.
LAST_EXECUTED Last Executed Timestamp.
LAST_SEEN Last Seen Timestamp.
LAST_SHUTDOWN Last Shutdown Timestamp.
LAST_UPDATED Last Updated Timestamp.
LAST_USED Last Used Timestamp.
LAST_VISITED Last Visited Timestamp.
LINKED Linked Timestamp.
METADATA_MODIFIED Metadata Modified Timestamp.
CONTENT_MODIFIED Modified Timestamp.
PURCHASED Purchased Timestamp.
RECORDED Recorded Timestamp.
REQUEST_RECEIVED Request Received Timestamp.
RESPONSE_SENT Response Sent Timestamp.
SCHEDULED_TO_END Scheduled to End Timestamp.
SCHEDULED_TO_START Scheduled to Start Timestamp.
SENT Sent Timestamp.
STARTED Started Timestamp.
UPDATED Updated Timestamp.
VALIDATED Validated Timestamp.
MOST_RECENT_RUN Most Recent Run Timestamp.
NEXT_RUN Next Run Timestamp.
VISITED Visited Timestamp.
TARGET_CREATED Target Created Timestamp.
VOLUME_CREATED Volume Created Timestamp.
POST_CHECKED Post Checked Timestamp.
SYNCHRONIZED Synchronized Timestamp.
ITEM_CREATED Item Created Timestamp.
ITEM_MODIFIED Item Modified Timestamp.
DOCUMENT_LAST_SAVED Document Last Saved Timestamp.
LAST_REGISTERED Last Registered Timestamp.
LAUNCHED Launched Timestamp.
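
The following is an added example, not code from Chronicle or this reference page. It shows how a pipeline that emits or consumes Metadata objects can check the constraints stated above before the event reaches the parser output: the three timestamp fields are RFC 3339 and are Z-normalized to 0, 3, 6 or 9 fractional digits as described under eventTimestamp; id is valid base64; deprecated EventTimestampAttribute values are reported and mapped to their documented replacements; and tags is not populated from within a parser. The sample Metadata object, the function names and the "from_parser" flag are assumptions made for the example.

```python
import base64
import binascii
import re
from datetime import datetime, timedelta, timezone

# Deprecated EventTimestampAttribute values and their replacements, taken from
# the enum table on this page.
DEPRECATED_TIMESTAMP_ATTRIBUTES = {
    "FILE_LAST_ACCESS_TIME": "LAST_ACCESSED",
    "FILE_LAST_MODIFIED_TIME": "LAST_MODIFIED",
    "FILE_METADATA_LAST_CHANGE_TIME": "METADATA_LAST_CHANGED",
    "FILE_CREATION_TIME": "CREATED",
    "COLLECTED_TIME": "COLLECTED",
}

# RFC 3339 date-time: "Z" or a numeric offset, with up to nine fractional digits.
RFC3339_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d{1,9})?(Z|[+-]\d{2}:\d{2})$"
)


def normalize_timestamp(value: str) -> str:
    """Parse an RFC 3339 timestamp and return it Z-normalized with 0, 3, 6 or 9
    fractional digits, the form the page says generated output always uses.
    Raises ValueError for anything that is not RFC 3339."""
    m = RFC3339_RE.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 timestamp: {value!r}")
    y, mo, d, h, mi, s, frac, off = m.groups()
    # datetime() validates the calendar fields (e.g. month 13 raises ValueError).
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), tzinfo=timezone.utc)
    if off != "Z":
        # local time = UTC + offset, so UTC = local time - offset
        sign = 1 if off[0] == "+" else -1
        dt -= sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
    # Fractional digits are handled as text: datetime only holds microseconds,
    # but the field may carry nanoseconds.
    digits = (frac or ".")[1:].rstrip("0")
    width = ((len(digits) + 2) // 3) * 3  # round the digit count up to 0, 3, 6 or 9
    frac_out = "." + digits.ljust(width, "0") if width else ""
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + frac_out + "Z"


def upgrade_timestamp_attributes(attrs: list) -> list:
    """Replace deprecated EventTimestampAttribute values with their successors,
    dropping duplicates while keeping the original order."""
    out = []
    for attr in attrs:
        attr = DEPRECATED_TIMESTAMP_ATTRIBUTES.get(attr, attr)
        if attr not in out:
            out.append(attr)
    return out


def validate_metadata(meta: dict, from_parser: bool = False) -> list:
    """Return a list of problems found in a UDM Metadata object (empty when clean).
    from_parser=True applies the rule that a parser must not populate tags."""
    problems = []
    if "id" in meta:
        try:
            base64.b64decode(meta["id"], validate=True)  # id is a base64-encoded bytes field
        except (binascii.Error, ValueError):
            problems.append("id is not valid base64")
    for field in ("eventTimestamp", "collectedTimestamp", "ingestedTimestamp"):
        if field in meta:
            try:
                normalize_timestamp(meta[field])
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
    for attr in meta.get("eventTimestampAttributes", []):
        if attr in DEPRECATED_TIMESTAMP_ATTRIBUTES:
            problems.append(
                f"eventTimestampAttributes: {attr} is deprecated, "
                f"use {DEPRECATED_TIMESTAMP_ATTRIBUTES[attr]}"
            )
    if from_parser and "tags" in meta:
        problems.append("tags must not be populated from within a parser")
    if "structuredFields" in meta:
        problems.append("structuredFields is deprecated")
    return problems


# Constructed sample of a parser's Metadata output; every value here is made up
# for the example (the id decodes to the bytes 0x01 0x02 0x03).
SAMPLE_PARSER_METADATA = {
    "id": "AQID",
    "productLogId": "example-guid-0001",
    "eventTimestamp": "2014-10-02T15:01:23+05:30",
    "eventTimestampAttributes": ["FILE_CREATION_TIME", "CREATED"],
    "vendorName": "ExampleVendor",
    "productName": "ExampleProduct",
    "tags": {"tenantId": ["AQID"]},
}

if __name__ == "__main__":
    print(normalize_timestamp(SAMPLE_PARSER_METADATA["eventTimestamp"]))
    print(upgrade_timestamp_attributes(SAMPLE_PARSER_METADATA["eventTimestampAttributes"]))
    for problem in validate_metadata(SAMPLE_PARSER_METADATA, from_parser=True):
        print("problem:", problem)
```

The fractional part is normalized as text rather than through datetime because the field allows nine digits and datetime stores only microseconds; truncating would silently change the value recorded in the event.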

Tags

Tags are event metadata that Chronicle sets by examining the event contents after parsing. For example, a UDM event may be assigned a tenantId based on certain customer-defined parameters.

JSON representation
{
  "tenantId": [
    string
  ],
  "dataTapConfigName": [
    string
  ]
}
Fields
tenantId[]

string (bytes format)

A list of subtenant ids that this event belongs to.

A base64-encoded string.

dataTapConfigName[]

string

A list of sink name values defined in DataTap configurations.

EnrichmentState

An enrichment state.

Enums
ENRICHMENT_STATE_UNSPECIFIED Unspecified.
ENRICHED The event has been enriched by Chronicle.
UNENRICHED The event has not been enriched by Chronicle.

DataAccessLabels

JSON representation
{
  "logTypes": [
    string
  ],
  "ingestionLabels": [
    string
  ],
  "namespaces": [
    string
  ],
  "customLabels": [
    string
  ],
  "ingestionKvLabels": [
    {
      object (DataAccessIngestionLabel)
    }
  ],
  "allowScopedAccess": boolean
}
Fields
logTypes[]

string

All the LogType labels.

ingestionLabels[]
(deprecated)

string

All the ingestion labels.

namespaces[]

string

All the namespaces.

customLabels[]

string

All the complex labels (UDM search syntax based).

ingestionKvLabels[]

object (DataAccessIngestionLabel)

All the ingestion labels (key/value pairs).

allowScopedAccess

boolean

Whether the labels are ready for scoped access.

DataAccessIngestionLabel

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

The key.

value

string

The value.