Metadata

JSON representation
EventTimestampAttribute
Tags
- JSON representation
EnrichmentState
DataAccessLabels
- JSON representation
DataAccessIngestionLabel
- JSON representation

General information associated with a UDM event.

JSON representation

JSON representation
{ "id": string, "productLogId": string, "eventTimestamp": string, "eventTimestampAttributes": [ enum (`EventTimestampAttribute`) ], "collectedTimestamp": string, "ingestedTimestamp": string, "eventType": enum (`EventType`), "vendorName": string, "productName": string, "productVersion": string, "productEventType": string, "productDeploymentId": string, "description": string, "urlBackToProduct": string, "ingestionLabels": [ { object (`Label`) } ], "tags": { object (`Tags`) }, "enrichmentState": enum (`EnrichmentState`), "logType": string, "baseLabels": { object (`DataAccessLabels`) }, "enrichmentLabels": { object (`DataAccessLabels`) }, "structuredFields": { object }, "parserVersion": string }

{
  "id": string,
  "productLogId": string,
  "eventTimestamp": string,
  "eventTimestampAttributes": [
    enum (EventTimestampAttribute)
  ],
  "collectedTimestamp": string,
  "ingestedTimestamp": string,
  "eventType": enum (EventType),
  "vendorName": string,
  "productName": string,
  "productVersion": string,
  "productEventType": string,
  "productDeploymentId": string,
  "description": string,
  "urlBackToProduct": string,
  "ingestionLabels": [
    {
      object (Label)
    }
  ],
  "tags": {
    object (Tags)
  },
  "enrichmentState": enum (EnrichmentState),
  "logType": string,
  "baseLabels": {
    object (DataAccessLabels)
  },
  "enrichmentLabels": {
    object (DataAccessLabels)
  },
  "structuredFields": {
    object
  },
  "parserVersion": string
}

Fields
`id`	`string (bytes format)` ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string.
`productLogId`	`string` A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).
`eventTimestamp`	`string (Timestamp format)` The GMT timestamp when the event was generated. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`eventTimestampAttributes[]`	`enum (EventTimestampAttribute)` Attributes associated with eventTimestamp. This field is used to distinguish between different types of timestamps that can be used to represent the eventTimestamp.
`collectedTimestamp`	`string (Timestamp format)` The GMT timestamp when the event was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`ingestedTimestamp`	`string (Timestamp format)` The GMT timestamp when the event was ingested (received) by Chronicle. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`eventType`	`enum (EventType)` The event type. If an event has multiple possible types, this specifies the most specific type.
`vendorName`	`string` The name of the product vendor.
`productName`	`string` The name of the product.
`productVersion`	`string` The version of the product.
`productEventType`	`string` A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").
`productDeploymentId`	`string` The deployment identifier assigned by the vendor for a product deployment.
`description`	`string` A human-readable unparsable description of the event.
`urlBackToProduct`	`string` A URL that takes the user to the source product console for this event.
`ingestionLabels[]`	`object (Label)` User-configured ingestion metadata labels.
`tags`	`object (Tags)` Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser.
`enrichmentState`	`enum (EnrichmentState)` The enrichment state.
`logType`	`string` The string value of log type.
`baseLabels`	`object (DataAccessLabels)` Data access labels on the base event.
`enrichmentLabels`	`object (DataAccessLabels)` Data access labels from all the contextual events used to enrich the base event.
`structuredFields (deprecated)`	`object (Struct format)` This item is deprecated! Flattened fields extracted from the log.
`parserVersion`	`string` The version of the parser that generated this UDM event.

EventTimestampAttribute

Enum representing the type of timestamp that the eventTimestamp field represents.

Enums
`EVENT_TIMESTAMP_ATTRIBUTE_UNSPECIFIED`	Default event timestamp attribute.
`FILE_LAST_ACCESS_TIME`	Deprecated. Use LAST_ACCESSED instead. This item is deprecated!
`FILE_LAST_MODIFIED_TIME`	Deprecated. Use LAST_MODIFIED instead. This item is deprecated!
`FILE_METADATA_LAST_CHANGE_TIME`	Deprecated. Use METADATA_LAST_CHANGED instead. This item is deprecated!
`FILE_CREATION_TIME`	Deprecated. Use CREATED instead. This item is deprecated!
`COLLECTED_TIME`	Deprecated. Use COLLECTED instead. This item is deprecated!
`COLLECTED`	The time when the event was collected by the vendor's local collection infrastructure.
`ACCESSED`	The time when the file was accessed.
`CHANGED`	The time when the file was changed.
`CREATED`	The time when the file was first created.
`FILE_NAME_ACCESSED`	The time when the file name was accessed.
`FILE_NAME_CHANGED`	The time when the file name was changed.
`FILE_NAME_CREATED`	The time when the file name was created.
`FILE_NAME_LAST_ACCESSED`	The time when the file name was last accessed.
`FILE_NAME_LAST_MODIFIED`	The time when the file name was last modified.
`FILE_NAME_METADATA_LAST_CHANGED`	The time when the file name metadata was last changed.
`FILE_NAME_MODIFIED`	The time when the file name was modified.
`LAST_ACCESSED`	The time when the file was last accessed.
`LAST_MODIFIED`	The time when the file was last modified.
`METADATA_LAST_CHANGED`	The time when the file metadata was last changed.
`MODIFIED`	The time when the file was modified.
`ADDED`	Added Timestamp.
`BACKED_UP`	Backed Up Timestamp.
`LAST_CONNECTED`	Last Connected timestamp.
`DELETED`	Deleted Timestamp.
`ENDED`	Ended Timestamp.
`EXITED`	Exited Timestamp.
`EXPIRED`	Expired Timestamp.
`FIRST_ACCESSED`	First Accessed Timestamp.
`APPEARED`	Appeared Timestamp.
`INSTALLED`	Installed Timestamp.
`LAST_ACTIVE`	Last Active Timestamp.
`LAST_LOGGED_IN`	Last Login Timestamp.
`LAST_LOGIN_ATTEMPT`	Last Login Attempt Timestamp.
`LAST_PASSWORD_SET`	Last Password Set Timestamp.
`LAST_PRINTED`	Last Printed Timestamp.
`LAST_RESUMED`	Last Resumed Timestamp.
`LAST_EXECUTED`	Last Executed Timestamp.
`LAST_SEEN`	Last Seen Timestamp.
`LAST_SHUTDOWN`	Last Shutdown Timestamp.
`LAST_UPDATED`	Last Updated Timestamp.
`LAST_USED`	Last Used Timestamp.
`LAST_VISITED`	Last Visited Timestamp.
`LINKED`	Linked Timestamp.
`METADATA_MODIFIED`	Metadata Modified Timestamp.
`CONTENT_MODIFIED`	Modified Timestamp.
`PURCHASED`	Purchased Timestamp.
`RECORDED`	Recorded Timestamp.
`REQUEST_RECEIVED`	Request Received Timestamp.
`RESPONSE_SENT`	Response Sent Timestamp.
`SCHEDULED_TO_END`	Scheduled to End Timestamp.
`SCHEDULED_TO_START`	Scheduled to Start Timestamp.
`SENT`	Sent Timestamp.
`STARTED`	Started Timestamp.
`UPDATED`	Updated Timestamp.
`VALIDATED`	Validated Timestamp.
`MOST_RECENT_RUN`	Most Recent Run Timestamp.
`NEXT_RUN`	Next Run Timestamp.
`VISITED`	Visited Timestamp.
`TARGET_CREATED`	Target Created Timestamp.
`VOLUME_CREATED`	Volume Created Timestamp.
`POST_CHECKED`	Post Checked Timestamp.
`SYNCHRONIZED`	Synchronized Timestamp.
`ITEM_CREATED`	Item Created Timestamp.
`ITEM_MODIFIED`	Item Modified Timestamp.
`DOCUMENT_LAST_SAVED`	Document Last Saved Timestamp.
`LAST_REGISTERED`	Last Registered Timestamp.
`LAUNCHED`	Launched Timestamp.

JSON representation
{ "tenantId": [ string ], "dataTapConfigName": [ string ] }

Fields
`tenantId[]`	`string (bytes format)` A list of subtenant ids that this event belongs to. A base64-encoded string.
`dataTapConfigName[]`	`string` A list of sink name values defined in DataTap configurations.

EnrichmentState

An enrichment state.

Enums
`ENRICHMENT_STATE_UNSPECIFIED`	Unspecified.
`ENRICHED`	The event has been enriched by Chronicle.
`UNENRICHED`	The event has not been enriched by Chronicle.

DataAccessLabels

JSON representation

JSON representation
{ "logTypes": [ string ], "ingestionLabels": [ string ], "namespaces": [ string ], "customLabels": [ string ], "ingestionKvLabels": [ { object (`DataAccessIngestionLabel`) } ], "allowScopedAccess": boolean }

{
  "logTypes": [
    string
  ],
  "ingestionLabels": [
    string
  ],
  "namespaces": [
    string
  ],
  "customLabels": [
    string
  ],
  "ingestionKvLabels": [
    {
      object (DataAccessIngestionLabel)
    }
  ],
  "allowScopedAccess": boolean
}

Fields
`logTypes[]`	`string` All the LogType labels.
`ingestionLabels[] (deprecated)`	`string` This item is deprecated! All the ingestion labels.
`namespaces[]`	`string` All the namespaces.
`customLabels[]`	`string` All the complex labels (UDM search syntax based).
`ingestionKvLabels[]`	`object (DataAccessIngestionLabel)` All the ingestion labels (key/value pairs).
`allowScopedAccess`	`boolean` Are the labels ready for scoped access

DataAccessIngestionLabel

JSON representation
{ "key": string, "value": string }

Fields

Fields
`key`	`string` The key.
`value`	`string` The value.

key

string

The key.

value

string

The value.