Metadata

JSON representation
Tags
- JSON representation
EnrichmentState
DataAccessLabels
- JSON representation
DataAccessIngestionLabel
- JSON representation

NEXT TAG: 21 General information associated with a UDM event.

JSON representation

JSON representation
{ "id": string, "product_log_id": string, "event_timestamp": string, "collected_timestamp": string, "ingested_timestamp": string, "event_type": enum (`EventType`), "vendor_name": string, "product_name": string, "product_version": string, "product_event_type": string, "product_deployment_id": string, "description": string, "url_back_to_product": string, "ingestion_labels": [ { object (`Label`) } ], "tags": { object (`Tags`) }, "enrichment_state": enum (`EnrichmentState`), "log_type": string, "base_labels": { object (`DataAccessLabels`) }, "enrichment_labels": { object (`DataAccessLabels`) }, "structured_fields": { object } }

{
  "id": string,
  "product_log_id": string,
  "event_timestamp": string,
  "collected_timestamp": string,
  "ingested_timestamp": string,
  "event_type": enum (EventType),
  "vendor_name": string,
  "product_name": string,
  "product_version": string,
  "product_event_type": string,
  "product_deployment_id": string,
  "description": string,
  "url_back_to_product": string,
  "ingestion_labels": [
    {
      object (Label)
    }
  ],
  "tags": {
    object (Tags)
  },
  "enrichment_state": enum (EnrichmentState),
  "log_type": string,
  "base_labels": {
    object (DataAccessLabels)
  },
  "enrichment_labels": {
    object (DataAccessLabels)
  },
  "structured_fields": {
    object
  }
}

Fields
`id`	`string (bytes format)` ID of the UDM event. Can be used for raw and normalized event retrieval. A base64-encoded string.
`product_log_id`	`string` A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).
`event_timestamp`	`string (Timestamp format)` The GMT timestamp when the event was generated. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`collected_timestamp`	`string (Timestamp format)` The GMT timestamp when the event was collected by the vendor's local collection infrastructure. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`ingested_timestamp`	`string (Timestamp format)` The GMT timestamp when the event was ingested (received) by Chronicle. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted.Examples: `"2014-10-02T15:01:23Z"`, `"2014-10-02T15:01:23.045123456Z"` or `"2014-10-02T15:01:23+05:30"`.
`event_type`	`enum (EventType)` The event type. If an event has multiple possible types, this specifies the most specific type.
`vendor_name`	`string` The name of the product vendor.
`product_name`	`string` The name of the product.
`product_version`	`string` The version of the product.
`product_event_type`	`string` A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").
`product_deployment_id`	`string` The deployment identifier assigned by the vendor for a product deployment.
`description`	`string` A human-readable unparsable description of the event.
`url_back_to_product`	`string` A URL that takes the user to the source product console for this event.
`ingestion_labels[]`	`object (Label)` User-configured ingestion metadata labels.
`tags`	`object (Tags)` Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser.
`enrichment_state`	`enum (EnrichmentState)` The enrichment state.
`log_type`	`string` The string value of log type.
`base_labels`	`object (DataAccessLabels)` Data access labels on the base event.
`enrichment_labels`	`object (DataAccessLabels)` Data access labels from all the contextual events used to enrich the base event.
`structured_fields (deprecated)`	`object (Struct format)` This item is deprecated! Flattened fields extracted from the log.

JSON representation
{ "tenant_id": [ string ], "data_tap_config_name": [ string ] }

Fields
`tenant_id[]`	`string (bytes format)` A list of subtenant ids that this event belongs to. A base64-encoded string.
`data_tap_config_name[]`	`string` A list of sink name values defined in DataTap configurations.

EnrichmentState

An enrichment state.

Enums
`ENRICHMENT_STATE_UNSPECIFIED`	Unspecified.
`ENRICHED`	The event has been enriched by Chronicle.
`UNENRICHED`	The event has not been enriched by Chronicle.

DataAccessLabels

JSON representation

JSON representation
{ "log_types": [ string ], "ingestion_labels": [ string ], "namespaces": [ string ], "custom_labels": [ string ], "ingestion_kv_labels": [ { object (`DataAccessIngestionLabel`) } ], "allow_scoped_access": boolean }

{
  "log_types": [
    string
  ],
  "ingestion_labels": [
    string
  ],
  "namespaces": [
    string
  ],
  "custom_labels": [
    string
  ],
  "ingestion_kv_labels": [
    {
      object (DataAccessIngestionLabel)
    }
  ],
  "allow_scoped_access": boolean
}

Fields
`log_types[]`	`string` All the LogType labels.
`ingestion_labels[] (deprecated)`	`string` This item is deprecated! All the ingestion labels.
`namespaces[]`	`string` All the namespaces.
`custom_labels[]`	`string` All the complex labels (UDM search syntax based).
`ingestion_kv_labels[]`	`object (DataAccessIngestionLabel)` All the ingestion labels (key/value pairs).
`allow_scoped_access`	`boolean` Are the labels ready for scoped access

DataAccessIngestionLabel

JSON representation
{ "key": string, "value": string }

Fields

Fields
`key`	`string` The key.
`value`	`string` The value.

key

string

The key.

value

string

The value.