Full name: projects.locations.instances.events.fetchEnrichedEvent
Gets the enriched event for a given event id.
HTTP request
Path parameters
Parameters | |
---|---|
name | Required. The ID of the event to retrieve. Format: projects/{project}/locations/{location}/instances/{instance}/events/{event} |
Query parameters
Parameters | |
---|---|
detectionId | Optional. The detectionId to return event data for. Events that are copied to a detection can have different enrichment than the equivalent standalone events, or the same event copied to a different detection. |
Request body
The request body must be empty.
Response body
Response message for events.fetchEnrichedEvent.
If successful, the response body contains data with the following structure:
JSON representation |
---|
{ "udm": { object ( |
Fields | |
---|---|
udm | The enriched UDM event. |
enrichedFields | A map of enriched fields in the parent event to information about where the enriched data originated. The key of the map is the field path of the UDM field. For example, "principal.user.windows_sid". Deprecated: use udmEnrichedFields instead. An object containing a list of |
udmEnrichedFields | A map of enriched fields in the parent event to information about where the enriched data originated. The key of the map is the field path of the UDM field. For example, "principal.user.windows_sid". The value is a list of sources that the enriched data was taken from. This is needed for on-the-fly Provenance where at read time we cannot determine the enrichment source for a given field if more than one source is present. An object containing a list of |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the name resource:
chronicle.events.fetchEnrichedEvent
For more information, see the IAM documentation.
EnrichingSource
Represents information about the enrichment source of an enriched field.
JSON representation |
---|
{ "displayName": string, // Union field |
Fields | |
---|---|
displayName | Output only. The source of enrichment. For example, "GeoIP" or "Google Threat Intel". |
Union field source. The source of the enrichment. source can be only one of the following: | |
event | Output only. The resource name of the Event that the enrichment data was taken from. |
entity | Output only. The resource name of the Entity that the enrichment data was taken from. |
EnrichmentSources
The sources of enrichment.
JSON representation |
---|
{
"sources": [
{
object ( |
Fields | |
---|---|
sources[] | Output only. The sources of enrichment for a given enriched field. This is needed for on-the-fly Provenance where at read time we cannot determine the enrichment source for a given field if more than one source is present. |
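The following is an added example, not part of the API reference or Google's client code: it validates the name path parameter against the documented format and turns a response's udmEnrichedFields map into a per-field provenance listing, flagging fields that were enriched from more than one source. It assumes each map value is an EnrichmentSources object as described above; the sample response, the second field path and all resource names in it are constructed placeholders.

```python
import re

# Resource-name format taken from the "Path parameters" table.
NAME_RE = re.compile(
    r"projects/[^/]+/locations/[^/]+/instances/[^/]+/events/[^/]+")


def valid_event_name(name):
    """True if name matches the documented format (no extra path segments)."""
    return NAME_RE.fullmatch(name) is not None


def provenance(response):
    """Return {field_path: [(displayName, kind, resource_name), ...]}.

    Reads udmEnrichedFields only; the deprecated enrichedFields is ignored.
    """
    result = {}
    for path, entry in response.get("udmEnrichedFields", {}).items():
        sources = []
        for src in entry.get("sources", []):
            # The union field "source" allows only one of event / entity.
            kinds = [k for k in ("event", "entity") if k in src]
            if len(kinds) > 1:
                raise ValueError(f"{path}: both event and entity are set")
            kind = kinds[0] if kinds else None
            resource = src[kind] if kind else None
            sources.append((src.get("displayName"), kind, resource))
        result[path] = sources
    return result


def ambiguous_fields(response):
    """Field paths whose enrichment came from more than one source."""
    return sorted(p for p, s in provenance(response).items() if len(s) > 1)


# Constructed sample response; names below are placeholders, not real data.
BASE = "projects/p/locations/l/instances/i"
SAMPLE = {
    "udm": {},
    "udmEnrichedFields": {
        "principal.user.windows_sid": {"sources": [
            {"displayName": "Google Threat Intel",
             "entity": BASE + "/entities/e1"}]},
        "target.user.windows_sid": {"sources": [
            {"displayName": "GeoIP", "entity": BASE + "/entities/e2"},
            {"displayName": "GeoIP", "event": BASE + "/events/ev9"}]},
    },
}
```

Fields returned by ambiguous_fields are the ones where an analyst should check each listed source before treating the enriched value as authoritative.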