Method: events.fetchEnrichedEvent

Full name: projects.locations.instances.events.fetchEnrichedEvent

Gets the enriched event for a given event id.

HTTP request


Path parameters

Parameters
name

string

Required. The ID of the event to retrieve. Format: projects/{project}/locations/{location}/instances/{instance}/events/{event}

Query parameters

Parameters
detectionId

string

Optional. The detectionId to return event data for. An event that was copied to a detection can carry different enrichment than the equivalent standalone event, or than the same event copied to a different detection, so pass the detectionId when you need the enrichment as it was seen by that detection.

Request body

The request body must be empty.

Response body

Response message for events.fetchEnrichedEvent.

If successful, the response body contains data with the following structure:

JSON representation
{
  "udm": {
    object (UDM)
  },
  "enrichedFields": {
    string: {
      object (EnrichingSource)
    },
    ...
  },
  "udmEnrichedFields": {
    string: {
      object (EnrichmentSources)
    },
    ...
  }
}
Fields
udm

object (UDM)

The enriched UDM event.

enrichedFields

map (key: string, value: object (EnrichingSource))

A map of enriched fields in the parent event to information about where the enriched data originated. The key of the map is the field path of the UDM field. For example, "principal.user.windows_sid". @deprecated Use udmEnrichedFields instead.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

udmEnrichedFields

map (key: string, value: object (EnrichmentSources))

A map of enriched fields in the parent event to information about where the enriched data originated. The key of the map is the field path of the UDM field. For example, "principal.user.windows_sid". The value is the list of sources that the enriched data was taken from. This is needed for on-the-fly provenance, where at read time the enrichment source for a given field cannot be determined if more than one source is present.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the name resource:

  • chronicle.events.fetchEnrichedEvent

For more information, see the IAM documentation.

EnrichingSource

Represents information about the enrichment source of an enriched field.

JSON representation
{
  "displayName": string,

  // Union field source can be only one of the following:
  "event": string,
  "entity": string
  // End of list of possible types for union field source.
}
Fields
displayName

string

Output only. The source of enrichment. For example, "GeoIP" or "Google Threat Intel".

Union field source. The source of the enrichment. source can be only one of the following:
event

string

Output only. The resource name of the Event that the enrichment data was taken from.

entity

string

Output only. The resource name of the Entity that the enrichment data was taken from.

EnrichmentSources

The sources of enrichment.

JSON representation
{
  "sources": [
    {
      object (EnrichingSource)
    }
  ]
}
Fields
sources[]

object (EnrichingSource)

Output only. The sources of enrichment for a given enriched field. This is needed for on-the-fly provenance, where at read time the enrichment source for a given field cannot be determined if more than one source is present.
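The following Python example is added here to tie together the request described under "Path parameters" and "Query parameters" and the response structures (UDM, EnrichingSource, EnrichmentSources) defined above. It is not code from this reference or from the Chronicle API client libraries. It assumes the v1alpha Chronicle API host `https://chronicle.googleapis.com/v1alpha` and the custom-method URL shape `{name}:fetchEnrichedEvent`, neither of which this page states, and the sample response is constructed to match the documented JSON shapes rather than captured from a real instance. The parsing side is the part an analyst usually needs: it reduces both provenance maps (the current `udmEnrichedFields` and the deprecated `enrichedFields`) to one field-path-to-sources view and flags fields whose value came from more than one enrichment source, which is exactly the case the page says cannot be attributed to a single source at read time.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode

# Assumption (not stated on this page): v1alpha Chronicle API host and the
# `{name}:fetchEnrichedEvent` custom-method URL shape.
CHRONICLE_API_BASE = "https://chronicle.googleapis.com/v1alpha"

# Resource name format documented for the `name` path parameter.
EVENT_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/instances/[^/]+/events/[^/]+$"
)


def build_fetch_enriched_event_request(name, detection_id=None):
    """Return (url, query) for events.fetchEnrichedEvent.

    Rejects names that do not match the documented format, and only adds the
    optional detectionId query parameter when the caller supplies one (a
    detection-scoped copy of an event may be enriched differently).
    """
    if not EVENT_NAME_RE.match(name):
        raise ValueError(f"event name does not match documented format: {name!r}")
    query = {"detectionId": detection_id} if detection_id else {}
    url = f"{CHRONICLE_API_BASE}/{name}:fetchEnrichedEvent"
    if query:
        url += "?" + urlencode(query)
    return url, query


def fetch_enriched_event(name, access_token, detection_id=None):
    """Perform the GET with a bearer token minted for the documented
    cloud-platform scope. Network call; the offline demo below does not use it."""
    url, _ = build_fetch_enriched_event_request(name, detection_id)
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def field_provenance(response):
    """Map each enriched UDM field path to a list of normalised sources.

    Prefers udmEnrichedFields (field -> EnrichmentSources, many sources) and
    falls back to the deprecated enrichedFields (field -> one EnrichingSource)
    for paths that only appear there. Each EnrichingSource is normalised to
    {"displayName", "kind": "event" | "entity" | None, "resource"}, honouring
    the union field `source`, which holds at most one of event/entity.
    """
    def normalise(src):
        kind = "event" if "event" in src else "entity" if "entity" in src else None
        return {
            "displayName": src.get("displayName", ""),
            "kind": kind,
            "resource": src.get(kind) if kind else None,
        }

    provenance = {}
    for path, srcs in response.get("udmEnrichedFields", {}).items():
        provenance[path] = [normalise(s) for s in srcs.get("sources", [])]
    for path, src in response.get("enrichedFields", {}).items():
        provenance.setdefault(path, [normalise(src)])
    return provenance


def ambiguous_fields(provenance):
    """Field paths whose value came from more than one enrichment source, i.e.
    the on-the-fly provenance case where a single origin cannot be named."""
    return sorted(p for p, srcs in provenance.items() if len(srcs) > 1)


# Constructed sample response (not real API output); shapes follow this page.
SAMPLE_RESPONSE = {
    "udm": {
        "metadata": {"event_type": "USER_LOGIN"},
        "principal": {
            "ip": ["203.0.113.7"],
            "location": {"country_or_region": "Example Country"},
            "user": {"windows_sid": "S-1-5-21-0-0-0-1001"},
        },
    },
    "udmEnrichedFields": {
        "principal.location.country_or_region": {
            "sources": [
                {"displayName": "GeoIP",
                 "event": "projects/p/locations/l/instances/i/events/e1"}
            ]
        },
        "principal.user.windows_sid": {
            "sources": [
                {"displayName": "Entity Graph",
                 "entity": "projects/p/locations/l/instances/i/entities/u1"},
                {"displayName": "Directory Sync",
                 "entity": "projects/p/locations/l/instances/i/entities/u2"},
            ]
        },
    },
    # Deprecated map, populated here only to exercise the fallback path.
    "enrichedFields": {
        "principal.ip_geo_artifact.location.country_or_region": {
            "displayName": "GeoIP",
            "event": "projects/p/locations/l/instances/i/events/e1",
        }
    },
}

if __name__ == "__main__":
    url, _ = build_fetch_enriched_event_request(
        "projects/p/locations/l/instances/i/events/e1", detection_id="det-123"
    )
    print("GET", url)
    prov = field_provenance(SAMPLE_RESPONSE)
    print(json.dumps(prov, indent=2))
    print("multi-source fields:", ambiguous_fields(prov))
```

Run it as a script to see the request URL and the provenance summary for the constructed sample; `fetch_enriched_event` is the only function that touches the network and needs an access token for the cloud-platform scope. Keeping `field_provenance` independent of the transport means the same reduction can be run over stored API responses when reviewing how a field such as `principal.user.windows_sid` was populated.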