Metadata Fields¶
Event metadata such as timestamp, source product, etc.
Metadata Field Details¶
metadata.collected_timestamp¶
Description: The GMT timestamp when the event was collected by the vendor's local collection infrastructure.
Type: String
metadata.description¶
Description: A human-readable, free-text description of the event. It is not structured and is not intended to be parsed.
Type: String
metadata.event_timestamp¶
Description: The GMT timestamp when the event was generated.
Type: String
metadata.event_type¶
Description: If an event has multiple possible types, this specifies the most specific type.
Type: Enum
| Enum | Description |
|---|---|
| EVENTTYPE_UNSPECIFIED | Default event type |
| PROCESS_UNCATEGORIZED | Activity related to a process which does not match any other event types. |
| PROCESS_LAUNCH | Process launch. |
| PROCESS_INJECTION | Process injecting into another process. |
| PROCESS_PRIVILEGE_ESCALATION | Process privilege escalation. |
| PROCESS_TERMINATION | Process termination. |
| PROCESS_OPEN | Process being opened. |
| PROCESS_MODULE_LOAD | Process loading a module. |
| REGISTRY_UNCATEGORIZED | Registry event which does not match any of the other event types. |
| REGISTRY_CREATION | Registry creation. |
| REGISTRY_MODIFICATION | Registry modification. |
| REGISTRY_DELETION | Registry deletion. |
| SETTING_UNCATEGORIZED | Settings-related event which does not match any of the other event types. |
| SETTING_CREATION | Setting creation. |
| SETTING_MODIFICATION | Setting modification. |
| SETTING_DELETION | Setting deletion. |
| MUTEX_UNCATEGORIZED | Any mutex event other than creation. |
| MUTEX_CREATION | Mutex creation. |
| FILE_UNCATEGORIZED | File event which does not match any of the other event types. |
| FILE_CREATION | File created. |
| FILE_DELETION | File deleted. |
| FILE_MODIFICATION | File modified. |
| FILE_READ | File read. |
| FILE_COPY | File copied. Used for file copies, for example, to a thumb drive. |
| FILE_OPEN | File opened. |
| FILE_MOVE | File moved or renamed. |
| FILE_SYNC | File synced (for example, Google Drive, Dropbox, backup). |
| USER_UNCATEGORIZED | User activity which does not match any of the other event types. |
| USER_LOGIN | User login. |
| USER_LOGOUT | User logout. |
| USER_CREATION | User creation. |
| USER_CHANGE_PASSWORD | User password change event. |
| USER_CHANGE_PERMISSIONS | Change in user permissions. |
| USER_STATS | Deprecated. Used to update user info for an LDAP dump. |
| USER_BADGE_IN | User physically badging into a location. |
| USER_DELETION | User deletion. |
| USER_RESOURCE_CREATION | User creating a virtual resource. This is equivalent to RESOURCE_CREATION. |
| USER_RESOURCE_UPDATE_CONTENT | User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. |
| USER_RESOURCE_UPDATE_PERMISSIONS | User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. |
| USER_COMMUNICATION | User initiating communication through a medium (for example, video). |
| USER_RESOURCE_ACCESS | User accessing a virtual resource. This is equivalent to RESOURCE_READ. |
| USER_RESOURCE_DELETION | User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. |
| GROUP_UNCATEGORIZED | A group activity that does not fall into one of the other event types. |
| GROUP_CREATION | A group creation. |
| GROUP_DELETION | A group deletion. |
| GROUP_MODIFICATION | A group modification. |
| EMAIL_UNCATEGORIZED | Email event which does not match any of the other email event types. |
| EMAIL_TRANSACTION | An email transaction. |
| EMAIL_URL_CLICK | Deprecated. An email URL click event. Use NETWORK_HTTP instead. |
| NETWORK_UNCATEGORIZED | A network event that does not fit into one of the other event types. |
| NETWORK_FLOW | Aggregated flow stats like netflow. |
| NETWORK_CONNECTION | Network connection details like from a FW. |
| NETWORK_FTP | FTP telemetry. |
| NETWORK_DHCP | DHCP payload. |
| NETWORK_DNS | DNS payload. |
| NETWORK_HTTP | HTTP telemetry. |
| NETWORK_SMTP | SMTP telemetry. |
| STATUS_UNCATEGORIZED | A status message that does not fit into one of the other event types. |
| STATUS_HEARTBEAT | Heartbeat indicating product is alive. |
| STATUS_STARTUP | An agent startup. |
| STATUS_SHUTDOWN | An agent shutdown. |
| STATUS_UPDATE | A software or fingerprint update. |
| SCAN_UNCATEGORIZED | Scan item that does not fit into one of the other event types. |
| SCAN_FILE | A file scan. |
| SCAN_PROCESS_BEHAVIORS | Deprecated. Scan process behaviors. Use SCAN_PROCESS instead. |
| SCAN_PROCESS | Scan process. |
| SCAN_HOST | Scan results from scanning an entire host device for threats/sensitive documents. |
| SCAN_VULN_HOST | Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). |
| SCAN_VULN_NETWORK | Vulnerability scan logs about network vulnerabilities. |
| SCAN_NETWORK | Scan of the network for suspicious activity. |
| SCHEDULED_TASK_UNCATEGORIZED | Scheduled task event that does not fall into one of the other event types. |
| SCHEDULED_TASK_CREATION | Scheduled task creation. |
| SCHEDULED_TASK_DELETION | Scheduled task deletion. |
| SCHEDULED_TASK_ENABLE | Scheduled task being enabled. |
| SCHEDULED_TASK_DISABLE | Scheduled task being disabled. |
| SCHEDULED_TASK_MODIFICATION | Scheduled task being modified. |
| SYSTEM_AUDIT_LOG_UNCATEGORIZED | A system audit log event that is not a wipe. |
| SYSTEM_AUDIT_LOG_WIPE | A system audit log wipe. |
| SERVICE_UNSPECIFIED | Service event that does not fit into one of the other event types. |
| SERVICE_CREATION | A service creation. |
| SERVICE_DELETION | A service deletion. |
| SERVICE_START | A service start. |
| SERVICE_STOP | A service stop. |
| SERVICE_MODIFICATION | A service modification. |
| GENERIC_EVENT | OS events that do not fall in any of the other above event types. Might include uncategorized Windows event logs, etc. |
| RESOURCE_CREATION | The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. |
| RESOURCE_DELETION | The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. |
| RESOURCE_PERMISSIONS_CHANGE | The resource had its permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. |
| RESOURCE_READ | The resource was read. This is equivalent to USER_RESOURCE_ACCESS. |
| RESOURCE_WRITTEN | The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. |
| ANALYST_UPDATE_VERDICT | Analyst updating the verdict (true positive, false positive, disregard, etc.) of a finding. |
| ANALYST_UPDATE_REPUTATION | Analyst updating the reputation (useful, not useful) of a finding. |
| ANALYST_UPDATE_SEVERITY_SCORE | Analyst updating the severity score (0-100) of a finding. |
| ANALYST_UPDATE_STATUS | Analyst updating the status of a finding. |
| ANALYST_ADD_COMMENT | Analyst adding a comment to a finding. |
| ANALYST_UPDATE_PRIORITY | Analyst updating the priority (low, medium, high, etc.) of a finding. |
| ANALYST_UPDATE_ROOT_CAUSE | Analyst updating the root cause of a finding. |
| ANALYST_UPDATE_REASON | Analyst updating the reason (malicious, not malicious, etc.) for a finding. |
| ANALYST_UPDATE_RISK_SCORE | Analyst updating the risk score (0-100) of a finding. |
metadata.id¶
Description: ID of the UDM event. Can be used for raw and normalized event retrieval.
Type: String
metadata.ingested_timestamp¶
Description: The GMT timestamp when the event was ingested (received) by Chronicle.
Type: String
metadata.ingestion_labels[n].key¶
Description: The key.
Type: String
metadata.ingestion_labels[n].source¶
Description: Where the label is derived from. Currently only UDM field paths that are eligible outcomes for the signal index are populated.
Type: String
metadata.ingestion_labels[n].value¶
Description: The value.
Type: String
metadata.ingestion_labels¶
Description: User-configured ingestion metadata labels.
Type: Array
metadata.product_deployment_id¶
Description: The deployment identifier assigned by the vendor for a product deployment.
Type: String
metadata.product_event_type¶
Description: A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start").
Type: String
metadata.product_log_id¶
Description: A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).
Type: String
metadata.product_name¶
Description: The name of the product.
Type: String
metadata.product_version¶
Description: The version of the product.
Type: String
metadata.tags.data_tap_config_name¶
Description: A list of sink name values defined in DataTap configurations.
Type: Array
metadata.tags.tenant_id¶
Description: A list of subtenant IDs that this event belongs to.
Type: Array
metadata.url_back_to_product¶
Description: A URL that takes the user to the source product console for this event.
Type: String
metadata.vendor_name¶
Description: The name of the product vendor.
Type: String
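The checks a parser author or detection engineer typically wants on this block are: is `metadata.event_type` a known enum value, is it one of the deprecated ones (USER_STATS, EMAIL_URL_CLICK, SCAN_PROCESS_BEHAVIORS), which of the USER_RESOURCE_* / RESOURCE_* pairs that the table marks as equivalent should a rule match on, and do the three timestamps parse and sit in a plausible order. The following is an added example written for this page; it is not Chronicle's code or tooling. The enum names, deprecation notes and equivalences are taken from the table above; the RFC 3339 timestamp format, the set of fields treated as required, the event <= collected <= ingested ordering rule, and the sample events are assumptions made for the illustration.

```python
"""Sanity checks for the metadata block of a UDM event (added example, not
Chronicle's code). Enum names, deprecations and USER_RESOURCE_*/RESOURCE_*
equivalences come from the event_type table on this page; RFC 3339
timestamps, the REQUIRED set, the timestamp ordering rule and the sample
events below are assumptions made for this demo."""
from datetime import datetime, timezone

# Subset of the metadata.event_type enum (families not needed by the samples
# are omitted; extend from the table as required).
EVENT_TYPES = {
    "EVENTTYPE_UNSPECIFIED", "GENERIC_EVENT", "PROCESS_UNCATEGORIZED",
    "PROCESS_LAUNCH", "PROCESS_INJECTION", "PROCESS_TERMINATION",
    "USER_UNCATEGORIZED", "USER_LOGIN", "USER_LOGOUT", "USER_CREATION",
    "USER_CHANGE_PASSWORD", "USER_CHANGE_PERMISSIONS", "USER_STATS",
    "USER_BADGE_IN", "USER_DELETION", "USER_COMMUNICATION",
    "USER_RESOURCE_CREATION", "USER_RESOURCE_UPDATE_CONTENT",
    "USER_RESOURCE_UPDATE_PERMISSIONS", "USER_RESOURCE_ACCESS",
    "USER_RESOURCE_DELETION", "RESOURCE_CREATION", "RESOURCE_DELETION",
    "RESOURCE_PERMISSIONS_CHANGE", "RESOURCE_READ", "RESOURCE_WRITTEN",
    "EMAIL_UNCATEGORIZED", "EMAIL_TRANSACTION", "EMAIL_URL_CLICK",
    "NETWORK_UNCATEGORIZED", "NETWORK_FLOW", "NETWORK_CONNECTION",
    "NETWORK_DNS", "NETWORK_HTTP", "NETWORK_SMTP",
    "SCAN_UNCATEGORIZED", "SCAN_FILE", "SCAN_PROCESS_BEHAVIORS", "SCAN_PROCESS",
}

# Deprecated values and the replacement the table names (None = none given).
DEPRECATED = {"USER_STATS": None, "EMAIL_URL_CLICK": "NETWORK_HTTP",
              "SCAN_PROCESS_BEHAVIORS": "SCAN_PROCESS"}

# Pairs the table marks as equivalent, canonicalised to the RESOURCE_* form so
# a rule written against one spelling also matches events using the other.
EQUIVALENT = {
    "USER_RESOURCE_CREATION": "RESOURCE_CREATION",
    "USER_RESOURCE_UPDATE_CONTENT": "RESOURCE_WRITTEN",
    "USER_RESOURCE_UPDATE_PERMISSIONS": "RESOURCE_PERMISSIONS_CHANGE",
    "USER_RESOURCE_ACCESS": "RESOURCE_READ",
    "USER_RESOURCE_DELETION": "RESOURCE_DELETION",
}

REQUIRED = ("event_timestamp", "event_type", "product_name", "vendor_name")  # assumed
TIMESTAMPS = ("event_timestamp", "collected_timestamp", "ingested_timestamp")


def canonical_event_type(event_type):
    """Name a rule should match on: the replacement for a deprecated value,
    the RESOURCE_* spelling for a USER_RESOURCE_* alias, else unchanged."""
    if event_type in DEPRECATED:
        return DEPRECATED[event_type]
    return EQUIVALENT.get(event_type, event_type)


def parse_timestamp(value):
    """Parse an RFC 3339 string to an aware UTC datetime; reject naive values."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"no timezone in {value!r}")
    return parsed.astimezone(timezone.utc)


def check_metadata(md):
    """Return the list of problems found in one metadata dict ([] = clean)."""
    problems = [f"missing required field {f}" for f in REQUIRED if not md.get(f)]
    event_type = md.get("event_type")
    if event_type is not None:
        if event_type not in EVENT_TYPES:
            problems.append(f"unknown event_type {event_type}")
        elif event_type in DEPRECATED:
            hint = DEPRECATED[event_type]
            problems.append(f"deprecated event_type {event_type}"
                            + (f" (use {hint})" if hint else ""))
    parsed = []
    for field in TIMESTAMPS:
        if field in md:
            try:
                parsed.append(parse_timestamp(md[field]))
            except ValueError as exc:
                problems.append(f"bad {field}: {exc}")
    # Ordering sanity check (assumption): generated before collected, collected
    # before ingested. A violation usually means a skewed source clock or a
    # timestamp mapped to the wrong field by the parser.
    if any(a > b for a, b in zip(parsed, parsed[1:])):
        problems.append("timestamps out of order (event <= collected <= ingested expected)")
    return problems


# Constructed sample metadata blocks, not real telemetry.
SAMPLE_EVENTS = [
    {"event_timestamp": "2024-05-01T12:00:00Z", "collected_timestamp": "2024-05-01T12:00:02Z",
     "ingested_timestamp": "2024-05-01T12:00:05Z", "event_type": "USER_RESOURCE_ACCESS",
     "product_name": "ExampleDrive", "vendor_name": "ExampleCo"},
    {"event_timestamp": "2024-05-01T12:00:09Z", "collected_timestamp": "2024-05-01T12:00:01Z",
     "event_type": "EMAIL_URL_CLICK", "product_name": "ExampleMail", "vendor_name": "ExampleCo"},
    {"event_timestamp": "2024-05-01 12:00:00",  # naive, no timezone
     "event_type": "PROCESS_LAUNCHED",           # typo, not in the enum
     "vendor_name": "ExampleCo"},                # product_name missing
]

if __name__ == "__main__":
    for n, md in enumerate(SAMPLE_EVENTS):
        print(n, canonical_event_type(md["event_type"]), check_metadata(md) or "ok")
```

Run stand-alone it reports the first sample as clean, the second as deprecated and out of order, and the third as missing a field, carrying an unknown type and a naive timestamp. Canonicalising `event_type` before matching is the practical point: a rule that keys on RESOURCE_READ silently misses sources whose parser emits USER_RESOURCE_ACCESS unless one of the two spellings is folded into the other.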