Skip to content

Securityresult Fields

A list of security results.

Securityresult Field Details

security_result[n].about.administrative_domain

Description: Domain which the device belongs to (for example, the Windows domain).

Type: String

security_result[n].about.application

Description: The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".

Type: String

security_result[n].about.artifact.first_seen_time

Description: First seen timestamp of the IP in the customer tenant.

Type: String

security_result[n].about.artifact.ip

Description: IP address of the artifact.

Type: String

security_result[n].about.artifact.last_seen_time

Description: Last seen timestamp of the IP in the customer tenant.

Type: String

security_result[n].about.artifact.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.artifact.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.artifact.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

security_result[n].about.asset.asset_id

Description: The asset ID.

Type: String

security_result[n].about.asset.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.asset.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.asset.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.asset.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.asset.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.asset.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.asset.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.asset.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.asset.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.asset.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.asset.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.asset.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.asset.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.asset.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.asset.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.asset.category

Description: The category of the asset (e.g. "End User Asset", "Workstation", "Server").

Type: String

security_result[n].about.asset.creation_time

Description: Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.

Type: String

security_result[n].about.asset.deployment_status

Description: The deployment status of the asset for device lifecycle purposes.

Type: Enum

Enum Description
DEPLOYMENT_STATUS_UNSPECIFIED Unspecified deployment status.
ACTIVE Asset is active, functional and deployed.
PENDING_DECOMISSION Asset is pending decommission and no longer deployed.
DECOMISSIONED Asset is decomissioned.

security_result[n].about.asset.first_discover_time

Description: Time the asset was first discovered (by asset management/discoverability software).

Type: String

security_result[n].about.asset.first_seen_time

Description: The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.asset.hardware[n].cpu_clock_speed

Description: Clock speed of the hardware CPU in MHz.

Type: String

security_result[n].about.asset.hardware[n].cpu_max_clock_speed

Description: Maximum possible clock speed of the hardware CPU in MHz.

Type: String

security_result[n].about.asset.hardware[n].cpu_model

Description: Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").

Type: String

security_result[n].about.asset.hardware[n].cpu_number_cores

Description: Number of CPU cores.

Type: String

security_result[n].about.asset.hardware[n].cpu_platform

Description: Platform of the hardware CPU (e.g. "Intel Broadwell").

Type: String

security_result[n].about.asset.hardware[n].manufacturer

Description: Hardware manufacturer.

Type: String

security_result[n].about.asset.hardware[n].model

Description: Hardware model.

Type: String

security_result[n].about.asset.hardware[n].ram

Description: Amount of the hardware ramdom access memory (RAM) in Mb.

Type: String

security_result[n].about.asset.hardware[n].serial_number

Description: Hardware serial number.

Type: String

security_result[n].about.asset.hardware

Description: The asset hardware specifications.

Type: Array

security_result[n].about.asset.hostname

Description: Asset hostname or domain name field.

Type: String

security_result[n].about.asset.ip

Description: A list of IP addresses associated with an asset.

Type: Array

security_result[n].about.asset.labels[n].key

Description: The key.

Type: String

security_result[n].about.asset.labels[n].value

Description: The value.

Type: String

security_result[n].about.asset.labels

Description: Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.

Type: Array

security_result[n].about.asset.last_boot_time

Description: Time the asset was last boot started.

Type: String

security_result[n].about.asset.last_discover_time

Description: Time the asset was last discovered (by asset management/discoverability software).

Type: String

security_result[n].about.asset.location.city

Description: The city.

Type: String

security_result[n].about.asset.location.country_or_region

Description: The country or region.

Type: String

security_result[n].about.asset.location.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.asset.location.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.asset.location.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.asset.location.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.asset.location.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.asset.location.state

Description: The state.

Type: String

security_result[n].about.asset.mac

Description: List of MAC addresses associated with an asset.

Type: Array

security_result[n].about.asset.nat_ip

Description: List of NAT IP addresses associated with an asset.

Type: Array

security_result[n].about.asset.network_domain

Description: The network domain of the asset (e.g. "corp.acme.com")

Type: String

security_result[n].about.asset.platform_software.platform

Description: The platform operating system.

Type: Enum

Enum Description
UNKNOWN_PLATFORM Default value.
WINDOWS Windows.
MAC Mac OS.
LINUX Linux.
GCP DEPRECATED - See cloud.environment.
AWS DEPRECATED - See cloud.environment.
AZURE DEPRECATED - See cloud.environment.

security_result[n].about.asset.platform_software.platform_patch_level

Description: The platform software patch level ( e.g. "Build 17134.48", "SP1").

Type: String

security_result[n].about.asset.platform_software.platform_version

Description: The platform software version ( e.g. "Microsoft Windows 1803").

Type: String

security_result[n].about.asset.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID or similar).

Type: String

security_result[n].about.asset.software[n].name

Description: The name of the software.

Type: String

security_result[n].about.asset.software[n].permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.asset.software[n].permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.asset.software[n].permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.asset.software[n].permissions

Description: System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE"

Type: Array

security_result[n].about.asset.software[n].version

Description: The version of the software.

Type: String

security_result[n].about.asset.software

Description: The asset software details.

Type: Array

security_result[n].about.asset.system_last_update_time

Description: Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a vm, etc.) use Attribute.last_update_time.

Type: String

security_result[n].about.asset.type

Description: The type of the asset (e.g. workstation or laptop or server).

Type: Enum

Enum Description
ROLE_UNSPECIFIED Unspecified asset role.
WORKSTATION A workstation or desktop.
LAPTOP A laptop computer.
IOT An IOT asset.
NETWORK_ATTACHED_STORAGE A network attached storage device.
PRINTER A printer.
SCANNER A scanner.
SERVER A server.
TAPE_LIBRARY A tape library device.
MOBILE A mobile device such as a mobile phone or PDA.

security_result[n].about.asset.vulnerabilities

Description: Vulnerabilities discovered on asset.

Type: Array

security_result[n].about.asset_id

Description: The asset ID.

Type: String

security_result[n].about.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.admin.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.domain.admin.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.admin.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.admin.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.admin.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.admin.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.admin.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.admin.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.admin.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.admin.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.admin.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.admin.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.admin.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.admin.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.admin.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.admin.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.admin.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.admin.department

Description: User job department

Type: Array

security_result[n].about.domain.admin.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.admin.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.admin.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.admin.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.admin.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.admin.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.admin.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.admin.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.admin.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.admin.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.admin.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.admin.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.admin.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.admin.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.admin.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.admin.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.admin.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.admin.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.admin.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.admin.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.admin.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.admin.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.admin.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.admin.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.admin.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.admin.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.admin.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.admin.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.admin.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.admin.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.admin.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.admin.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.admin.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.admin.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.admin.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.domain.admin.title

Description: User job title.

Type: String

security_result[n].about.domain.admin.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.admin.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.admin.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.admin.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.admin.windows_sid

Description: The windows SID of the user.

Type: String

security_result[n].about.domain.audit_update_time

Description: Audit updated time.

Type: String

security_result[n].about.domain.billing.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.domain.billing.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.billing.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.billing.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.billing.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.billing.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.billing.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.billing.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.billing.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.billing.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.billing.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.billing.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.billing.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.billing.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.billing.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.billing.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.billing.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.billing.department

Description: User job department

Type: Array

security_result[n].about.domain.billing.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.billing.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.billing.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.billing.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.billing.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.billing.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.billing.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.billing.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.billing.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.billing.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.billing.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.billing.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.billing.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.billing.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.billing.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.billing.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.billing.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.billing.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.billing.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.billing.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.billing.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.billing.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.billing.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.billing.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.billing.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.billing.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.billing.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.billing.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.billing.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.billing.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.billing.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.billing.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.billing.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.billing.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.billing.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.domain.billing.title

Description: User job title.

Type: String

security_result[n].about.domain.billing.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.billing.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.billing.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.billing.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.billing.windows_sid

Description: The windows SID of the user.

Type: String

security_result[n].about.domain.contact_email

Description: Contact email address.

Type: String

security_result[n].about.domain.creation_time

Description: Domain creation time.

Type: String

security_result[n].about.domain.expiration_time

Description: Expiration time.

Type: String

security_result[n].about.domain.first_seen_time

Description: First seen timestamp of the domain in the customer tenant.

Type: String

security_result[n].about.domain.iana_registrar_id

Description: IANA Registrar ID. See: https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml

Type: Integer

security_result[n].about.domain.last_seen_time

Description: Last seen timestamp of the domain in the customer tenant.

Type: String

security_result[n].about.domain.name

Description: The domain name.

Type: String

security_result[n].about.domain.name_server

Description: Repeated list of name servers.

Type: Array

security_result[n].about.domain.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.domain.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.domain.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

security_result[n].about.domain.private_registration

Description: Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.

Type: Boolean

security_result[n].about.domain.registrant.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.domain.registrant.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.registrant.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.registrant.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.registrant.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.registrant.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.registrant.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.registrant.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.registrant.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.registrant.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.registrant.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.registrant.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.registrant.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.registrant.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.registrant.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.registrant.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.registrant.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.registrant.department

Description: User job department

Type: Array

security_result[n].about.domain.registrant.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.registrant.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.registrant.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.registrant.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.registrant.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.registrant.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.registrant.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.registrant.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.registrant.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.registrant.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.registrant.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.registrant.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.registrant.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.registrant.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.registrant.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.registrant.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.registrant.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.registrant.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.registrant.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.registrant.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.registrant.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.registrant.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.registrant.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.registrant.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.registrant.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.registrant.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.registrant.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.registrant.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.registrant.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.registrant.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.registrant.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.registrant.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.registrant.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.registrant.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.registrant.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.domain.registrant.title

Description: User job title.

Type: String

security_result[n].about.domain.registrant.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.registrant.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.registrant.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.registrant.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.registrant.windows_sid

Description: The windows SID of the user.

Type: String

security_result[n].about.domain.registrar

Description: Registrar name - e.g. "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM", etc.

Type: String

security_result[n].about.domain.registry_data_raw_text

Description: Registry Data raw text

Type: String

security_result[n].about.domain.status

Description: Domain status. see: https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values

Type: String

security_result[n].about.domain.tech.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.domain.tech.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.tech.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.tech.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.tech.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.tech.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.tech.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.tech.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.tech.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.tech.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.tech.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.tech.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.tech.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.tech.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.tech.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.tech.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.tech.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.tech.department

Description: User job department

Type: Array

security_result[n].about.domain.tech.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.tech.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.tech.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.tech.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.tech.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.tech.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.tech.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.tech.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.tech.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.tech.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.tech.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.tech.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.tech.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.tech.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.tech.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.tech.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.tech.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.tech.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.tech.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.tech.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.tech.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.tech.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.tech.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.tech.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.tech.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.tech.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.tech.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.tech.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.tech.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.tech.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.tech.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.tech.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.tech.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.tech.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.tech.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.domain.tech.title

Description: User job title.

Type: String

security_result[n].about.domain.tech.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.tech.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.tech.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.tech.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.tech.windows_sid

Description: The windows SID of the user.

Type: String

security_result[n].about.domain.update_time

Description: Last updated time.

Type: String

security_result[n].about.domain.whois_record_raw_text

Description: unix epoch of the time when the domaintools first catches the record, or the time when domaintools catch the record changes. domaintools_time_ms is also used as the bigtable timestamp.

Type: String

security_result[n].about.domain.whois_server

Description: Whois server name.

Type: String

security_result[n].about.domain.zone.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.domain.zone.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.zone.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.zone.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.zone.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.zone.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.zone.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.zone.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.zone.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.zone.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.zone.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.zone.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.zone.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.zone.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.zone.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.zone.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.zone.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.zone.department

Description: User job department

Type: Array

security_result[n].about.domain.zone.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.zone.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.zone.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.zone.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.zone.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.zone.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.zone.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.zone.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.zone.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.zone.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.zone.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.zone.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.zone.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.zone.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.zone.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.zone.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.zone.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.zone.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.zone.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.zone.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.zone.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.zone.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.zone.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.zone.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.zone.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.zone.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.zone.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.zone.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.zone.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.zone.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.zone.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.zone.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.zone.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.zone.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.zone.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.domain.zone.title

Description: User job title.

Type: String

security_result[n].about.domain.zone.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.zone.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.zone.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.zone.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.zone.windows_sid

Description: The windows SID of the user.

Type: String

security_result[n].about.email

Description: Email address. Only filled in for security_result.about

Type: String

security_result[n].about.file.ahash

Description: Authentihash of the file.

Type: String

security_result[n].about.file.capabilities_tags

Description: Capabilities tags.

Type: Array

security_result[n].about.file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

security_result[n].about.file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE -- OS specific executable related files -- File type is PE_EXE.
FILE_TYPE_PE_DLL We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK -- Shortcuts -- File type is LNK.
FILE_TYPE_JPEG -- Image related types -- File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is IN_DESIGN.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG -- Video related types -- File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF -- Document types -- File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK -- Text/ebook related -- File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP -- Compressed bundles -- File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT -- Scripting -- File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN -- Mobile phone types -- File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML -- Web related -- File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP -- Network traffic captures -- File type is CAP.
FILE_TYPE_ISOIMAGE -- Disk images -- File type is ISOIMAGE.
FILE_TYPE_APPLE -- Apple environment related, executables aside -- File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX -- Browser extensions -- File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM -- Firmware related -- File type is ROM.

security_result[n].about.file.first_seen_time

Description: First seen timestamp of the File in the customer tenant.

Type: String

security_result[n].about.file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

security_result[n].about.file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

security_result[n].about.file.last_seen_time

Description: Last seen timestamp of the IP in the customer tenant.

Type: String

security_result[n].about.file.md5

Description: The MD5 hash of the file.

Type: String

security_result[n].about.file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

security_result[n].about.file.names

Description: Names fields.

Type: Array

security_result[n].about.file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

security_result[n].about.file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

security_result[n].about.file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

security_result[n].about.file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

security_result[n].about.file.pe_file.imphash

Description: Imphash of the file.

Type: String

security_result[n].about.file.pe_file.imports[n].functions

Description: Function field.

Type: Array

security_result[n].about.file.pe_file.imports[n].library

Description: Library field.

Type: String

security_result[n].about.file.pe_file.imports

Description: FilemetadataImports fields.

Type: Array

security_result[n].about.file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

security_result[n].about.file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

security_result[n].about.file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL

Type: String

security_result[n].about.file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

Type: String

security_result[n].about.file.pe_file.resource[n].sha256_hex

Description: SHA256_hex field..

Type: String

security_result[n].about.file.pe_file.resource

Description: FilemetadataPeResourceInfo fields.

Type: Array

security_result[n].about.file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

security_result[n].about.file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

security_result[n].about.file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

security_result[n].about.file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

security_result[n].about.file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

security_result[n].about.file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

security_result[n].about.file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

security_result[n].about.file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

security_result[n].about.file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

security_result[n].about.file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

security_result[n].about.file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

security_result[n].about.file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

security_result[n].about.file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

security_result[n].about.file.pe_file.section[n].md5_hex

Description: MD5 hex of the file.

Type: String

security_result[n].about.file.pe_file.section[n].name

Description: Name of the section.

Type: String

security_result[n].about.file.pe_file.section[n].raw_size_bytes

Description: Raw file size in bytes.

Type: String

security_result[n].about.file.pe_file.section[n].virtual_size_bytes

Description: Virtual file size in bytes.

Type: String

security_result[n].about.file.pe_file.section

Description: FilemetadataSection fields.

Type: Array

security_result[n].about.file.pe_file.signature_info.signer

Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.

Type: Array

security_result[n].about.file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

security_result[n].about.file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed"

Type: Boolean

security_result[n].about.file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

security_result[n].about.file.sha1

Description: The SHA1 hash of the file.

Type: String

security_result[n].about.file.sha256

Description: The SHA256 hash of the file.

Type: String

security_result[n].about.file.size

Description: The size of the file in bytes.

Type: String

security_result[n].about.file.ssdeep

Description: Ssdeep of the file

Type: String

security_result[n].about.file.vhash

Description: Vhash of the file.

Type: String

security_result[n].about.group.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.group.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.group.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.group.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.group.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.group.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.group.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.group.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.group.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.group.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.group.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.group.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.group.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.group.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.group.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.group.creation_time

Description: Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.

Type: String

security_result[n].about.group.email_addresses

Description: Email addresses of the group.

Type: Array

security_result[n].about.group.group_display_name

Description: Group display name. e.g. "Finance".

Type: String

security_result[n].about.group.product_object_id

Description: Product globally unique user object identifier, such as an LDAP Object Identifier.

Type: String

security_result[n].about.group.windows_sid

Description: Windows SID of the group.

Type: String

security_result[n].about.hostname

Description: Client hostname or domain name field. Hostname also doubles as the domain for remote entities.

Type: String

security_result[n].about.investigation.comments

Description: Comment added by the Analyst.

Type: Array

security_result[n].about.investigation.reputation

Description: Describes whether a finding was useful or not-useful.

Type: Enum

Enum Description
REPUTATION_UNSPECIFIED An unspecified reputation.
USEFUL A categorization of the finding as useful.
NOT_USEFUL A categorization of the finding as not useful.

security_result[n].about.investigation.severity_score

Description: Severity score for a finding set by an analyst.

Type: Integer

security_result[n].about.investigation.status

Description: Describes the workflow status of a finding.

Type: Enum

Enum Description
STATUS_UNSPECIFIED Unspecified finding status.
NEW New finding.
REVIEWED When a finding has feedback.
CLOSED When an analyst closes an finding.

security_result[n].about.investigation.verdict

Description: Describes reason a finding investigation was resolved.

Type: Enum

Enum Description
VERDICT_UNSPECIFIED An unspecified verdict.
TRUE_POSITIVE A categorization of the finding as a "true positive".
FALSE_POSITIVE A categorization of the finding as a "false positive".

security_result[n].about.ip

Description: A list of IP addresses associated with a network connection.

Type: Array

security_result[n].about.labels[n].key

Description: The key.

Type: String

security_result[n].about.labels[n].value

Description: The value.

Type: String

security_result[n].about.labels

Description: Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).

Type: Array

security_result[n].about.location.city

Description: The city.

Type: String

security_result[n].about.location.country_or_region

Description: The country or region.

Type: String

security_result[n].about.location.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.location.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.location.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.location.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.location.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.location.state

Description: The state.

Type: String

security_result[n].about.mac

Description: List of MAC addresses associated with a device.

Type: Array

security_result[n].about.namespace

Description: Namespace which the device belongs to (e.g. AD forest) Uses for this field include Windows AD forest, name of subsidiary or acquisition, etc.

Type: String

security_result[n].about.nat_ip

Description: A list of NAT translated IP addresses associated with a network connection.

Type: Array

security_result[n].about.nat_port

Description: NAT external network port number when a specific network connection is described within an event.

Type: Integer

security_result[n].about.object_reference.id

Description: Full raw ID.

Type: String

security_result[n].about.object_reference.namespace

Description: Namespace the id belongs to.

Type: Enum

Enum Description
NORMALIZED_TELEMETRY Ingested and Normalized telemetry events
RAW_TELEMETRY Ingested Raw telemetry
RULE_DETECTIONS Chronicle Rules engine
UPPERCASE Uppercase
MACHINE_INTELLIGENCE DSML - Machine Intelligence
SECURITY_COMMAND_CENTER A normalized telemetry event from Google Security Command Center.

security_result[n].about.platform

Description: Platform.

Type: Enum

Enum Description
UNKNOWN_PLATFORM Default value.
WINDOWS Windows.
MAC Mac OS.
LINUX Linux.
GCP DEPRECATED - See cloud.environment.
AWS DEPRECATED - See cloud.environment.
AZURE DEPRECATED - See cloud.environment.

security_result[n].about.platform_patch_level

Description: Platform patch level. e.g. "Build 17134.48"

Type: String

security_result[n].about.platform_version

Description: Platform version. e.g. "Microsoft Windows 1803"

Type: String

security_result[n].about.port

Description: Source or destination network port number when a specific network connection is described within an event.

Type: Integer

security_result[n].about.process.access_mask

Description: A bit mask representing the level of access.

Type: String

security_result[n].about.process.command_line

Description: The command line command that created the process.

Type: String

security_result[n].about.process.command_line_history

Description: The command line history of the process.

Type: Array

security_result[n].about.process.file.ahash

Description: Authentihash of the file.

Type: String

security_result[n].about.process.file.capabilities_tags

Description: Capabilities tags.

Type: Array

security_result[n].about.process.file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

security_result[n].about.process.file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE -- OS specific executable related files -- File type is PE_EXE.
FILE_TYPE_PE_DLL We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK -- Shortcuts -- File type is LNK.
FILE_TYPE_JPEG -- Image related types -- File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is IN_DESIGN.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG -- Video related types -- File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF -- Document types -- File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK -- Text/ebook related -- File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP -- Compressed bundles -- File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT -- Scripting -- File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN -- Mobile phone types -- File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML -- Web related -- File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP -- Network traffic captures -- File type is CAP.
FILE_TYPE_ISOIMAGE -- Disk images -- File type is ISOIMAGE.
FILE_TYPE_APPLE -- Apple environment related, executables aside -- File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX -- Browser extensions -- File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM -- Firmware related -- File type is ROM.

security_result[n].about.process.file.first_seen_time

Description: First seen timestamp of the File in the customer tenant.

Type: String

security_result[n].about.process.file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

security_result[n].about.process.file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

security_result[n].about.process.file.last_seen_time

Description: Last seen timestamp of the IP in the customer tenant.

Type: String

security_result[n].about.process.file.md5

Description: The MD5 hash of the file.

Type: String

security_result[n].about.process.file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

security_result[n].about.process.file.names

Description: Names fields.

Type: Array

security_result[n].about.process.file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

security_result[n].about.process.file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

security_result[n].about.process.file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

security_result[n].about.process.file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

security_result[n].about.process.file.pe_file.imphash

Description: Imphash of the file.

Type: String

security_result[n].about.process.file.pe_file.imports[n].functions

Description: Function field.

Type: Array

security_result[n].about.process.file.pe_file.imports[n].library

Description: Library field.

Type: String

security_result[n].about.process.file.pe_file.imports

Description: FilemetadataImports fields.

Type: Array

security_result[n].about.process.file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

security_result[n].about.process.file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

security_result[n].about.process.file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL

Type: String

security_result[n].about.process.file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

Type: String

security_result[n].about.process.file.pe_file.resource[n].sha256_hex

Description: SHA256_hex field..

Type: String

security_result[n].about.process.file.pe_file.resource

Description: FilemetadataPeResourceInfo fields.

Type: Array

security_result[n].about.process.file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

security_result[n].about.process.file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

security_result[n].about.process.file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

security_result[n].about.process.file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

security_result[n].about.process.file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

security_result[n].about.process.file.pe_file.section[n].md5_hex

Description: MD5 hex of the file.

Type: String

security_result[n].about.process.file.pe_file.section[n].name

Description: Name of the section.

Type: String

security_result[n].about.process.file.pe_file.section[n].raw_size_bytes

Description: Raw file size in bytes.

Type: String

security_result[n].about.process.file.pe_file.section[n].virtual_size_bytes

Description: Virtual file size in bytes.

Type: String

security_result[n].about.process.file.pe_file.section

Description: FilemetadataSection fields.

Type: Array

security_result[n].about.process.file.pe_file.signature_info.signer

Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.

Type: Array

security_result[n].about.process.file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

security_result[n].about.process.file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed"

Type: Boolean

security_result[n].about.process.file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.process.file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.process.file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

security_result[n].about.process.file.sha1

Description: The SHA1 hash of the file.

Type: String

security_result[n].about.process.file.sha256

Description: The SHA256 hash of the file.

Type: String

security_result[n].about.process.file.size

Description: The size of the file in bytes.

Type: String

security_result[n].about.process.file.ssdeep

Description: Ssdeep of the file

Type: String

security_result[n].about.process.file.vhash

Description: Vhash of the file.

Type: String

security_result[n].about.process.parent_pid

Description: The ID of the parent process. Deprecated. Please use parent_process.pid instead.

Type: String

security_result[n].about.process.pid

Description: The process ID.

Type: String

security_result[n].about.process.product_specific_parent_process_id

Description: A product specific id for the parent process. Please use parent_process.product_specific_process_id instead.

Type: String

security_result[n].about.process.product_specific_process_id

Description: A product specific process id.

Type: String

security_result[n].about.process_ancestors[n].access_mask

Description: A bit mask representing the level of access.

Type: String

security_result[n].about.process_ancestors[n].command_line

Description: The command line command that created the process.

Type: String

security_result[n].about.process_ancestors[n].command_line_history

Description: The command line history of the process.

Type: Array

security_result[n].about.process_ancestors[n].file.ahash

Description: Authentihash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.capabilities_tags

Description: Capabilities tags.

Type: Array

security_result[n].about.process_ancestors[n].file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

security_result[n].about.process_ancestors[n].file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE -- OS specific executable related files -- File type is PE_EXE.
FILE_TYPE_PE_DLL We acknowledge the fact that DLLs are actually portable executables, but want to make the distinction so as to be able to treat them differently in sandboxing systems and the like. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK -- Shortcuts -- File type is LNK.
FILE_TYPE_JPEG -- Image related types -- File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is IN_DESIGN.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG -- Video related types -- File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF -- Document types -- File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK -- Text/ebook related -- File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP -- Compressed bundles -- File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT -- Scripting -- File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN -- Mobile phone types -- File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML -- Web related -- File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP -- Network traffic captures -- File type is CAP.
FILE_TYPE_ISOIMAGE -- Disk images -- File type is ISOIMAGE.
FILE_TYPE_APPLE -- Apple environment related, executables aside -- File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED .
FILE_TYPE_CRX -- Browser extensions -- File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM -- Firmware related -- File type is ROM.

security_result[n].about.process_ancestors[n].file.first_seen_time

Description: First seen timestamp of the File in the customer tenant.

Type: String

security_result[n].about.process_ancestors[n].file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

security_result[n].about.process_ancestors[n].file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

security_result[n].about.process_ancestors[n].file.last_seen_time

Description: Last seen timestamp of the IP in the customer tenant.

Type: String

security_result[n].about.process_ancestors[n].file.md5

Description: The MD5 hash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

security_result[n].about.process_ancestors[n].file.names

Description: Names fields.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.imphash

Description: Imphash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.imports[n].functions

Description: Function field.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.imports[n].library

Description: Library field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.imports

Description: FilemetadataImports fields.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/magic.py END GOOGLE-INTERNAL

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. BEGIN GOOGLE-INTERNAL See http://cs/virustotal/virustotal-core-analysis/sav/common/tools/toolpefile/toolpefile.py?l=419&rcl=df1fcff7c5e82a39875359608b47669d5aff82c7 END GOOGLE-INTERNAL Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].sha256_hex

Description: SHA256_hex field..

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resource

Description: FilemetadataPeResourceInfo fields.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

security_result[n].about.process_ancestors[n].file.pe_file.section[n].md5_hex

Description: MD5 hex of the file.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.section[n].name

Description: Name of the section.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.section[n].raw_size_bytes

Description: Raw file size in bytes.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.section[n].virtual_size_bytes

Description: Virtual file size in bytes.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.section

Description: FilemetadataSection fields.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.signature_info.signer

Description: Common name of the signers. The order of the signers matters. Each element is a higher level authority, being the last the root authority.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed"

Type: Boolean

security_result[n].about.process_ancestors[n].file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.process_ancestors[n].file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.process_ancestors[n].file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This fields is only valid for domains

Type: Integer

security_result[n].about.process_ancestors[n].file.sha1

Description: The SHA1 hash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.sha256

Description: The SHA256 hash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.size

Description: The size of the file in bytes.

Type: String

security_result[n].about.process_ancestors[n].file.ssdeep

Description: Ssdeep of the file

Type: String

security_result[n].about.process_ancestors[n].file.vhash

Description: Vhash of the file.

Type: String

security_result[n].about.process_ancestors[n].parent_pid

Description: The ID of the parent process. Deprecated. Please use parent_process.pid instead.

Type: String

security_result[n].about.process_ancestors[n].pid

Description: The process ID.

Type: String

security_result[n].about.process_ancestors[n].product_specific_parent_process_id

Description: A product specific id for the parent process. Please use parent_process.product_specific_process_id instead.

Type: String

security_result[n].about.process_ancestors[n].product_specific_process_id

Description: A product specific process id.

Type: String

security_result[n].about.process_ancestors

Description: Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.

Type: Array

security_result[n].about.registry.registry_key

Description: Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).

Type: String

security_result[n].about.registry.registry_value_data

Description: Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

Type: String

security_result[n].about.registry.registry_value_name

Description: Name of the registry value associated with an application or system component (e.g. TEMP).

Type: String

security_result[n].about.resource.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.resource.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.resource.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.resource.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.resource.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.resource.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.resource.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.resource.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.resource.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.resource.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.resource.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.resource.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.resource.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.resource.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.resource.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.resource.id

Description: DEPRECATED

Type: String

security_result[n].about.resource.name

Description: The name of the resource.

Type: String

security_result[n].about.resource.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.resource.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)

Type: String

security_result[n].about.resource.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.resource.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receive traffic from a load balancer or proxy.

security_result[n].about.resource.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.resource_ancestors[n].attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.resource_ancestors[n].attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.resource_ancestors[n].attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.resource_ancestors[n].attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.resource_ancestors[n].attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.resource_ancestors[n].attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.resource_ancestors[n].attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.resource_ancestors[n].attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.resource_ancestors[n].attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.resource_ancestors[n].attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.resource_ancestors[n].attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.resource_ancestors[n].attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.resource_ancestors[n].attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.resource_ancestors[n].attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.resource_ancestors[n].attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.resource_ancestors[n].id

Description: DEPRECATED

Type: String

security_result[n].about.resource_ancestors[n].name

Description: The name of the resource.

Type: String

security_result[n].about.resource_ancestors[n].parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.resource_ancestors[n].product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)

Type: String

security_result[n].about.resource_ancestors[n].resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.resource_ancestors[n].resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receive traffic from a load balancer or proxy.

security_result[n].about.resource_ancestors[n].type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.resource_ancestors

Description: Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).

Type: Array

security_result[n].about.url

Description: The URL.

Type: String

security_result[n].about.user.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.user.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.user.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.user.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.user.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.user.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.user.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.user.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.user.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.user.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.user.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.user.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.user.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.user.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.user.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.user.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.user.company_name

Description: User job company name.

Type: String

security_result[n].about.user.department

Description: User job department

Type: Array

security_result[n].about.user.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.user.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.user.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.user.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.user.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.user.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.user.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.user.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.user.managers

Description: User job manager(s).

Type: Array

security_result[n].about.user.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.user.office_address.city

Description: The city.

Type: String

security_result[n].about.user.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.user.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.user.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.user.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.user.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.user.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.user.office_address.state

Description: The state.

Type: String

security_result[n].about.user.personal_address.city

Description: The city.

Type: String

security_result[n].about.user.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.user.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.user.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.user.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.user.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.user.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.user.personal_address.state

Description: The state.

Type: String

security_result[n].about.user.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.user.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.user.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.user.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.user.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.user.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.user.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.user.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.user.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.user.title

Description: User job title.

Type: String

security_result[n].about.user.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.user.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.user.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.user.userid

Description: The ID of the user.

Type: String

security_result[n].about.user.windows_sid

Description: The windows SID of the user.

Type: String

security_result[n].about.user_management_chain[n].account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.user_management_chain[n].attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.user_management_chain[n].attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.user_management_chain[n].attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.user_management_chain[n].attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.user_management_chain[n].attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.user_management_chain[n].attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.user_management_chain[n].attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.user_management_chain[n].attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.user_management_chain[n].attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.user_management_chain[n].attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.user_management_chain[n].attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.user_management_chain[n].attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.user_management_chain[n].attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.user_management_chain[n].attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.user_management_chain[n].company_name

Description: User job company name.

Type: String

security_result[n].about.user_management_chain[n].department

Description: User job department

Type: Array

security_result[n].about.user_management_chain[n].email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.user_management_chain[n].employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.user_management_chain[n].first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.user_management_chain[n].first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.user_management_chain[n].group_identifiers

Description: Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.user_management_chain[n].groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.user_management_chain[n].hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.user_management_chain[n].last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.user_management_chain[n].managers

Description: User job manager(s).

Type: Array

security_result[n].about.user_management_chain[n].middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.user_management_chain[n].office_address.city

Description: The city.

Type: String

security_result[n].about.user_management_chain[n].office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.user_management_chain[n].office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.user_management_chain[n].office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.user_management_chain[n].office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.user_management_chain[n].office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.user_management_chain[n].office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.user_management_chain[n].office_address.state

Description: The state.

Type: String

security_result[n].about.user_management_chain[n].personal_address.city

Description: The city.

Type: String

security_result[n].about.user_management_chain[n].personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.user_management_chain[n].personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.user_management_chain[n].personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.user_management_chain[n].personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.user_management_chain[n].personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.user_management_chain[n].personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.user_management_chain[n].personal_address.state

Description: The state.

Type: String

security_result[n].about.user_management_chain[n].phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.user_management_chain[n].product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.user_management_chain[n].role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.user_management_chain[n].role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.user_management_chain[n].termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.user_management_chain[n].time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.user_management_chain[n].time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.user_management_chain[n].time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.user_management_chain[n].time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.user_management_chain[n].title

Description: User job title.

Type: String

security_result[n].about.user_management_chain[n].user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.user_management_chain[n].user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.user_management_chain[n].user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.user_management_chain[n].userid

Description: The ID of the user.

Type: String

security_result[n].about.user_management_chain[n].windows_sid

Description: The windows SID of the user.

Type: String

security_result[n].about.user_management_chain

Description: Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.

Type: Array

security_result[n].action

Description: Actions taken for this event.

Type: ArrayEnum

Enum Description
UNKNOWN_ACTION The default action.
ALLOW Allowed.
BLOCK Blocked.
ALLOW_WITH_MODIFICATION Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded).
QUARANTINE Put somewhere for later analysis (does NOT imply block).
FAIL Failed (e.g. the event was allowed but failed).

security_result[n].action_details

Description: The detail of the action taken as provided by the vendor.

Type: String

security_result[n].alert_state

Description: The alerting types of this security result.

Type: Enum

Enum Description
UNSPECIFIED The security result type is not known.
NOT_ALERTING The security result is not an alert.
ALERTING The security result is an alert.

security_result[n].category

Description: The security category.

Type: ArrayEnum

Enum Description
UNKNOWN_CATEGORY The default category.
SOFTWARE_MALICIOUS Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS Below the conviction threshold; probably bad.
SOFTWARE_PUA Potentially Unwanted App (adware, etc.).
NETWORK_MALICIOUS C&C, network exploit, etc.
NETWORK_SUSPICIOUS Suspicious activity, potential reverse tunnel, etc.
NETWORK_CATEGORIZED_CONTENT Non-security related: URL has category like gambling, porn, etc.
NETWORK_DENIAL_OF_SERVICE DoS, DDoS.
NETWORK_RECON Port scan detected by an IDS, probing of web app.
NETWORK_COMMAND_AND_CONTROL If we know this is a C&C channel.
ACL_VIOLATION Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION Authentication failed (e.g. bad password or bad 2-factor authentication).
EXPLOIT Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits.
DATA_EXFILTRATION DLP: Sensitive data transmission, copy to thumb drive.
DATA_AT_REST DLP: Sensitive data found at rest in a scan.
DATA_DESTRUCTION Attempt to destroy/delete data.
MAIL_SPAM Spam email, message, etc.
MAIL_PHISHING Phishing email, chat messages, etc.
MAIL_SPOOFING Spoofed source email address, etc.
POLICY_VIOLATION Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).

security_result[n].category_details

Description: For vendor-specific categories. For web categorization, put type in here such as "gambling", "porn", etc.

Type: Array

security_result[n].confidence

Description: The confidence level of the result as estimated by the product.

Type: Enum

Enum Description
UNKNOWN_CONFIDENCE The default confidence level.
LOW_CONFIDENCE Low confidence.
MEDIUM_CONFIDENCE Medium confidence.
HIGH_CONFIDENCE High confidence.

security_result[n].confidence_details

Description: Additional detail with regards to the confidence of a security event as estimated by the product vendor.

Type: String

security_result[n].description

Description: A human readable description (e.g. "user password was wrong")

Type: String

security_result[n].detection_fields[n].key

Description: The key.

Type: String

security_result[n].detection_fields[n].value

Description: The value.

Type: String

security_result[n].detection_fields

Description: An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (i.e. the security result matched variables) .

Type: Array

security_result[n].outcomes[n].key

Description: The key.

Type: String

security_result[n].outcomes[n].value

Description: The value.

Type: String

security_result[n].outcomes

Description: A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to their values.

Type: Array

security_result[n].priority

Description: The priority of the result.

Type: Enum

Enum Description
UNKNOWN_PRIORITY Default priority level.
LOW_PRIORITY Low priority.
MEDIUM_PRIORITY Medium priority.
HIGH_PRIORITY High priority.

security_result[n].priority_details

Description: Vendor-specific information about the security result priority.

Type: String

security_result[n].rule_author

Description: Author of the security rule.

Type: String

security_result[n].rule_id

Description: A vendor-specific ID and name for a rule, varying by observerer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").

Type: String

security_result[n].rule_labels[n].key

Description: The key.

Type: String

security_result[n].rule_labels[n].value

Description: The value.

Type: String

security_result[n].rule_labels

Description: A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John").

Type: Array

security_result[n].rule_name

Description: Name of the security rule (e.g. "BlockInboundToOracle").

Type: String

security_result[n].rule_type

Description: The type of security rule.

Type: String

security_result[n].rule_version

Description: Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed.

Type: String

security_result[n].severity

Description: The severity of the result.

Type: Enum

Enum Description
UNKNOWN_SEVERITY The default severity level.
INFORMATIONAL Info severity.
ERROR An error.
LOW Low-severity malicious result.
MEDIUM Medium-severity malicious result.
HIGH High-severity malicious result.
CRITICAL Critical-severity malicious result.

security_result[n].severity_details

Description: Vendor-specific severity.

Type: String

security_result[n].summary

Description: A human readable summary (e.g. "failed login occurred")

Type: String

security_result[n].threat_feed_name

Description: Vendor feed name for a threat indicator feed.

Type: String

security_result[n].threat_id

Description: Vendor-specific ID for a threat.

Type: String

security_result[n].threat_id_namespace

Description: The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id.

Type: Enum

Enum Description
NORMALIZED_TELEMETRY Ingested and Normalized telemetry events
RAW_TELEMETRY Ingested Raw telemetry
RULE_DETECTIONS Chronicle Rules engine
UPPERCASE Uppercase
MACHINE_INTELLIGENCE DSML - Machine Intelligence
SECURITY_COMMAND_CENTER A normalized telemetry event from Google Security Command Center.

security_result[n].threat_name

Description: A vendor-assigned classification common across multiple customers (e.g. "W32/File-A", "Slammer").

Type: String

security_result[n].threat_status

Description: Current status of the threat

Type: Enum

Enum Description
THREAT_STATUS_UNSPECIFIED Default threat status
ACTIVE Active threat.
CLEARED Cleared threat.
FALSE_POSITIVE False positive.

security_result[n].url_back_to_product

Description: URL that takes the user to the source product console for this event.

Type: String