Securityresult Fields

A list of security results.

Securityresult Field Details

security_result[n].about.administrative_domain

Description: Domain which the device belongs to (for example, the Windows domain).

Type: String

security_result[n].about.application

Description: The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle".

Type: String

security_result[n].about.artifact.first_seen_time

Description: First seen timestamp of the IP in the customer's environment.

Type: String

security_result[n].about.artifact.ip

Description: IP address of the artifact.

Type: String

security_result[n].about.artifact.last_seen_time

Description: Last seen timestamp of the IP in the customer's environment.

Type: String

security_result[n].about.artifact.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.artifact.prevalence.day_max

Description: The max prevalence score in a day interval window.

Type: Integer

security_result[n].about.artifact.prevalence.day_max_sub_domains

Description: The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.

Type: Integer

security_result[n].about.artifact.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.artifact.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.

Type: Integer
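The prevalence fields above describe a rolling window computation but do not show it. The following is an added example, not code from the page or from the product it documents: it computes rolling_max and rolling_max_sub_domains over constructed access records (the RECORDS list and host names are invented), assuming, as the field descriptions imply, that "assets per day accessing the resource" means the number of distinct asset IDs seen on each calendar day. It also shows why the sub-domain match must be a real label-boundary suffix match: "example.com.attacker.test" must not count toward example.com. day_max is left out because its description does not define how the daily score is derived.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, Tuple

Record = Tuple[date, str, str]  # (day, asset_id, resource accessed)

# Constructed sample data (not from the page): one burst of ten hosts five
# days before D, then light traffic on D-2, D-1 and D.
D = date(2024, 3, 10)
RECORDS = [
    *[(D - timedelta(days=5), f"host-{n:02d}", "example.com") for n in range(10)],
    (D - timedelta(days=2), "host-a", "example.com"),
    (D - timedelta(days=2), "host-b", "example.com"),
    (D - timedelta(days=2), "host-c", "cdn.example.com"),
    (D - timedelta(days=1), "host-a", "example.com"),
    (D - timedelta(days=1), "host-a", "example.com"),   # same asset twice: counted once
    (D - timedelta(days=1), "host-d", "api.example.com"),
    (D - timedelta(days=1), "host-e", "api.example.com"),
    (D, "host-f", "example.com"),
    (D, "host-b", "example.com.attacker.test"),            # look-alike suffix, not a sub-domain
]


def distinct_assets_per_day(records: Iterable[Record],
                            matches: Callable[[str], bool]) -> Dict[date, int]:
    """Number of distinct assets per day that touched a matching resource."""
    per_day = defaultdict(set)
    for day, asset, resource in records:
        if matches(resource):
            per_day[day].add(asset)
    return {day: len(assets) for day, assets in per_day.items()}


def rolling_max(records: Iterable[Record], matches: Callable[[str], bool],
                end_day: date, day_count: int) -> int:
    """Max daily distinct-asset count over the trailing day_count days ending at end_day.

    Days with no matching access contribute 0, so a resource seen only once in
    the window still reports its single busiest day, never an average.
    """
    if day_count < 1:
        raise ValueError("day_count must be >= 1")
    counts = distinct_assets_per_day(records, matches)
    window = (end_day - timedelta(days=i) for i in range(day_count))
    return max(counts.get(day, 0) for day in window)


def domain_matcher(domain: str, include_sub_domains: bool) -> Callable[[str], bool]:
    """Case-insensitive exact match, optionally extended to sub-domains.

    The sub-domain test requires a '.' before the domain so that
    'example.com.attacker.test' does not match 'example.com'.
    """
    wanted = domain.lower().rstrip(".")

    def matches(resource: str) -> bool:
        seen = resource.lower().rstrip(".")
        return seen == wanted or (include_sub_domains and seen.endswith("." + wanted))

    return matches


def domain_prevalence(records: Iterable[Record], domain: str,
                      end_day: date, day_count: int) -> dict:
    """Return the prevalence sub-fields this page defines for a domain artifact."""
    records = list(records)
    return {
        "day_count": day_count,
        "rolling_max": rolling_max(records, domain_matcher(domain, False), end_day, day_count),
        "rolling_max_sub_domains": rolling_max(records, domain_matcher(domain, True), end_day, day_count),
    }


if __name__ == "__main__":
    # A 3-day window misses the burst; an 8-day window includes it.
    print(domain_prevalence(RECORDS, "example.com", D, 3))
    print(domain_prevalence(RECORDS, "example.com", D, 8))
```

Note the effect of day_count: with a 3-day window the domain has rolling_max 2, which is the kind of low-prevalence value hunting queries key on; widening the window to 8 days pulls in the earlier burst and reports 10, so compare prevalence values only when their day_count agrees.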

security_result[n].about.asset.asset_id

Description: The asset ID.

Type: String

security_result[n].about.asset.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from the region, which is location.name).

Type: String

security_result[n].about.asset.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.asset.attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.asset.attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.asset.attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.asset.attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.asset.attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.asset.attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.asset.attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.asset.attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.asset.attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.asset.attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.asset.attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.asset.attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.asset.attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.asset.attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.asset.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.asset.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.asset.attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.asset.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.asset.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.asset.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.asset.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.asset.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.asset.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.asset.attribute.permissions

Description: System permissions for an IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.asset.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.asset.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.asset.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.asset.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.asset.category

Description: The category of the asset (e.g. "End User Asset", "Workstation", "Server").

Type: String

security_result[n].about.asset.creation_time

Description: Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.

Type: String

security_result[n].about.asset.deployment_status

Description: The deployment status of the asset for device lifecycle purposes.

Type: Enum

Enum Description
DEPLOYMENT_STATUS_UNSPECIFIED Unspecified deployment status.
ACTIVE Asset is active, functional and deployed.
PENDING_DECOMISSION Asset is pending decommission and no longer deployed.
DECOMISSIONED Asset is decommissioned.

security_result[n].about.asset.first_discover_time

Description: Time the asset was first discovered (by asset management/discoverability software).

Type: String

security_result[n].about.asset.first_seen_time

Description: The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.asset.hardware[n].cpu_clock_speed

Description: Clock speed of the hardware CPU in MHz.

Type: String

security_result[n].about.asset.hardware[n].cpu_max_clock_speed

Description: Maximum possible clock speed of the hardware CPU in MHz.

Type: String

security_result[n].about.asset.hardware[n].cpu_model

Description: Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5").

Type: String

security_result[n].about.asset.hardware[n].cpu_number_cores

Description: Number of CPU cores.

Type: String

security_result[n].about.asset.hardware[n].cpu_platform

Description: Platform of the hardware CPU (e.g. "Intel Broadwell").

Type: String

security_result[n].about.asset.hardware[n].manufacturer

Description: Hardware manufacturer.

Type: String

security_result[n].about.asset.hardware[n].model

Description: Hardware model.

Type: String

security_result[n].about.asset.hardware[n].ram

Description: Amount of hardware random access memory (RAM) in MB (megabytes).

Type: String

security_result[n].about.asset.hardware[n].serial_number

Description: Hardware serial number.

Type: String

security_result[n].about.asset.hardware

Description: The asset hardware specifications.

Type: Array

security_result[n].about.asset.hostname

Description: Asset hostname or domain name field.

Type: String

security_result[n].about.asset.ip

Description: A list of IP addresses associated with an asset.

Type: Array

security_result[n].about.asset.labels[n].key

Description: The key.

Type: String

security_result[n].about.asset.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.asset.labels[n].value

Description: The value.

Type: String

security_result[n].about.asset.labels

Description: Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.

Type: Array

security_result[n].about.asset.last_boot_time

Description: Time the asset was last booted.

Type: String

security_result[n].about.asset.last_discover_time

Description: Time the asset was last discovered (by asset management/discoverability software).

Type: String

security_result[n].about.asset.location.city

Description: The city.

Type: String

security_result[n].about.asset.location.country_or_region

Description: The country or region.

Type: String

security_result[n].about.asset.location.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.asset.location.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.asset.location.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.asset.location.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.asset.location.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.asset.location.state

Description: The state.

Type: String

security_result[n].about.asset.mac

Description: List of MAC addresses associated with an asset.

Type: Array

security_result[n].about.asset.nat_ip

Description: List of NAT IP addresses associated with an asset.

Type: Array

security_result[n].about.asset.network_domain

Description: The network domain of the asset (e.g. "corp.acme.com").

Type: String

security_result[n].about.asset.platform_software.platform

Description: The platform operating system.

Type: Enum

Enum Description
UNKNOWN_PLATFORM Default value.
WINDOWS Windows.
MAC Mac OS.
LINUX Linux.
GCP DEPRECATED - See cloud.environment.
AWS DEPRECATED - See cloud.environment.
AZURE DEPRECATED - See cloud.environment.

security_result[n].about.asset.platform_software.platform_patch_level

Description: The platform software patch level (e.g. "Build 17134.48", "SP1").

Type: String

security_result[n].about.asset.platform_software.platform_version

Description: The platform software version (e.g. "Microsoft Windows 1803").

Type: String

security_result[n].about.asset.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID or similar).

Type: String

security_result[n].about.asset.software[n].name

Description: The name of the software.

Type: String

security_result[n].about.asset.software[n].permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.asset.software[n].permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.asset.software[n].permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.asset.software[n].permissions

Description: System permissions granted to the software (e.g. "android.permission.WRITE_EXTERNAL_STORAGE").

Type: Array

security_result[n].about.asset.software[n].version

Description: The version of the software.

Type: String

security_result[n].about.asset.software

Description: The asset software details.

Type: Array

security_result[n].about.asset.system_last_update_time

Description: Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM) use Attribute.last_update_time.

Type: String

security_result[n].about.asset.type

Description: The type of the asset (e.g. workstation or laptop or server).

Type: Enum

Enum Description
ROLE_UNSPECIFIED Unspecified asset role.
WORKSTATION A workstation or desktop.
LAPTOP A laptop computer.
IOT An IOT asset.
NETWORK_ATTACHED_STORAGE A network attached storage device.
PRINTER A printer.
SCANNER A scanner.
SERVER A server.
TAPE_LIBRARY A tape library device.
MOBILE A mobile device such as a mobile phone or PDA.

security_result[n].about.asset.vulnerabilities[n].cve_description

Description: Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record

Type: String

security_result[n].about.asset.vulnerabilities[n].cve_id

Description: Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id

Type: String

security_result[n].about.asset.vulnerabilities[n].cvss_base_score

Description: CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting.

Type: Number

security_result[n].about.asset.vulnerabilities[n].cvss_vector

Description: Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C"). A CVSS v2 vector such as this example can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=VALUE (check cvss_version before choosing a calculator, since v2 and v3.x vectors use different metric names and formulas).

Type: String

security_result[n].about.asset.vulnerabilities[n].cvss_version

Description: Version of CVSS Vector/Score.

Type: String

security_result[n].about.asset.vulnerabilities[n].description

Description: Description of the vulnerability.

Type: String

security_result[n].about.asset.vulnerabilities[n].first_found

Description: Products that maintain a history of vulnerability scans should populate first_found with the time that a scan first detected the vulnerability on this asset.

Type: String

security_result[n].about.asset.vulnerabilities[n].last_found

Description: Products that maintain a history of vulnerability scans should populate last_found with the time that a scan last detected the vulnerability on this asset.

Type: String

security_result[n].about.asset.vulnerabilities[n].name

Description: Name of the vulnerability (e.g. "Unsupported OS Version detected").

Type: String

security_result[n].about.asset.vulnerabilities[n].scan_end_time

Description: If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.

Type: String

security_result[n].about.asset.vulnerabilities[n].scan_start_time

Description: If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.

Type: String

security_result[n].about.asset.vulnerabilities[n].severity

Description: The severity of the vulnerability.

Type: Enum

Enum Description
UNKNOWN_SEVERITY The default severity level.
LOW Low severity.
MEDIUM Medium severity.
HIGH High severity.
CRITICAL Critical severity.

security_result[n].about.asset.vulnerabilities[n].severity_details

Description: Vendor-specific severity.

Type: String

security_result[n].about.asset.vulnerabilities[n].vendor

Description: Vendor of scan that discovered vulnerability.

Type: String

security_result[n].about.asset.vulnerabilities[n].vendor_knowledge_base_article_id

Description: Vendor-specific knowledge base article ID (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase

Type: String

security_result[n].about.asset.vulnerabilities[n].vendor_vulnerability_id

Description: Vendor-specific vulnerability ID (e.g. Microsoft security bulletin ID).

Type: String

security_result[n].about.asset.vulnerabilities

Description: Vulnerabilities discovered on asset.

Type: Array

security_result[n].about.asset_id

Description: The asset ID.

Type: String

security_result[n].about.cloud.availability_zone

Description: The cloud environment availability zone (different from the region, which is location.name).

Type: String

security_result[n].about.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.admin.account_type

Description: Type of user account (service, domain, cloud, etc.). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account that is part of a domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.domain.admin.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from the region, which is location.name).

Type: String

security_result[n].about.domain.admin.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.admin.attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.admin.attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.admin.attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.admin.attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.admin.attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.admin.attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.admin.attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.admin.attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.admin.attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.admin.attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.admin.attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.admin.attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.admin.attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.admin.attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.admin.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.admin.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.admin.attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.domain.admin.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.admin.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.admin.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.admin.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.admin.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.admin.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.admin.attribute.permissions

Description: System permissions for an IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.admin.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.admin.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.admin.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.admin.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.admin.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.admin.department

Description: User job department.

Type: Array

security_result[n].about.domain.admin.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.admin.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.admin.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.admin.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.admin.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to: a vendor-specific identifier that uniquely identifies each group (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.admin.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.admin.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.admin.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.admin.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.admin.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.admin.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.admin.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.admin.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.admin.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.domain.admin.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.admin.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.admin.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.admin.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.admin.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.admin.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.admin.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.admin.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.admin.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.admin.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.admin.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.admin.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.admin.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.admin.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.admin.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.admin.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.admin.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.admin.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.admin.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.admin.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.admin.time_off

Description: Periods of user time off (leave) from active work.

Type: Array

security_result[n].about.domain.admin.title

Description: User job title.

Type: String

security_result[n].about.domain.admin.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.admin.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.admin.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.admin.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.admin.windows_sid

Description: The Windows SID of the user.

Type: String

security_result[n].about.domain.audit_update_time

Description: Audit updated time.

Type: String

security_result[n].about.domain.billing.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account that is part of a domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built-in default account.

security_result[n].about.domain.billing.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.billing.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.billing.attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.billing.attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.billing.attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.billing.attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.billing.attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.billing.attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.billing.attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.billing.attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.billing.attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.billing.attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.billing.attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.billing.attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.billing.attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.billing.attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.billing.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.billing.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.billing.attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated. @hide_from_doc

Type: String

security_result[n].about.domain.billing.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.billing.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.billing.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.billing.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.billing.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.billing.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.billing.attribute.permissions

Description: System permissions for an IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.billing.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.billing.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.billing.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.billing.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.billing.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.billing.department

Description: User job department.

Type: Array

security_result[n].about.domain.billing.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.billing.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.billing.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.billing.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.billing.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.billing.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.billing.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.billing.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.billing.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.billing.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.billing.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.billing.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.billing.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.billing.office_address.floor_name

Description: Floor name, number or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.billing.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.billing.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.billing.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.billing.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.billing.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.billing.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.billing.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.billing.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.billing.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.billing.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.billing.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.billing.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.billing.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.billing.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.billing.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.billing.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.billing.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.billing.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.billing.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.billing.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.billing.time_off

Description: Periods of user time off (leave) from active work.

Type: Array

security_result[n].about.domain.billing.title

Description: User job title.

Type: String

security_result[n].about.domain.billing.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.billing.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.billing.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.billing.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.billing.windows_sid

Description: The Windows SID of the user.

Type: String

security_result[n].about.domain.contact_email

Description: Contact email address.

Type: String

security_result[n].about.domain.creation_time

Description: Domain creation time.

Type: String

security_result[n].about.domain.expiration_time

Description: Expiration time.

Type: String

security_result[n].about.domain.first_seen_time

Description: First seen timestamp of the domain in the customer's environment.

Type: String

security_result[n].about.domain.iana_registrar_id

Description: IANA Registrar ID. See: https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml

Type: Integer

security_result[n].about.domain.last_seen_time

Description: Last seen timestamp of the domain in the customer's environment.

Type: String

security_result[n].about.domain.name

Description: The domain name.

Type: String

security_result[n].about.domain.name_server

Description: Repeated list of name servers.

Type: Array

security_result[n].about.domain.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.domain.prevalence.day_max

Description: The max prevalence score in a day interval window.

Type: Integer

security_result[n].about.domain.prevalence.day_max_sub_domains

Description: The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.

Type: Integer

security_result[n].about.domain.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.domain.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.

Type: Integer

security_result[n].about.domain.private_registration

Description: Indicates whether the domain appears to be using a private registration service to mask the owner's contact information.

Type: Boolean

security_result[n].about.domain.registrant.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account that is part of a domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built-in default account.

security_result[n].about.domain.registrant.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.registrant.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.registrant.attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.registrant.attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.registrant.attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.registrant.attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.registrant.attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.registrant.attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.registrant.attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.registrant.attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.registrant.attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.registrant.attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.registrant.attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.registrant.attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.registrant.attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.registrant.attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.registrant.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.registrant.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.registrant.attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated. @hide_from_doc

Type: String

security_result[n].about.domain.registrant.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.registrant.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.registrant.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.registrant.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.registrant.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.registrant.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.registrant.attribute.permissions

Description: System permissions for an IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.registrant.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.registrant.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.registrant.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.registrant.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.registrant.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.registrant.department

Description: User job department.

Type: Array

security_result[n].about.domain.registrant.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.registrant.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.registrant.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.registrant.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.registrant.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.registrant.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.registrant.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.registrant.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.registrant.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.registrant.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.registrant.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.registrant.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.registrant.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.registrant.office_address.floor_name

Description: Floor name, number or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.registrant.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.registrant.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.registrant.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.registrant.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.registrant.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.registrant.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.registrant.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.registrant.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.registrant.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.registrant.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.registrant.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.registrant.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.registrant.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.registrant.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.registrant.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.registrant.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.registrant.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.registrant.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.registrant.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.registrant.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.registrant.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.domain.registrant.title

Description: User job title.

Type: String

security_result[n].about.domain.registrant.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.registrant.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.registrant.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.registrant.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.registrant.windows_sid

Description: The Windows SID of the user.

Type: String

security_result[n].about.domain.registrar

Description: Registrar name - e.g. "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM", etc.

Type: String

security_result[n].about.domain.registry_data_raw_text

Description: Registry data raw text.

Type: String

security_result[n].about.domain.status

Description: Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values.

Type: String

security_result[n].about.domain.tech.account_type

Description: Type of user account (service, domain, cloud, etc.). Somewhat aligned with https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.domain.tech.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.tech.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.tech.attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.tech.attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.tech.attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.tech.attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.tech.attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.tech.attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.tech.attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.tech.attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.tech.attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.tech.attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.tech.attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.tech.attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.tech.attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.tech.attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.tech.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.tech.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.tech.attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.domain.tech.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.tech.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc.). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.tech.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.tech.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.tech.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.tech.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.tech.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.tech.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.tech.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.tech.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.tech.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.tech.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.tech.department

Description: User job department.

Type: Array

security_result[n].about.domain.tech.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.tech.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.tech.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.tech.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.tech.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.tech.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.tech.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.tech.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.tech.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.tech.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.tech.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.tech.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.tech.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.tech.office_address.floor_name

Description: Floor name, number, or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.tech.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.tech.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.tech.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.tech.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.tech.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.tech.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.tech.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.tech.personal_address.floor_name

Description: Floor name, number, or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.tech.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.tech.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.tech.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.tech.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.tech.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.tech.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.tech.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.tech.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.tech.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.tech.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.tech.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.tech.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.tech.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.domain.tech.title

Description: User job title.

Type: String

security_result[n].about.domain.tech.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.tech.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.tech.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.tech.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.tech.windows_sid

Description: The Windows SID of the user.

Type: String

security_result[n].about.domain.update_time

Description: Last updated time.

Type: String

security_result[n].about.domain.whois_record_raw_text

Description: Unix epoch of the time when DomainTools first captured the record, or the time when DomainTools captured a change to the record. domaintools_time_ms is also used as the Bigtable timestamp.

Type: String

security_result[n].about.domain.whois_server

Description: Whois server name.

Type: String

security_result[n].about.domain.zone.account_type

Description: Type of user account (service, domain, cloud, etc.). Somewhat aligned with https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built in default account.

security_result[n].about.domain.zone.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.domain.zone.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.domain.zone.attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.zone.attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.zone.attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.zone.attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.zone.attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.zone.attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.zone.attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.zone.attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.domain.zone.attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.domain.zone.attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.domain.zone.attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.domain.zone.attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.domain.zone.attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.domain.zone.attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.domain.zone.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.domain.zone.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.domain.zone.attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.domain.zone.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.domain.zone.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc.). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.domain.zone.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.domain.zone.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.domain.zone.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.domain.zone.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.domain.zone.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.domain.zone.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.domain.zone.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.domain.zone.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.domain.zone.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.domain.zone.company_name

Description: User job company name.

Type: String

security_result[n].about.domain.zone.department

Description: User job department.

Type: Array

security_result[n].about.domain.zone.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.domain.zone.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.domain.zone.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.domain.zone.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.domain.zone.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.domain.zone.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.domain.zone.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.domain.zone.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.domain.zone.managers

Description: User job manager(s).

Type: Array

security_result[n].about.domain.zone.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.domain.zone.office_address.city

Description: The city.

Type: String

security_result[n].about.domain.zone.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.zone.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.zone.office_address.floor_name

Description: Floor name, number, or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.zone.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.zone.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.zone.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.zone.office_address.state

Description: The state.

Type: String

security_result[n].about.domain.zone.personal_address.city

Description: The city.

Type: String

security_result[n].about.domain.zone.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.domain.zone.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.domain.zone.personal_address.floor_name

Description: Floor name, number, or a combination of the two for a building (e.g. "1-A").

Type: String

security_result[n].about.domain.zone.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.domain.zone.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.domain.zone.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.domain.zone.personal_address.state

Description: The state.

Type: String

security_result[n].about.domain.zone.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.domain.zone.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar).

Type: String

security_result[n].about.domain.zone.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.zone.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.domain.zone.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.domain.zone.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.domain.zone.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end.

Type: String

security_result[n].about.domain.zone.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start.

Type: String

security_result[n].about.domain.zone.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.domain.zone.title

Description: User job title.

Type: String

security_result[n].about.domain.zone.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.domain.zone.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.domain.zone.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: Not a role, instead set User.account_type.

security_result[n].about.domain.zone.userid

Description: The ID of the user.

Type: String

security_result[n].about.domain.zone.windows_sid

Description: The Windows SID of the user.

Type: String

security_result[n].about.email

Description: Email address. Only filled in for security_result.about.

Type: String

security_result[n].about.file.ahash

Description: Deprecated, please use authentihash instead.

Type: String

security_result[n].about.file.authentihash

Description: Authentihash of the file.

Type: String

security_result[n].about.file.capabilities_tags

Description: Capabilities tags.

Type: Array

security_result[n].about.file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

security_result[n].about.file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE File type is PE_EXE.
FILE_TYPE_PE_DLL Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK File type is LNK.
FILE_TYPE_JPEG File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is Adobe InDesign.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP File type is CAP.
FILE_TYPE_ISOIMAGE File type is ISOIMAGE.
FILE_TYPE_APPLE File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED.
FILE_TYPE_CRX File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM File type is ROM.

security_result[n].about.file.first_seen_time

Description: Timestamp the file was first seen in the customer's environment.

Type: String

security_result[n].about.file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

security_result[n].about.file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

security_result[n].about.file.last_seen_time

Description: Timestamp the file was last seen in the customer's environment.

Type: String

security_result[n].about.file.md5

Description: The MD5 hash of the file.

Type: String

security_result[n].about.file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

security_result[n].about.file.names

Description: Names fields.

Type: Array

security_result[n].about.file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

security_result[n].about.file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

security_result[n].about.file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

security_result[n].about.file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

security_result[n].about.file.pe_file.imphash

Description: Imphash of the file.

Type: String

security_result[n].about.file.pe_file.imports[n].functions

Description: Names of the functions imported from this library.

Type: Array

security_result[n].about.file.pe_file.imports[n].library

Description: Name of the imported library (for example, a DLL).

Type: String

security_result[n].about.file.pe_file.imports

Description: PE import table: one entry per imported library, with the functions imported from it.

Type: Array

security_result[n].about.file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

security_result[n].about.file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

security_result[n].about.file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module.

Type: String

security_result[n].about.file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. Examples:

Language Sublanguage Field value
LANG_NEUTRAL SUBLANG_NEUTRAL NEUTRAL
LANG_FRENCH - FRENCH
LANG_ENGLISH SUBLANG_ENGLISH_US ENGLISH US

Type: String

security_result[n].about.file.pe_file.resource[n].sha256_hex

Description: SHA-256 hash of the resource, hex-encoded.

Type: String

security_result[n].about.file.pe_file.resource

Description: PE resource entries.

Type: Array

security_result[n].about.file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

security_result[n].about.file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

security_result[n].about.file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

security_result[n].about.file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

security_result[n].about.file.pe_file.resources_language_count_str[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

security_result[n].about.file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

security_result[n].about.file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

security_result[n].about.file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

security_result[n].about.file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

security_result[n].about.file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

security_result[n].about.file.pe_file.resources_type_count_str[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

security_result[n].about.file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

security_result[n].about.file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

security_result[n].about.file.pe_file.section[n].md5_hex

Description: MD5 hash of the section, hex-encoded.

Type: String

security_result[n].about.file.pe_file.section[n].name

Description: Name of the section.

Type: String

security_result[n].about.file.pe_file.section[n].raw_size_bytes

Description: Raw (on-disk) size of the section in bytes.

Type: String

security_result[n].about.file.pe_file.section[n].virtual_size_bytes

Description: Virtual (in-memory) size of the section in bytes.

Type: String

security_result[n].about.file.pe_file.section

Description: PE section entries.

Type: Array
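
The resources_*_count_str arrays and the section fields above are descriptive, so the following added example (written for this page, not Google's code) shows how such values are produced from a PE's resources and section bytes: a Counter builds the per-language and per-type label arrays with String-typed counts, Shannon entropy is computed on the 0..8 bits-per-byte scale the entropy fields use, and raw_size_bytes / virtual_size_bytes are parsed back from their String representation before being compared. The sample resources, section names, the 7.0 entropy threshold and the 2x size ratio are constructed assumptions, not schema values.

```python
import hashlib
import math
from collections import Counter

# Constructed sample resource entries, shaped like the
# security_result[n].about.file.pe_file.resource[n] fields (values made up).
SAMPLE_RESOURCES = [
    {"file_type": "RT_ICON", "language_code": "NEUTRAL"},
    {"file_type": "RT_ICON", "language_code": "ENGLISH US"},
    {"file_type": "RT_DIALOG", "language_code": "ENGLISH US"},
    {"file_type": "RT_VERSION", "language_code": "ENGLISH US"},
]


def count_str_labels(resources, key):
    """Build a resources_*_count_str array from the per-resource field `key`.

    Each element is a {key, value} label; the count is serialised as a string
    because the UDM field type is String, not Integer.
    """
    counts = Counter(r[key] for r in resources if r.get(key))
    return [{"key": k, "value": str(v)} for k, v in sorted(counts.items())]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform).

    This is the scale used by pe_file.section[n].entropy and
    pe_file.resource[n].entropy.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe_section(name: str, raw: bytes, virtual_size: int) -> dict:
    """Populate one pe_file.section[n] entry from the section's raw bytes.

    raw_size_bytes and virtual_size_bytes are String-typed in UDM, so they are
    stored as decimal strings and must be parsed back before comparing.
    """
    return {
        "name": name,
        "md5_hex": hashlib.md5(raw).hexdigest(),
        "entropy": round(shannon_entropy(raw), 3),
        "raw_size_bytes": str(len(raw)),
        "virtual_size_bytes": str(virtual_size),
    }


def section_flags(section: dict, entropy_threshold: float = 7.0) -> list:
    """Triage hints for a section entry.

    The 7.0 entropy threshold and the 2x size ratio are assumptions chosen for
    this example; the UDM schema defines no such thresholds.
    """
    flags = []
    raw = int(section["raw_size_bytes"])
    virt = int(section["virtual_size_bytes"])
    if section["entropy"] >= entropy_threshold:
        flags.append("high_entropy")            # packed or encrypted content
    if raw == 0 and virt > 0:
        flags.append("no_raw_data")             # section is filled in at run time
    elif raw and virt > raw * 2:
        flags.append("virtual_much_larger_than_raw")
    return flags


if __name__ == "__main__":
    print(count_str_labels(SAMPLE_RESOURCES, "language_code"))
    print(count_str_labels(SAMPLE_RESOURCES, "file_type"))
    packed = describe_section(".upx1", bytes(range(256)) * 4, 1024)
    stub = describe_section(".bss", b"", 65536)
    print(packed["name"], section_flags(packed))
    print(stub["name"], section_flags(stub))
```

A section whose raw size is zero but whose virtual size is large is normal for .bss-style data, so "no_raw_data" on its own is a hint to correlate with the entropy of the other sections and the import table, not a verdict.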

security_result[n].about.file.pe_file.signature_info.signer

Description: Deprecated, please use signers field.

Type: Array

security_result[n].about.file.pe_file.signature_info.signers[n].name

Description: Common name of the signer. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.

Type: String

security_result[n].about.file.pe_file.signature_info.signers

Description: File metadata signer information, ordered from the signing certificate to the root: each element is a higher-level authority than the one before it, and the last element is the root authority.

Type: Array

security_result[n].about.file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

security_result[n].about.file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed"

Type: Boolean
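
The signature_info fields above define two relationships worth checking at ingestion or detection time: verified must equal (verification_message == "Signed"), and the signers array runs from the signing certificate to the root authority. The added example below (written for this page, not Google's code) applies both checks to constructed payloads, falls back to the deprecated signer array when signers is absent, and compares the root authority's common name against a caller-supplied allow-list. The signer names, the allow-list and the assumption that the deprecated signer array holds plain name strings are all assumptions of the example.

```python
# Constructed signature_info payloads, shaped like
# security_result[n].about.file.pe_file.signature_info (names are made up).
SIGNED = {
    "signers": [
        {"name": "Example Software Ltd"},     # leaf: the certificate that signed the file
        {"name": "Example Code Signing CA"},  # intermediate authority
        {"name": "Example Root CA"},          # last element: the root authority
    ],
    "verification_message": "Signed",
    "verified": True,
}

INCONSISTENT = {
    "signer": ["Example Software Ltd"],       # deprecated field only, no `signers`
    "verification_message": "Certificate has expired",
    "verified": True,                         # contradicts the message; must be False
}


def expected_verified(info: dict) -> bool:
    """The documented invariant: verified is True iff verification_message == "Signed"."""
    return info.get("verification_message") == "Signed"


def signer_chain(info: dict) -> list:
    """Signer common names, leaf first and root authority last.

    Falls back to the deprecated `signer` array, assumed here to hold plain
    name strings, when `signers` is absent.
    """
    if info.get("signers"):
        return [s["name"] for s in info["signers"]]
    return list(info.get("signer") or [])


def check_signature_info(info: dict, trusted_roots: set) -> list:
    """Return triage observations for one signature_info block.

    `trusted_roots` is an allow-list of root-authority common names that the
    caller maintains. Matching on the common name alone is a triage heuristic,
    not cryptographic verification: the UDM field carries only names, not
    certificates.
    """
    obs = []
    msg = info.get("verification_message", "")
    if bool(info.get("verified")) != expected_verified(info):
        obs.append("verified_inconsistent_with_message")
    if msg == "Unsigned":
        obs.append("unsigned")
    elif msg and msg != "Signed":
        obs.append("certificate_anomaly:" + msg)
    chain = signer_chain(info)
    if chain:
        obs.append("leaf_signer=" + chain[0])
        obs.append("root_authority=" + chain[-1])   # a one-element chain is self-signed
        if chain[-1] not in trusted_roots:
            obs.append("untrusted_root")
    return obs


if __name__ == "__main__":
    roots = {"Example Root CA"}
    print(check_signature_info(SIGNED, roots))
    print(check_signature_info(INCONSISTENT, roots))
```

A one-element chain means the leaf and the root are the same certificate, so "root_authority" then names a self-signed signer; whether that is acceptable depends on the allow-list the caller passes in.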

security_result[n].about.file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.file.prevalence.day_max

Description: The max prevalence score in a day interval window.

Type: Integer

security_result[n].about.file.prevalence.day_max_sub_domains

Description: The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.

Type: Integer

security_result[n].about.file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.

Type: Integer
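
The prevalence fields describe rolling_max as the largest number of distinct assets accessing the resource on any single day within the trailing day_count days. The added example below (written for this page, not Google's code) computes rolling_max from constructed per-day access records for a file hash and shows how a low value supports rarity-based triage. The access records, the hash, and the reading of day_max as the count for the single day being evaluated are assumptions of the example; the 3-asset rarity threshold is an example value, not a schema rule.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed access records (day, asset_id, resource): which assets were seen
# running the file with this hash on which day. The hash is made up.
FILE = "sha256:0000deadbeef"
SAMPLE_ACCESSES = [
    (date(2024, 5, 1), "host-01", FILE),
    (date(2024, 5, 1), "host-02", FILE),
    (date(2024, 5, 2), "host-01", FILE),
    (date(2024, 5, 3), "host-01", FILE),
    (date(2024, 5, 3), "host-02", FILE),
    (date(2024, 5, 3), "host-03", FILE),
    (date(2024, 5, 9), "host-07", FILE),
    (date(2024, 5, 9), "host-07", "sha256:other"),  # different resource, ignored
]


def assets_per_day(accesses, resource) -> dict:
    """Number of distinct assets that accessed `resource` on each day."""
    per_day = defaultdict(set)
    for day, asset, res in accesses:
        if res == resource:
            per_day[day].add(asset)
    return {d: len(a) for d, a in per_day.items()}


def prevalence(accesses, resource, as_of: date, day_count: int) -> dict:
    """Compute the prevalence fields for `resource` as of `as_of`.

    rolling_max follows the field description: the largest per-day distinct
    asset count over the trailing `day_count` days, i.e. the window
    [as_of - (day_count - 1), as_of]. day_max is taken here as the count for
    the single day `as_of` (a one-day window); that reading of "day interval
    window" is an assumption of this example.
    """
    counts = assets_per_day(accesses, resource)
    start = as_of - timedelta(days=day_count - 1)
    window = [counts.get(start + timedelta(days=i), 0) for i in range(day_count)]
    return {
        "day_count": day_count,
        "day_max": counts.get(as_of, 0),
        "rolling_max": max(window),
    }


def is_rare(prev: dict, max_assets: int = 3) -> bool:
    """Rarity triage: no more than `max_assets` distinct assets ran the file on
    any day of the window. The threshold is an example value, not a schema rule."""
    return prev["rolling_max"] <= max_assets


if __name__ == "__main__":
    for as_of, days in ((date(2024, 5, 3), 7), (date(2024, 5, 9), 7), (date(2024, 5, 9), 3)):
        p = prevalence(SAMPLE_ACCESSES, FILE, as_of, days)
        print(as_of, days, p, "rare" if is_rare(p) else "common")
```

Because rolling_max is a per-day maximum rather than a total, a file run once on each of a hundred hosts over a month can still score low; pair it with first_seen_time when hunting for slow-spreading tooling.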

security_result[n].about.file.sha1

Description: The SHA1 hash of the file.

Type: String

security_result[n].about.file.sha256

Description: The SHA256 hash of the file.

Type: String

security_result[n].about.file.size

Description: The size of the file in bytes.

Type: String

security_result[n].about.file.ssdeep

Description: Ssdeep of the file

Type: String

security_result[n].about.file.vhash

Description: Vhash of the file.

Type: String

security_result[n].about.group.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.group.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.group.attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.group.attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.group.attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.group.attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)

Type: String

security_result[n].about.group.attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.group.attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.group.attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.group.attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.group.attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.group.attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.group.attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)

Type: String

security_result[n].about.group.attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.group.attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.group.attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.group.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.group.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.group.attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.group.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.group.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.group.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.group.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.group.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.group.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.group.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.group.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.group.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.group.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.group.attribute.roles

Description: System IAM roles to be assumed by resources to use the role's permissions for access control.

Type: Array

security_result[n].about.group.creation_time

Description: Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.

Type: String

security_result[n].about.group.email_addresses

Description: Email addresses of the group.

Type: Array

security_result[n].about.group.group_display_name

Description: Group display name. e.g. "Finance".

Type: String

security_result[n].about.group.product_object_id

Description: Product globally unique object identifier for the group, such as an LDAP Object Identifier.

Type: String

security_result[n].about.group.windows_sid

Description: Windows SID of the group.

Type: String

security_result[n].about.hostname

Description: Client hostname or domain name field. Hostname also doubles as the domain for remote entities.

Type: String

security_result[n].about.investigation.comments

Description: Comment added by the Analyst.

Type: Array

security_result[n].about.investigation.priority

Description: Priority of the Alert or Finding set by analyst.

Type: Enum

Enum Description
PRIORITY_UNSPECIFIED Default priority level.
PRIORITY_INFO Informational priority.
PRIORITY_LOW Low priority.
PRIORITY_MEDIUM Medium priority.
PRIORITY_HIGH High priority.
PRIORITY_CRITICAL Critical priority.

security_result[n].about.investigation.reason

Description: Reason for closing the Case or Alert.

Type: Enum

Enum Description
REASON_UNSPECIFIED Default reason.
REASON_NOT_MALICIOUS Case or Alert not malicious.
REASON_MALICIOUS Case or Alert is malicious.
REASON_MAINTENANCE Case or Alert is under maintenance.

security_result[n].about.investigation.reputation

Description: Describes whether a finding was useful or not-useful.

Type: Enum

Enum Description
REPUTATION_UNSPECIFIED An unspecified reputation.
USEFUL A categorization of the finding as useful.
NOT_USEFUL A categorization of the finding as not useful.

security_result[n].about.investigation.risk_score

Description: Risk score for a finding set by an analyst.

Type: Integer

security_result[n].about.investigation.root_cause

Description: Root cause of the Alert or Finding set by analyst.

Type: String

security_result[n].about.investigation.severity_score

Description: Severity score for a finding set by an analyst.

Type: Integer

security_result[n].about.investigation.status

Description: Describes the workflow status of a finding.

Type: Enum

Enum Description
STATUS_UNSPECIFIED Unspecified finding status.
NEW New finding.
REVIEWED When a finding has feedback.
CLOSED When an analyst closes a finding.
OPEN Open. Used to indicate that a Case / Alert is open.

security_result[n].about.investigation.verdict

Description: Describes reason a finding investigation was resolved.

Type: Enum

Enum Description
VERDICT_UNSPECIFIED An unspecified verdict.
TRUE_POSITIVE A categorization of the finding as a "true positive".
FALSE_POSITIVE A categorization of the finding as a "false positive".

security_result[n].about.ip

Description: A list of IP addresses associated with a network connection.

Type: Array

security_result[n].about.ip_location[n].city

Description: The city.

Type: String

security_result[n].about.ip_location[n].country_or_region

Description: The country or region.

Type: String

security_result[n].about.ip_location[n].desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.ip_location[n].floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.ip_location[n].name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.ip_location[n].region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.ip_location[n].region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.ip_location[n].state

Description: The state.

Type: String

security_result[n].about.ip_location

Description: Enriched location information corresponding to IP address. Note: This field can include both ingested location data and a location field retrieved from artifact aliasing.

Type: Array

security_result[n].about.labels[n].key

Description: The key.

Type: String

security_result[n].about.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.labels[n].value

Description: The value.

Type: String

security_result[n].about.labels

Description: Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).

Type: Array

security_result[n].about.location.city

Description: The city.

Type: String

security_result[n].about.location.country_or_region

Description: The country or region.

Type: String

security_result[n].about.location.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.location.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.location.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.location.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.location.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.location.state

Description: The state.

Type: String

security_result[n].about.mac

Description: List of MAC addresses associated with a device.

Type: Array

security_result[n].about.namespace

Description: Namespace which the device belongs to (e.g. AD forest). Uses for this field include the Windows AD forest, the name of a subsidiary or acquisition, etc.

Type: String

security_result[n].about.nat_ip

Description: A list of NAT translated IP addresses associated with a network connection.

Type: Array

security_result[n].about.nat_port

Description: NAT external network port number when a specific network connection is described within an event.

Type: Integer

security_result[n].about.object_reference.id

Description: Full raw ID.

Type: String

security_result[n].about.object_reference.namespace

Description: Namespace the id belongs to.

Type: Enum

Enum Description
NORMALIZED_TELEMETRY Ingested and normalized telemetry events.
RAW_TELEMETRY Ingested raw telemetry.
RULE_DETECTIONS Chronicle Rules engine.
UPPERCASE Uppercase.
MACHINE_INTELLIGENCE DSML - Machine Intelligence.
SECURITY_COMMAND_CENTER A normalized telemetry event from Google Security Command Center.
UNSPECIFIED Unspecified namespace.

security_result[n].about.platform

Description: Platform.

Type: Enum

Enum Description
UNKNOWN_PLATFORM Default value.
WINDOWS Windows.
MAC Mac OS.
LINUX Linux.
GCP DEPRECATED - See cloud.environment.
AWS DEPRECATED - See cloud.environment.
AZURE DEPRECATED - See cloud.environment.

security_result[n].about.platform_patch_level

Description: Platform patch level. e.g. "Build 17134.48"

Type: String

security_result[n].about.platform_version

Description: Platform version. e.g. "Microsoft Windows 1803"

Type: String

security_result[n].about.port

Description: Source or destination network port number when a specific network connection is described within an event.

Type: Integer

security_result[n].about.process.access_mask

Description: A bit mask representing the level of access.

Type: String

security_result[n].about.process.command_line

Description: The command line command that created the process.

Type: String

security_result[n].about.process.command_line_history

Description: The command line history of the process.

Type: Array

security_result[n].about.process.file.ahash

Description: Deprecated, please use authentihash instead.

Type: String

security_result[n].about.process.file.authentihash

Description: Authentihash of the file.

Type: String

security_result[n].about.process.file.capabilities_tags

Description: Capabilities tags.

Type: Array

security_result[n].about.process.file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

security_result[n].about.process.file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE File type is PE_EXE.
FILE_TYPE_PE_DLL Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK File type is LNK.
FILE_TYPE_JPEG File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is Adobe InDesign.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP File type is CAP.
FILE_TYPE_ISOIMAGE File type is ISOIMAGE.
FILE_TYPE_APPLE File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED.
FILE_TYPE_CRX File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM File type is ROM.

security_result[n].about.process.file.first_seen_time

Description: Timestamp the file was first seen in the customer's environment.

Type: String

security_result[n].about.process.file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

security_result[n].about.process.file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

security_result[n].about.process.file.last_seen_time

Description: Timestamp the file was last seen in the customer's environment.

Type: String

security_result[n].about.process.file.md5

Description: The MD5 hash of the file.

Type: String

security_result[n].about.process.file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

security_result[n].about.process.file.names

Description: Names fields.

Type: Array

security_result[n].about.process.file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

security_result[n].about.process.file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

security_result[n].about.process.file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

security_result[n].about.process.file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

security_result[n].about.process.file.pe_file.imphash

Description: Imphash of the file.

Type: String

security_result[n].about.process.file.pe_file.imports[n].functions

Description: Function field.

Type: Array

security_result[n].about.process.file.pe_file.imports[n].library

Description: Library field.

Type: String

security_result[n].about.process.file.pe_file.imports

Description: FilemetadataImports fields.

Type: Array

security_result[n].about.process.file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

security_result[n].about.process.file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

security_result[n].about.process.file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module.

Type: String

security_result[n].about.process.file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. Examples:

| Language | Sublanguage | Field value |
|---|---|---|
| LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL |
| LANG_FRENCH | - | FRENCH |
| LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

Type: String

security_result[n].about.process.file.pe_file.resource[n].sha256_hex

Description: SHA256_hex field.

Type: String

security_result[n].about.process.file.pe_file.resource

Description: FilemetadataPeResourceInfo fields.

Type: Array

security_result[n].about.process.file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

security_result[n].about.process.file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count_str[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

security_result[n].about.process.file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

security_result[n].about.process.file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

security_result[n].about.process.file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count_str[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

security_result[n].about.process.file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

security_result[n].about.process.file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

security_result[n].about.process.file.pe_file.section[n].md5_hex

Description: MD5 hex of the file.

Type: String

security_result[n].about.process.file.pe_file.section[n].name

Description: Name of the section.

Type: String

security_result[n].about.process.file.pe_file.section[n].raw_size_bytes

Description: Raw file size in bytes.

Type: String

security_result[n].about.process.file.pe_file.section[n].virtual_size_bytes

Description: Virtual file size in bytes.

Type: String

security_result[n].about.process.file.pe_file.section

Description: FilemetadataSection fields.

Type: Array

security_result[n].about.process.file.pe_file.signature_info.signer

Description: Deprecated, please use signers field.

Type: Array

security_result[n].about.process.file.pe_file.signature_info.signers[n].name

Description: Common name of the signers. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.

Type: String

security_result[n].about.process.file.pe_file.signature_info.signers

Description: File metadata signer information. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.

Type: Array

security_result[n].about.process.file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

security_result[n].about.process.file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed".

Type: Boolean

security_result[n].about.process.file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.process.file.prevalence.day_max

Description: The max prevalence score in a day interval window.

Type: Integer

security_result[n].about.process.file.prevalence.day_max_sub_domains

Description: The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.

Type: Integer

security_result[n].about.process.file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.process.file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.

Type: Integer

security_result[n].about.process.file.sha1

Description: The SHA1 hash of the file.

Type: String

security_result[n].about.process.file.sha256

Description: The SHA256 hash of the file.

Type: String

security_result[n].about.process.file.size

Description: The size of the file in bytes.

Type: String

security_result[n].about.process.file.ssdeep

Description: Ssdeep of the file.

Type: String

security_result[n].about.process.file.vhash

Description: Vhash of the file.

Type: String

security_result[n].about.process.parent_pid

Description: The ID of the parent process. Deprecated. Please use parent_process.pid instead.

Type: String

security_result[n].about.process.pid

Description: The process ID.

Type: String

security_result[n].about.process.product_specific_parent_process_id

Description: A product-specific ID for the parent process. Please use parent_process.product_specific_process_id instead.

Type: String

security_result[n].about.process.product_specific_process_id

Description: A product-specific process ID.

Type: String

security_result[n].about.process_ancestors[n].access_mask

Description: A bit mask representing the level of access.

Type: String

security_result[n].about.process_ancestors[n].command_line

Description: The command line command that created the process.

Type: String

security_result[n].about.process_ancestors[n].command_line_history

Description: The command line history of the process.

Type: Array

security_result[n].about.process_ancestors[n].file.ahash

Description: Deprecated, please use authentihash instead.

Type: String

security_result[n].about.process_ancestors[n].file.authentihash

Description: Authentihash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.capabilities_tags

Description: Capabilities tags.

Type: Array

security_result[n].about.process_ancestors[n].file.file_metadata.pe.import_hash

Description: Hash of PE imports.

Type: String

security_result[n].about.process_ancestors[n].file.file_type

Description: FileType field.

Type: Enum

Enum Description
FILE_TYPE_UNSPECIFIED File type is UNSPECIFIED.
FILE_TYPE_PE_EXE File type is PE_EXE.
FILE_TYPE_PE_DLL Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
FILE_TYPE_MSI File type is MSI.
FILE_TYPE_NE_EXE File type is NE_EXE.
FILE_TYPE_NE_DLL File type is NE_DLL.
FILE_TYPE_DOS_EXE File type is DOS_EXE.
FILE_TYPE_DOS_COM File type is DOS_COM.
FILE_TYPE_COFF File type is COFF.
FILE_TYPE_ELF File type is ELF.
FILE_TYPE_LINUX_KERNEL File type is LINUX_KERNEL.
FILE_TYPE_RPM File type is RPM.
FILE_TYPE_LINUX File type is LINUX.
FILE_TYPE_MACH_O File type is MACH_O.
FILE_TYPE_JAVA_BYTECODE File type is JAVA_BYTECODE.
FILE_TYPE_DMG File type is DMG.
FILE_TYPE_DEB File type is DEB.
FILE_TYPE_PKG File type is PKG.
FILE_TYPE_LNK File type is LNK.
FILE_TYPE_JPEG File type is JPEG.
FILE_TYPE_TIFF File type is TIFF.
FILE_TYPE_GIF File type is GIF.
FILE_TYPE_PNG File type is PNG.
FILE_TYPE_BMP File type is BMP.
FILE_TYPE_GIMP File type is GIMP.
FILE_TYPE_IN_DESIGN File type is Adobe InDesign.
FILE_TYPE_PSD File type is PSD. Adobe Photoshop.
FILE_TYPE_TARGA File type is TARGA.
FILE_TYPE_XWD File type is XWD.
FILE_TYPE_DIB File type is DIB.
FILE_TYPE_JNG File type is JNG.
FILE_TYPE_ICO File type is ICO.
FILE_TYPE_FPX File type is FPX.
FILE_TYPE_EPS File type is EPS.
FILE_TYPE_SVG File type is SVG.
FILE_TYPE_EMF File type is EMF.
FILE_TYPE_WEBP File type is WEBP.
FILE_TYPE_OGG File type is OGG.
FILE_TYPE_FLC File type is FLC.
FILE_TYPE_FLI File type is FLI.
FILE_TYPE_MP3 File type is MP3.
FILE_TYPE_FLAC File type is FLAC.
FILE_TYPE_WAV File type is WAV.
FILE_TYPE_MIDI File type is MIDI.
FILE_TYPE_AVI File type is AVI.
FILE_TYPE_MPEG File type is MPEG.
FILE_TYPE_QUICKTIME File type is QUICKTIME.
FILE_TYPE_ASF File type is ASF.
FILE_TYPE_DIVX File type is DIVX.
FILE_TYPE_FLV File type is FLV.
FILE_TYPE_WMA File type is WMA.
FILE_TYPE_WMV File type is WMV.
FILE_TYPE_RM File type is RM. RealMedia type.
FILE_TYPE_MOV File type is MOV.
FILE_TYPE_MP4 File type is MP4.
FILE_TYPE_T3GP File type is T3GP.
FILE_TYPE_PDF File type is PDF.
FILE_TYPE_PS File type is PS.
FILE_TYPE_DOC File type is DOC.
FILE_TYPE_DOCX File type is DOCX.
FILE_TYPE_PPT File type is PPT.
FILE_TYPE_PPTX File type is PPTX.
FILE_TYPE_PPSX File type is PPSX.
FILE_TYPE_XLS File type is XLS.
FILE_TYPE_XLSX File type is XLSX.
FILE_TYPE_RTF File type is RTF.
FILE_TYPE_ODP File type is ODP.
FILE_TYPE_ODS File type is ODS.
FILE_TYPE_ODT File type is ODT.
FILE_TYPE_HWP File type is HWP.
FILE_TYPE_GUL File type is GUL.
FILE_TYPE_ODF File type is ODF.
FILE_TYPE_ODG File type is ODG.
FILE_TYPE_EBOOK File type is EBOOK.
FILE_TYPE_LATEX File type is LATEX.
FILE_TYPE_TTF File type is TTF.
FILE_TYPE_EOT File type is EOT.
FILE_TYPE_WOFF File type is WOFF.
FILE_TYPE_CHM File type is CHM.
FILE_TYPE_ZIP File type is ZIP.
FILE_TYPE_GZIP File type is GZIP.
FILE_TYPE_BZIP File type is BZIP.
FILE_TYPE_RZIP File type is RZIP.
FILE_TYPE_DZIP File type is DZIP.
FILE_TYPE_SEVENZIP File type is SEVENZIP.
FILE_TYPE_CAB File type is CAB.
FILE_TYPE_JAR File type is JAR.
FILE_TYPE_RAR File type is RAR.
FILE_TYPE_MSCOMPRESS File type is MSCOMPRESS.
FILE_TYPE_ACE File type is ACE.
FILE_TYPE_ARC File type is ARC.
FILE_TYPE_ARJ File type is ARJ.
FILE_TYPE_ASD File type is ASD.
FILE_TYPE_BLACKHOLE File type is BLACKHOLE.
FILE_TYPE_KGB File type is KGB.
FILE_TYPE_ZLIB File type is ZLIB.
FILE_TYPE_TAR File type is TAR.
FILE_TYPE_TEXT File type is TEXT.
FILE_TYPE_SCRIPT File type is SCRIPT.
FILE_TYPE_PHP File type is PHP.
FILE_TYPE_PYTHON File type is PYTHON.
FILE_TYPE_PERL File type is PERL.
FILE_TYPE_RUBY File type is RUBY.
FILE_TYPE_C File type is C.
FILE_TYPE_CPP File type is CPP.
FILE_TYPE_JAVA File type is JAVA.
FILE_TYPE_SHELLSCRIPT File type is SHELLSCRIPT.
FILE_TYPE_PASCAL File type is PASCAL.
FILE_TYPE_AWK File type is AWK.
FILE_TYPE_DYALOG File type is DYALOG.
FILE_TYPE_FORTRAN File type is FORTRAN.
FILE_TYPE_JAVASCRIPT File type is JAVASCRIPT.
FILE_TYPE_POWERSHELL File type is POWERSHELL.
FILE_TYPE_VBA File type is VBA.
FILE_TYPE_SYMBIAN File type is SYMBIAN.
FILE_TYPE_PALMOS File type is PALMOS.
FILE_TYPE_WINCE File type is WINCE.
FILE_TYPE_ANDROID File type is ANDROID.
FILE_TYPE_IPHONE File type is IPHONE.
FILE_TYPE_HTML File type is HTML.
FILE_TYPE_XML File type is XML.
FILE_TYPE_SWF File type is SWF.
FILE_TYPE_FLA File type is FLA.
FILE_TYPE_COOKIE File type is COOKIE.
FILE_TYPE_TORRENT File type is TORRENT.
FILE_TYPE_EMAIL_TYPE File type is EMAIL_TYPE.
FILE_TYPE_OUTLOOK File type is OUTLOOK.
FILE_TYPE_CAP File type is CAP.
FILE_TYPE_ISOIMAGE File type is ISOIMAGE.
FILE_TYPE_APPLE File type is APPLE.
FILE_TYPE_MACINTOSH File type is MACINTOSH.
FILE_TYPE_APPLESINGLE File type is APPLESINGLE.
FILE_TYPE_APPLEDOUBLE File type is APPLEDOUBLE.
FILE_TYPE_MACINTOSH_HFS File type is MACINTOSH_HFS.
FILE_TYPE_APPLE_PLIST File type is APPLE_PLIST.
FILE_TYPE_MACINTOSH_LIB File type is MACINTOSH_LIB.
FILE_TYPE_APPLESCRIPT File type is APPLESCRIPT.
FILE_TYPE_APPLESCRIPT_COMPILED File type is APPLESCRIPT_COMPILED.
FILE_TYPE_CRX File type is CRX.
FILE_TYPE_XPI File type is XPI.
FILE_TYPE_ROM File type is ROM.

security_result[n].about.process_ancestors[n].file.first_seen_time

Description: Timestamp the file was first seen in the customer's environment.

Type: String

security_result[n].about.process_ancestors[n].file.full_path

Description: The full path identifying the location of the file on the system.

Type: String

security_result[n].about.process_ancestors[n].file.last_modification_time

Description: Timestamp when the file was last updated.

Type: String

security_result[n].about.process_ancestors[n].file.last_seen_time

Description: Timestamp the file was last seen in the customer's environment.

Type: String

security_result[n].about.process_ancestors[n].file.md5

Description: The MD5 hash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.mime_type

Description: The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", "powershell script", etc.

Type: String

security_result[n].about.process_ancestors[n].file.names

Description: Names fields.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.compilation_exiftool_time

Description: info.exiftool.TimeStamp.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.compilation_time

Description: info.pe-timestamp.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.entry_point

Description: info.pe-entry-point.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.entry_point_exiftool

Description: info.exiftool.EntryPoint.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.imphash

Description: Imphash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.imports[n].functions

Description: Function field.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.imports[n].library

Description: Library field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.imports

Description: FilemetadataImports fields.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].entropy

Description: Entropy of the resource.

Type: Number

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].file_type

Description: File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].filetype_magic

Description: Type of resource content, as identified by the magic Python module.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].language_code

Description: Human-readable version of the language and sublanguage identifiers, as defined in the Windows PE specification. Examples:

| Language | Sublanguage | Field value |
|---|---|---|
| LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL |
| LANG_FRENCH | - | FRENCH |
| LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US |

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resource[n].sha256_hex

Description: SHA256_hex field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resource

Description: FilemetadataPeResourceInfo fields.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count[n].key

Description: Key field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count[n].value

Description: Value field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count

Description: Deprecated. Use resources_language_count_str.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].key

Description: The key.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count_str[n].value

Description: The value.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_language_count_str

Description: Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count[n].key

Description: Key field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count[n].value

Description: Value field.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count

Description: Deprecated. Use resources_type_count_str.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].key

Description: The key.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count_str[n].value

Description: The value.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.resources_type_count_str

Description: Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.section[n].entropy

Description: Entropy of the section.

Type: Number

security_result[n].about.process_ancestors[n].file.pe_file.section[n].md5_hex

Description: MD5 hex of the file.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.section[n].name

Description: Name of the section.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.section[n].raw_size_bytes

Description: Raw file size in bytes.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.section[n].virtual_size_bytes

Description: Virtual file size in bytes.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.section

Description: FilemetadataSection fields.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.signature_info.signer

Description: Deprecated, please use signers field.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.signature_info.signers[n].name

Description: Common name of the signers. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.signature_info.signers

Description: File metadata signer information. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.

Type: Array

security_result[n].about.process_ancestors[n].file.pe_file.signature_info.verification_message

Description: Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found.

Type: String

security_result[n].about.process_ancestors[n].file.pe_file.signature_info.verified

Description: True iff verification_message == "Signed".

Type: Boolean

security_result[n].about.process_ancestors[n].file.prevalence.day_count

Description: The number of days over which rolling_max is calculated.

Type: Integer

security_result[n].about.process_ancestors[n].file.prevalence.day_max

Description: The max prevalence score in a day interval window.

Type: Integer

security_result[n].about.process_ancestors[n].file.prevalence.day_max_sub_domains

Description: The max prevalence score in a day interval window across sub-domains. This field is only valid for domains.

Type: Integer

security_result[n].about.process_ancestors[n].file.prevalence.rolling_max

Description: The maximum number of assets per day accessing the resource over the trailing day_count days.

Type: Integer

security_result[n].about.process_ancestors[n].file.prevalence.rolling_max_sub_domains

Description: The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.

Type: Integer

security_result[n].about.process_ancestors[n].file.sha1

Description: The SHA1 hash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.sha256

Description: The SHA256 hash of the file.

Type: String

security_result[n].about.process_ancestors[n].file.size

Description: The size of the file in bytes.

Type: String

security_result[n].about.process_ancestors[n].file.ssdeep

Description: Ssdeep of the file.

Type: String

security_result[n].about.process_ancestors[n].file.vhash

Description: Vhash of the file.

Type: String

security_result[n].about.process_ancestors[n].parent_pid

Description: The ID of the parent process. Deprecated. Please use parent_process.pid instead.

Type: String

security_result[n].about.process_ancestors[n].pid

Description: The process ID.

Type: String

security_result[n].about.process_ancestors[n].product_specific_parent_process_id

Description: A product-specific ID for the parent process. Please use parent_process.product_specific_process_id instead.

Type: String

security_result[n].about.process_ancestors[n].product_specific_process_id

Description: A product-specific process ID.

Type: String

security_result[n].about.process_ancestors

Description: Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.

Type: Array

security_result[n].about.registry.registry_key

Description: Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...).

Type: String

security_result[n].about.registry.registry_value_data

Description: Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).

Type: String

security_result[n].about.registry.registry_value_name

Description: Name of the registry value associated with an application or system component (e.g. TEMP).

Type: String

security_result[n].about.resource.id

Description: DEPRECATED

Type: String

security_result[n].about.resource.name

Description: The name of the resource.

Type: String

security_result[n].about.resource.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.resource.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)

Type: String

security_result[n].about.resource.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.resource.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.resource.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.resource_ancestors[n].id

Description: DEPRECATED

Type: String

security_result[n].about.resource_ancestors[n].name

Description: The name of the resource.

Type: String

security_result[n].about.resource_ancestors[n].parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.resource_ancestors[n].product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar)

Type: String

security_result[n].about.resource_ancestors[n].resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.resource_ancestors[n].resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.resource_ancestors[n].type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.resource_ancestors

Description: Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource).

Type: Array

security_result[n].about.url

Description: The URL.

Type: String

security_result[n].about.user.account_type

Description: Type of user account (service, domain, cloud, etc). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account that is part of some domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A built-in system default account.

security_result[n].about.user.attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.user.attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.user.attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.user.attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.user.attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.user.attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.user.attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.user.attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.user.attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.user.attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.user.attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.user.attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.user.attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.user.attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.user.attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.user.attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.user.attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.user.attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.user.attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.user.attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.user.attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.user.attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.user.attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.user.attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.user.attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.user.attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.user.attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.user.attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.user.attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.user.attribute.roles

Description: System IAM roles the entity can assume; each role grants its permissions for access control.

Type: Array

security_result[n].about.user.company_name

Description: User job company name.

Type: String

security_result[n].about.user.department

Description: User job department.

Type: Array

security_result[n].about.user.email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.user.employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.user.first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.user.first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.user.group_identifiers

Description: Product object identifiers of the group(s) the user belongs to: vendor-specific identifiers that uniquely identify each group (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.user.groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.user.hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.user.last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.user.managers

Description: User job manager(s).

Type: Array

security_result[n].about.user.middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.user.office_address.city

Description: The city.

Type: String

security_result[n].about.user.office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.user.office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.user.office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.user.office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.user.office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.user.office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.user.office_address.state

Description: The state.

Type: String

security_result[n].about.user.personal_address.city

Description: The city.

Type: String

security_result[n].about.user.personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.user.personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.user.personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.user.personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.user.personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.user.personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.user.personal_address.state

Description: The state.

Type: String

security_result[n].about.user.phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.user.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP OID, or similar).

Type: String

security_result[n].about.user.role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.user.role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.user.termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.user.time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.user.time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a timestamp matches this interval only if it is strictly before end_time.

Type: String

security_result[n].about.user.time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a timestamp matches this interval only if it is equal to or after start_time.

Type: String

security_result[n].about.user.time_off

Description: User time off leaves from active work.

Type: Array

security_result[n].about.user.title

Description: User job title.

Type: String

security_result[n].about.user.user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.user.user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.user.user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: not a role; set User.account_type instead.

security_result[n].about.user.userid

Description: The ID of the user.

Type: String

security_result[n].about.user.windows_sid

Description: The windows SID of the user.

Type: String
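The account_type, attribute.permissions[n].type, attribute.roles[n].type and user_authentication_status fields above are the ones a least-privilege review actually keys on. The following is an added example, not Chronicle's own code: it walks a list of UDM-style user entities and reports the combinations a practitioner usually wants flagged (admin rights on a non-human account, on a suspended or deleted identity, and on a built-in default account). The entity dicts, the userids and all permission names other than chronicle.analyst.updateRule are constructed; the enum strings are the ones this page documents. Note that it reads attribute.roles rather than the deprecated user_role field.

```python
"""Least-privilege audit over UDM-style user entities.

Added example, not Chronicle code. The entity dicts mirror the
security_result[n].about.user fields documented on this page: account_type,
attribute.roles[].type, attribute.permissions[].type and
user_authentication_status. All sample entities are constructed.
"""
from typing import Dict, List

# Enum values as documented on this page.
ADMIN_PERMISSION_TYPES = {"ADMIN_WRITE", "ADMIN_READ"}
ADMIN_ROLE_TYPES = {"ADMINISTRATOR"}
INACTIVE_AUTH_STATUS = {"SUSPENDED", "NO_ACTIVE_CREDENTIALS", "DELETED"}

# Constructed sample entities (not real data; permission names other than
# chronicle.analyst.updateRule are made up for illustration).
SAMPLE_USERS: List[Dict] = [
    {"userid": "jlocke", "account_type": "DOMAIN_ACCOUNT_TYPE",
     "user_authentication_status": "ACTIVE",
     "attribute": {"roles": [{"name": "viewer", "type": "TYPE_UNSPECIFIED"}],
                   "permissions": [{"name": "example.viewRule", "type": "DATA_READ"}]}},
    {"userid": "ci-deployer", "account_type": "SERVICE_ACCOUNT_TYPE",
     "user_authentication_status": "ACTIVE",
     "attribute": {"roles": [{"name": "owner", "type": "ADMINISTRATOR"}],
                   "permissions": [{"name": "chronicle.analyst.updateRule", "type": "ADMIN_WRITE"}]}},
    {"userid": "old-admin", "account_type": "LOCAL_ACCOUNT_TYPE",
     "user_authentication_status": "SUSPENDED",
     "attribute": {"roles": [{"name": "admin", "type": "ADMINISTRATOR"}],
                   "permissions": []}},
    {"userid": "guest", "account_type": "DEFAULT_ACCOUNT_TYPE",
     "user_authentication_status": "ACTIVE",
     "attribute": {"roles": [],
                   "permissions": [{"name": "example.readPolicies", "type": "ADMIN_READ"}]}},
]


def is_privileged(user: Dict) -> bool:
    """True if any role is a well-known admin role or any permission is admin-level."""
    attr = user.get("attribute", {})
    has_admin_role = any(r.get("type") in ADMIN_ROLE_TYPES for r in attr.get("roles", []))
    has_admin_perm = any(p.get("type") in ADMIN_PERMISSION_TYPES for p in attr.get("permissions", []))
    return has_admin_role or has_admin_perm


def audit_findings(users: List[Dict]) -> Dict[str, List[str]]:
    """Map each finding name to the userids it applies to.

    Only privileged users are considered; one user can appear under several findings.
    """
    findings: Dict[str, List[str]] = {
        "privileged_service_account": [],   # non-human identity with admin rights
        "privileged_inactive_account": [],  # admin rights left on a suspended/deleted identity
        "privileged_default_account": [],   # built-in default account with admin rights
    }
    for user in users:
        if not is_privileged(user):
            continue
        uid = user["userid"]
        if user.get("account_type") == "SERVICE_ACCOUNT_TYPE":
            findings["privileged_service_account"].append(uid)
        if user.get("user_authentication_status") in INACTIVE_AUTH_STATUS:
            findings["privileged_inactive_account"].append(uid)
        if user.get("account_type") == "DEFAULT_ACCOUNT_TYPE":
            findings["privileged_default_account"].append(uid)
    return findings


if __name__ == "__main__":
    for name, ids in audit_findings(SAMPLE_USERS).items():
        print(f"{name}: {ids}")
```

The inactive-account finding is the one most often missed: SUSPENDED or DELETED in user_authentication_status only says the credentials are unusable, not that the role binding was removed, and the binding is what matters if the account is ever re-enabled.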

security_result[n].about.user_management_chain[n].account_type

Description: Type of user account (service, domain, cloud, etc.). Somewhat aligned to: https://attack.mitre.org/techniques/T1078/

Type: Enum

Enum Description
ACCOUNT_TYPE_UNSPECIFIED Default user account type.
DOMAIN_ACCOUNT_TYPE A human account that is part of a domain in directory services.
LOCAL_ACCOUNT_TYPE A local machine account.
CLOUD_ACCOUNT_TYPE A SaaS service account type (Slack, GitHub, etc.).
SERVICE_ACCOUNT_TYPE A non-human account for data access.
DEFAULT_ACCOUNT_TYPE A system built-in default account.

security_result[n].about.user_management_chain[n].attribute.cloud.availability_zone

Description: The cloud environment availability zone (different from region which is location.name).

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.environment

Description: The Cloud environment.

Type: Enum

Enum Description
UNSPECIFIED_CLOUD_ENVIRONMENT Default.
GOOGLE_CLOUD_PLATFORM Google Cloud Platform.
AMAZON_WEB_SERVICES Amazon Web Services.
MICROSOFT_AZURE Microsoft Azure.

security_result[n].about.user_management_chain[n].attribute.cloud.project.id

Description: DEPRECATED

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.project.name

Description: The name of the resource.

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.project.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.project.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.project.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.project.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.user_management_chain[n].attribute.cloud.project.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.vpc.id

Description: DEPRECATED

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.vpc.name

Description: The name of the resource.

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.vpc.parent

Description: The parent of the resource. For a database table, the parent is the database and for a storage object, the bucket name, etc. Deprecated: Use resource_ancestors.name.

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.vpc.product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar).

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.vpc.resource_subtype

Description: Resource sub-type (e.g. "BigQuery", "Bigtable").

Type: String

security_result[n].about.user_management_chain[n].attribute.cloud.vpc.resource_type

Description: Resource type.

Type: Enum

Enum Description
UNSPECIFIED Default type.
MUTEX Mutex.
TASK Task.
PIPE Named pipe.
DEVICE Device.
FIREWALL_RULE Firewall rule.
MAILBOX_FOLDER Mailbox folder.
VPC_NETWORK VPC Network.
VIRTUAL_MACHINE Virtual machine.
STORAGE_BUCKET Storage bucket.
STORAGE_OBJECT Storage object.
DATABASE Database.
TABLE Data table.
CLOUD_PROJECT Cloud project.
CLOUD_ORGANIZATION Cloud organization.
SERVICE_ACCOUNT Service account. DEPRECATED. Service accounts should be type User.
ACCESS_POLICY Access policy.
CLUSTER Cluster.
SETTING Settings.
DATASET Dataset.
BACKEND_SERVICE Endpoint that receives traffic from a load balancer or proxy.

security_result[n].about.user_management_chain[n].attribute.cloud.vpc.type

Description: DEPRECATED - use resource_type instead.

Type: String

security_result[n].about.user_management_chain[n].attribute.creation_time

Description: Time the resource or entity was created or provisioned.

Type: String

security_result[n].about.user_management_chain[n].attribute.labels[n].key

Description: The key.

Type: String

security_result[n].about.user_management_chain[n].attribute.labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].about.user_management_chain[n].attribute.labels[n].value

Description: The value.

Type: String

security_result[n].about.user_management_chain[n].attribute.labels

Description: Set of labels for the entity. Should only be used for product labels (e.g. Google Cloud resource labels, Azure AD sensitivity labels, etc). Should not be used for arbitrary key-value mappings.

Type: Array

security_result[n].about.user_management_chain[n].attribute.last_update_time

Description: Time the resource or entity was last updated.

Type: String

security_result[n].about.user_management_chain[n].attribute.permissions[n].description

Description: Description of the permission (e.g. 'Ability to update detect rules').

Type: String

security_result[n].about.user_management_chain[n].attribute.permissions[n].name

Description: Name of the permission (e.g. chronicle.analyst.updateRule).

Type: String

security_result[n].about.user_management_chain[n].attribute.permissions[n].type

Description: Type of the permission.

Type: Enum

Enum Description
UNKNOWN_PERMISSION_TYPE Default permission type.
ADMIN_WRITE Administrator write permission.
ADMIN_READ Administrator read permission.
DATA_WRITE Data resource access write permission.
DATA_READ Data resource access read permission.

security_result[n].about.user_management_chain[n].attribute.permissions

Description: System permissions for IAM entity (human principal, service account, group).

Type: Array

security_result[n].about.user_management_chain[n].attribute.roles[n].description

Description: System role description for user.

Type: String

security_result[n].about.user_management_chain[n].attribute.roles[n].name

Description: System role name for user.

Type: String

security_result[n].about.user_management_chain[n].attribute.roles[n].type

Description: System role type for well known roles.

Type: Enum

Enum Description
TYPE_UNSPECIFIED Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access.

security_result[n].about.user_management_chain[n].attribute.roles

Description: System IAM roles the entity can assume; each role grants its permissions for access control.

Type: Array

security_result[n].about.user_management_chain[n].company_name

Description: User job company name.

Type: String

security_result[n].about.user_management_chain[n].department

Description: User job department.

Type: Array

security_result[n].about.user_management_chain[n].email_addresses

Description: Email addresses of the user.

Type: Array

security_result[n].about.user_management_chain[n].employee_id

Description: Human capital management identifier.

Type: String

security_result[n].about.user_management_chain[n].first_name

Description: First name of the user (e.g. "John").

Type: String

security_result[n].about.user_management_chain[n].first_seen_time

Description: The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.

Type: String

security_result[n].about.user_management_chain[n].group_identifiers

Description: Product object identifiers of the group(s) the user belongs to: vendor-specific identifiers that uniquely identify each group (a GUID, LDAP OID, or similar).

Type: Array

security_result[n].about.user_management_chain[n].groupid

Description: The ID of the group that the user belongs to. DEPRECATED in favor of the repeated group_identifiers field.

Type: String

security_result[n].about.user_management_chain[n].hire_date

Description: User job employment hire date.

Type: String

security_result[n].about.user_management_chain[n].last_name

Description: Last name of the user (e.g. "Locke").

Type: String

security_result[n].about.user_management_chain[n].managers

Description: User job manager(s).

Type: Array

security_result[n].about.user_management_chain[n].middle_name

Description: Middle name of the user.

Type: String

security_result[n].about.user_management_chain[n].office_address.city

Description: The city.

Type: String

security_result[n].about.user_management_chain[n].office_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.user_management_chain[n].office_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.user_management_chain[n].office_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.user_management_chain[n].office_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.user_management_chain[n].office_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.user_management_chain[n].office_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.user_management_chain[n].office_address.state

Description: The state.

Type: String

security_result[n].about.user_management_chain[n].personal_address.city

Description: The city.

Type: String

security_result[n].about.user_management_chain[n].personal_address.country_or_region

Description: The country or region.

Type: String

security_result[n].about.user_management_chain[n].personal_address.desk_name

Description: Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D").

Type: String

security_result[n].about.user_management_chain[n].personal_address.floor_name

Description: Floor name, number or a combination of the two for a building. (e.g. "1-A").

Type: String

security_result[n].about.user_management_chain[n].personal_address.name

Description: Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2").

Type: String

security_result[n].about.user_management_chain[n].personal_address.region_latitude

Description: Latitude of the center of the associated region.

Type: Number

security_result[n].about.user_management_chain[n].personal_address.region_longitude

Description: Longitude of the center of the associated region.

Type: Number

security_result[n].about.user_management_chain[n].personal_address.state

Description: The state.

Type: String

security_result[n].about.user_management_chain[n].phone_numbers

Description: Phone numbers for the user.

Type: Array

security_result[n].about.user_management_chain[n].product_object_id

Description: A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP OID, or similar).

Type: String

security_result[n].about.user_management_chain[n].role_description

Description: System role description for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.user_management_chain[n].role_name

Description: System role name for user. DEPRECATED: use attribute.roles.

Type: String

security_result[n].about.user_management_chain[n].termination_date

Description: User job employment termination date.

Type: String

security_result[n].about.user_management_chain[n].time_off[n].description

Description: Description of the leave if available (e.g. 'Vacation').

Type: String

security_result[n].about.user_management_chain[n].time_off[n].interval.end_time

Description: Optional. Exclusive end of the interval. If specified, a timestamp matches this interval only if it is strictly before end_time.

Type: String

security_result[n].about.user_management_chain[n].time_off[n].interval.start_time

Description: Optional. Inclusive start of the interval. If specified, a timestamp matches this interval only if it is equal to or after start_time.

Type: String

security_result[n].about.user_management_chain[n].time_off

Description: User time off leaves from active work.

Type: Array
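The time_off interval is half-open (start_time inclusive, end_time exclusive) and either bound may be absent. That matters for a classic detection, activity by a principal who is on leave, because an off-by-one at the bounds turns a 23:59:59 login into a false positive or lets a 00:00:00 login on the first day of leave slip through. The following is an added example, not Chronicle code, serving both the about.user.time_off and the about.user_management_chain[n].time_off fields, since the check is identical for a manager's leave. The sample user, the sample events and their flat event_time/userid/action shape are constructed for illustration; UDM's real event envelope differs.

```python
"""Flag activity by a user whose time_off interval covers the event time.

Added example, not Chronicle code. The interval semantics follow this page:
start_time is inclusive, end_time is exclusive, and a missing bound means the
interval is unbounded on that side. All sample data is constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an RFC 3339 timestamp ('Z' accepted); None stays None for an open bound."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def in_interval(ts: datetime, interval: Dict) -> bool:
    """Half-open check start <= ts < end; an absent bound never excludes ts."""
    start = parse_ts(interval.get("start_time"))
    end = parse_ts(interval.get("end_time"))
    if start is not None and ts < start:
        return False
    if end is not None and ts >= end:
        return False
    return True


def on_leave_at(user: Dict, ts: datetime) -> Optional[str]:
    """Return the description of the leave covering ts, or None if none does."""
    for leave in user.get("time_off", []):
        if in_interval(ts, leave.get("interval", {})):
            return leave.get("description", "")
    return None


# Constructed sample: one user with a week of vacation (Mon 4 Mar to Sun 10 Mar).
USER = {
    "userid": "jlocke",
    "time_off": [{"description": "Vacation",
                  "interval": {"start_time": "2024-03-04T00:00:00Z",
                               "end_time": "2024-03-11T00:00:00Z"}}],
}

# Constructed sample events, trimmed to the three fields this check needs.
EVENTS: List[Dict] = [
    {"event_time": "2024-03-03T23:59:59Z", "userid": "jlocke", "action": "ALLOW"},  # before start
    {"event_time": "2024-03-04T00:00:00Z", "userid": "jlocke", "action": "ALLOW"},  # == start: inside
    {"event_time": "2024-03-10T23:59:59Z", "userid": "jlocke", "action": "ALLOW"},  # last second: inside
    {"event_time": "2024-03-11T00:00:00Z", "userid": "jlocke", "action": "ALLOW"},  # == end: outside
    {"event_time": "2024-03-06T09:15:00Z", "userid": "someone-else", "action": "ALLOW"},
]


def activity_during_leave(events: List[Dict], users: Dict[str, Dict]) -> List[Dict]:
    """Return events whose principal was on leave at event_time, tagged with the leave."""
    hits = []
    for ev in events:
        user = users.get(ev["userid"])
        if user is None:
            continue  # no entity context for this principal; nothing to compare against
        leave = on_leave_at(user, parse_ts(ev["event_time"]))
        if leave is not None:
            hits.append({**ev, "leave": leave})
    return hits


if __name__ == "__main__":
    for hit in activity_during_leave(EVENTS, {"jlocke": USER}):
        print(hit)
```

Two of the five constructed events are flagged: the one exactly at start_time and the one a second before end_time. An interval with neither bound matches every timestamp, so an ingest that writes an empty interval for "unknown dates" will flag everything for that user; validate that at least one bound is present before trusting the field.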

security_result[n].about.user_management_chain[n].title

Description: User job title.

Type: String

security_result[n].about.user_management_chain[n].user_authentication_status

Description: System authentication status for user.

Type: Enum

Enum Description
UNKNOWN_AUTHENTICATION_STATUS The default authentication status.
ACTIVE The authentication method is in active state.
SUSPENDED The authentication method is in suspended/disabled state.
NO_ACTIVE_CREDENTIALS The authentication method has no active credentials.
DELETED The authentication method has been deleted.

security_result[n].about.user_management_chain[n].user_display_name

Description: The display name of the user (e.g. "John Locke").

Type: String

security_result[n].about.user_management_chain[n].user_role

Description: System role for user. DEPRECATED: use attribute.roles.

Type: Enum

Enum Description
UNKNOWN_ROLE Default user role.
ADMINISTRATOR Product administrator with elevated privileges.
SERVICE_ACCOUNT System service account for automated privilege access. Deprecated: not a role; set User.account_type instead.

security_result[n].about.user_management_chain[n].userid

Description: The ID of the user.

Type: String

security_result[n].about.user_management_chain[n].windows_sid

Description: The windows SID of the user.

Type: String

security_result[n].about.user_management_chain

Description: Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.

Type: Array

security_result[n].action

Description: Actions taken for this event.

Type: ArrayEnum

Enum Description
UNKNOWN_ACTION The default action.
ALLOW Allowed.
BLOCK Blocked.
ALLOW_WITH_MODIFICATION Allowed after something was stripped or modified (e.g. a file or email was disinfected or rewritten and still forwarded).
QUARANTINE Put somewhere for later analysis (does NOT imply block).
FAIL Failed (e.g. the event was allowed but failed).
CHALLENGE Challenged (e.g. the user was challenged by a Captcha, 2FA).

security_result[n].action_details

Description: The detail of the action taken as provided by the vendor.

Type: String

security_result[n].alert_state

Description: The alerting types of this security result.

Type: Enum

Enum Description
UNSPECIFIED The security result type is not known.
NOT_ALERTING The security result is not an alert.
ALERTING The security result is an alert.

security_result[n].category

Description: The security category.

Type: ArrayEnum

Enum Description
UNKNOWN_CATEGORY The default category.
SOFTWARE_MALICIOUS Malware, spyware, rootkit.
SOFTWARE_SUSPICIOUS Below the conviction threshold; probably bad.
SOFTWARE_PUA Potentially Unwanted App (adware, etc.).
NETWORK_MALICIOUS C&C, network exploit, etc.
NETWORK_SUSPICIOUS Suspicious activity, potential reverse tunnel, etc.
NETWORK_CATEGORIZED_CONTENT Non-security-related: the URL has a content category such as gambling or porn.
NETWORK_DENIAL_OF_SERVICE DoS, DDoS.
NETWORK_RECON Port scan detected by an IDS, probing of a web app.
NETWORK_COMMAND_AND_CONTROL The connection is known to be a C&C channel.
ACL_VIOLATION Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
AUTH_VIOLATION Authentication failed (e.g. bad password or bad 2-factor authentication).
EXPLOIT Exploit: all manner of exploits, including attempted overflows, bad protocol encodings, ROP, SQL injection, etc., for both network-based and host-based exploits.
DATA_EXFILTRATION DLP: sensitive data transmission, copy to thumb drive.
DATA_AT_REST DLP: sensitive data found at rest in a scan.
DATA_DESTRUCTION Attempt to destroy/delete data.
MAIL_SPAM Spam email, message, etc.
MAIL_PHISHING Phishing email, chat messages, etc.
MAIL_SPOOFING Spoofed source email address, etc.
POLICY_VIOLATION Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
SOCIAL_ENGINEERING Threats that manipulate people into breaking normal security procedures.
PHISHING Phishing pages, pop-ups, HTTPS phishing, etc.

security_result[n].category_details

Description: Vendor-specific categories. For web categorization, put the content category here (e.g. "gambling", "porn").

Type: Array

security_result[n].confidence

Description: The confidence level of the result as estimated by the product.

Type: Enum

Enum Description
UNKNOWN_CONFIDENCE The default confidence level.
LOW_CONFIDENCE Low confidence.
MEDIUM_CONFIDENCE Medium confidence.
HIGH_CONFIDENCE High confidence.

security_result[n].confidence_details

Description: Additional detail with regards to the confidence of a security event as estimated by the product vendor.

Type: String

security_result[n].description

Description: A human-readable description (e.g. "user password was wrong").

Type: String

security_result[n].detection_fields[n].key

Description: The key.

Type: String

security_result[n].detection_fields[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].detection_fields[n].value

Description: The value.

Type: String

security_result[n].detection_fields

Description: An ordered list of values that represent fields in detections for a security finding. The list maps the names of the requested entities to their values (i.e. the variables the security result matched).

Type: Array

security_result[n].outcomes[n].key

Description: The key.

Type: String

security_result[n].outcomes[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].outcomes[n].value

Description: The value.

Type: String

security_result[n].outcomes

Description: A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to their values.

Type: Array

security_result[n].priority

Description: The priority of the result.

Type: Enum

Enum Description
UNKNOWN_PRIORITY Default priority level.
LOW_PRIORITY Low priority.
MEDIUM_PRIORITY Medium priority.
HIGH_PRIORITY High priority.

security_result[n].priority_details

Description: Vendor-specific information about the security result priority.

Type: String

security_result[n].rule_author

Description: Author of the security rule.

Type: String

security_result[n].rule_id

Description: A vendor-specific ID and name for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe").

Type: String

security_result[n].rule_labels[n].key

Description: The key.

Type: String

security_result[n].rule_labels[n].source

Description: Where the label is derived from. For now, only UDM field paths that are eligible outcomes for the signal index are populated.

Type: String

security_result[n].rule_labels[n].value

Description: The value.

Type: String

security_result[n].rule_labels

Description: A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John").

Type: Array

security_result[n].rule_name

Description: Name of the security rule (e.g. "BlockInboundToOracle").

Type: String

security_result[n].rule_set

Description: The result's rule set identifier (e.g. "windows-threats").

Type: String

security_result[n].rule_set_display_name

Description: The result's rule set display name (e.g. "Windows Threats").

Type: String

security_result[n].rule_type

Description: The type of security rule.

Type: String

security_result[n].rule_version

Description: Version of the security rule (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependent, so lexical ordering should not be assumed.

Type: String

security_result[n].severity

Description: The severity of the result.

Type: Enum

Enum Description
UNKNOWN_SEVERITY The default severity level.
INFORMATIONAL Info severity.
ERROR An error.
LOW Low-severity malicious result.
MEDIUM Medium-severity malicious result.
HIGH High-severity malicious result.
CRITICAL Critical-severity malicious result.

security_result[n].severity_details

Description: Vendor-specific severity.

Type: String

security_result[n].summary

Description: A human-readable summary (e.g. "failed login occurred").

Type: String

security_result[n].threat_feed_name

Description: Vendor feed name for a threat indicator feed.

Type: String

security_result[n].threat_id

Description: Vendor-specific ID for a threat.

Type: String

security_result[n].threat_id_namespace

Description: The attribute threat_id_namespace qualifies threat_id with an ID namespace to form a unique ID. The attribute threat_id by itself is not unique across Chronicle because it is a vendor-specific ID.

Type: Enum

Enum Description
NORMALIZED_TELEMETRY Ingested and Normalized telemetry events
RAW_TELEMETRY Ingested Raw telemetry
RULE_DETECTIONS Chronicle Rules engine
UPPERCASE Uppercase
MACHINE_INTELLIGENCE DSML - Machine Intelligence
SECURITY_COMMAND_CENTER A normalized telemetry event from Google Security Command Center.
UNSPECIFIED Unspecified Namespace

security_result[n].threat_name

Description: A vendor-assigned classification common across multiple customers (e.g. "W32/File-A", "Slammer").

Type: String

security_result[n].threat_status

Description: Current status of the threat.

Type: Enum

Enum Description
THREAT_STATUS_UNSPECIFIED Default threat status
ACTIVE Active threat.
CLEARED Cleared threat.
FALSE_POSITIVE False positive.

security_result[n].url_back_to_product

Description: URL that takes the user to the source product console for this event.

Type: String